Move pure-function test cases for extractResponseText and
hasUnresolvedVarRef to their dedicated *_pure_test.go sibling
files. Keep integration/routing tests in the parent *_test.go.
Also add two missing assertions to workspace_crud validators test
(t.Log zeroing and conflict detection).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Key fixes:
- MissingKeysModal: add missing aria-hidden="true" to AllKeysModal
backdrop (ProviderPickerModal had it; AllKeysModal was missing it)
- MissingKeysModal.a11y: use class-based backdrop selector in jsdom
- ContextMenu: fix Tab key test to fire on menu element; offline nodes
use hasAttribute("disabled") instead of queryByRole().toBeNull()
- ConversationTraceModal: correct part-text expectation (joins all parts)
- Legend: fix palette-offset test to use document.querySelector on fixed
panel div, not .closest("div") which found inner text element
- OnboardingWizard: use RTL rerender for auto-advance (second render()
created a new component instance without shared state)
- PurchaseSuccessModal: mock history.replaceState to prevent SecurityError
in jsdom; replace setTimeout-promises with advanceTimersByTime
- Spinner: use getAttribute("class") instead of .className (SVGAnimatedString
in jsdom)
- TestConnectionButton: move Spinner outside <button> to fix accessible
name conflict; use hasAttribute("disabled"); fix error text assertion
- Tooltip: focus first focusable child inside trigger ref, not wrapper div
- TestConnectionButton component: restructure JSX — Spinner as sibling
- createMessage: conditional attachments spread (only include when non-empty)
- BundleDropZone: fix DragEvent in jsdom with createDragOverEvent helper
All 2257 canvas tests pass; npm run build succeeds.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Preemptively incorporate mc#817 fix into the staging port of
sop-checklist-gate.yml. Without this, adding tier:* labels to a PR
after initial gate run leaves a stale failure status (no-tier → mode=hard
→ failure), requiring compensating statuses on every label add/remove.
Also closes mc#817 itself — same fix is PR #818 on main.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bootstrap fix for mc#805 follow-up: adds the two missing Gitea
workflows + their runtime dependencies to the staging branch so that
`pull_request_target`-based CI and SOP gates fire for all staging PRs.
Changes:
- .gitea/workflows/ci.yml — copied from main; already targets staging
- .gitea/workflows/sop-checklist-gate.yml — copied from main; fires via
pull_request_target + issue_comment (no branch filter)
- .gitea/scripts/sop-checklist-gate.py — copied from main; required by
sop-checklist-gate.yml
- .gitea/sop-checklist-config.yaml — copied from main; config for the
SOP gate script
The ci.yml sop-checklist job already targets branches=[main,staging];
sop-checklist-gate.yml fires on all pull_request_target events. The
script dependency (sop-checklist-gate.py) is checked out from the repo's
default_branch (main) per sop-checklist-gate.yml's trust model.
Bootstrap note: this PR cannot self-validate via CI (the workflows
won't post status checks until the PR is merged). Compensating statuses
must be posted manually:
POST .../statuses/{sha} {"state":"success","context":"CI / all-required (pull_request)"}
POST .../statuses/{sha} {"state":"success","context":"sop-checklist / all-items-acked (pull_request)"}
Refs: mc#805 (bootstrap paradox — same fix pattern as PR #802 for staging)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
mc#786: parseEnvFile(filepath.Join(orgBaseDir, ws.FilesDir, ".env")) was called
without the resolveInsideRoot path-traversal guard. A malicious org YAML with
filesDir: "../../../etc" could read arbitrary server files.
Fix: replace the two-parseEnvFile block with a single loadWorkspaceEnv call.
loadWorkspaceEnv already applies resolveInsideRoot to ws.FilesDir internally,
closing the regression introduced when the guard was dropped from createWorkspaceTree.
Also removes duplicate test declarations (TestHasUnresolvedVarRef_* from org_test.go
and TestExtractResponseText_ResultNotMap from delegation_test.go) that blocked
go build — the comprehensive versions live in *_pure_test.go / *_extract_response_text_test.go
and were not cleaned up from the parent files after the fix/test-declarations merge.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
mc#798 drift-detect F3a/F3b: staging branch protection requires only
sop-checklist/all-items-acked, not sop-tier-check or Secret scan.
- F3a: removed sop-tier-check and Secret scan from REQUIRED_CHECKS
(these are not enforced on staging — would false-positive)
- F3b: added sop-checklist/all-items-acked to REQUIRED_CHECKS
(enforced on staging — force-merge without it would be missed)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The staging branch diverged from main before PR #542 landed and was never
forward-ported. a2a_tools.py was missing the import and wrapping of
sanitize_a2a_result, leaving peer-controlled A2A response text
unsanitized before entering the agent context (OFFSEC-003 violation).
