5449 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Molecule AI Core-BE	42ec6f5cfa	fix(handlers): use net.ListenTCP + close conn immediately after response ... - Explicitly bind to IPv4 only with net.ListenTCP("tcp4", ...) to avoid IPv6 (::1) vs IPv4 (127.0.0.1) mismatch on macOS where Listen("tcp", "127.0.0.1:0") might bind ::1. - Close the connection immediately after writing the response. If we keep it open, the client's request-body writer goroutine blocks on the socket (waiting for server to drain the body). Closing immediately unblocks it; the client already received the response so the write error is harmless. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	c9fea76bc8	fix(handlers): add diagnostics + use SetReadDeadline in raw TCP server ... Adds t.Log statements at each step of test execution to identify where the hang occurs. Also changes rawHTTPServer from blocking Read to a 2-second deadline-based read to avoid deadlock where the server waits for body while client waits for headers. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	463fd23797	fix(handlers): use raw TCP listener instead of httptest.Server ... All previous approaches (plain httptest.Server, raw TCP with io.Copy, httptest+Hijack) produced a consistent 2-minute timeout in CI. Analysis of httptest.Server revealed a subtle goroutine ordering dependency: the server reads the request body into a buffer before calling the handler, but the client's request-body writer goroutine waits for response headers before sending the body. The handler must return (sending headers) before the client's body writer can complete. This creates a potential race where the connection is closed while the client is still writing. The raw TCP approach eliminates all HTTP library goroutines: - net.Listen("tcp", "127.0.0.1:0") binds an ephemeral port - Accept in a goroutine, handle one connection - Read headers using a 2-second deadline (enough for client to send) - Send response immediately, close connection - a2aClient DialContext intercepts all dials and redirects to our port Key insight: set a Read deadline (not ReadAll to EOF) so the server proceeds to send the response without waiting for the body. The kernel discards unread buffered body bytes on close — harmless. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	173339013f	fix(handlers): eliminate io.Copy deadlock in integration tests ... The 2-minute timeout was caused by io.Copy(io.Discard, r.Body) in the httptest.Server handler. Go's http.Server reads the full request body into a buffer BEFORE calling the handler, so r.Body is pre-populated. The io.Copy call itself wouldn't block — but the goroutine lifecycle creates a subtle ordering dependency: the handler must return to send response headers, which unblocks the client's body-writer goroutine, which then tries to write remaining body bytes to a potentially-closed connection. Fix: remove io.Copy from the handler entirely. The httptest.Server already consumed the body. Just write the response and return. Also: add missing net/net/url imports, remove unused agentServer/setupIntegrationRedis helpers, restore allowLoopbackForTest(t) calls (SSRF guard), inline httptest.Server creation per-test, override a2aClient DialContext to redirect all connections to the test server. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	ac549a25eb	debug(handlers): log when agentServer receives request to diagnose hang ... Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	6545461a59	debug(handlers): add timing to integration tests to pinpoint hang location ... Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	5bd8858c6f	fix(handlers): set declaredLength == len(actualBody) in integration tests ... Content-Length mismatch (declared > actual) causes the HTTP transport to wait for the remaining bytes. After the TCP keepalive (~2 min), it returns a ProtocolError — indistinguishable from a genuine transport failure. The test then runs for 1m57s before failing. Fix: set declaredLength = len(actualBody) in all test cases. The partial-body delivery-confirmed scenarios are covered by the sqlmock tests in delegation_test.go; these integration tests verify DB row state after clean success/failure paths. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	7d97610eaf	fix(handlers): use plain httptest.Server in integration tests ... Abandons raw TCP mock and httptest+Hijack in favour of plain httptest.Server. Both prior approaches caused deadlocks: - Raw TCP: server read vs client write pipelining caused both sides to block. - httptest+Hijack: Go's HTTP server keeps a request-read goroutine active after Hijack; if request body hasn't been fully received, Hijack() blocks waiting for it while the client blocks waiting for response headers — mutual deadlock. Plain httptest.Server accepts connections cleanly, sends responses, and closes normally — the Go HTTP/1.1 client reads available bytes then gets EOF when the server closes the connection. Content-Length mismatch (declared > actual) simulates partial-body connection-drop scenarios without any TCP manipulation. