Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 fullstack-engineer
|
8a981a472a | ||
|
fullstack-engineer
|
3d0d9b1818 | ||
|
fullstack-engineer
|
1c61db9042 |
@@ -218,31 +218,6 @@ def is_red(status: dict) -> tuple[bool, list[dict]]:
|
||||
|
||||
`failed_statuses` is the list of per-context entries whose own
|
||||
`state` is in the red set; useful for the issue body.
|
||||
|
||||
Cancel-cascade filter (mc#1564, 2026-05-19):
|
||||
Gitea maps BOTH `action_run.status=2 (Failure)` AND
|
||||
`action_run.status=3 (Cancelled)` to commit-status string
|
||||
`"failure"`. On a busy main with
|
||||
`concurrency: cancel-in-progress: true`, every merge burst
|
||||
cancels prior in-flight runs (status=3) — those bubble to the
|
||||
combined-status `failure` and inflate the watchdog's red%,
|
||||
generating phantom `[main-red]` issues (mc#1562/#1552/#1540/...).
|
||||
Canonical Gitea 1.22.6 enum per `models/actions/status.go` +
|
||||
`reference_gitea_action_status_enum_corrected_2026_05_19`:
|
||||
1=Success, 2=Failure, 3=Cancelled, 4=Skipped,
|
||||
5=Waiting, 6=Running, 7=Blocked
|
||||
We only want status=2 (real defects) to file. At the
|
||||
commit-status layer we don't have the integer enum directly
|
||||
(only the `failure` rollup string), so we use the description
|
||||
string Gitea writes when a run is cancelled — empirically
|
||||
`"Has been cancelled"` (verified 2026-05-19 via #1562 body).
|
||||
Real failures show `"Failing after Ns"` and are unaffected.
|
||||
This is option B from mc#1564 (description-string filter, no
|
||||
extra API call). Description-string stability is a soft contract
|
||||
with Gitea; if a future release renames it, the cancel-cascade
|
||||
entries will simply leak back through (visible-not-silent), and
|
||||
we'll either re-pin the string or upgrade to option A (resolve
|
||||
the underlying action_run.status integer via target_url).
|
||||
"""
|
||||
combined = status.get("state")
|
||||
statuses = status.get("statuses") or []
|
||||
@@ -258,30 +233,11 @@ def is_red(status: dict) -> tuple[bool, list[dict]]:
|
||||
def _entry_state(s: dict) -> str:
|
||||
return s.get("status") or s.get("state") or ""
|
||||
|
||||
def _is_cancel_cascade(s: dict) -> bool:
|
||||
"""status=3 entry per Gitea 1.22.6 description-string contract.
|
||||
Match exactly (after strip) — substring match would catch
|
||||
legitimate test names like "Has been cancelled by the user
|
||||
unexpectedly" in failure logs."""
|
||||
desc = (s.get("description") or "").strip()
|
||||
return desc == "Has been cancelled"
|
||||
|
||||
failed = [
|
||||
s for s in statuses
|
||||
if isinstance(s, dict)
|
||||
and _entry_state(s) in red_states
|
||||
and not _is_cancel_cascade(s)
|
||||
if isinstance(s, dict) and _entry_state(s) in red_states
|
||||
]
|
||||
# Combined state alone is no longer sufficient — combined=failure
|
||||
# may be 100% cancel-cascade. Drive `red` off the FILTERED list:
|
||||
# if every red-shaped per-entry was cancel-cascade, `failed` is
|
||||
# empty and we report green. Combined-failure with no per-entry
|
||||
# detail (empty `statuses[]`) still trips red — that's the
|
||||
# "CI emitter set combined-status directly" edge case from
|
||||
# render_body's fallback path; we keep filing on it so the
|
||||
# operator sees the breadcrumb.
|
||||
combined_red_no_detail = combined in red_states and not statuses
|
||||
return (bool(failed) or combined_red_no_detail, failed)
|
||||
return (combined in red_states or bool(failed), failed)
|
||||
|
||||
|
||||
# --------------------------------------------------------------------------
|
||||
|
||||
@@ -71,12 +71,6 @@ def build_plan(env: dict[str, str]) -> dict:
|
||||
"soak_seconds": _int_env(env, "PROD_AUTO_DEPLOY_SOAK_SECONDS", 60, minimum=0),
|
||||
"batch_size": _int_env(env, "PROD_AUTO_DEPLOY_BATCH_SIZE", 3),
|
||||
"dry_run": truthy_flag(env.get("PROD_AUTO_DEPLOY_DRY_RUN", "")),
|
||||
# confirm:true ack required by CP /cp/admin/tenants/redeploy-fleet
|
||||
# contract (cp#228 / task #308) for fleet-wide intent. Empty body
|
||||
# / {confirm:false} / {only_slugs:[]} → 400. This caller is the
|
||||
# production auto-deploy step that rolls every live tenant (canary
|
||||
# + fan-out), no slug scoping, so confirm:true is correct.
|
||||
"confirm": True,
|
||||
}
|
||||
if canary_slug:
|
||||
body["canary_slug"] = canary_slug
|
||||
|
||||
@@ -100,12 +100,11 @@ printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$CURL_AUTH_FILE"
|
||||
# (bash trap 'function' EXIT expands variables at trap-fire time, not def time).
|
||||
PR_JSON=$(mktemp)
|
||||
REVIEWS_JSON=$(mktemp)
|
||||
COMMENTS_JSON=$(mktemp)
|
||||
TEAM_PROBE_TMP=$(mktemp)
|
||||
NA_STATUSES_TMP="" # declared here so cleanup() always has the var
|
||||
|
||||
cleanup() {
|
||||
rm -f "$CURL_AUTH_FILE" "$PR_JSON" "$REVIEWS_JSON" "$COMMENTS_JSON" "$TEAM_PROBE_TMP" "${NA_STATUSES_TMP-}"
|
||||
rm -f "$CURL_AUTH_FILE" "$PR_JSON" "$REVIEWS_JSON" "$TEAM_PROBE_TMP" "${NA_STATUSES_TMP-}"
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
@@ -207,81 +206,7 @@ CANDIDATES=$(jq -r --arg author "$PR_AUTHOR" --arg head "$PR_HEAD_SHA" "$JQ_FILT
|
||||
debug "candidate non-author approvers: $(echo "$CANDIDATES" | tr '\n' ' ')"
|
||||
|
||||
if [ -z "$CANDIDATES" ]; then
|
||||
# --- Guardrail (internal#503): explain the most common false
|
||||
# "no candidates" red. Gitea's review event enum is EXACTLY
|
||||
# APPROVED/REQUEST_CHANGES/COMMENT/PENDING. A wrong value ("APPROVE",
|
||||
# lowercase, ...) is silently accepted (HTTP 200) and stored as
|
||||
# state=PENDING. A correctly-started draft review has an EMPTY body;
|
||||
# a NON-empty body + state==PENDING by a non-author == an intended
|
||||
# verdict mis-filed by a wrong event string. Surface it actionably.
|
||||
# This does NOT change the gate result (still fail-closed below) — it
|
||||
# only converts a mystery red into a named, self-fixing error.
|
||||
MISFILED_FILTER='.[]
|
||||
| select(.state == "PENDING")
|
||||
| select(.dismissed != true)
|
||||
| select(.user.login != $author)
|
||||
| select(((.body // "") | gsub("^\\s+|\\s+$";"") | length) > 0)
|
||||
| "\(.id)\t\(.user.login)"'
|
||||
MISFILED=$(jq -r --arg author "$PR_AUTHOR" "$MISFILED_FILTER" "$REVIEWS_JSON" 2>/dev/null || true)
|
||||
if [ -n "$MISFILED" ]; then
|
||||
echo "::error::${TEAM}-review: non-author review(s) were SUBMITTED but stored as PENDING — almost certainly the wrong Gitea review event string (internal#503)."
|
||||
echo "::error::Gitea accepts ONLY the exact enum APPROVED / REQUEST_CHANGES / COMMENT. 'APPROVE' or lowercase is silently (HTTP 200) filed as PENDING and is invisible to this gate."
|
||||
printf '%s\n' "$MISFILED" | while IFS="$(printf '\t')" read -r _rid _rl; do
|
||||
[ -n "${_rid:-}" ] && echo "::error:: review id=${_rid} by '${_rl}': RE-SUBMIT via POST ${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}/reviews with {\"event\":\"APPROVED\"} (correct enum) — do NOT edit the DB."
|
||||
done
|
||||
fi
|
||||
|
||||
# --- Fallback (internal#348): check issue comments for agent-approval ---
|
||||
# core-qa-agent and core-security-agent approve via issue comments, NOT
|
||||
# the reviews API. The reviews API returns zero entries for comment-only
|
||||
# approvals. This fallback reads PR issue comments and extracts logins that:
|
||||
# 1. Posted a comment matching the agent-prefix pattern for this gate:
|
||||
# qa → "[core-qa-agent] APPROVED"
|
||||
# security → "[core-security-agent] APPROVED"
|
||||
# OR posted a generic approval keyword (word-anchored, case-insensitive):
|
||||
# APPROVED / LGTM / ACCEPTED
|
||||
# 2. Are not the PR author
|
||||
# 3. The team-membership probe below is the authoritative filter.
|
||||
AGENT_PATTERN=""
|
||||
case "$TEAM" in
|
||||
qa) AGENT_PATTERN="\\[core-qa-agent\\]" ;;
|
||||
security) AGENT_PATTERN="\\[core-security-agent\\]" ;;
|
||||
esac
|
||||
HTTP_CODE=$(curl -sS -o "$COMMENTS_JSON" -w '%{http_code}' \
|
||||
-K "$CURL_AUTH_FILE" "${API}/repos/${OWNER}/${NAME}/issues/${PR_NUMBER}/comments")
|
||||
debug "GET /issues/${PR_NUMBER}/comments → HTTP ${HTTP_CODE}"
|
||||
if [ "$HTTP_CODE" = "200" ]; then
|
||||
# JQ expression: select non-author comments that match either the
|
||||
# agent-prefix pattern (case-insensitive) OR a generic approval keyword.
|
||||
JQ_APPROVALS='
|
||||
.[] |
|
||||
select(.user.login != $author) |
|
||||
. as $cmt |
|
||||
if ($agent_pattern | length) > 0 and ($cmt.body // "" | test($agent_pattern; "i")) then
|
||||
$cmt.user.login
|
||||
elif ($cmt.body // "" | test("\\b(APPROVED|LGTM|ACCEPTED)\\b"; "i")) then
|
||||
$cmt.user.login
|
||||
else
|
||||
empty
|
||||
end
|
||||
'
|
||||
CANDIDATES=$(jq -r \
|
||||
--arg author "$PR_AUTHOR" \
|
||||
--arg agent_pattern "$AGENT_PATTERN" \
|
||||
"$JQ_APPROVALS" \
|
||||
"$COMMENTS_JSON" 2>/dev/null | sort -u)
|
||||
debug "comment-based approval candidates: $(echo "$CANDIDATES" | tr '\n' ' ')"
|
||||
|
||||
if [ -n "$CANDIDATES" ]; then
|
||||
echo "::notice::${TEAM}-review: reviews API found no APPROVED reviews; found $(echo "$CANDIDATES" | wc -w | xargs) comment-based approval candidate(s) — verifying team membership..."
|
||||
fi
|
||||
else
|
||||
debug "could not fetch issue comments (HTTP ${HTTP_CODE})"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "${CANDIDATES:-}" ]; then
|
||||
echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (no candidates from reviews API or issue comments)"
|
||||
echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (no candidates yet)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
@@ -268,7 +268,6 @@ def compute_ack_state(
|
||||
items_by_slug: dict[str, dict[str, Any]],
|
||||
numeric_aliases: dict[int, str],
|
||||
team_membership_probe: "callable[[str, list[str]], list[str]]",
|
||||
high_risk: bool = False,
|
||||
) -> dict[str, dict[str, Any]]:
|
||||
"""Compute per-item ack state.
|
||||
|
||||
@@ -331,16 +330,11 @@ def compute_ack_state(
|
||||
for slug, candidates in pending_team_check.items():
|
||||
if not candidates:
|
||||
continue
|
||||
# Risk-class-aware required-teams resolution (RFC#450 Option C):
|
||||
# high-risk PRs use `required_teams_high_risk` (when set on the
|
||||
# item); default class uses `required_teams`. The probe closure
|
||||
# is built with the same high_risk flag so the two reads are
|
||||
# always consistent (both sites share `resolve_required_teams`).
|
||||
required = resolve_required_teams(items_by_slug[slug], high_risk)
|
||||
required = items_by_slug[slug]["required_teams"]
|
||||
approved = team_membership_probe(slug, candidates) # returns subset
|
||||
rejected_not_in_team[slug] = [u for u in candidates if u not in approved]
|
||||
ackers_per_slug[slug] = approved
|
||||
# Stash resolved teams for description rendering.
|
||||
# Stash required teams for description rendering.
|
||||
items_by_slug[slug]["_required_resolved"] = required
|
||||
|
||||
return {
|
||||
@@ -771,42 +765,6 @@ def get_tier_mode(pr: dict[str, Any], cfg: dict[str, Any]) -> str:
|
||||
return default_mode
|
||||
|
||||
|
||||
def is_high_risk(pr: dict[str, Any], cfg: dict[str, Any]) -> bool:
|
||||
"""Return True when the PR is high-risk per RFC#450 Option C.
|
||||
|
||||
A PR is high-risk when ANY of:
|
||||
- it carries the `tier:high` label (mechanically strictest tier), or
|
||||
- it carries any label listed in cfg.high_risk_labels.
|
||||
|
||||
High-risk PRs use `required_teams_high_risk` (when set on an item)
|
||||
instead of the default `required_teams`. Items without
|
||||
`required_teams_high_risk` are unaffected (the default applies).
|
||||
|
||||
Governance fix for internal#442 — closes the inconsistency between
|
||||
sop-tier-check (tier-aware) and sop-checklist (was tier-blind).
|
||||
"""
|
||||
label_set = {(l.get("name") or "") for l in (pr.get("labels") or [])}
|
||||
if "tier:high" in label_set:
|
||||
return True
|
||||
high_risk_labels = set(cfg.get("high_risk_labels") or [])
|
||||
return bool(label_set & high_risk_labels)
|
||||
|
||||
|
||||
def resolve_required_teams(item: dict[str, Any], high_risk: bool) -> list[str]:
|
||||
"""Pick the active required_teams list for an item.
|
||||
|
||||
When high_risk is True AND the item declares a non-empty
|
||||
`required_teams_high_risk`, return that. Else fall back to
|
||||
`required_teams`. Keeping this in one helper means the gate's
|
||||
decision shape stays single-sited even as items grow.
|
||||
"""
|
||||
if high_risk:
|
||||
elevated = item.get("required_teams_high_risk") or []
|
||||
if elevated:
|
||||
return list(elevated)
|
||||
return list(item.get("required_teams") or [])
|
||||
|
||||
|
||||
def main(argv: list[str] | None = None) -> int:
|
||||
p = argparse.ArgumentParser()
|
||||
p.add_argument("--owner", required=True)
|
||||
@@ -867,12 +825,6 @@ def main(argv: list[str] | None = None) -> int:
|
||||
|
||||
comments = client.get_issue_comments(args.owner, args.repo, args.pr)
|
||||
|
||||
# High-risk classification (RFC#450 Option C, governance fix for
|
||||
# internal#442). Computed ONCE per PR — used by both the probe
|
||||
# closure and compute_ack_state so the elevation decision is
|
||||
# single-sited.
|
||||
high_risk = is_high_risk(pr, cfg)
|
||||
|
||||
# Build team-membership probe closure that caches results per
|
||||
# (user, team-id) so a user acking multiple items only triggers
|
||||
# one membership lookup per team.
|
||||
@@ -880,7 +832,7 @@ def main(argv: list[str] | None = None) -> int:
|
||||
|
||||
def probe(slug: str, users: list[str]) -> list[str]:
|
||||
item = items_by_slug[slug]
|
||||
team_names: list[str] = resolve_required_teams(item, high_risk)
|
||||
team_names: list[str] = item["required_teams"]
|
||||
# Resolve names → ids. NOTE: orgs/{org}/teams/search may not be
|
||||
# available — fall back to the list endpoint.
|
||||
team_ids: list[int] = []
|
||||
@@ -925,9 +877,7 @@ def main(argv: list[str] | None = None) -> int:
|
||||
# may still find membership in another team.
|
||||
return approved
|
||||
|
||||
ack_state = compute_ack_state(
|
||||
comments, author, items_by_slug, numeric_aliases, probe, high_risk=high_risk
|
||||
)
|
||||
ack_state = compute_ack_state(comments, author, items_by_slug, numeric_aliases, probe)
|
||||
body_state = {it["slug"]: section_marker_present(body, it["pr_section_marker"]) for it in items}
|
||||
|
||||
state, description = render_status(items, ack_state, body_state)
|
||||
@@ -940,10 +890,7 @@ def main(argv: list[str] | None = None) -> int:
|
||||
description = f"[info tier:low] {description}"
|
||||
|
||||
# Diagnostics to job log.
|
||||
print(
|
||||
f"::notice::PR #{args.pr} author={author} head={head_sha[:7]} "
|
||||
f"mode={mode} risk_class={'high' if high_risk else 'default'}"
|
||||
)
|
||||
print(f"::notice::PR #{args.pr} author={author} head={head_sha[:7]} mode={mode}")
|
||||
for it in items:
|
||||
slug = it["slug"]
|
||||
ackers = ack_state[slug]["ackers"]
|
||||
|
||||
@@ -17,9 +17,6 @@ Scenarios:
|
||||
T8_team_not_member — team membership → 404 (not a member) → exit 1
|
||||
T9_team_403 — team membership → 403 (token not in team) → exit 1
|
||||
T14_non_default_base — open PR targeting staging → script exits 0 (no-op)
|
||||
T15_comments_agent_approval — reviews empty; comments have "[core-qa-agent] APPROVED" → exit 0
|
||||
T16_comments_generic_approval — reviews empty; comments have "APPROVED" by team member → exit 0
|
||||
T17_comments_no_approval — reviews empty; comments have no approval keywords → exit 1
|
||||
|
||||
Usage:
|
||||
FIXTURE_STATE_DIR=/tmp/x python3 _review_check_fixture.py 8080
|
||||
@@ -100,9 +97,7 @@ class Handler(http.server.BaseHTTPRequestHandler):
|
||||
# GET /repos/{owner}/{name}/pulls/{pr_number}/reviews
|
||||
m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/pulls/(\d+)/reviews$", path)
|
||||
if m:
|
||||
if sc in ("T4_reviews_empty", "T5_reviews_only_author",
|
||||
"T15_comments_agent_approval", "T16_comments_generic_approval",
|
||||
"T17_comments_no_approval"):
|
||||
if sc in ("T4_reviews_empty", "T5_reviews_only_author"):
|
||||
return self._json(200, [])
|
||||
if sc == "T6_reviews_dismissed":
|
||||
return self._json(200, [{
|
||||
@@ -121,28 +116,6 @@ class Handler(http.server.BaseHTTPRequestHandler):
|
||||
{"state": "APPROVED", "dismissed": False, "user": {"login": "core-devops"}, "commit_id": "abc1234"},
|
||||
])
|
||||
|
||||
# GET /repos/{owner}/{name}/issues/{pr_number}/comments
|
||||
m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/issues/(\d+)/comments$", path)
|
||||
if m:
|
||||
if sc == "T15_comments_agent_approval":
|
||||
return self._json(200, [
|
||||
{"user": {"login": "core-qa-agent"}, "body": "[core-qa-agent] APPROVED this PR. Good changes.", "id": 1},
|
||||
{"user": {"login": "alice"}, "body": "I authored this PR", "id": 2},
|
||||
{"user": {"login": "random-user"}, "body": "Looks okay to me", "id": 3},
|
||||
])
|
||||
if sc == "T16_comments_generic_approval":
|
||||
return self._json(200, [
|
||||
{"user": {"login": "core-qa-agent"}, "body": "APPROVED — all acceptance criteria met", "id": 1},
|
||||
{"user": {"login": "alice"}, "body": "-authored", "id": 2},
|
||||
])
|
||||
if sc == "T17_comments_no_approval":
|
||||
return self._json(200, [
|
||||
{"user": {"login": "alice"}, "body": "I authored this PR", "id": 1},
|
||||
{"user": {"login": "random-user"}, "body": "Looks okay to me", "id": 2},
|
||||
])
|
||||
# Default scenarios (T1–T9, T14): no comments
|
||||
return self._json(200, [])
|
||||
|
||||
# GET /teams/{team_id}/members/{username}
|
||||
m = re.match(r"^/api/v1/teams/(\d+)/members/([^/]+)$", path)
|
||||
if m:
|
||||
@@ -154,12 +127,6 @@ class Handler(http.server.BaseHTTPRequestHandler):
|
||||
# T7_team_member: member
|
||||
return self._empty(204)
|
||||
|
||||
# GET /repos/{owner}/{name}/statuses/{sha} — for N/A declaration check
|
||||
m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/statuses/([a-f0-9]+)$", path)
|
||||
if m:
|
||||
# All comment-based scenarios have no N/A declarations
|
||||
return self._json(200, [])
|
||||
|
||||
return self._json(404, {"path": path, "msg": "fixture: no route"})
|
||||
|
||||
def do_POST(self):
|
||||
|
||||
@@ -36,37 +36,9 @@ def test_build_plan_defaults_to_staging_sha_target_and_prod_cp():
|
||||
"soak_seconds": 60,
|
||||
"batch_size": 3,
|
||||
"dry_run": False,
|
||||
# cp#228 / task #308: fleet-wide intent must carry confirm:true.
|
||||
"confirm": True,
|
||||
}
|
||||
|
||||
|
||||
def test_build_plan_always_sets_confirm_true_for_fleet_intent():
|
||||
"""Regression guard: every plan body MUST carry confirm:true.