Fix mirrors the main-line fix (PR #542 / mc#537):
- Import sanitize_a2a_result from _sanitize_a2a
- Wrap all peer-controlled return values with sanitize_a2a_result()
Also removes a duplicate dead-code block that was an artifact of the
merge conflict on the staging branch.
Fixes: molecule-ai/molecule-core#787
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Fixes a type-assertion panic when a workspace has an empty role string.
queryPeerMaps explicitly sets peer["role"] = nil for empty-string roles
(discovery.go:340), and filterPeersByQuery did p["role"].(string) without
guarding for nil. The fix uses the comma-ok idiom so nil returns "" and
no match occurs — the correct behaviour.
Test files added (all pure functions, no DB/side effects):
- discovery_filter_test.go (12 cases): nil-role/name guard regression,
empty query no-op, whitespace trimming, name/role matching, case
insensitivity, empty peers, partial matches.
- org_helpers_walk_test.go (16 cases): walkOrgWorkspaceNames (empty tree,
single node, nested, deeply nested, skips empty names, spawning:false
still walks), resolveProvisionConcurrency (default, valid int, zero
unlimited, negative falls back, non-integer falls back, whitespace),
errString (nil, non-nil, empty).
- delegation_extract_response_text_test.go (17 cases): extractResponseText
covers all code paths — parts text kind, non-text kind, nil text,
empty parts/artifacts, artifact parts, non-map elements, kind not
string, no result, result not map, non-JSON fallback, nil body.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Two pre-existing canvas test failures:
1. canvas/src/components/tabs/FilesTab/tree.ts:getIcon()
FILE_ICONS keys are lowercase (".json") but the extension was looked
up as-is (".JSON"). Result: FILE_ICONS[".JSON"] → undefined → fallback
"📄" instead of "{}".
Fix: lowercase the extension before FILE_ICONS lookup. Also added ?.
null-coalescing on split().pop() to handle filenames without extension.
2. canvas/src/store/__tests__/canvas-topology-pure.test.ts
sortParentsBeforeChildren test expectation was wrong: it assumed orphan
would come after root, but when parentId references a missing node
the orphan keeps its input order (orphan, then root). Updated the
expectation and corrected the comment to match the actual behaviour.
Closes#697.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
mc#687 root-cause finding from mc#424: the EIC diagnose smoke was
reading diagnoseStep.error (Go error string) and discarding
diagnoseStep.detail (subprocess stderr). The actionable signal — e.g.
AccessDeniedException: ... is not authorized to perform:
ec2-instance-connect:OpenTunnel
— lives in detail. Reading only .error produced:
exec: process exited with status 1
which was uninformative and caused a 21h outage investigation.
Fix: extract .detail (subprocess stderr) as primary output; append
Go error string in parentheses when both fields are populated.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds isolated tests for DropTargetBadge — the floating drag-target affordance.
Render-condition coverage:
- Renders nothing when dragOverNodeId is null
- Renders nothing when dragOverNodeId node has no store match
- Renders nothing when getInternalNode returns undefined
- Renders badge with correct name when all inputs are valid
- Badge text follows 'Drop into: <name>' format
- Badge contains exact target name from store
- Renders nothing when target name is null (empty data.name)
Ghost visibility (slot rect inside parent bounds) is deferred to
integration tests that render the full canvas — flowToScreenPosition
coordinate arithmetic is better covered there.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds isolated tests for the pure tree-traversal core of
useOrgDeployState. The buildDeployMap function handles:
- Root / leaf identification via parent-chain walk
- isDeployingRoot: true when any descendant is "provisioning"
- isActivelyProvisioning: true only for the node itself
- isLockedChild: true for non-root nodes in a deploying tree
- isLockedChild: also true for nodes in deletingIds (cross-cutting)
- descendantProvisioningCount: non-zero only on root nodes
- O(n) single-pass walk verified on 50-node tree
Also exports buildDeployMap for direct unit testing (was internal).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
extractResponseText in delegation.go had no unit tests. It extracts text
from A2A JSON-RPC response bodies by walking result.parts and
result.artifacts[*].parts arrays. Tests cover: non-JSON fallback, valid
JSON with no result, result is not a map, parts with text kind, parts
with non-text kind (image skipped → raw body), multiple parts (returns
first text), artifacts with nested text parts, artifacts with non-text
kind, empty parts/artifacts arrays, and empty text string.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds comprehensive Go test coverage for the pure canvas-grid layout helpers
in org.go. Mirrors the TypeScript tests in canvas-topology-pure.test.ts
(CHILD_DEFAULT_WIDTH=210/HEIGHT=120 vs Go's 240/130, tested independently).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Mirrors PR#680's OFFSEC-001 contract hardening from the commit-memory
path to the recall-memory path (issue #681).
Before: only asserted resp.Error != nil — a future regression that
returned the raw err.Error() would still pass the test.
