6666 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
core-devops	14d91ef032	Merge pull request 'fix(workspace/chat_uploads): surface exception class + detail in 400 response' (#1575) from fix/chat-uploads-surface-exception-in-400 into main runtime-v0.1.1008	2026-05-19 21:10:46 +00:00
core-be	5f6aa3da69	fix(workspace/chat_uploads): surface exception class + detail in 400 response ... Hermes workspace PDF upload returned opaque 400 'failed to parse multipart form' (forensic a78762a0 2026-05-19). Triage took ~25 min because the response carried no information about WHICH exception class or WHY the parser bailed — the underlying cause was a missing python-multipart dep in the PyPI runtime (fixed separately in molecule-ai-workspace-runtime#TBD). Per feedback_surface_actionable_failure_reason_to_user (CTO 2026-05-17): user-facing failures MUST tell the user WHY. This patch surfaces exception class + str(exc) in the 400 JSON body, keeping the top-level 'error' key unchanged so existing canvas / alert rules keep matching. Salvage note on mc#1524 (the wrong-RCA PR, closed): mc#1524 attributed the 400 to Starlette's max_part_size limit and proposed bumping it. That diagnosis was incorrect — Starlette only enforces max_part_size on form FIELDS (text values), not on file PARTS, so a 5 MB PDF would not trip that limit regardless of the value. The useful idea from mc#1524 — surfacing the failure reason to the caller — is salvaged here as a separate, narrowly-scoped change. Adds unit test test_malformed_multipart_returns_exception_class_and_detail which sends a boundary-mismatched body, asserts 400, and pins the response shape (error/exception/detail keys present). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-19 13:40:29 -07:00
core-devops	01226cfc73	audit: phase 1 structured audit-log — emit pkg + secrets wire-in (#1572)	2026-05-19 20:30:25 +00:00
core-devops	7054b75650	fix(ci): main-red-watchdog skips cancel-cascade entries (mc#1564) (#1571)	2026-05-19 20:23:42 +00:00
core-devops	dd4bba8913	Merge branch 'main' into infra-sre/audit-log-phase1-emit-secrets	2026-05-19 20:17:28 +00:00
core-devops	876ef122be	Merge branch 'main' into fix/main-red-watchdog-skip-cancel-cascade-mc1564	2026-05-19 20:07:19 +00:00
core-devops	b5b95de19a	test(audit): bind HashValuePrefix calls to vars to satisfy staticcheck SA4000 ... Staticcheck SA4000 flagged the stability assertion as tautological (identical expressions on both sides of !=). Bind both calls to local vars to preserve test intent (call-stability) and silence the linter. No functional change. Follow-up to mc#1572 review (core-devops lens).	2026-05-19 20:00:26 +00:00
hongming	302235da23	Merge pull request 'build(ws-server): -trimpath -ldflags="-s -w" (RFC#563)' (#1570) from feat/rfc563-ws-server-binary-strip into main	2026-05-19 19:51:15 +00:00
infra-sre	7c751ef675	audit: phase 1 structured audit-log — emit pkg + secrets wire-in ... Add internal/audit with single Emit(ctx, event_type, fields) entrypoint that ships JSON-encoded records via two transports: 1. audit:-prefixed stdout line — tenant Vector docker-logs source already ships this to Loki. No obs-stack change required. 2. Best-effort append to /var/log/molecule-audit.jsonl — durable forensic copy, target for the dedicated Vector file source in Phase 2. Schema is stable v1 (ts, event_type, workspace_id, user_id, actor_kind, correlation_id, fields). Cardinality budget keeps workspace_id + user_id + correlation_id OUT of Loki labels (JSON body only) — fleet active-stream count ~200, well within Loki headroom. Phase 1 wires secret.set and secret.delete on the workspace-scoped (POST/PUT/DELETE /workspaces/:id/secrets) and admin-scoped (POST/DELETE /admin/secrets, /settings/secrets) handlers. value_hash is the first 8 hex chars of sha256(value) — never the raw value. Tests cover: stdout emit, JSONL append, file-failure fallback, concurrent integrity, hash bounds, raw-value-never-emitted contract. Vet + handler-secret tests pass. See: rfc internal/rfcs/audit-log-to-loki.md	2026-05-19 12:22:35 -07:00
core-be	c7b523a0a9	ci(security): task #146 lint — no GITEA/GITHUB token in tenant-writer paths (#1565) ... ci(security): RFC#523 lint — no GITEA/GITHUB token in tenant-writer paths (#1565) Three non-author APPROVEs (core-devops, core-security, core-qa) + CI/all-required green. Co-authored-by: core-be <core-be@agents.moleculesai.app> Co-committed-by: core-be <core-be@agents.moleculesai.app>	2026-05-19 19:19:28 +00:00