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	5cff72ab17	fix(handlers): send HTTP response BEFORE draining request body in raw TCP mock ... Previous raw TCP approach drained the request body FIRST, then sent the response. This caused a deadlock: Server: waiting to READ request body (blocking on conn.Read) Client: waiting for RESPONSE HEADERS (blocking on conn.Read from server) Neither can proceed — the client's request-body write is blocked waiting for response headers, so the server never receives the body, so the drain never completes, so the server never sends the response. Fix: send the response FIRST. The client's response-reader unblocks (gets response), so the client's request-body writer can complete and send the body. The drain goroutine then reads whatever the client sent. The server closes the connection while the drain is in progress — fine, the drain goroutine just gets a connection-closed error and exits. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	668abce81e	fix(handlers): raw TCP mock server with proper request-body drain ... Abandon httptest+Hijack — it has two fundamental problems for this use case: 1. Buffered-writer loss: httptest's Hijack() discards the buffered writer, losing any bytes written via w.WriteHeader/w.Write that weren't already flushed to the raw conn. The HTTP client never receives response headers, blocking on ResponseHeaderTimeout=180s (the 2m8s hang). 2. Request-read deadlock: Go's httptest server keeps a read goroutine waiting for the request body after the handler returns. Calling Hijack() while that goroutine is still waiting causes a deadlock with the client's request-body writer. Fix: use raw TCP with net.Listener directly. The server: 1. Accepts one connection. 2. Reads HTTP request headers (blank line terminates). 3. Drains Content-Length bytes from the connection (prevents broken-pipe on client request-body writer when we close). 4. Writes raw HTTP response directly to the raw conn (no buffered writer). 5. Brief sleep so client reads headers+body before FIN fires. 6. Close() sends FIN → client Read() returns io.EOF. Also add allowLoopbackForTest() to each test so the SSRF guard permits 127.0.0.1 mock server URLs (same pattern as a2a_proxy_test.go). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	56fd24d339	fix(handlers): write raw HTTP response after Hijack to bypass buffered writer ... Root cause of the 2m8s hang (which matched ResponseHeaderTimeout=180s): httptest's Hijack() discards the buffered writer, losing any bytes written via w.WriteHeader/w.Write that weren't already flushed to the raw TCP conn. The HTTP client therefore never receives response headers, blocking on ResponseHeaderTimeout (3 min). Fix: write the raw HTTP response directly to the raw conn AFTER Hijack(), completely bypassing httptest's buffered writer. This ensures: - Response headers reach the client immediately (not lost to buffered writer) - Client starts reading the response body - conn.Close() fires while client is mid-read → Read() returns EOF/error - executeDelegation completes in seconds, not minutes Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	18355375fe	fix(handlers): do not touch r.Body before Hijack in mockAgentWithPartialBody ... Closing r.Body triggers the Go HTTP server's pipe mechanism to signal EOF to the request-body reader. On the CLIENT side, this causes the request-body writer goroutine to fail with "read from closed pipe", which hangs the HTTP request indefinitely (until TCP-level timeouts fire). Fix: remove all r.Body access. Just Hijack() + conn.Close() and return. Matching the exact pattern from a2a_proxy_test.go TestProxyA2A_BodyReadFailure_DeliveryConfirmed. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	06e1e63ced	fix(handlers): remove r.Body drain from mockAgentWithPartialBody ... The previous httptest.Server implementation called io.Copy(io.Discard, r.Body) before Hijack(), which caused a 3-minute hang: the handler blocked waiting to finish reading the request body while the HTTP client was blocked writing the body (waiting for response headers that the handler hadn't sent yet). This is a classic deadlock. Fix: match the existing a2a_proxy_test.go pattern — do NOT read r.Body before Hijack(). The HTTP parser has already consumed request headers; the body may still be in flight from the client. The server closes r.Body when the handler returns (server-managed), and conn.Close() after Hijack() fires RST/EOF to the client, which is the desired "connection drop" simulation. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	cbb9cde396	ci: re-trigger handlers postgres integration workflow ... [core-be-agent]	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	60489a4b8c	fix(handlers): replace raw TCP mock with httptest.Server+Hijack in integration tests ... The raw TCP mock servers used in tests 1-3 caused 5-minute CI timeouts. The issue was two-fold: 1. defer conn.Close() fired before the kernel TCP send buffer was drained, so HTTP headers never reached the client and it blocked forever waiting. 