|
||||
|
||||
CP /cp/admin/tenants/redeploy-fleet (cp#228) returns 400 on empty
|
||||
body / {confirm:false} / {only_slugs:[]} to prevent accidental
|
||||
fleet-wide mutation. This caller is fleet-wide intent (canary +
|
||||
fan-out, no slug scoping), so the plan MUST carry confirm:true.
|
||||
Pairs with cp#228's TestRedeployFleet_EmptyBodyReturns400 +
|
||||
TestRedeployFleet_ConfirmTrueProceeds.
|
||||
"""
|
||||
plan = prod.build_plan({"GITHUB_SHA": "abcdef1234567890"})
|
||||
assert plan["body"]["confirm"] is True
|
||||
|
||||
# Operator-overridable knobs do NOT drop the ack.
|
||||
plan = prod.build_plan(
|
||||
{
|
||||
"GITHUB_SHA": "abcdef1234567890",
|
||||
"PROD_AUTO_DEPLOY_SOAK_SECONDS": "0",
|
||||
"PROD_AUTO_DEPLOY_BATCH_SIZE": "10",
|
||||
"PROD_AUTO_DEPLOY_DRY_RUN": "true",
|
||||
"PROD_AUTO_DEPLOY_CANARY_SLUG": "",
|
||||
}
|
||||
)
|
||||
assert plan["body"]["confirm"] is True
|
||||
|
||||
|
||||
def test_build_plan_rejects_non_prod_cp_without_explicit_override():
|
||||
try:
|
||||
prod.build_plan(
|
||||
|
||||
@@ -334,31 +334,6 @@ assert_contains "T12 jq: core-devops (non-author APPROVED) in candidates" "core-
|
||||
assert_eq "T12 jq: alice (author) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^alice$' || true)"
|
||||
assert_eq "T12 jq: carol (dismissed) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^carol$' || true)"
|
||||
|
||||
# T15 — comment-based approval via agent prefix pattern → exit 0
|
||||
echo
|
||||
echo "== T15 comment agent-prefix approval =="
|
||||
T15_OUT=$(run_review_check "T15_comments_agent_approval")
|
||||
T15_RC=$(cat "$FIX_STATE_DIR/last_rc")
|
||||
assert_eq "T15 exit code 0 (agent-comment approval + team member)" "0" "$T15_RC"
|
||||
assert_contains "T15 comment fallback notice" "comment-based approval" "$T15_OUT"
|
||||
assert_contains "T15 core-qa-agent APPROVED" "APPROVED by core-qa-agent" "$T15_OUT"
|
||||
|
||||
# T16 — comment-based approval via generic APPROVED keyword → exit 0
|
||||
echo
|
||||
echo "== T16 comment generic keyword approval =="
|
||||
T16_OUT=$(run_review_check "T16_comments_generic_approval")
|
||||
T16_RC=$(cat "$FIX_STATE_DIR/last_rc")
|
||||
assert_eq "T16 exit code 0 (generic-approval comment + team member)" "0" "$T16_RC"
|
||||
assert_contains "T16 comment fallback notice" "comment-based approval" "$T16_OUT"
|
||||
|
||||
# T17 — no approval keywords in comments → exit 1
|
||||
echo
|
||||
echo "== T17 comments with no approval keywords =="
|
||||
T17_OUT=$(run_review_check "T17_comments_no_approval")
|
||||
T17_RC=$(cat "$FIX_STATE_DIR/last_rc")
|
||||
assert_eq "T17 exit code 1 (no candidates from comments)" "1" "$T17_RC"
|
||||
assert_contains "T17 no candidates error" "no candidates from reviews API or issue comments" "$T17_OUT"
|
||||
|
||||
echo
|
||||
echo "------"
|
||||
echo "PASS=$PASS FAIL=$FAIL"
|
||||
|
||||
@@ -602,216 +602,4 @@ class TestComputeNaState(unittest.TestCase):
|
||||
self.assertEqual(len(na_directives), 1)
|
||||
self.assertEqual(na_directives[0][0], "sop-n/a")
|
||||
self.assertEqual(na_directives[0][1], "qa-review")
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# RFC#450 Option C — risk-classed two-eyes (governance fix for internal#442)
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
|
||||
class TestIsHighRisk(unittest.TestCase):
|
||||
"""The high-risk predicate decides which required_teams list applies.
|
||||
|
||||
Predicate: tier:high label OR any label in cfg.high_risk_labels.
|
||||
"""
|
||||
|
||||
def setUp(self):
|
||||
self.cfg = sop.load_config(CONFIG_PATH)
|
||||
|
||||
def test_no_labels_is_default_class(self):
|
||||
pr = {"labels": []}
|
||||
self.assertFalse(sop.is_high_risk(pr, self.cfg))
|
||||
|
||||
def test_tier_high_is_high_risk(self):
|
||||
pr = {"labels": [{"name": "tier:high"}]}
|
||||
self.assertTrue(sop.is_high_risk(pr, self.cfg))
|
||||
|
||||
def test_tier_low_is_default_class(self):
|
||||
pr = {"labels": [{"name": "tier:low"}]}
|
||||
self.assertFalse(sop.is_high_risk(pr, self.cfg))
|
||||
|
||||
def test_tier_medium_is_default_class(self):
|
||||
# tier:medium alone is NOT high-risk (Option C — medium routes
|
||||
# to the wider engineers OR-set).
|
||||
pr = {"labels": [{"name": "tier:medium"}]}
|
||||
self.assertFalse(sop.is_high_risk(pr, self.cfg))
|
||||
|
||||
def test_area_security_label_is_high_risk(self):
|
||||
pr = {"labels": [{"name": "tier:medium"}, {"name": "area:security"}]}
|
||||
self.assertTrue(sop.is_high_risk(pr, self.cfg))
|
||||
|
||||
def test_area_schema_label_is_high_risk(self):
|
||||
pr = {"labels": [{"name": "area:schema"}]}
|
||||
self.assertTrue(sop.is_high_risk(pr, self.cfg))
|
||||
|
||||
def test_area_identity_label_is_high_risk(self):
|
||||
pr = {"labels": [{"name": "area:identity"}]}
|
||||
self.assertTrue(sop.is_high_risk(pr, self.cfg))
|
||||
|
||||
def test_area_fleet_image_label_is_high_risk(self):
|
||||
pr = {"labels": [{"name": "area:fleet-image"}]}
|
||||
self.assertTrue(sop.is_high_risk(pr, self.cfg))
|
||||
|
||||
def test_area_gate_meta_label_is_high_risk(self):
|
||||
# Gate-meta = changes to sop-checklist/sop-tier-check itself.
|
||||
pr = {"labels": [{"name": "area:gate-meta"}]}
|
||||
self.assertTrue(sop.is_high_risk(pr, self.cfg))
|
||||
|
||||
def test_unknown_area_label_is_default_class(self):
|
||||
pr = {"labels": [{"name": "area:docs"}]}
|
||||
self.assertFalse(sop.is_high_risk(pr, self.cfg))
|
||||
|
||||
|
||||
class TestResolveRequiredTeams(unittest.TestCase):
|
||||
"""The team resolver picks the elevated list only for high-risk PRs
|
||||
AND only when the item declares one — items without an elevated
|
||||
list always use the default required_teams."""
|
||||
|
||||
def test_default_class_uses_default_teams(self):
|
||||
item = {"required_teams": ["engineers", "managers", "ceo"], "required_teams_high_risk": ["ceo"]}
|
||||
self.assertEqual(
|
||||
sop.resolve_required_teams(item, high_risk=False),
|
||||
["engineers", "managers", "ceo"],
|
||||
)
|
||||
|
||||
def test_high_risk_uses_elevated_teams(self):
|
||||
item = {"required_teams": ["engineers", "managers", "ceo"], "required_teams_high_risk": ["ceo"]}
|
||||
self.assertEqual(
|
||||
sop.resolve_required_teams(item, high_risk=True),
|
||||
["ceo"],
|
||||
)
|
||||
|
||||
def test_high_risk_without_elevated_falls_back_to_default(self):
|
||||
# Items that don't declare required_teams_high_risk (e.g.
|
||||
# comprehensive-testing, staging-smoke) are unaffected by risk-class.
|
||||
item = {"required_teams": ["engineers"]}
|
||||
self.assertEqual(
|
||||
sop.resolve_required_teams(item, high_risk=True),
|
||||
["engineers"],
|
||||
)
|
||||
|
||||
def test_empty_elevated_list_falls_back_to_default(self):
|
||||
# A defensive case: required_teams_high_risk: [] should not
|
||||
# silently lock out all approvers — fall back to the default
|
||||
# so the gate stays satisfiable. (Tightening should remove the
|
||||
# key, not set it to empty.)
|
||||
item = {"required_teams": ["engineers"], "required_teams_high_risk": []}
|
||||
self.assertEqual(
|
||||
sop.resolve_required_teams(item, high_risk=True),
|
||||
["engineers"],
|
||||
)
|
||||
|
||||
|
||||
class TestRootCauseAckEligibilityWidened(unittest.TestCase):
|
||||
"""Closes internal#442: a non-author engineers-team ack now satisfies
|
||||
root-cause / no-backwards-compat for the default class.
|
||||
|
||||
The dead-managers/ceo-persona-token gridlock is the symptom; the
|
||||
root cause is that sop-checklist ignored tier-class. These tests
|
||||
pin the new wider-default behavior so it can't regress silently.
|
||||
"""
|
||||
|
||||
def setUp(self):
|
||||
self.items = _items_by_slug()
|
||||
self.aliases = _numeric_aliases()
|
||||
|
||||
@staticmethod
|
||||
def _approve_only(allowed):
|
||||
return lambda slug, users: [u for u in users if u in allowed]
|
||||
|
||||
def test_engineers_ack_satisfies_root_cause_default_class(self):
|
||||
# Bob is in engineers only (not managers, not ceo). Default class.
|
||||
comments = [_comment("bob", "/sop-ack root-cause")]
|
||||
# Probe: bob is approved because root-cause now lists engineers.
|
||||
probe = self._approve_only({"bob"})
|
||||
state = sop.compute_ack_state(
|
||||
comments, "alice", self.items, self.aliases, probe, high_risk=False
|
||||
)
|
||||
self.assertEqual(state["root-cause"]["ackers"], ["bob"])
|
||||
|
||||
def test_engineers_ack_satisfies_no_backwards_compat_default_class(self):
|
||||
comments = [_comment("bob", "/sop-ack no-backwards-compat")]
|
||||
probe = self._approve_only({"bob"})
|
||||
state = sop.compute_ack_state(
|
||||
comments, "alice", self.items, self.aliases, probe, high_risk=False
|
||||
)
|
||||
self.assertEqual(state["no-backwards-compat"]["ackers"], ["bob"])
|
||||
|
||||
def test_engineers_ack_alone_fails_root_cause_when_high_risk(self):
|
||||
# High-risk PR: only ceo can ack. Engineers-only ack must fail.
|
||||
comments = [_comment("bob", "/sop-ack root-cause")]
|
||||
# Probe: bob is in engineers, not ceo. Under high_risk,
|
||||
# required_teams_high_risk=[ceo] → bob is NOT approved.
|
||||
# Probe receives the items + flag indirectly via main(); for
|
||||
# the unit-test path we inject a probe that rejects bob.
|
||||
probe = self._approve_only(set()) # nobody is in ceo
|
||||
state = sop.compute_ack_state(
|
||||
comments, "alice", self.items, self.aliases, probe, high_risk=True
|
||||
)
|
||||
self.assertEqual(state["root-cause"]["ackers"], [])
|
||||
self.assertIn("bob", state["root-cause"]["rejected"]["not_in_team"])
|
||||
|
||||
def test_ceo_ack_satisfies_root_cause_when_high_risk(self):
|
||||
# High-risk PR + ceo-team approver → passes (the senior path).
|
||||
comments = [_comment("hongming", "/sop-ack root-cause")]
|
||||
probe = self._approve_only({"hongming"})
|
||||
state = sop.compute_ack_state(
|
||||
comments, "alice", self.items, self.aliases, probe, high_risk=True
|
||||
)
|
||||
self.assertEqual(state["root-cause"]["ackers"], ["hongming"])
|
||||
|
||||
def test_self_ack_still_forbidden_even_with_widened_eligibility(self):
|
||||
# Author cannot self-ack — widening teams must NOT weaken
|
||||
# the non-author rule.
|
||||
comments = [_comment("alice", "/sop-ack root-cause")]
|
||||
probe = self._approve_only({"alice"})
|
||||
state = sop.compute_ack_state(
|
||||
comments, "alice", self.items, self.aliases, probe, high_risk=False
|
||||
)
|
||||
self.assertEqual(state["root-cause"]["ackers"], [])
|
||||
self.assertIn("alice", state["root-cause"]["rejected"]["self_ack"])
|
||||
|
||||
|
||||
class TestHighRiskClassUsesElevatedListInConfig(unittest.TestCase):
|
||||
"""End-to-end: the shipped config + RFC#450 predicate must keep
|
||||
root-cause / no-backwards-compat gated on ceo for high-risk PRs."""
|
||||
|
||||
def test_root_cause_high_risk_elevated_to_ceo_only(self):
|
||||
items = _items_by_slug()
|
||||
# tier:high alone makes the PR high-risk → root-cause needs ceo.
|
||||
self.assertEqual(
|
||||
sop.resolve_required_teams(items["root-cause"], high_risk=True),
|
||||
["ceo"],
|
||||
)
|
||||
# Default class accepts engineers/managers/ceo.
|
||||
self.assertEqual(
|
||||
sorted(sop.resolve_required_teams(items["root-cause"], high_risk=False)),
|
||||
sorted(["engineers", "managers", "ceo"]),
|
||||
)
|
||||
|
||||
def test_no_backwards_compat_high_risk_elevated_to_ceo_only(self):
|
||||
items = _items_by_slug()
|
||||
self.assertEqual(
|
||||
sop.resolve_required_teams(items["no-backwards-compat"], high_risk=True),
|
||||
["ceo"],
|
||||
)
|
||||
self.assertEqual(
|
||||
sorted(sop.resolve_required_teams(items["no-backwards-compat"], high_risk=False)),
|
||||
sorted(["engineers", "managers", "ceo"]),
|
||||
)
|
||||
|
||||
def test_other_items_unchanged_by_risk_class(self):
|
||||
# Items without required_teams_high_risk are unaffected.
|
||||
items = _items_by_slug()
|
||||
for slug in (
|
||||
"comprehensive-testing",
|
||||
"local-postgres-e2e",
|
||||
"staging-smoke",
|
||||
"five-axis-review",
|
||||
"memory-consulted",
|
||||
):
|
||||
self.assertEqual(
|
||||
sop.resolve_required_teams(items[slug], high_risk=False),
|
||||
sop.resolve_required_teams(items[slug], high_risk=True),
|
||||
f"item {slug} should not be affected by risk-class",
|
||||
)
|
||||
self.assertIn("no surface", na_directives[0][2])
|
||||
|
||||
@@ -50,34 +50,6 @@ tier_failure_mode:
|
||||
"tier:low": soft
|
||||
default_mode: hard # used when no tier:* label is present
|
||||
|
||||
# High-risk class (RFC#450 Option C, governance-fix for internal#442).
|
||||
#
|
||||
# A PR is "high-risk" when ANY of the listed labels are applied OR when
|
||||
# the PR has `tier:high` (mechanically the strictest existing tier).
|
||||
# High-risk items use `required_teams_high_risk` (when present on the
|
||||
# item); non-high-risk items use the default `required_teams`.
|
||||
#
|
||||
# This closes the inconsistency that the SOP charter already mandates
|
||||
# `tier:high → ceo only` for the sibling `sop-tier-check` gate; the
|
||||
# sop-checklist's `root-cause` and `no-backwards-compat` items now
|
||||
# follow the same risk-classed two-eyes shape:
|
||||
# - Default class (tier:low/medium, not high-risk): a non-author
|
||||
# engineers/managers/ceo ack satisfies the item — 25+ live
|
||||
# identities, no dependency on a dead/inactive senior persona
|
||||
# token.
|
||||
# - High-risk class (tier:high OR any high_risk_label): still
|
||||
# requires a non-author ceo ack (durable human team).
|
||||
#
|
||||
# Tightening: add labels to high_risk_labels.
|
||||
# Loosening: remove labels.
|
||||
high_risk_labels:
|
||||
- "risk:high"
|
||||
- "area:security"
|
||||
- "area:schema"
|
||||
- "area:fleet-image"
|
||||
- "area:identity"
|
||||
- "area:gate-meta"
|
||||
|
||||
items:
|
||||
- slug: comprehensive-testing
|
||||
numeric_alias: 1
|
||||
@@ -106,15 +78,11 @@ items:
|
||||
- slug: root-cause
|
||||
numeric_alias: 4
|
||||
pr_section_marker: "Root-cause not symptom"
|
||||
required_teams: [engineers, managers, ceo]
|
||||
required_teams_high_risk: [ceo]
|
||||
required_teams: [managers, ceo]
|
||||
description: >-
|
||||
One-sentence root-cause statement. Default class: non-author
|
||||
engineers/managers/ceo ack suffices (engineers can attest
|
||||
root-cause-vs-symptom for routine fixes). High-risk class
|
||||
(see `high_risk_labels`): non-author ceo ack required —
|
||||
senior judgment for irreversible/security/identity/gate
|
||||
changes. Closes internal#442 + tracks RFC#450.
|
||||
One-sentence root-cause statement. Ack from managers tier
|
||||
(team-leads) or ceo. Senior judgment required to attest
|
||||
root-cause-versus-symptom.
|
||||
|
||||
- slug: five-axis-review
|
||||
numeric_alias: 5
|
||||
@@ -127,14 +95,10 @@ items:
|
||||
- slug: no-backwards-compat
|
||||
numeric_alias: 6
|
||||
pr_section_marker: "No backwards-compat shim / dead code added"
|
||||
required_teams: [engineers, managers, ceo]
|
||||
required_teams_high_risk: [ceo]
|
||||
required_teams: [managers, ceo]
|
||||
description: >-
|
||||
Yes/no + justification if no. Default class: non-author
|
||||
engineers/managers/ceo ack suffices. High-risk class
|
||||
(see `high_risk_labels`): non-author ceo ack required —
|
||||
senior judgment for shim-versus-real-fix on irreversible
|
||||
surfaces. Closes internal#442 + tracks RFC#450.
|
||||
Yes/no + justification if no. Senior ack required because
|
||||
backward-compat shims are how dead-code accretes.
|
||||
|
||||
- slug: memory-consulted
|
||||
numeric_alias: 7
|
||||
|
||||
@@ -158,68 +158,8 @@ jobs:
|
||||
echo "NOTE: No warning in output (may be suppressed by log level)"
|
||||
fi
|
||||
|
||||
- name: Reproduce openclaw failure — pipe held OPEN, no EOF
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "=== keep-stdin-open pipe (the real openclaw / Claude Code case) ==="
|
||||
echo ""
|
||||
echo "Before the readline() fix this HANGS: main() did"
|
||||
echo " stdin.read(65536) -> on a pipe, blocks until 64KB OR EOF."
|
||||
echo "An MCP client sends one ~150B initialize and keeps stdin"
|
||||
echo "open waiting for the response, so the server never parsed"
|
||||
echo "the request and the client timed out (openclaw: 'MCP error"
|
||||
echo "-32000: Connection closed'). The earlier regular-file /"
|
||||
echo "heredoc-pipe steps PASSED through this bug because a file"
|
||||
echo "(or a closing heredoc) yields EOF immediately."
