6493 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
core-devops	7932bc4c48	chore(ssot): delete dead .github/workflows/ — Gitea is SSOT (#331 SSOT-Instance-4) ... Per CTO directive 2026-05-20 and task #347 (disabled GitHub-mirror push fleet-wide), .github/workflows/ on molecule-core is dead — Gitea Actions reads .gitea/workflows/ exclusively (memory: reference_molecule_core_actions_gitea_only), and GitHub Actions has had no real push activity since 2026-05-06 (the only post-2026-05-06 runs are dynamic CodeQL re-runs on frozen pre-suspension PRs). Empirical validation: - 24 files total in .github/workflows/. - 23 have same-name siblings in .gitea/workflows/ (port carries "Ported from .github/workflows/X on 2026-05-11 per RFC internal#219" header on most files). - 1 .github-only file: canary-staging.yml — already ported to .gitea/workflows/staging-smoke.yml on 2026-05-11 per the same RFC, Hongming directive renamed canary→smoke. Verified via header comment in staging-smoke.yml. - Last GitHub-side push event: 2026-05-06T07:06:12Z (pre-suspension). - All 24 .github/workflows/* files removed. Tooling updates needed (load-bearing): - tools/branch-protection/check_name_parity.sh: hard-coded $REPO_ROOT/.github/workflows path → switched to .gitea/workflows. Pre-existing parity findings (3x Analyze CodeQL names absent from any workflow file) are unchanged — that drift exists pre-PR and is out-of-scope (file as follow-up). - tools/branch-protection/test_check_name_parity.sh: synthetic test fixtures now create .gitea/workflows/ instead of .github/workflows/. All 6 unit tests pass after change. - .gitea/workflows/lint-required-workflows-docker-host-pinned.yml: dropped '.github/workflows/**' from path-filter triggers + dropped '.github/workflows' from the python directory-walk loop (the isdir-check would have made this a no-op cleanly, but pruning reflects current truth). Out-of-scope (NOT touched in this PR): - .github/CODEOWNERS, .github/dependabot.yml, .github/scripts/ remain (task is scoped to .github/workflows/). - COVERAGE_FLOOR.md, workspace/smoke_mode.py, workspace/main.py contain comment references to .github/workflows/* — stale docs string-references only, not behavioral. Separate follow-up. - Provenance comments inside .gitea/workflows/* of the form "Ported from .github/workflows/X on 2026-05-11" are intentionally preserved — useful history. Refs: task #331 (SSOT-Instance-4), task #347 (mirror push disabled), memory reference_molecule_core_actions_gitea_only, memory reference_per_repo_gitea_vs_github_actions_dir, RFC internal#219 §1 (the original 2026-05-11 port sweep).	2026-05-20 09:29:33 -07:00
core-devops	dd3090c894	Merge pull request 'ci: SSOT-Instance-10 — ECR registry via vars.ECR_REGISTRY (#333)' (#1611) from chore/ssot10-ecr-registry-var into main	2026-05-20 13:04:05 +00:00
core-devops	6f69c62d5b	Merge pull request 'fix(sop-checklist): stream comment pagination + RLIMIT_AS guardrail + na-fallback (task #369)' (#1610) from fix/sop-checklist-stream-pagination-oom into main	2026-05-20 13:03:49 +00:00
core-devops	bf3f044786	Merge pull request 'chore(workspace-server): drop dead runtime_image_pins migration (closes #335, supersedes #1608)' (#1612) from task335/drop-runtime-image-pins-mig-fresh into main	2026-05-20 12:59:45 +00:00
core-devops	03cee314ba	chore(workspace-server): drop dead runtime_image_pins migration (closes #335, supersedes #1608) ... Empirical finding (a6e3ff018, 2026-05-20): molecule-core's runtime_image_pins table (mig 047) has never had a writer in any repo. The reader at handlers/runtime_image_pin.go has been hitting sql.ErrNoRows on every workspace provision since mig 047 landed, silently falling through to the :latest path. CP's parallel table (CP mig 027) is the de-facto and only SSOT — it has the writer (POST /cp/admin/runtime-image/promote), the reader, the hard-gate (RFC internal#541 Step 2), seeded post-suspension digests (CP mig 028), and the admin endpoints. This PR ratifies that reality. Note: this is a fresh rebase against current main (tip f17375a9). PR #1608 was cut from a base before #1585 (RFC#596 Phase 2 dual-push) landed, so merging it would silently revert the publish-runtime.yml Gitea-PyPI-primary path. Sub-agent a5521785 flagged this on PR #1608 comment 41389. The substantive Go logic is identical to PR #1608; the only difference is the base. What - Add 20260520120000_drop_runtime_image_pins.up.sql / .down.sql to drop the unused table. Care zone PRESERVED: workspaces.runtime_image_digest column + its partial index untouched (earmarked for a future stale-workspace panel per RFC internal#617 §3). - Delete handlers/runtime_image_pin.go (the dead reader) + handlers/runtime_image_pin_test.go. - handlers/workspace_provision.go: replace resolveRuntimeImage(ctx, payload.Runtime) with Image: "" (the dead reader was already returning "" on every call). Rewire the surviving db.DB.QueryRow on this call site to QueryRowContext so the provision-timeout ctx stays load-bearing. - Doc comments in