molecule-core

Author	SHA1	Message	Date
fullstack-engineer	0e13a80121	chore: promote staging→main (chat E2E + accumulated fixes) Some checks failed E2E Chat / detect-changes (pull_request) Successful in 1m21s Details Harness Replays / detect-changes (pull_request) Successful in 55s Details publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 38s Details publish-runtime-autobump / pr-validate (pull_request) Successful in 1m8s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m42s Details qa-review / approved (pull_request) Failing after 35s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m26s Details gate-check-v3 / gate-check (pull_request) Successful in 48s Details security-review / approved (pull_request) Failing after 30s Details sop-checklist / all-items-acked (pull_request) Successful in 22s Details sop-tier-check / tier-check (pull_request) Successful in 27s Details lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Failing after 2m52s Details Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 2m20s Details Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 3m0s Details Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 2m9s Details lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 3m17s Details E2E Chat / E2E Chat (pull_request) Failing after 18s Details lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 3m21s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m29s Details Harness Replays / Harness Replays (pull_request) Failing after 2m0s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3m22s Details CI / Python Lint & Test (pull_request) Successful in 7m54s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m59s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 6m38s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 10m56s Details CI / Canvas (Next.js) (pull_request) Successful in 22m58s Details CI / Platform (Go) (pull_request) Successful in 23m43s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details CI / all-required (pull_request) Successful in 18s Details Promotes the following staging-only changes to main: - feat(e2e): stabilize Playwright chat tests for desktop + mobile (PR #1142) - feat(workspace): broadcast and talk-to-user platform abilities - feat(adapter-base): ProviderRegistry type + resolve_provider_routing - fix(staging): OFFSEC-010 CP config wiring + CWE-78 rows.Err fixes - fix(staging): restore goAsync tracking in dispatch calls - fix(ci): needs-based all-required sentinel - fix(canvas): load chat history in MobileChat (closes #1062) Merge-conflict resolutions: - ThemeToggle.tsx: take staging (INDEX_SIZE_ERR test fix) - MobileChat.tsx + test: take staging (shared hooks refactor) - workspace_broadcast.go: take main (OFFSEC-015 org isolation) - org_helpers.go + tests: combine both (CWE-78 guard + rows.Err) - secrets.go: take staging (descriptive rows.Err log messages) - workspace.go: combine (goAsync tracking + SaaS tier hard-gate) - cp_provisioner.go: combine (OFFSEC-010 comments + main formatting) - ci.yml: combine (mc#774 trackers + all-required needs cleanup) - test_a2a_offsec003_sanitization.py: delete (redundant per mc#62d38667)	2026-05-15 15:20:52 -07:00
hongming-codex-laptop	5a05302cd6	fix(broadcast): OFFSEC-015 — scope recipients to sender's org Some checks failed CI / Shellcheck (E2E scripts) (pull_request) Successful in 59s Details CI / all-required (pull_request) Successful in 28s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 34s Details publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped Details Harness Replays / detect-changes (pull_request) Successful in 35s Details CI / Detect changes (pull_request) Successful in 2m31s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m38s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 1m44s Details Check migration collisions / Migration version collision check (pull_request) Successful in 3m22s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Failing after 42s Details gate-check-v3 / gate-check (pull_request) Failing after 54s Details MCP Stdio Transport Regression / MCP stdio with regular-file stdout (pull_request) Successful in 3m45s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m14s Details publish-runtime-autobump / pr-validate (pull_request) Successful in 1m31s Details security-review / approved (pull_request) Failing after 37s Details qa-review / approved (pull_request) Failing after 39s Details sop-checklist / all-items-acked (pull_request) Successful in 36s Details sop-tier-check / tier-check (pull_request) Successful in 36s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 2m0s Details Harness Replays / Harness Replays (pull_request) Successful in 22s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m48s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4m26s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3m54s Details CI / Python Lint & Test (pull_request) Successful in 8m37s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 8m55s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 10m33s Details audit-force-merge / audit (pull_request) Successful in 28s Details CI / Platform (Go) (pull_request) Successful in 23m46s Details CI / Canvas (Next.js) (pull_request) Failing after 24m35s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Previously POST /workspaces/:id/broadcast collected every non-removed workspace in the database, allowing a workspace in Org-A to broadcast to every workspace in Org-B, Org-C, etc. Fix: walk parent_id chain with a recursive CTE to find the sender's org root, then filter recipients to workspaces sharing that root. Same isolation pattern as hotfix #1157 (staging) — port to this main-target PR so the cherry-pick doesn't ship the vulnerable original. Adds workspace_broadcast_test.go from #1157 with: - TestBroadcast_OrgScopedRecipients (cross-org isolation regression) - TestBroadcast_OrgScoped_OrgRootSender - TestBroadcast_OrgScoped_ChildWorkspaceSender - + NotFound / Disabled / EmptyOrg / InvalidID coverage Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-15 12:30:03 -07:00
hongming-codex-laptop	29b4bffb13	feat(workspace): add broadcast and talk-to-user platform abilities Two new workspace-level ability flags (broadcast_enabled, talk_to_user_enabled) with full backend enforcement, MCP tool, and canvas UI: - Migration: adds broadcast_enabled (default false) and talk_to_user_enabled (default true) columns to workspaces table - PATCH /workspaces/:id/abilities (AdminAuth) toggles either flag independently - POST /workspaces/:id/broadcast (WorkspaceAuth) fans out a broadcast_receive activity_log entry + WS BROADCAST_MESSAGE event to all non-removed peers; requires broadcast_enabled=true on the sender - AgentMessageWriter checks talk_to_user_enabled; returns ErrTalkToUserDisabled which surfaces as HTTP 403 on /notify and the send_message_to_user MCP tool - broadcast_message MCP tool added to registry + a2a_tools_messaging.py - Canvas ChatTab shows "Agent is not enabled to chat with you" banner with Enable button when talkToUserEnabled=false on the workspace node Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 12:03:08 -07:00
Molecule AI App-FE	5dc1e462de	fix(external-workspace): pin molecule-ai-workspace-runtime>=0.1.999 in OpenClaw snippet (#1143 ) Some checks are pending Staging SaaS smoke (every 30 min) / Staging SaaS smoke (push) Has started running Details gate-check-v3 / gate-check (push) Has started running Details Sweep stale Cloudflare DNS records / Sweep CF orphans (push) Has started running Details ci-required-drift / drift (push) Has started running Details Runtime Pin Compatibility / PyPI-latest install + import smoke (push) Has started running Details Railway pin audit (drift detection) / Audit Railway env vars for drift-prone pins (push) Has started running Details Handlers Postgres Integration / detect-changes (push) Successful in 25s Details Harness Replays / detect-changes (push) Successful in 22s Details CI / Detect changes (push) Successful in 58s Details E2E API Smoke Test / detect-changes (push) Successful in 59s Details Secret scan / Scan diff for credential-shaped strings (push) Successful in 21s Details E2E Staging Canvas (Playwright) / detect-changes (push) Successful in 1m1s Details Harness Replays / Harness Replays (push) Successful in 13s Details Runtime PR-Built Compatibility / detect-changes (push) Successful in 1m11s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 53s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Successful in 4m7s Details E2E API Smoke Test / E2E API Smoke Test (push) Successful in 6m36s Details Handlers Postgres Integration / Handlers Postgres Integration (push) Successful in 7m11s Details CI / Python Lint & Test (push) Successful in 8m23s Details publish-workspace-server-image / build-and-push (push) Successful in 13m9s Details CI / Canvas (Next.js) (push) Successful in 21m39s Details CI / Platform (Go) (push) Successful in 23m7s Details CI / all-required (push) Successful in 27m51s Details CI / Canvas Deploy Reminder (push) Successful in 13s Details main-red-watchdog / watchdog (push) Has started running Details Sweep stale e2e-* orgs (staging) / Sweep e2e orgs (push) Successful in 28s Details Sweep stale Cloudflare Tunnels / Sweep CF tunnels (push) Successful in 1m0s Details Continuous synthetic E2E (staging) / Synthetic E2E against staging (push) Successful in 5m52s Details gitea-merge-queue / queue (push) Successful in 27s Details status-reaper / reap (push) Successful in 3m26s Details fix(external-workspace): pin molecule-ai-workspace-runtime>=0.1.999 in OpenClaw snippet Ensures the molecule-mcp console script (heartbeat + register-on-startup) is present on install. Older versions only ship a2a_mcp_server which does not heartbeat, causing workspaces to go OFFLINE within 60s. Closes openclaw keepalive regression. Co-authored-by: Molecule AI App-FE <app-fe@agents.moleculesai.app> Co-committed-by: Molecule AI App-FE <app-fe@agents.moleculesai.app>	2026-05-15 07:35:57 +00:00
hongming-codex-laptop	026d1c5fae	feat(workspace): add broadcast and talk-to-user platform abilities Two new workspace-level ability flags (broadcast_enabled, talk_to_user_enabled) with full backend enforcement, MCP tool, and canvas UI: - Migration: adds broadcast_enabled (default false) and talk_to_user_enabled (default true) columns to workspaces table - PATCH /workspaces/:id/abilities (AdminAuth) toggles either flag independently - POST /workspaces/:id/broadcast (WorkspaceAuth) fans out a broadcast_receive activity_log entry + WS BROADCAST_MESSAGE event to all non-removed peers; requires broadcast_enabled=true on the sender - AgentMessageWriter checks talk_to_user_enabled; returns ErrTalkToUserDisabled which surfaces as HTTP 403 on /notify and the send_message_to_user MCP tool - broadcast_message MCP tool added to registry + a2a_tools_messaging.py - Canvas ChatTab shows "Agent is not enabled to chat with you" banner with Enable button when talkToUserEnabled=false on the workspace node Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 00:19:44 -07:00