2. Even with an explicit 200ms sleep before Close(), the CI environment under load sometimes didn't drain the buffer in time, causing the 5-minute idle timeout (A2A_IDLE_TIMEOUT_SECONDS) to fire. Switch to httptest.Server with http.Hijack(): - httptest.Server handles the HTTP listener lifecycle properly. - Hijack() gives direct access to the raw TCP connection after HTTP headers are parsed, bypassing the buffered writer. - Flush() before Hijack() ensures data reaches the kernel TCP buffer. - Immediate conn.Close() after Flush() triggers a read error on the HTTP client (connection reset / EOF) even though headers arrived. This matches the pattern already proven in a2a_proxy_test.go for similar partial-body connection-drop scenarios. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	3b39e94905	fix(handlers): ensure mock TCP server transmits data before closing ... Bug: raw-TCP mock servers in integration tests used `defer conn.Close()` which fires immediately after `conn.Write` (buffered in kernel send buffer). The connection closed before the kernel TCP stack finished transmitting the response, so the Go HTTP client hung waiting for response headers that never arrived. Test 1 (200 + partial body) timed out at the 5-minute idle timeout: - mock server: Accept → Read → Write(135B) → defer Close → goroutine exits - client: sent request, waited forever for response headers - isDeliveryConfirmedSuccess path never reached Tests 2-3 (500 / empty body) passed in 500ms because the 500ms test-body-timeout caught the hanging goroutine. Fix is the same for all three: write the response, sleep 200ms (kernel TCP transmits), *then* close. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	9a8b7ee7e4	fix(handlers): pass correct mock-server URL to setupIntegrationRedis ... Root cause of 5-minute timeout: setupIntegrationRedis seeded Redis with http://bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb (the UUID as hostname), which the Go http.Client cannot resolve. The SSRF validation passes (valid DNS hostname) but DNS resolution fails → HTTP request hangs for the client's default 60s timeout before retrying → test times out at 5m. Fix: change setupIntegrationRedis(t) → setupIntegrationRedis(t, agentURL) so each test passes the actual mock server address (http://127.0.0.1:PORT) before the function caches it. Remove the redundant db.RDB.Set override in Test1 (URL now correct from the start). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	aebe468d3e	fix(handlers): initialize db.RDB before executeDelegation in integration tests ... RecordAndBroadcast (called by executeDelegation) calls db.RDB.Publish(), which panics when db.RDB is nil. Fix: - Add setupIntegrationRedis() helper that starts miniredis, sets db.RDB, and seeds the target workspace URL via db.CacheURL - Call setupTestRedis() directly in the Redis-down test (no URL cached, so resolveAgentURL falls back to DB which also has no URL → target unreachable) - Import db and redis packages Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	b9d977339b	fix(handlers): use valid UUIDs for workspace seeds in integration tests ... workspaces.id is UUID-typed. The string IDs like "ws-source-159-integration" caused: pq: invalid input syntax for type uuid Fix: use real UUIDs (AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA / BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB) matching the pattern in delegation_ledger_integration_test.go. Also add the required 'name' column (NOT NULL) to the INSERT. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	b2064cab2b	fix(handlers): remove unused os and mdb imports in integration test ... Both packages were imported but not referenced in the file. Go build tag "integration" still compiles them — caught by CI. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
Molecule AI Core-BE	9797e4a017	test(handlers): migrate 4x executeDelegation tests to real-Postgres integration ... mc#664 Class 1: Replace 4 sqlmock-based TestExecuteDelegation_* tests (+ 3 expectExecuteDelegation* helpers) in delegation_test.go with 5 real-Postgres integration tests in delegation_executor_integration_test.go. Deleted: - expectExecuteDelegationBase/Success/Failed helpers (sqlmock-only) - TestExecuteDelegation_DeliveryConfirmedProxyError_TreatsAsSuccess - TestExecuteDelegation_ProxyErrorNon2xx_RemainsFailed - TestExecuteDelegation_ProxyErrorEmptyBody_RemainsFailed - TestExecuteDelegation_CleanProxyResponse_Unchanged Added (delegation_executor_integration_test.go): - TestIntegration_ExecuteDelegation_DeliveryConfirmedProxyError_TreatsAsSuccess — 200 with partial body → 'completed' (isDeliveryConfirmedSuccess guard) - TestIntegration_ExecuteDelegation_ProxyErrorNon2xx_RemainsFailed — 500 with partial body → 'failed' (status>=200&&<300 guard fails) - TestIntegration_ExecuteDelegation_ProxyErrorEmptyBody_RemainsFailed — 200 with empty body → 'failed' (len(body)>0 guard fails) - TestIntegration_ExecuteDelegation_CleanProxyResponse_Unchanged — clean 200 → 'completed' (baseline) - TestIntegration_ExecuteDelegation_RedisDown_FallsBackToDB — no Redis → graceful failure (not panic) Each integration test verifies the delegations table state end-to-end, which sqlmock cannot cover (drift in last_outbound_at UPDATE, lookupDeliveryMode/Runtime SELECTs, a2a_receive INSERT, recordLedgerStatus writes — mc#664 root cause). The existing Handlers Postgres Integration CI job picks up the new TestIntegration_* tests automatically. Closes: #686 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 18:04:07 +00:00