core-devops	fcf08647c5	fix(ci): main-red-watchdog skips cancel-cascade entries — closes #1564 ... Gitea maps BOTH `action_run.status=2` (Failure) AND `status=3` (Cancelled) to commit-status string `"failure"`. On a busy `main` with `concurrency: cancel-in-progress: true`, every merge burst cancels prior in-flight runs (status=3) — those bubble to the combined-status `failure` rollup and inflate the watchdog's red%, generating phantom `[main-red]` issues (mc#1562/#1552/#1540/#1532/#1527/#1526/#1522/#1503/#1487/#1484). Per mc#1564 the cleanest filter at this layer is option B (description string): cancelled-run entries carry description `"Has been cancelled"`, real failures carry `"Failing after Ns"`. is_red() now excludes the former from the failed[] list, and combined=failure alone (no per-entry detail) only trips red when statuses[] is empty (the CI-emitter-direct edge case from render_body's existing fallback). Match is description == "Has been cancelled" exactly (after strip), not substring, so a hypothetical real-failure log line containing that phrase still counts as red. Canonical Gitea 1.22.6 enum per `models/actions/status.go`: 1=Success, 2=Failure, 3=Cancelled, 4=Skipped, 5=Waiting, 6=Running, 7=Blocked (reference: operator memory reference_gitea_action_status_enum_corrected_2026_05_19 + reference_chronic_red_sweep_cancelled_vs_failed_filter) Tests (6 new, all 36 in suite pass locally): - cancel-cascade entry alone → not red - real-failure entry alone → red (no over-filter) - mixed cancel + real → red, failed[] contains only real failures - all entries cancelled → not red (the phantom-issue case) - combined=failure + empty statuses[] → still red (preserve fallback) - exact-match contract (substring would over-match) Refs: - mc#1564 - mc#1529 (chronic-red triage that surfaced this) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-19 12:12:59 -07:00
core-be	244263430d	build(ws-server): add -trimpath -ldflags="-s -w" for smaller image (RFC#563) ... Mirror the pattern already used in molecule-controlplane/Dockerfile. Currently workspace-server only sets -X buildinfo.GitSHA; add -trimpath plus -s -w (strip symbol table + DWARF debug info) inside the same -ldflags string. The -X GitSHA injection is preserved (verified via strings(1) on locally-built binary). Empirical local measurement (CGO_ENABLED=0 GOOS=linux GOARCH=amd64, go 1.26.3, /platform binary only): before 44,669,544 bytes (42 MB) after 31,191,202 bytes (29 MB) delta 13,478,342 bytes (12 MB) — 30.2% reduction RFC#563 reports the published *image* deltas as 87 -> 61 MB (-26 MB, ~29%); the per-image figure is larger than the per-binary figure because both /platform and /memory-plugin are stripped, and the binary is one layer of the multi-layer image. Flag semantics (Go 1.26): -trimpath strip absolute build-host paths from object code (also improves reproducibility) -ldflags "-s -w" linker drops symbol table (-s) and DWARF debug info (-w); -X-injected strings are NOT in the symbol table so GitSHA survives stripping Single-purpose change: only ws-server Dockerfile + Dockerfile.tenant touched; no behavioral changes to the binaries themselves.	2026-05-19 12:03:21 -07:00
documentation-specialist	cf1438a525	docs: fix stale channel-install flag + dead GitHub-org refs (task #230) (#1566) ... Co-authored-by: documentation-specialist <documentation-specialist@agents.moleculesai.app> Co-committed-by: documentation-specialist <documentation-specialist@agents.moleculesai.app>	2026-05-19 04:05:16 +00:00
hongming	e27ce29e81	Merge pull request 'seed(workspaces): production-team agent identity (internal#492 followup to #1427)' (#1563) from feat/agent-card-identity-seed-prod-team-internal-492-followup into main	2026-05-19 03:59:35 +00:00
hongming	ec4c8d81ae	Merge pull request 'fix(handlers): RFC#524 Layer 1 — convert bare-go sites to goAsync/globalGoAsync' (#1559) from fix/rfc524-layer1-bare-go-conversion into main	2026-05-19 03:55:03 +00:00
infra-runtime-be	75b51028c3	seed(workspaces): production-team agent identity (internal#492 followup to #1427) ... PR #1427 added the platform-side reconcile (`agent_card_reconcile.go`) that pulls workspaces.name and workspaces.role into the stored agent_card on /registry/register. The reconcile only ever FILLS gaps — without a populated workspaces row it has nothing to substitute and the prod-team cards keep showing name=UUID / description="" / role=null (the exact gap internal#492 is filed against). This migration seeds name, role, and the agent_card JSONB (description + skills[]) for the 6 CTO-locked production-team workspaces (PM, Reviewer, Researcher, Dev-A, Dev-B, CEO-Assistant). Idempotent UPDATEs only — no INSERTs, no schema change, zero behaviour change for any workspace outside the prod team. Schema sources (vendor-doc-checked): - workspaces.{name,role} columns: 001_workspaces.sql - agent_card JSONB shape (name/description/skills[{id,name,description,tags,examples}]/role): workspace/main.py:197-222 - validateWorkspaceFields contract (name<=255, role<=1000, no YAML special chars `{}[]|>*&!`, no newline/CR): workspace-server/internal/handlers/workspace_crud.go:526 CEO-Assistant uses the full UUID known from workspace-server/internal/handlers/chat_files_test.go:286. The other five rows are matched by 8-char prefix LIKE — the CTO will confirm on review that each prefix resolves to a single tenant row. NOT merged — CTO review pending per the dev-tree two-eyes gate.	2026-05-19 03:41:27 +00:00