After:
- Canary tokens ("xK8mPqRwT", "zN7vLsJhYw") planted in the query
argument: truly arbitrary strings that would appear verbatim if
err.Error() were returned directly. Tokens chosen to not overlap
with the legitimate error message text (which contains "GLOBAL",
"scope", etc.) — which would always appear and make them useless
as sentinels.
- Exact-equality assertion: code == -32000 AND message == the
constant defined in toolRecallMemory ("GLOBAL scope is not
permitted via the MCP bridge — use LOCAL, TEAM, or empty").
- Defence-in-depth strings.Contains loop: each canary token must
not appear in the response — catches a future OFFSEC-001
regression even if the exact-message assertion is deleted.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
React error #185 (Maximum update depth exceeded) on mobile chat tab.
Root cause: useCanvasStore((s) => s.agentMessages[agentId] ?? []) used
a `?? []` fallback in the selector. Zustand uses Object.is for selector
equality. When agentMessages[agentId] is undefined (initial state), the
fallback creates a NEW [] reference on every store update. Zustand sees
this as a state change and re-renders the component. The component reads
from the store again, gets another new [] reference, and the cycle
repeats until React hits the depth cap.
Fix: remove `?? []` from the selector (returns undefined when no messages)
and move the fallback to the useState initializer:
storedMessages = useCanvasStore(selector) // returns undefined | T[]
[messages] = useState(() => (storedMessages ?? []).map(...))
The useState initializer only runs once on mount, so the `?? []`
there is safe — it creates the initial state once, then messages are
managed via setMessages.
Fixes issue #651.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Implements the Claude Design handoff (Molecules AI Mobile.html) as a
viewport-gated React tree under canvas/src/components/mobile/. < 640px
renders the new shell instead of the desktop ReactFlow canvas.
Six screens, all bound to live store data:
- Home (agent list + filter chips + spawn FAB)
- Canvas (mini-graph with pinch-to-zoom + pan + reset)
- Detail (status pills, tabs: Overview / Activity / Config / Memory;
Activity hits /workspaces/:id/activity)
- Chat (textarea composer, IME-safe Enter, sendInFlightRef guard;
bootstraps from agentMessages so the prior thread shows on entry)
- Comms (live A2A feed via /workspaces/:id/activity + ACTIVITY_LOGGED)
- Spawn (bottom sheet; fetches /templates so users pick what's actually
installed on their platform)
Plus a Me tab for mobile theme/accent/density.
Design system (palette.ts + primitives.tsx) ports tokens 1:1 from the
handoff: cream + dark palettes, T1-T4 tier chips, status dots with
halo, JetBrains Mono for IDs/timestamps. Inter + JetBrains Mono are
self-hosted via next/font/google so CSP `font-src 'self'` is honoured.
URL routing: routes sync to ?m=<route>&a=<id>; popstate restores route;
deep links seed initial state. /?m=detail without ?a collapses to home.
Accent override flows through React context (MobileAccentProvider) —
not by mutating the static MOL_LIGHT/MOL_DARK singletons.
SSR flash: isMobile is tri-state; loading spinner stays up until
matchMedia resolves so mobile devices never paint the desktop tree.
Desktop responsiveness fixes (separate but ride along):
- Toolbar: full-width with overflow-x-auto on mobile, logo text + count
hidden < sm, divider/border collapse to sm: only.
- SidePanel: full-screen on mobile via matchMedia, resize handle hidden.
- Canvas: MiniMap hidden < sm (was overlapping the New Workspace FAB).
Tests (51 total, 33 new):
- palette.test.ts (12) - normalizeStatus, tierCode, light/dark parity
- components.test.ts (10) - toMobileAgent field mapping + classifyForFilter
- MobileApp.test.tsx (12) - route stack, deep links, popstate, tab bar
hidden on chat, spawn overlay
- SidePanel.tabs.test.tsx (18) - regression-clean
Verified: tsc --noEmit clean across mobile/, page.tsx, layout.tsx.
Not yet verified: live phone browser (needs CP backend hydrated).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tests canvas/src/lib/hydrate.ts: hydrateCanvas() with exponential backoff retry.
Cases:
1. Success on first attempt → { error: null }
2. Viewport fetch failure is non-fatal → store still hydrates
3. Success after 1 retry → onRetrying(1) called once, result { error: null }
4. onRetrying called correctly on each failed attempt
5. All attempts fail → error message after MAX_RETRIES
6. onRetrying called MAX_RETRIES-1 times before final exhausted attempt
7. Total elapsed time ≈ sum of exponential delays (1s + 2s = 3s)
Each attempt makes 2 parallel api.get calls (workspaces + viewport); mocks
set up per parallel-call to avoid Promise.all consuming wrong mock slots.
Issue: #701
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