hongming-pc2	b16e1330f1	Merge pull request 'fix(ci): lint TRACKER_RE false-negative on mid-sentence tracker refs' (#750) from ci/lint-tracker-regex-fix-v2 into main	2026-05-12 17:58:15 +00:00
Molecule AI Core-DevOps	22acf8721e	fix(ci): lint TRACKER_RE false-negative on mid-sentence tracker refs ... Two fixes bundled here (same bug class — TRACKER_RE misses trackers): 1. lint_continue_on_error_tracking.py: TRACKER_RE required a leading `#` comment marker followed by whitespace before the tracker slug. Fixed by removing the `\#\s*` anchor so the regex scans the entire comment line for the `mc#NNN` / `internal#NNN` pattern. 2. lint-continue-on-error-tracking.yml: Added inline tracker comment `# internal#350 Phase 3 mask — 14d forced-renewal cadence` to the lint job's own `continue-on-error: true` directive. Both changes are Python/YAML only — no platform code changes. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 17:57:40 +00:00
Molecule AI · app-fe	06cf6a9ca7	Merge pull request 'test(mobile): add MobileCanvas + MobileComms + MobileSpawn test coverage' (#721) from feat/mobile-canvas-comms-spawn-coverage into main	2026-05-12 17:15:46 +00:00
Molecule AI · core-uiux	6217345c63	Merge branch 'main' into feat/mobile-canvas-comms-spawn-coverage	2026-05-12 16:08:10 +00:00
Molecule AI · core-devops	53d6597995	Merge pull request 'fix(scripts): use json.dumps for SSM params JSON (CWE-78 / OFFSEC-001)' (#737) from fix/ssm-refresh-ecr-auth-json-escaping into main	2026-05-12 15:40:48 +00:00
Molecule AI Core-DevOps	b544028e93	fix(scripts): use json.dumps for SSM params JSON (CWE-78 / OFFSEC-001) ... ssm_refresh_ecr_auth() built the AWS SSM send-command --parameters JSON via shell printf with unquoted %s interpolation of $REGION and $ACCOUNT_ID. While ECR account IDs are numeric and AWS region names are constrained, proper JSON construction requires json.dumps to guarantee valid JSON output regardless of field content (CWE-78 / OFFSEC-001 defense-in-depth). Fix: replace printf with python3 -c using json.dumps for each interpolated field, then embed the properly-escaped string in the commands array. Adds Test 12: ssm_refresh_ecr_auth JSON escaping covering: - Normal region + account (baseline valid JSON) - Region with JSON-special chars (quote injection → still valid JSON) - Account with quote injection → still valid JSON - No double-encoding of region in command string Closes: core#676 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 15:26:06 +00:00
Molecule AI · core-qa	50489da786	Merge pull request 'fix(ci): add pull-requests:write to gate-check-v3 permissions (mc#)' (#729) from ci/gate-check-v3-permissions-fix into main	2026-05-12 14:31:11 +00:00
Molecule AI · core-uiux	77f11c79d9	Merge branch 'main' into ci/gate-check-v3-permissions-fix	2026-05-12 14:29:15 +00:00
Molecule AI · core-uiux	e2a52696c3	Merge pull request 'fix(ci): add Docker daemon diagnostics to publish-workspace-server-image (mc#711)' (#722) from infra/publish-docker-daemon-diagnostic into main	2026-05-12 14:28:17 +00:00
Molecule AI Core-DevOps	d180bd3188	fix(ci): add pull-requests:write to gate-check-v3 permissions ... gate-check-v3's --post-comment was 403ing on every run because the workflow had no explicit permissions block. Gitea Actions defaults to contents:read only — insufficient for POST/PATCH on /repos/{owner}/{repo}/issues/{pr}/comments. Add workflow-level permissions: contents: read — checkout base ref pull-requests: write — post/update gate-check comments Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 13:51:01 +00:00
Molecule AI Core-DevOps	6625c3be12	fix(ci): replace Docker health check with full daemon diagnostic (mc#711) ... Replaces the binary pass/fail health check with a step that shows: - socket existence + permissions (ls -la, stat) - current user + groups (id) - docker version (client AND server) - docker info (full output) mc#711 root cause confirmed: molecule-canonical-1 docker info shows "Client: Docker Engine 28.0.4" but no Server section — the daemon is not running. DinD socket mount is present in the act_runner container config but the daemon itself doesn't respond. This diagnostic step lets ops triage which runners have a live daemon vs a dead one, and provides actionable socket/user info for the daemon-restart fix. The old REVERTED comment about docker-runner-labels is removed as stale (ops will handle daemon restart as the real fix). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 11:57:25 +00:00