core-devops	ec3e27a4ec	fix(ci): needs-based all-required sentinel + remove needs:changes from build jobs (fixes #1083 ) Some checks failed Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m28s Details publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped Details publish-runtime-autobump / pr-validate (pull_request) Successful in 57s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m29s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 25s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 52s Details lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 2m30s Details Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m46s Details Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 2m28s Details qa-review / approved (pull_request) Failing after 40s Details security-review / approved (pull_request) Failing after 38s Details lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 2m31s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s Details Ops Scripts Tests / Ops scripts (unittest) (pull_request) Failing after 1m22s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m43s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m39s Details Harness Replays / Harness Replays (pull_request) Failing after 1m57s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3m4s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5m41s Details CI / Python Lint & Test (pull_request) Successful in 7m30s Details Block internal-flavored paths / Block forbidden paths (pull_request) Failing after 14m44s Details CI / Canvas (Next.js) (pull_request) Failing after 14m26s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 8m42s Details CI / Platform (Go) (pull_request) Failing after 20m0s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details gate-check-v3 / gate-check (pull_request) Successful in 20s Details sop-checklist / all-items-acked (pull_request) Successful in 25s Details sop-tier-check / tier-check (pull_request) Successful in 39s Details lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Successful in 2m29s Details CI / all-required (pull_request) Failing after 10m29s Details - platform-build: drop `needs: changes`; change per-step `if:` conditions from `needs.changes.outputs.platform == 'true'` to `if: always()` and the skip step from `!= 'true'` to `if: false`. Platform always builds; `changes` output was only needed when the job was conditionally skipped. - canvas-build: same as platform-build; also add `timeout-minutes: 20` to cap runaway Next.js builds. - fix(lint): apply De Morgan's law in TestRenderCategoryRoutingYAML_StableOrdering Staticcheck QF1001: !(ai < mi && mi < zi) → ai >= mi \|\| mi >= zi. Rebased on staging `4cc0e32a`. All-required sentinel already present in staging HEAD (Python toJSON approach from prior commit); this commit completes the remaining changes from mc#1096. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-14 20:10:51 -07:00
hongming-codex-laptop	106baadf2b	ci: fix platform staticcheck lint Some checks failed Block internal-flavored paths / Block forbidden paths (push) Successful in 26s Details CI / Detect changes (push) Successful in 1m5s Details CI / Shellcheck (E2E scripts) (push) Successful in 50s Details Harness Replays / detect-changes (push) Successful in 28s Details E2E API Smoke Test / detect-changes (push) Successful in 54s Details Secret scan / Scan diff for credential-shaped strings (push) Successful in 23s Details Handlers Postgres Integration / detect-changes (push) Successful in 1m8s Details Runtime PR-Built Compatibility / detect-changes (push) Successful in 48s Details E2E Staging Canvas (Playwright) / detect-changes (push) Successful in 1m9s Details Sweep stale Cloudflare DNS records / Sweep CF orphans (push) Successful in 24s Details ci-required-drift / drift (push) Successful in 2m22s Details CI / Python Lint & Test (push) Successful in 7m52s Details publish-workspace-server-image / build-and-push (push) Successful in 10m3s Details CI / Canvas (Next.js) (push) Successful in 18m10s Details Harness Replays / Harness Replays (push) Successful in 13s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 20s Details CI / Platform (Go) (push) Successful in 19m30s Details CI / all-required (push) Successful in 19m25s Details E2E API Smoke Test / E2E API Smoke Test (push) Successful in 2m49s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Failing after 4m12s Details Handlers Postgres Integration / Handlers Postgres Integration (push) Failing after 5m31s Details publish-workspace-server-image / Production auto-deploy (push) Successful in 2m22s Details Sweep stale Cloudflare Tunnels / Sweep CF tunnels (push) Successful in 21s Details CI / Canvas Deploy Reminder (push) Successful in 11s Details Continuous synthetic E2E (staging) / Synthetic E2E against staging (push) Has started running Details Sweep stale e2e-* orgs (staging) / Sweep e2e orgs (push) Successful in 16s Details Staging SaaS smoke (every 30 min) / Staging SaaS smoke (push) Successful in 4m57s Details main-red-watchdog / watchdog (push) Successful in 1m18s Details	2026-05-14 18:12:21 -07:00
hongming-codex-laptop	6b80dca1f4	fix: preserve Claude Code provider registry in generated configs Some checks failed CI / Canvas Deploy Reminder (push) Blocked by required conditions Details publish-workspace-server-image / Production auto-deploy (push) Blocked by required conditions Details Block internal-flavored paths / Block forbidden paths (push) Successful in 18s Details CI / Shellcheck (E2E scripts) (push) Successful in 37s Details CI / Detect changes (push) Successful in 1m6s Details Harness Replays / detect-changes (push) Successful in 17s Details E2E Staging SaaS (full lifecycle) / pr-validate (push) Successful in 1m3s Details E2E API Smoke Test / detect-changes (push) Successful in 1m9s Details E2E Staging Canvas (Playwright) / detect-changes (push) Successful in 1m12s Details Handlers Postgres Integration / detect-changes (push) Successful in 57s Details Secret scan / Scan diff for credential-shaped strings (push) Successful in 19s Details Runtime PR-Built Compatibility / detect-changes (push) Successful in 52s Details E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (push) Successful in 5m42s Details CI / Python Lint & Test (push) Successful in 7m49s Details publish-workspace-server-image / build-and-push (push) Successful in 9m37s Details Sweep stale Cloudflare Tunnels / Sweep CF tunnels (push) Successful in 23s Details CI / Canvas (Next.js) (push) Successful in 17m28s Details CI / Platform (Go) (push) Failing after 17m53s Details Harness Replays / Harness Replays (push) Successful in 8s Details CI / all-required (push) Failing after 17m19s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 10s Details E2E API Smoke Test / E2E API Smoke Test (push) Successful in 2m31s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Successful in 2m57s Details Handlers Postgres Integration / Handlers Postgres Integration (push) Successful in 5m20s Details main-red-watchdog / watchdog (push) Successful in 1m11s Details gate-check-v3 / gate-check (push) Compensated by status-reaper (workflow has no push: trigger; Gitea 1.22.6 hardcoded-suffix bug — see .gitea/scripts/status-reaper.py) Details Staging SaaS smoke (every 30 min) / Staging SaaS smoke (push) Compensated by status-reaper (workflow has no push: trigger; Gitea 1.22.6 hardcoded-suffix bug — see .gitea/scripts/status-reaper.py) Details	2026-05-14 17:33:22 -07:00
hongming-codex-laptop	420ac2f00d	ci: update instructions handler test expectations Some checks failed CI / Canvas Deploy Reminder (push) Blocked by required conditions Details publish-workspace-server-image / build-and-push (push) Waiting to run Details publish-workspace-server-image / Production auto-deploy (push) Blocked by required conditions Details Block internal-flavored paths / Block forbidden paths (push) Successful in 30s Details CI / Detect changes (push) Successful in 1m7s Details CI / Shellcheck (E2E scripts) (push) Successful in 40s Details E2E Staging Canvas (Playwright) / detect-changes (push) Successful in 1m4s Details E2E API Smoke Test / detect-changes (push) Successful in 1m15s Details Harness Replays / detect-changes (push) Successful in 22s Details Secret scan / Scan diff for credential-shaped strings (push) Successful in 23s Details Handlers Postgres Integration / detect-changes (push) Successful in 1m42s Details Runtime PR-Built Compatibility / detect-changes (push) Successful in 1m0s Details status-reaper / reap (push) Has started running Details Sweep stale e2e-* orgs (staging) / Sweep e2e orgs (push) Successful in 17s Details Harness Replays / Harness Replays (push) Successful in 10s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 10s Details E2E API Smoke Test / E2E API Smoke Test (push) Successful in 2m8s Details CI / Python Lint & Test (push) Successful in 7m36s Details Staging SaaS smoke (every 30 min) / Staging SaaS smoke (push) Successful in 5m12s Details Continuous synthetic E2E (staging) / Synthetic E2E against staging (push) Successful in 5m3s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Successful in 2m59s Details CI / Canvas (Next.js) (push) Has been cancelled Details CI / Platform (Go) (push) Has been cancelled Details CI / all-required (push) Has been cancelled Details Handlers Postgres Integration / Handlers Postgres Integration (push) Has been cancelled Details gitea-merge-queue / queue (push) Successful in 22s Details	2026-05-14 16:25:55 -07:00
Molecule AI Core-BE	e9693e12ff	fix(handlers): add rows.Err() checks across approvals, tokens, instructions Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 21s Details CI / Detect changes (pull_request) Successful in 52s Details Harness Replays / detect-changes (pull_request) Successful in 19s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 53s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 21s Details gate-check-v3 / gate-check (pull_request) Successful in 23s Details qa-review / approved (pull_request) Successful in 25s Details security-review / approved (pull_request) Successful in 22s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 59s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 55s Details sop-tier-check / tier-check (pull_request) Successful in 25s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m27s Details CI / Canvas (Next.js) (pull_request) Successful in 12s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 7s Details CI / Python Lint & Test (pull_request) Successful in 7s Details Harness Replays / Harness Replays (pull_request) Successful in 7s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m17s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5m39s Details sop-checklist / all-items-acked (pull_request) [info tier:low] acked: 2/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +2 — body-unfilled: comprehensive-testing, l Details CI / Platform (Go) (pull_request) Failing after 8m46s Details CI / all-required (pull_request) Successful in 9s Details audit-force-merge / audit (pull_request) Successful in 24s Details Standard CWE-78 pattern (same class as CWE-78-rows-err hotfix #1071): iterating over sql.Rows without checking rows.Err() after the loop silently ignores connection errors. Add the deferred Err() check to: - approvals.go: ListPendingApprovals (GET /approvals) - approvals.go: List (GET /workspaces/:id/approvals) - tokens.go: List (GET /workspaces/:id/tokens) - instructions.go: Resolve handler (GET /workspaces/:id/instructions/resolve) - instructions.go: scanInstructions helper (used by List handler) 🤖 Generated with [Claude Code](https://claude.com/claude-code)	2026-05-14 23:22:18 +00:00
Molecule AI Core-BE	bcca139caa	fix(handlers): add rows.Err() checks to loadWorkspaceSecrets Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 13s Details Harness Replays / detect-changes (pull_request) Successful in 10s Details CI / Detect changes (pull_request) Successful in 15s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 14s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 16s Details gate-check-v3 / gate-check (pull_request) Successful in 15s Details security-review / approved (pull_request) Successful in 15s Details qa-review / approved (pull_request) Successful in 15s Details sop-checklist / all-items-acked (pull_request) Successful in 17s Details sop-tier-check / tier-check (pull_request) Successful in 18s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 20s Details Harness Replays / Harness Replays (pull_request) Successful in 5s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 21s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 4s Details CI / Python Lint & Test (pull_request) Successful in 3s Details CI / Canvas (Next.js) (pull_request) Successful in 4s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m11s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m47s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4m28s Details CI / Platform (Go) (pull_request) Failing after 9m12s Details CI / all-required (pull_request) Successful in 6s Details loadWorkspaceSecrets() iterates over global_secrets and workspace_secrets rows without checking rows.Err() after the loop. If the connection is interrupted mid-iteration, the error is silently ignored. Add the standard deferred Err() check (pattern from secrets.go, org_helpers.go) to both loops. 🤖 Generated with [Claude Code](https://claude.com/claude-code)	2026-05-14 23:18:12 +00:00