provisioner/provisioner.go + provisioner/registry.go updated to point at CP as the SSOT instead of the dead local table. - Add db/migration_20260520_drop_runtime_image_pins_test.go — static- file pin that up.sql DROPs runtime_image_pins, does NOT touch the care-zone column / index, and that the dead reader files cannot be re-added without failing the test. - Hygiene: prune the now-stranded mock.ExpectQuery("SELECT digest FROM runtime_image_pins") rows in handlers/handlers_test.go and handlers/workspace_provision_test.go (the dead reader is gone, so the mock expectation can never fire). Provisioner test comment updated to reflect CP-as-SSOT. Why Two parallel-named tables with structurally incompatible schemas, only one ever written — that is exactly the kind of internal drift feedback_no_single_source_of_truth was written about for non-vendor surfaces. The deletion is reversible (down.sql recreates the table) and the only behavior change is "ctx is now propagated into the workspace_dir DB lookup", which is a small correctness nudge. Verification - [x] go vet ./internal/handlers/... ./internal/db/... ./internal/provisioner/... — clean - [x] go build ./... — clean - [x] go test ./internal/handlers/ ./internal/db/ ./internal/provisioner/ — all pass (16.5s + 0.2s + 0.3s) - [x] New regression tests assert the care-zone column is not touched + the dead reader cannot return - [x] Empirical grep cross-check: no writer for runtime_image_pins in molecule-core; no reader for workspaces.runtime_image_digest anywhere (both confirmed in RFC internal#617 §1 + §3) - [x] Verified clean rebase: branch parent is current main tip (f17375a9), NOT pre-#1585 stale base. Diff vs main contains ONLY the migration-drop work — no .gitea/workflows/publish-runtime.yml regression. Tier tier:medium + area:schema — schema/migration change. Reversible by re-running the down-migration. Two-eye review reviewers: core-be (read path / Go) + core-qa (migration correctness). Cascade plan to ~6 live tenant DBs per RFC internal#617 §7 + feedback_image_promote_is_not_user_live (verify on at least 2 tenants post-deploy). Memory consulted: feedback_no_single_source_of_truth, feedback_image_promote_is_not_user_live, feedback_verify_actual_endstate_not_ack_follow_sop, reference_package_distribution_open_ecosystem_dual_push. RFC: molecule-ai/internal#617 Supersedes: #1608 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-20 05:30:35 -07:00
core-devops	896afc5bd7	ci: SSOT-Instance-10 — ECR registry via vars.ECR_REGISTRY (#333) ... The ECR registry triplet (account.dkr.ecr.region.amazonaws.com = 153263036946.dkr.ecr.us-east-2.amazonaws.com) is currently hardcoded in every publish/verify workflow across 4+ repos. Switching AWS accounts or regions means touching every workflow. Refactor each affected workflow's env block to source the triplet from `vars.ECR_REGISTRY` with the current prod-account literal as a bootstrap fallback. Once the org-level variable is set, the fallback becomes dead code and an account/region migration is a one-line change at the org level instead of N PRs. Pattern mirrors `vars.CP_URL || 'https://api.moleculesai.app'` already in use in molecule-core/staging-verify.yml + redeploy-tenants-on-main.yml — proven to work on Gitea 1.22.6. Constraints honored: - No cross-repo `uses:` (blocked on 1.22.6 per feedback_gitea_cross_repo_uses_blocked). - No new admin-required setup (the org-level var can be set later by CTO without touching these workflows again). - Zero functional change today (fallback literal == current hardcoded value), so the in-flight cascade (publish → ECR → redeploy-fleet) is unaffected.	2026-05-20 05:27:54 -07:00
core-devops	a224b26c0f	fix(sop-checklist): stream comment pagination + RLIMIT_AS guardrail + na-gate fallback ... PRs with thousands of bot-relay comments (e.g. mc#1242-class history) pushed `get_issue_comments` past the runner's cgroup memory cap and 137'd the gate job. Sub-agent aa8fa266 verified via SHA64 1:1 mapping that the leak source is `.gitea/scripts/sop-checklist.py:463-484` — a `while True` pagination that accumulates the FULL Gitea-API comment dict (~2 KiB median, ~3 KiB p95) into one list, then iterates it twice (compute_ack_state + compute_na_state). Fix shape (task #369): 1. `get_issue_comments` now projects to a minimal `{user.login, body}` shape during pagination — drops html_url, pull_request_url, assets, created_at/updated_at, user.avatar_url, etc. Synthetic benchmark on a 5000-comment fixture: 8.2 MiB → 5.5 MiB peak heap (~33% smaller). 2. New `iter_issue_comments` generator yields one minimal-dict per comment, allowing future streaming consumers. 3. Per-comment body cap (8 KiB, env-tunable) — the directive parser only walks for ^/sop-* markers in the first few KiB; a single pasted-CI-log comment can no longer OOM the runner. 4. Script-entry `RLIMIT_AS = 2 GiB` (skipped under SOP_CHECKLIST_NO_RLIMIT=1 for the test suite) so any future regression surfaces as a catchable MemoryError instead of SIGKILL. 