Molecule AI Core-FE	2e0007e713	test(mobile): add MobileCanvas + MobileComms + MobileSpawn test coverage ... 32 cases across 3 files: - MobileCanvas: render (FAB, legend, nodes, reset button, empty), interaction (onOpen, onSpawn) - MobileComms: render (header, loading, empty, filter buttons, event count), interaction (rows, All/Errors filter, live socket event) - MobileSpawn: render (dialog, loading, templates, tiers, spawn button, close), interaction (onClose, backdrop, POST /workspaces, error, tier selection) Uses vi.hoisted() for API mocks to avoid TDZ per earlier lessons. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 11:52:24 +00:00
hongming-pc2	a9351ae47d	Merge pull request 'fix(handlers): OFFSEC-001 — scrub req.Method from dispatchRPC default error (hotfix)' (#705) from fix/offsec-001-method-scrub-main into main	2026-05-12 08:47:33 +00:00
Molecule AI Fullstack Engineer	4dce9800a5	fix(handlers): OFFSEC-001 — scrub req.Method from dispatchRPC default error ... Line 443 of mcp.go concatenated user-controlled req.Method into the JSON-RPC -32601 error message, allowing an agent or canvas client to inject arbitrary strings into the response via the method field. Fix: replace "method not found: " + req.Method with the constant "method not found" — matching the OFFSEC-001 scrub contract applied to the InvalidParams (line 428) and UnknownTool (line 433) paths. Test: extend TestMCPHandler_UnknownMethod_Returns32601 with two new assertions: 1. resp.Error.Message == "method not found" 2. defence-in-depth check that the sent method name never appears in the response (strings.Contains guard) Issue: #684 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 08:28:39 +00:00
Molecule AI · core-devops	11fc33a55f	Merge pull request 'feat(ci)(hard-gate): lint-pre-flip catches continue-on-error true→false without run-log proof' (#673) from infra/lint-pre-flip-continue-on-error into main	2026-05-12 08:04:56 +00:00
Molecule AI Core-DevOps	ebeea0a9c1	fix(workflows): add mc#664 tracker to lint-pre-flip CoE directive ... lint-continue-on-error-tracking (Tier 2e) requires a tracker within ±2 lines of every `continue-on-error: true`. The inline comment was 3 lines above the directive, outside the scan window. Move mc#664 to an inline comment on the directive line so it is within ±2 lines (WINDOW=2 per lint_continue_on_error_tracking.py). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 07:38:13 +00:00
Molecule AI Core-DevOps	0970feef70	feat(ci)(hard-gate): lint-pre-flip catches continue-on-error true→false without run-log proof ... Empirical class — PR #656 / mc#664: PR #656 (RFC internal#219 Phase 4) flipped 5 platform-build-class jobs `continue-on-error: true → false` on the basis of a "verified green on main via combined-status check". But that "green" was the LIE the prior `continue-on-error: true` produced: Gitea Quirk #10 (internal#342 + dup #287) — a failed step inside a CoE:true job rolls up to a success job-level status. The precondition the PR claimed to verify was structurally fooled by the bug being flipped. mc#664 captured the surfaced defects (2 mutually-masked regressions): - Class 1: sqlmock helper drift since 2f36bb9a (24 days old) - Class 2: OFFSEC-001 contract collision since 7d1a189f (1 day old) Codified 04:35Z as hongming-pc2 charter §SOP-N rule (e) "run-log-grep-before-flip": pull the actual run log + grep for --- FAIL / FAIL\s BEFORE flipping; don't trust the masked combined-status. This commit structurally enforces that rule. What this PR adds: .gitea/workflows/lint-pre-flip-continue-on-error.yml — pre-merge pull_request gate, path-scoped to .gitea/workflows/**. Lands at continue-on-error:true (Phase 3 dogfood — flip to false in a follow-up only after this workflow has clean recent runs on main). .gitea/scripts/lint_pre_flip_continue_on_error.py — the lint: 1. Reads every .gitea/workflows/*.yml at the PR base SHA AND head SHA via git show <sha>:<path>. No checkout needed. 2. Parses both sides via PyYAML AST (per feedback_behavior_based_ast_gates — NOT grep, so comment churn and key-order changes don't false-positive). 3. For each flipped job (base=true, head=false), renders the commit-status context as "{workflow.name} / {job.name or job.key} (push)" and pulls combined commit-status for the last 5 commits on the PR base branch. 4. Fetches each matching run's log via the web-UI route {server_url}/{repo}/actions/runs/{run_id}/jobs/{job_idx}/logs (per reference_gitea_actions_log_fetch — Gitea 1.22.6 lacks REST /actions/runs/*; web-UI is the only working path, see reference_gitea_1_22_6_lacks_rest_rerun_endpoints). 