|
||||
echo ""
|
||||
|
||||
# Drive the server through a real pipe that stays OPEN: write
|
||||
# one initialize, do NOT close stdin, and require a response
|
||||
# within a hard timeout. read(65536) -> no output -> timeout
|
||||
# kills it -> FAIL. readline() -> immediate response -> PASS.
|
||||
python - <<'PYEOF'
|
||||
import json, subprocess, sys, time, select
|
||||
|
||||
proc = subprocess.Popen(
|
||||
[sys.executable, "a2a_mcp_server.py"],
|
||||
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
||||
stderr=subprocess.STDOUT,
|
||||
env={**__import__("os").environ},
|
||||
)
|
||||
req = json.dumps({
|
||||
"jsonrpc": "2.0", "id": 1, "method": "initialize",
|
||||
"params": {"protocolVersion": "2024-11-05",
|
||||
"capabilities": {},
|
||||
"clientInfo": {"name": "keepopen", "version": "1"}},
|
||||
}) + "\n"
|
||||
proc.stdin.write(req.encode())
|
||||
proc.stdin.flush()
|
||||
# Deliberately DO NOT close proc.stdin — mirror a live MCP client.
|
||||
|
||||
deadline = time.time() + 15
|
||||
line = b""
|
||||
while time.time() < deadline:
|
||||
r, _, _ = select.select([proc.stdout], [], [], 1)
|
||||
if r:
|
||||
line = proc.stdout.readline()
|
||||
if line:
|
||||
break
|
||||
proc.kill()
|
||||
|
||||
if not line:
|
||||
print("FAIL: no response within 15s on an open pipe — "
|
||||
"stdin.read(65536) regression is back")
|
||||
sys.exit(1)
|
||||
resp = json.loads(line.decode())
|
||||
assert resp.get("id") == 1 and "result" in resp, \
|
||||
f"unexpected response: {line[:200]!r}"
|
||||
assert resp["result"]["serverInfo"]["name"] == "molecule", \
|
||||
f"wrong serverInfo: {line[:200]!r}"
|
||||
print("PASS: server answered initialize on a still-open pipe")
|
||||
PYEOF
|
||||
|
||||
- name: Run unit tests for stdio transport
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "=== Running stdio transport unit tests ==="
|
||||
python -m pytest tests/test_a2a_mcp_server.py::TestStdioPipeAssertion tests/test_a2a_mcp_server.py::TestStdioKeepOpenPipe -v --no-cov
|
||||
python -m pytest tests/test_a2a_mcp_server.py::TestStdioPipeAssertion -v --no-cov
|
||||
|
||||
@@ -401,7 +401,7 @@ jobs:
|
||||
|
||||
canvas-deploy-reminder:
|
||||
name: Canvas Deploy Reminder
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
# mc#774 root-fix: added job-level `if:` so ci-required-drift.py's
|
||||
# ci_job_names() detects this as github.ref-gated and skips it from F1.
|
||||
# The step-level exit 0 handles the "not main push" case; the job-level
|
||||
@@ -538,13 +538,11 @@ jobs:
|
||||
all-required:
|
||||
# Aggregator sentinel — RFC internal#219 §2 (Phase 4 — closes internal#286).
|
||||
#
|
||||
# Emits `CI / all-required (<event>)` where <event> is the workflow trigger
|
||||
# (e.g. `CI / all-required (pull_request)`, `CI / all-required (push)`).
|
||||
# Branch protection MUST be updated to require the event-suffixed name —
|
||||
# requiring `CI / all-required` (bare, no suffix) silently blocks all merges
|
||||
# because Gitea treats absent status contexts as pending (not skipped), and
|
||||
# no workflow emits the bare name. Fixed: BP now requires
|
||||
# `CI / all-required (pull_request)` per issue #1473.
|
||||
# Single stable required-status name that branch protection points at;
|
||||
# CI churns underneath in `needs:` without any protection edits. Mirrors
|
||||
# the molecule-controlplane Phase 2a impl shipped in CP PR#112 and
|
||||
# referenced by `internal#286` ("Phase 4 is a single small PR... mirrors
|
||||
# CP's existing one").
|
||||
#
|
||||
# Closes the failure mode where status_check_contexts on molecule-core/main
|
||||
# only listed `Secret scan` + `sop-tier-check` (the 2 meta-gates), so real
|
||||
|
||||
@@ -108,20 +108,7 @@ env:
|
||||
|
||||
jobs:
|
||||
detect-changes:
|
||||
# mc#1529 follow-on: pin to `docker-host` so the e2e-api lane lands
|
||||
# on Linux operator-host runners (molecule-runner-*) that carry the
|
||||
# `molecule-core-net` bridge network + a working `aws ecr get-login-
|
||||
# password | docker login` path. The bare `ubuntu-latest` label is
|
||||
# also accepted by hongming-pc-runner-* (Windows act_runner v1.0.3),
|
||||
# where the docker.sock-bound steps below fail non-deterministically
|
||||
# (e.g. `docker run -d --name pg-e2e-api-...` with port-bind +
|
||||
# `docker exec ... pg_isready` cannot work against a Windows daemon).
|
||||
# detect-changes itself doesn't bind docker.sock, but pinning here too
|
||||
# keeps both jobs on the same lane so we don't re-roll the dice on
|
||||
# workspace-volume cross-host surprises and the routing rule is
|
||||
# discoverable in one place. Mirror of mc#1543 (handlers-postgres-
|
||||
# integration). See internal#512 for the class defect.
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
|
||||
# mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
|
||||
continue-on-error: true
|
||||
@@ -173,10 +160,7 @@ jobs:
|
||||
e2e-api:
|
||||
needs: detect-changes
|
||||
name: E2E API Smoke Test
|
||||
# mc#1529 follow-on: must run on operator-host Linux runners (where
|
||||
# docker.sock + `molecule-core-net` + `aws ecr ...` work). See
|
||||
# detect-changes for the full rationale.
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
|
||||
# mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
|
||||
continue-on-error: true
|
||||
@@ -381,9 +365,6 @@ jobs:
|
||||
- name: Run poll-mode chat upload E2E (RFC #2891)
|
||||
if: needs.detect-changes.outputs.api == 'true'
|
||||
run: bash tests/e2e/test_poll_mode_chat_upload_e2e.sh
|
||||
- name: Run today's-PR-coverage E2E (mc#1525/1535/1536/1539/1542 fix-specific assertions)
|
||||
if: needs.detect-changes.outputs.api == 'true'
|
||||
run: bash tests/e2e/test_today_pr_coverage_e2e.sh
|
||||
- name: Dump platform log on failure
|
||||
if: failure() && needs.detect-changes.outputs.api == 'true'
|
||||
run: cat workspace-server/platform.log || true
|
||||
|
||||
@@ -33,13 +33,7 @@ env:
|
||||
jobs:
|
||||
# bp-exempt: helper job; real gate is E2E Chat / E2E Chat (pull_request)
|
||||
detect-changes:
|
||||
# mc#1529 follow-on: pin to `docker-host` (Linux operator-host
|
||||
# runners). The bare `ubuntu-latest` label is also advertised by
|
||||
# hongming-pc-runner-* (Windows act_runner v1.0.3) where the
|
||||
# docker.sock-bound steps below fail. Mirror of mc#1543
|
||||
# (handlers-postgres-integration). See internal#512 for the class
|
||||
# defect.
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
|
||||
# mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
|
||||
continue-on-error: true
|
||||
@@ -77,9 +71,7 @@ jobs:
|
||||
e2e-chat:
|
||||
needs: detect-changes
|
||||
name: E2E Chat
|
||||
# mc#1529 follow-on: docker run/exec for postgres + redis containers.
|
||||
# Must land on operator-host Linux (docker-host).
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
|
||||
# mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
|
||||
continue-on-error: true
|
||||
|
||||
@@ -52,30 +52,6 @@ name: E2E Peer Visibility (literal MCP list_peers)
|
||||
# flip-to-required-ready (mirrors e2e-staging-saas.yml's proven shape;
|
||||
# real EC2-provisioning E2E is push/dispatch/cron only — it is 30+ min
|
||||
# and cannot run per-PR-update).
|
||||
#
|
||||
# LOCAL BACKEND (added 2026-05-15 — feedback_local_must_mimic_production,
|
||||
# feedback_mandatory_local_e2e_before_ship, feedback_local_test_before_
|
||||
# staging_e2e)
|
||||
# --------------------------------------------------------------------
|
||||
# The standing rule is that the local prod-mimic stack runs a MANDATORY
|
||||
# local-Postgres E2E BEFORE staging E2E. A staging-only peer-visibility
|
||||
# gate caught regressions late + expensively (cold EC2). The
|
||||
# `peer-visibility-local` job below runs the SAME byte-identical
|
||||
# assertion (tests/e2e/lib/peer_visibility_assert.sh) against the local
|
||||
# docker-compose stack — built + booted exactly like e2e-api.yml's
|
||||
# proven E2E API Smoke Test job (ephemeral pg/redis ports, go build,
|
||||
# background platform-server). It runs on PR + push (local boot is
|
||||
# minutes, not the 30+ min cold-EC2 path), so peer-visibility is part of
|
||||
# the local gate that fires before the staging E2E.
|
||||
#
|
||||
# It is its OWN non-required status context `E2E Peer Visibility (local)`
|
||||
# — same non-required-by-design decision as the staging job (red until
|
||||
# Hermes-401 #162 / OpenClaw-never-online #165 land; flip-to-required
|
||||
# tracked at molecule-core#1296). It is an HONEST gate: NO
|
||||
# continue-on-error mask (feedback_fix_root_not_symptom). It is kept a
|
||||
# distinct context (not folded into e2e-api.yml's required `E2E API
|
||||
# Smoke Test`) precisely so a deliberately-RED-today gate cannot wedge
|
||||
# the required local-E2E job or any unrelated merge.
|
||||
|
||||
on:
|
||||
push:
|
||||
@@ -89,8 +65,6 @@ on:
|
||||
- 'workspace/a2a_mcp_server.py'
|
||||
- 'workspace/platform_tools/registry.py'
|
||||
- 'tests/e2e/test_peer_visibility_mcp_staging.sh'
|
||||
- 'tests/e2e/test_peer_visibility_mcp_local.sh'
|
||||
- 'tests/e2e/lib/peer_visibility_assert.sh'
|
||||
- '.gitea/workflows/e2e-peer-visibility.yml'
|
||||
pull_request:
|
||||
branches: [main]
|
||||
@@ -103,8 +77,6 @@ on:
|
||||
- 'workspace/a2a_mcp_server.py'
|
||||
- 'workspace/platform_tools/registry.py'
|
||||
- 'tests/e2e/test_peer_visibility_mcp_staging.sh'
|
||||
- 'tests/e2e/test_peer_visibility_mcp_local.sh'
|
||||
- 'tests/e2e/lib/peer_visibility_assert.sh'
|
||||
- '.gitea/workflows/e2e-peer-visibility.yml'
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
@@ -136,160 +108,16 @@ jobs:
|
||||
timeout-minutes: 5
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- name: Validate driving scripts + shared assertion lib
|
||||
- name: Validate driving script
|
||||
run: |
|
||||
bash -n tests/e2e/lib/peer_visibility_assert.sh
|
||||
echo "lib/peer_visibility_assert.sh — bash syntax OK"
|
||||
bash -n tests/e2e/test_peer_visibility_mcp_staging.sh
|
||||
echo "test_peer_visibility_mcp_staging.sh — bash syntax OK"
|
||||
bash -n tests/e2e/test_peer_visibility_mcp_local.sh
|
||||
echo "test_peer_visibility_mcp_local.sh — bash syntax OK"
|
||||
echo "Staging fresh-provision MCP list_peers E2E runs on push to"
|
||||
echo "Real fresh-provision MCP list_peers E2E runs on push to"
|
||||
echo "main / workflow_dispatch / daily cron (30+ min EC2 boot)."
|
||||
echo "The LOCAL backend runs in the peer-visibility-local job"
|
||||
echo "below on this same PR (local docker-compose stack)."
|
||||
|
||||
# LOCAL gate: same byte-identical assertion against the local prod-mimic
|
||||
# docker-compose stack — the MANDATORY local-E2E that must run BEFORE
|
||||
# the staging E2E (feedback_mandatory_local_e2e_before_ship,
|
||||
# feedback_local_test_before_staging_e2e). Bootstrap mirrors
|
||||
# e2e-api.yml's proven E2E API Smoke Test job (per-run container names +
|
||||
# ephemeral host ports so concurrent host-network act_runner runs don't
|
||||
# collide; go build; background platform-server). Its OWN non-required
|
||||
# status context `E2E Peer Visibility (local)` — non-required-by-design
|
||||
# exactly like the staging job (red until #162/#165 land;
|
||||
# flip-to-required tracked at molecule-core#1296). HONEST gate, NO
|
||||
# continue-on-error mask (feedback_fix_root_not_symptom). Runs on PR +
|
||||
# push (local boot is minutes, not the 30+ min cold-EC2 path).
|
||||
# bp-required: pending #1296
|
||||
peer-visibility-local:
|
||||
name: E2E Peer Visibility (local)
|
||||
runs-on: docker-host
|
||||
timeout-minutes: 30
|
||||
env:
|
||||
# Per-run names + ephemeral ports — same collision-avoidance as
|
||||
# e2e-api.yml (host-network act_runner; feedback_act_runner_*).
|
||||
PG_CONTAINER: pg-e2e-pv-${{ github.run_id }}-${{ github.run_attempt }}
|
||||
REDIS_CONTAINER: redis-e2e-pv-${{ github.run_id }}-${{ github.run_attempt }}
|
||||
# LLM keys so hermes/openclaw can actually boot. The local script
|
||||
# SKIPs (not fails) any runtime whose key is absent, so a partially
|
||||
# keyed CI env still exercises whatever it can.
|
||||
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.E2E_CLAUDE_CODE_OAUTH_TOKEN }}
|
||||
E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
|
||||
E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
|
||||
E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_API_KEY }}
|
||||
PV_RUNTIMES: "hermes openclaw claude-code"
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
|
||||
with:
|
||||
go-version: 'stable'
|
||||
cache: true
|
||||
cache-dependency-path: workspace-server/go.sum
|
||||
- name: Pre-pull alpine + ensure provisioner network
|
||||
run: |
|
||||
docker pull alpine:latest >/dev/null
|
||||
docker network create molecule-core-net >/dev/null 2>&1 || true
|
||||
echo "alpine:latest pre-pulled; molecule-core-net ensured."
|
||||
- name: Start Postgres (docker, ephemeral port)
|
||||
run: |
|
||||
docker rm -f "$PG_CONTAINER" 2>/dev/null || true
|
||||
docker run -d --name "$PG_CONTAINER" \
|
||||
-e POSTGRES_USER=dev -e POSTGRES_PASSWORD=dev -e POSTGRES_DB=molecule \
|
||||
-p 0:5432 postgres:16 >/dev/null
|
||||
PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
|
||||
[ -n "$PG_PORT" ] || PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | head -1 | awk -F: '{print $NF}')
|
||||
if [ -z "$PG_PORT" ]; then
|
||||
echo "::error::Could not resolve host port for $PG_CONTAINER"
|
||||
docker logs "$PG_CONTAINER" || true; exit 1
|
||||
fi
|
||||
echo "DATABASE_URL=postgres://dev:dev@127.0.0.1:${PG_PORT}/molecule?sslmode=disable" >> "$GITHUB_ENV"
|
||||
for i in $(seq 1 30); do
|
||||
docker exec "$PG_CONTAINER" pg_isready -U dev >/dev/null 2>&1 && { echo "Postgres ready after ${i}s"; exit 0; }
|
||||
sleep 1
|
||||
done
|
||||
echo "::error::Postgres did not become ready in 30s"; docker logs "$PG_CONTAINER" || true; exit 1
|
||||
- name: Start Redis (docker, ephemeral port)
|
||||
run: |
|
||||
docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
|
||||
docker run -d --name "$REDIS_CONTAINER" -p 0:6379 redis:7 >/dev/null
|
||||
REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
|
||||
[ -n "$REDIS_PORT" ] || REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | head -1 | awk -F: '{print $NF}')
|
||||
if [ -z "$REDIS_PORT" ]; then
|
||||
echo "::error::Could not resolve host port for $REDIS_CONTAINER"
|
||||
docker logs "$REDIS_CONTAINER" || true; exit 1
|
||||
fi
|
||||
echo "REDIS_URL=redis://127.0.0.1:${REDIS_PORT}" >> "$GITHUB_ENV"
|
||||
for i in $(seq 1 15); do
|
||||
docker exec "$REDIS_CONTAINER" redis-cli ping 2>/dev/null | grep -q PONG && { echo "Redis ready after ${i}s"; exit 0; }
|
||||
sleep 1
|
||||
done
|
||||
echo "::error::Redis did not become ready in 15s"; docker logs "$REDIS_CONTAINER" || true; exit 1
|
||||
- name: Build platform
|
||||
working-directory: workspace-server
|
||||
run: go build -o platform-server ./cmd/server
|
||||
- name: Pick platform port
|
||||
run: |
|
||||
PLATFORM_PORT=$(python3 - <<'PY'
|
||||
import socket
|
||||
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
|
||||
s.bind(("127.0.0.1", 0))
|
||||
print(s.getsockname()[1])
|
||||
PY
|
||||
)
|
||||
echo "PORT=${PLATFORM_PORT}" >> "$GITHUB_ENV"
|
||||
echo "BASE=http://127.0.0.1:${PLATFORM_PORT}" >> "$GITHUB_ENV"
|
||||
echo "Platform host port: ${PLATFORM_PORT}"
|
||||
- name: Kill stale platform-server before start
|
||||
run: |
|
||||
killed=0
|
||||
for pid in $(grep -l "platform-serve" /proc/[0-9]*/comm 2>/dev/null); do
|
||||
kpid="${pid%/comm}"; kpid="${kpid##*/}"
|
||||
cmdline=$(cat "/proc/${kpid}/cmdline" 2>/dev/null | tr '\0' ' ')
|
||||
if echo "$cmdline" | grep -q "platform-server"; then
|
||||
echo "Killing stale platform-server pid ${kpid}"
|
||||
kill "$kpid" 2>/dev/null || true; killed=$((killed + 1))
|
||||
fi
|
||||
done
|
||||
[ "$killed" -gt 0 ] && sleep 2 || true
|
||||
echo "stale-kill done ($killed killed)"
|
||||
- name: Start platform (background)
|
||||
working-directory: workspace-server
|
||||
run: |
|
||||
./platform-server > platform.log 2>&1 &
|
||||
echo $! > platform.pid
|
||||
- name: Wait for /health
|
||||
run: |
|
||||
for i in $(seq 1 30); do
|
||||
curl -sf "$BASE/health" > /dev/null && { echo "Platform up after ${i}s"; exit 0; }
|
||||
sleep 1
|
||||
done
|
||||
echo "::error::Platform did not become healthy in 30s"
|
||||
cat workspace-server/platform.log || true; exit 1
|
||||
- name: Run LOCAL fresh-provision peer-visibility E2E (literal MCP list_peers)
|
||||
# HONEST gate — NO continue-on-error. Red today (Hermes-401 #162 /
|
||||
# OpenClaw-never-online #165 not yet fixed); green when they land.
|
||||
# Non-required-by-design via its distinct status context until the
|
||||
# molecule-core#1296 flip-to-required.
|
||||
run: bash tests/e2e/test_peer_visibility_mcp_local.sh
|
||||
- name: Dump platform log on failure
|
||||
if: failure()
|
||||
run: cat workspace-server/platform.log || true
|
||||
- name: Stop platform
|
||||
if: always()
|
||||
run: |
|
||||
if [ -f workspace-server/platform.pid ]; then
|
||||
kill "$(cat workspace-server/platform.pid)" 2>/dev/null || true
|
||||
fi
|
||||
- name: Stop service containers
|
||||
if: always()
|
||||
run: |
|
||||
docker rm -f "$PG_CONTAINER" 2>/dev/null || true
|
||||
docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
|
||||
|
||||
# Real STAGING gate: provisions a throwaway org + sibling-per-runtime,
|
||||
# drives the LITERAL list_peers MCP call per runtime, asserts 200 +
|
||||
# expected peer set, then scoped teardown. push(main)/dispatch/cron only.
|
||||
# Real gate: provisions a throwaway org + sibling-per-runtime, drives
|
||||
# the LITERAL list_peers MCP call per runtime, asserts 200 + expected
|
||||
# peer set, then scoped teardown. push(main)/dispatch/cron only.
|
||||
peer-visibility:
|
||||
name: E2E Peer Visibility
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
@@ -52,9 +52,5 @@ jobs:
|
||||
# explicitly instead of the combined state avoids false-pause when
|
||||
# non-blocking jobs (continue-on-error: true) have failed — those
|
||||
# failures pollute combined state but do not gate merges.
|
||||
# NOTE: the event-suffixed context name is intentional — branch protection
|
||||
# MUST require `CI / all-required (pull_request)` (with suffix), NOT the
|
||||
# bare `CI / all-required`. Gitea treats absent contexts as pending, not
|
||||
# skipped; requiring the bare name silently blocks all merges (issue #1473).
|
||||
PUSH_REQUIRED_CONTEXTS: CI / all-required (push)
|
||||
run: python3 .gitea/scripts/gitea-merge-queue.py
|
||||
|
||||
@@ -77,16 +77,7 @@ env:
|
||||
jobs:
|
||||
detect-changes:
