Closes coverage-audit gaps for CI-coverable, keyless feature endpoints that
had NO e2e assertion in the required `E2E API Smoke Test` lane.
New: tests/e2e/test_keyless_feature_contracts_e2e.sh — a self-contained,
hermetic script (runtime=external fixture, NO LLM key) asserting the real
HTTP contract + a meaningful failure mode for each endpoint:
* GET /workspaces/:id/terminal/diagnose — 200 report / 401 no-auth
(the /terminal WS-upgrade sibling that is HTTP-assertable keyless)
* POST /webhooks/:type (public) — 200 ignored / 400 bad-json / 404 unknown
* GET /workspaces/:id/budget + PATCH — periods view / set+persist / 400 / 401
* /workspaces/:id/checkpoints* — upsert→latest→list→delete→404 / 400 / 401
* GET /workspaces/:id/audit — total0+chain_valid null / 400 bad-from / 401
* GET /workspaces/:id/traces — 200 [] without Langfuse / 401
* GET /workspaces/:id/session-search — q-filter hit / [] miss / 401
* GET /workspaces/:id/rescue — fail-closed 503 (no MOLECULE_ORG_ID) / 401
* GET/PUT /admin/workspaces/:id/llm-billing-mode — flip byok+readback / 400 ×3
* Lifecycle pause→resume + hibernate — transitions / 404 wrong-state / 401
Auth model mirrors wsauth_middleware.go: WorkspaceAuth is strict (401 without
bearer once a token exists), AdminAuth accepts the platform ADMIN_TOKEN OR the
workspace bearer (Tier-3) — so the script is green in BOTH the current
no-ADMIN_TOKEN CI shape and the post-#2286 ADMIN_TOKEN shape (proven locally,
48/48 each). Mock-runtime A2A canned round-trip is left to #2286's mock arm
(not duplicated). Does not touch e2e-api.yml admin-auth wiring or
test_priority_runtimes runtime arms (#2286 owns those) — only adds run steps.
Wire: tests/e2e/test_secrets_dispatch.sh was orphaned (no workflow ran it).
Added as a required-lane step. It is hermetic (extracts + runs the SECRETS_JSON
branch-order block in isolation; no platform/bearer/network), guarding the
2026-05-03 "wrong LLM-key shape wins" incident class.
Proof: local PG+Redis+platform-server (CI shape), all three scripts GREEN in
lane order under both auth shapes; bash -n + shellcheck clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Status (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Python Lint & Test (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
lint-continue-on-error-tracking / lint-continue-on-error-tracking (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Status (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Python Lint & Test (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
lint-continue-on-error-tracking / lint-continue-on-error-tracking (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Status (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Python Lint & Test (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Status (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Python Lint & Test (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Status (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
lint-continue-on-error-tracking / lint-continue-on-error-tracking (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Status (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Python Lint & Test (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
The internal#189 Phase 1 burn-in window closed 2026-05-17 (18+ days ago).
The header comment already claimed continue-on-error was removed from the
tier-check job, but three masking layers persisted and made the gate unable
to honestly fail CI on a real SOP-6 violation:
1. continue-on-error: true on the 'Install jq' setup step (redundant — the
step's final command already exits 0 unconditionally; not a gate).
2. continue-on-error: true on the 'Verify tier label + reviewer team
membership' step — the actual expired burn-in mask.
3. '|| true' after the sop-tier-check.sh invocation, which swallowed the
script's real exit 1 (missing tier label / no approval / unsatisfied
AND-clause).
All three removed. SOP_FAIL_OPEN=1 is RETAINED: it fails-open ONLY on
infra faults (empty/invalid token, unreachable Gitea API, missing jq) via
the guarded exit-0 branches in sop-tier-check.sh — it does NOT mask a real
tier-gate verdict. Stale header comment updated to reflect reality.
Evidence it is safe: across the 50 open core PRs, the latest per-context
sop-tier-check status is success/pending; the two PRs showing a 'failure'
context (#2285, #2132) are 'Has been cancelled' supersede artifacts from
cancel-in-progress, whose real (pull_request_review) run is success — not
gate verdicts. No currently-green PR newly reds from this change.
Restores the gate's honest ability to fail per the no-non-gating-CI goal.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
PR #2255's normalizeA2APayload (#2251) renames the legacy Part
discriminator "type" -> "kind" (A2A v0.3) on ingest. ProxyA2A logs the
NORMALIZED body to activity_logs (a2a_proxy.go:432 body=normalizedBody;
logA2AReceiveQueued RequestBody=json.RawMessage(body)). So a poll-mode
caller that posts {"type":"text",...} has its row stored with
{"kind":"text",...}.
test_poll_mode_e2e.sh Phase 5's ASC parser hard-coded
`if p.get('type')=='text'` to extract part text from the stored
request_body. Post-rename every part is keyed on "kind", so the filter
matched nothing, text_of() returned '' for every row, and the assert saw
`got: |` (empty|empty) -> REQUIRED E2E API Smoke gate FAILED on #2255.
Root cause: the test asserted on an INTERNAL wire detail (which
discriminator field the server stored) instead of on the text payload.
The product change is correct and is covered by Go unit tests in
a2a_proxy_test.go; only the E2E parser was coupled to the legacy format.
Fix:
- text_of() now accepts kind=='text' OR type=='text' (works on main's
legacy feed AND on #2255's normalized feed) — so it gates the text
payload, not the field name.
- Add a positive wire-contract assertion: the stored Part must carry the
v0.3 "kind" discriminator and NOT the legacy "type". This is the
end-to-end half of the unit tests — it proves the rename survives the
durable activity_logs path, and makes a dropped/reverted rename (or a
feed that stops storing the normalized body) fail LOUDLY here instead
of silently feeding a polling agent an untagged Part.
Verified: on main (no rename) poll-mode = 22 passed/0 failed; on #2255
(f0b6079a) it was 21 passed/1 failed at this exact assert. Both parsers
simulated against kind- and type-shaped feeds.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two incident-derived regression gates plus the real source bug the first
one surfaced.
1) Outbound A2A `message/send` envelope (#2251) — REAL, currently-shipping bug.
buildA2AMessageParts (mcp_tools.go, feeds delegate_task +
delegate_task_async) and the inline sync-delegation envelope
(delegation.go) emitted the text Part as {"type":"text"} instead of
the A2A v0.3-canonical {"kind":"text"}. A v0.3 peer's Pydantic
validator discriminates Parts on `kind` and silently drops a
`type`-keyed Part — the sender sees a happy 200/202 while the brief
is lost. #2255 fixed the INBOUND normalizeA2APayload (type→kind on
receive); this OUTBOUND send path was separate and still buggy on
main. The file-attachment Part already used `kind` (untouched);
MCP tools/call content schema legitimately keeps `type` (different
protocol, untouched).
Fix: text Part type→kind in both send paths.
Gate: a2a_outbound_envelope_test.go — pins text-part `kind`,
file-part `kind` (non-regression), and the full envelope role+kind.
RED before the fix (the two kind-asserting tests failed against the
shipping `type` shape), GREEN after.
2) Platform provider auth_env SSOT (#2250) — exact-equality gate.
The `platform` (closed proxy) provider must advertise ONLY
MOLECULE_LLM_USAGE_TOKEN in auth_env; a vendor key there makes the
canvas demand a credential the platform path ignores (wrong-bill /
silent no-op). The pre-existing tests only do a membership /
non-empty check, which passes against a drifted two-element list.
This pins the WHOLE set. Core's providers.yaml is already clean
(the vendor key lives in the separate auth_token_env field), so the
gate currently PASSES and locks that invariant against future drift
onto this SSOT. The drift itself lives in the codex template repo.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
Hardens the core#2261 instance-state reconciler against three review
findings on a path that runs against real customer SaaS workspaces.
[HIGH-1] TOCTOU false-flip. reconcileOnce SELECTed ids, then called
IsRunning which INDEPENDENTLY re-resolves instance_id (resolveInstanceID).
If instance_id was cleared/NULLed or the row deleted/reprovisioned between
the two reads, IsRunning returns a STALE (false, nil) that reflects a
missing instance_id — NOT a confirmed-terminated EC2 — and we'd flip a
workspace whose EC2 is not proven dead (and fire RestartByID on a maybe-
just-deleted row). Fix: capture instance_id in the SELECT, and after a
(false, nil) re-confirm the row's CURRENT (status, instance_id) with a
short-timeout primary-key read; flip ONLY when the row still exists, is
still online/degraded, and still records the SAME non-empty instance we
asked CP about. Any divergence (row gone, status moved, instance_id
cleared/changed) or a re-confirm DB error → skip (fail-safe toward NOT
flipping). Mirrors healthsweep's guarded-write re-confirm.
[MED-3] degraded scope. Widen the SELECT to status IN ('online',
'degraded') so a SaaS workspace the heartbeat handler flipped degraded,
then lost its EC2, is reconciled instead of falling through every sweep.
Matches healthsweep's status set.
[MED-2] per-cycle deadline. Wrap row processing in a cycleCtx with a 45s
cpInstanceCycleDeadline (under the 60s interval); per-workspace IsRunning
timeouts derive from it; break and defer the backlog if the cycle blows
its deadline. Mirrors cp_orphan_sweeper. Prevents a degraded-but-not-
erroring CP (slow-but-under-cap IsRunning × 200 rows) from dragging one
cycle to ~33min.
IsRunning is unchanged (a2a_proxy + healthsweep also call it). Existing
fail-safe-on-error behavior (err != nil → never flip) is preserved.
Tests: TOCTOU guards (instance changed / cleared / status moved / row
gone — all assert NO flip), degraded flips, re-confirm DB-error fail-safe,
happy re-confirm; updated the scope regex for the new
status IN (...) + instance_id column.
Refs core#2261. DO NOT MERGE until heavy core SOP gate clears.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comprehensive-review HIGH finding: core's providers.yaml was STALE vs the CP
canonical. cp#521 merged to CP-only AFTER the cp#529 byte-sync, removing the
unroutable colon-forms moonshot:kimi-k2.* / minimax:MiniMax-* from claude-code's
kimi-coding/minimax arms (claude-code's adapter can't strip those prefixes). It
was never synced to core — the repo that actually runs the workspace-create
enforcer. Consequence: core's enforcer ACCEPTED moonshot:kimi-k2.6 /
minimax:MiniMax-M2 for claude-code (which then wedge at adapter init), while CP
rejects them — the exact unroutable-id class cp#521 set out to close.
The hermetic sync_canonical_test only pins core-vs-its-own-copy (passed); only
the live cross-repo sync-providers-yaml CI catches this, and it's paths-filtered
+ token-gated, so the CP-only change slipped through.
Sync core to CP verbatim: providers.yaml + runtimes_test.go now byte-identical to
molecule-controlplane canonical, registry_gen regenerated, canonicalProvidersYAMLSHA256
bumped to 9eb6f97f. providers + handlers tests green; the enforcer now correctly
rejects the unroutable claude-code colon-forms.
core#2261 cp#521
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The online-wait loop only exited when status=online AND the tenant API surfaced
instance_id — but staging never surfaces it (observed: the DB has it, the API
response omits it). So the loop spun to the 900s deadline and failed with a
misleading "never reached online", and the slug-tag fallback below was dead code
(only reachable when instance_id was empty AFTER the loop, which never happened).
Fix: once online, grace-wait (45s) for the API instance_id, then fall back to the
AWS workspace-instance tag (ws-tenant-<slug>-<wsid>) — the same approach the live
proof used. The reconciler reads instance_id from the DB and acts on the real EC2
regardless of what the API surfaces, so the AWS-tag instance is the correct kill
target. Makes the e2e actually able to reach the kill + reconciler-flip steps.
core#2261
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
Run 216031 hung ~32min in the boot-to-online poll (3600s default) and leaked a
running staging e2e-rec EC2 — the workspace never reached online (a staging
boot/serving issue, same root as the full-saas A2A failures, upstream of the
reconciler this test exercises). Reduce the online timeout default to 900s so a
non-booting workspace fails fast and the teardown trap terminates the EC2
instead of hanging ~1h. Does not change what the test proves once staging can
boot a workspace online.
core#2261
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Removes the harness-side false-green / un-named-flake mechanisms so
`E2E Staging SaaS` + `E2E Staging Platform Boot` can become HARD merge-gates.
Does NOT flip continue-on-error (CTO's irreversible branch-protection call) —
adds a PROMOTION-READINESS block listing what's now fail-closed + what still
blocks promotion-to-required.
False-green / fail-open mechanisms fixed (each with a named mechanism):
1. Peer-discovery (9b) fail-open: `[ "$PEERS_CODE" = "404" ] && fail` only
caught route-missing — a 5xx / 000 / empty capture all read as "reachable".
Also `2>&1 | head -1` could capture a curl stderr line as the status.
Fix: route http_code to its own tempfile, require an explicit 2xx; a
non-2xx now hard-fails (mechanism: broken-but-present route ≠ healthy).
2. Activity-log (9b) "validated nothing": `|| echo '[]'` swallowed a 5xx /
network failure into an empty list, then the count was only logged, never
asserted — the step exited 0 having validated nothing. Fix: assert 2xx +
parseable JSON shape (do NOT assert count>0 — 0 events early is a valid
real state).
3. Child activity provenance (10) soft-green: "did not reference parent" was
logged and the step passed regardless, so a broken provenance pipeline
read as success. Fix: bounded readiness-POLL for the parent reference
(E2E_CHILD_ACTIVITY_TIMEOUT_SECS, default 60s) — the real readiness signal,
not a fixed sleep — then hard-fail with a named mechanism on deadline.