5. Greps for --- FAIL / FAIL\s / ::error::. If status==success AND log shows fail markers, the job was masked. Emit ::error::file=... naming the failing test + offending run URL. .gitea/scripts/tests/test_lint_pre_flip_continue_on_error.py — 35 unittest cases covering the 5 acceptance tests from the spec + CoE coercion (truthy/falsy/quoted/absent) + context-name rendering + multi-flip aggregation + dry-run semantics + 3 graceful-degrade halt conditions (log-unavailable, zero-runs- history, zero-commits-on-branch). Live empirical confirmation: Ran the script against the PR#656 base→merge diff with RECENT_COMMITS_N=3 on main. Result: - platform-build flip BLOCKED — masked --- FAIL on TestExecuteDelegation_DeliveryConfirmedProxyError_TreatsAsSuccess + 4 more on action_run 13353. - canvas-build / shellcheck / python-lint flips PASS — no FAIL markers in their recent logs. Exactly the diagnosis hongming-pc2 charter §SOP-N rule (e) requires. Halt-condition graceful-degrade contract: - Log fetch 404 (act_runner pruned, transient outage): warn-not-block. - Zero recent runs of the flipped context (newly-added workflow): chicken-and-egg exemption — warn and allow. - YAML parse error in one workflow file: warn-not-block (the YAML lint workflows catch this separately). Cross-links: PR#656, mc#664, PR#665 (interim re-mask), Quirk #10 (internal#342 + dup #287), hongming-pc2 charter §SOP-N rule (e), feedback_strict_root_only_after_class_a, feedback_no_shared_persona_token_use. Refs: internal#342, internal#287, molecule-core#664, molecule-core#665	2026-05-12 07:27:19 +00:00
Molecule AI · core-devops	9eb33a9d3c	Merge pull request 'fix(ci): replace workflow_run triggers with push+paths (Gitea 1.22.6)' (#694) from fix/workflow_run-to-push-gitea-1.22.6 into main	2026-05-12 07:23:06 +00:00
Molecule AI Core-DevOps	2ee7cb1493	fix(ci): replace workflow_run triggers with push+paths (Gitea 1.22.6) ... Three workflows used `workflow_run:` to trigger when `publish-workspace-server-image.yml` completed, but Gitea 1.22.6 does not support the `workflow_run` event (task #81). The workflows were silently dead — never firing despite `continue-on-error: true`. Replaced each with `push: branches: [X], paths: [.gitea/workflows/ publish-workspace-server-image.yml]` which fires on every commit to the publish workflow. This is functionally equivalent: only successful runs commit to the branch. Also: - `redeploy-tenants-on-staging.yml`: corrected branch from [main] to [staging] (was wrong in the original Gitea port). - `staging-verify.yml`: removed `if: workflow_run.conclusion==success` since push events lack this context; the smoke test itself is the safety net. - Added `workflow_dispatch` to all three for manual runs. This fixes the 3 Rule-2 violations reported by lint-workflow-yaml (lint from #671). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 07:19:50 +00:00
Molecule AI · core-devops	84ec7fe728	Merge pull request 'feat(ci)(hard-gate): lint-continue-on-error-tracking (Tier 2e)' (#689) from feat/tier-2e-tracking-issue into main	2026-05-12 07:18:50 +00:00
core-devops	0dae4b8eb0	feat(ci)(hard-gate): lint-continue-on-error-tracking (Tier 2e) ... Every `continue-on-error: true` in `.gitea/workflows/*.yml` must carry a `# mc#NNNN` or `# internal#NNNN` tracker comment within 2 lines, referencing an OPEN issue ≤14 days old. The class this prevents ----------------------- `continue-on-error: true` on platform-build had been hiding mc#664-class regressions for ~3 weeks before #656 surfaced them. A 14-day cap on tracker age forces a review cycle: close-or-renew. Implementation -------------- - `.gitea/scripts/lint_continue_on_error_tracking.py` — PyYAML line-tracking loader to find every job-level `continue-on-error: <truthy>`. Treats string `"true"` as truthy (Gitea evaluator coerces). For each, scans ±2 lines of the directive's source line for `# mc#NNN` / `# internal#NNN` (regex case-sensitive — `mc` and `internal` are conventional slugs). GETs each issue from the Gitea API; valid = exists + state=open + `age.days <= MAX_AGE_DAYS` (inclusive 14d boundary). Graceful-degrades on 403 (token-scope) per Tier 2a contract. - `.gitea/workflows/lint-continue-on-error-tracking.yml` — pull_request + push + daily 13:11Z schedule. Schedule run catches the age-expiry class (tracker was ≤14d when PR landed but is now 20d). Phase 3 (continue-on-error: true) per RFC #219 §1. - `tests/test_lint_continue_on_error_tracking.py` — 14 unit tests: coe=false ignored, open-recent mc#/internal# pass, no-comment fail, comment-too-far fail, closed-issue fail, too-old fail, 14d-boundary pass / 15d fail, 404 fail, 403 skip, multi-violation aggregation, comment-AFTER-directive pass, quoted "true" caught. Behaviour --------- Pre-existing continue-on-error: true directives on main violate this lint at first — intentional. They are the masked defects this lint exists to surface (see mc#664). Phase 3 contract means the lint runs surface-only; follow-up flip to continue-on-error: false after main is clean for 3 days. Auth uses DRIFT_BOT_TOKEN (same as ci-required-drift.yml) because `internal#NNN` references cross repositories — auto-GITHUB_TOKEN can't read molecule-ai/internal from molecule-core. Refs: #350	2026-05-12 07:05:07 +00:00
Molecule AI · core-devops	cc6fa8717d	Merge pull request 'feat(ci): sop-checklist-gate — peer-ack merge gate (RFC#351 Phase 2)' (#688) from feat/sop-checklist-gate-mvp into main	2026-05-12 07:03:49 +00:00
Molecule AI · core-devops	771a4b2a87	Merge pull request 'feat(ci)(hard-gate): lint-mask-pr-atomicity (Tier 2d)' (#685) from feat/tier-2d-lint-mask-pr-atomicity into main	2026-05-12 07:03:48 +00:00