5. `--max-comments` cap (default 5000, env-tunable) — at the cap we post a SOFT pending status with a `[volume-skipped]` note so neither BP nor the author gets stuck. No-block. 6. Fold in `probe()` n/a-gate fallback (was issue-355-class KeyError 'security-review'): when called from `compute_na_state` with a gate name that isn't also an item slug, fall back to the gate's own `required_teams` from config instead of KeyError'ing on `items_by_slug[slug]`. Tests: 88/88 pass (87 existing + 8 new for streaming + body-cap + na-gate fallback). Live dry-run against open PR #1608 succeeds end- to-end with state=failure (expected, no acks yet) — minimal-dict shape flows cleanly through compute_ack_state + render_status. Closes #369 follow-up to #364 OOM source. RCA: sub-agent aa8fa266 (SHA64 1:1 mapping, no overlap-correlation). Supersedes mis-targeted attempts #365 (qa-review/security-review bash) and #366 (workflow yaml). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-20 05:25:05 -07:00
core-devops	f17375a901	Merge pull request 'feat(uploads): /uploads/limits SSOT endpoint + Go-side convergence (task #320)' (#1604) from feat/uploads-limits-ssot-task-320 into main	2026-05-20 12:19:03 +00:00
infra-sre	6602361bf5	ci(publish-runtime): dual-push to Gitea PyPI primary + PyPI fallback (RFC#596 Phase 2) (#1585) ... Co-authored-by: infra-sre <infra-sre@agents.moleculesai.app> Co-committed-by: infra-sre <infra-sre@agents.moleculesai.app> runtime-v0.1.1013	2026-05-20 10:19:50 +00:00
hongming-codex-laptop	47d24be523	feat(uploads): add /uploads/limits SSOT endpoint + Go-side convergence (task #320) ... Eliminates the upload-cap drift class that produced mc#1588 (push-mode bumped to 100MB) and mc#1589 (poll-mode + DB CHECK catch-up one day later). The same five surfaces had to be hand-synced for every cap change; this PR collapses the Go-side mirrors into a single source (internal/uploads) and exposes that source via a public GET /uploads/limits endpoint so the out-of-process consumers (canvas TS, workspace Python push + poll) can converge in Phase 2 follow-ups. Source: * internal/uploads/limits.go — UploadLimits struct + DefaultUploadLimits() (per_file_bytes=100MB, per_request_bytes=100MB, max_attachments_per_message=10). JSON-tagged shape is the stable wire contract. * Pinned by internal/uploads/limits_test.go — every cap change must update this test as part of the same PR (forces a reviewer to see the cap move and audit the matching DB migration + nginx config). Endpoint: * GET /uploads/limits — public, no auth, mirrors /buildinfo rationale (platform constraint, not operational state; gating it would force pre-auth UX before learning the cap). * Cached in the binary via DefaultUploadLimits(); zero per-request DB round-trip. Go consumer convergence: * pendinguploads.MaxFileBytes — now var derived from uploads.DefaultUploadLimits().PerFileBytes (int cast preserves the int-typed API surface so len() comparisons and make([]byte, N+1) sites keep working). * handlers.chatUploadMaxBytes — now var derived from uploads.DefaultUploadLimits().PerRequestBytes (int64 for http.MaxBytesReader). * chat_files.go line 631: int64(pendinguploads.MaxFileBytes) conversion for fh.Size (multipart.FileHeader.Size is int64). * chat_files_poll_test.go: matching int64 cast in the skip-guard that compares per-file vs body cap. Tests: * internal/uploads/limits_test.go — pins values + JSON wire shape. * internal/router/uploads_limits_route_test.go — pins endpoint is public + 200 + payload matches DefaultUploadLimits + in-tree Go consumers agree with the SSOT. * Full workspace-server test suite green (go test ./... — all packages ok). Boundaries (intentional non-changes): * Cap value stays at 100MB everywhere — no behavior change for any upload. The 25→100MB bump landed in mc#1588 + mc#1589; this PR is purely the SSOT refactor. * Migration's pending_uploads.size_bytes CHECK upper bound stays at 104857600 — DB constraints can't read Go vars at runtime, so this constant lives in lockstep with DefaultUploadLimits and the migration's --comment notes the dependency. Bumping the cap is still a two-step coordinated dance (Go default + matching migration) but step 1 is now one line. * Canvas TS (MAX_UPLOAD_BYTES) + workspace Python (CHAT_UPLOAD_MAX_BYTES / MAX_FILE_BYTES) stay as their own pinned-100MB constants for this PR; the Phase 2 follow-up migrates them to fetch /uploads/limits at startup with a cache. The doc comments in chat_files.go point at this PR so reviewers of the Phase 2 PR can trace the SSOT lineage. Why the canvas + Python migrations are NOT in this PR: Each consumer needs a different cache+retry shape (canvas at app-init in a browser, workspace Python at module-load in the container, python ingest similar but distinct). Bundling all of them into a single mega-PR fails the review-able-unit test and blocks CI for hours on a single conflict. The source-first sequencing (this PR) + per-consumer follow-up PRs ships faster through 2-eye review per CTO 2026-05-19 move-fast directive.	2026-05-20 03:15:10 -07:00