4. No fail-closed-on-skip guard: a future short-circuit / skip path could let
the script reach its final `ok` and report GREEN having validated nothing.
Fix: E2E_REQUIRE_LIVE (mirrors CP serving-e2e SERVING_E2E_REQUIRE_LIVE).
Load-bearing lifecycle stages stamp milestones (provisioned / tenant_online
/ workspace_online / a2a_roundtrip — the last stamped only AFTER the
real-completion gate, not the looser PONG check); require_live_or_die()
exits 5 if any required milestone did not fire. CI sets E2E_REQUIRE_LIVE=1
on both jobs (smoke mode still runs all four milestone stages).
The existing bounded readiness-polls (provision step 2, TLS step 4, online
step 7) already hard-fail on a named deadline — verified, not fixed-sleeps.
Verification (no live infra — full staging run is in CI):
- bash -n + shellcheck (-x, CI --severity=warning) clean on all touched files.
- New offline fail-direction unit test tests/e2e/test_require_live_guard_unit.sh
proves the guard exits 5 when no live lifecycle ran and passes when all
milestones fired (7/7). Wired into ci.yml "Run E2E bash unit tests".
- lint_cleanup_traps + existing completion/rc/model_slug unit tests still pass.
Coordination: avoids PR #2274's lines (model-slug default e2e-staging-saas.yml:175
/ lib/model_slug.sh, and the `error code: 502` retry grep) — confirmed no
protected pattern appears in the harness diff.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Both lanes stay continue-on-error (CTO's irreversible call) but are now
fail-closed so they can become required gates. No "flaky" dispositions —
each flake mechanism is named + fixed deterministically (internal#828).
e2e-staging-external + test_staging_external_runtime.sh:
- REQUIRE_LIVE guard (E2E_REQUIRE_LIVE=1 in CI): exit 5 if the harness
reaches a clean exit without proving all four awaiting_agent
transitions — a silent skip / early-return / dropped assertion can no
longer show green. Mirrors CP serving-e2e SERVING_E2E_REQUIRE_LIVE.
- Sweep-cadence flake (step 6): replaced fixed `sleep $STALE_WAIT_SECS`
+ one-shot assert with a bounded readiness-poll up to
STALE_POLL_DEADLINE_SECS. A slow-but-working sweep tick was being
misread as a stuck 'online'.
- Cold-boot transient flake (register / re-register): single-shot POST
/registry/register failed on Caddy 502/503/504 during cold TLS/agent
boot. Added register_with_retry mirroring the full-saas bounded
retry-on-transient loop — retries ONLY the transport class (5xx + body
match), fails closed on 4xx (real contract bug) and on exhausted budget.
- Token redaction (sanitize_http_body) on all transient-error logs.
e2e-chat + Playwright:
- passWithNoTests:false + forbidOnly(CI) in playwright.config.ts: a
renamed/moved spec or stray test.only can no longer green the lane with
zero executed tests.
- REQUIRE-LIVE guard in the run step: chat==true must execute >=1 test.
- chat-desktop "activity log" test no longer swallows its assertion with
`.catch(() => {})` (always-passed before) — now presence-gated skip or
a real visibility assertion.
PROMOTION-READINESS comments added to each workflow listing what's now
fail-closed and what still blocks promotion-to-required (infra-vs-code
signal split for external; server-received A2A assertion for chat).
Verified without live infra: bash -n + shellcheck clean on the harness
(only a pre-existing SC2015 info on untouched teardown line); both
workflow YAMLs parse; embedded run-step bash -n clean; pure-logic unit
tests for REQUIRE_LIVE fail-closed, sweep-deadline guard, and transient
retry classification all pass. Live staging suite NOT run (no infra).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two fixes so the live reconciler e2e can actually reach its assertion:
1. The create 400'd because the script used the BYOK path (MiniMax-M2 +
MINIMAX_API_KEY secret) — a combo that fails workspace-create. Add the
E2E_LLM_PATH=platform branch (DEFAULT) mirroring test_staging_full_saas.sh:
moonshot/kimi-k2.6, no tenant key — the create combo proven to succeed.
This test only needs the workspace status=online (then it kills the EC2),
so it doesn't need a real LLM completion.
2. set -e + curl --fail-with-body aborted the create command-substitution
before the fail line could echo $WS_RESP, hiding the real HTTP-400 reason.
Capture the body via `|| { fail "...$WS_RESP" }` so any future create
failure is diagnosable.
core#2261
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Deflake the staging canvas tab E2E so it can become a required check
(continue-on-error stays per RFC internal#219 §1 / CTO call — NOT removed).
Each flake/weak-gate mechanism is named and fixed deterministically
(§ No flakes / internal#828). Does NOT touch staging-display.spec.ts
(in-flight PR #2275).
staging-tabs.spec.ts:
- Weak "container visible" gate shipped empty/errored panels green: the
single tabpanel div always mounts. Replaced with assertPanelRendered():
settled REAL content via expect.poll (non-empty, not stuck on a loading
spinner) for non-degraded tabs. Mechanism: polled content condition
instead of implicit "network finished by now".
- ErrorBoundary ("Something went wrong") was never asserted — a React
subtree crash passed. Now asserted absent at hydration AND per tab.
- Error detection was [role=alert]:has-text("Failed to load") ONLY: missed
other error phrasings and role-less error divs (ActivityTab). Replaced
with any *visible* alert inside the panel for non-degraded tabs.
- Hand-maintained TAB_IDS could drift silently from SidePanel.tsx TABS
(it was already stale: missing display + container-config). Added a
live-DOM parity guard (fails loud on a new/removed tab); display +
container-config explicitly excluded (display owned by PR #2275).
- Added click→activation confirmation (aria-selected) before asserting the
panel — closes a wrong-panel race on slow click handlers.
- Fail-closed: CANVAS_E2E_STAGING=1 with no tenant state now hard-errors
(was a silent skip→green path); unset env still skips cleanly.
- Added PROMOTION-READINESS block (reliable now / still-blocks-required /
checklist).
staging-setup.ts:
- Fail-closed handoff: empty slug/tenantURL/workspaceId/tenantToken now
hard-fails setup naming the missing field, instead of handing off a
partial state the spec diagnoses (or skips) downstream.
e2e-staging-canvas.yml:
- PROMOTION-READINESS comment (what's reliable / what still blocks
promotion-to-required). continue-on-error untouched.
Verified without live infra: tsc --noEmit clean on all three e2e files;
playwright --list collects the staging spec; suite self-skips clean with
no STAGING env (exit 0) and hard-errors loud with CANVAS_E2E_STAGING=1 and
no token (exit !=0). Full live suite needs staging infra — not run here.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The desktop take-control path (acquire → noVNC WS upgrade → ws-proxy → EIC
→ websockify → x11vnc → Xvfb) had NO real e2e. staging-tabs.spec.ts only
opens the 13 declared panel tabs (TAB_IDS:24-38 omits `display`) and asserts
they render — it never acquires control, the noVNC WS never upgrades, and no
frame is asserted. DisplayTab.test.tsx mocks the RFB constructor, so no real
WebSocket is opened there either. A broken display path ships green.
This adds staging-display.spec.ts, which exercises the REAL wire path against
a standing desktop-capable staging workspace:
- POST .../display/control/acquire → asserts 200 + session_url with the
signed token in its #token= fragment (the contract DisplayTab.tsx:459-466
depends on).
- Opens the noVNC WebSocket from inside the page (so the browser sends the
same-origin Origin header that AdminAuth's isSameOriginCanvas path
requires — a browser WS can't set Authorization) with the exact
subprotocols the canvas uses (DisplayTab.tsx:339): asserts it UPGRADES
(onopen, no pre-open 1006/403 close).
- Asserts at least one BINARY framebuffer message arrives (real frame off
x11vnc, not a panel mount). No RFB mock.
Fail-closed, no "flaky" escape hatch: each failure stage names the broken hop.
Gated LOUD on STAGING_DISPLAY_WORKSPACE_ID; skips with a clear message when
absent. staging-setup.ts gains a fully env-gated block (no-op unless
STAGING_DISPLAY_SLUG is set) that resolves the standing desktop org's tenant
URL / admin token / org id, and now always exports STAGING_ORG_ID. It
provisions nothing — standing up one always-on desktop EC2 on staging is a
CTO cost item to activate this gate as a required check.
Does NOT touch the Gap 2 instance-state reconciler (needs CTO arch sign-off).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The staging SaaS E2E provisioned its claude-code canary with the BARE id
`MiniMax-M2`. The deployed staging tenant ws-server's compiled model
registry lags source, so validateRegisteredModelForRuntime returns HTTP
400 on the bare id at workspace-create. The sibling Platform Boot job, on
the SAME image, succeeds with the NAMESPACED `moonshot/kimi-k2.6` — only
the id form differs (deploy-skew, internal#718; NOT flaky).
Harness-side fix: switch the claude-code MiniMax default from bare
`MiniMax-M2` to the COLON-namespaced `minimax:MiniMax-M2.7`. Crucially
this is the colon (BYOK) form, NOT the slash/platform form
`minimax/MiniMax-M2.7` the issue floated: the canary injects
E2E_MINIMAX_API_KEY (BYOK), so the #1994 byok-not-platform guard asserts
provider_selection=minimax. The colon form stays in the BYOK `minimax`
arm (providers.yaml:851 → provider=minimax, passes the guard); the slash
form resolves to provider=platform and would trip it. Mirrors how the
proven-working kimi BYOK colon-form is registered.
Changed both the operator-override default in e2e-staging-saas.yml (which
sets E2E_MODEL_SLUG and wins over pick_model_slug) and the pick_model_slug
fallback in lib/model_slug.sh, plus the pinned unit-test expectations.
Also: widen the known-answer A2A POST retry grep to include the
Cloudflare-shaped literal `error code: 502/504` token, matching the
cold-start PONG probe and delegation loops. A single un-retried edge 502
right after a healthy round-trip (Platform Boot, task 268859) fell through
to break and failed the gate on the first attempt. Bounded by the existing
6-attempt/sleep-10 loop — no new sleep-as-fix.
NOTE: harness-side only. The durable fix is promoting the staging tenant
ws-server runtime image to a build whose compiled registry includes the
bare id.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Single Go choke that guarantees a schema-valid outbound A2A message/send
envelope: default params.message.role to "user" when absent (inject-only,
never clobbers a caller-supplied "agent"), and rename legacy part "type"
discriminator to v0.3 "kind". All 7 outbound message/send paths funnel
through proxyA2ARequest -> normalizeA2APayload, so this is the single
authority. The a2a-sdk v0.3 validator marks role REQUIRED; role-less
envelopes were failing peers with 'params.message.role Field required'
(broke delegate_task / the agents-team transport).
Contract tests added (role default, explicit-role preserved, type->kind,
regression guard). Part of the cross-repo SSOT fix anchored on the a2a-sdk
SendMessageRequest schema (runtime + mcp-server companions).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Provisions a real staging workspace, terminates its EC2 out-of-band, and
asserts the core#2261 instance-state reconciler heals it against real infra.
PRIMARY assertion (gate): within ~180s the workspace status leaves 'online'
— the reconciler detected the dead instance via CPProvisioner.IsRunning and
flipped it. A terminated EC2 masquerading as 'online' is exactly the
core#2247 regression this guards.
SECONDARY assertion (best-effort, ~600s): the onOffline -> RestartByID
existing-volume heal brings it back to 'online' on a NEW instance_id. Logged
but non-fatal — PRIMARY is the gate; a future tightening to a hard fail is
one edit away (noted in the script).
Kill primitive: aws ec2 terminate-instances on the captured instance_id
(falls back to slug-tag describe). Teardown is guaranteed by an up-front
EXIT/INT/TERM trap that deletes the tenant + leak-sweeps slug-tagged EC2
(reuses lib/aws_leak_check.sh), so a mid-test failure never orphans a box.
Real-infra complement to the deterministic unit tests
(cp_instance_reconciler.go). New workflow e2e-staging-reconciler.yml fires on
reconciler/script/lib changes + a daily schedule. NON-required initially
(continue-on-error: true) — promote to branch-required once green on main for
a de-flake window.
Refs core#2261, core#2247.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Server-side integration test for the workspace-server DisplaySession
WS-proxy + signed-token handshake, covering the WS-1006 regression
surface (proxy upgrade + token validation + bidirectional bytes) from
core#2247 — without any EC2/desktop/noVNC.
Positive: valid signed token + active lock + enabled display upgrades
(HTTP 101), the fake websockify backend's RFB greeting arrives through
the proxy, and a client->server byte echoes back end-to-end.
Negative (table-driven): missing token (403), tampered token (403),
expired lock (403), display mode none (404), empty instance_id (503),
wrong proxyPath (404) — each asserts no upgrade and no leak to upstream.
displayForward is overridden to a fake httptest websockify backend and
DB reads are sqlmock-ed, mirroring the sibling display-control test
harness. Complements the canvas reconnect unit tests (DisplayTab).
Refs core#2261, core#2247.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
Root cause (core#2247): every existing liveness sweep keys off a PROXY
(Redis TTL, agent heartbeat, local Docker, or runtime='external'). A SaaS
claude-code workspace whose EC2 was terminated/stopped falls through ALL
of them and stays status=online pointing at a dead instance_id forever.
Adds StartCPInstanceReconciler: a 60s sweep that asks the ONE
authoritative question the others lack — CPProvisioner.IsRunning (CP
DescribeInstances-equivalent) — for each online SaaS row, and on a clean
"not running" feeds it into the existing onWorkspaceOffline closure
(status flip + RestartByID reprovision, existing volume).