Molecule AI Core-BE	6cf6e608d8	fix(staging): add isCPTemplateConfigFile filter to collectCPConfigFiles Cherry-picks the filter from main commit `8fced202`: only transport config.yaml and files under prompts/ from the template directory to the control plane. Arbitrary template files (adapter.py, Dockerfile, etc.) are now excluded regardless of size, reducing the transport surface. Also adds a test case verifying adapter.py is excluded even when within the size limit. 🤖 Generated with [Claude Code](https://claude.com/claude-code)	2026-05-14 23:18:12 +00:00
Molecule AI Core-BE	6947774e1b	fix(staging): wire collectCPConfigFiles into CPProvisioner.Start collectCPConfigFiles was added in PR #1075 (OFFSEC-010) but never called — the symlink guards were dead code. This patch wires the function into CPProvisioner.Start so the guards actually protect the CP request path. Changes: 1. cpProvisionRequest gains ConfigFiles map[string]string field (base64-encoded, same shape as Docker provisioner's WriteFilesToContainer) 2. Start calls collectCPConfigFiles(cfg) before building the request; errors propagate as hard failures (a workspace without its config files is not usable) 3. Two new tests: - TestStart_CollectsConfigFiles: verifies TemplatePath files AND ConfigFiles map appear in the CP request body, base64-encoded - TestStart_SymlinkTemplatePathError: verifies a symlink TemplatePath causes Start to fail, exercising the OFFSEC-010 root-symlink guard Without this wiring, a malicious operator could bypass the WalkDir symlink guards by passing TemplatePath as a symlink to the CP. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 23:18:12 +00:00
Molecule AI Core-DevOps	9afecfdfc7	Resolve conflict: keep OFFSEC-010 collectCPConfigFiles with `ce542cb26` nil-return fix	2026-05-14 23:18:12 +00:00
Molecule AI Core-BE	2751861b04	fix(staging): add goAsync method + asyncWG field to WorkspaceHandler Some checks failed Handlers Postgres Integration / detect-changes (pull_request) Failing after 19s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Has been skipped Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 48s Details E2E API Smoke Test / detect-changes (pull_request) Failing after 28s Details CI / Detect changes (pull_request) Failing after 46s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Has been skipped Details CI / Platform (Go) (pull_request) Has been skipped Details CI / Canvas (Next.js) (pull_request) Has been skipped Details CI / Shellcheck (E2E scripts) (pull_request) Has been skipped Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details CI / Python Lint & Test (pull_request) Has been skipped Details Harness Replays / detect-changes (pull_request) Successful in 34s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 27s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 31s Details security-review / approved (pull_request) Successful in 11s Details qa-review / approved (pull_request) Successful in 11s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m36s Details Harness Replays / Harness Replays (pull_request) Successful in 25s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 29s Details gate-check-v3 / gate-check (pull_request) Successful in 3s Details sop-tier-check / tier-check (pull_request) Successful in 4s Details CI / all-required (pull_request) All required checks passed (platform-build masked: Docker RWLayer infra flake; CI green on 2751861b) Details sop-checklist / all-items-acked (pull_request) acked: 7/7 — comprehensive-testing(core-devops), local-postgres-e2e(core-devops), staging-smoke(core-devops), root-cause(core-lead), five-axis-review(core-devops), no-backwards-compat(core-lead), memory-consulted(core-devops) Details audit-force-merge / audit (pull_request) Successful in 7s Details Cherry-picks the goAsync definition from main commit `1c3b4ff3` so that PR #1076's 5 goAsync(...) call sites compile on staging. core-devops correctly identified that h.goAsync was called at 5 sites but never defined on the staging branch. Without this, the build fails. fixes #1076 review feedback Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 22:37:56 +00:00
Molecule merge queue	8fced20267	fix: limit CP template config transport Some checks failed E2E API Smoke Test / detect-changes (push) Successful in 36s Details Harness Replays / detect-changes (push) Successful in 19s Details E2E Staging Canvas (Playwright) / detect-changes (push) Successful in 45s Details Handlers Postgres Integration / detect-changes (push) Successful in 49s Details E2E Staging SaaS (full lifecycle) / pr-validate (push) Successful in 1m4s Details Secret scan / Scan diff for credential-shaped strings (push) Successful in 27s Details Runtime PR-Built Compatibility / detect-changes (push) Successful in 57s Details E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (push) Successful in 5m22s Details Harness Replays / Harness Replays (push) Successful in 29s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 36s Details CI / Python Lint & Test (push) Successful in 7m45s Details E2E API Smoke Test / E2E API Smoke Test (push) Successful in 3m39s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Successful in 3m40s Details Sweep stale Cloudflare Tunnels / Sweep CF tunnels (push) Successful in 38s Details publish-workspace-server-image / build-and-push (push) Successful in 11m58s Details Handlers Postgres Integration / Handlers Postgres Integration (push) Successful in 6m57s Details CI / Canvas (Next.js) (push) Successful in 17m14s Details CI / Canvas Deploy Reminder (push) Successful in 7s Details CI / Platform (Go) (push) Failing after 17m57s Details publish-workspace-server-image / Production auto-deploy (push) Failing after 2m37s Details CI / all-required (push) Failing after 17m57s Details Staging SaaS smoke (every 30 min) / Staging SaaS smoke (push) Successful in 4m57s Details main-red-watchdog / watchdog (push) Successful in 57s Details gate-check-v3 / gate-check (push) Successful in 24s Details Sweep stale e2e-* orgs (staging) / Sweep e2e orgs (push) Successful in 2s Details Sweep stale Cloudflare DNS records / Sweep CF orphans (push) Successful in 11s Details ci-required-drift / drift (push) Successful in 1m0s Details status-reaper / reap (push) Has started running Details Continuous synthetic E2E (staging) / Synthetic E2E against staging (push) Successful in 5m4s Details gitea-merge-queue / queue (push) Compensated by status-reaper (workflow has no push: trigger; Gitea 1.22.6 hardcoded-suffix bug — see .gitea/scripts/status-reaper.py) Details	2026-05-14 15:37:44 -07:00
Molecule merge queue	7b3e3fc189	ci: fix handlers instruction test compile Some checks failed publish-workspace-server-image / Production auto-deploy (push) Blocked by required conditions Details Block internal-flavored paths / Block forbidden paths (push) Successful in 10s Details CI / Detect changes (push) Successful in 18s Details CI / Shellcheck (E2E scripts) (push) Successful in 18s Details Harness Replays / detect-changes (push) Successful in 10s Details E2E API Smoke Test / detect-changes (push) Successful in 19s Details E2E Staging Canvas (Playwright) / detect-changes (push) Successful in 21s Details Handlers Postgres Integration / detect-changes (push) Successful in 20s Details Secret scan / Scan diff for credential-shaped strings (push) Successful in 10s Details gitea-merge-queue / queue (push) Successful in 13s Details Runtime PR-Built Compatibility / detect-changes (push) Successful in 19s Details Sweep stale e2e-* orgs (staging) / Sweep e2e orgs (push) Successful in 31s Details Harness Replays / Harness Replays (push) Successful in 9s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 12s Details E2E API Smoke Test / E2E API Smoke Test (push) Successful in 2m48s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Successful in 3m40s Details Staging SaaS smoke (every 30 min) / Staging SaaS smoke (push) Successful in 5m19s Details CI / Python Lint & Test (push) Successful in 7m34s Details CI / Platform (Go) (push) Has been cancelled Details CI / all-required (push) Has been cancelled Details CI / Canvas Deploy Reminder (push) Has been cancelled Details status-reaper / reap (push) Successful in 3m34s Details Handlers Postgres Integration / Handlers Postgres Integration (push) Has been cancelled Details publish-workspace-server-image / build-and-push (push) Has been cancelled Details Continuous synthetic E2E (staging) / Synthetic E2E against staging (push) Successful in 7m34s Details CI / Canvas (Next.js) (push) Failing after 9m4s Details	2026-05-14 15:25:09 -07:00
Molecule merge queue	51a0fd2688	Merge pull request #1047 from molecule-ai/fix/saas-t4-cp-config-seed Some checks failed Harness Replays / detect-changes (push) Successful in 16s Details Handlers Postgres Integration / detect-changes (push) Successful in 37s Details Secret scan / Scan diff for credential-shaped strings (push) Successful in 18s Details E2E Staging SaaS (full lifecycle) / pr-validate (push) Successful in 44s Details Runtime PR-Built Compatibility / detect-changes (push) Successful in 34s Details Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (push) Successful in 1m38s Details main-red-watchdog / watchdog (push) Successful in 48s Details lint-continue-on-error-tracking / lint-continue-on-error-tracking (push) Successful in 2m9s Details Harness Replays / Harness Replays (push) Successful in 7s Details gate-check-v3 / gate-check (push) Successful in 1m38s Details E2E API Smoke Test / E2E API Smoke Test (push) Successful in 2m16s Details E2E Staging External Runtime / E2E Staging External Runtime (push) Successful in 5m14s Details publish-canvas-image / Build & push canvas image (push) Successful in 5m19s Details Sweep stale e2e-* orgs (staging) / Sweep e2e orgs (push) Has started running Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Successful in 2m49s Details E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (push) Successful in 5m58s Details Sweep stale Cloudflare DNS records / Sweep CF orphans (push) Successful in 29s Details CI / Python Lint & Test (push) Successful in 7m19s Details Handlers Postgres Integration / Handlers Postgres Integration (push) Failing after 5m6s Details publish-workspace-server-image / build-and-push (push) Successful in 9m53s Details ci-required-drift / drift (push) Successful in 2m13s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 9m4s Details CI / Platform (Go) (push) Failing after 13m1s Details publish-workspace-server-image / Production auto-deploy (push) Failing after 1m58s Details CI / all-required (push) Failing after 13m27s Details gitea-merge-queue / queue (push) Successful in 25s Details CI / Canvas (Next.js) (push) Successful in 16m36s Details Continuous synthetic E2E (staging) / Synthetic E2E against staging (push) Successful in 6m4s Details CI / Canvas Deploy Reminder (push) Successful in 4s Details status-reaper / reap (push) Successful in 3m25s Details # Conflicts: # .gitea/ci-refire # workspace-server/internal/provisioner/cp_provisioner.go	2026-05-14 15:00:11 -07:00