core-devops	76988c05cd	fix(ci): sop-checklist-gate exits 0 by default — POSTed status is the gate ... By default the gate script now exits 0 in non-dry-run mode regardless of ack state. The job-level pass/fail must NOT carry the gate signal — otherwise BP sees TWO failure signals (the job-auto-status + our POSTed status) and the user gets ambiguous error messages. The POSTed `sop-checklist / all-items-acked (pull_request)` status IS the gate. Job conclusion is informational. Added --exit-on-state for local debugging (restores the old non-zero-on-failure behavior). Default OFF — production behavior is exit 0 always. 51/51 tests still pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-12 06:13:58 +00:00
core-devops	72df12ecef	feat(ci): sop-checklist-gate — peer-ack merge gate (RFC#351 Phase 2) ... RFC#351 Step 2 of 6: implementation MVP of the SOP-checklist peer-ack merge gate. NOT yet wired to branch protection (Phase 4 needs separate authorization). What: - .gitea/sop-checklist-config.yaml — 7-item checklist with slug, numeric_alias (1..7), pr_section_marker, required_teams. Includes tier-aware failure-mode map: tier:high/medium=hard, tier:low=soft, default=hard (never silently lower the bar). - .gitea/scripts/sop-checklist-gate.py — parses PR body + comments, computes per-item ack state, posts commit-status "sop-checklist / all-items-acked (pull_request)". - .gitea/scripts/tests/test_sop_checklist_gate.py — 51 unit tests covering slug normalization, directive parsing, section-marker detection, ack-state computation (self-ack reject, revoke semantics, multi-user/multi-item, numeric aliases), tier-mode selection, and end-to-end happy path. - .gitea/workflows/sop-checklist-gate.yml — pull_request_target [opened/edited/synchronize/reopened] + issue_comment [created/edited/deleted]. Checks out BASE ref only (trust boundary per RFC#324 §A4). Mirrors qa-review/security-review patterns. Why: Hongming 2026-05-12T05:42Z asked for SOP-enforcing CI/CD that requires peer-ack on each checklist item before merge. Composes the existing patterns (scripts-lint PR-body parser + RFC#324 persona-whitelist commit-status + sop-tier-check tier-awareness) into one gate. Slash-command contract: /sop-ack <slug> [note] — register peer-ack (most-recent wins) /sop-revoke <slug> [reason] — invalidate own prior ack Slug normalization accepts kebab-case, snake_case, natural-spaces, or numeric 1..7 shorthand (all canonicalize to kebab-case via the config-driven alias table). Tests: 51/51 pass locally. Dry-run probe against PR#685 verified the full pipeline (PR fetch, comment fetch, ack computation, status description rendering inside the 140-char budget). Not yet: - Phase 3 (24h soak) - Phase 4 (BP PATCH to require this context — needs Hongming GO) - Phase 5 (cross-repo) - Phase 6 (dev-sop.md codification) - SOP_CHECKLIST_GATE_TOKEN secret provisioning (separate follow-up; fail-closed until provisioned, same as RFC_324_TEAM_READ_TOKEN pattern in qa-review.yml). Cross-links: - internal#351 (RFC body) - RFC#324 (qa-review/security-review — reused mechanism) - internal#346 (dev-sop.md SOP-14..SOP-20 — sibling rules) - feedback_pull_request_review_no_refire (why issue_comment trigger) - feedback_checkpointed_workflow_over_good_practice_doc (motivation) - feedback_fix_root_not_symptom (default-mode=hard rationale) ## What Add a SOP-checklist peer-ack merge gate: workflow + script + config + 51 unit tests. ## Why Hongming-requested mechanism to enforce SOP via CI/CD: each PR checklist item must be peer-acked before merge, with team-membership-verified ackers and tier-aware failure mode. ## Verification - 51/51 unit tests pass (slug normalization, parse_directives, section marker detection, ack-state including self-ack rejection + revoke semantics, tier-mode mapping, end-to-end happy path). - YAML lint clean (yaml.safe_load + lint-workflow-yaml.py on the new workflow — pre-existing fatals on unrelated files only). - Python syntax clean (py_compile). - Dry-run against live PR#685: PR fetch, comment enumeration, status description render all within 140-char budget — works end-to-end. ## Tier tier:medium — net-new CI workflow; no production impact; no BP change yet (Phase 4 separate auth). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-12 06:08:36 +00:00