Guardrails: fail-safe (IsRunning is (true, err) on any transient error →
never flip); online + SaaS-EC2 only (runtime <> 'external'); per-cycle
LIMIT 200 + per-workspace timeout.
Refs core#2261, core#2247.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core#2262 merged via a race on the pre-fix commit, so main carries the stale
`platform_shared_openai_namespaced_still_rejected` assertion while the
byok-vendor providers (also in that merge) make hermes openai/gpt-4o routable
via the tenant's key. Flip the assertion to allowed. Unbreaks CI/Platform(Go).
cp#529
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Addresses the two valid sub-points in CR2's review of #2258, while the core
claim (existing rows left NULL) is empirically disproven.
EMPIRICAL GROUND TRUTH (PostgreSQL 16.13 prod, re-confirmed on 16.14):
adding `seq BIGINT GENERATED BY DEFAULT AS IDENTITY` to a populated
activity_logs REWRITES the table and assigns seq to EXISTING rows during the
ALTER in physical table-scan order (x=1..5 -> seq=1..5, all NON-NULL); the
identity sequence then advances ABOVE max(seq) so the next INSERT gets seq=6
with no collision. The migration is correct; rows do NOT stay NULL.
1) Comment precision: the up.sql overclaimed seq as a "gap-free monotonically
increasing value in INSERT (commit) order". Replaced with an accurate
statement — seq is a UNIQUE, monotonic-once-assigned tiebreaker that is NOT
gap-free (rollbacks burn values) and NOT a strict commit-order guarantee
under concurrency; neither property is needed, because any total, stable
tiebreaker makes (created_at, seq) a deterministic order. Documents the
table-rewrite backfill + sequence-advances-past-max behavior explicitly.
2) Backfill regression test (the coverage CR2 correctly said was missing):
new activity_seq_backfill_integration_test.go against real Postgres pins
the invariant the migration guarantees —
- _SeqBackfill_NoNull: after migrations, NO activity_logs row has NULL
seq (per-workspace and table-wide), and the IDENTITY default yields
distinct, strictly-increasing, non-null seq for fresh inserts.
- _SeqBackfill_SinceIDOnBackfilledRow: a row whose seq came purely from
the IDENTITY default (the same mechanism that backfills pre-existing
rows) is usable as a since_id cursor — its seq is non-null and a second
row sharing its exact created_at microsecond is returned, not dropped.
Proven to FAIL if seq were nullable/un-backfilled (ran against a mutant
schema with a plain nullable seq column: both tests trip) and PASS as-is.
go build ./... + go vet -tags=integration ./internal/handlers/ clean;
integration suite green (SinceID|Seq|Backfill|Ordering) on PG16.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Byte-synced mirror of the canonical change in molecule-controlplane
internal/providers/providers.yaml: add 5 NON-PLATFORM BYOK-vendor
provider entries (byok-anthropic, byok-openai, byok-gemini,
byok-minimax, groq) and wire them as name-only prefix-routing arms
into the hermes / openclaw / codex runtime native sets so the 20
residual ids cp#529 flagged as drift become routable with the
TENANT's OWN vendor key (billing-safe), not the platform-shared key.
- hermes: + byok-anthropic, byok-gemini, byok-openai, byok-minimax (12 ids)
- openclaw: + byok-openai, byok-minimax, groq (7 ids; runtime DEFAULT
minimax:MiniMax-M2.7 now resolves)
- codex: + byok-minimax (codex-minimax-m2.7 via narrow ^codex-minimax- leg)
Billing-safe: every new provider IsPlatform()==false -> BYOK billing.
Collision-free: all matchers namespaced, disjoint from the platform
vendors' bare matchers; DeriveProvider resolves all 20 ids +
codex-minimax-m2.7 to exactly one non-platform provider.
This is the molecule-core SIDE of the synced registry: providers.yaml
is byte-identical to controlplane's (diff -u empty), registry_gen.go
regenerated, and canonicalProvidersYAMLSHA256 bumped to the new
canonical sha. The two PRs must land together.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
HEAD 911d9ce3 was labeled test-only but its rebase took the pre-fix source
blobs, deleting the isPlatformManagedProvider helper + its 3 call-sites that
21268f0f had correctly added — so the new #2245 tests ran against un-fixed
source (6 reds: 'isPlatformManagedProvider is not a function' x4 + missing
'Platform-managed — no API key required.' copy x2). Mechanism = clobbered
source, NOT a flake. Restores both files to 21268f0f. SSOT: helper defined
once in ProviderModelSelector, imported in the dialog. Canvas suite 3342 pass / 0 fail.
Dimension-2 (schema-contract gaps) sweep, the #2251 blind-spot class.
registry_test.go binds hand-written JSON literals that encode the test
author's idea of the wire shape, not the bytes the runtime emits. This
adds registry_payload_contract_test.go: it feeds the EXACT golden bodies
the workspace runtime produces (byte-synced with the companion runtime
test test_registry_payload_contract.py) through gin binding.JSON.BindBody
— the same decode+validate path ShouldBindJSON runs — into the real
RegisterPayload / HeartbeatPayload structs.
Pins: the runtime's register + heartbeat (healthy and wedged) bodies bind
cleanly, and a body missing a binding:required field (id, agent_card,
workspace_id) is REJECTED. Proven red->green by stripping binding:required
from WorkspaceID. Together with the runtime-side producer test, drift on
either half fails CI instead of shipping an undialable/silent workspace.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The prior commit added ORDER BY created_at DESC, seq DESC to
buildSessionSearchQuery, but the outer SELECT reads from the
session_items CTE whose projection did NOT include seq. An outer ORDER BY
can only reference the CTE's output columns, so real Postgres raised
`column "seq" does not exist` -> SessionSearch 500 ->
TestIntegration_SessionSearch_Basic/_EmptyQuery failed the Handlers
Postgres Integration job. sqlmock missed it (regex-matches the query
string, never executes it).
Fix: project seq through session_items so the outer ORDER BY can see it.
Integration suite green (incl. the two SinceID ordering proofs).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
buildSessionSearchQuery ORDER BY created_at DESC had the same missing-tiebreaker
non-determinism as the since_id feed. Unused in production, but the seq column
now exists and leaving a known unstable sort violates dev-sop § No flakes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The poll-mode since_id feed ordered by created_at with NO tiebreaker, and
activity_logs.id is a random UUID (no monotonic column) — same-microsecond
rows came back in arbitrary planner order, intermittently flipping
hello-from-e2e-2|hello-from-e2e-3 in test_poll_mode_e2e.sh. Not a flake: a
missing tiebreaker (per dev-sop § No flakes). Second bug fixed: the since_id
cursor filtered created_at > X strictly, silently dropping a row written in
the cursor row's microsecond.
Fix: add monotonic seq BIGINT GENERATED BY DEFAULT AS IDENTITY (idempotent) +
(workspace_id, created_at, seq) index; ORDER BY (created_at, seq); cursor
compares the full (created_at, seq) tuple. Integration test (real PG) proves
red->green incl. the boundary row (fails 5/5 pre-fix). Unit sqlmock updated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
validateRegisteredModelForRuntime now allows a model if it is on the
runtime's platform menu (ModelsForRuntime) OR DeriveProvider resolves a
native provider — the CTO-approved Option C routability path. Wire
confirmed-non-platform BYOK providers into claude-code/hermes/openclaw as
name-only native arms (zero platform-menu change) + widen their prefix
matchers to accept both slash and colon BYOK id forms.
Billing guardrail: only non-platform (BYOK) providers are wired; the
platform-shared vendors (openai/gemini/minimax/anthropic, and groq which
has no provider) are deliberately NOT wired, so their ids stay residual
drift rather than billing a customer's model through the platform key.
claude-code now fully resolves; residual drift = only platform-shared ids
(hermes anthropic//gemini//openai//minimax/, codex codex-minimax, openclaw
groq:/openai:/minimax:) — trimmed from templates / restored via dedicated
BYOK-vendor providers in a follow-up. Build + providers/gen/handlers tests
green.
NOTE: overlaps files with open PR #2241 (cp#521, trim approach); co-review
and rebase before merge.
cp#529
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The canvas /api/buildinfo route existed but only read VERCEL_GIT_COMMIT_SHA,
which the fleet's ECR-image Docker deploy never sets — so the served SHA
always reported "dev" and canvas deploys could not be verified by the
served SHA the way the platform's /buildinfo is.
Bake the merge SHA into the canvas image at build time and surface it:
- canvas/Dockerfile: ARG BUILD_SHA=dev -> ENV BUILD_SHA in the final
runtime stage (server-only, not NEXT_PUBLIC_, so it stays out of the
client bundle). Default "dev" matches workspace-server's sentinel so an
unwired build fails the SHA comparison closed.
- route.ts: BUILD_SHA takes priority, then VERCEL_GIT_COMMIT_SHA, then
"dev". force-dynamic so the route reads BUILD_SHA from the standalone
Node server's runtime env per request (confirmed via next build: the
route renders as Dynamic / server-rendered on demand).
- publish-canvas-image.yml: pass BUILD_SHA=${{ github.sha }} (full 40-char
SHA) so the fleet redeploy verification can match exactly.
- docker-compose.yml: BUILD_SHA build arg (default "dev") for local builds.
- test: assert BUILD_SHA wins over the Vercel var + the dev fallback.
Follow-up (flagged, not in scope): core#2226's canvas deploy could poll
this /api/buildinfo per-tenant to assert the served SHA, the same way the
platform redeploy workflow polls workspace-server's /buildinfo.
Closes#2235
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Independent review noted the integration test exercised only the legacy
vendor==="platform" branch; production uses the registry-backed
billingMode==="platform_managed" path. Add a registry fixture whose
platform provider declares auth_env:[MOLECULE_LLM_USAGE_TOKEN] and assert
end-to-end through buildProviderCatalogFromRegistry: field hidden, no
error, no secret in the create payload. Watch-it-fail verified red->green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Create-workspace dialog blocked submission with "Provider credential
is required" for the platform-managed provider, even though platform-
managed mode injects its own usage token (MOLECULE_LLM_USAGE_TOKEN = the
tenant admin_token, set by the CP provisioner) and the user supplies no
key. The validation keyed only off envVars.length, with no exemption for
platform-managed; it also rendered a credential field for the internal
token and would have sent secrets:{MOLECULE_LLM_USAGE_TOKEN:""} on create,
clobbering the provisioner-injected token.
Add isPlatformManagedProvider() (vendor==="platform" ||
billingMode==="platform_managed") and gate the validation, the
credential-field render, and the secret-send on it. Platform-managed now
shows "no API key required" and sends no secret; BYOK is unchanged.
Tests: discriminating vitest (watch-it-fail verified red->green) — a
platform-managed provider WITH a declared auth env requires no credential,
hides the field, and sends no secret; BYOK still requires + renders the
field; + isPlatformManagedProvider unit cases. The prior mock masked the
bug by giving the platform provider required_env:[] — the new fixture
matches production (auth_env carries MOLECULE_LLM_USAGE_TOKEN).
Fixes#2245
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Status (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Python Lint & Test (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
The SOP tier checker collected approvers with:
jq '[.[] | select(.state=="APPROVED") | .user.login]'
without filtering on the review's commit_id. After a PR head moved,
stale approvals against the old SHA remained valid to the tier gate.
Fix:
- Fetch HEAD_SHA from the PR API before reading reviews.
- Filter reviews with `.commit_id == $head_sha` so only current-head
approvals count toward the gate.
Add regression test `test_sop_tier_check_stale_reviews.sh` with three
cases: mixed stale/current approvals, all-stale, and null commit_id.
Closes internal#816.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The `na-declarations` context is informational (tells review-check.sh
which gates are N/A), not a merge gate. When no `/sop-n/a` declarations
exist, the script was posting `pending` with description `N/A: (none)`,
which poisoned the PR combined status and looked like an in-flight gate.
Change `na_status_state` from conditional `"success" if na_descs else
"pending"` to unconditional `"success"`. An empty declaration list is a
valid terminal state.
Add regression tests `TestNaDeclarationsStatusTerminal` with mocked
GiteaClient to verify both empty and populated N/A cases post success.
Closes internal#818.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Reminder (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
The standalone molecule-ai/canvas image previously only built+pushed
:latest + :sha-<sha> with no deploy step, and docker-compose referenced
canvas:latest UNPINNED. Tenants/hosts picked up new canvas only as a side
effect of the platform fleet-redeploy pulling :latest — non-deterministic
and unverifiable, hence the advisory "Canvas Deploy Reminder".
Mirror the platform's ordered deploy (publish-workspace-server-image.yml):
- publish-canvas-image.yml: build job now pushes :staging-<sha> +
:staging-latest (+ legacy :sha-<sha>) and no longer moves :latest. New
promote-canvas job waits for green main CI on the SHA (same
prod-auto-deploy wait-ci SSOT the platform deploy uses), then re-points
:latest to the verified :staging-<sha> by digest (imagetools create).
So :latest == last CI-green canvas, and platform+canvas advance off the
identical signal/SHA. Honors the PROD_AUTO_DEPLOY_DISABLED kill-switch.
- docker-compose.yml: canvas image pins via CANVAS_IMAGE_TAG (default
latest = prod-blessed; set staging-<sha> or staging-<sha>@<digest> for a
reproducible deploy). Resolves the standing TODO: pin canvas ECR digest.
Local-dev `build:` context unchanged.
- ci.yml: replace the advisory "Canvas Deploy Reminder" (prescribed a
manual docker compose pull) with "Canvas Deploy Status" recording that
the ordered deploy is handling it.