core-devops	7704afcf90	chore(manifest): drop mock-bigorg from org_templates (task #337) (#1601)	2026-05-20 09:55:48 +00:00
hongming-pc2	02e305f6f5	chore(ci): retrigger publish-workspace-server-image after EACCES hotfix on PC2 WSL publish-2 (#1600) ... chore(ci): retrigger publish-workspace-server-image after EACCES hotfix on PC2 WSL publish-2 (#1600) Trigger-only � 8-line doc-comment in workflow header. Hot-patched the buildx/certs dir perms on the WSL publish runner. The push:main triggers publish-workspace-server-image.yml; the image rebuild from the unchanged main HEAD lands platform-tenant:staging-<sha> in ECR, unblocking the mc#1589 cascade (CP scoped redeploy + reno-stars 94MB PDF retry).	2026-05-20 09:40:36 +00:00
core-be	0f0f1ba28a	fix(uploads): bump poll-mode size_bytes CHECK to 100MB to match push-mode (mc#1588) (#1589) ... PR #1589 � fix(uploads): bump poll-mode size_bytes CHECK to 100MB (mc#1588 follow-up) Completes the poll-mode side of the 25?100MB upload cap raise. Storage cap + migration + tests + python ingest tweaks; chat_files.go doc-comment hunk dropped post-rebase as redundant with mc#1588. 3 non-author APPROVEs from core-qa + core-security + core-devops on the rebased head 5918031. Co-authored-by: Molecule AI · core-be <core-be@agents.moleculesai.app> Co-committed-by: Molecule AI · core-be <core-be@agents.moleculesai.app> runtime-v0.1.1011	2026-05-20 09:08:27 +00:00
infra-sre	349d3a5ca7	fix(ci): add confirm:true to redeploy-fleet callers (cp#228 contract) (#1595) ... Closes follow-up to cp#228 (44317b0). Adds confirm:true to all 4 fleet-wide callers of /cp/admin/tenants/redeploy-fleet (publish-workspace-server-image via prod-auto-deploy.py + redeploy-tenants-on-main + redeploy-tenants-on-staging + staging-verify). Pairs with cp#228 TestRedeployFleet_ConfirmTrueProceeds. 2 APPROVES from core-devops + core-qa (both independent of cp#228 author devops-engineer and this PR author infra-sre). Co-authored-by: infra-sre <infra-sre@agents.moleculesai.app> Co-committed-by: infra-sre <infra-sre@agents.moleculesai.app>	2026-05-20 08:15:06 +00:00
devops-engineer	74ba88ff27	fix(ci): drop slash from lint-no-tenant-gitea-token name (#1593) ... Closes task #307. Unblocks Production auto-deploy SOP path on publish-workspace-server-image (the manual aa375b1f curl is no longer required). Verification on this SHA: - Lint workflow YAML for Gitea-1.22.6-hostile shapes: Successful in 1m5s (cured Rule 3). - Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface: Successful in 4s (renamed, still scans). - lint-required-context-exists-in-bp: Successful in 1m33s (bp-exempt directive in def11782 satisfies Tier 2g). - CI / all-required: Successful in 7m31s. - qa-review: Refired and APPROVED by core-qa (id=4957). - security-review: Refired and APPROVED by core-security (id=4958). - sop-checklist / all-items-acked: Successful (7/7 acked). 2/2 APPROVES from core-qa + core-security (both independent of devops-engineer author).	2026-05-20 07:58:35 +00:00
devops-engineer	def11782f4	ci: add bp-exempt directive to renamed scan emission (#1593) ... The workflow-name rename in 979064f9 creates a new context emission ('Lint no tenant GITEA or GITHUB token write / Scan ...') that the lint_required_context_exists_in_bp (Tier 2g) gate flags as undeclared. The scan job is advisory (PR-review-driven, not BP-required), so the directive is bp-exempt rather than bp-required: pending. Verified locally: re-running the gate script with BASE/HEAD now exits 0 (no missing directives, no asymmetry).	2026-05-20 00:47:10 -07:00
devops-engineer	b8bf0646be	ci: empty commit to retrigger flaky runners (modules-cache miss) ... CI / Platform (Go), Handlers Postgres Integration / detect-changes, and lint-required-context-exists-in-bp all hit: Error: Cannot find module '/var/run/act/actions/1c2355.../dist/index.js' on the post-checkout step — an act_runner action-cache miss (the action artifact tarball was evicted between resolve and post-step execution). Empty commit per reference_empty_commit_is_only_rerun_mechanism_on_1_22_6 to re-fire the affected workflows.	2026-05-20 00:43:00 -07:00
devops-engineer	979064f90a	fix(ci): drop slash from lint-no-tenant-gitea-token name (task #307) ... The workflow's `name:` field contained `GITEA/GITHUB`, which trips `lint-workflow-yaml` Rule 3 (slash in workflow name breaks `<workflow> / <job> (<event>)` status-context tokenization). On 2026-05-20 aa375b1f this fatal lint blocked the Production auto-deploy job on `publish-workspace-server-image`, forcing a manual `redeploy-fleet` curl. Rename to "Lint no tenant GITEA or GITHUB token write" (the linter already documents `-` or space as the supported separators). Verification: - Pre-fix: `python3 .gitea/scripts/lint-workflow-yaml.py` → exit 1, Rule 3 FATAL on lint-no-tenant-gitea-token.yml. - Post-fix: same command → exit 0, 'no fatal Gitea-1.22.6-hostile shapes', and `pytest tests/test_lint_workflow_yaml.py` 27/27 pass. Surface unchanged: workflow still triggers on the same pull_request and push events; only the human-readable display name shifts.	2026-05-20 00:35:38 -07:00