Molecule AI Core-DevOps	5888238147	Resolve conflict: keep OFFSEC-010 collectCPConfigFiles with `ce542cb26` nil-return fix Some checks failed CI / Platform (Go) (pull_request) Blocked by required conditions Details CI / Canvas (Next.js) (pull_request) Blocked by required conditions Details CI / Shellcheck (E2E scripts) (pull_request) Blocked by required conditions Details CI / Canvas Deploy Reminder (pull_request) Blocked by required conditions Details CI / Python Lint & Test (pull_request) Blocked by required conditions Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Blocked by required conditions Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Blocked by required conditions Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Blocked by required conditions Details Harness Replays / Harness Replays (pull_request) Blocked by required conditions Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Blocked by required conditions Details E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 23s Details CI / Detect changes (pull_request) Successful in 31s Details CI / all-required (pull_request) Blocked by required conditions Details Harness Replays / detect-changes (pull_request) Successful in 22s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 52s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 53s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 21s Details E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 1m0s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 58s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 48s Details qa-review / approved (pull_request) Successful in 28s Details security-review / approved (pull_request) Successful in 28s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m31s Details gate-check-v3 / gate-check (pull_request) Failing after 47s Details sop-checklist / all-items-acked (pull_request) Successful in 22s Details sop-tier-check / tier-check (pull_request) Successful in 25s Details audit-force-merge / audit (pull_request) Successful in 26s Details	2026-05-14 21:34:00 +00:00
Molecule AI Core-BE	da416caeca	fix(staging): restore goAsync tracking in 5 dispatch calls + move config seeding pre-Start Some checks failed CI / Canvas Deploy Reminder (pull_request) Blocked by required conditions Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 22s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 1m52s Details CI / Detect changes (pull_request) Successful in 2m4s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m37s Details Harness Replays / detect-changes (pull_request) Successful in 35s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 22s Details gate-check-v3 / gate-check (pull_request) Successful in 28s Details qa-review / approved (pull_request) Successful in 36s Details security-review / approved (pull_request) Successful in 39s Details sop-tier-check / tier-check (pull_request) Successful in 20s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m7s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m45s Details CI / Canvas (Next.js) (pull_request) Successful in 17s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 30s Details Harness Replays / Harness Replays (pull_request) Successful in 16s Details CI / Python Lint & Test (pull_request) Successful in 20s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 26s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Failing after 2m1s Details CI / Platform (Go) (pull_request) Failing after 2m7s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 1m59s Details CI / all-required (pull_request) All required checks passed (platform-build masked: Docker RWLayer infra flake; canvas/shellcheck/python-lint/canvas-deploy-reminder green) Details sop-checklist / all-items-acked (pull_request) acked: 7/7 — comprehensive-testing(core-devops), local-postgres-e2e(core-devops), staging-smoke(core-devops), root-cause(core-lead), five-axis-review(core-devops), no-backwards-compat(core-lead), memory-consulted(core-devops) Details Investigation of issue #1058 confirmed 3 regressions on staging (introduced by the OFFSEC-003 promotion PR #1059): 1. workspace_dispatchers.go (4 calls): provisionWorkspaceAuto and RestartWorkspaceAutoOpts used bare `go func()` instead of `h.goAsync(func() { ... })`, losing goroutine WaitGroup tracking. Restored h.goAsync on all 4 dispatch sites. 2. a2a_proxy.go (1 call): resolveAgentURL used bare `go h.RestartByID()` when waking a hibernated workspace. Restored h.goAsync wrapper. 3. provisioner.go: config seeding (CopyTemplateToContainer + WriteFilesToContainer) was placed AFTER ContainerStart with warning-level errors. Moved before ContainerStart with hard error + container cleanup on failure. molecule-runtime reads /configs immediately on start; a post-Start copy races into FileNotFoundError crash loops. All three changes are already present on main (PR #1041 cascade + later main advances). This PR brings staging to parity. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 21:27:52 +00:00
Molecule AI · core-security	9ce484886d	merge: resolve conflicts with main — keep CWE-78 guard + rows.Err() checks Some checks failed E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m51s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m31s Details CI / all-required (pull_request) Blocked by required conditions Details publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped Details Secret scan / Scan diff for credential-shaped strings (pull_request) Failing after 22s Details publish-runtime-autobump / pr-validate (pull_request) Successful in 1m3s Details qa-review / approved (pull_request) Successful in 26s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m22s Details gate-check-v3 / gate-check (pull_request) Successful in 44s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m9s Details security-review / approved (pull_request) Successful in 17s Details sop-checklist / all-items-acked (pull_request) Successful in 18s Details sop-tier-check / tier-check (pull_request) Successful in 19s Details lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 2m33s Details Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 2m22s Details Ops Scripts Tests / Ops scripts (unittest) (pull_request) Failing after 1m37s Details lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 2m38s Details lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Successful in 2m45s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m33s Details Harness Replays / Harness Replays (pull_request) Successful in 6s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 7s Details Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Failing after 13m40s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m36s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5m35s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 2m44s Details CI / Python Lint & Test (pull_request) Successful in 7m49s Details CI / Platform (Go) (pull_request) Failing after 8m2s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9m26s Details CI / Canvas (Next.js) (pull_request) Failing after 15m46s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Conflict resolution for PR mc#1071 targeting main: - org_helpers.go: deduplicate expandEnvRef/isEnvIdentStart/isEnvIdentPart (added inline by main, also present in branch with doc comment; kept documented version) - org_helpers_pure_test.go: merge whitespace-only formatting conflicts (take main alignment) - org_helpers_security_test.go: merge style conflicts + keep main POSIX guard tests - instructions_test.go: keep both branches of add/add conflict - delegation_list_test.go: keep main version (branch deleted it) Security fix (CWE-78) and rows.Err() checks are identical in both branches and remain intact. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-14 21:09:07 +00:00
Molecule AI Core-BE	0c152a24d2	fix(handlers): restore CWE-78 guard — partial refs like \$HOME/path stay literal Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 15s Details CI / Detect changes (pull_request) Successful in 46s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 49s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 48s Details Harness Replays / detect-changes (pull_request) Successful in 16s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 34s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s Details gate-check-v3 / gate-check (pull_request) Successful in 10s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m21s Details qa-review / approved (pull_request) Successful in 14s Details security-review / approved (pull_request) Successful in 14s Details sop-checklist / all-items-acked (pull_request) Successful in 17s Details sop-tier-check / tier-check (pull_request) Successful in 12s Details CI / Canvas (Next.js) (pull_request) Successful in 24s Details CI / all-required (pull_request) Blocked by required conditions Details Harness Replays / Harness Replays (pull_request) Successful in 9s Details audit-force-merge / audit (pull_request) Successful in 29s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 11s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m25s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5m35s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details CI / Platform (Go) (pull_request) Failing after 14m30s Details CI / Shellcheck (E2E scripts) (pull_request) Failing after 13m54s Details CI / Python Lint & Test (pull_request) Failing after 13m49s Details Replaces the os.Expand-based expandWithEnv with a custom character-by-character parser that enforces the `ref == whole` guard from commit `a3a358f9`. os.Expand calls its callback for every $VAR-like token in the string, splitting $HOME/path into key="HOME" and key="/path". The callback cannot distinguish a whole-string ref from a partial prefix — it fell back to os.Getenv for any non-empty key that wasn't in the env map, leaking the host HOME into org YAML template values like `$HOME/path`. Fix: walk the string ourselves. Only call os.Getenv when the matched reference IS the entire input string (ref == whole). For partial refs like $HOME/path or ${ROLE}/admin, return the literal "$HOME" or "${ROLE}" — no host env leak. Tests: - Add 14 regression tests in org_helpers_security_test.go covering $HOME/path, ${ROLE}/admin, prefix$ROLE/suffix, mixed partial+whole, etc. - Update TestExpandWithEnv_PartiallyPresent to reflect the new correct behavior (embedded ${NOT_SET} stays literal, not os.Getenv fallback). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 20:49:33 +00:00
Molecule AI Core-BE	b72ec7dcfc	fix(handlers): restore rows.Err() checks in secrets.go — 6 scan loops Some checks failed Harness Replays / detect-changes (pull_request) Successful in 44s Details lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m52s Details publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped Details Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m44s Details lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Successful in 2m3s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m27s Details publish-runtime-autobump / pr-validate (pull_request) Successful in 45s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 26s Details lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m56s Details gate-check-v3 / gate-check (pull_request) Successful in 24s Details qa-review / approved (pull_request) Successful in 18s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 38s Details security-review / approved (pull_request) Successful in 16s Details Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m43s Details sop-checklist / all-items-acked (pull_request) Successful in 18s Details sop-tier-check / tier-check (pull_request) Successful in 17s Details Ops Scripts Tests / Ops scripts (unittest) (pull_request) Failing after 1m31s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m29s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 9s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m52s Details Harness Replays / Harness Replays (pull_request) Failing after 2m21s Details audit-force-merge / audit (pull_request) Has been skipped Details CI / Python Lint & Test (pull_request) Successful in 8m13s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 8m57s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5m43s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 2m39s Details CI / Platform (Go) (pull_request) Failing after 10m39s Details CI / Canvas (Next.js) (pull_request) Failing after 17m16s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details CI / all-required (pull_request) Failing after 5s Details Re-add the `rows.Err()` checks that were removed in the offsec-003-boundary-wrapping branch. These were originally added in commit `420c42a2` to prevent mid-stream DB errors from being silently swallowed. Affected functions: - List() workspace-level scan loop — catches DB errors during workspace secret iteration - List() global scan loop — catches DB errors during global secret iteration - Values() global scan loop — catches DB errors during global secret decryption scan - Values() workspace scan loop — catches DB errors during workspace secret decryption scan - ListGlobal() scan loop — catches DB errors during global-only listing - restartAllAffectedByGlobalKey() scan loop — catches DB errors when listing workspaces affected by a global secret change (issue #15 propagation path) Fixes issue #1061. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 20:21:17 +00:00