core-be	6597e2408f	fix(handlers): forward-port RFC#524 Layer 1 — convert bare-go sites to goAsync/globalGoAsync ... RFC internal#524 Layer 1 deliverable 2: extend the canonical db.DB race-fix primitive (69d9b4e3, already on main via the 0e13a801 staging-promote) to the ~25 sibling bare-`go` sites that 69d9b4e3 left untouched. Without this, a SecretsHandler.Set's detached restartFunc, or a2a_proxy's extractAndUpsertTokenUsage, or a delegation goroutine still races a later test's setupTestDB t.Cleanup db.DB swap — exactly the data-race class that 69d9b4e3 fixed for the WorkspaceHandler path. What changed ============ - workspace.go: add package-level `globalAsync` sync.WaitGroup + `globalGoAsync(fn)` helper + `waitGlobalAsyncForTest()` drain. Same shape as h.goAsync but reachable from sibling handlers that don't carry a *WorkspaceHandler. - handlers_test.go: drainTestAsync now drains globalAsync alongside the per-handler asyncWGs. - Converted bare-`go` → tracked goroutine at 27 call sites: secrets.go (7) — restartFunc fan-out + restartAllAffected templates.go (6) — h.wh.RestartByID after file/template ops template_import.go (3) — h.wh.RestartByID after Import/ReplaceFiles plugins_install.go (2) — restartFunc after uninstall (both paths) plugins_install_pipeline.go (2) — restartFunc after install admin_plugin_drift.go (1) — restartFunc on drift apply registry.go (1) — drainQueue on heartbeat capacity a2a_proxy.go (1) — extractAndUpsertTokenUsage (db.DB INSERT) delegation.go (1) — executeDelegation (DB-touching pipeline) mcp_tools.go (1) — async MCP delegate (db.DB read+write) channels.go (1) — async HandleInbound webhook delivery org_import.go (1) — provisionWorkspaceAuto fan-out - Annotated 6 connection/lifecycle-scoped goroutines with `goAsync-exempt` (RFC Layer 2.2 contract): a2a_proxy.go applyIdleTimeout — SSE idle-timer, no db.DB access socket.go (2) — WebSocket Read/WritePump, conn-lifetime terminal.go (3) — PTY <-> WS bridges, conn-lifetime eic_tunnel_pool.go (group) — pool janitor + cleanup closures - rfc524_layer1_async_drain_test.go: new regression test asserting drainTestAsync waits for BOTH per-handler asyncWG AND the package-level globalAsync — fails fast if either drain side is dropped. Verification ============ - `go vet ./internal/handlers/` : clean - `go test -race -count=1 ./internal/handlers/` : ok 28.6s - `go test -race -count=10 ./internal/handlers/` : ok 4m15s (RFC Layer 5 nightly target) - `go test -race -shuffle=on -count=1 ...` : ok 26.6s The 4 `TestExecuteDelegation_*` tests were already un-Skipped on main (via the staging→main backsync); Layer 1.3 of the RFC is therefore already satisfied. Verified passing under -race in this run. Layer 1 of RFC internal#524 is now complete on main. Layers 2-5 stay as separate PRs per the RFC sequencing. Refs ==== - RFC internal#524 (5-layer roadmap) - molecule-core commit 69d9b4e3 (canonical fix on staging, promoted to main via 0e13a801) - molecule-core#664, #774 (continue-on-error masks) - task #240 (no staging→main auto-promotion — why the gap existed) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-19 03:40:48 +00:00
hongming	517327aa1e	Merge pull request 'fix(ci): repair docker-host guardrail follow-up' (#1561) from fix/ci-docker-host-guardrail-red into main	2026-05-19 03:39:50 +00:00
claude-ceo-assistant	00351b4551	fix(ci): repair docker-host guardrail follow-up	2026-05-18 19:50:13 -07:00
hongming	c6e89219e1	Merge pull request 'ci: pin docker-bound workflows to docker-host + add lint guardrail (mc#1529 follow-on, internal#512)' (#1558) from ci/docker-host-pin-mc-1529-followon into main	2026-05-19 02:16:37 +00:00
hongming	c8fbcced3d	Merge pull request 'fix(ci): pin handlers-postgres-integration to docker-host label (mc#1529)' (#1543) from fix/handlers-pg-pin-docker-host-mc1529 into main	2026-05-19 02:13:02 +00:00
hongming	685f6d19f4	Merge pull request 'test(e2e): fix-specific coverage for today's merged PRs (mc#1525/1535/1536/1539/1542)' (#1557) from test/e2e-todays-pr-coverage into main	2026-05-19 01:57:33 +00:00
hongming	f5cc9493bb	Merge pull request 'feat(security): RFC#523 3-layer forbidden-env guardrail for tenant workspaces (task #146)' (#1555) from feat/146-forbidden-env-guard into main runtime-v0.1.1007	2026-05-19 01:57:30 +00:00
hongming	71ad3ffe1d	Merge pull request 'fix(sop-checklist): widen ack eligibility per RFC#450 Option C (closes internal#442)' (#1554) from fix/sop-checklist-widen-ack-internal-442 into main	2026-05-19 01:57:08 +00:00
hongming	a3fc350c6e	Merge pull request 'test(e2e): local prod-mimic backend for peer-visibility MCP gate + make e2e-peer-visibility (task #166)' (#1551) from e2e/peer-visibility-local-backend-task166 into main	2026-05-19 01:57:06 +00:00
hongming	57364c1bed	Merge pull request 'ci: arm64-lane pilot (additive shellcheck on Mac runner) [#233]' (#1553) from ci/mac-arm64-pilot-shellcheck into main	2026-05-19 01:56:16 +00:00
hongming	acc149e18e	Merge pull request 'fix(canvas/chat): surface actionable error reason in chat banner + link to Activity tab (internal#212)' (#1550) from fix/canvas-surface-error-detail into main	2026-05-19 01:56:12 +00:00
hongming	83ad7e252b	Merge pull request 'fix(workspace-server): surface secret-safe error_detail on ACTIVITY_LOGGED (internal#212)' (#1549) from fix/wsserver-broadcast-error-detail into main	2026-05-19 01:56:10 +00:00