|
||||
name: detect-changes
|
||||
# mc#1529 §1: pin to `docker-host` so the integration job runs on the
|
||||
# operator-host runners (molecule-runner-*), which carry the
|
||||
# `molecule-core-net` bridge network this workflow depends on. PC2
|
||||
# runners (hongming-pc-runner-*) also advertise ubuntu-latest but
|
||||
# don't have that network — the previous `runs-on: ubuntu-latest`
|
||||
# rolled the dice and hard-failed the bridge-inspect step ~30% of
|
||||
# the time. detect-changes itself doesn't need the bridge, but keeping
|
||||
# both jobs on the same label avoids workspace-volume cross-host
|
||||
# surprises and keeps the routing rule discoverable in one place.
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
# mc#774 Phase 3 (RFC §1): surface broken workflows without blocking.
|
||||
# mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
|
||||
continue-on-error: true
|
||||
@@ -138,9 +129,7 @@ jobs:
|
||||
integration:
|
||||
name: Handlers Postgres Integration
|
||||
needs: detect-changes
|
||||
# mc#1529 §1: must run on operator-host (where `molecule-core-net`
|
||||
# exists). See detect-changes for the full routing rationale.
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
# mc#774 Phase 3 (RFC §1): surface broken workflows without blocking.
|
||||
# mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
|
||||
continue-on-error: true
|
||||
|
||||
@@ -62,13 +62,7 @@ env:
|
||||
jobs:
|
||||
# bp-exempt: change detector only; downstream Harness Replays is the meaningful gate.
|
||||
detect-changes:
|
||||
# mc#1529 follow-on: pin to `docker-host` so this lane lands on
|
||||
# Linux operator-host runners (the only ones with a working
|
||||
# docker.sock + `molecule-core-net`). The bare `ubuntu-latest`
|
||||
# label is also matched by hongming-pc-runner-* (Windows act_runner
|
||||
# v1.0.3), where the `docker compose ...` exec below fails. Mirror
|
||||
# of mc#1543; see internal#512 for class defect.
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
|
||||
# mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
|
||||
continue-on-error: true
|
||||
@@ -168,9 +162,7 @@ jobs:
|
||||
harness-replays:
|
||||
needs: detect-changes
|
||||
name: Harness Replays
|
||||
# mc#1529 follow-on: `docker compose ... ps/logs` against tenant-alpha/
|
||||
# beta containers. Must run on operator-host Linux (docker-host).
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
|
||||
# mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
|
||||
continue-on-error: true
|
||||
|
||||
@@ -1,168 +0,0 @@
|
||||
name: Lint forbidden tenant-env keys
|
||||
|
||||
# RFC#523 Layer 3 (task #146): scan workspace_secrets-writer Go code
|
||||
# under workspace-server/ for new code that hardcodes a forbidden
|
||||
# operator-scope env var NAME (GITEA_TOKEN, CP_ADMIN_API_TOKEN,
|
||||
# RAILWAY_TOKEN, INFISICAL_OPERATOR_TOKEN, MOLECULE_OPERATOR_*, …).
|
||||
#
|
||||
# Catches the class "a new writer accidentally widens the propagation
|
||||
# set" — e.g. a future env-mutator plugin that sets envVars["GITEA_TOKEN"]
|
||||
# directly. Today the L1 runtime guard would abort the provision, but
|
||||
# this lint surfaces the offending code at PR review time instead of
|
||||
# at first provision attempt.
|
||||
#
|
||||
# Companion layers:
|
||||
# - L1: workspace-server/internal/handlers/workspace_provision_forbidden_env.go
|
||||
# (fail-closed abort at provision time)
|
||||
# - L2: workspace/entrypoint.sh top-of-file env-grep + exit 1
|
||||
#
|
||||
# Open-source-template-friendly: the deny pattern is generic. A fork
|
||||
# can copy this workflow and replace OPERATOR_KEY_PATTERN with its
|
||||
# own operator-scope key names.
|
||||
#
|
||||
# Path-filter discipline:
|
||||
# This workflow runs on every PR (no paths: filter — see
|
||||
# feedback_path_filtered_workflow_cant_be_required). The scan itself
|
||||
# targets workspace_secrets-writer paths via grep -r; it's fast
|
||||
# (sub-second) so unconditional run is fine.
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened]
|
||||
push:
|
||||
branches: [main, staging]
|
||||
|
||||
env:
|
||||
GITHUB_SERVER_URL: https://git.moleculesai.app
|
||||
|
||||
jobs:
|
||||
scan:
|
||||
name: Scan workspace_secrets writers for forbidden env keys
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Scan for forbidden operator-scope env key NAMES in writer paths
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
# Forbidden EXACT-MATCH env var names. Kept in lockstep with
|
||||
# workspace-server/internal/handlers/workspace_provision_forbidden_env.go
|
||||
# forbiddenTenantEnvKeys. The Go-side test
|
||||
# TestIsForbiddenTenantEnvKey_ExactMatches is the source of
|
||||
# truth — if Go-side adds a key, also add it here (and
|
||||
# vice-versa). Drift between the two is the failure mode this
|
||||
# entire 3-layer guardrail is designed to catch.
|
||||
FORBIDDEN_KEYS=(
|
||||
"GITEA_TOKEN" "GITEA_PAT"
|
||||
"GITHUB_TOKEN" "GITHUB_PAT" "GH_TOKEN"
|
||||
"GITLAB_TOKEN" "GL_TOKEN"
|
||||
"BITBUCKET_TOKEN"
|
||||
"CP_ADMIN_API_TOKEN" "CP_ADMIN_TOKEN"
|
||||
"INFISICAL_OPERATOR_TOKEN" "INFISICAL_BOOTSTRAP_TOKEN"
|
||||
"RAILWAY_TOKEN" "RAILWAY_PERSONAL_API_TOKEN"
|
||||
"HETZNER_TOKEN" "HETZNER_API_TOKEN"
|
||||
)
|
||||
|
||||
# Forbidden PREFIX patterns — operator-scope families.
|
||||
FORBIDDEN_PREFIXES=(
|
||||
"MOLECULE_OPERATOR_"
|
||||
)
|
||||
|
||||
# Writer paths: Go source under workspace-server/ that
|
||||
# writes to the env-vars map or to workspace_secrets DB rows.
|
||||
# Tests, the forbidden-env source itself, and the silent-
|
||||
# strip denylist are exempt (they LIST the keys by design).
|
||||
SCAN_ROOT="workspace-server/internal"
|
||||
# Exempt paths fall in two classes:
|
||||
# 1. The deny-set definitions + the silent-strip denylist:
|
||||
# they LIST the forbidden names by design.
|
||||
# 2. Pre-RFC#523 persona-merge / config-read paths that
|
||||
# already handle these names correctly (the silent-
|
||||
# strip downstream + the new L1 fail-closed cover the
|
||||
# runtime risk; these reads are unchanged).
|
||||
# New code MUST NOT be added to this list without reviewer
|
||||
# signoff and a one-line justification in this diff.
|
||||
EXEMPT_PATHS=(
|
||||
# Class 1 — deny-set definitions
|
||||
"workspace-server/internal/handlers/workspace_provision_forbidden_env.go"
|
||||
"workspace-server/internal/handlers/workspace_provision_forbidden_env_test.go"
|
||||
"workspace-server/internal/provisioner/provisioner.go"
|
||||
"workspace-server/internal/provisioner/provisioner_test.go"
|
||||
# Class 2 — pre-existing persona-fallback / org-helper paths
|
||||
# that set the GITEA_TOKEN fallback lane (stripped downstream
|
||||
# by provisioner.buildContainerEnv per forensic #145). The
|
||||
# new L1 fail-closed runs BEFORE these writers, so any
|
||||
# operator-scope leak via global/workspace_secrets is
|
||||
# already caught. See applyAgentGitHTTPCreds doc-comment.
|
||||
"workspace-server/internal/handlers/agent_git_identity.go"
|
||||
"workspace-server/internal/handlers/org_helpers.go"
|
||||
"workspace-server/internal/handlers/org.go"
|
||||
# Class 2 — CP→platform admin auth (NOT a tenant env write;
|
||||
# this is the control-plane HTTP auth header source).
|
||||
"workspace-server/internal/provisioner/cp_provisioner.go"
|
||||
)
|
||||
|
||||
# Build a single grep -F pattern: every forbidden key wrapped
|
||||
# in quotes (Go string-literal form, which is how env-map
|
||||
# writes appear). e.g. envVars["GITEA_TOKEN"] = ... or
|
||||
# `"GITEA_TOKEN":` in a literal-map declaration.
|
||||
#
|
||||
# We deliberately match the quoted form so a comment that
|
||||
# happens to spell the name without quotes (e.g. "see
|
||||
# GITEA_TOKEN below") doesn't trip the lint.
|
||||
PATTERN=""
|
||||
for k in "${FORBIDDEN_KEYS[@]}"; do
|
||||
PATTERN="${PATTERN}\"${k}\"\n"
|
||||
done
|
||||
for p in "${FORBIDDEN_PREFIXES[@]}"; do
|
||||
# Prefix match needs a regex; switch to grep -E below for
|
||||
# this slice. Kept conceptually here so the deny set lives
|
||||
# in one place; scan is run twice (literal + prefix).
|
||||
true
|
||||
done
|
||||
|
||||
# Build exempt-paths grep filter — `grep -v -f` style.
|
||||
EXEMPT_FILTER=$(mktemp)
|
||||
trap 'rm -f "$EXEMPT_FILTER"' EXIT
|
||||
for p in "${EXEMPT_PATHS[@]}"; do
|
||||
echo "$p" >> "$EXEMPT_FILTER"
|
||||
done
|
||||
|
||||
# --- Exact-match scan ---
|
||||
HITS=""
|
||||
for k in "${FORBIDDEN_KEYS[@]}"; do
|
||||
# Only .go files; skip _test.go for the writer-path scan
|
||||
# since tests legitimately reference the names. The
|
||||
# writer-path lint targets PRODUCTION code only.
|
||||
found=$(grep -rn --include='*.go' --exclude='*_test.go' "\"${k}\"" "$SCAN_ROOT" 2>/dev/null \
|
||||
| grep -v -F -f "$EXEMPT_FILTER" || true)
|
||||
if [ -n "$found" ]; then
|
||||
HITS="${HITS}${found}\n"
|
||||
fi
|
||||
done
|
||||
|
||||
# --- Prefix scan ---
|
||||
for prefix in "${FORBIDDEN_PREFIXES[@]}"; do
|
||||
found=$(grep -rnE --include='*.go' --exclude='*_test.go' "\"${prefix}[A-Z0-9_]+\"" "$SCAN_ROOT" 2>/dev/null \
|
||||
| grep -v -F -f "$EXEMPT_FILTER" || true)
|
||||
if [ -n "$found" ]; then
|
||||
HITS="${HITS}${found}\n"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -n "$HITS" ]; then
|
||||
echo "::error::RFC#523 Layer 3: forbidden operator-scope env var name(s) hardcoded in tenant-workspace writer paths:"
|
||||
printf "$HITS"
|
||||
echo ""
|
||||
echo "These env-var NAMES are on the operator-scope deny list (see"
|
||||
echo "workspace-server/internal/handlers/workspace_provision_forbidden_env.go)."
|
||||
echo "If your code legitimately needs to inject one of these for a"
|
||||
echo "non-tenant code path, add the file to EXEMPT_PATHS in this"
|
||||
echo "workflow with a one-line justification — reviewer signoff required."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "OK No forbidden operator-scope env key names hardcoded in writer paths."
|
||||
@@ -1,182 +0,0 @@
|
||||
name: Lint no tenant GITEA or GITHUB token write
|
||||
|
||||
# Task #146 — CI guardrail companion to RFC#523's `lint-forbidden-env-keys.yml`.
|
||||
#
|
||||
# `lint-forbidden-env-keys.yml` (Layer 3) catches code that hardcodes a
|
||||
# forbidden env-var key NAME as a quoted literal in workspace_secrets
|
||||
# writer paths under workspace-server/internal/.
|
||||
#
|
||||
# This workflow catches a BROADER class: any code path that reads a
|
||||
# repo-host token (GITEA_TOKEN / GITHUB_TOKEN / GH_TOKEN) and then writes
|
||||
# it into a TENANT WORKSPACE's env, secret store, user-data, or
|
||||
# provision payload. This is the actual RFC#523 threat-model statement —
|
||||
# the goal is "no tenant workspace ever receives an operator-scope repo
|
||||
# token," not just "no _quoted_ literal `GITEA_TOKEN`." A future writer
|
||||
# could route the value via a variable, a struct field, or a config key
|
||||
# and slip past the existing literal scan; this lint catches those
|
||||
# routing patterns at PR review time.
|
||||
#
|
||||
# Scope
|
||||
# Scans the WHOLE repo's Go sources (not just workspace-server/) for
|
||||
# co-occurrences of:
|
||||
# - a repo-host token NAME (GITEA_TOKEN / GITHUB_TOKEN / GH_TOKEN /
|
||||
# GITEA_PAT / GITHUB_PAT) used as os.Getenv argument or string
|
||||
# literal
|
||||
# - within a file that ALSO references a tenant-writer surface
|
||||
# (`tenant`, `workspace_secrets`, `global_secrets`, `seedAllowList`,
|
||||
# `/settings/secrets`, `userData`, `provisionPayload`,
|
||||
# `envVars[`, `containerEnv`).
|
||||
#
|
||||
# Co-occurrence (not single-line) is the false-positive control: a
|
||||
# file that just LOGS the variable name (e.g. "missing GITEA_TOKEN")
|
||||
# without touching any tenant surface won't fire.
|
||||
#
|
||||
# Drift contract with lint-forbidden-env-keys.yml
|
||||
# Both lints share the same FORBIDDEN_KEYS list (a subset — only the
|
||||
# repo-host tokens, since this lint's threat model is "tenant gets
|
||||
# write access to operator's git host"). If RFC#523's deny set grows,
|
||||
# update BOTH this file AND lint-forbidden-env-keys.yml AND the Go
|
||||
# source-of-truth in
|
||||
# workspace-server/internal/handlers/workspace_provision_forbidden_env.go.
|
||||
#
|
||||
# Open-source-template-friendly
|
||||
# The patterns scanned are generic (no MOLECULE_-prefix literals).
|
||||
# A fork can copy this workflow as-is and adjust FORBIDDEN_KEYS.
|
||||
#
|
||||
# Path-filter discipline
|
||||
# No `paths:` filter — required-status workflows must run on every PR
|
||||
# per `feedback_path_filtered_workflow_cant_be_required`. Scan is
|
||||
# sub-second.
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened]
|
||||
push:
|
||||
branches: [main, staging]
|
||||
|
||||
env:
|
||||
GITHUB_SERVER_URL: https://git.moleculesai.app
|
||||
|
||||
jobs:
|
||||
# bp-exempt: advisory RFC#523 lint; PR review gate is review-driven, not BP-driven.
|
||||
# (Carried with the workflow-name rename in PR mc#1593 so the renamed
|
||||
# context emission satisfies lint_required_context_exists_in_bp Tier 2g.)
|
||||
scan:
|
||||
name: Scan for repo-host token write into tenant workspace surface
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Find Go files referencing a tenant-writer surface AND a repo-host token
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
# Repo-host token NAMES — the threat-model subset. Operator-fleet
|
||||
# tokens (CP_ADMIN_API_TOKEN, RAILWAY_TOKEN, INFISICAL_*) are
|
||||
# caught by lint-forbidden-env-keys.yml's broader deny set; this
|
||||
# lint focuses on the git-host class so a single co-occurrence
|
||||
# match has a low false-positive rate.
|
||||
FORBIDDEN_KEYS=(
|
||||
"GITEA_TOKEN"
|
||||
"GITEA_PAT"
|
||||
"GITHUB_TOKEN"
|
||||
"GITHUB_PAT"
|
||||
"GH_TOKEN"
|
||||
)
|
||||
|
||||
# Tenant-writer surface markers. A file matches the surface set
|
||||
# if it references ANY of these strings. This is the "is this
|
||||
# code path writing into a tenant workspace?" heuristic.
|
||||
# Curated to catch the actual code shapes used in this repo
|
||||
# (verified by grep against current main 2026-05-19):
|
||||
# - "workspace_secrets" / "global_secrets" → DB table writes
|
||||
# - "seedAllowList" → CP-side seed table
|
||||
# - "/settings/secrets" → tenant HTTP API write
|
||||
# - "envVars[" → in-memory env map write
|
||||
# - "containerEnv" → docker-run env-set
|
||||
# - "userData" → EC2 user-data script
|
||||
# - "provisionPayload" / "provisionContext" → provision-request shape
|
||||
SURFACE_PATTERN='workspace_secrets|global_secrets|seedAllowList|/settings/secrets|envVars\[|containerEnv|userData|provisionPayload|provisionContext'
|
||||
|
||||
# Files that legitimately reference these names AND a surface
|
||||
# marker, but do so for guard / strip / test / doc-comment
|
||||
# reasons. New entries require reviewer signoff and a one-line
|
||||
# justification in the diff.
|
||||
EXEMPT_FILES=(
|
||||
# RFC#523 L1 deny-set source-of-truth + tests
|
||||
"workspace-server/internal/handlers/workspace_provision_forbidden_env.go"
|
||||
"workspace-server/internal/handlers/workspace_provision_forbidden_env_test.go"
|
||||
# Forensic-#145 silent-strip denylist (defense-in-depth, by design lists the names)
|
||||
"workspace-server/internal/provisioner/provisioner.go"
|
||||
"workspace-server/internal/provisioner/provisioner_test.go"
|
||||
# Pre-RFC#523 persona-fallback / org-helper paths. The L1
|
||||
# fail-closed runs BEFORE these writers; downstream silent-strip
|
||||
# also covers them. See applyAgentGitHTTPCreds doc-comment.
|
||||
"workspace-server/internal/handlers/agent_git_identity.go"
|
||||
"workspace-server/internal/handlers/org_helpers.go"
|
||||
"workspace-server/internal/handlers/org.go"
|
||||
# CP→platform admin auth (NOT a tenant env write).
|
||||
"workspace-server/internal/provisioner/cp_provisioner.go"
|
||||
)
|
||||
|
||||
# Build an extended-regex alternation of forbidden keys.
|
||||
KEY_ALT="$(IFS='|'; echo "${FORBIDDEN_KEYS[*]}")"
|
||||
|
||||
# Find candidate files: Go non-test sources that contain a
|
||||
# tenant-writer surface marker.
|
||||
mapfile -t CANDIDATES < <(
|
||||
grep -rlE --include='*.go' --exclude='*_test.go' \
|
||||
"${SURFACE_PATTERN}" . 2>/dev/null \
|
||||
| sed 's|^\./||' \
|
||||
| sort -u
|
||||
)
|
||||
|
||||
if [ "${#CANDIDATES[@]}" -eq 0 ]; then
|
||||
echo "OK No tenant-writer-surface files found in tree (unexpected, but not a lint failure)."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
HITS=""
|
||||
for f in "${CANDIDATES[@]}"; do
|
||||
# Skip exempt files.
|
||||
skip=0
|
||||
for ex in "${EXEMPT_FILES[@]}"; do
|
||||
if [ "$f" = "$ex" ]; then skip=1; break; fi
|
||||
done
|
||||
[ "$skip" = "1" ] && continue
|
||||
|
||||
# File contains a surface marker; now grep for a forbidden
|
||||
# key NAME. We require a QUOTED-literal match to avoid
|
||||
# firing on a comment like "// also handle GITEA_TOKEN".
|
||||
#
|
||||
# The literal form catches:
|
||||
# - os.Getenv("GITEA_TOKEN")
|
||||
# - envVars["GITEA_TOKEN"] = ...
|
||||
# - {envKey: "GITEA_TOKEN", tenantKey: "GITEA_TOKEN"}
|
||||
# but not:
|
||||
# - // see GITEA_TOKEN below (no quotes)
|
||||
found=$(grep -nE "\"(${KEY_ALT})\"" "$f" 2>/dev/null || true)
|
||||
if [ -n "$found" ]; then
|
||||
HITS="${HITS}--- ${f} ---\n${found}\n"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -n "$HITS" ]; then
|
||||
echo "::error::Task #146 lint: repo-host token name(s) quoted in a tenant-writer-surface file:"
|
||||
printf "$HITS"
|
||||
echo ""
|
||||
echo "These files reference a tenant-writer surface (workspace_secrets,"
|
||||
echo "seedAllowList, /settings/secrets, containerEnv, userData, etc.)"
|
||||
echo "AND quote a repo-host token name (GITEA_TOKEN/GITHUB_TOKEN/…)."
|
||||
echo "Per RFC#523 threat model, tenant workspaces MUST NOT receive"
|
||||
echo "operator-scope repo-host tokens. If your code legitimately needs"
|
||||
echo "to reference one of these names in a tenant-writer file (e.g."
|
||||
echo "a deny-set definition or silent-strip list), add the file to"
|
||||
echo "EXEMPT_FILES with a one-line justification — reviewer signoff"
|
||||
echo "required."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "OK No tenant-writer-surface file co-mentions a repo-host token literal."