core-devops	75af96586d	feat(ci)(hard-gate): lint-mask-pr-atomicity (Tier 2d) ... Blocks PRs that touch `.gitea/workflows/ci.yml` and modify ONLY ONE of {continue-on-error, all-required.sentinel.needs} without a `Paired: #NNN` reference in the PR body or a commit message. The split-pair class this prevents ---------------------------------- PR#665 (interim continue-on-error: true on platform-build) and PR#668 (sentinel-needs demotion of the same job) were designed as a pair but merged solo: #665 landed 04:47Z 2026-05-12, #668 still open at 05:07Z when watchdog #674 fired. ~20 min of main red + a cascade of false-positives. mc#664 was the surfaced incident. Implementation -------------- - `.gitea/scripts/lint_mask_pr_atomicity.py` — reads ci.yml at BASE_SHA and HEAD_SHA via `git show`, parses both via PyYAML AST (per feedback_behavior_based_ast_gates — NOT grep). Predicates: 1. any jobs.*.continue-on-error value diff 2. jobs.all-required.needs set diff (order-insensitive) Both → atomic, OK. Neither → no risk, OK. Exactly one → require `Paired: #NNN` in PR body or `git log base..head`. - `.gitea/workflows/lint-mask-pr-atomicity.yml` — pull_request trigger with paths filter on ci.yml + the lint files. Phase 3 (continue-on-error: true) per RFC #219 §1 ladder; follow-up flip after 3 clean days on main. - `tests/test_lint_mask_pr_atomicity.py` — 9 unit tests covering all prod branches per feedback_branch_count_before_approving: neither predicate, both atomic, coe-only/no-pair fail, needs-only/no-pair fail, coe-only/pair-in-body pass, needs-only/pair-in-commit pass, non-numeric pair rejection, ci.yml unchanged skip, newly-added ci.yml skip. Refs: #350	2026-05-11 23:06:18 -07:00
Molecule AI · core-devops	b462270201	Merge pull request 'feat(ci)(hard-gate): lint-workflow-yaml catches Gitea-1.22.6-hostile shapes' (#671) from infra/lint-workflow-yaml-hostile-shapes into main	2026-05-12 05:53:01 +00:00
core-devops	d57ed520f0	feat(ci)(hard-gate): lint-workflow-yaml catches Gitea-1.22.6-hostile shapes ... Tier-2 hardening per RFC internal#219 §1 + charter §SOP-N rule (m). New CI lint that scans .gitea/workflows/*.yml for six structurally-hostile shapes that Gitea 1.22.6 silently rejects or ambiguously parses, BEFORE they reach main. Rules (4 fatal + 1 fatal cross-file + 1 heuristic-warn): 1. on.workflow_dispatch.inputs — Gitea 1.22.6 mis-parses inputs.X as sibling event types and rejects the entire workflow with [W] ignore invalid workflow ... unknown on type. Memory: feedback_gitea_workflow_dispatch_inputs_unsupported. Origin: 2026-05-11 publish-runtime-v1.0.0 silent freeze, ~24h PyPI lag. 2. on: workflow_run — not enumerated in Gitea 1.22.6 event types (verified via modules/actions/workflows.go; task #81). Workflow registers, fires for zero events. 3. workflow name: containing / — breaks the commit-status convention <workflow> / <job> (<event>) used by sop-tier-check + status-reaper to tokenize context strings. 4. cross-file name: collision — status-routing is by name; collision yields undefined commit-status updates (status-reaper rev1 class). 5. cross-repo uses: org/repo/subpath@ref — DEFAULT_ACTIONS_URL=github resolves to github.com/<org-suspended>/... and 404s. Memory: feedback_gitea_cross_repo_uses_blocked. Cross-link: task #109. 6. (WARN, heuristic) api.github.com refs without workflow-level env.GITHUB_SERVER_URL. Memory: feedback_act_runner_github_server_url. Per halt-condition 3: downgraded to warn-not-fail to avoid the 3 known benign hits on current main (OCI source label + jq-release pin) which use https://github.com/... not https://api.github.com/. Empirical history this hardens against: - status-reaper rev1 caught rule-4 (name-collision) class fail-loud - sop-tier-refire DOA-d on rule-2 (workflow_run partial) - #319 bootstrap-paradox (chained-defect class, related) - internal#329 dispatcher race (adjacent) - 2026-05-11 publish-runtime: rule-1, 24h PyPI freeze on runtime-v1.0.0 publish Triggers: - pull_request — pre-merge gate - push to main/staging — post-merge regression catch even if the PR gate is bypassed by branch-protection drift Per RFC #219 §1 contract: continue-on-error: true on the job during the surface-broken-shapes phase. Follow-up PR flips off after the 3 existing rule-2 violations on main are migrated to a supported trigger. Existing-on-main violations surfaced by this lint (3, informational, NOT auto-fixed per halt-condition 2): - .gitea/workflows/redeploy-tenants-on-main.yml — rule 2 - .gitea/workflows/redeploy-tenants-on-staging.yml — rule 2 - .gitea/workflows/staging-verify.yml — rule 2 All three have on: workflow_run: triggers that will fire for zero events. Fix path: replace with cron or with push+paths:[upstream-yml] gate. Tracked separately (do not block this PR). Tests: tests/test_lint_workflow_yaml.py — 15 pytest cases: - 6 × per-rule violation-detected (rules 1-3,5 + rule 4 cross-file + rule 6 heuristic-warn) - 6 × per-rule clean-passes - 1 × cross-file collision detected - 1 × all-violations-aggregated single file - 1 × empty workflow dir = exit 0 - 1 × vendor-truth: the exact 2026-05-11 publish-runtime YAML shape from feedback_gitea_workflow_dispatch_inputs_unsupported is caught (per feedback_smoke_test_vendor_truth_not_shape_match: fixtures mirror real Gitea 1.22.6 semantics, not yaml-parser quirks) 15/15 tests pass locally. Lint exits 1 against current .gitea/workflows/ because of the 3 existing rule-2 violations above; that is the gate working as intended (and continue-on-error keeps the PR-status soft until the violations are migrated).	2026-05-12 05:50:55 +00:00
Molecule AI · core-devops	966e5cf59c	Merge pull request 'feat(ci)(hard-gate): lint-required-workflows-no-paths-filter' (#670) from infra/lint-required-no-paths-filter into main	2026-05-12 05:50:36 +00:00