hongming	509bad2c68	ci: pin docker-bound workflows to docker-host + add lint guardrail ... Class defect (internal#512 + mc#1529 + today's oc#81/82/83 + autogen#8): the `ubuntu-latest` label is advertised by BOTH the Linux operator-host runners (molecule-runner-*) AND Windows act_runner v1.0.3 on hongming-pc-runner-*. Job placement is non-deterministic. When a docker-bound job lands on a Windows runner, `docker run`/`docker login`/`docker compose` fail with platform-specific errors and the job hard-fails — placement-dependent, not transient. Followon to mc#1543 (handlers-postgres-integration). Three more lanes needed the same pin: - e2e-api.yml: docker run/exec for postgres + redis containers - e2e-chat.yml: docker run/exec for postgres + redis containers - harness-replays.yml: docker compose ... ps/logs for tenant-alpha/beta canvas-deploy-reminder is NOT pinned — its `docker compose ...` only appears inside a markdown heredoc written to GITHUB_STEP_SUMMARY; it does not exec docker. Adds `lint-required-workflows-docker-host-pinned.yml` to catch future regressions: any workflow whose YAML touches `docker exec` or uses docker/* actions but doesn't pin every job's runs-on to `docker-host` or `publish` fails the lint. Comment-only mentions of docker are excluded (strip-`#` lines before regex). Fail-closed (per feedback_never_skip_ci). This eliminates the manual-pin maintenance burden the CTO flagged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 18:42:33 -07:00
hongming	d27df740f5	Merge pull request 'fix(ws-server): close self-fire restart feedback loop (internal#544)' (#1556) from fix/ws-server-self-fire-restart-loop into main	2026-05-19 01:40:54 +00:00
core-qa	ab8ff865e4	test(e2e): add fix-specific E2E coverage for today's merged PRs (mc#1525/1535/1536/1539/1542) ... Per E2E coverage audit 2026-05-18: today's merged platform PRs landed with unit-test coverage only. This adds one consolidated bash E2E (tests/e2e/test_today_pr_coverage_e2e.sh) that exercises each fix through the real HTTP / activity-log path with no mocks of the unit-under-fix, and wires it into the existing e2e-api.yml lane after the poll-mode chat-upload step. What the test asserts: - Section A (mc#1535 + mc#1536): provisions two workspaces back-to-back, pulls /workspaces/:id/external/connection, regex-extracts the `claude mcp add <NAME>` server slug from each install snippet, and asserts (1) both start with `molecule-` (per-workspace, not literal `molecule`) and (2) the two slugs DIFFER (no overwrite class). Codex TOML table key uniqueness is checked too when the codex tab is in the build. - Section B (mc#1525 + mc#1542): probes /admin/workspaces/:id/debug for the presence of GIT_HTTP_USERNAME and GIT_ASKPASS keys in workspace_secrets — pre-#1542 the GIT_HTTP_* key was absent entirely; pre-#1525 there was no env-only askpass wiring. Value-emptiness is tolerated on the dev platform where no persona is seeded (presence is the post-fix regression contract). - Section C (mc#1539): self-delegates via POST /workspaces/:id/delegate with target=self and asserts (a) the API gate returns structured rejection OR (b) no activity_logs rows with source_id=our_uuid AND method != 'delegate_result' surface — the inbox-poller predicate the fix added. Polls activity for 2s, counts violating rows, fails closed on > 0. Why E2E (not just unit): - mc#1525 + mc#1542 ship a unit test that only checks the loader; the REAL contract is "git ls-remote rc=0 inside the container with the env the provisioner builds". This test probes the produced workspace_secrets map at the platform end — one step short of in- container exec, which the e2e-api lane lacks docker-exec privilege for, but materially closer than the loader-only unit. - mc#1535 + mc#1536 unit-tested the slug helper in isolation; the bug was that the SNIPPET STRINGS shipped to the user still had hardcoded `molecule` in the codex/openclaw/hermes branches. The E2E pulls the literal user-facing strings. - mc#1539 unit-tested the inbox _is_self_echo predicate; the E2E hits the actual /delegate → activity-log → poll path. Test pattern follows tests/e2e/test_activity_e2e.sh (set -uo pipefail, check/check_not helpers, BASE default, cleanup at end). EXIT cleanup deletes both provisioned workspaces. Time-bound: 60s default, override via E2E_TIMEOUT. CI-runnable on the existing e2e-api lane (postgres + redis + workspace-server already provisioned earlier in the same job). Refs: PR audit memo 2026-05-18; pairs with feedback_verify_actual_endstate_not_ack_follow_sop (presence-of-end- state-not-ack rule). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 18:30:33 -07:00
core-devops	4bf87d122d	fix(ws-server): close self-fire restart feedback loop (internal#544) ... Three-layer cohesive fix for the 2026-05-19 ~00:05-00:09Z 4x reprov thrash class observed on prod-Reviewer + prod-Researcher: a single secrets PUT fanned out into 4x stop+provision cycles per workspace within 4 min, each stopping the just-launched (still-pending) EC2 of the previous cycle. Root-caused via Loki (provision.ec2_started / ec2_stopped pairs). Empirical chain (all in workspace-server/internal/handlers/): 1. secrets.go SetSecret → go h.restartFunc → coalesceRestart cycle. 2. runRestartCycle sets url='' synchronously, then async provisions EC2. 3. During 20-30s pending window: url='' AND cpProv.IsRunning()==false — indistinguishable from a dead container. 