Closes#2226
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Peer agents can now pass files (images, video, audio, documents) alongside
task text when delegating to another workspace. The attachments schema mirrors
send_message_to_user: each item needs uri + name; mimeType and size are optional.
Changes:
- MCP tool schemas for delegate_task / delegate_task_async gain optional
attachments array (same shape as send_message_to_user).
- toolDelegateTask + toolDelegateTaskAsync parse attachments and emit them as
a2a-sdk v1 message parts with kind derived from MIME type.
- buildA2AMessageParts helper constructs the parts array: text part first,
then file/image/audio/video parts in order.
- extractAttachmentsFromMessageParts now accepts video kind (was file/image/audio
only), so video attachments round-trip correctly through the A2A envelope.
- Tests cover sync + async delegation with video and image attachments, and
video part extraction from message bodies.
Closes#2222.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Byte-sync mirror of molecule-controlplane's cp#514 (chore: remove transitional
vertex: arm from google-adk). Copies the canonical providers.yaml verbatim,
regenerates workspace-server's registry_gen.go projection, re-pins
canonicalProvidersYAMLSHA256, and flips the mirrored
TestVertexProviderRegistered runtime-arm assertions.
The standalone keyless `vertex` provider (^vertex: namespace) is unchanged; only
the transitional `vertex:gemini-2.5-pro` selectable arm on the google-adk runtime
is removed. A saved `vertex:gemini-*` model still resolves harmlessly.
Synced pair with the CP PR (sync-providers-yaml + verify-providers-gen gates) —
must merge TOGETHER with it. Verified the two providers.yaml are byte-identical
(sha256 8e19aaf8a2a37cdd109184ae80ca223ce0a0ce0ed30299a52aa990271da5af7a).
Refs molecule-controlplane#514
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Issue #2205 reports E2E API Smoke health-wait times out while platform
migrations are still running. The previous step polled /health for 30s
with no migration awareness, so it could exit 0 before the DB was
actually usable, causing downstream steps to flake on "no such table".
Hybrid fix:
1. Bump probe count 30→300 (1s sleep each, 5min ceiling — enough
for the full migration chain on cold-cache runners).
2. Gate exit on the same workspaces-table existence check the
downstream "Assert migrations applied" step uses. We now only
declare /health success when both /health=200 AND the workspaces
table is present.
3. The downstream "Assert migrations applied" step stays as a
defense-in-depth final check; with the new gate it should
always pass on a clean run.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The post-merge `E2E Staging Canvas (Playwright) / Canvas tabs E2E` job was
permanently red for two reasons unrelated to the code under test.
1. Stale fixture (code fix). canvas/e2e/staging-setup.ts created the test
workspace with `runtime=hermes, model=gpt-4o`. The provider-registry SSOT
(internal#718) registers ONLY Kimi models for the hermes runtime, so the
create now correctly 422s UNREGISTERED_MODEL_FOR_RUNTIME. Switched to
`moonshot/kimi-k2.6`, the platform-managed hermes entry in
workspace-server/internal/providers/providers.yaml (hermes -> platform).
The workspace already defaults closed to platform_managed, so a
platform-namespaced id is the registry-correct, self-sufficient choice
(no tenant LLM key needed). Validated against BOTH create-time gates:
the model-side ModelsForRuntime membership check AND the #2172
derived-provider check (moonshot is a declared provider).
2. Missing CI secret (workflow fix). The `Verify admin token present` step
hard-failed with `::error::Missing CP_STAGING_ADMIN_API_TOKEN` + exit 2,
painting main red on an operator CONFIG gap. Converted to a
skip-if-absent gate mirroring the serving-e2e skip-if-secret-unset
contract: when the secret is unset it emits a loud ::warning:: + ::notice::
and skips the provision/test steps (job completes green); when present it
runs the full suite exactly as before.
OPERATOR ACTION: set CP_STAGING_ADMIN_API_TOKEN as a repo/org Actions secret
on molecule-core for the E2E to actually execute (it skips until then).
Closes#2225
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds scripts/check-manifest-repos-exist.sh — a fail-fast guard that
verifies every repo in manifest.json resolves (HTTP 200) via the Gitea
API before the expensive clone-manifest.sh step runs. Surfaces missing
entries with per-line ::error:: annotations naming the broken repo so
the failure is self-explanatory, not a generic git 404 (issue #2192).
Integrates the check into publish-workspace-server-image.yml immediately
before the Pre-clone manifest deps step. This is the push-time complement
to PR #2186's PR-time manifest-entry-existence gate.
Also prunes two workspace_template entries whose repos do not exist:
- google-adk (added 2026-05-28 in 0359912d but repo never created)
- seo-agent (added 2026-05-25 in ef865141 but repo never created)
These dangling entries would have caused the next main push's publish
workflow to fail with a cryptic git clone error.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The Create handler already validates (runtime, model) against the
provider registry (commit e53a47b4). The SetModel endpoint
(PUT /workspaces/:id/model) was the remaining unguarded save path —
a user could change the model after creation and bypass both the
model-registration gate and the derived-provider gate.
Fix:
- Query the workspace's runtime before persisting the model.
- Call validateRegisteredModelForRuntime + validateDerivedProviderInRegistry
for non-empty models, mirroring the Create handler order and error
shape (422 with code + actionable list).
- Return 404 when the workspace does not exist.
- Federation contract preserved: unknown runtimes fail-open exactly
as in Create.
Tests:
- Update existing SetModel / RoundTrip mocks to expect the runtime
lookup query.
- Add TestSecretsSetModel_UnregisteredModel_422.
- Add TestSecretsSetModel_UnknownRuntimeFailOpen_200.
- Add TestSecretsSetModel_WorkspaceNotFound_404.
Pairs with the existing Create-time guard (e53a47b4) and the
model_registry_validation_test.go regression suite.
SOP: /sop-ack engineer-ack as fullstack-engineer
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
E2E Chat / detect-changes (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
lint-continue-on-error-tracking / lint-continue-on-error-tracking (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
Root cause of the #2213 main-red (`publish-workspace-server-image /
Production auto-deploy` failing on hongming "is stale"):
Two main pushes landed ~2 min apart (7a72516 then 7f25373). With no
`concurrency:` on this workflow (intentional — Gitea 1.22.6 cancels queued
prod deploys) BOTH deploy-production jobs run. The OLDER 7a72516 job started
late, after 7f25373 was already main's head. The #2194 superseded guard only
protected the *verify* step — it ran AFTER the redeploy and the :latest
promote. So the older job still:
1. redeployed the canary (hongming) BACKWARD to staging-7a72516, reverting
it from the newer SHA the 7f25373 job had just shipped — which is exactly
what the 7f25373 job's verify then saw ("hongming is stale: actual=7a72516,
expected=7f25373") -> main red; AND
2. promoted :latest BACKWARD to the older staging-7a72516 image,
before finally skipping verify and exiting green.
Fix (defense in depth, no change to the redeploy/rollout logic itself):
- Add a "Check superseded before production side effects" step that runs the
existing check-superseded BEFORE the rollout. When a newer commit already
owns main, gate OFF both the redeploy-fleet step and the :latest promote so
an older job never rolls the fleet (or :latest) backward. Fail-safe: an
unreadable head is treated as NOT superseded, so a genuine deploy never
silently skips. The in-step verify guard is kept to catch a newer job that
lands DURING this job's rollout.
- Harden the /buildinfo verify with a bounded per-tenant settle budget
(default 240s, 20s interval, both overridable via repo vars). `curl --retry`
only retries connection/5xx failures, not a stale-but-200 body, so a tenant
whose container the CP just swapped — still serving the draining old image
at the edge — false-reds "stale" on the first poll. Now we poll until the
tenant reports the target SHA or the budget is exhausted, then fail loud.
A genuinely stuck tenant is NOT masked.
Tests: pin the superseded contract for the exact 7a72516/7f25373 incident
shape (older job superseded -> skip; latest job -> still rolls + verifies).
All 35 prod-auto-deploy unit tests pass; lint-workflow-yaml + curl-status
linters clean; every run block bash -n clean.
Refs #2213
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The `E2E Peer Visibility (literal MCP list_peers)` gate has been red on
main because tests/e2e/test_peer_visibility_mcp_staging.sh created both
the parent and the per-runtime sibling workspaces with a runtime + secrets
but NO `model` field. Staging now enforces the workspace-create contract:
there is no platform-side default model for a runtime
(feedback_workspace_model_required_no_platform_default — the MODEL_REQUIRED
gate). The create was therefore rejected with MODEL_REQUIRED before the
peer-visibility assertion could run.
Fix: supply the required `model` on every create via a small
pv_platform_model_for_runtime helper that returns a PLATFORM-MANAGED id
(Molecule owns billing — no tenant key needed; this gate only needs the
workspace to boot + list peers). Ids are validated against the controlplane
providers SSOT (internal/providers/providers.yaml runtimes.<rt>.providers
[platform].models):
- claude-code (parent + claude-code sibling) → anthropic/claude-sonnet-4-6
- hermes / openclaw siblings → moonshot/kimi-k2.6
E2E_MODEL_SLUG still overrides for operator-dispatched runs, mirroring
lib/model_slug.sh. Contract enforcement is preserved; we supply the field
rather than removing the gate.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds the required Tier 2g directive comments to 4 workflow jobs that emit
commit-status contexts on pull_request but lacked a bp-directive:
- e2e-peer-visibility.yml / pr-validate
# bp-required: pending #1296 — intentionally not yet in branch protection
(sibling peer-visibility-local already carries this; pr-validate was missed).
- ci-arm64-advisory.yml / fast-checks
# bp-exempt: advisory arm64 pilot, non-gating by design (internal#418).
- sync-providers-yaml.yml / compare
# bp-required: pending #718 — soak-then-promote, not in BP yet.
- verify-providers-gen.yml / verify
# bp-required: pending #718 — soak-then-promote, not in BP yet.
All directives are placed within the 3-line lint window above the job key
so lint-required-context-exists-in-bp (Tier 2g) can see them.
Closes Task #77 / internal#802.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Reminder (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Reminder (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Python Lint & Test (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
lint-continue-on-error-tracking / lint-continue-on-error-tracking (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
Reasoning models (MiniMax M2.7, Moonshot K2.6) can spend the entire
4-token budget on reasoning, leaving zero tokens for the actual
response. Bump the per-provider liveness probe to 32 so reasoning
models have headroom to emit both reasoning and content.
Part of issue #2204.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The `E2E API Smoke Test` REQUIRED gate (and the sibling local-platform E2E
workflows) started the platform in the background and waited for /health with
a fixed 30×1s loop (~30s). The platform binds /health only AFTER applying the
FULL migration chain on cold start; that chain now reaches past the 30s window
(the run log gets to 20260523000000_schedule_consecutive_sdk_errors.up.sql
before "Platform starting on :PORT"), so the health loop expired before the
server was reachable → downstream E2E never ran → main went red. A fixed budget
is brittle by construction because the migration chain grows every release.
Fix (deterministic, not a bigger magic number):
- Poll /health on a generous, clearly-commented wall-clock budget (180s) that
comfortably exceeds cold-start + full-migration time and is robust to the
chain continuing to grow. /health returning 200 is the real readiness signal
(migrations done + server listening).
- Still fail fast + loud on a genuinely dead platform: if the backgrounded
platform-server PID has exited (e.g. a broken migration crashed it), stop
immediately and dump the platform log — we never mask a real startup failure,
and we never wait out the full budget for a process that is already gone.
- On true timeout, dump the platform log tail and fail with ::error::.
Applied identically to the four workflows sharing the 30×1s platform-/health
pattern: e2e-api, e2e-chat, e2e-peer-visibility, e2e-legacy-advisory. The
unrelated Postgres-readiness `seq 1 30` waits (which are not gated on the
migration chain) are intentionally left unchanged.
curl usage avoids the -w '%{http_code}' status-capture shape, so
lint-curl-status-capture passes; lint-workflow-yaml passes on all 56 files.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Reminder (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
Step 8 of the full-lifecycle SaaS canary sends an A2A round-trip to the
parent and asserts a PONG. When the configured completion backend returns
a 2xx with no text part (empty content / tool_calls-or-reasoning-only),
the agent runtime surfaces the literal reply "Error: message contained no
text content." Today that fell through the generic "error|exception"
catch-all and was reported as a vague "A2A returned an error-shaped
response", which misdirects triage to workspace-server.
Add a specific error-class check (mirroring the existing hermes-401 /
quota-exhausted patterns) that names this as a model/provider BACKEND
regression with the operator action, before the generic catch-all. No
behaviour change for healthy runs; the failure still hard-fails — it is
just diagnosed correctly.
Observed 2026-06-03/04: 100% of staging canaries on MODEL_SLUG=MiniMax-M2
(canary default since #2710) hit this on the parent's first cold turn,
identical on main's scheduled synthetic E2E and on open PRs — i.e. an
environmental backend regression, not PR-introduced. This is purely a
diagnostic-precision improvement to the unmodified main-line step-8 block.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The ci-required-drift parser only looked for REQUIRED_CHECKS while
audit-force-merge.yml switched to REQUIRED_CHECKS_JSON (branch-aware
dict). This caused F3 drift detection to fail on repos using the JSON
variant.
Changes:
- required_checks_env() now detects both REQUIRED_CHECKS_JSON (preferred)
and REQUIRED_CHECKS (legacy fallback).
- For JSON variant: parse the dict, extract the array for the target
branch, validate structure, return as a set of context names.
- For legacy variant: unchanged newline-split behavior.
- Error messages updated to mention both env vars.
- render_body() resolution text updated to mention both variants.