devops-engineer	491ce1d1f0	chore(ci): retrigger publish-workspace-server-image after op-config#110 deploy (internal#603) (#1591) ... Retrigger publish-workspace-server-image after PR#110 op-config runner HOME fix. Required for workspace-server 100MB upload cap to reach tenants. Approvals: core-devops, core-security, core-qa. Co-Authored-By: hongming (CTO directive 2026-05-19)	2026-05-20 05:12:03 +00:00
devops-engineer	a23c0217ae	feat(uploads): bump cap to 100MB + correct-reason error messages (#1588) ... Bump chat upload cap 50MB → 100MB across canvas, workspace-server (Go), workspace (Python), and the nginx test harness. Pre-flight gates oversized files BEFORE network I/O so the user gets an immediate 'File too large (got X MB) — limit is 100MB' instead of a downstream timeout. Scaled abort-timeout (60s floor, ~100KB/s rate) replaces the fixed 60s that mis-attributed slow-uplink streams as 'timed out'. Resolves forensic a99ab0a1. Approvers: core-devops (id=52), core-qa (id=64), core-security (id=68). Follow-up: SSOT for upload cap (4 mirror sites) — see internal/<issue-tba>. runtime-v0.1.1010	2026-05-20 03:36:27 +00:00
infra-runtime-be	5c989fef2f	feat(uploads): bump cap to 100MB + correct-reason error messages ... CTO 2026-05-19 directive on forensic a99ab0a1 (reno-stars >50MB upload that surfaced "signal timed out" when the real cause was file-size + a fixed 60s client timeout): "if its file size issue, should have error that instead saying timeout which is wrong" Bundles the cap raise + the wrong-reason fix in ONE PR because the two are coupled — bumping the server alone would still leak the fixed-60s timeout for legitimate slow uploads; fixing the client alone would 413 every >50MB attempt. Server (push-mode, EC2 workspace): - workspace-server/internal/handlers/chat_files.go: chatUploadMaxBytes 50→100 MB httpClient.Timeout 120→1200 s (matches the new slow-uplink budget) - workspace/internal_chat_uploads.py: CHAT_UPLOAD_MAX_BYTES 50→100 MB CHAT_UPLOAD_MAX_FILE_BYTES 25→100 MB (aligned with total so a single legitimate large file succeeds end-to-end) Canvas: - canvas/src/components/tabs/chat/uploads.ts: MAX_UPLOAD_BYTES 100 MB constant + FileTooLargeError class pre-flight gate: file-size violation throws BEFORE any fetch, with the actionable "File too large (got X MB) — limit is 100MB" computeUploadTimeoutMs: 60s floor + 100 KB/s scaled deadline (was a fixed 60s — the root cause of the forensic) - canvas/src/components/tabs/chat/hooks/useChatSend.ts: mapUploadErrorToReason: routes each cause to ITS OWN message (FileTooLargeError | TimeoutError | server-Error | fallback) no conflation between file-size and connection-too-slow Tests: - workspace-server chat_files_test.go: pins 100 MB constant, asserts sub-cap forwards + over-cap non-2xx - canvas uploads.cap.test.ts (10 cases): pre-flight gate, exact-cap edge, scaled-timeout curve, server-413 propagation, AbortSignal shape — explicit negative on "TimeoutError ≠ FileTooLargeError" - canvas useChatSend.errorReason.test.ts (5 cases): per-cause message contract, explicit negatives that guard against the wrong-reason conflation Test harness mirror: - tests/harness/cf-proxy/nginx.conf: client_max_body_size 50m→100m (this is the harness mirror; the production CF / nginx tier is out-of-repo. If prod still caps at 50m, this mirror passes while prod 413s — surface to ops.) Follow-up (SSOT, NOT in this PR): The 100 MB constant now lives in THREE mirror sites (canvas TS + workspace Python + platform Go). Per feedback_no_single_source_of_truth, the proper fix is exposing the cap via GET /uploads/limits so the client fetches the live value. Filing as a separate issue. References: - task #295 (internal tracker; CTO-authorized this work) - forensic a99ab0a1 (reno-stars 2026-05-19) - feedback_surface_actionable_failure_reason_to_user (CTO 2026-05-17) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-19 20:23:04 -07:00
infra-sre	5e5e10a8dc	ci(workflows): consolidate issue_comment subscribers — sop-checklist + review-refire (issue #1280) (#1333) ... Co-authored-by: Molecule AI Infra-SRE <infra-sre@agents.moleculesai.app> Co-committed-by: Molecule AI Infra-SRE <infra-sre@agents.moleculesai.app>	2026-05-20 02:29:24 +00:00
core-be	52a31072a3	fix(autobump): trigger on scripts/build_runtime_package.py changes (#1580) ... Co-authored-by: Molecule AI · core-be <core-be@agents.moleculesai.app> Co-committed-by: Molecule AI · core-be <core-be@agents.moleculesai.app>	2026-05-20 00:27:39 +00:00
hongming	7b40a03c45	Merge pull request 'chore(workspace): trigger autobump for PDF P0 cure cascade' (#1583) from chore/trigger-autobump-2026-05-19 into main runtime-v0.1.1009	2026-05-19 22:56:58 +00:00
core-be	e9d32c09d3	chore(workspace): trigger autobump for python-multipart pin cascade	2026-05-19 15:33:54 -07:00