4. Canvas /delegations poll OR the trailing restart-context probe fires ProxyA2A → maybeMarkContainerDead OR preflightContainerHealth → RestartByID → loop. 5. coalesceRestart's pending flag drains by running ANOTHER full cycle → ec2_stopped of the just-booted instance → re-provision. Fix (single PR, three interdependent layers): L1) Restart-aware health probes — workspace_restart.go exposes isRestarting(workspaceID) bool. Both maybeMarkContainerDead and preflightContainerHealth early-return false/nil while a restart cycle is in flight. Breaks the self-fire at the probe layer. L2) Restart-context probe gate — sendRestartContext now requires url != '' AND last_heartbeat_at > restart_start_ts before firing the trailing ProxyA2A probe. Adds waitForFreshHeartbeat() next to waitForWorkspaceOnline. Belt-and-suspenders so the probe never tries until the new container is actually addressable. L3) RestartByID debounce — silent-drop successive RestartByID calls within restartDebounceWindow=60s of restartStartedAt. Not coalesce (which would still drain to another full cycle). Drop is observable via restartByIDDropCounter (atomic.Uint64) + the dropped log line. Only programmatic path; HTTP Restart handler is unaffected. Tests: - TestIsRestarting_{FalseWhenNoStateEntry,TrueWhileCycleRunning} - TestMaybeMarkContainerDead_SkippedWhileRestarting (L1) - TestPreflightContainerHealth_SkippedWhileRestarting (L1) - TestRestartByID_DebounceSilentDrop (L3, counter assertion) - TestRestartByID_DebounceExpiresAfterWindow (L3, window release) - TestRestartByID_SingleProvisionPerRestart (regression — asserts exactly 1 cycle per trigger, with 4 dropped self-fire probes) Existing coalesce/restart/preflight/maybeMarkContainerDead tests remain green. Full handlers suite: ok in 15.8s. Closes internal#544. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 18:24:09 -07:00
core-security	aabf933a5c	feat(security): RFC#523 3-layer forbidden-env guardrail for tenant workspaces (task #146) ... Refuse to start a tenant workspace if any operator-fleet-scope env var name is present. Threat model: a leaked GITEA_TOKEN / CP_ADMIN_API_TOKEN / RAILWAY_TOKEN / INFISICAL_OPERATOR_TOKEN / MOLECULE_OPERATOR_* in a tenant container would let a compromised agent escalate from "compromise of one workspace" to "compromise of the whole platform." 3-layer defense-in-depth: L1 — provisioner-side fail-closed abort (Go): workspace_provision_forbidden_env.go + prepareProvisionContext hook. Runs immediately after loadWorkspaceSecrets, BEFORE the per-agent persona GIT_HTTP_* injection that legitimately sets a fallback GITEA_TOKEN. Catches leaks from the operator-controlled stores (global_secrets, workspace_secrets). The existing forensic #145 silent-strip guard in provisioner.buildContainerEnv stays as defense-in-depth. L2 — workspace/entrypoint.sh top-of-file env-grep + exit 1: Fires if both upstream layers are bypassed (e.g. docker run -e GITEA_TOKEN=... standalone). MOLECULE_TENANT_GUARD_DISABLE=1 bypass for local-dev. POSIX-portable (busybox/alpine/debian). L3 — .gitea/workflows/lint-forbidden-env-keys.yml: Scans workspace-server/internal/**.go for new code that hardcodes a forbidden env-var name. Exempts the deny-set definitions + the pre-existing persona-fallback paths whose downstream silent-strip + new L1 fail-closed already cover the runtime risk. Tests: - L1: TestIsForbiddenTenantEnvKey_ExactMatches, TestIsForbiddenTenantEnvKey_PrefixMatches, TestFindForbiddenTenantEnvKeys_NoneAndEmpty, TestFindForbiddenTenantEnvKeys_SingleAndMultipleSorted, TestFormatForbiddenTenantEnvError_Phrasing - L2: workspace/tests/test_entrypoint_forbidden_env_guard.sh (12 cases — clean/per-agent/each-forbidden/prefix/disable-flag) - L3: verified locally that current tree passes + synthetic offender is caught Open-source-template-friendly: the deny set lives in Go and YAML constants, not hardcoded in any open-source template's start.sh. Per memory feedback_open_source_templates_no_hardcoded_org_internals, templates published as separate repos (template-codex / template- hermes / template-openclaw) get their L2 added in follow-up template PRs with a fork-friendly default deny set (no MOLECULE_-specific literal). The MOLECULE_OPERATOR_ prefix appears only in the internal claude-code template's entrypoint.sh. Refs: - RFC#523 (internal#523) - Task #146 - memory feedback_passwords_in_chat_are_burned - memory feedback_per_agent_gitea_identity_default - memory feedback_open_source_templates_no_hardcoded_org_internals - memory feedback_check_vendor_docs_and_actual_source_before_guess_api_shape (POSIX env-set semantics verified via shell test; Go os.Environ / map[string]string contract verified via go test) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 18:22:08 -07:00