- Tests added for JSON precedence, fallback, missing branch, malformed
JSON, and full drift-class coverage (F3a/F3b/happy-path).
Closes internal#804
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Postgres TEXT columns in a UTF-8 database reject raw bytes like 0x80 and
0xff. The test was trying to insert these into workspace_schedules.prompt
via insertSchedule, which failed with:
pq: invalid byte sequence for encoding "UTF8": 0x80
Fix: insert a valid prompt into the DB fixture, then call fireSchedule
directly with a scheduleRow whose Prompt field carries the invalid bytes.
This still exercises the #2026 regression path (sanitizeUTF8 before jsonb
INSERT) without tripping Postgres TEXT validation.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The workspace_status enum migrated away from 'active' in migration
043_workspace_status_enum.up.sql; valid values are provisioning/online/
offline/degraded/failed/removed/paused/hibernated/awaiting_agent/
hibernating. Inserting 'active' caused all five scheduler integration
tests to fail at fixture setup with:
invalid input value for enum workspace_status: "active"
Fix: use 'online' (a valid enum member) for runnable fixture workspaces.
Also updates the helper comment to cite enum validity.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
E2E Staging Canvas (Playwright) / "Canvas tabs E2E" went red on main HEAD
b9d2f023. The actual failure (runner-6 task 258160) is in the Playwright
globalSetup, NOT in any spec assertion:
[staging-setup] Workspace created: 8e5c7354-...
Error: Workspace failed: (no last_sample_error) full body:
{... "runtime":"hermes","status":"failed","uptime_seconds":0,
"last_sample_error":null ...}
at canvas/e2e/staging-setup.ts:272 (waitFor "workspace online")
Root cause — NOT a canvas/test regression and NOT timing fragility. It is
a deterministic consequence of workspace-server #2162 (merged 2026-06-03,
"platform-managed workspace must fail-closed when CP proxy env absent"),
which is a correct production safety fix. The canvas E2E creates a bare
hermes/gpt-4o workspace that defaults closed to platform_managed; on a
staging tenant without MOLECULE_LLM_BASE_URL / MOLECULE_LLM_USAGE_TOKEN,
the agent now aborts at boot with MISSING_PLATFORM_PROXY — surfacing as
the pre-start credential-abort shape (status:"failed", uptime_seconds:0,
no last_sample_error). Pre-#2162 the same workspace booted credential-less
(the bug #2162 fixed) so the old harness happened to pass.
The fix is in the harness, because this test does not need a booted agent:
staging-tabs.spec.ts only opens the 13 side-panel tabs and asserts no hard
crash / no "Failed to load" toast. It makes zero LLM calls and even mocks
/cp/auth/me + 401→200. All it needs is a workspace ROW so the node + tabs
render.
So step 6 now waits for RENDERABLE instead of strictly online:
- online -> happy path (staging with proxy env)
- failed + uptime_seconds==0 + no sample -> pre-start credential-abort:
agent never ran, row still renders -> proceed, with a loud console.warn
- any other failed (last_sample_error present, OR uptime_seconds>0 i.e.
the agent started then crashed) -> still hard-throws (no masking)
Real infra/provision failure stays loud one step earlier at the org level
(instance_status === "failed", unchanged).
Verification: tsc clean for canvas/e2e/staging-* (pre-existing tsc errors
are all in unrelated __tests__ files); `playwright test --list` resolves
globalSetup + the single spec. Full live run needs staging CP creds not
available locally; the changed branch is the globalSetup readiness gate,
verified by inspection against the captured failing-run body.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The canvas-readiness loop added in PR #2195 captured the curl status
into CODE with `CODE=$(curl -s -o /dev/null -w '%{http_code}' ...
|| echo 000)`. That shape is exactly the BAD_STATUS_CAPTURE pattern
that .gitea/scripts/lint-curl-status-capture.py rejects — curl -w can
write a status to stdout before the || echo 000 fallback fires,
producing polluted values such as a concatenated status string rather
than one code.
Adopt the lint-approved tempfile pattern already used by
e2e-staging-external.yml (set +e / curl -w '...' > file / set -e /
cat file || echo '000') so the captured value is always a clean HTTP
code or '000'.
Closes#2198 (main-red after #2195).
Closes#2199 (auto-filed main-red watchdog, root cause identical to #2198).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Reminder (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Python Lint & Test (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
lint-continue-on-error-tracking / lint-continue-on-error-tracking (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
The moonshot/kimi incident: a canvas-created claude-code workspace with
provider=Platform + model=moonshot/kimi-k2.6 booted NOT_CONFIGURED in prod
because the generated config.yaml lacked the manifest-derived `provider:`
key, so the adapter slash-split "moonshot/..." -> unregistered provider.
Fixed by #2187 (ensureDefaultConfig stamps DeriveProvider->provider:platform)
+ #2188 (canvas). Unit tests passed; the REAL boot path was the gap.
This adds comprehensive regression coverage so the CLASS cannot reship:
Deterministic (no live infra, runs in the normal unit suite):
workspace-server/internal/handlers/workspace_provision_platform_boot_test.go
- TestEnsureDefaultConfig_StampsProviderForEverySSOTPlatformModel:
enumerates the claude-code `platform` arm from the providers SSOT
(providers.LoadManifest) and asserts ensureDefaultConfig stamps
provider:platform (top-level AND runtime_config) for EVERY offered
platform model — not just the single moonshot/kimi pin #2187 shipped.
A newly-offered platform model gets a case for free and only passes if
actually stamped (closes the offered-but-not-stamped divergence the bug
rode in on). Mutation-verified: disabling the stamp fails the test.
- TestPlatformModelDeriveProvider_SSOTConsistency: the upstream half —
DeriveProvider maps every SSOT platform model to provider Name "platform".
Real-boot (staging; I will run it):
Extends the existing staging harness (no new harness) with a
platform-managed path: E2E_LLM_PATH=platform pin-selects moonshot/kimi-k2.6,
sends NO tenant key, and reuses the harness's online-wait + completion
assertions to prove the workspace reaches status=online (not
not_configured) and a completion returns 200. The BYOK branches never
exercised the platform arm — the exact arm the bug shipped on.
- tests/e2e/lib/model_slug.sh: platform path + override semantics
- tests/e2e/test_model_slug.sh: 4 new pinned cases (16/16 green)
- tests/e2e/test_staging_full_saas.sh: empty-secrets platform branch
- .gitea/workflows/e2e-staging-saas.yml: new `E2E Staging Platform Boot`
job (continue-on-error during de-flake; bp-required: pending #2187),
+ providers.yaml/model_slug.sh added to the path triggers.
Coverage-audit theme: mc#1982 (continue-on-error masks; de-flake-then-gate).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Root cause of the intermittent `E2E Chat / E2E Chat` red
(`chat-mobile.spec.ts › history persists across reload`) is a REAL
product persistence race, not test fragility.
The push-mode A2A success path (`logA2ASuccess`) wrote the `a2a_receive`
activity_logs row — the ONLY durable record of a chat round-trip
(request_body = user message, response_body = agent reply, both read
back by chat-history hydration) — in a DETACHED goroutine via `goAsync`.
`ProxyA2A` flushes the HTTP 200 (carrying the reply) the moment
`proxyA2ARequest` returns, i.e. BEFORE that goroutine's INSERT commits.
The test's `page.reload()` then fires `GET /chat-history`, which reads
activity_logs and can miss the not-yet-committed row → "Mobile
persistence" absent → red. Outside the test the same window loses the
message on a reload / workspace-server restart / deploy / OOM between the
200 and the goroutine commit.
The poll-mode sibling path (`logA2AReceiveQueued` /
`persistUserMessageAtIngest`) was already made synchronous for exactly
this incident class (internal#470 / #1347 / RFC#2945). The push-mode
counterpart was left async — fixed here by writing the row inline
(context.WithoutCancel so a chat-exit disconnect can't abort it; still
best-effort so a DB hiccup never fails the user's send). The 200 is now
emitted only after the durable row exists.
Secondary determinism hardening:
- chat-mobile spec: after reload, deterministically wait for the
`GET /chat-history` 2xx that rehydrates the transcript before asserting
visibility, instead of racing a fixed 5s render timeout against an
in-flight fetch.
- e2e-chat.yml canvas readiness: probe the real `/?m=chat` route for a
2xx (Turbopack compiles routes lazily — a bare `curl /` 200s before the
page the tests load has compiled) and raise the cold-start budget
30s→120s to kill the `Canvas did not start in 30s` flake.
Verification: `go build`, `go vet`, full `internal/handlers` +
`internal/messagestore` test suites green (sqlmock, no DB needed);
Playwright spec compiles + lists; eslint clean. Browser E2E not run
locally (needs Postgres+Redis+platform+canvas servers).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
publish-workspace-server-image / Production auto-deploy intermittently
fails on main with:
::error::<slug> is stale: actual=<newerSHA>, expected=<thisSHA>
Root cause: the workflow deliberately has no `concurrency:` (Gitea
1.22.6 cancels queued runs even with cancel-in-progress:false, which is
unacceptable for a prod deploy). So when two main pushes land close
together (eb31bcf then 286338), BOTH deploy-production jobs run. The
newer job (286338 -> staging-2863380) rolls the fleet forward first;
then the OLDER job (eb31bcf) runs "Verify reachable tenants report this
SHA", sees tenants on 2863380, and fails on STRICT SHA EQUALITY — even
though the fleet is AHEAD, not behind. Git SHAs aren't ordered and
/buildinfo exposes only git_sha (no build time / monotonic number), so
the verify can't tell "ahead" from "behind" on its own.
Fix (option b — superseded-job detection): before the strict verify,
ask Gitea for the current head of the deploy branch (main). If it is no
longer this job's GITHUB_SHA, a newer commit has landed and this deploy
is superseded; the newest job's verify is authoritative. Log a notice
and exit success, skipping strict equality for the stale job.
Why this preserves real-stale detection:
- Only the SUPERSEDED (older) job skips strict verify. The LATEST deploy
job (head == its SHA) still runs strict equality, so a genuinely
behind/older tenant still fails loudly.
- Fail-safe: if the branch head can't be read (no token / API error) or
equals our SHA, superseded_by returns None -> strict verify runs. An
unreadable head never silently greens a deploy.
Why not the alternatives:
- (a) build-timestamp/monotonic compare: /buildinfo returns only
{git_sha} (router.go, buildinfo.go). Adding a build-time field needs a
workspace-server binary + Dockerfile change and a full fleet rebuild
before it can be relied on — heavy and slow to take effect.
- (c) concurrency: forbidden by the workflow header (Gitea cancels
queued prod deploys).
Verification:
- New unit tests for superseded_by / current_branch_head and the
fail-safe path; full suite 33 passed.
- Workflow yaml-lint clean (lint-workflow-yaml.py).
- CLI smoke test: eb31bcf-vs-2863380 -> exit 0 (skip, success);
latest job -> exit 10 (run strict verify); unreadable head -> exit 10.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Shellcheck (E2E scripts) (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
CI / Canvas Deploy Reminder (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
The two org-template repos were intentionally deleted; manifest.json still
referenced them so clone-manifest.sh 404'd → build-and-push failed → main red.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Root cause: the Create Workspace dialog built its provider→model dropdown
catalog with the LEGACY buildProviderCatalog(llmModels), whose inferVendor
heuristic slash-splits a platform model id like `moonshot/kimi-k2.6` into
vendor `moonshot`. There was therefore no `Platform` bucket and the create
payload sent `llm_provider: "moonshot"` for a platform-managed model.
ConfigTab was migrated to the registry-backed catalog
(buildProviderCatalogFromRegistry) in internal#718 P3; CreateWorkspaceDialog
was not. This mirrors that migration:
- Thread the registry fields (registry_backed / registry_providers /
registry_models) — already returned by GET /templates — through TemplateSpec.
- When the selected runtime's /templates row is registry_backed, build the
catalog from registry_providers/registry_models (each model carries its
DERIVED provider, e.g. moonshot/kimi-k2.6 → "platform"), feed the selector
the registry models, and pass the prebuilt catalog verbatim. Restores the
`Platform` bucket and makes the payload send `llm_provider: platform`.
- Non-registry runtimes / older backends keep the legacy buildProviderCatalog
fallback unchanged.
Tests: added a registry-backed claude-code fixture whose plain models[] is
UN-annotated (so the legacy path would mis-bucket to "moonshot"), asserting the
Platform bucket appears and selecting moonshot/kimi-k2.6 yields
llm_provider: platform; plus a MiniMax derived-provider/BYOK case. Verified the
3 new tests FAIL on the pre-fix code and PASS after. Full canvas suite: 3334
passed / 3 skipped. tsc: 0 new errors (223→223, all pre-existing test Mock
drift). eslint clean on touched files.
Fix C of the RFC#340 convergence (cosmetic/UX, client-only, no serving-path
risk). Fix A (workspace-server) is the boot fix.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A canvas-created claude-code workspace with model moonshot/kimi-k2.6 booted
NOT_CONFIGURED: the adapter slash-split the model id to provider="moonshot",
which is not in the providers registry. CP bakes `provider: platform` via
heredoc, but the cp#329 config-bundle fetch overwrites /configs/config.yaml
with the (previously providerless) bundle version, so molecule-runtime
config.py re-derived the wrong provider and the adapter raised ValueError.
Fix A: in ensureDefaultConfig, derive the provider via the SAME providers
manifest path the config-SAVE validators use (providerRegistry() +
Manifest.DeriveProvider, nil auth env) and stamp it into config.yaml at both
the top level and under runtime_config, mirroring CP's buildModelProviderYAML
shape. The derive uses the FULL un-normalized model id so the exact-id match
resolves moonshot/kimi-k2.6 -> platform before claude-code normalization
strips the slash prefix.