|
||||
@@ -1,163 +0,0 @@
|
||||
name: lint-required-workflows-docker-host-pinned
|
||||
|
||||
# Fail-closed lint that catches workflows touching docker.sock without
|
||||
# pinning `runs-on:` to a Linux-only label.
|
||||
#
|
||||
# Class defect (internal#512 + mc#1529 + today's oc#81/82/83 + autogen#8):
|
||||
# the `ubuntu-latest` label is advertised by BOTH the Linux operator-host
|
||||
# runners (molecule-runner-*) AND the Windows act_runner v1.0.3 on
|
||||
# hongming-pc-runner-*. Job placement is non-deterministic. When a docker-
|
||||
# bound job lands on a Windows runner, `docker run`/`docker login`/
|
||||
# `docker compose` fail with platform-specific errors ("protocol not
|
||||
# available", "cannot exec", etc.) — placement-dependent, not transient.
|
||||
#
|
||||
# This lint enforces the convention: any workflow whose YAML body
|
||||
# contains a docker exec (`docker run|build|buildx|compose|pull|push|
|
||||
# exec|tag|login|cp|inspect|ps` OR `docker/build-push-action|docker/
|
||||
# login-action|docker/setup-buildx`) MUST pin every job's `runs-on:` to
|
||||
# one of:
|
||||
# - docker-host (general docker.sock work — molecule-runner-*)
|
||||
# - publish (image build/push — molecule-runner-publish-*)
|
||||
#
|
||||
# Comments and heredoc/markdown bodies that merely MENTION docker are
|
||||
# excluded by the detection rule (see scan.py below).
|
||||
#
|
||||
# Per `feedback_never_skip_ci`: this is fail-closed (exit 1 on miss).
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- '.gitea/workflows/**'
|
||||
- '.github/workflows/**'
|
||||
push:
|
||||
branches: [main, staging]
|
||||
paths:
|
||||
- '.gitea/workflows/**'
|
||||
- '.github/workflows/**'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
env:
|
||||
GITHUB_SERVER_URL: https://git.moleculesai.app
|
||||
|
||||
jobs:
|
||||
lint-docker-host-pin:
|
||||
name: Lint docker-host pin on docker-touching workflows
|
||||
runs-on: docker-host
|
||||
timeout-minutes: 5
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
|
||||
- name: Scan workflows for docker-bound jobs missing docker-host/publish pin
|
||||
run: |
|
||||
set -euo pipefail
|
||||
python3 - <<'PY'
|
||||
import os
|
||||
import re
|
||||
import sys
|
||||
|
||||
# Docker-step detection: real exec, not just word-mention in comments.
|
||||
# We strip comment-only lines, then look for the docker subcommand
|
||||
# tokens at word-boundary, OR uses: docker/* actions.
|
||||
DOCKER_EXEC = re.compile(
|
||||
r'(?<!\w)docker\s+(run|build|buildx|compose|pull|push|exec|tag|login|cp|inspect|ps)\b'
|
||||
)
|
||||
DOCKER_ACTION = re.compile(
|
||||
r'uses:\s*docker/(build-push-action|login-action|setup-buildx-action|setup-qemu-action)'
|
||||
)
|
||||
# Detect a job header line like ` myjob:` (2-space indent) AND its runs-on.
|
||||
JOB_HEADER = re.compile(r'^( {2})([a-zA-Z0-9_-]+):\s*$')
|
||||
RUNS_ON = re.compile(r'^( {4})runs-on:\s*(.+?)\s*$')
|
||||
|
||||
ALLOWED_LABELS = {'docker-host', 'publish'}
|
||||
|
||||
fails = []
|
||||
warnings = []
|
||||
|
||||
roots = []
|
||||
for root in ('.gitea/workflows', '.github/workflows'):
|
||||
if os.path.isdir(root):
|
||||
roots.append(root)
|
||||
|
||||
for root in roots:
|
||||
for fn in sorted(os.listdir(root)):
|
||||
if not (fn.endswith('.yml') or fn.endswith('.yaml')):
|
||||
continue
|
||||
path = os.path.join(root, fn)
|
||||
with open(path) as f:
|
||||
raw_lines = f.readlines()
|
||||
|
||||
# Parse job headers + their runs-on. Simple line scan; relies on
|
||||
# 2-space job indent + 4-space runs-on indent under `jobs:`.
|
||||
jobs = []
|
||||
current = None
|
||||
in_jobs = False
|
||||
for i, line in enumerate(raw_lines, 1):
|
||||
if re.match(r'^jobs:\s*$', line):
|
||||
in_jobs = True
|
||||
continue
|
||||
if not in_jobs:
|
||||
continue
|
||||
mh = JOB_HEADER.match(line)
|
||||
if mh:
|
||||
if current:
|
||||
current['end'] = i - 1
|
||||
jobs.append(current)
|
||||
current = {'name': mh.group(2), 'line': i, 'end': len(raw_lines), 'runs_on': None}
|
||||
continue
|
||||
mr = RUNS_ON.match(line)
|
||||
if mr and current and current['runs_on'] is None:
|
||||
current['runs_on'] = mr.group(2).strip()
|
||||
if current:
|
||||
jobs.append(current)
|
||||
|
||||
for j in jobs:
|
||||
# Strip pure-comment lines for docker-exec detection so
|
||||
# documentation comments don't trigger the lint. Scan the
|
||||
# current job body only: a workflow may contain one
|
||||
# docker-bound job and several harmless metadata jobs.
|
||||
job_lines = raw_lines[j['line'] - 1:j['end']]
|
||||
scan_text = ''.join(
|
||||
l for l in job_lines
|
||||
if not re.match(r'^\s*#', l)
|
||||
)
|
||||
has_docker = bool(DOCKER_EXEC.search(scan_text)) or bool(DOCKER_ACTION.search(scan_text))
|
||||
if not has_docker:
|
||||
continue
|
||||
ro = j['runs_on']
|
||||
if ro is None:
|
||||
# Reusable workflow caller (`uses:` instead of `runs-on:`) —
|
||||
# skip; rule enforced in the called workflow.
|
||||
continue
|
||||
# Strip surrounding [ ] and quotes.
|
||||
ro_norm = ro.strip('[]').strip().strip('"\'')
|
||||
# Multi-label "[a, b]" — split.
|
||||
labels = [t.strip().strip('"\'') for t in ro_norm.split(',') if t.strip()]
|
||||
if any(lbl in ALLOWED_LABELS for lbl in labels):
|
||||
continue
|
||||
# Allow caller-supplied label expressions; spell the
|
||||
# marker indirectly so Gitea's expression parser does
|
||||
# not try to parse this Python heredoc.
|
||||
expression_marker = '$' + '{{'
|
||||
if any(expression_marker in lbl for lbl in labels):
|
||||
continue
|
||||
fails.append(
|
||||
f"{path}:{j['line']}: job `{j['name']}` uses docker but runs-on={ro!r} "
|
||||
f"(must be one of {sorted(ALLOWED_LABELS)})"
|
||||
)
|
||||
|
||||
if fails:
|
||||
print("FAIL: docker-bound jobs missing docker-host/publish pin:")
|
||||
for f in fails:
|
||||
print(f" - {f}")
|
||||
print()
|
||||
print("Why this rule exists (internal#512 + mc#1529):")
|
||||
print(" Bare `ubuntu-latest` is advertised by BOTH Linux operator-host")
|
||||
print(" runners AND Windows hongming-pc-runner-* (act_runner v1.0.3).")
|
||||
print(" Docker-bound jobs that land on Windows fail non-deterministically.")
|
||||
print(" Pin to `docker-host` (general) or `publish` (image build/push).")
|
||||
sys.exit(1)
|
||||
|
||||
print("OK: all docker-bound jobs are pinned to docker-host or publish.")
|
||||
PY
|
||||
@@ -1,88 +0,0 @@
|
||||
name: Lint shellcheck (arm64 pilot)
|
||||
|
||||
# Mac-CI dual-track pilot (#233). ADDITIVE / NOT REQUIRED.
|
||||
#
|
||||
# Validates the arm64 self-hosted lane (no docker.sock, no privileged
|
||||
# ops) before any required gate moves onto it. Until a Mac arm64 runner
|
||||
# is registered with the `arm64` label, this workflow sits PENDING —
|
||||
# that is FINE: `arm64` is NOT in branch_protections required contexts.
|
||||
#
|
||||
# Pairs with internal#543 (RFC: Mac arm64 multi-arch runner-base).
|
||||
# No paths: filter on purpose (feedback_path_filtered_workflow_cant_be_required).
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- staging
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
shellcheck-arm64:
|
||||
name: shellcheck-arm64 (pilot)
|
||||
runs-on: [self-hosted, arm64]
|
||||
# NOT a required check; safe to sit pending until Mac runner is up.
|
||||
# If the Mac runner has trouble pulling actions/checkout we fall
|
||||
# back to a plain git clone (see step 'fallback clone').
|
||||
timeout-minutes: 10
|
||||
env:
|
||||
GITHUB_SERVER_URL: https://git.moleculesai.app
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
set -eu
|
||||
echo "arch=$(uname -m)"
|
||||
echo "kernel=$(uname -sr)"
|
||||
echo "shell=$BASH_VERSION"
|
||||
# Sanity: must actually be arm64. If amd64 sneaks in here,
|
||||
# fail fast — that means the label routing is wrong.
|
||||
case "$(uname -m)" in
|
||||
aarch64|arm64) echo "arm64 confirmed" ;;
|
||||
*) echo "ERROR: expected arm64, got $(uname -m)"; exit 1 ;;
|
||||
esac
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Install shellcheck (arm64)
|
||||
run: |
|
||||
set -eu
|
||||
if command -v shellcheck >/dev/null 2>&1; then
|
||||
echo "shellcheck already present: $(shellcheck --version | head -1)"
|
||||
else
|
||||
# Prefer apt if the runner base ships it; else download arm64 binary.
|
||||
if command -v apt-get >/dev/null 2>&1; then
|
||||
sudo apt-get update -qq
|
||||
sudo apt-get install -y --no-install-recommends shellcheck
|
||||
else
|
||||
SC_VER=v0.10.0
|
||||
curl -fsSL "https://github.com/koalaman/shellcheck/releases/download/${SC_VER}/shellcheck-${SC_VER}.linux.aarch64.tar.xz" \
|
||||
| tar -xJf - --strip-components=1
|
||||
sudo mv shellcheck /usr/local/bin/
|
||||
fi
|
||||
fi
|
||||
shellcheck --version | head -2
|
||||
|
||||
- name: Run shellcheck on .gitea/scripts/*.sh
|
||||
run: |
|
||||
set -eu
|
||||
# Only the scripts we control under .gitea/scripts. Pilot
|
||||
# scope is intentionally narrow — broaden in a follow-up
|
||||
# once the lane is proven.
|
||||
mapfile -t TARGETS < <(find .gitea/scripts -maxdepth 2 -type f -name '*.sh' | sort)
|
||||
if [ "${#TARGETS[@]}" -eq 0 ]; then
|
||||
echo "No .sh files found under .gitea/scripts — nothing to check"
|
||||
exit 0
|
||||
fi
|
||||
echo "Checking ${#TARGETS[@]} file(s):"
|
||||
printf ' %s\n' "${TARGETS[@]}"
|
||||
# SC1091 = couldn't follow non-constant source; expected for
|
||||
# CI-time analysis without the full runtime layout.
|
||||
shellcheck --severity=error --exclude=SC1091 "${TARGETS[@]}"
|
||||
@@ -29,14 +29,6 @@ on:
|
||||
pull_request:
|
||||
paths:
|
||||
- "workspace/**"
|
||||
# mc#1578 / a05add29 cure: build_runtime_package.py owns PYPROJECT_TEMPLATE
|
||||
# (deps, classifiers, project metadata). A change there is publish-affecting
|
||||
# even when workspace/** is untouched, so the autobump must fire to claim
|
||||
# the next runtime-v$VERSION tag. Without this, manual tagging races PyPI
|
||||
# (e.g. runtime-v0.1.18 collided with the 2026-04-27 PyPI 0.1.18 publish,
|
||||
# blocking the python-multipart pin from reaching prod).
|
||||
- "scripts/build_runtime_package.py"
|
||||
- "scripts/test_build_runtime_package.py"
|
||||
# Bump-and-tag on main/staging push (the actual operational trigger).
|
||||
push:
|
||||
branches:
|
||||
@@ -44,8 +36,6 @@ on:
|
||||
- staging
|
||||
paths:
|
||||
- "workspace/**"
|
||||
- "scripts/build_runtime_package.py"
|
||||
- "scripts/test_build_runtime_package.py"
|
||||
# Manual dispatch — useful when Gitea Actions API (/actions/*) is
|
||||
# unreachable (e.g. act_runner 404 on Gitea 1.22.6) and we cannot
|
||||
# re-trigger via curl.
|
||||
@@ -114,7 +104,7 @@ jobs:
|
||||
with:
|
||||
python-version: "3.11"
|
||||
|
||||
- name: Compute next version from PyPI latest and existing tags
|
||||
- name: Compute next version from PyPI latest
|
||||
id: bump
|
||||
run: |
|
||||
set -eu
|
||||
@@ -122,24 +112,9 @@ jobs:
|
||||
| python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
|
||||
MAJOR=$(echo "$LATEST" | cut -d. -f1)
|
||||
MINOR=$(echo "$LATEST" | cut -d. -f2)
|
||||
TAG_LATEST=$(git tag --list "runtime-v${MAJOR}.${MINOR}.*" \
|
||||
| sed -E 's/^runtime-v//' \
|
||||
| grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
|
||||
| sort -V \
|
||||
| tail -1 || true)
|
||||
VERSION=$(PYPI_LATEST="$LATEST" TAG_LATEST="$TAG_LATEST" python - <<'PY'
|
||||
import os
|
||||
|
||||
def parse(v):
|
||||
return tuple(int(part) for part in v.split("."))
|
||||
|
||||
pypi = os.environ["PYPI_LATEST"]
|
||||
tag = os.environ.get("TAG_LATEST") or pypi
|
||||
base = max(parse(pypi), parse(tag))
|
||||
print(f"{base[0]}.{base[1]}.{base[2] + 1}")
|
||||
PY
|
||||
)
|
||||
echo "PyPI latest=$LATEST, latest runtime tag=${TAG_LATEST:-none} -> next=$VERSION"
|
||||
PATCH=$(echo "$LATEST" | cut -d. -f3)
|
||||
VERSION="${MAJOR}.${MINOR}.$((PATCH+1))"
|
||||
echo "PyPI latest=$LATEST -> next=$VERSION"
|
||||
if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
|
||||
echo "::error::computed version $VERSION does not match PEP 440 X.Y.Z"
|
||||
exit 1
|
||||
|
||||
@@ -89,7 +89,6 @@ on:
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: read
|
||||
secrets: read
|
||||
|
||||
jobs:
|
||||
# bp-exempt: PR review bot signal; required merge state is enforced by CI / all-required.
|
||||
|
||||
@@ -151,11 +151,6 @@ jobs:
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# confirm:true ack required by CP /cp/admin/tenants/redeploy-fleet
|
||||
# contract (cp#228 / task #308) for fleet-wide intent. Empty body
|
||||
# / {confirm:false} / {only_slugs:[]} → 400. This caller redeploys
|
||||
# the entire prod fleet (canary + fan-out), no slug scoping, so
|
||||
# confirm:true is correct.
|
||||
BODY=$(jq -nc \
|
||||
--arg tag "$TARGET_TAG" \
|
||||
--arg canary "$CANARY_SLUG" \
|
||||
@@ -167,8 +162,7 @@ jobs:
|
||||
canary_slug: $canary,
|
||||
soak_seconds: $soak,
|
||||
batch_size: $batch,
|
||||
dry_run: $dry,
|
||||
confirm: true
|
||||
dry_run: $dry
|
||||
}')
|
||||
|
||||
echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
|
||||
|
||||
@@ -123,11 +123,6 @@ jobs:
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# confirm:true ack required by CP /cp/admin/tenants/redeploy-fleet
|
||||
# contract (cp#228 / task #308) for fleet-wide intent. Empty body
|
||||
# / {confirm:false} / {only_slugs:[]} → 400. Staging IS the
|
||||
# canary, no slug scoping; this rolls the entire staging fleet,
|
||||
# so confirm:true is correct.
|
||||
BODY=$(jq -nc \
|
||||
--arg tag "$TARGET_TAG" \
|
||||
--arg canary "$CANARY_SLUG" \
|
||||
@@ -139,8 +134,7 @@ jobs:
|
||||
canary_slug: $canary,
|
||||
soak_seconds: $soak,
|
||||
batch_size: $batch,
|
||||
dry_run: $dry,
|
||||
confirm: true
|
||||
dry_run: $dry
|
||||
}')
|
||||
|
||||
echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
|
||||
|
||||
@@ -1,16 +1,11 @@
|
||||
# DEPRECATED — superseded by `.gitea/workflows/sop-checklist.yml`.
|
||||
# Consolidated comment dispatcher for manual review/tier refires.
|
||||
#
|
||||
# The review-refire logic (qa/security/tier slash-command dispatch) has been
|
||||
# merged into sop-checklist.yml as the `review-refire` job. This workflow
|
||||
# is kept as a no-op stub to avoid a gap during the transition window where
|
||||
# this file may be deleted while sop-checklist.yml has not yet been merged.
|
||||
#
|
||||
# After sop-checklist.yml lands, this file will be deleted (issue #1280).
|
||||
#
|
||||
# Historical behavior (superseded):
|
||||
# Gitea 1.22 queues one run per workflow subscribed to `issue_comment` before
|
||||
# evaluating job-level `if:`. Previously this workflow was the single
|
||||
# non-SOP comment subscriber for qa/security/tier refire slash commands.
|
||||
# evaluating job-level `if:`. SOP-heavy PRs therefore created queue storms when
|
||||
# qa-review, security-review, sop-checklist, and sop-tier-refire all
|
||||
# listened to comments. This workflow is the single non-SOP comment subscriber:
|
||||
# ordinary comments no-op quickly; slash commands post the required status
|
||||
# contexts to the PR head SHA.
|
||||
|
||||
name: review-refire-comments
|
||||
|
||||
@@ -28,12 +23,91 @@ concurrency:
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
# No-op stub — all refire logic moved to sop-checklist.yml review-refire job.
|
||||
# Kept to avoid transition gap; will be deleted after sop-checklist.yml merges.
|
||||
dispatch:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Deprecated — refire logic moved to sop-checklist.yml
|
||||
- name: Classify comment
|
||||
id: classify
|
||||
env:
|
||||
COMMENT_BODY: ${{ github.event.comment.body }}
|
||||
IS_PR: ${{ github.event.issue.pull_request != null }}
|
||||
run: |
|
||||
echo "::warning::review-refire-comments.yml is deprecated. Refire logic is now in sop-checklist.yml review-refire job. This workflow is a no-op stub pending deletion (issue #1280)."
|
||||
exit 0
|
||||
set -euo pipefail
|
||||
{
|
||||
echo "run_qa=false"
|
||||
echo "run_security=false"
|
||||
echo "run_tier=false"
|
||||
} >> "$GITHUB_OUTPUT"
|
||||
if [ "$IS_PR" != "true" ]; then
|
||||
echo "::notice::not a PR comment; no-op"
|
||||
exit 0
|
||||
fi
|
||||
first_line=$(printf '%s\n' "$COMMENT_BODY" | sed -n '1p')
|
||||
case "$first_line" in
|
||||
/qa-recheck*)
|
||||
echo "run_qa=true" >> "$GITHUB_OUTPUT"
|
||||
;;
|
||||
/security-recheck*)
|
||||
echo "run_security=true" >> "$GITHUB_OUTPUT"
|
||||
;;
|
||||
/refire-tier-check*)
|
||||
echo "run_tier=true" >> "$GITHUB_OUTPUT"
|
||||
;;
|
||||
*)
|
||||
echo "::notice::no supported review refire slash command; no-op"
|
||||
;;
|
||||
esac
|
||||
|
||||
- name: Check out BASE ref for trusted scripts
|
||||
if: |
|
||||
steps.classify.outputs.run_qa == 'true' ||
|
||||
steps.classify.outputs.run_security == 'true' ||
|
||||
steps.classify.outputs.run_tier == 'true'
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
ref: ${{ github.event.repository.default_branch }}
|
||||
|
||||
- name: Refire qa-review status
|
||||
if: steps.classify.outputs.run_qa == 'true'
|
||||
env:
|
||||
GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
GITEA_HOST: git.moleculesai.app
|
||||
REPO: ${{ github.repository }}
|
||||
PR_NUMBER: ${{ github.event.issue.number }}
|
||||
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
|
||||
TEAM: qa
|
||||
TEAM_ID: '20'
|
||||
REVIEW_CHECK_DEBUG: '0'
|
||||
REVIEW_CHECK_STRICT: '0'
|
||||
COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
.gitea/scripts/review-refire-status.sh
|
||||
|
||||
- name: Refire security-review status
|
||||
if: steps.classify.outputs.run_security == 'true'
|
||||
env:
|
||||
GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
GITEA_HOST: git.moleculesai.app
|
||||
REPO: ${{ github.repository }}
|
||||
PR_NUMBER: ${{ github.event.issue.number }}
|
||||
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
|
||||
TEAM: security
|
||||
TEAM_ID: '21'
|
||||
REVIEW_CHECK_DEBUG: '0'
|
||||
REVIEW_CHECK_STRICT: '0'
|
||||
COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
.gitea/scripts/review-refire-status.sh
|
||||
|
||||
- name: Refire sop-tier-check status
|
||||
if: steps.classify.outputs.run_tier == 'true'
|
||||
env:
|
||||
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
GITEA_HOST: git.moleculesai.app
|
||||
REPO: ${{ github.repository }}
|
||||
PR_NUMBER: ${{ github.event.issue.number }}
|
||||
COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
|
||||
SOP_DEBUG: '0'
|
||||
run: bash .gitea/scripts/sop-tier-refire.sh
|
||||
|
||||
@@ -30,11 +30,6 @@ jobs:
|
||||
scan:
|
||||
name: Scan diff for credential-shaped strings
|
||||
runs-on: ubuntu-latest
|
||||
# Hard CI gate — must complete or the PR is unmergable. 10-minute ceiling
|
||||
# is generous for a diff-scan against a single SHA. If this times out, the
|
||||
# runner is frozen and holding a slot — the step timeout triggers clean
|
||||
# failure, releasing the runner for the next job.
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
@@ -138,14 +133,6 @@ jobs:
|
||||
[ -z "$f" ] && continue
|
||||
[ "$f" = "$SELF_GITHUB" ] && continue
|
||||
[ "$f" = "$SELF_GITEA" ] && continue
|
||||
# Test-fixture exclude (internal#425): the secrets-detector's OWN
|
||||
# unit-test corpus deliberately embeds credential-SHAPED example
|
||||
# strings to exercise the detector. Verified 2026-05-18 synthetic
|
||||
# (fabricated ghp_* fixtures, not real). Without this the scanner
|
||||
# self-trips on its own fixtures and fail-closes every deploy.
|
||||
# Same rationale as the SELF_* excludes above; gate NOT weakened
|
||||
# (all other paths still fully scanned).
|
||||
[ "$f" = "workspace-server/internal/secrets/patterns_test.go" ] && continue
|
||||
if [ -n "$DIFF_RANGE" ]; then
|
||||
ADDED=$(git diff --no-color --unified=0 "$BASE" "$HEAD" -- "$f" 2>/dev/null | grep -E '^\+[^+]' || true)
|
||||
else
|
||||
|
||||
@@ -16,7 +16,6 @@ on:
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: read
|
||||
secrets: read
|
||||
|
||||
jobs:
|
||||
# bp-exempt: PR security review bot signal; required merge state is enforced by CI / all-required.
|
||||
|
||||
@@ -2,20 +2,24 @@
|
||||
#
|
||||
# RFC#351 Step 2 of 6 (implementation MVP).
|
||||
#
|
||||
# === CONSOLIDATION (issue #1280) ===
|
||||
# === DESIGN ===
|
||||
#
|
||||
# This workflow is the SINGLE `issue_comment` subscriber — the logic from
|
||||
# `review-refire-comments.yml` has been merged in. Before this change:
|
||||
# - sop-checklist.yml (pre-2026-05-16) → issue_comment:[created,edited,deleted] → runner slot used, job no-oped
|
||||
# - review-refire-comments.yml → issue_comment:[created] → runner slot used, job no-oped
|
||||
# → every non-refire comment occupied 2 runner slots for ~800 s each
|
||||
# (~650 no-op runs/day, ~1,300 runner-slot-occupancy-hours/day).
|
||||
# Goal: each PR must answer 7 SOP-checklist questions in its body,
|
||||
# and each item must have at least one /sop-ack <slug> comment from
|
||||
# a non-author peer in the required team. BP requires the
|
||||
# `sop-checklist / all-items-acked (pull_request)` status to merge.
|
||||
#
|
||||
# Fix (PR #1345 / issue #1280):
|
||||
# - ONE workflow, ONE issue_comment:[created] subscription (no edited/deleted)
|
||||
# - all-items-acked job: pull_request_target OR sop slash-command comments
|
||||
# - review-refire job: qa/security/tier refire slash commands
|
||||
# → ~50% reduction in comment-triggered runner occupancy vs pre-fix.
|
||||
# Triggers:
|
||||
# - `pull_request_target`: opened, edited, synchronize, reopened
|
||||
# → fires when PR opens, body is edited (refire — RFC#351 §4),
|
||||
# or new code is pushed (head.sha changes → stale status would
|
||||
# be auto-discarded by BP via dismiss_stale_reviews, but the
|
||||
# status itself is per-SHA so we re-post on the new head).
|
||||
# - `issue_comment`: created, edited, deleted
|
||||
# → fires on any new comment so /sop-ack / /sop-revoke take
|
||||
# effect immediately (Gitea 1.22.6 doesn't refire on
|
||||
# pull_request_review per feedback_pull_request_review_no_refire,
|
||||
# so issue_comment is the canonical refire channel).
|
||||
#
|
||||
# Trust boundary (mirrors RFC#324 §A4 + sop-tier-check security note):
|
||||
# `pull_request_target` (not `pull_request`) — workflow def is loaded
|
||||
@@ -47,7 +51,7 @@
|
||||
# /sop-ack <slug-or-numeric-alias> [optional note]
|
||||
# — register a peer-ack for one checklist item.
|
||||
# — slug accepts kebab-case, snake_case, or natural-spaces
|
||||
# (all normalized to canonical kebab-case).
|
||||
# (all normalize to canonical kebab-case).
|
||||
# — numeric 1..7 maps via config.items[*].numeric_alias.
|
||||
# — most-recent (user, slug) directive wins.
|
||||
#
|
||||
@@ -57,13 +61,6 @@
|
||||
# — most-recent (user, slug) directive wins, so a later /sop-ack
|
||||
# re-restores the ack.
|
||||
#
|
||||
# /sop-n/a <gate> [reason]
|
||||
# — declare a gate (qa-review, security-review) N/A.
|
||||
# — see sop-checklist-config.yaml n/a_gates section.
|
||||
#
|
||||
# /qa-recheck /security-recheck /refire-tier-check
|
||||
# — refire the corresponding status check on the PR head.
|
||||
#
|
||||
# The eval is read-only + idempotent (read PR + comments + team
|
||||
# membership, compute, post status). Re-running on any event is safe —
|
||||
# the new status overwrites the previous one for the same context.
|
||||
@@ -82,22 +79,22 @@ on:
|
||||
pull_request_target:
|
||||
types: [opened, edited, synchronize, reopened, labeled, unlabeled]
|
||||
issue_comment:
|
||||
types: [created] # NOT [created, edited, deleted] — Gitea 1.22.6 holds a runner slot
|
||||
# at job-parsing time, before job-level if: guards run. edited/deleted events
|
||||
# occupied ~1,300 runner-slot-hours/day on this workflow alone during the
|
||||
# 2026-05-16 freeze. Per PR #1345 fix.
|
||||
types: [created, edited, deleted]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: read
|
||||
# NOTE: `statuses: write` is the GitHub-Actions name for POST /statuses.
|
||||
# Gitea 1.22.6 may not gate on this permission key (it just checks the
|
||||
# token), but listing it explicitly documents intent for the next
|
||||
# platform-version upgrade.
|
||||
statuses: write
|
||||
secrets: read
|
||||
|
||||
jobs:
|
||||
# sop-checklist gate: runs on PR lifecycle events OR sop slash commands.
|
||||
# All other comment types (no-op text comments) no longer assign a runner
|
||||
# because this job's if: guard short-circuits before runner assignment.
|
||||
all-items-acked:
|
||||
# Run on pull_request_target events always. On issue_comment events,
|
||||
# only when the comment is on a PR (issue_comment fires for issues
|
||||
# too) and the body contains one of the slash-commands.
|
||||
if: |
|
||||
github.event_name == 'pull_request_target' ||
|
||||
(github.event_name == 'issue_comment' &&
|
||||
@@ -131,95 +128,3 @@ jobs:
|
||||
--pr "$PR_NUMBER" \
|
||||
--config .gitea/sop-checklist-config.yaml \
|
||||
--gitea-host git.moleculesai.app
|
||||
|
||||
# bp-exempt: informational refire handler, not a merge gate. Emits
|
||||
# qa-review/security-review status updates on /qa-recheck et al slash commands.
|
||||
review-refire:
|
||||
if: |
|
||||
github.event_name == 'issue_comment' &&
|
||||
github.event.issue.pull_request != null
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Classify comment
|
||||
id: classify
|
||||
env:
|
||||
COMMENT_BODY: ${{ github.event.comment.body }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
{
|
||||
echo "run_qa=false"
|
||||
echo "run_security=false"
|
||||
echo "run_tier=false"
|
||||
} >> "$GITHUB_OUTPUT"
|
||||
first_line=$(printf '%s\n' "$COMMENT_BODY" | sed -n '1p')
|
||||
case "$first_line" in
|
||||
/qa-recheck*)
|
||||
echo "run_qa=true" >> "$GITHUB_OUTPUT"
|
||||
;;
|
||||
/security-recheck*)
|
||||
echo "run_security=true" >> "$GITHUB_OUTPUT"
|
||||
;;
|
||||
/refire-tier-check*)
|
||||
echo "run_tier=true" >> "$GITHUB_OUTPUT"
|
||||
;;
|
||||
*)
|
||||
echo "::notice::no supported review refire slash command; no-op"
|
||||
;;
|
||||
esac
|
||||
|
||||
- name: Check out BASE ref for trusted scripts
|
||||
if: |
|
||||
steps.classify.outputs.run_qa == 'true' ||
|
||||
steps.classify.outputs.run_security == 'true' ||
|
||||
steps.classify.outputs.run_tier == 'true'
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
ref: ${{ github.event.repository.default_branch }}
|
||||
|
||||
- name: Refire qa-review status
|
||||
if: steps.classify.outputs.run_qa == 'true'
|
||||
env:
|
||||
# RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
|
||||
# review-refire-status.sh POSTs to /statuses — requires write scope.
|
||||
# SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
|
||||
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
GITEA_HOST: git.moleculesai.app
|
||||
REPO: ${{ github.repository }}
|
||||
PR_NUMBER: ${{ github.event.issue.number }}
|
||||
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
|
||||
TEAM: qa
|
||||
TEAM_ID: '20'
|
||||
REVIEW_CHECK_DEBUG: '0'
|
||||
REVIEW_CHECK_STRICT: '0'
|
||||
run: |
|
||||
set -euo pipefail
|
||||
.gitea/scripts/review-refire-status.sh
|
||||
|
||||
- name: Refire security-review status
|
||||
if: steps.classify.outputs.run_security == 'true'
|
||||
env:
|
||||
# RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
|
||||
# review-refire-status.sh POSTs to /statuses — requires write scope.
|
||||
# SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
|
||||
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
GITEA_HOST: git.moleculesai.app
|
||||
REPO: ${{ github.repository }}
|
||||
PR_NUMBER: ${{ github.event.issue.number }}
|
||||
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
|
||||
TEAM: security
|
||||
TEAM_ID: '21'
|
||||
REVIEW_CHECK_DEBUG: '0'
|
||||
REVIEW_CHECK_STRICT: '0'
|
||||
run: |
|
||||
set -euo pipefail
|
||||
.gitea/scripts/review-refire-status.sh
|
||||
|
||||
- name: Refire sop-tier-check status
|
||||
if: steps.classify.outputs.run_tier == 'true'
|
||||
env:
|
||||
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
GITEA_HOST: git.moleculesai.app
|
||||
REPO: ${{ github.repository }}
|
||||
PR_NUMBER: ${{ github.event.issue.number }}
|
||||
SOP_DEBUG: '0'
|
||||
run: bash .gitea/scripts/sop-tier-refire.sh
|
||||
|
||||
@@ -71,7 +71,6 @@ jobs:
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: read
|
||||
secrets: read
|
||||
steps:
|
||||
- name: Check out base branch (for the script)
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
|
||||
@@ -235,11 +235,6 @@ jobs:
|
||||
set -euo pipefail
|
||||
|
||||
TARGET_TAG="staging-${SHA}"
|
||||
# confirm:true ack required by CP /cp/admin/tenants/redeploy-fleet
|
||||
# contract (cp#228 / task #308) for fleet-wide intent. Empty body
|
||||
# / {confirm:false} / {only_slugs:[]} → 400. This caller promotes
|
||||
# the verified staging image across the entire prod fleet (canary
|
||||
# + fan-out), no slug scoping, so confirm:true is correct.
|
||||
BODY=$(jq -nc \
|
||||
--arg tag "$TARGET_TAG" \
|
||||
--argjson soak "${SOAK_SECONDS:-120}" \
|
||||
@@ -249,8 +244,7 @@ jobs:
|
||||
target_tag: $tag,
|
||||
soak_seconds: $soak,
|
||||
batch_size: $batch,
|
||||
dry_run: $dry,
|
||||
confirm: true
|
||||
dry_run: $dry
|
||||
}')
|
||||
|
||||
if [ -n "${CANARY_SLUG:-}" ]; then
|
||||
|
||||
@@ -0,0 +1,255 @@
|
||||
name: canary-verify
|
||||
|
||||
# Runs the canary smoke suite against the staging canary tenant fleet
|
||||
# after a new :staging-<sha> image lands in ECR. On green, calls the
|
||||
# CP redeploy-fleet endpoint to promote :staging-<sha> → :latest so
|
||||
# the prod tenant fleet's 5-minute auto-updater picks up the verified
|
||||
# digest. On red, :latest stays on the prior known-good digest and
|
||||
# prod is untouched.
|
||||
#
|
||||
# Registry note (2026-05-10): This workflow previously used GHCR
|
||||
# (ghcr.io/molecule-ai/platform-tenant) — that registry was retired
|
||||
# during the 2026-05-06 Gitea suspension migration when publish-
|
||||
# workspace-server-image.yml switched to the operator's ECR org
|
||||
# (153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/
|
||||
# platform-tenant). The GHCR → ECR migration was never applied to
|
||||
# this file, so canary-verify was silently smoke-testing the stale
|
||||
# GHCR image while the actual staging/prod tenants ran the ECR image.
|
||||
# Result: smoke tests could not catch a broken ECR build. Fix:
|
||||
# - Wait step: reads SHA from running canary /health (tenant-
|
||||
# agnostic, works regardless of registry).
|
||||
# - Promote step: calls CP redeploy-fleet endpoint with target_tag=
|
||||
# staging-<sha>, same mechanism as redeploy-tenants-on-main.yml.
|
||||
# No longer attempts GHCR crane ops.
|
||||
#
|
||||
# Dependencies:
|
||||
# - publish-workspace-server-image.yml publishes :staging-<sha>
|
||||
# to ECR on staging and main merges.
|
||||
# - Canary tenants are configured to pull :staging-<sha> from ECR
|
||||
# (TENANT_IMAGE env set to the ECR :staging-<sha> tag).
|
||||
# - Repo secrets CANARY_TENANT_URLS / CANARY_ADMIN_TOKENS /
|
||||
# CANARY_CP_SHARED_SECRET are populated.
|
||||
|
||||
on:
|
||||
workflow_run:
|
||||
workflows: ["publish-workspace-server-image"]
|
||||
types: [completed]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
actions: read
|
||||
|
||||
env:
|
||||
# ECR registry (post-2026-05-06 SSOT for tenant images).
|
||||
# publish-workspace-server-image.yml pushes here.
|
||||
IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform
|
||||
TENANT_IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform-tenant
|
||||
# CP endpoint for redeploy-fleet (used in promote step below).
|
||||
CP_URL: ${{ vars.CP_URL || 'https://staging-api.moleculesai.app' }}
|
||||
|
||||
jobs:
|
||||
canary-smoke:
|
||||
# Skip when the upstream workflow failed — no image to test against.
|
||||
if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
sha: ${{ steps.compute.outputs.sha }}
|
||||
smoke_ran: ${{ steps.smoke.outputs.ran }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
|
||||
- name: Compute sha
|
||||
id: compute
|
||||
run: echo "sha=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Wait for canary tenants to pick up :staging-<sha>
|
||||
# Poll canary health endpoints every 30s for up to 7 min instead
|
||||
# of a fixed 6-min sleep. Exits as soon as ALL canaries report
|
||||
# the new SHA (~2-3 min typical vs 6 min fixed). Falls back to
|
||||
# proceeding after 7 min even if not all canaries responded —
|
||||
# the smoke suite will catch any that didn't update.
|
||||
#
|
||||
# NOTE: The SHA is read from the running tenant's /health response,
|
||||
# NOT from a registry lookup. This is registry-agnostic and works
|
||||
# regardless of whether the tenant pulls from ECR, GHCR, or any
|
||||
# other registry — the canary is telling us what it's actually
|
||||
# running, which is the ground truth for smoke testing.
|
||||
env:
|
||||
CANARY_TENANT_URLS: ${{ secrets.CANARY_TENANT_URLS }}
|
||||
EXPECTED_SHA: ${{ steps.compute.outputs.sha }}
|
||||
run: |
|
||||
if [ -z "$CANARY_TENANT_URLS" ]; then
|
||||
echo "No canary URLs configured — falling back to 60s wait"
|
||||
sleep 60
|
||||
exit 0
|
||||
fi
|
||||
IFS=',' read -ra URLS <<< "$CANARY_TENANT_URLS"
|
||||
MAX_WAIT=420 # 7 minutes
|
||||
INTERVAL=30
|
||||
ELAPSED=0
|
||||
while [ $ELAPSED -lt $MAX_WAIT ]; do
|
||||
ALL_READY=true
|
||||
for url in "${URLS[@]}"; do
|
||||
HEALTH=$(curl -s --max-time 5 "${url}/health" 2>/dev/null || echo "{}")
|
||||
SHA=$(echo "$HEALTH" | grep -o "\"sha\":\"[^\"]*\"" | head -1 | cut -d'"' -f4)
|
||||
if [ "$SHA" != "$EXPECTED_SHA" ]; then
|
||||
ALL_READY=false
|
||||
break
|
||||
fi
|
||||
done
|
||||
if $ALL_READY; then
|
||||
echo "All canaries running staging-${EXPECTED_SHA} after ${ELAPSED}s"
|
||||
exit 0
|
||||
fi
|
||||
echo "Waiting for canaries... (${ELAPSED}s / ${MAX_WAIT}s)"
|
||||
sleep $INTERVAL
|
||||
ELAPSED=$((ELAPSED + INTERVAL))
|
||||
done
|
||||
echo "Timeout after ${MAX_WAIT}s — proceeding anyway (smoke suite will validate)"
|
||||
|
||||
- name: Run canary smoke suite
|
||||
id: smoke
|
||||
# Graceful-skip when no canary fleet is configured (Phase 2 not yet
|
||||
# stood up — see molecule-controlplane/docs/canary-tenants.md).
|
||||
# Sets `ran=false` on skip so promote-to-latest stays off (we don't
|
||||
# want every main merge auto-promoting without gating). Manual
|
||||
# promote-latest.yml is the release gate while canary is absent.
|
||||
# Once the fleet is real: delete the early-exit branch.
|
||||
env:
|
||||
CANARY_TENANT_URLS: ${{ secrets.CANARY_TENANT_URLS }}
|
||||
CANARY_ADMIN_TOKENS: ${{ secrets.CANARY_ADMIN_TOKENS }}
|
||||
CANARY_CP_BASE_URL: https://staging-api.moleculesai.app
|
||||
CANARY_CP_SHARED_SECRET: ${{ secrets.CANARY_CP_SHARED_SECRET }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
if [ -z "${CANARY_TENANT_URLS:-}" ] \
|
||||
|| [ -z "${CANARY_ADMIN_TOKENS:-}" ] \
|
||||
|| [ -z "${CANARY_CP_SHARED_SECRET:-}" ]; then
|
||||
{
|
||||
echo "## ⚠️ canary-verify skipped"
|
||||
echo
|
||||
echo "One or more canary secrets are unset (\`CANARY_TENANT_URLS\`, \`CANARY_ADMIN_TOKENS\`, \`CANARY_CP_SHARED_SECRET\`)."
|
||||
echo "Phase 2 canary fleet has not been stood up yet —"
|
||||
echo "see [canary-tenants.md](https://git.moleculesai.app/molecule-ai/molecule-controlplane/blob/main/docs/canary-tenants.md)."
|
||||
echo
|
||||
echo "**Skipped — promote-to-latest will NOT auto-fire.** Dispatch \`promote-latest.yml\` manually when ready."
|
||||
} >> "$GITHUB_STEP_SUMMARY"
|
||||
echo "ran=false" >> "$GITHUB_OUTPUT"
|
||||
echo "::notice::canary-verify: skipped — no canary fleet configured"
|
||||
exit 0
|
||||
fi
|
||||
bash scripts/canary-smoke.sh
|
||||
echo "ran=true" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Summary on failure
|
||||
if: ${{ failure() }}
|
||||
run: |
|
||||
{
|
||||
echo "## Canary smoke FAILED"
|
||||
echo
|
||||
echo "Canary tenants rejected image \`staging-${{ steps.compute.outputs.sha }}\`."
|
||||
echo ":latest stays pinned to the prior good digest — prod is untouched."
|
||||
echo
|
||||
echo "Fix forward and merge again, or investigate the specific failed"
|
||||
echo "assertions in the canary-smoke step log above."