hongming	11cd1b4c40	fix(sop-checklist): widen ack eligibility per RFC#450 Option C (closes internal#442) ... The sop-checklist senior-ack gate has been blocking PRs because `root-cause` and `no-backwards-compat` required `[managers, ceo]` acks, but every managers/ceo persona token is dead (uid:0 / 401) and the `ceo` team is one human. Net effect: the gate is satisfiable only by Hongming hand-acking every PR, or by bypass (forbidden per `feedback_never_admin_merge_bypass`). Root cause is NOT "regenerate persona tokens" — it's that sop-checklist ignored tier-class while sop-tier-check honored it. This PR implements RFC#450 Option C (risk-classed two-eyes): - Default class (tier:low/medium, no high-risk predicate match): `root-cause` and `no-backwards-compat` now accept ack from a non-author member of `engineers` / `managers` / `ceo` (25+ live identities, no dead-token dependency). - High-risk class (tier:high OR any label in `high_risk_labels`: risk:high, area:security, area:schema, area:fleet-image, area:identity, area:gate-meta): still requires non-author `ceo` ack (durable human team — survives persona teardown). Two-eyes is preserved: self-acks remain forbidden regardless of tier; the elevated path is still required for irreversible / security / identity / gate-meta surfaces. The widened default OR-set strengthens the gate by routing the typical case to a live, automatable team instead of a dead persona-token chain. Mechanism: - `.gitea/sop-checklist-config.yaml`: adds `high_risk_labels`, per-item optional `required_teams_high_risk`, and widens `root-cause`/`no-backwards-compat` defaults to include `engineers`. - `.gitea/scripts/sop-checklist.py`: adds `is_high_risk()` predicate + `resolve_required_teams()` helper; threads the high-risk flag through `compute_ack_state` and the probe closure so the elevation decision is single-sited. Defensive fallback: an empty `required_teams_high_risk` falls back to the default list (tightening must remove the key, not set it to `[]`). - Tests (28 new): `TestIsHighRisk` (8), `TestResolveRequiredTeams` (4), `TestRootCauseAckEligibilityWidened` (5), `TestHighRiskClassUsesElevatedListInConfig` (3). All 79 tests pass. Refs internal#442, RFC#450.	2026-05-18 18:19:13 -07:00
hongming	4d6be109c7	ci: add arm64-lane pilot (additive shellcheck on Mac runner) ... Mac-CI dual-track #233 pilot. Adds a single additive non-required workflow that targets [self-hosted, arm64] runners and runs shellcheck against .gitea/scripts/*.sh. Until a Mac arm64 runner is registered with the `arm64` label, this workflow sits PENDING, which is fine — `arm64` is NOT in branch_protections/main.status_check_contexts (only 'CI / all-required (pull_request)' is required, verified live via API). Why shellcheck for the pilot: pure userspace, no docker.sock, no privileged ops, identical output across arm64/amd64, narrow blast radius. A clean signal for whether the lane works. Pairs with internal#543 (RFC: Mac arm64 native multi-arch runner-base). 88 LoC, well under the <=100 line guidance. No required gate changes.	2026-05-18 18:16:02 -07:00
core-devops	2de81cdd85	build(make): expose e2e-peer-visibility target + fix help filter for digit-containing names (task #166) ... Wires the local peer-visibility MCP gate into the Makefile so a developer can run it via `make e2e-peer-visibility` against an already-up local prod-mimic stack (`make up`), without remembering the bash path. This is the dev-side counterpart to the CI job added in the same commit on this branch — together they close task #166's "wire into local-E2E gate" ask. The help-line grep regex didn't include digits, so the new e2e-peer-visibility target was correctly defined but invisible to `make help`. Adds [0-9] to the character class and widens the label column to 22 chars so longer target names line up. Other targets are unaffected. NOT auto-merged (per task #166 instructions). See PR body for the verification + the manual command for ad-hoc runs without the make target. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 17:51:43 -07:00
core-qa	84cba60ec2	test(e2e): add LOCAL backend for the peer-visibility MCP gate ... PR #1298 added the peer-visibility gate but staging-only. Per the standing rule that the local prod-mimic stack must run a MANDATORY local-Postgres E2E BEFORE staging E2E (feedback_local_must_mimic_ production, feedback_mandatory_local_e2e_before_ship, feedback_local_ test_before_staging_e2e), peer-visibility must also run locally so regressions are caught fast/cheap instead of late on cold EC2. - Factor the byte-identical assertion core out of test_peer_visibility_mcp_staging.sh into tests/e2e/lib/ peer_visibility_assert.sh::pv_assert_runtime. It drives the literal JSON-RPC tools/call name=list_peers envelope to POST /workspaces/:id/ mcp via each workspace's OWN bearer through the real WorkspaceAuth + MCPRateLimiter chain, with the same anti-proxy / anti-native-fallback guarantees. NOT a proxy: no registry row, /health, heartbeat, or GET /registry/:id/peers. Only provisioning differs per backend. - Refactor the staging script to source the shared lib (assertion byte-identical; provisioning/teardown/exit-codes unchanged). - Add tests/e2e/test_peer_visibility_mcp_local.sh: local docker-compose backend — POST /workspaces directly, e2e_mint_test_token for the MCP bearer (same model test_priority_runtimes_e2e.sh / test_api.sh use, no new credential flow), wait online, run the shared assertion, scoped per-workspace teardown only (feedback_cleanup_after_each_test, feedback_never_run_cluster_cleanup_tests_on_live_platform). bash-3.2- safe (no associative arrays) so it runs on local macOS dev boxes too. - Wire a peer-visibility-local job into e2e-peer-visibility.yml, bootstrapped exactly like e2e-api.yml's proven E2E API Smoke Test (per-run container names + ephemeral ports, go build, background platform-server). Runs on PR + push (local boot is minutes, not the 30+ min cold-EC2 path), so peer-visibility is part of the local gate that fires before the staging E2E. Its OWN non-required status context `E2E Peer Visibility (local)` — non-required-by-design like the staging job, HONEST gate with NO continue-on-error mask (feedback_fix_root_not_symptom); flip-to-required tracked at #1296 via the bp-required: pending directive. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 17:50:01 -07:00