Fail-open: a derive miss (unregistered model, unknown runtime, registry
unavailable) omits the provider field entirely — preserving today's behavior;
provisioning never fails on a miss. The existing template providers: registry
block injection is unchanged.
Tests: assert provider=platform (top-level + runtime_config) for claude-code +
moonshot/kimi-k2.6, and assert no provider: key for an unregistered model.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
Stale :latest reverted a production tenant (molecule-adk-demo,
2026-06-03). This workflow builds + pushes molecule-ai/platform-tenant
as :staging-<sha> + :staging-latest on every main build, but never
re-points :latest. So :latest stayed pinned to the 2026-05-10 build
(3.5 weeks stale). A no-arg POST /cp/admin/tenants/:slug/redeploy whose
default tag fell through to "latest" then pulled that stale image and
reverted the tenant.
Add a "Promote :latest" step to the deploy-production job that re-points
:latest (prod + staging ECR) to the just-shipped staging-<sha> image.
DESIGN — promote point, NOT raw build: the step lives at the END of
deploy-production, after wait-ci (green main CI) + the canary-first
batched fleet rollout + /buildinfo SHA verification. So :latest only
advances to a SHA that is actually green and confirmed running across
the live fleet — :latest == "current prod image", never a raw build
that might later fail the gate. If PROD_AUTO_DEPLOY is disabled, :latest
is correctly NOT advanced (an unpromoted build must not become :latest).
:staging-latest remains the rolling raw-build pointer for staging/E2E.
Re-tag is digest-level (docker buildx imagetools create) — no rebuild;
:latest is byte-identical to :staging-<sha> for that commit.
Pairs with molecule-controlplane change that flips the no-arg redeploy
default from :latest to :staging-latest (defense-in-depth).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Catches the adk-demo Assistant boot failure class (2026-06-03):
workspace config model=moonshot/kimi-k2.6 (claude-code)
→ adapter derives provider=moonshot
→ ValueError: provider=moonshot not in providers registry
→ save was accepted, agent wedged at boot, CI never saw it
The drift gate (RFC#580) validates templates; the existing model-side
validator (validateRegisteredModelForRuntime, P4 PR-2) catches a
(runtime, model) the runtime doesn't own. Neither checked the
DERIVED provider's membership in providers.yaml — the gate the
adapter actually trips at boot.
Fix (issue #2172, fail-closed at config-SAVE):
* validateDerivedProviderInRegistry (this PR) — load the manifest,
call DeriveProvider(runtime, model, nil) to get the provider the
adapter will resolve, and assert the provider name is in the
providers list. Returns 422 DERIVED_PROVIDER_NOT_IN_REGISTRY with
the sorted list of valid providers (actionable, unlike the
boot-time ValueError). Federation contract mirrored from the
model-side check (langgraph/external/kimi/mock pass through).
* Wired into CreateWorkspace after the existing model-side check.
Both gates fail-closed for first-party runtimes and fail-open for
non-registry / federated runtimes — the same shape.
* TestRegistryConsistency_AllNativeModelsDeriveToKnownProvider —
the static regression gate the issue asks for ('a CI test fails
if any shipped demo/template config references an unregistered
provider'), generalized to the catalog: walk every (runtime,
model) in the native model sets and assert each one derives to
a provider in the providers list. By construction always true
today, but fires on any future drift between providers: and
runtimes: in providers.yaml (the exact class cp#455 / boot-e2e
targets at the runtime layer).
* TestValidateDerivedProviderInRegistry — table-driven pass/fail
coverage mirroring TestValidateRegisteredModelForRuntime, plus
the langgraph / external / empty-model fail-open cases.
Pairs with cp#455 boot-to-registration e2e (the deep runtime layer);
this is the fast static layer the issue asked for. Reverts cleanly
by deleting the new validator + the wire-up in workspace.go.
SOP: /sop-ack engineer-ack as fullstack-engineer
Tested: build drift pre-checked; test cases pin both happy path
and the federation contract.
The ${INTEGRATION_DB_URL%%@*} pattern strips only the host portion,
leaving the user:password prefix exposed in CI logs. Replace with a
static confirmation string.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
**Step A — Go-level fail-closed**
Extract a shared `requireIntegrationDBURL(t)` helper into
`integration_helper_test.go` (build-tag: integration). The helper:
- Returns $INTEGRATION_DB_URL when present
- Calls `t.Fatalf` when the URL is empty AND any CI marker is set
(`CI`, `GITHUB_ACTIONS`, or `GITEA_ACTIONS`), preventing a silent
skip-to-green in CI
- Calls `t.Skip` when the URL is empty AND no CI marker is set,
preserving the local-dev ergonomics
Update all three integration test files to use the shared helper:
- delegation_ledger_integration_test.go
- pending_uploads_integration_test.go
- workspace_create_name_integration_test.go
This closes the Go-level fail-open where a missing INTEGRATION_DB_URL
in CI would cause every integration test to skip and report PASS.
**Step C — Workflow bash preflight**
Add a `Preflight — INTEGRATION_DB_URL must be present` step in
`.gitea/workflows/handlers-postgres-integration.yml` immediately before
the `go test` invocation. If the postgres-start step failed to export
the variable, the preflight exits 1 with `::error::` so the job fails
loud before the test binary can even start.
**Step B — Workflow CoE mask**
ALREADY FIXED in current main: both `detect-changes` and `integration`
jobs have `continue-on-error: false` (lines 93 and 125). The context is
already listed in `audit-force-merge.yml` REQUIRED_CHECKS_JSON for
`main`.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replace the single-field _get_status_updated_at with a richer
_get_status_snapshot that captures status id, updated_at, and target_url.
Add _extract_run_id helper to parse the Actions run_id from the
status target_url (Gitea 1.22.6 lacks REST /actions/runs/* endpoints,
so the run_id embedded in target_url is the strongest available proxy
for distinct run_id).
_poll_fresh_statuses now considers a status fresh if ANY of the
following changed from the pre-review snapshot: updated_at, id, or
target_url. This catches both timestamp-only updates and new-run
indicators.
In the test body, collect pre-existing run_ids before submitting the
APPROVED review. After polling, assert that each required context's
fresh status either has no target_url/run_id (cannot verify) or points
to a run_id that did NOT exist before the review. This proves the
status was posted by a NEW workflow run triggered from the
pull_request_review event, not merely updated in-place by an earlier
run.
Findings 2 & 3 (APPROVED spelling, HTTPError body double-read) were
already fixed in commit 77573074.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Use RFC3339Nano + 200ms gaps in BeforeTS test to avoid second-
truncation and Go/Postgres clock skew.
- Pre-set attempts=5 on seeded A2A queue item so MarkQueueItemFailed
transitions to 'failed' on first call (attempts are normally
incremented by DequeueNext, which the test bypasses).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Set peer role on seeded workspace so peer_role is populated in
?include=peer_info response (handler omits empty peer fields).
- Use valid UUID instead of empty string for caller_id in
seedA2AQueueItem to satisfy UUID column constraint.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
TestIntegration_ActivityList_Basic panicked with a nil pointer
dereference at activity.go:512 because gin.CreateTestContext returns
a context with c.Request == nil, and List() calls c.Request.Context().
Add a dummy httptest.NewRequest to newTestGinContext() so every test
that uses the helper has a non-nil request.
Relates to #2151.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replaces t.Skip with t.Fatal in the integration helper so that a
missing INTEGRATION_DB_URL env var surfaces as a hard failure rather
than a silent skip. The skip pattern is a fail-open dark-wedge: CI
could misconfigure the env, every test skips, and the gate reports
GREEN while exercising zero code.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Changes NewActivityHandler and NewDelegationHandler to accept the
narrow events.EventEmitter interface instead of *events.Broadcaster.
This aligns with WorkspaceHandler (already interface-typed) and lets
integration tests substitute noOpEmitter{} without standing up Redis.
No production callers affected — *events.Broadcaster still satisfies
the interface via the existing compile-time assertion.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Scaffold file with integrationDB helper, seed fixtures, and 4 starter
real-Postgres tests:
- TestIntegration_ActivityList_Basic
- TestIntegration_DelegationList_Basic
- TestIntegration_A2AQueue_EnqueueAndDepth
- TestIntegration_A2AQueue_DequeueNext
TODO markers for the full CRUD matrix awaiting spec delivery.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
CR2 blocking finding: the test registered waitForHandlerAsyncBeforeDBCleanup
BEFORE setupTestDB/setupTestRedis, which meant LIFO cleanup executed:
1. Redis close
2. db.DB restore
3. asyncWG wait
This caused the async goroutine (which accesses DB + Redis) to potentially
run against cleaned-up resources.
Fix: move waitForHandlerAsyncBeforeDBCleanup AFTER setupTestDB/setupTestRedis
so LIFO order becomes:
1. asyncWG wait (drain goroutines)
2. db.DB restore
3. Redis close
Matches the pattern already used in TestGracefulPreRestart_Success,
_NotImplemented, and _ConnectionRefused.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ci-arm64-advisory / fast-checks (push) Compensated by status-reaper (push run was cancelled/superseded; Gitea 1.22.6 reports cancelled runs as failure statuses)
The arm64-pilot workflow was failing the 'Identify runner' step when a
runner with label 'arm64-darwin' was not actually arm64. Because the
step lacked continue-on-error, the job failed → posted failure status
→ triggered main-red watchdog.
Changes:
- Identify runner: add id + continue-on-error; emit GITHUB_OUTPUT flag
'arm64' so subsequent steps can conditional-skip gracefully.
- Checkout, Install, Run steps: gate on steps.identify.outputs.arm64.
- Install step: detect Darwin vs Linux and download the correct
shellcheck binary (darwin.aarch64 vs linux.aarch64). Previously
always downloaded the Linux binary, which won't run on macOS.
- Run step: verify shellcheck is actually executable (not just in
PATH) before attempting to lint.
Fixes#2146
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- test_gate_auto_fire_live.py: change review event from \"APPROVE\" to
\"APPROVED\" to match Gitea API contract.
- Add _get_status_updated_at() to capture pre-existing status timestamps
before review submission.
- Add _poll_fresh_statuses() that only accepts statuses whose updated_at
differs from the pre-existing record, proving the context was posted
AFTER the review rather than tolerating stale contexts.
- Remove misleading \"tolerate stale contexts\" comment.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1. DOC - runbooks/dev-sop.md:
- Documents the Gitea PR-head workflow-selection rule (workflows load
from PR head, not base).
- Describes the standard core-PR flow: auto-fire for fresh heads,
slash-refire fallback for stale heads.
- Provides quick-check curl command and rebase vs. slash-refire guidance.
2. LIVE-FIRE TEST - test_gate_auto_fire_live.py:
- Runtime verification that submitting an APPROVED review to a PR whose
head contains the current gate workflows causes Gitea Actions to queue
qa-review + security-review and POST the BP-required contexts.
- Fix: handle string trigger form in addition to list/dict.
3. STALE-HEAD DIAGNOSTIC - test_gate_stale_head_diagnostic.py:
- Local-checkout baseline + optional PR_NUMBER mode.
- Fix: avoid double exc.read() on HTTPError (always returned empty).
- Fix: handle string trigger form.
CR round-2 fixes:
- Reverted out-of-scope Go changes that accidentally reverted the #2162
platform-managed fail-closed guard.
- Restored regression tests and env-mocking that were removed from Go tests.
The lint-pre-flip-continue-on-error gate was grepping ``::error::`` in
raw run logs without distinguishing actual execution output from script
source displayed inside ``::group::Run`` blocks. Bash workflows that
defensively contain ``echo \"::error::...\"`` branches (e.g. Postgres
port-resolution failure handlers) caused false-positive "masked run"
verdicts even when those branches were never executed.
Fix: track ``::group::Run`` / ``::endgroup::`` state while scanning the
log, skipping lines inside script-source display blocks. Also add a
heuristic guard for ``echo "::error::"`` on the same line.
This unblocks the two real-infra workflow flips in this PR.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
#2167 was accidentally merged to the staging branch instead of main; the
belt (cp#477) + workspace-provision fail-closed (#2164) are already on main,
but this tenant-server boot assertion (assertManagedTenantHasLLMEnv) was not.
Cherry-picked from ffd1bb7f. Conflict in a2a_proxy_helpers.go (an unused
canvasUserMessage struct removal incidental to #2167) resolved by keeping
main's version — the suspenders fix is self-contained in cp_config.go + main.go.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Flips continue-on-error: true -> false on the two real-infra jobs:
- Handlers Postgres Integration
- E2E API Smoke Test
These contexts are already listed as required on branch protection,
but the mask made each job report success even when its steps failed,
so the required gate could never actually block a bad merge.
If CI surfaces broken underlying tests on this PR, root-fix them —
do NOT renew the mask.
Closes#2152
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Previously PatchAbilities applied broadcast_enabled and
talk_to_user_enabled with two separate UPDATE statements. If the first
succeeded and the second failed, the workspace was left in a partial/
ambiguous capability state.
When both fields are present in the PATCH body, apply them in a single
combined UPDATE so the mutation is all-or-nothing. Single-field updates
continue to use the original per-column statements.
Updates the existing BothFields test to expect one combined UPDATE, and
replaces the old BothFields_BroadcastFails test with
BothFields_UpdateError which validates the atomic path.