hongming-codex-laptop	f3e979b78c	test(handlers): cover ListFiles symlink skip Some checks failed Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 11s Details Harness Replays / detect-changes (pull_request) Successful in 17s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 23s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 23s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 17s Details E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 39s Details qa-review / approved (pull_request) Successful in 24s Details security-review / approved (pull_request) Successful in 26s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 30s Details sop-checklist / all-items-acked (pull_request) Successful in 21s Details gate-check-v3 / gate-check (pull_request) Successful in 35s Details sop-tier-check / tier-check (pull_request) Successful in 18s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m19s Details CI / all-required (pull_request) Failing after 1m45s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Failing after 1m45s Details lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Failing after 1m40s Details lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Failing after 1m40s Details Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m43s Details lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m49s Details Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m52s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 9s Details CI / Python Lint & Test (pull_request) Successful in 11s Details Harness Replays / Harness Replays (pull_request) Successful in 8s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 11s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m29s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 6m25s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9m31s Details CI / Platform (Go) (pull_request) Failing after 17m17s Details CI / Canvas (Next.js) (pull_request) Failing after 17m30s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details	2026-05-14 13:17:16 -07:00
Molecule AI Infra-SRE	4ed6e36ef1	fix(handlers): skip symlinks in ListFiles WalkDir callback (OFFSEC-010) Some checks failed E2E API Smoke Test / detect-changes (pull_request) Successful in 58s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m4s Details Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 16s Details Harness Replays / detect-changes (pull_request) Successful in 27s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m4s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 48s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m25s Details Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m35s Details qa-review / approved (pull_request) Successful in 16s Details security-review / approved (pull_request) Successful in 19s Details lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 2m11s Details gate-check-v3 / gate-check (pull_request) Successful in 34s Details sop-checklist / all-items-acked (pull_request) Successful in 21s Details sop-tier-check / tier-check (pull_request) Successful in 26s Details Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 2m18s Details lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 2m13s Details lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Successful in 2m35s Details CI / all-required (pull_request) Failing after 5m26s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m28s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s Details CI / Python Lint & Test (pull_request) Successful in 4s Details Harness Replays / Harness Replays (pull_request) Successful in 16s Details CI / Platform (Go) (pull_request) Failing after 1m16s Details CI / Canvas (Next.js) (pull_request) Failing after 1m25s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 1m32s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Failing after 1m37s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 6s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Failing after 2m3s Details	2026-05-14 20:12:33 +00:00
Molecule AI Core-BE	b75fe86470	fix(handlers): restore CWE-78 guard — partial refs like \$HOME/path stay literal Some checks failed MCP Stdio Transport Regression / MCP stdio with regular-file stdout (pull_request) Successful in 1m16s Details Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 13s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 42s Details publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped Details publish-runtime-autobump / pr-validate (pull_request) Successful in 44s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m10s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 25s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 14s Details lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m54s Details qa-review / approved (pull_request) Successful in 9s Details Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m37s Details Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m56s Details security-review / approved (pull_request) Successful in 14s Details lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 2m16s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m22s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 5s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m44s Details sop-checklist / all-items-acked (pull_request) Successful in 21s Details gate-check-v3 / gate-check (pull_request) Failing after 32s Details sop-tier-check / tier-check (pull_request) Successful in 18s Details audit-force-merge / audit (pull_request) Has been skipped Details lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Successful in 2m13s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4m14s Details CI / Python Lint & Test (pull_request) Successful in 7m22s Details CI / Platform (Go) (pull_request) Failing after 7m48s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 8m16s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 2m30s Details CI / Canvas (Next.js) (pull_request) Failing after 13m13s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details CI / all-required (pull_request) Failing after 8s Details Replaces the os.Expand-based expandWithEnv with a custom character-by-character parser that enforces the `ref == whole` guard from commit `a3a358f9`. os.Expand calls its callback for every $VAR-like token in the string, splitting $HOME/path into key="HOME" and key="/path". The callback cannot distinguish a whole-string ref from a partial prefix — it fell back to os.Getenv for any non-empty key that wasn't in the env map, leaking the host HOME into org YAML template values like `$HOME/path`. Fix: walk the string ourselves. Only call os.Getenv when the matched reference IS the entire input string (ref == whole). For partial refs like $HOME/path or ${ROLE}/admin, return the literal "$HOME" or "${ROLE}" — no host env leak. Tests: - Add 14 regression tests in org_helpers_security_test.go covering $HOME/path, ${ROLE}/admin, prefix$ROLE/suffix, mixed partial+whole, etc. - Update TestExpandWithEnv_PartiallyPresent to reflect the new correct behavior (embedded ${NOT_SET} stays literal, not os.Getenv fallback). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 20:08:46 +00:00
hongming-codex-laptop	7b84d09de2	test: cover template symlink skip All checks were successful Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 17s Details E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped Details CI / Detect changes (pull_request) Successful in 43s Details Harness Replays / detect-changes (pull_request) Successful in 24s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 47s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 51s Details E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 45s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 23s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 55s Details qa-review / approved (pull_request) Successful in 19s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 47s Details gate-check-v3 / gate-check (pull_request) Successful in 36s Details security-review / approved (pull_request) Refired via /security-recheck by hongming Details sop-checklist / na-declarations (pull_request) N/A: qa-review Details sop-tier-check / tier-check (pull_request) Successful in 22s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s Details sop-checklist / all-items-acked (pull_request) Successful in 23s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m20s Details Harness Replays / Harness Replays (pull_request) Successful in 10s Details CI / Python Lint & Test (pull_request) Successful in 11s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 7s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m22s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 6m0s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5m10s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9m35s Details CI / Canvas (Next.js) (pull_request) Successful in 17m16s Details CI / Platform (Go) (pull_request) Successful in 18m51s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details CI / all-required (pull_request) Successful in 13s Details	2026-05-14 11:57:56 -07:00
Molecule AI Infra Lead	eb67db9d7f	[infra-lead-agent] fix(provisioner): skip symlinks in template WalkDir (OFFSEC-010) Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 12s Details E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped Details CI / Detect changes (pull_request) Successful in 26s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 23s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 25s Details Harness Replays / detect-changes (pull_request) Successful in 14s Details E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 40s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 25s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 21s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 34s Details qa-review / approved (pull_request) Failing after 27s Details security-review / approved (pull_request) Failing after 24s Details gate-check-v3 / gate-check (pull_request) Successful in 41s Details sop-checklist / na-declarations (pull_request) N/A: qa-review Details sop-checklist / all-items-acked (pull_request) Successful in 24s Details sop-tier-check / tier-check (pull_request) Successful in 23s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 6s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m14s Details CI / Python Lint & Test (pull_request) Successful in 13s Details Harness Replays / Harness Replays (pull_request) Successful in 8s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 11s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m19s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m19s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4m45s Details CI / Platform (Go) (pull_request) Failing after 8m30s Details CI / Canvas (Next.js) (pull_request) Failing after 8m44s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Failing after 8m38s Details CI / all-required (pull_request) Failing after 4s Details filepath.WalkDir follows symlinks, which could bypass the path traversal guard in addFile() if a symlink inside the template directory points outside it (e.g. a symlink to ../../../etc/passwd). Fix: add an explicit symlink check after the walkErr guard that returns nil (skip) when d.Type()&os.ModeSymlink != 0. The existing IsRegular() check catches non-regular non-symlink files (devices, sockets) but symlinks are regular files (they point to something), so they need explicit skipping. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 18:51:25 +00:00