|
||||
} >> "$GITHUB_STEP_SUMMARY"
|
||||
|
||||
promote-to-latest:
|
||||
# On green, calls the CP redeploy-fleet endpoint with target_tag=
|
||||
# staging-<sha> to promote the verified ECR image. This is the same
|
||||
# mechanism as redeploy-tenants-on-main.yml — no GHCR crane ops.
|
||||
#
|
||||
# Pre-fix history: the old GHCR promote step used `crane tag` against
|
||||
# ghcr.io/molecule-ai/platform-tenant, but publish-workspace-server-
|
||||
# image.yml had already migrated to ECR on 2026-05-07 (commit
|
||||
# 10e510f5). The GHCR tags were never updated, so this step was
|
||||
# silently promoting a stale GHCR image while actual prod tenants
|
||||
# pulled from ECR. Canary smoke tests were GHCR-targeted and could
|
||||
# not catch a broken ECR build.
|
||||
needs: canary-smoke
|
||||
if: ${{ needs.canary-smoke.result == 'success' && needs.canary-smoke.outputs.smoke_ran == 'true' }}
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
SHA: ${{ needs.canary-smoke.outputs.sha }}
|
||||
CP_URL: ${{ vars.CP_URL || 'https://staging-api.moleculesai.app' }}
|
||||
# CP_ADMIN_API_TOKEN gates write access to the redeploy endpoint.
|
||||
# Stored at the repo level so all workflows pick it up automatically.
|
||||
CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
|
||||
# canary_slug pin: deploy the verified :staging-<sha> to the canary
|
||||
# first (soak 120s), then fan out to the rest of the fleet.
|
||||
CANARY_SLUG: ${{ vars.CANARY_PROMOTE_SLUG || '' }}
|
||||
SOAK_SECONDS: ${{ vars.CANARY_PROMOTE_SOAK || '120' }}
|
||||
BATCH_SIZE: ${{ vars.CANARY_PROMOTE_BATCH || '3' }}
|
||||
steps:
|
||||
- name: Check CP credentials
|
||||
run: |
|
||||
if [ -z "${CP_ADMIN_API_TOKEN:-}" ]; then
|
||||
echo "::error::CP_ADMIN_API_TOKEN secret is not set — promote step cannot call redeploy-fleet."
|
||||
echo "::error::Set it at: repo Settings → Actions → Variables and Secrets → New Secret."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Promote verified ECR image to :latest
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
TARGET_TAG="staging-${SHA}"
|
||||
BODY=$(jq -nc \
|
||||
--arg tag "$TARGET_TAG" \
|
||||
--argjson soak "${SOAK_SECONDS:-120}" \
|
||||
--argjson batch "${BATCH_SIZE:-3}" \
|
||||
--argjson dry false \
|
||||
'{
|
||||
target_tag: $tag,
|
||||
soak_seconds: $soak,
|
||||
batch_size: $batch,
|
||||
dry_run: $dry
|
||||
}')
|
||||
|
||||
if [ -n "${CANARY_SLUG:-}" ]; then
|
||||
BODY=$(jq '. * {canary_slug: $slug}' --arg slug "$CANARY_SLUG" <<<"$BODY")
|
||||
fi
|
||||
|
||||
echo "Calling: POST $CP_URL/cp/admin/tenants/redeploy-fleet"
|
||||
echo " target_tag: $TARGET_TAG"
|
||||
echo " body: $BODY"
|
||||
|
||||
HTTP_RESPONSE=$(mktemp)
|
||||
HTTP_CODE_FILE=$(mktemp)
|
||||
set +e
|
||||
curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
|
||||
-m 1200 \
|
||||
-H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
|
||||
-d "$BODY" >"$HTTP_CODE_FILE"
|
||||
CURL_EXIT=$?
|
||||
set -e
|
||||
|
||||
HTTP_CODE=$(cat "$HTTP_CODE_FILE" 2>/dev/null || echo "000")
|
||||
[ -z "$HTTP_CODE" ] && HTTP_CODE="000"
|
||||
|
||||
echo "HTTP $HTTP_CODE (curl exit $CURL_EXIT)"
|
||||
cat "$HTTP_RESPONSE" | jq . || cat "$HTTP_RESPONSE"
|
||||
|
||||
if [ "$HTTP_CODE" -ge 400 ]; then
|
||||
echo "::error::CP redeploy-fleet returned HTTP $HTTP_CODE — refusing to proceed."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Summary
|
||||
run: |
|
||||
{
|
||||
echo "## Canary verified — :latest promoted via CP redeploy-fleet"
|
||||
echo ""
|
||||
echo "- **Target tag:** \`staging-${{ needs.canary-smoke.outputs.sha }}\`"
|
||||
echo "- **Registry:** ECR (\`${TENANT_IMAGE_NAME}\`)"
|
||||
echo "- **Canary slug:** \`${CANARY_SLUG:-<none>}\` (soak ${SOAK_SECONDS}s)"
|
||||
echo "- **Batch size:** ${BATCH_SIZE:-3}"
|
||||
echo ""
|
||||
echo "CP redeploy-fleet is rolling out the verified image across the prod fleet."
|
||||
echo "The fleet's 5-minute health-check loop will pick up the update automatically."
|
||||
} >> "$GITHUB_STEP_SUMMARY"
|
||||
@@ -300,7 +300,7 @@ jobs:
|
||||
|
||||
canvas-deploy-reminder:
|
||||
name: Canvas Deploy Reminder
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
needs: [changes, canvas-build]
|
||||
# Only fires on direct pushes to main (i.e. after staging→main promotion).
|
||||
if: needs.changes.outputs.canvas == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main'
|
||||
@@ -440,3 +440,4 @@ jobs:
|
||||
|
||||
# SDK + plugin validation moved to standalone repo:
|
||||
# github.com/molecule-ai/molecule-sdk-python
|
||||
|
||||
|
||||
@@ -128,7 +128,7 @@ jobs:
|
||||
e2e-api:
|
||||
needs: detect-changes
|
||||
name: E2E API Smoke Test
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 15
|
||||
env:
|
||||
# Unique per-run container names so concurrent runs on the host-
|
||||
|
||||
@@ -88,7 +88,7 @@ jobs:
|
||||
integration:
|
||||
name: Handlers Postgres Integration
|
||||
needs: detect-changes
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
# Unique name per run so concurrent jobs don't collide on the
|
||||
# bridge network. ${RUN_ID}-${RUN_ATTEMPT} is unique even across
|
||||
@@ -249,3 +249,4 @@ jobs:
|
||||
# already gone (e.g. concurrent rerun race), don't fail the job.
|
||||
docker rm -f "${PG_NAME}" >/dev/null 2>&1 || true
|
||||
echo "Cleaned up ${PG_NAME}"
|
||||
|
||||
|
||||
@@ -102,7 +102,7 @@ jobs:
|
||||
harness-replays:
|
||||
needs: detect-changes
|
||||
name: Harness Replays
|
||||
runs-on: docker-host
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 30
|
||||
steps:
|
||||
- name: No-op pass (paths filter excluded this commit)
|
||||
|
||||
@@ -39,7 +39,7 @@ env:
|
||||
jobs:
|
||||
build-and-push:
|
||||
name: Build & push canvas image
|
||||
runs-on: publish
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
|
||||
@@ -0,0 +1,400 @@
|
||||
name: redeploy-tenants-on-main
|
||||
|
||||
# Auto-refresh prod tenant EC2s after every main merge.
|
||||
#
|
||||
# Why this workflow exists: publish-workspace-server-image builds and
|
||||
# pushes a new platform-tenant :<sha> to ECR on every merge to main,
|
||||
# but running tenants pulled their image once at boot and never re-pull.
|
||||
# Users see stale code indefinitely.
|
||||
#
|
||||
# This workflow closes the gap by calling the control-plane admin
|
||||
# endpoint that performs a canary-first, batched, health-gated rolling
|
||||
# redeploy across every live tenant. Implemented in molecule-ai/
|
||||
# molecule-controlplane as POST /cp/admin/tenants/redeploy-fleet
|
||||
# (feat/tenant-auto-redeploy, landing alongside this workflow).
|
||||
#
|
||||
# Registry: ECR (153263036946.dkr.ecr.us-east-2.amazonaws.com/
|
||||
# molecule-ai/platform-tenant). GHCR was retired 2026-05-07 during the
|
||||
# Gitea suspension migration. The canary-verify.yml promote step now
|
||||
# uses the same redeploy-fleet endpoint (fixes the silent-GHCR gap).
|
||||
#
|
||||
# Runtime ordering:
|
||||
# 1. publish-workspace-server-image completes → new :staging-<sha> in ECR.
|
||||
# 2. This workflow fires via workflow_run, calls redeploy-fleet with
|
||||
# target_tag=staging-<sha>. No CDN propagation wait needed —
|
||||
# ECR image manifest is consistent immediately after push.
|
||||
# 3. Calls redeploy-fleet with canary_slug (if set) and a soak
|
||||
# period. Canary proves the image boots; batches follow.
|
||||
# 4. Any failure aborts the rollout and leaves older tenants on the
|
||||
# prior image — safer default than half-and-half state.
|
||||
#
|
||||
# Rollback path: re-run this workflow with a specific SHA pinned via
|
||||
# the workflow_dispatch input. That calls redeploy-fleet with
|
||||
# target_tag=<sha>, re-pulling the older image on every tenant.
|
||||
|
||||
on:
|
||||
workflow_run:
|
||||
workflows: ['publish-workspace-server-image']
|
||||
types: [completed]
|
||||
branches: [main]
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
target_tag:
|
||||
# Empty default → auto-trigger and dispatch-without-input both
|
||||
# resolve to `staging-<short_head_sha>` (the digest publish-image
|
||||
# just pushed). Pre-fix this defaulted to 'latest', which only
|
||||
# gets retagged by canary-verify's promote-to-latest job — and
|
||||
# that job soft-skips when CANARY_TENANT_URLS is unset (the
|
||||
# current state, until Phase 2 canary fleet is live). Result:
|
||||
# `:latest` had been pinned to a 4-day-old digest (2026-04-28)
|
||||
# while every main push pushed fresh `staging-<sha>` images;
|
||||
# every prod redeploy pulled the stale `:latest` and the verify
|
||||
# step correctly flagged 3/3 tenants STALE. Pulling the
|
||||
# just-published `staging-<sha>` directly skips the dead retag
|
||||
# path. When canary fleet is real, this workflow should chain
|
||||
# on canary-verify completion (workflow_run from canary-verify),
|
||||
# not publish-image — separate, smaller PR.
|
||||
description: 'Tenant image tag to deploy (e.g. "latest", "staging-a59f1a6c"). Empty = auto staging-<head_sha>.'
|
||||
required: false
|
||||
type: string
|
||||
default: ''
|
||||
canary_slug:
|
||||
description: 'Tenant slug to deploy first + soak (empty = skip canary, fan out immediately).'
|
||||
required: false
|
||||
type: string
|
||||
# Must be an actual prod tenant slug (current: hongming,
|
||||
# chloe-dong, reno-stars). The previous default 'hongmingwang'
|
||||
# didn't match any tenant — CP soft-skipped the missing canary
|
||||
# and the fleet rolled out without the soak gate, defeating the
|
||||
# whole point of canary-first.
|
||||
default: 'hongming'
|
||||
soak_seconds:
|
||||
description: 'Seconds to wait after canary before fanning out.'
|
||||
required: false
|
||||
type: string
|
||||
default: '60'
|
||||
batch_size:
|
||||
description: 'How many tenants SSM redeploys in parallel per batch.'
|
||||
required: false
|
||||
type: string
|
||||
default: '3'
|
||||
dry_run:
|
||||
description: 'Plan only — do not actually redeploy.'
|
||||
required: false
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
# No write scopes needed — the workflow hits an external CP endpoint,
|
||||
# not the GitHub API.
|
||||
|
||||
# Serialize redeploys so two rapid main pushes' redeploys don't overlap
|
||||
# and cause confusing per-tenant SSM state. Without this, GitHub's
|
||||
# implicit workflow_run queueing would *probably* serialize them, but
|
||||
# the explicit block makes the invariant defensible. Mirrors the
|
||||
# concurrency block on redeploy-tenants-on-staging.yml for shape parity.
|
||||
#
|
||||
# cancel-in-progress: false → aborting a half-rolled-out fleet would
|
||||
# leave tenants stuck on whatever image they happened to be on when
|
||||
# cancelled. Better to finish the in-flight rollout before starting
|
||||
# the next one.
|
||||
concurrency:
|
||||
group: redeploy-tenants-on-main
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
redeploy:
|
||||
# Skip the auto-trigger if publish-workspace-server-image didn't
|
||||
# actually succeed. workflow_run fires on any completion state; we
|
||||
# don't want to redeploy against a half-built image.
|
||||
if: |
|
||||
github.event_name == 'workflow_dispatch' ||
|
||||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 25
|
||||
steps:
|
||||
- name: Note on ECR propagation
|
||||
# ECR image manifests are consistent immediately after push — no
|
||||
# CDN cache to wait for. The old GHCR-based workflow had a 30s
|
||||
# sleep to avoid race conditions; ECR makes that unnecessary.
|
||||
run: echo "ECR image available immediately after push — proceeding."
|
||||
|
||||
- name: Compute target tag
|
||||
id: tag
|
||||
# Resolution order:
|
||||
# 1. Operator-supplied input (workflow_dispatch with explicit
|
||||
# tag) → used verbatim. Lets ops pin `latest` for emergency
|
||||
# rollback to last canary-verified digest, or pin a specific
|
||||
# `staging-<sha>` to roll back to a known-good build.
|
||||
# 2. Default → `staging-<short_head_sha>`. The just-published
|
||||
# digest. Bypasses the `:latest` retag path that's currently
|
||||
# dead (canary-verify soft-skips without canary fleet, so
|
||||
# the only thing retagging `:latest` today is the manual
|
||||
# promote-latest.yml — last run 2026-04-28). Auto-trigger
|
||||
# from workflow_run uses workflow_run.head_sha; manual
|
||||
# dispatch with no input falls through to github.sha.
|
||||
env:
|
||||
INPUT_TAG: ${{ inputs.target_tag }}
|
||||
HEAD_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
if [ -n "${INPUT_TAG:-}" ]; then
|
||||
echo "target_tag=$INPUT_TAG" >> "$GITHUB_OUTPUT"
|
||||
echo "Using operator-pinned tag: $INPUT_TAG"
|
||||
else
|
||||
SHORT="${HEAD_SHA:0:7}"
|
||||
echo "target_tag=staging-$SHORT" >> "$GITHUB_OUTPUT"
|
||||
echo "Using auto tag: staging-$SHORT (head_sha=$HEAD_SHA)"
|
||||
fi
|
||||
|
||||
- name: Call CP redeploy-fleet
|
||||
# CP_ADMIN_API_TOKEN must be set as a repo/org secret on
|
||||
# molecule-ai/molecule-core, matching the staging/prod CP's
|
||||
# CP_ADMIN_API_TOKEN env. Stored in Railway, mirrored to this
|
||||
# repo's secrets for CI.
|
||||
env:
|
||||
CP_URL: ${{ vars.CP_URL || 'https://api.moleculesai.app' }}
|
||||
CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
|
||||
TARGET_TAG: ${{ steps.tag.outputs.target_tag }}
|
||||
CANARY_SLUG: ${{ inputs.canary_slug || 'hongming' }}
|
||||
SOAK_SECONDS: ${{ inputs.soak_seconds || '60' }}
|
||||
BATCH_SIZE: ${{ inputs.batch_size || '3' }}
|
||||
DRY_RUN: ${{ inputs.dry_run || false }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
if [ -z "${CP_ADMIN_API_TOKEN:-}" ]; then
|
||||
echo "::error::CP_ADMIN_API_TOKEN secret not set — skipping redeploy"
|
||||
echo "::notice::Set CP_ADMIN_API_TOKEN in repo secrets to enable auto-redeploy."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
BODY=$(jq -nc \
|
||||
--arg tag "$TARGET_TAG" \
|
||||
--arg canary "$CANARY_SLUG" \
|
||||
--argjson soak "$SOAK_SECONDS" \
|
||||
--argjson batch "$BATCH_SIZE" \
|
||||
--argjson dry "$DRY_RUN" \
|
||||
'{
|
||||
target_tag: $tag,
|
||||
canary_slug: $canary,
|
||||
soak_seconds: $soak,
|
||||
batch_size: $batch,
|
||||
dry_run: $dry
|
||||
}')
|
||||
|
||||
echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
|
||||
echo " body: $BODY"
|
||||
|
||||
HTTP_RESPONSE=$(mktemp)
|
||||
HTTP_CODE_FILE=$(mktemp)
|
||||
# Route -w into its own tempfile so curl's exit code (e.g. 56
|
||||
# on connection-reset, 22 on --fail-with-body 4xx/5xx) can't
|
||||
# pollute the captured stdout. The previous inline-substitution
|
||||
# shape produced "000000" on connection reset (curl wrote
|
||||
# "000" via -w, then the inline echo-fallback appended another
|
||||
# "000") — caught on the 2026-05-04 redeploy of sha 2b862f6.
|
||||
# set +e/-e keeps the non-zero curl exit from tripping the
|
||||
# outer pipeline. See lint-curl-status-capture.yml for the
|
||||
# CI gate that pins this fix shape.
|
||||
set +e
|
||||
curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
|
||||
-m 1200 \
|
||||
-H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
|
||||
-d "$BODY" >"$HTTP_CODE_FILE"
|
||||
set -e
|
||||
# Stderr from curl (e.g. dial errors with -sS) goes to the runner
|
||||
# log so operators can see WHY a connection failed. Stdout is
|
||||
# captured to $HTTP_CODE_FILE because that's where -w writes.
|
||||
HTTP_CODE=$(cat "$HTTP_CODE_FILE" 2>/dev/null || echo "000")
|
||||
[ -z "$HTTP_CODE" ] && HTTP_CODE="000"
|
||||
|
||||
echo "HTTP $HTTP_CODE"
|
||||
cat "$HTTP_RESPONSE" | jq . || cat "$HTTP_RESPONSE"
|
||||
|
||||
# Pretty-print per-tenant results in the job summary so
|
||||
# ops can see which tenants were redeployed without drilling
|
||||
# into the raw response.
|
||||
{
|
||||
echo "## Tenant redeploy fleet"
|
||||
echo ""
|
||||
echo "**Target tag:** \`$TARGET_TAG\`"
|
||||
echo "**Canary:** \`$CANARY_SLUG\` (soak ${SOAK_SECONDS}s)"
|
||||
echo "**Batch size:** $BATCH_SIZE"
|
||||
echo "**Dry run:** $DRY_RUN"
|
||||
echo "**HTTP:** $HTTP_CODE"
|
||||
echo ""
|
||||
echo "### Per-tenant result"
|
||||
echo ""
|
||||
echo '| Slug | Phase | SSM Status | Exit | Healthz | Error |'
|
||||
echo '|------|-------|------------|------|---------|-------|'
|
||||
jq -r '.results[]? | "| \(.slug) | \(.phase) | \(.ssm_status // "-") | \(.ssm_exit_code) | \(.healthz_ok) | \(.error // "-") |"' "$HTTP_RESPONSE" || true
|
||||
} >> "$GITHUB_STEP_SUMMARY"
|
||||
|
||||
if [ "$HTTP_CODE" != "200" ]; then
|
||||
echo "::error::redeploy-fleet returned HTTP $HTTP_CODE"
|
||||
exit 1
|
||||
fi
|
||||
OK=$(jq -r '.ok' "$HTTP_RESPONSE")
|
||||
if [ "$OK" != "true" ]; then
|
||||
echo "::error::redeploy-fleet reported ok=false (see summary for which tenant halted the rollout)"
|
||||
exit 1
|
||||
fi
|
||||
echo "::notice::Tenant fleet redeploy reported ssm_status=Success — verifying actual image roll on each tenant..."
|
||||
|
||||
# Stash the response for the verify step. $RUNNER_TEMP outlasts
|
||||
# the step boundary; $HTTP_RESPONSE doesn't.
|
||||
cp "$HTTP_RESPONSE" "$RUNNER_TEMP/redeploy-response.json"
|
||||
|
||||
- name: Verify each tenant /buildinfo matches published SHA
|
||||
# ROOT FIX FOR #2395.
|
||||
#
|
||||
# `redeploy-fleet`'s `ssm_status=Success` means "the SSM RPC
|
||||
# didn't error" — NOT "the new image is running on the tenant."
|
||||
# `:latest` lives in the local Docker daemon's image cache; if
|
||||
# the SSM document does `docker compose up -d` without an
|
||||
# explicit `docker pull`, the daemon serves the previously-
|
||||
# cached digest and the container restarts on stale code.
|
||||
# 2026-04-30 incident: hongmingwang's tenant reported
|
||||
# ssm_status=Success at 17:00:53Z but kept serving pre-501a42d7
|
||||
# chat_files for 30+ min — the lazy-heal fix never reached the
|
||||
# user despite green deploy + green redeploy.
|
||||
#
|
||||
# This step closes the gap by curling each tenant's /buildinfo
|
||||
# endpoint (added in workspace-server/internal/buildinfo +
|
||||
# /Dockerfile* GIT_SHA build-arg, this PR) and comparing the
|
||||
# returned git_sha to the SHA the workflow expects. Mismatches
|
||||
# fail the workflow, which is what `ok=true` should have
|
||||
# guaranteed all along.
|
||||
#
|
||||
# When the redeploy was triggered by workflow_dispatch with a
|
||||
# specific tag (target_tag != "latest"), the expected SHA may
|
||||
# not equal ${{ github.sha }} — in that case we resolve via
|
||||
# GHCR's manifest. For workflow_run (default :latest) the
|
||||
# workflow_run.head_sha is the SHA that just published.
|
||||
env:
|
||||
EXPECTED_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
|
||||
TARGET_TAG: ${{ steps.tag.outputs.target_tag }}
|
||||
# Tenant subdomain template — slugs from the response are
|
||||
# appended. Production CP issues `<slug>.moleculesai.app`;
|
||||
# staging CP issues `<slug>.staging.moleculesai.app`. This
|
||||
# workflow runs on main → prod CP → no `staging.` infix.
|
||||
TENANT_DOMAIN: 'moleculesai.app'
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
EXPECTED_SHORT="${EXPECTED_SHA:0:7}"
|
||||
if [ "$TARGET_TAG" != "latest" ] \
|
||||
&& [ "$TARGET_TAG" != "$EXPECTED_SHA" ] \
|
||||
&& [ "$TARGET_TAG" != "staging-$EXPECTED_SHORT" ]; then
|
||||
# workflow_dispatch with a pinned tag that isn't the head
|
||||
# SHA — operator is rolling back / pinning. Skip the
|
||||
# verification because we don't have the expected SHA in
|
||||
# this context (would need to crane-inspect the GHCR
|
||||
# manifest, which is a follow-up). Failing-open here is
|
||||
# safe: the operator chose the tag deliberately.
|
||||
#
|
||||
# `staging-<short_head_sha>` IS verified — it's the new
|
||||
# auto-trigger default (see Compute target tag step) and
|
||||
# the digest under that tag SHOULD match EXPECTED_SHA.
|
||||
echo "::notice::target_tag=$TARGET_TAG (operator-pinned) — skipping per-tenant SHA verification."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
RESP="$RUNNER_TEMP/redeploy-response.json"
|
||||
if [ ! -s "$RESP" ]; then
|
||||
echo "::error::redeploy-response.json missing or empty — verify step ran without a response to read"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Pull only successfully-redeployed tenants. Any tenant that
|
||||
# halted the rollout already failed the previous step, so we
|
||||
# don't double-count them here.
|
||||
mapfile -t SLUGS < <(jq -r '.results[]? | select(.healthz_ok == true) | .slug' "$RESP")
|
||||
if [ ${#SLUGS[@]} -eq 0 ]; then
|
||||
echo "::warning::No tenants reported healthz_ok — nothing to verify"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Verifying ${#SLUGS[@]} tenant(s) against EXPECTED_SHA=${EXPECTED_SHA:0:7}..."