Fixes#2131
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds error logging for silently-discarded returns in:
- bundle/importer.go: broadcast on provision-failed
- channels/manager.go: broadcast on inbound/outbound messages
- channels/telegram.go: bot.Send callback ack and edit message
- handlers/approvals.go: broadcast on approval create/escalate/decide
Does not change control flow; purely observability.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
mc#1264: 7 tests fail under parallel CI execution with sqlmock
"was not expected" errors. Root cause is untracked goroutines
from RestartByID (sendRestartContext) that access db.DB after the
sqlmock is closed and db.DB is restored to the previous mock.
Fix: wrap the sendRestartContext goroutine in runRestartCycle with
h.goAsync so it is tracked by asyncWG. Tests that call
waitForHandlerAsyncBeforeDBCleanup will now wait for this goroutine
before restoring db.DB, preventing cross-test pollution.
Also fix TestGracefulPreRestart_* tests to call
waitForHandlerAsyncBeforeDBCleanup BEFORE setupTestDB, ensuring
LIFO order is: async wait → db.DB restore. Previously, async
cleanup was registered after setupTestDB, running before db.DB
restoration and leaving goroutines to hit the next test's mock.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Defensive hygiene for TestIntegration_BroadcastOrgRoot_NonRootSenderResolvesToRoot:
if a prior run crashed or was killed before t.Cleanup fired, stale rows
with the same itest-bcastroot-* prefix may remain in the shared integration
DB and collide on workspaces_parent_name_uniq. Delete them before inserting.
No production logic changed.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-02 03:33:40 +00:00
112 changed files with 11177 additions and 554 deletions
# Skip-if-absent (core#2225), mirroring the serving-e2e gate's
# skip-if-secret-unset contract: a MISSING CI secret is an operator
# CONFIG gap, not a code regression, so it must not paint this E2E
# red. When CP_STAGING_ADMIN_API_TOKEN is unset we emit a LOUD
# ::warning:: + ::notice:: and skip the real provision/test steps (the
# job still completes green). When the secret IS present we run the
# full suite exactly as before. Operators: set
# CP_STAGING_ADMIN_API_TOKEN as a repo/org Actions secret on
# molecule-core to actually exercise this E2E.
- name:Check admin token (skip-if-absent)
id:token_check
if:needs.detect-changes.outputs.canvas == 'true'
run:|
if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
echo "::error::MissingCP_STAGING_ADMIN_API_TOKEN"
exit 2
echo "::warning::CP_STAGING_ADMIN_API_TOKEN is not set on this runner — SKIPPING the staging canvas E2E (cannot auth to staging CP). This is an operator config gap, not a code failure; set the secret on molecule-core (repo or org Actions secrets) to run it. See core#2225."
if [ "$code" = "200" ] || [ "$code" = "204" ]; then
echo "[teardown] deleted $slug (HTTP $code)"
else
echo "::warning::reconciler teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/rec-cleanup.out 2>/dev/null)"
leaks+=("$slug")
fi
done
if [ ${#leaks[@]} -gt 0 ]; then
echo "::warning::reconciler teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
if [ "$code" = "200" ] || [ "$code" = "204" ]; then
echo "[teardown] deleted $slug (HTTP $code)"
else
echo "::warning::platform-boot teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within ~45 min. Body: $(head -c 300 /tmp/plat-cleanup.out 2>/dev/null)"
leaks+=("$slug")
fi
done
if [ ${#leaks[@]} -gt 0 ]; then
echo "::warning::platform-boot teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
echo "Reason: \`PROD_AUTO_DEPLOY_DISABLED=$PROD_AUTO_DEPLOY_DISABLED\`. The CI-green build is published as \`:staging-${GITHUB_SHA::7}\`; \`:latest\` was left unchanged."
} >> "$GITHUB_STEP_SUMMARY"
exit 0 ;;
esac
fi
if [ -z "${GITEA_TOKEN:-}" ]; then
echo "::error::AUTO_SYNC_TOKEN/PROD_AUTO_DEPLOY_CONTROL_TOKEN is required so the canvas promote can wait for green CI."
exit 1
fi
echo "enabled=true" >> "$GITHUB_OUTPUT"
- name:Wait for green main CI on this SHA
if:${{ steps.gate.outputs.enabled == 'true' }}
run:|
set -euo pipefail
# Same SSOT wait the platform deploy uses: blocks until the required
# push contexts (CI / all-required (push) + Secret scan) go green on
# THIS sha, and fails closed if any required context terminally fails.
if [ "$SUPERSEDED_EXIT" -eq 0 ] && [ -n "$NEWER_HEAD" ]; then
echo "superseded=true" >> "$GITHUB_OUTPUT"
echo "::notice::Superseded before rollout: main head is now ${NEWER_HEAD:0:7} (this job deploys ${GITHUB_SHA:0:7}). Skipping redeploy + :latest promote so an older job never rolls the fleet backward."
{
echo "## Production auto-deploy skipped — superseded before rollout"
echo ""
echo "This deploy job's SHA \`${GITHUB_SHA:0:7}\` is no longer the head of \`main\` (now \`${NEWER_HEAD:0:7}\`)."
echo "A newer deploy job owns the fleet; rolling it backward to this older build would revert tenants and \`:latest\`. No side effects performed."
if [ "$SUPERSEDED_EXIT" -eq 0 ] && [ -n "$NEWER_HEAD" ]; then
echo "::notice::Superseded deploy: main head is now ${NEWER_HEAD:0:7} (this job deployed ${GITHUB_SHA:0:7}). The fleet is at or ahead of this build; the newer deploy job's verify is authoritative. Skipping strict SHA verify."
> Applies to: all core-PR authors and reviewers on `molecule-core` and sibling
> repos using the `qa-review` + `security-review` branch-protection gates.
---
## 1. Gitea PR-head workflow-selection rule
**Rule:** For `pull_request_target` and `pull_request_review` events, Gitea
loads the workflow definition from the **PR's HEAD branch**, not from the
base (`main`) branch.
This is different from GitHub Actions, where `pull_request_target` always
loads workflows from the base branch. Gitea's behaviour means:
- A PR that was opened **before** the `pull_request_review` trigger was added
to `qa-review.yml` / `security-review.yml` will **NOT** auto-fire on review,
because its HEAD still contains the old workflow YAML (no trigger).
- A PR that was opened **after** the trigger was added (or that has been
rebased onto a commit containing the trigger) **WILL** auto-fire, because its
HEAD contains the new workflow YAML.
### Ops implication
| PR head contains `pull_request_review` trigger? | Behaviour on APPROVED review |
|---|---|
| **Yes** (cut from current main, or rebased) | Workflows auto-queue, evaluate, and POST the `(pull_request_target)` context automatically. No slash-command needed. |
| **No** (stale head, opened before #2157) | Nothing fires. Use `/qa-recheck` + `/security-recheck` slash-commands in a PR comment, OR rebase onto current main. |
---
## 2. Standard core-PR flow (post-#2157)
```
1. Author opens PR from a branch based on current main
→ qa-review + security-review workflows run on pull_request_target
→ status contexts post (initial eval, usually red until reviews land)
2. Reviewers submit real APPROVED reviews
→ If PR head has the trigger: workflows AUTO-FIRE on pull_request_review
→ Contexts flip green (or stay red if reviewer is not in team)
3. [Optional] If contexts did not flip (stale head, event lost, etc.):
→ Anyone can comment `/qa-recheck` or `/security-recheck`
→ sop-checklist.yml refires the evaluator (read-only, idempotent)
4. Both qa-review + security-review contexts are green
→ Plain Do:merge (no force-merge needed)
```
### Key point
The `/qa-recheck` and `/security-recheck` commands are a **backstop**, not the
primary path. PRs cut from current main should auto-fire without manual
intervention.
---
## 3. Diagnosing a stale head
If a PR has real team-member APPROVED reviews but the qa/security contexts
remain red and no workflow run appears on the PR's "Actions" tab for the
review event, the PR head is likely stale.
### Quick check
```bash
# From the PR page, look at the head commit SHA, then:
| **Rebase onto current main** | PR is genuinely stale (head lacks trigger OR head is far behind main) | Clean history, gets all recent fixes, but requires force-push and re-approval if the branch was protected |
| **`/qa-recheck` + `/security-recheck`** | PR head is recent but the review event was missed, or you want to avoid rebase churn | Quick, no force-push, but does NOT fix a missing trigger in the head |
**Do not** use slash-refire as a substitute for rebasing a stale head. If the
workflow YAML in the PR head does not contain `pull_request_review`, no amount
of rechecking will make auto-fire work.
---
## 5. Live-fire verification
The `test_gate_auto_fire_live.py` regression test exercises the full runtime
path: it submits an APPROVED review to a test PR and polls for the
`(pull_request_target)` status contexts. It is skipped when no API token is
available, and is intended to catch runtime non-fire that static structural
| python3 -c "import json,sys; d=json.load(sys.stdin); print(sum(1 for o in d.get('orgs', []) if o.get('slug')=='$SLUG' and o.get('status') != 'purged'))"\
2>/dev/null ||echo 1)
if["$leak_count"="0"];then
break
fi
sleep 5
elapsed=$((elapsed +5))
done
if["$leak_count" !="0"];then
echo"⚠️ LEAK: org $SLUG still present post-teardown after ${elapsed}s (count=$leak_count)" >&2
log " instance_id not surfaced by API after ${INSTANCE_ID_GRACE_SECS}s — using AWS workspace tag: $ORIGINAL_INSTANCE_ID"
break
fi
fi
log "$WS_ID online but instance_id not populated yet — waiting"
fi
# 'failed' is transient on cold boot (bootstrap-watcher deadline vs heartbeat
# recovery, cp#245). Keep polling; only the deadline hard-fails.
sleep 10
done
ok "Workspace online (instance_id=$ORIGINAL_INSTANCE_ID)"
# ─── 5. Kill the EC2 ────────────────────────────────────────────────────
# Terminate the EXACT instance the workspace reported. Prefer the captured
# instance_id (precise — kills only this workspace's box); fall back to the
# slug-tag describe if the API didn't surface an id (shouldn't happen — we
# only break out of the online-wait once instance_id is non-empty).
log "5/6 KILLING the workspace EC2 to simulate an out-of-band termination..."
if ! e2e_aws_creds_available;then
fail "AWS CLI/creds unavailable — cannot terminate the EC2 to exercise the reconciler. Set AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY (the CI workflow wires these)."
fi
AWS_REGION_RESOLVED=$(e2e_aws_region)
if[ -n "$ORIGINAL_INSTANCE_ID"];then
log " Terminating $ORIGINAL_INSTANCE_ID in $AWS_REGION_RESOLVED (aws ec2 terminate-instances)..."
ok "PRIMARY held — workspace left 'online' (now '$REC_STATUS') after EC2 termination"
break
fi
sleep 10
done
if["$LEFT_ONLINE" !="1"];then
fail "PRIMARY FAILED (core#2261 regression): workspace $WS_ID still reads status=online ${RECONCILE_OFFLINE_TIMEOUT_SECS}s after its EC2 ($KILLED_IDS) was terminated. The reconciler did NOT detect the dead instance — a terminated EC2 is masquerading as a healthy workspace."
# online again but instance_id either not surfaced yet or still the old
# (terminated) id — keep polling until the reprovision swaps it.
fi
sleep 15
done
if["$REPROV_OK"="1"];then
ok "SECONDARY held — auto-reprovisioned to online on NEW instance_id=$NEW_INSTANCE_ID (was $ORIGINAL_INSTANCE_ID)"
else
# Soft-miss — see FUTURE TIGHTENING note above. PRIMARY is the gate.
log "⚠️ SECONDARY not satisfied within ${REPROVISION_TIMEOUT_SECS}s (status=${REPROV_LAST_STATUS:-<empty>}, instance_id=${NEW_INSTANCE_ID:-<none>}, original=$ORIGINAL_INSTANCE_ID). NOT failing — the PRIMARY heal-detection assertion is the gate; reprovision is a slower, flakier cold path. Promote this to a hard fail once it's proven reliable."
fi
ok "Reconciler live E2E PASSED — PRIMARY heal-detection held (SECONDARY: $(["$REPROV_OK"="1"]&&echo"held"||echo"soft-miss, logged"))"
echo"❌ REQUIRE_LIVE: exited 0 but only ${TRANSITIONS_VERIFIED}/${EXPECTED_TRANSITIONS} awaiting_agent transitions were proven — refusing to report green." >&2
exit5
fi
case"$entry_rc" in
0|1|2|3|4);;
0|1|2|3|4|5);;
*)exit1;;
esac
}
@@ -248,6 +342,7 @@ GET_RESP=$(tenant_call GET "/workspaces/$WS_ID")
fail "Misconfigured: STALE_POLL_DEADLINE_SECS ($STALE_POLL_DEADLINE_SECS) must exceed STALE_WAIT_SECS ($STALE_WAIT_SECS) by at least one sweep interval"
fail "After ${STALE_WAIT_SECS}s with no heartbeat, expected status=awaiting_agent (sweep transition), got $STALE_STATUS — migration 046 likely not applied OR sweep not running"
fail "After ${STALE_POLL_DEADLINE_SECS}s with no heartbeat, status still '$STALE_STATUS' (expected awaiting_agent sweep transition) — migration 046 likely not applied OR sweep not running"
echo"[$(date +%H:%M:%S)] ❌ E2E_REQUIRE_LIVE=1 but the run did NOT prove a full live lifecycle — missing milestone(s):${missing}. Reached:${LIVE_MILESTONES:-<none>}. This is a false-green-on-skip guard: a run that validates no real provision→online→A2A cycle MUST NOT report green." >&2
exit5
fi
}
# Per-runtime model slug dispatch — see lib/model_slug.sh for the rationale.
# Extracted so unit tests (tests/e2e/test_model_slug.sh) can pin every branch
# without booting the full 11-step lifecycle.
@@ -197,7 +272,7 @@ cleanup_org() {
# case statement, and opens a false-positive priority-high
# "safety net broken" issue (#2159, 2026-04-27).
case"$entry_rc" in
0|1|2|3|4);;# contracted codes — let bash use entry_rc
0|1|2|3|4|5);;# contracted codes — let bash use entry_rc
*)exit1;;# anything else is a generic failure
esac
}
@@ -295,6 +370,7 @@ print('(no org row found for slug=$SLUG — DB drift?)')