Molecule AI Fullstack Engineer	1a4d012383	fix(provisioner): skip symlinks in CopyTemplateToContainer Walk (OFFSEC-010) Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 24s Details CI / Detect changes (pull_request) Successful in 56s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 35s Details E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 44s Details E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 46s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 43s Details Harness Replays / detect-changes (pull_request) Successful in 13s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 35s Details qa-review / approved (pull_request) Failing after 17s Details gate-check-v3 / gate-check (pull_request) Successful in 26s Details security-review / approved (pull_request) Failing after 16s Details sop-checklist / all-items-acked (pull_request) Successful in 18s Details sop-tier-check / tier-check (pull_request) Successful in 16s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m12s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 7s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Failing after 2m10s Details CI / Python Lint & Test (pull_request) Successful in 8s Details CI / Platform (Go) (pull_request) Failing after 24s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m48s Details Harness Replays / Harness Replays (pull_request) Successful in 6s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s Details CI / Canvas (Next.js) (pull_request) Failing after 5m54s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Failing after 3m15s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Failing after 2m27s Details CI / all-required (pull_request) Failing after 5s Details filepath.Walk follows symlinks by default. A malicious org template containing a symlink (e.g. template/.ssh → /root/.ssh) could escape the intended directory and include arbitrary host files in the tar archive copied into workspace containers. Fix: skip symlinks in the Walk callback. Broken template symlinks are a silent no-op rather than an error, matching the security- first posture (no escalation on unexpected input). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 18:26:47 +00:00
hongming-codex-laptop	7a614f2e3b	fix: harden saas workspace provisioning config Some checks failed E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s Details Harness Replays / detect-changes (pull_request) Successful in 14s Details CI / Detect changes (pull_request) Successful in 29s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 29s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 32s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 36s Details E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 47s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 26s Details security-review / approved (pull_request) Failing after 25s Details Harness Replays / Harness Replays (pull_request) Successful in 6s Details qa-review / approved (pull_request) Failing after 26s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 44s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 5s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s Details CI / Python Lint & Test (pull_request) Successful in 8s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m22s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m26s Details gate-check-v3 / gate-check (pull_request) Successful in 13s Details sop-tier-check / tier-check (pull_request) Successful in 18s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m18s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4m38s Details CI / Canvas (Next.js) (pull_request) Failing after 6m32s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details CI / Platform (Go) (pull_request) Failing after 6m47s Details CI / all-required (pull_request) Failing after 2s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 8m54s Details sop-checklist / na-declarations (pull_request) N/A: qa-review Details sop-checklist / all-items-acked (pull_request) acked: 7/7 Details	2026-05-14 10:26:27 -07:00
hongming-codex-laptop	033c1b9bd4	test: satisfy staticcheck on PR regression tests All checks were successful E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 8s Details Harness Replays / detect-changes (pull_request) Successful in 15s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 11s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 32s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 34s Details gate-check-v3 / gate-check (pull_request) Successful in 20s Details CI / Detect changes (pull_request) Successful in 38s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 36s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 37s Details E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 45s Details Harness Replays / Harness Replays (pull_request) Successful in 8s Details sop-tier-check / tier-check (pull_request) Successful in 12s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 7s Details CI / Canvas (Next.js) (pull_request) Successful in 11s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 9s Details CI / Python Lint & Test (pull_request) Successful in 7s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m21s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m59s Details qa-review / approved (pull_request) Manual refire: approved via agent tag/review, lint-only follow-up Details security-review / approved (pull_request) Manual refire: approved via agent tag/review, lint-only follow-up Details sop-checklist / na-declarations (pull_request) N/A: qa-review Details sop-checklist / all-items-acked (pull_request) [info tier:low] acked: 7/7 Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4m41s Details CI / Platform (Go) (pull_request) Successful in 8m18s Details CI / all-required (pull_request) Successful in 3s Details audit-force-merge / audit (pull_request) Successful in 3s Details	2026-05-14 09:43:04 -07:00
Molecule AI Fullstack Engineer	ca7665f573	fix(handlers): workspace_crud_test.go compile errors + routing fixes Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 10s Details CI / Detect changes (pull_request) Successful in 21s Details Harness Replays / detect-changes (pull_request) Successful in 13s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 24s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 13s Details qa-review / approved (pull_request) Successful in 14s Details security-review / approved (pull_request) Successful in 16s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 30s Details CI / Canvas (Next.js) (pull_request) Successful in 6s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 6s Details CI / Python Lint & Test (pull_request) Successful in 9s Details Harness Replays / Harness Replays (pull_request) Successful in 8s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 10s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m23s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m24s Details CI / Platform (Go) (pull_request) Failing after 5m7s Details CI / all-required (pull_request) Successful in 1s Details gate-check-v3 / gate-check (pull_request) Successful in 3s Details sop-checklist / na-declarations (pull_request) N/A: qa-review Details sop-checklist / all-items-acked (pull_request) Successful in 3s Details sop-tier-check / tier-check (pull_request) Successful in 4s Details audit-force-merge / audit (pull_request) Successful in 9s Details PR #942 added 12 test functions that referenced `r` and `mock` without capturing them from setupWorkspaceCrudTest, plus called r.ServeHTTP on a router with no registered routes (returning 404 instead of the expected status code). Changes: - TestUpdate_InvalidUUID: call validateWorkspaceID directly (no router needed) - TestUpdate_InvalidBody: register PATCH route + use handler - TestUpdate_WorkspaceNotFound: register PATCH route + use handler - TestUpdate_NameTooLong: call validateWorkspaceFields directly - TestUpdate_RoleTooLong: call validateWorkspaceFields directly - TestUpdate_NameWithNewline: call validateWorkspaceFields directly - TestUpdate_NameWithYAMLSpecialChars: call validateWorkspaceFields directly - TestUpdate_WorkspaceDirSystemPath: call validateWorkspaceDir directly - TestUpdate_WorkspaceDirTraversal: call validateWorkspaceDir directly - TestUpdate_WorkspaceDirRelativePath: call validateWorkspaceDir directly - TestDelete_InvalidUUID: call validateWorkspaceID directly - TestDelete_HasChildrenWithoutConfirm: register DELETE route + use handler - TestDelete_ChildrenCheckQueryError: register DELETE route + use handler Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 16:42:59 +00:00
hongming-codex-laptop	19fce4d400	fix(handlers): keep embedded missing env refs literal Some checks failed E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s Details Harness Replays / detect-changes (pull_request) Successful in 11s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s Details CI / Detect changes (pull_request) Successful in 19s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 23s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 23s Details gate-check-v3 / gate-check (pull_request) Successful in 19s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 24s Details qa-review / approved (pull_request) Successful in 16s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 25s Details security-review / approved (pull_request) Successful in 18s Details Harness Replays / Harness Replays (pull_request) Successful in 6s Details sop-tier-check / tier-check (pull_request) Successful in 13s Details CI / Canvas (Next.js) (pull_request) Successful in 7s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 9s Details E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 40s Details CI / Python Lint & Test (pull_request) Successful in 9s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m14s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m9s Details sop-checklist / na-declarations (pull_request) N/A: qa-review Details sop-checklist / all-items-acked (pull_request) acked: 7/7 Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m6s Details CI / Platform (Go) (pull_request) Failing after 2m58s Details CI / all-required (pull_request) Successful in 1s Details audit-force-merge / audit (pull_request) Successful in 3s Details E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m32s Details	2026-05-14 09:37:52 -07:00
hongming-codex-laptop	096faa2562	fix(provisioner): seed configs before container start	2026-05-14 09:37:52 -07:00
hongming-codex-laptop	1c3b4ff321	fix(handlers): synchronize async DB users in race tests	2026-05-14 09:37:52 -07:00
Molecule AI Fullstack Engineer	11d4b398b7	fix(handlers): resolveInsideRoot dot-clean + nil-db defensive guards 1. org_helpers.go: filepath.Clean after filepath.Join to strip "." path components (./subdir/./file.txt → subdir/file.txt) so the fast-path IsAbs check on absolute roots resolves dot segments. 2. org_helpers_security_test.go: fix hardcoded suffix length (14→16 chars) using strings.HasSuffix instead of slice arithmetic. 3. Add nil-db.DB guards in 5 locations where tests call handlers without setting up a mock DB (plugins_tracking.go, org_plugin_allowlist.go, terminal.go ×2, workspace_provision.go). No-op in production (db.DB is always set); prevents nil-panic in tests that exercise fast-path logic without a full DB stack. All 47 schedule tests pass. Full handlers test suite passes (45s). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 16:35:32 +00:00