core-be	e89f0ce605	fix(workspace-server): rename workspace_secrets MODEL_PROVIDER → MODEL (#1581) ... 3-reviewer relay: core-devops + core-security + core-qa APPROVED. Fixes the MODEL_PROVIDER naming-confusion (abe512c2 finding). Migration 20260519000000 is idempotent. CI/all-required green. Co-authored-by: core-be <core-be@agents.moleculesai.app> Co-committed-by: core-be <core-be@agents.moleculesai.app>	2026-05-19 22:31:23 +00:00
core-be	1278d57c12	fix(workspace/deps): pin python-multipart>=0.0.27 for chat-upload Starlette parser (#1578) ... Closes PDF upload P0 root cause: Starlette Request.form() requires python-multipart at parse time. Without it, chat-uploads surfaced an opaque 400. Mirrors workspace/requirements.txt floor; >=0.0.27 avoids CVE-2024-53981. Fresh APPROVEs on 940bae15: - core-devops: review id=4879 - core-security: review id=4878 - core-qa: review id=4880 Co-authored-by: core-be <core-be@agents.moleculesai.app> Co-committed-by: core-be <core-be@agents.moleculesai.app>	2026-05-19 21:41:06 +00:00
core-devops	14d91ef032	Merge pull request 'fix(workspace/chat_uploads): surface exception class + detail in 400 response' (#1575) from fix/chat-uploads-surface-exception-in-400 into main runtime-v0.1.1008	2026-05-19 21:10:46 +00:00
core-be	5f6aa3da69	fix(workspace/chat_uploads): surface exception class + detail in 400 response ... Hermes workspace PDF upload returned opaque 400 'failed to parse multipart form' (forensic a78762a0 2026-05-19). Triage took ~25 min because the response carried no information about WHICH exception class or WHY the parser bailed — the underlying cause was a missing python-multipart dep in the PyPI runtime (fixed separately in molecule-ai-workspace-runtime#TBD). Per feedback_surface_actionable_failure_reason_to_user (CTO 2026-05-17): user-facing failures MUST tell the user WHY. This patch surfaces exception class + str(exc) in the 400 JSON body, keeping the top-level 'error' key unchanged so existing canvas / alert rules keep matching. Salvage note on mc#1524 (the wrong-RCA PR, closed): mc#1524 attributed the 400 to Starlette's max_part_size limit and proposed bumping it. That diagnosis was incorrect — Starlette only enforces max_part_size on form FIELDS (text values), not on file PARTS, so a 5 MB PDF would not trip that limit regardless of the value. The useful idea from mc#1524 — surfacing the failure reason to the caller — is salvaged here as a separate, narrowly-scoped change. Adds unit test test_malformed_multipart_returns_exception_class_and_detail which sends a boundary-mismatched body, asserts 400, and pins the response shape (error/exception/detail keys present). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-19 13:40:29 -07:00
core-devops	01226cfc73	audit: phase 1 structured audit-log — emit pkg + secrets wire-in (#1572)	2026-05-19 20:30:25 +00:00
core-devops	7054b75650	fix(ci): main-red-watchdog skips cancel-cascade entries (mc#1564) (#1571)	2026-05-19 20:23:42 +00:00
core-devops	dd4bba8913	Merge branch 'main' into infra-sre/audit-log-phase1-emit-secrets	2026-05-19 20:17:28 +00:00
core-devops	876ef122be	Merge branch 'main' into fix/main-red-watchdog-skip-cancel-cascade-mc1564	2026-05-19 20:07:19 +00:00
core-devops	b5b95de19a	test(audit): bind HashValuePrefix calls to vars to satisfy staticcheck SA4000 ... Staticcheck SA4000 flagged the stability assertion as tautological (identical expressions on both sides of !=). Bind both calls to local vars to preserve test intent (call-stability) and silence the linter. No functional change. Follow-up to mc#1572 review (core-devops lens).	2026-05-19 20:00:26 +00:00
hongming	302235da23	Merge pull request 'build(ws-server): -trimpath -ldflags="-s -w" (RFC#563)' (#1570) from feat/rfc563-ws-server-binary-strip into main	2026-05-19 19:51:15 +00:00
infra-sre	7c751ef675	audit: phase 1 structured audit-log — emit pkg + secrets wire-in ... Add internal/audit with single Emit(ctx, event_type, fields) entrypoint that ships JSON-encoded records via two transports: 1. audit:-prefixed stdout line — tenant Vector docker-logs source already ships this to Loki. No obs-stack change required. 2. Best-effort append to /var/log/molecule-audit.jsonl — durable forensic copy, target for the dedicated Vector file source in Phase 2. Schema is stable v1 (ts, event_type, workspace_id, user_id, actor_kind, correlation_id, fields). Cardinality budget keeps workspace_id + user_id + correlation_id OUT of Loki labels (JSON body only) — fleet active-stream count ~200, well within Loki headroom. Phase 1 wires secret.set and secret.delete on the workspace-scoped (POST/PUT/DELETE /workspaces/:id/secrets) and admin-scoped (POST/DELETE /admin/secrets, /settings/secrets) handlers. value_hash is the first 8 hex chars of sha256(value) — never the raw value. Tests cover: stdout emit, JSONL append, file-failure fallback, concurrent integrity, hash bounds, raw-value-never-emitted contract. Vet + handler-secret tests pass. See: rfc internal/rfcs/audit-log-to-loki.md	2026-05-19 12:22:35 -07:00