esac
done
ok "Tenant provisioning complete"
live_milestone provisioned
# Derive tenant domain from CP hostname so the same harness works in
# both prod (api.moleculesai.app → moleculesai.app) and staging
@@ -351,6 +427,7 @@ while true; do
sleep 5
done
ok "Tenant reachable at $TENANT_URL"
live_milestone tenant_online
# Sanity-test path: once the tenant is provisioned, poisoning the
# tenant token proves the EXIT trap + leak assertion still fire.
# All empty → '{}' (workspace will fail at first turn with an
# expected, actionable auth error rather than masking the test).
SECRETS_JSON='{}'
if[ -n "${E2E_MINIMAX_API_KEY:-}"];then
# Platform-managed path (E2E_LLM_PATH=platform) — the moonshot/kimi
# NOT_CONFIGURED regression (RFC#340 Fix A #2187). Molecule owns billing via the
# CP LLM proxy, so the workspace needs NO tenant key: provision with empty
# secrets and let the workspace boot purely on (a) the proxy env the control
# plane injects + (b) the manifest-derived `provider: platform` Fix A stamps into
# the generated config.yaml. This is the path that booted NOT_CONFIGURED in prod
# precisely because the BYOK branches below never exercise it. We deliberately
# skip the key-injection branches so a stray E2E_*_API_KEY in the runner env
# cannot silently convert this into a BYOK run and mask the regression.
if["${E2E_LLM_PATH:-}"="platform"];then
log " LLM path: PLATFORM-MANAGED (no tenant key; proxy + Fix A provider stamp)"
SECRETS_JSON='{}'
elif[ -n "${E2E_MINIMAX_API_KEY:-}"];then
SECRETS_JSON=$(python3 -c "
import json, os
k= os.environ['E2E_MINIMAX_API_KEY']
@@ -558,6 +647,7 @@ fi
WS_TO_CHECK=("$PARENT_ID")
[ -n "$CHILD_ID"]&&WS_TO_CHECK+=("$CHILD_ID")
wait_workspaces_online_routable "7/11 Waiting for workspace(s) to reach status=online (up to $((WORKSPACE_ONLINE_TIMEOUT_SECS/60)) min — hermes cold boot)...""${WS_TO_CHECK[@]}"
live_milestone workspace_online
# ─── 7a. Real chat image upload/download round-trip ───────────────────
# This deliberately uses the production workflow: tenant admin/session auth
@@ -858,6 +948,24 @@ fi
ifecho"$AGENT_TEXT"| grep -qiE "exceeded your current quota|insufficient_quota";then
fail "A2A — PROVIDER QUOTA EXHAUSTED (NOT a platform regression). Operator action: top up MOLECULE_STAGING_OPENAI_API_KEY billing or rotate to a higher-quota org at Settings → Secrets and Variables → Actions. Tracked in #2578. Raw: $AGENT_TEXT"
fi
# Empty-completion class — the agent runtime reached the LLM and got a
# 2xx back, but the assistant turn carried NO text part (empty content,
# or tool_calls/reasoning-only with no surfaced text), so the runtime
# returns the literal "Error: message contained no text content." as its
# reply text. Steps 0-7 passing means the platform is healthy (CP up,
# break is the configured completion BACKEND returning an empty turn — a
# model/provider-side regression, NOT a workspace-server or harness bug,
# and NOT NOT_CONFIGURED (that fails earlier, at boot). Name it explicitly
# so the canary alert points at the model, not the platform: a generic
# "error-shaped response" misdirects triage to workspace-server. Observed
# 2026-06-03/04 across every staging canary on MODEL_SLUG=MiniMax-M2 (the
# canary default since #2710) — 100% on the parent's first cold turn,
# identical on main's scheduled synthetic E2E and on PRs (so it is an
# environmental backend regression, never PR-introduced).
ifecho"$AGENT_TEXT"| grep -qiF "message contained no text content";then
fail "A2A — EMPTY COMPLETION (backend regression, NOT a platform/workspace-server bug). The configured model (MODEL_SLUG=${MODEL_SLUG:-?}) returned a 2xx completion with no text part; the runtime surfaced 'message contained no text content.'. Operator action: check the staging LLM backend / proxy for the canary model (the claude-code default is minimax:MiniMax-M2.7 since #2263; was bare MiniMax-M2 #2710) — empty assistant turns, not an auth/quota/boot fault. Raw: $AGENT_TEXT"
fi
# Generic catch-all — falls through if none of the known regressions hit.
fail "Peers endpoint unhealthy (curl_rc=$PEERS_RC, http=$PEERS_CODE) — not a clean 2xx, so 'reachable' would be a false-green. Body: $(head -c 200"$PEERS_TMP" 2>/dev/null | sanitize_http_body)"
fi
ok "Peers endpoint reachable (HTTP $PEERS_CODE)"
ACTIVITY=$(tenant_call GET "/activity?workspace_id=$PARENT_ID&limit=5" 2>/dev/null ||echo'[]')
fail "Activity-log endpoint unhealthy (curl_rc=$ACTIVITY_RC, http=$ACTIVITY_CODE) — was previously swallowed by '|| echo []' and reported as 0 events (false-green). Body: $(head -c 200"$ACTIVITY_TMP" 2>/dev/null | sanitize_http_body)"
fi
ACTIVITY_COUNT=$(python3 -c "import json,sys
d=json.load(open(sys.argv[1]))
print(len(d if isinstance(d, list)else d.get('events', [])))" "$ACTIVITY_TMP" 2>/dev/null) \
|| fail "Activity-log returned HTTP $ACTIVITY_CODE but body was not parseable JSON (events array / {events:[...]}). Body: $(head -c 200"$ACTIVITY_TMP" 2>/dev/null | sanitize_http_body)"
if grep -q "$PARENT_ID""$CHILD_ACT_TMP" 2>/dev/null;then
CHILD_ACT_SEEN=1
break
fi
["$(date +%s)" -ge "$CHILD_ACT_DEADLINE"]&& break
sleep 5
done
if["$CHILD_ACT_SEEN"="1"];then
ok "Child activity log records parent as source"
else
log"Child activity log did not reference parent (pipeline may be async)"
fail"Child activity log never referenced parent $PARENT_ID within ${E2E_CHILD_ACTIVITY_TIMEOUT_SECS:-60}s (last http=$CHILD_ACT_LASTCODE) — delegation-provenance pipeline regression (parent not recorded as source). Previously soft-logged → false-green."
fi
fi
# ─── 11. Teardown runs via trap ────────────────────────────────────────
# Fail-closed-on-skip: before declaring PASS, assert (when CI demanded a live
# run) that every load-bearing lifecycle milestone actually fired. A run that
# reaches here without provision→online→A2A having truly happened exits 5
# instead of reporting green. Teardown still runs (EXIT trap) on that exit.
require_live_or_die
log "11/11 All checks passed. Teardown runs via EXIT trap."
t.Fatal("buildA2AMessageParts returned no parts for a non-empty task")
}
text:=parts[0]
if_,hasType:=text["type"];hasType{
t.Errorf("text part uses forbidden v0.2 key `type` %v — A2A v0.3 Parts discriminate on `kind`; `type` is dropped by the receiver's validator (#2251)",text)
}
kind,ok:=text["kind"].(string)
if!ok{
t.Fatalf("text part missing string `kind` discriminator; got %v",text)
}
ifkind!="text"{
t.Errorf("text part kind = %q, want \"text\"",kind)
}
iftext["text"]!="do the work"{
t.Errorf("text part text = %v, want \"do the work\"",text["text"])
}
}
// TestBuildA2AMessageParts_FilePartUsesKind guards the file-attachment
// Part the same way. The file path was already correct (it used `kind`),
// so this is a non-regression pin — it must STAY `kind` when the text
// path is fixed (a careless "make them consistent" edit could flip both
mock.ExpectQuery(`SELECT controller, controlled_by, expires_at FROM workspace_display_control_locks WHERE workspace_id = \$1 AND expires_at > now\(\)`).
log.Printf("ensureDefaultConfig: workspace %s reached provisioning with empty model — Create handler should have rejected this; rendering empty model: \"\" in config.yaml (workspace will boot not_configured)",workspaceID)
}
// Derive the provider from the providers manifest and stamp it into the
// generated config BEFORE claude-code model normalization strips the
// slash-prefix. DeriveProvider needs the FULL, un-normalized model id
// (e.g. "moonshot/kimi-k2.6") for the exact-id match that resolves the
// canvas claude-code case to provider=platform — normalizing to
// "kimi-k2.6" first would lose that match.
//
// Why this exists (RFC#340 Fix A): a canvas-created claude-code workspace
// with model "moonshot/kimi-k2.6" booted NOT_CONFIGURED — the adapter
// derived provider="moonshot" (slash-split of the model id) which is not
// in the providers registry. CP bakes `provider: platform` via heredoc,
// but the cp#329 config-bundle fetch overwrites /configs/config.yaml with
// THIS (previously providerless) bundle version, so molecule-runtime
// config.py re-derived the wrong provider. Stamping the manifest-derived
// provider here (mirroring CP's buildModelProviderYAML shape) makes the
// config the adapter reads carry the canonical provider.
//
// Reuses the SAME manifest path the config-SAVE validators use
// (providerRegistry() + Manifest.DeriveProvider; see
// model_registry_validation.go). On a derive MISS (unknown/unregistered
// model, or registry unavailable) provider is left empty and the field is
// omitted below — preserving today's behavior; never fail provisioning on
t.Fatalf("providers SSOT lists no platform models for runtime %q — the regression matrix would be empty; the SSOT shape changed (this test is the canary)",runtime)
}
// Headline sentinel: the exact id that booted NOT_CONFIGURED in prod MUST be
// in the enumerated set. If a refactor drops it from the platform arm, this
// test must still cover it explicitly — fail loud rather than silently
t.Fatalf("the headline incident model \"moonshot/kimi-k2.6\" is no longer in the claude-code platform SSOT set (%v) — regression coverage for the original bug would be lost",platformModels)
t.Fatalf("expected config.yaml in generated files for model %q",model)
}
varparsedstruct{
Modelstring`yaml:"model"`
Providerstring`yaml:"provider"`
RuntimeConfigstruct{
Modelstring`yaml:"model"`
Providerstring`yaml:"provider"`
}`yaml:"runtime_config"`
}
iferr:=yaml.Unmarshal(raw,&parsed);err!=nil{
t.Fatalf("generated YAML invalid for model %q: %v\n%s",model,err,raw)
}
// The load-bearing invariant: BOTH the top-level and the
// runtime_config provider must be exactly "platform". An empty or
// vendor-namespace ("moonshot") value here is the prod NOT_CONFIGURED
// boot — the adapter would slash-split the model id and look up an
// unregistered provider.
ifparsed.Provider!="platform"{
t.Errorf("model %q: top-level provider = %q, want \"platform\" (Fix A invariant — empty/vendor value is the NOT_CONFIGURED boot)\n%s",model,parsed.Provider,raw)
t.Fatalf("no platform models for %q in SSOT",runtime)
}
for_,model:=rangeplatformModels{
model:=model
t.Run(model,func(t*testing.T){
// nil availableAuthEnv mirrors deriveDefaultConfigProvider's call at
// config-generation time (no per-workspace auth context yet).
p,err:=m.DeriveProvider(runtime,model,nil)
iferr!=nil{
t.Fatalf("DeriveProvider(%q, %q): unexpected error %v — an SSOT-offered platform model MUST derive",runtime,model,err)
}
ifp.Name!="platform"{
t.Errorf("DeriveProvider(%q, %q).Name = %q, want \"platform\" (this is the exact slash-split-to-vendor regression that booted NOT_CONFIGURED)",runtime,model,p.Name)
}
})
}
}
// containsString is a tiny local membership helper. Kept here (not a shared
// test util) so this regression file is self-contained and can be read top to
// bottom without chasing helpers across the package.
// gpt-* is OpenAI — not in claude-code's native set.
// gpt-* is OpenAI — not in claude-code's native set (no openai arm;
// the platform-shared openai vendor is never wired into a BYOK runtime).
{"claude-code","gpt-5.5"},
// deepseek is a catalog provider but in NO runtime's native set.
{"claude-code","deepseek-v4-pro"},
// qwen-* is alibaba — a catalog provider NOT wired into claude-code
// (cp#529 wires alibaba only into hermes; claude-code's name-only BYOK
// arms are zai/deepseek/xiaomi-mimo). So it stays unregistered here.
// (NB: deepseek-* IS now routable on claude-code via the deepseek
// name-only arm — see the routability tests — so it is no longer a valid
// "unregistered" example; qwen replaces it.)
{"claude-code","qwen-max"},
// codex is OpenAI-only — a kimi id is unregistered for it.
{"codex","kimi-for-coding"},
// a slug no provider in the manifest matches at all.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
core-devops
core-devops
hongming
hongming-personal
claude-ceo-assistant
molecule-code-reviewer
cp-lead
core-be