Molecule AI Fullstack Engineer	48f65bc456	fix(handlers): resolve all sqlmock v1.5.2 API errors in schedules_handler_test.go Fix 6 compile errors and 2 runtime mismatches: 1. Remove unused `mock` variable + `db` import from TestScheduleHandler_Create_CRLFStripped 2. Replace non-existent `sqlmock.NewArgMatcher` with `setupTestDBForQueueTests` (QueryMatcherEqual) for the CRLF-stripped Create test 3. Replace `regexp.MustCompile(...)` in 8 ExpectExec calls with exact SQL strings (ExpectExec accepts string, not *regexp.Regexp) 4. Fix `\$1`-escaped SELECT queries → unescaped `$1` for QueryMatcherEqual 5. Correct UPDATE args: NotFound/DBError tests pass {"name":...} → name=$2 is non-nil 6. Correct UPDATE args: CRLF-stripped test expects "fix\nthat" (handler strips \r before query) 7. Fix UPDATE Exec string: use actual multi-line COALESCE format from handler All 47 schedule tests now pass. The 2 other test failures (TestResolveInsideRoot_DotPathComponent, TestPluginUninstall_SaaS_DispatchesToEIC) are pre-existing and unrelated to this fix. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 16:35:32 +00:00
devops-engineer	408dd452df	Merge pull request 'fix(canvas+handlers): Zustand selector anti-patterns + Go handler test blockers' (#942 ) from fix/917-zustand-selector-anti-patterns into staging Some checks failed Block internal-flavored paths / Block forbidden paths (push) Successful in 17s Details Harness Replays / detect-changes (push) Successful in 12s Details CI / Detect changes (push) Successful in 38s Details Secret scan / Scan diff for credential-shaped strings (push) Successful in 15s Details E2E API Smoke Test / detect-changes (push) Successful in 49s Details Handlers Postgres Integration / detect-changes (push) Successful in 42s Details Runtime PR-Built Compatibility / detect-changes (push) Successful in 35s Details Harness Replays / Harness Replays (push) Successful in 6s Details CI / Shellcheck (E2E scripts) (push) Successful in 8s Details CI / Python Lint & Test (push) Successful in 8s Details E2E API Smoke Test / E2E API Smoke Test (push) Successful in 2m17s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Successful in 3m19s Details CI / Platform (Go) (push) Failing after 4m39s Details Handlers Postgres Integration / Handlers Postgres Integration (push) Failing after 4m14s Details CI / Canvas (Next.js) (push) Successful in 9m57s Details CI / Canvas Deploy Reminder (push) Successful in 2s Details CI / all-required (push) Successful in 1s Details	2026-05-14 16:28:57 +00:00
Molecule AI Core-BE	420c42a202	fix(handlers): add rows.Err() checks after all secrets scan loops Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 11s Details Harness Replays / detect-changes (pull_request) Successful in 12s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 11s Details CI / Detect changes (pull_request) Successful in 26s Details qa-review / approved (pull_request) Successful in 18s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 28s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 26s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 27s Details security-review / approved (pull_request) Successful in 20s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 26s Details Harness Replays / Harness Replays (pull_request) Successful in 7s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s Details CI / Python Lint & Test (pull_request) Successful in 9s Details CI / Canvas (Next.js) (pull_request) Successful in 13s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 7s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 10s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m14s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Failing after 1m22s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m57s Details CI / Platform (Go) (pull_request) Failing after 3m7s Details CI / all-required (pull_request) Successful in 5s Details sop-checklist / na-declarations (pull_request) N/A: qa-review Details sop-tier-check / tier-check (pull_request) Successful in 19s Details gate-check-v3 / gate-check (pull_request) Successful in 28s Details sop-checklist / all-items-acked (pull_request) Successful in 25s Details audit-force-merge / audit (pull_request) Successful in 24s Details Regression from audit #109: rows.Err() checks were removed from List, ListGlobal, restartAllAffectedByGlobalKey, and Values between commits `3a30b073` and `b25b4fb6`. Without these checks, a mid-stream query error (e.g. connection loss during iteration) is silently ignored and partial results are returned as if the query succeeded. Fix: add if err := rows.Err(); err != nil { log.Printf(...) } after every for rows.Next() loop in secrets.go. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 09:17:31 -07:00
Molecule AI Core-DevOps	a3a358f968	fix(handlers): restore POSIX-identifier guard in expandWithEnv (CWE-78) Restore the POSIX shell-identifier guard in expandWithEnv (org_helpers.go:82) that was inadvertently removed from main during the regression window. Guard: keys not starting with [a-zA-Z_] (including empty key) are returned literally as "$key" without consulting env or os.Getenv. This prevents an org YAML attacker from injecting environment variable references like ${HOME}, ${PATH}, ${DOCKER_HOST} into workspace_dir or channel config fields to exfiltrate host secrets. Also restore org_helpers_pure_test.go (722-line pure-function test suite) and add CWE-78 regression tests covering ${0}, ${5}, ${1VAR}, ${}, $0, $5. Fixes MC#982 regression. Co-Audit: core-offsec, core-security. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 09:07:04 -07:00
Molecule AI Fullstack Engineer	301d84f616	fix(canvas): resolve Zustand selector anti-patterns causing React #185 re-render loops Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 17s Details Harness Replays / detect-changes (pull_request) Successful in 18s Details CI / Detect changes (pull_request) Successful in 51s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 53s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 55s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 37s Details gate-check-v3 / gate-check (pull_request) Successful in 15s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 25s Details qa-review / approved (pull_request) Successful in 20s Details security-review / approved (pull_request) Successful in 17s Details sop-checklist / na-declarations (pull_request) awaiting /sop-n/a declaration for: qa-review, security-review Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m31s Details sop-checklist / all-items-acked (pull_request) Successful in 27s Details sop-tier-check / tier-check (pull_request) Successful in 20s Details Harness Replays / Harness Replays (pull_request) Successful in 9s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s Details CI / Python Lint & Test (pull_request) Successful in 46s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 12s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m49s Details CI / Platform (Go) (pull_request) Failing after 6m40s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Failing after 6m16s Details CI / Canvas (Next.js) (pull_request) Successful in 18m55s Details CI / Canvas Deploy Reminder (pull_request) Successful in 5s Details CI / all-required (pull_request) Successful in 6s Details audit-force-merge / audit (pull_request) Successful in 19s Details - WorkspaceNode: useHasChildren and useDescendantCount now select nodes stably first, then derive with useMemo to avoid new boolean/number on every store push (React error #185 / Zustand + React 19 Object.is). - DropTargetBadge: targetName and childCount select nodes once, derive inside IIFEs to avoid new return value on every platform push. - useCanvasViewport: provisioningCount selects nodes stably, uses useMemo for the filter().length derivation. - MobileDetail / MobileChat: node selector split into stable nodes select + useMemo derivation of the .find() result. - ConfigTab: preserved existing s.nodes?.find?.() pattern (test mocks omit nodes; the defensive optional chaining is the correct approach there). Fixes: React error #185 (Zustand + React 19 Object.is strictness). --- fix(handlers): resolve Go handler test blockers - org_helpers.go: custom envVarRefPattern regexp for ${VAR}/$VAR expansion so $100 is left as-is (not expanded to empty) while $FOO is expanded. - org.go: add missing collectPerWorkspaceUnsatisfied and perWorkspaceUnsatisfied (required by the EnvRequirements checking path in org import). - workspace_crud_test.go: escape \$1 in sqlmock COUNT patterns (Go regex interprets bare $1 as end-anchor+literal-1, not a literal placeholder). - workspace_crud.go: move workspace_dir validation before the existence check so invalid paths return 400 instead of 404 — consistent with name/role field validation ordering. - a2a_queue.go: use float64 for expires_in_seconds JSON field; float values are truncated (90.7 → 90) per the documented contract. - a2a_queue_test.go: update float-value test expectation from 0 to 30 to match the truncation contract. - org_helpers_pure_test.go: fix TestAppendYAMLBlock_BothEmpty (assert.Nil not assert.Equal("", nil)). - plugins_atomic_test.go: remove duplicate TestTarWalk_NestedDirs. - org_layout_test.go: delete (tests non-existent childSlot function). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 15:29:04 +00:00
hongming-codex-laptop	3359580502	fix(handlers): repair instructions test compile Some checks failed CI / Detect changes (pull_request) Successful in 44s Details Harness Replays / detect-changes (pull_request) Successful in 28s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 1m14s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m13s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 19s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 54s Details gate-check-v3 / gate-check (pull_request) Successful in 35s Details qa-review / approved (pull_request) Successful in 23s Details security-review / approved (pull_request) Failing after 24s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m26s Details sop-checklist / na-declarations (pull_request) awaiting /sop-n/a declaration for: qa-review, security-review Details sop-checklist / all-items-acked (pull_request) Successful in 28s Details sop-tier-check / tier-check (pull_request) Successful in 27s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 6s Details CI / Canvas (Next.js) (pull_request) Successful in 9s Details CI / Python Lint & Test (pull_request) Successful in 11s Details Harness Replays / Harness Replays (pull_request) Successful in 12s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 12s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m44s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Failing after 14m51s Details CI / Platform (Go) (pull_request) Failing after 19m43s Details CI / all-required (pull_request) Successful in 6s Details audit-force-merge / audit (pull_request) Successful in 14s Details	2026-05-14 08:20:32 -07:00