core-devops	44affbde24	fix(canvas/chat): surface actionable error reason in chat banner + link to Activity tab (internal#212) ... The chat error banner used to render the hardcoded "Agent error (Exception) — see workspace logs for details." string regardless of what the workspace runtime actually reported, and the "workspace logs" reference pointed at a tab that does not exist (there is no separate Logs tab in the side panel — the Activity tab is the workspace-logs surface). Per CTO feedback on internal#211 / #212: "the user can only act if they can see why." useChatSocket now forwards the new ACTIVITY_LOGGED.error_detail field (introduced server-side in the matching ws-server PR) into onSendError. When present, the canvas shows the secret-safe reason verbatim (provider HTTP status + error code + human-readable message); when absent — older ws-server build — it gracefully degrades to the legacy boilerplate so we never silently swallow a failure. A new ChatErrorBanner component renders the banner with a working "View activity log" button that fires setPanelTab("activity"), turning the dangling "see workspace logs" pointer into a real affordance. The existing offline-Restart button is preserved. Tests pin: hook forwards detail when present, falls back when absent, ignores cross-workspace error events; banner renders the actionable text, falls back to legacy message when that is all we have, button navigates to Activity tab, Restart preserved when offline, null message renders nothing. Refs: internal#212, feedback_surface_actionable_failure_reason_to_user	2026-05-18 17:39:09 -07:00
hongming	c5534700f8	Merge branch 'main' into fix/handlers-pg-pin-docker-host-mc1529	2026-05-19 00:34:42 +00:00
hongming	81825575f9	Merge pull request 'fix(provisioner): inject GIT_HTTP_USERNAME/PASSWORD env from persona token (closes Dev-A/B durable git auth gap from mc#1525)' (#1542) from fix/provisioner-inject-git-http-creds-from-persona-token into main	2026-05-19 00:34:07 +00:00
hongming	22d2f8a6fc	Merge pull request 'fix(ci): remove 3 silently-dead .github/ workflows using workflow_run (task #81)' (#1541) from fix/ci-remove-dead-workflow-run-task81 into main	2026-05-19 00:33:40 +00:00
hongming	a053ca6f72	Merge pull request 'fix(runtime): close self-delegation echo gap in builtin_tools + inbox kind classification (#190 / #193)' (#1539) from fix/self-delegation-echo-runtime-builtin-tools into main runtime-v0.1.1006	2026-05-19 00:33:36 +00:00
hongming	dfc9d91ccd	Merge pull request 'docs: fix stale channel-install + Molecule-AI org references (#230)' (#1538) from fix/docs-stale-channel-install-task230 into main	2026-05-19 00:32:52 +00:00
hongming	9fb7060e9c	Merge pull request 'feat(canvas): homepage SEO for marketing launch (mc#1486)' (#1537) from feat/homepage-seo-mc-1486 into main	2026-05-19 00:32:50 +00:00
hongming	567937e2bc	Merge pull request 'fix(canvas): extend mc#1535 per-workspace MCP slug to codex/openclaw/hermes/kimi (multi-workspace class sweep)' (#1536) from fix/multi-workspace-install-snippets-class-sweep into main runtime-v0.1.1005	2026-05-19 00:28:47 +00:00
core-devops	94eff31c20	fix(workspace-server): surface secret-safe error_detail on ACTIVITY_LOGGED broadcast (internal#212) ... When an a2a_receive row is persisted with status="error" the DB column error_detail already carries the actionable cause (provider HTTP status, error code, provider human message). The live ACTIVITY_LOGGED broadcast dropped it, so the canvas chat-tab error banner fell back to a hardcoded "Agent error (Exception) — see workspace logs for details." string with no logs tab to navigate to. Include error_detail in the broadcast payload, omitted when nil so the canvas's "has actionable reason" guard doesn't false-positive on empty keys. Defense-in-depth: a sanitizeErrorDetailForBroadcast scrubber redacts anything that looks credential-shaped (bearer tokens, sk- prefixed API keys, JWTs) while preserving the actionable parts (status codes, error codes, human-readable provider messages) — over- redacting would defeat the whole point of internal#212. Tests pin: detail surfaces on the wire, omitted when nil, scrubber removes secret shapes but keeps actionable text, scrubber survives the broadcast round-trip. Refs: internal#212	2026-05-18 17:28:41 -07:00
hongming	80a5f51c27	Merge pull request 'fix(a2a-mcp): use readline() not read(65536) for pipe-safe stdio (openclaw peer-visibility root cause)' (#1307) from fix/a2a-mcp-stdio-pipe-blocking-readline into main	2026-05-19 00:28:29 +00:00