core-be	c7b523a0a9	ci(security): task #146 lint — no GITEA/GITHUB token in tenant-writer paths (#1565) ... ci(security): RFC#523 lint — no GITEA/GITHUB token in tenant-writer paths (#1565) Three non-author APPROVEs (core-devops, core-security, core-qa) + CI/all-required green. Co-authored-by: core-be <core-be@agents.moleculesai.app> Co-committed-by: core-be <core-be@agents.moleculesai.app>	2026-05-19 19:19:28 +00:00
core-devops	fcf08647c5	fix(ci): main-red-watchdog skips cancel-cascade entries — closes #1564 ... Gitea maps BOTH `action_run.status=2` (Failure) AND `status=3` (Cancelled) to commit-status string `"failure"`. On a busy `main` with `concurrency: cancel-in-progress: true`, every merge burst cancels prior in-flight runs (status=3) — those bubble to the combined-status `failure` rollup and inflate the watchdog's red%, generating phantom `[main-red]` issues (mc#1562/#1552/#1540/#1532/#1527/#1526/#1522/#1503/#1487/#1484). Per mc#1564 the cleanest filter at this layer is option B (description string): cancelled-run entries carry description `"Has been cancelled"`, real failures carry `"Failing after Ns"`. is_red() now excludes the former from the failed[] list, and combined=failure alone (no per-entry detail) only trips red when statuses[] is empty (the CI-emitter-direct edge case from render_body's existing fallback). Match is description == "Has been cancelled" exactly (after strip), not substring, so a hypothetical real-failure log line containing that phrase still counts as red. Canonical Gitea 1.22.6 enum per `models/actions/status.go`: 1=Success, 2=Failure, 3=Cancelled, 4=Skipped, 5=Waiting, 6=Running, 7=Blocked (reference: operator memory reference_gitea_action_status_enum_corrected_2026_05_19 + reference_chronic_red_sweep_cancelled_vs_failed_filter) Tests (6 new, all 36 in suite pass locally): - cancel-cascade entry alone → not red - real-failure entry alone → red (no over-filter) - mixed cancel + real → red, failed[] contains only real failures - all entries cancelled → not red (the phantom-issue case) - combined=failure + empty statuses[] → still red (preserve fallback) - exact-match contract (substring would over-match) Refs: - mc#1564 - mc#1529 (chronic-red triage that surfaced this) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-19 12:12:59 -07:00
core-be	244263430d	build(ws-server): add -trimpath -ldflags="-s -w" for smaller image (RFC#563) ... Mirror the pattern already used in molecule-controlplane/Dockerfile. Currently workspace-server only sets -X buildinfo.GitSHA; add -trimpath plus -s -w (strip symbol table + DWARF debug info) inside the same -ldflags string. The -X GitSHA injection is preserved (verified via strings(1) on locally-built binary). Empirical local measurement (CGO_ENABLED=0 GOOS=linux GOARCH=amd64, go 1.26.3, /platform binary only): before 44,669,544 bytes (42 MB) after 31,191,202 bytes (29 MB) delta 13,478,342 bytes (12 MB) — 30.2% reduction RFC#563 reports the published *image* deltas as 87 -> 61 MB (-26 MB, ~29%); the per-image figure is larger than the per-binary figure because both /platform and /memory-plugin are stripped, and the binary is one layer of the multi-layer image. Flag semantics (Go 1.26): -trimpath strip absolute build-host paths from object code (also improves reproducibility) -ldflags "-s -w" linker drops symbol table (-s) and DWARF debug info (-w); -X-injected strings are NOT in the symbol table so GitSHA survives stripping Single-purpose change: only ws-server Dockerfile + Dockerfile.tenant touched; no behavioral changes to the binaries themselves.	2026-05-19 12:03:21 -07:00
documentation-specialist	cf1438a525	docs: fix stale channel-install flag + dead GitHub-org refs (task #230) (#1566) ... Co-authored-by: documentation-specialist <documentation-specialist@agents.moleculesai.app> Co-committed-by: documentation-specialist <documentation-specialist@agents.moleculesai.app>	2026-05-19 04:05:16 +00:00
hongming	e27ce29e81	Merge pull request 'seed(workspaces): production-team agent identity (internal#492 followup to #1427)' (#1563) from feat/agent-card-identity-seed-prod-team-internal-492-followup into main	2026-05-19 03:59:35 +00:00
hongming	ec4c8d81ae	Merge pull request 'fix(handlers): RFC#524 Layer 1 — convert bare-go sites to goAsync/globalGoAsync' (#1559) from fix/rfc524-layer1-bare-go-conversion into main	2026-05-19 03:55:03 +00:00
infra-runtime-be	75b51028c3	seed(workspaces): production-team agent identity (internal#492 followup to #1427) ... PR #1427 added the platform-side reconcile (`agent_card_reconcile.go`) that pulls workspaces.name and workspaces.role into the stored agent_card on /registry/register. The reconcile only ever FILLS gaps — without a populated workspaces row it has nothing to substitute and the prod-team cards keep showing name=UUID / description="" / role=null (the exact gap internal#492 is filed against). This migration seeds name, role, and the agent_card JSONB (description + skills[]) for the 6 CTO-locked production-team workspaces (PM, Reviewer, Researcher, Dev-A, Dev-B, CEO-Assistant). Idempotent UPDATEs only — no INSERTs, no schema change, zero behaviour change for any workspace outside the prod team. Schema sources (vendor-doc-checked): - workspaces.{name,role} columns: 001_workspaces.sql - agent_card JSONB shape (name/description/skills[{id,name,description,tags,examples}]/role): workspace/main.py:197-222 - validateWorkspaceFields contract (name<=255, role<=1000, no YAML special chars `{}[]|>*&!`, no newline/CR): workspace-server/internal/handlers/workspace_crud.go:526 CEO-Assistant uses the full UUID known from workspace-server/internal/handlers/chat_files_test.go:286. The other five rows are matched by 8-char prefix LIKE — the CTO will confirm on review that each prefix resolves to a single tenant row. NOT merged — CTO review pending per the dev-tree two-eyes gate.	2026-05-19 03:41:27 +00:00