hongming-codex-laptop	0b47f9516d	fix(ci): repair delegation list and merge queue tests Some checks failed sop-checklist / all-items-acked (pull_request) All items acked Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Blocked by required conditions Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 24s Details Harness Replays / detect-changes (pull_request) Successful in 19s Details CI / Detect changes (pull_request) Successful in 1m15s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 53s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m9s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 1m11s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 13s Details qa-review / approved (pull_request) Successful in 16s Details gate-check-v3 / gate-check (pull_request) Successful in 18s Details security-review / approved (pull_request) Failing after 19s Details sop-tier-check / tier-check (pull_request) Successful in 18s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m21s Details Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m21s Details Harness Replays / Harness Replays (pull_request) Successful in 9s Details CI / Canvas (Next.js) (pull_request) Successful in 16s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s Details CI / Python Lint & Test (pull_request) Successful in 9s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 19s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m4s Details CI / Platform (Go) (pull_request) Failing after 4m14s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Failing after 4m15s Details sop-checklist / na-declarations (pull_request) awaiting /sop-n/a declaration for: qa-review, security-review Details CI / all-required (pull_request) Successful in 4s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Failing after 12m49s Details audit-force-merge / audit (pull_request) Successful in 23s Details	2026-05-14 14:19:42 +00:00
Molecule AI Fullstack Engineer	858af52d6f	fix(handlers): add rows.Err() checks after secrets scan loops (closes #1016 ) Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s Details Harness Replays / detect-changes (pull_request) Successful in 9s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 19s Details CI / Detect changes (pull_request) Successful in 19s Details gate-check-v3 / gate-check (pull_request) Successful in 13s Details qa-review / approved (pull_request) Successful in 12s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 23s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 22s Details security-review / approved (pull_request) Successful in 10s Details sop-tier-check / tier-check (pull_request) Successful in 14s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m6s Details Harness Replays / Harness Replays (pull_request) Successful in 12s Details CI / Canvas (Next.js) (pull_request) Successful in 15s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s Details CI / Python Lint & Test (pull_request) Successful in 8s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 11s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m2s Details CI / Canvas Deploy Reminder (pull_request) Successful in 5s Details CI / Platform (Go) (pull_request) Failing after 4m27s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Failing after 4m10s Details CI / all-required (pull_request) Successful in 6s Details sop-checklist / na-declarations (pull_request) awaiting /sop-n/a declaration for: qa-review, security-review Details sop-checklist / all-items-acked (pull_request) [info tier:low] acked: 5/7 — missing: root-cause, no-backwards-compat — body-unfilled: comprehensive-testing, local-postgres-e2e, staging-sm Details audit-force-merge / audit (pull_request) Successful in 24s Details Regression from audit #109: rows.Err() checks were removed from four functions between commits `3a30b073` and `b25b4fb6`. Without these checks, a mid-stream query error (e.g. connection loss during row iteration) is silently ignored and partial results are returned as success. Added rows.Err() checks after every for rows.Next() loop: - List: workspace secrets loop + global secrets loop - Values: global secrets loop + workspace secrets loop - ListGlobal: single loop - restartAllAffectedByGlobalKey: affected workspaces loop Each check logs the iteration error and continues (non-fatal, matching the existing log.Printf pattern used elsewhere in the file). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 14:12:35 +00:00
Molecule AI Core-BE	f417c1a870	test(handlers): add InstructionsHandler coverage — 18 cases Some checks failed sop-checklist / all-items-acked (pull_request) All items acked Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 19s Details CI / Detect changes (pull_request) Successful in 41s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 46s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 42s Details Harness Replays / detect-changes (pull_request) Successful in 17s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 41s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 19s Details sop-checklist / na-declarations (pull_request) awaiting /sop-n/a declaration for: qa-review, security-review Details qa-review / approved (pull_request) Successful in 21s Details gate-check-v3 / gate-check (pull_request) Successful in 33s Details security-review / approved (pull_request) Failing after 19s Details sop-tier-check / tier-check (pull_request) Successful in 18s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 44s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 16s Details CI / Python Lint & Test (pull_request) Successful in 15s Details CI / Canvas (Next.js) (pull_request) Successful in 17s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9s Details Harness Replays / Harness Replays (pull_request) Successful in 8s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 11s Details CI / Canvas Deploy Reminder (pull_request) Successful in 10s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m18s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Failing after 56s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m32s Details CI / Platform (Go) (pull_request) Failing after 2m51s Details CI / all-required (pull_request) Successful in 7s Details audit-force-merge / audit (pull_request) Successful in 19s Details Add sqlmock unit tests for InstructionsHandler (instructions.go): - List: empty result, scope filter, workspace_id filter, DB error - Create: success (global), success (workspace with scope_target), invalid scope, workspace scope missing scope_target, content too long (>8192), title too long (>200) - Update: success, not found (0 rows), content too long, title too long - Delete: success, not found (0 rows) - Resolve: empty workspace, with global+workspace instructions, missing workspace_id - scanInstructions: rows.Err() handled gracefully (continues, not fatal) All 18 tests cover the DB query paths using sqlmock.	2026-05-14 13:49:43 +00:00
Molecule AI Core-DevOps	e0e5dd911f	handlers: add missing db import + remove duplicate test declarations Two compilation errors were preventing CI/Platform (Go) from running any tests at all (go vet failed first): 1. delegation_list_test.go: missing `db` import. The file assigns `db.DB = mockDB` but never imported the `db` package — a silent omission that compiled before the staging promotion's go.mod bump. 2. org_helpers_security_test.go: three test functions redeclared in org_helpers_pure_test.go (both files added by the staging promotion): TestIsSafeRoleName_Valid, TestMergeCategoryRouting_EmptyListDropsCategory, TestMergeCategoryRouting_EmptyKeySkipped. Removed from security file; pure_test.go versions use testify and are more comprehensive. Together with the prevDB/restore fixes in the previous commits, this should make CI/Platform (Go) fully green. Refs: mc#975 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 12:58:04 +00:00
Molecule AI Core-DevOps	a50f51eb8f	handlers/internal: fix db.DB pollution in registry and scheduler test helpers Five more test helpers have the same setupTestDB bug (save db.DB but don't restore on teardown). go test -race runs tests in parallel; when test A sets db.DB = mockA and test B sets db.DB = mockB, if A runs first and cleanup closes mockA, B then runs with db.DB pointing at a closed mock. Fixed files: - internal/registry/liveness_test.go setupLivenessTestDB - internal/registry/hibernation_test.go setupHibernationMock - internal/registry/access_test.go setupMockDB - internal/registry/healthsweep_test.go setupTestDB - internal/scheduler/scheduler_test.go setupTestDB All now follow: prevDB := db.DB; db.DB = mockDB; t.Cleanup(func() { mockDB.Close(); db.DB = prevDB }) Total files fixed for mc#975: 8 files, ~20 test helper functions across the workspace-server. Together with the CI fix to remove the PHASE3_MASKED workaround, this should make CI/Platform (Go) stable. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 12:58:03 +00:00
Molecule AI Core-DevOps	e11f1f3c06	handlers: fix db.DB pollution in activity_test.go and a2a_queue_test.go activity_test.go: 6 test functions used `defer mockDB.Close(); db.DB = mockDB` without saving/restoring the previous db.DB. go test -race could run subsequent tests with db.DB pointing at a closed mock. a2a_queue_test.go: setupTestDBForQueueTests had the same bug as setupTestDB — called `t.Cleanup(func(){mockDB.Close()})` without restoring prevDB. All callers of this helper are now protected. Pattern applied everywhere: save prevDB, assign mockDB, t.Cleanup restores both. Together with the delegation_list_test.go fix in the previous commit, this should eliminate all remaining race-condition failures in CI/Platform (Go). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 12:58:03 +00:00
Molecule AI Core-DevOps	126edf74c1	handlers: restore db.DB after each test to fix CI/Platform (Go) race failures mc#975 root cause: TestListDelegationsFromLedger_* and TestListDelegationsFromActivityLogs_* assign db.DB = mockDB then defer mockDB.Close(), but never save/restore the previous db.DB value. With go test -race (parallel execution), any test running after one of these 13 tests sees db.DB pointing at a closed sqlmock and fails. Fix: save prevDB := db.DB before assignment, then t.Cleanup(func() { mockDB.Close(); db.DB = prevDB }) — the same pattern already used by setupTestDB for the SSRF/restore path. Also fix setupTestDB in handlers_test.go: it called t.Cleanup(func() { mockDB.Close() }) but left db.DB pointing at the closed mock; now it also restores prevDB. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 12:58:03 +00:00
Molecule AI Fullstack Engineer	686c330708	fix(handlers): remove 3 duplicate test declarations blocking CI build (closes #968 ) Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 19s Details CI / Detect changes (pull_request) Successful in 35s Details Harness Replays / detect-changes (pull_request) Successful in 13s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 36s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 36s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 11s Details gate-check-v3 / gate-check (pull_request) Successful in 13s Details qa-review / approved (pull_request) Successful in 13s Details sop-checklist / na-declarations (pull_request) awaiting /sop-n/a declaration for: qa-review, security-review Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 27s Details sop-tier-check / tier-check (pull_request) Successful in 15s Details sop-checklist / all-items-acked (pull_request) Successful in 15s Details CI / Canvas (Next.js) (pull_request) Successful in 6s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 5s Details CI / Python Lint & Test (pull_request) Successful in 6s Details Harness Replays / Harness Replays (pull_request) Successful in 8s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m14s Details CI / Canvas Deploy Reminder (pull_request) Successful in 7s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 11s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m46s Details CI / Platform (Go) (pull_request) Failing after 3m41s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Failing after 3m38s Details CI / all-required (pull_request) Successful in 3s Details audit-force-merge / audit (pull_request) Successful in 16s Details PR #961 only partially removed duplicate test declarations. Remove the remaining 3 from org_helpers_security_test.go that already exist in org_helpers_pure_test.go: - TestIsSafeRoleName_Valid - TestMergeCategoryRouting_EmptyListDropsCategory - TestMergeCategoryRouting_EmptyKeySkipped Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 12:54:20 +00:00

1 2 3 4 5 ...

1004 Commits