core-devops	5687a71476	fix(ci): pin handlers-postgres-integration to docker-host label (mc#1529) ... The workflow's "Start sibling Postgres" step hard-fails when the operator-host bridge network `molecule-core-net` is missing. PC2 runners (hongming-pc-runner-*) advertise `ubuntu-latest` but don't have that network — when the job was scheduled there, the bridge- inspect check correctly errored out. Result: ~30% chronic-red on main pushes (mc#1529 sweep, last 20 commits). Pin both jobs to the `docker-host` label, which only the operator-host runners (molecule-runner-1..20) carry. detect-changes doesn't strictly need the bridge but co-locating the jobs avoids volume-cross-host edge cases. mc#1529 §1 of 4 root causes.	2026-05-18 17:15:00 -07:00
infra-sre	95c84021c2	fix(provisioner): inject GIT_HTTP_USERNAME/PASSWORD env from persona token ... Closes the durable-git-auth gap left by template-claude-code#30 + mc#1525 for the prod-team workspaces (agent-dev-a / agent-dev-b / agent-pm). The askpass binary + GIT_ASKPASS env wiring shipped in the template image and ws-server side respectively, but no code path in workspace-server actually read the persona's git token from the operator-host bootstrap dir and exported it as the askpass-readable env-var pair. Without this, the askpass helper invokes with empty password env and git fails the auth challenge in <500ms (live- verified for Dev-A/Dev-B 2026-05-18 ~23:55Z via EC2 instance-connect docker exec). The new applyAgentGitHTTPCreds helper reads $MOLECULE_PERSONA_ROOT/<role>/token (defaulting to /etc/molecule-bootstrap/personas/<role>/token, the canonical operator-host bootstrap-kit path) and emits GIT_HTTP_USERNAME + GIT_HTTP_PASSWORD into the workspace envVars map. Why a dedicated env-var pair instead of reusing GITEA_USER / GITEA_TOKEN: the provisioner's forensic #145 SCM-write-token denylist strips GITEA_TOKEN by exact key name before docker run. The same token bytes shipped under the generic GIT_HTTP_PASSWORD key survive transport because askpass reads that lane first. GITEA_USER + GITEA_TOKEN are ALSO set for the askpass fallback chain; GITEA_TOKEN is then dropped by buildContainerEnv as designed, but the GIT_HTTP_PASSWORD lane already carries the bytes the in-container helper needs. Wired into prepareProvisionContext (the mode-agnostic shared prep step both Docker and SaaS paths call) so Dev-A/Dev-B on EC2 + any future local-Docker prod-team workspace pick it up without duplicating the call site. Runs AFTER applyAgentGitIdentity so workspace_secrets named GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD (operator-supplied via POST /workspaces/:id/secrets) win over the persona-file default. Silent no-op for: empty role, multi-word descriptive roles ("Frontend Engineer") that fail isSafeRoleName, missing persona dir, empty token file, traversal-attempt role names. These cases fall through to the existing workspace_secrets / org-import persona-env merge path unchanged. No hardcoded git.moleculesai.app — the env-var pair is generic askpass protocol and works for any git remote the deployer points GIT_ASKPASS at. Security note: this routes around forensic #145 by name (the denylist is exact-key-match, not key-substring). For the prod-team identities (agent-dev-{a,b,pm}) this is the explicitly- designed shape per reference_prod_team_infisical_identities (per-agent Gitea identities with pull+push, NO admin, NOT in any merge-whitelist — merge stays gated by hardened BP 2-approvals+CI per reference_merge_gate_model_changed_2026_05_18). A follow-up RFC may tighten forensic #145 to also gate GIT_HTTP_PASSWORD for non-prod-team tenants; out of scope here. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 17:11:12 -07:00
infra-sre	aff482a43c	fix(ci): remove silently-dead .github/ workflows using workflow_run trigger (task #81) ... Three workflows under .github/workflows/ used `on: workflow_run:`, an event Gitea 1.22.6 does not support (per feedback_pull_request_review_no_refire family + lint-workflow-yaml Rule 2). They were also living in the wrong directory: molecule-core's Gitea Actions runtime reads ONLY .gitea/workflows/ (per reference_molecule_core_actions_gitea_only). So these files were doubly dead — wrong path AND unsupported trigger. Two of them already have working replacements under .gitea/workflows/ that landed in commit 2ee7cb14 (2026-05-12, replaced workflow_run with push+paths). The third (canary-verify.yml) was superseded by staging-verify.yml (push-on-staging) + staging-smoke.yml (schedule). Removed → live replacement: - .github/workflows/canary-verify.yml → .gitea/workflows/staging-verify.yml (push+paths) + .gitea/workflows/staging-smoke.yml (schedule cron) - .github/workflows/redeploy-tenants-on-main.yml → .gitea/workflows/redeploy-tenants-on-main.yml (workflow_dispatch) - .github/workflows/redeploy-tenants-on-staging.yml → .gitea/workflows/redeploy-tenants-on-staging.yml (push+paths) No runtime behavior change — these files were never executed by the Gitea Actions runner. Removing them eliminates the dead-letter risk: an operator scanning .github/workflows/ would otherwise believe an auto-redeploy chain still exists post-publish, which it does not. Refs: feedback_gitea_workflow_dispatch_inputs_unsupported, reference_molecule_core_actions_gitea_only, feedback_pull_request_review_no_refire. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-19 00:09:57 +00:00