core-be	6597e2408f	fix(handlers): forward-port RFC#524 Layer 1 — convert bare-go sites to goAsync/globalGoAsync ... RFC internal#524 Layer 1 deliverable 2: extend the canonical db.DB race-fix primitive (69d9b4e3, already on main via the 0e13a801 staging-promote) to the ~25 sibling bare-`go` sites that 69d9b4e3 left untouched. Without this, a SecretsHandler.Set's detached restartFunc, or a2a_proxy's extractAndUpsertTokenUsage, or a delegation goroutine still races a later test's setupTestDB t.Cleanup db.DB swap — exactly the data-race class that 69d9b4e3 fixed for the WorkspaceHandler path. What changed ============ - workspace.go: add package-level `globalAsync` sync.WaitGroup + `globalGoAsync(fn)` helper + `waitGlobalAsyncForTest()` drain. Same shape as h.goAsync but reachable from sibling handlers that don't carry a *WorkspaceHandler. - handlers_test.go: drainTestAsync now drains globalAsync alongside the per-handler asyncWGs. - Converted bare-`go` → tracked goroutine at 27 call sites: secrets.go (7) — restartFunc fan-out + restartAllAffected templates.go (6) — h.wh.RestartByID after file/template ops template_import.go (3) — h.wh.RestartByID after Import/ReplaceFiles plugins_install.go (2) — restartFunc after uninstall (both paths) plugins_install_pipeline.go (2) — restartFunc after install admin_plugin_drift.go (1) — restartFunc on drift apply registry.go (1) — drainQueue on heartbeat capacity a2a_proxy.go (1) — extractAndUpsertTokenUsage (db.DB INSERT) delegation.go (1) — executeDelegation (DB-touching pipeline) mcp_tools.go (1) — async MCP delegate (db.DB read+write) channels.go (1) — async HandleInbound webhook delivery org_import.go (1) — provisionWorkspaceAuto fan-out - Annotated 6 connection/lifecycle-scoped goroutines with `goAsync-exempt` (RFC Layer 2.2 contract): a2a_proxy.go applyIdleTimeout — SSE idle-timer, no db.DB access socket.go (2) — WebSocket Read/WritePump, conn-lifetime terminal.go (3) — PTY <-> WS bridges, conn-lifetime eic_tunnel_pool.go (group) — pool janitor + cleanup closures - rfc524_layer1_async_drain_test.go: new regression test asserting drainTestAsync waits for BOTH per-handler asyncWG AND the package-level globalAsync — fails fast if either drain side is dropped. Verification ============ - `go vet ./internal/handlers/` : clean - `go test -race -count=1 ./internal/handlers/` : ok 28.6s - `go test -race -count=10 ./internal/handlers/` : ok 4m15s (RFC Layer 5 nightly target) - `go test -race -shuffle=on -count=1 ...` : ok 26.6s The 4 `TestExecuteDelegation_*` tests were already un-Skipped on main (via the staging→main backsync); Layer 1.3 of the RFC is therefore already satisfied. Verified passing under -race in this run. Layer 1 of RFC internal#524 is now complete on main. Layers 2-5 stay as separate PRs per the RFC sequencing. Refs ==== - RFC internal#524 (5-layer roadmap) - molecule-core commit 69d9b4e3 (canonical fix on staging, promoted to main via 0e13a801) - molecule-core#664, #774 (continue-on-error masks) - task #240 (no staging→main auto-promotion — why the gap existed) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-19 03:40:48 +00:00
hongming	517327aa1e	Merge pull request 'fix(ci): repair docker-host guardrail follow-up' (#1561) from fix/ci-docker-host-guardrail-red into main	2026-05-19 03:39:50 +00:00
claude-ceo-assistant	00351b4551	fix(ci): repair docker-host guardrail follow-up	2026-05-18 19:50:13 -07:00
hongming	c6e89219e1	Merge pull request 'ci: pin docker-bound workflows to docker-host + add lint guardrail (mc#1529 follow-on, internal#512)' (#1558) from ci/docker-host-pin-mc-1529-followon into main	2026-05-19 02:16:37 +00:00
hongming	c8fbcced3d	Merge pull request 'fix(ci): pin handlers-postgres-integration to docker-host label (mc#1529)' (#1543) from fix/handlers-pg-pin-docker-host-mc1529 into main	2026-05-19 02:13:02 +00:00
hongming	685f6d19f4	Merge pull request 'test(e2e): fix-specific coverage for today's merged PRs (mc#1525/1535/1536/1539/1542)' (#1557) from test/e2e-todays-pr-coverage into main	2026-05-19 01:57:33 +00:00
hongming	f5cc9493bb	Merge pull request 'feat(security): RFC#523 3-layer forbidden-env guardrail for tenant workspaces (task #146)' (#1555) from feat/146-forbidden-env-guard into main runtime-v0.1.1007	2026-05-19 01:57:30 +00:00