|
||||
|
||||
# Two distinct failure modes — STALE (the #2395 bug class, hard-fail)
|
||||
# vs UNREACHABLE (teardown race, soft-warn). See the staging variant's
|
||||
# comment for the full rationale; same logic applies on prod even
|
||||
# though prod has fewer ephemeral tenants — the asymmetry would be a
|
||||
# gratuitous fork.
|
||||
STALE_COUNT=0
|
||||
UNREACHABLE_COUNT=0
|
||||
STALE_LINES=()
|
||||
UNREACHABLE_LINES=()
|
||||
for slug in "${SLUGS[@]}"; do
|
||||
URL="https://${slug}.${TENANT_DOMAIN}/buildinfo"
|
||||
# 30s total: tenant just SSM-restarted, may still be coming
|
||||
# up. Retry-on-empty rather than retry-on-status — we want
|
||||
# to fail fast on "responded with wrong SHA", not "still
|
||||
# warming up".
|
||||
BODY=$(curl -sS --max-time 30 --retry 3 --retry-delay 5 --retry-connrefused "$URL" || true)
|
||||
ACTUAL_SHA=$(echo "$BODY" | jq -r '.git_sha // ""' 2>/dev/null || echo "")
|
||||
if [ -z "$ACTUAL_SHA" ]; then
|
||||
UNREACHABLE_COUNT=$((UNREACHABLE_COUNT + 1))
|
||||
UNREACHABLE_LINES+=("| $slug | (no /buildinfo response) | ${EXPECTED_SHA:0:7} | ⚠ unreachable (likely teardown race) |")
|
||||
continue
|
||||
fi
|
||||
if [ "$ACTUAL_SHA" = "$EXPECTED_SHA" ]; then
|
||||
echo " $slug: ${ACTUAL_SHA:0:7} ✓"
|
||||
else
|
||||
STALE_COUNT=$((STALE_COUNT + 1))
|
||||
STALE_LINES+=("| $slug | ${ACTUAL_SHA:0:7} | ${EXPECTED_SHA:0:7} | ❌ stale |")
|
||||
fi
|
||||
done
|
||||
|
||||
{
|
||||
echo ""
|
||||
echo "### Per-tenant /buildinfo verification"
|
||||
echo ""
|
||||
echo "Expected SHA: \`${EXPECTED_SHA:0:7}\`"
|
||||
echo ""
|
||||
if [ $STALE_COUNT -gt 0 ]; then
|
||||
echo "**${STALE_COUNT} STALE tenant(s) — these did NOT pick up the new image despite ssm_status=Success:**"
|
||||
echo ""
|
||||
echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
|
||||
echo "|------|----------------------|----------|--------|"
|
||||
for line in "${STALE_LINES[@]}"; do echo "$line"; done
|
||||
echo ""
|
||||
fi
|
||||
if [ $UNREACHABLE_COUNT -gt 0 ]; then
|
||||
echo "**${UNREACHABLE_COUNT} unreachable tenant(s) — likely teardown race (soft-warn, not failing):**"
|
||||
echo ""
|
||||
echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
|
||||
echo "|------|----------------------|----------|--------|"
|
||||
for line in "${UNREACHABLE_LINES[@]}"; do echo "$line"; done
|
||||
echo ""
|
||||
fi
|
||||
if [ $STALE_COUNT -eq 0 ] && [ $UNREACHABLE_COUNT -eq 0 ]; then
|
||||
echo "All ${#SLUGS[@]} tenants returned matching SHA. ✓"
|
||||
fi
|
||||
} >> "$GITHUB_STEP_SUMMARY"
|
||||
|
||||
if [ $UNREACHABLE_COUNT -gt 0 ]; then
|
||||
echo "::warning::$UNREACHABLE_COUNT tenant(s) unreachable post-redeploy. Likely benign teardown race — CP healthz monitor catches real outages."
|
||||
fi
|
||||
|
||||
# Belt-and-suspenders sanity floor: same logic as the staging
|
||||
# variant — see that file's comment for the full rationale.
|
||||
# Floor only applies when fleet >= 4; below that, canary-verify
|
||||
# is the actual gate.
|
||||
TOTAL_VERIFIED=${#SLUGS[@]}
|
||||
if [ $TOTAL_VERIFIED -ge 4 ] && [ $UNREACHABLE_COUNT -gt $((TOTAL_VERIFIED / 2)) ]; then
|
||||
echo "::error::$UNREACHABLE_COUNT of $TOTAL_VERIFIED tenant(s) unreachable — exceeds 50% threshold on a fleet large enough that this signals a real outage, not teardown race."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ $STALE_COUNT -gt 0 ]; then
|
||||
echo "::error::$STALE_COUNT tenant(s) returned a stale SHA. ssm_status=Success was misleading — see job summary."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "::notice::Tenant fleet redeploy complete — all reachable tenants on ${EXPECTED_SHA:0:7} (${UNREACHABLE_COUNT} unreachable, soft-warned)."
|
||||
@@ -0,0 +1,362 @@
|
||||
name: redeploy-tenants-on-staging
|
||||
|
||||
# Auto-refresh staging tenant EC2s after every staging-branch merge.
|
||||
#
|
||||
# Mirror of redeploy-tenants-on-main.yml, with the staging-CP host and
|
||||
# the :staging-latest tag. Sister workflow exists for prod (rolls
|
||||
# :latest after canary-verify). Both share the same shape — just
|
||||
# different CP_URL + target_tag + admin token secret.
|
||||
#
|
||||
# Why this workflow exists: publish-workspace-server-image now builds
|
||||
# on every staging-branch push (PR #2335), pushing
|
||||
# platform-tenant:staging-latest to GHCR. Existing tenants pulled
|
||||
# their image once at boot and never re-pull, so the new image just
|
||||
# sits unused until the tenant is reprovisioned.
|
||||
#
|
||||
# This workflow closes the gap by calling staging-CP's
|
||||
# /cp/admin/tenants/redeploy-fleet, which performs a canary-first,
|
||||
# batched, health-gated SSM redeploy across every live staging tenant.
|
||||
# Same endpoint shape as prod CP — only the host differs.
|
||||
#
|
||||
# Runtime ordering:
|
||||
# 1. publish-workspace-server-image completes on staging branch →
|
||||
# new :staging-latest in GHCR.
|
||||
# 2. This workflow fires via workflow_run, waits 30s for GHCR's CDN
|
||||
# to propagate the new tag.
|
||||
# 3. Calls redeploy-fleet with no canary (staging IS canary; we don't
|
||||
# need a sub-canary inside it). Soak still applies to the first
|
||||
# tenant in case of bad-deploy detection.
|
||||
# 4. Any failure aborts the rollout and leaves older tenants on the
|
||||
# prior image — safer default than half-and-half state.
|
||||
#
|
||||
# Rollback path: re-run with workflow_dispatch + target_tag=staging-<sha>
|
||||
# of a known-good build.
|
||||
|
||||
on:
|
||||
workflow_run:
|
||||
workflows: ['publish-workspace-server-image']
|
||||
types: [completed]
|
||||
branches: [main]
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
target_tag:
|
||||
description: 'Tenant image tag to deploy (e.g. "staging-latest" or "staging-a59f1a6c"). Defaults to staging-latest when empty.'
|
||||
required: false
|
||||
type: string
|
||||
default: 'staging-latest'
|
||||
canary_slug:
|
||||
description: 'Tenant slug to deploy first + soak (empty = skip canary, fan out immediately). Default empty for staging since staging itself is the canary.'
|
||||
required: false
|
||||
type: string
|
||||
default: ''
|
||||
soak_seconds:
|
||||
description: 'Seconds to wait after canary before fanning out. Only meaningful if canary_slug is set.'
|
||||
required: false
|
||||
type: string
|
||||
default: '60'
|
||||
batch_size:
|
||||
description: 'How many tenants SSM redeploys in parallel per batch.'
|
||||
required: false
|
||||
type: string
|
||||
default: '3'
|
||||
dry_run:
|
||||
description: 'Plan only — do not actually redeploy.'
|
||||
required: false
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
# No write scopes needed — the workflow hits an external CP endpoint,
|
||||
# not the GitHub API.
|
||||
|
||||
# Serialize per-branch so two rapid staging pushes' redeploys don't
|
||||
# overlap and cause confusing per-tenant SSM state. cancel-in-progress
|
||||
# is false because aborting a half-rolled-out fleet leaves tenants
|
||||
# stuck on whatever image they happened to be on when cancelled.
|
||||
concurrency:
|
||||
group: redeploy-tenants-on-staging
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
redeploy:
|
||||
# Skip the auto-trigger if publish-workspace-server-image didn't
|
||||
# actually succeed. workflow_run fires on any completion state; we
|
||||
# don't want to redeploy against a half-built image.
|
||||
if: |
|
||||
github.event_name == 'workflow_dispatch' ||
|
||||
(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 25
|
||||
steps:
|
||||
- name: Wait for GHCR tag propagation
|
||||
# GHCR's edge cache takes ~15-30s to consistently serve the new
|
||||
# :staging-latest manifest after the registry accepts the push.
|
||||
# Same rationale as redeploy-tenants-on-main.yml.
|
||||
run: sleep 30
|
||||
|
||||
- name: Call staging-CP redeploy-fleet
|
||||
# CP_STAGING_ADMIN_API_TOKEN must be set as a repo/org secret
|
||||
# on molecule-ai/molecule-core, matching staging-CP's
|
||||
# CP_ADMIN_API_TOKEN env var (visible in Railway controlplane
|
||||
# / staging environment). Stored separately from the prod
|
||||
# CP_ADMIN_API_TOKEN so a leak of one doesn't auth the other.
|
||||
env:
|
||||
CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }}
|
||||
CP_STAGING_ADMIN_API_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
|
||||
TARGET_TAG: ${{ inputs.target_tag || 'staging-latest' }}
|
||||
CANARY_SLUG: ${{ inputs.canary_slug || '' }}
|
||||
SOAK_SECONDS: ${{ inputs.soak_seconds || '60' }}
|
||||
BATCH_SIZE: ${{ inputs.batch_size || '3' }}
|
||||
DRY_RUN: ${{ inputs.dry_run || false }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
# Schedule-vs-dispatch hardening (mirrors sweep-cf-orphans
|
||||
# and sweep-cf-tunnels): hard-fail on auto-trigger when the
|
||||
# secret is missing so a misconfigured-repo doesn't silently
|
||||
# serve stale staging tenants. Soft-skip on operator dispatch.
|
||||
if [ -z "${CP_STAGING_ADMIN_API_TOKEN:-}" ]; then
|
||||
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
|
||||
echo "::warning::CP_STAGING_ADMIN_API_TOKEN secret not set — skipping redeploy"
|
||||
echo "::warning::Set CP_STAGING_ADMIN_API_TOKEN in repo secrets to enable auto-redeploy."
|
||||
echo "::notice::Pull the value from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
|
||||
exit 0
|
||||
fi
|
||||
echo "::error::staging redeploy cannot run — CP_STAGING_ADMIN_API_TOKEN secret missing"
|
||||
echo "::error::set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
BODY=$(jq -nc \
|
||||
--arg tag "$TARGET_TAG" \
|
||||
--arg canary "$CANARY_SLUG" \
|
||||
--argjson soak "$SOAK_SECONDS" \
|
||||
--argjson batch "$BATCH_SIZE" \
|
||||
--argjson dry "$DRY_RUN" \
|
||||
'{
|
||||
target_tag: $tag,
|
||||
canary_slug: $canary,
|
||||
soak_seconds: $soak,
|
||||
batch_size: $batch,
|
||||
dry_run: $dry
|
||||
}')
|
||||
|
||||
echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
|
||||
echo " body: $BODY"
|
||||
|
||||
HTTP_RESPONSE=$(mktemp)
|
||||
HTTP_CODE_FILE=$(mktemp)
|
||||
# Route -w into its own tempfile so curl's exit code (e.g. 56
|
||||
# on connection-reset) can't pollute the captured stdout. The
|
||||
# previous inline-substitution shape produced "000000" on
|
||||
# connection reset — caught on main variant 2026-05-04
|
||||
# redeploying sha 2b862f6. Same fix shape as the synth-E2E
|
||||
# §9c gate (PR #2797). See lint-curl-status-capture.yml for
|
||||
# the CI gate that pins this fix shape.
|
||||
set +e
|
||||
curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
|
||||
-m 1200 \
|
||||
-H "Authorization: Bearer $CP_STAGING_ADMIN_API_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
|
||||
-d "$BODY" >"$HTTP_CODE_FILE"
|
||||
set -e
|
||||
# Stderr from curl (-sS shows dial errors etc.) goes to the
|
||||
# runner log so operators can see WHY a connection failed.
|
||||
HTTP_CODE=$(cat "$HTTP_CODE_FILE" 2>/dev/null || echo "000")
|
||||
[ -z "$HTTP_CODE" ] && HTTP_CODE="000"
|
||||
|
||||
echo "HTTP $HTTP_CODE"
|
||||
cat "$HTTP_RESPONSE" | jq . || cat "$HTTP_RESPONSE"
|
||||
|
||||
{
|
||||
echo "## Staging tenant redeploy fleet"
|
||||
echo ""
|
||||
echo "**Target tag:** \`$TARGET_TAG\`"
|
||||
echo "**Canary:** \`${CANARY_SLUG:-(none — staging is itself the canary)}\` (soak ${SOAK_SECONDS}s)"
|
||||
echo "**Batch size:** $BATCH_SIZE"
|
||||
echo "**Dry run:** $DRY_RUN"
|
||||
echo "**HTTP:** $HTTP_CODE"
|
||||
echo ""
|
||||
echo "### Per-tenant result"
|
||||
echo ""
|
||||
echo '| Slug | Phase | SSM Status | Exit | Healthz | Error |'
|
||||
echo '|------|-------|------------|------|---------|-------|'
|
||||
jq -r '.results[]? | "| \(.slug) | \(.phase) | \(.ssm_status // "-") | \(.ssm_exit_code) | \(.healthz_ok) | \(.error // "-") |"' "$HTTP_RESPONSE" || true
|
||||
} >> "$GITHUB_STEP_SUMMARY"
|
||||
|
||||
# Distinguish "real fleet failure" from "E2E teardown race".
|
||||
#
|
||||
# CP returns HTTP 500 + ok=false whenever ANY tenant in the
|
||||
# fleet failed SSM or healthz. In practice the recurring source
|
||||
# of these is ephemeral test tenants being torn down by their
|
||||
# parent E2E run mid-redeploy: the EC2 dies → SSM exit=2 or
|
||||
# healthz timeout → CP marks the fleet failed → this workflow
|
||||
# goes red even though every operator-facing tenant rolled fine.
|
||||
#
|
||||
# Ephemeral slug prefixes (kept in sync with sweep-stale-e2e-orgs.yml
|
||||
# — see that file for the source-of-truth list and rationale):
|
||||
# - e2e-* — canvas/saas/ext E2E suites
|
||||
# - rt-e2e-* — runtime-test harness fixtures (RFC #2251)
|
||||
# Long-lived prefixes that are NOT ephemeral and MUST hard-fail:
|
||||
# demo-prep, dryrun-*, dryrun2-*, plus all human tenant slugs.
|
||||
#
|
||||
# Filter: if HTTP=500/ok=false AND every failed slug matches an
|
||||
# ephemeral prefix, treat as soft-warn and let the verify step
|
||||
# downstream handle unreachable-vs-stale (#2402). Any non-ephemeral
|
||||
# failure or a non-500 HTTP response remains a hard failure.
|
||||
OK=$(jq -r '.ok // "false"' "$HTTP_RESPONSE")
|
||||
FAILED_SLUGS=$(jq -r '
|
||||
.results[]?
|
||||
| select((.healthz_ok != true) or (.ssm_status != "Success"))
|
||||
| .slug' "$HTTP_RESPONSE" 2>/dev/null || true)
|
||||
EPHEMERAL_PREFIX_RE='^(e2e-|rt-e2e-)'
|
||||
NON_EPHEMERAL_FAILED=$(printf '%s\n' "$FAILED_SLUGS" | grep -v '^$' | grep -Ev "$EPHEMERAL_PREFIX_RE" || true)
|
||||
|
||||
if [ "$HTTP_CODE" = "200" ] && [ "$OK" = "true" ]; then
|
||||
: # happy path — fall through to verification
|
||||
elif [ "$HTTP_CODE" = "500" ] && [ -z "$NON_EPHEMERAL_FAILED" ] && [ -n "$FAILED_SLUGS" ]; then
|
||||
COUNT=$(printf '%s\n' "$FAILED_SLUGS" | grep -Ec "$EPHEMERAL_PREFIX_RE" || true)
|
||||
echo "::warning::redeploy-fleet returned HTTP 500 but every failed tenant ($COUNT) is ephemeral (e2e-*/rt-e2e-*) — treating as teardown race, soft-warning."
|
||||
printf '%s\n' "$FAILED_SLUGS" | sed 's/^/::warning:: failed: /'
|
||||
elif [ "$HTTP_CODE" != "200" ]; then
|
||||
echo "::error::redeploy-fleet returned HTTP $HTTP_CODE"
|
||||
if [ -n "$NON_EPHEMERAL_FAILED" ]; then
|
||||
echo "::error::non-ephemeral tenant(s) failed:"
|
||||
printf '%s\n' "$NON_EPHEMERAL_FAILED" | sed 's/^/::error:: /'
|
||||
fi
|
||||
exit 1
|
||||
else
|
||||
# HTTP=200 but ok=false (shouldn't happen with current CP
|
||||
# but keep the gate for completeness).
|
||||
echo "::error::redeploy-fleet reported ok=false (see summary for which tenant halted the rollout)"
|
||||
exit 1
|
||||
fi
|
||||
echo "::notice::Staging tenant fleet redeploy reported ssm_status=Success — verifying actual image roll on each tenant..."
|
||||
|
||||
cp "$HTTP_RESPONSE" "$RUNNER_TEMP/redeploy-response.json"
|
||||
|
||||
- name: Verify each staging tenant /buildinfo matches published SHA
|
||||
# Mirror of the verify step in redeploy-tenants-on-main.yml — see
|
||||
# there for the rationale (#2395 root fix). Staging has the same
|
||||
# ssm_status-success-but-stale-image hazard and benefits from the
|
||||
# same gate. Diff: TENANT_DOMAIN includes the `staging.` infix.
|
||||
env:
|
||||
EXPECTED_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
|
||||
TARGET_TAG: ${{ inputs.target_tag || 'staging-latest' }}
|
||||
TENANT_DOMAIN: 'staging.moleculesai.app'
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
# staging-latest is the staging-side moving tag; treat it the
|
||||
# same way main treats `latest`. Operator-pinned SHAs skip
|
||||
# verification (see main variant for why).
|
||||
if [ "$TARGET_TAG" != "staging-latest" ] && [ "$TARGET_TAG" != "latest" ] && [ "$TARGET_TAG" != "$EXPECTED_SHA" ]; then
|
||||
echo "::notice::target_tag=$TARGET_TAG (operator-pinned) — skipping per-tenant SHA verification."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
RESP="$RUNNER_TEMP/redeploy-response.json"
|
||||
if [ ! -s "$RESP" ]; then
|
||||
echo "::error::redeploy-response.json missing or empty"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
mapfile -t SLUGS < <(jq -r '.results[]? | select(.healthz_ok == true) | .slug' "$RESP")
|
||||
if [ ${#SLUGS[@]} -eq 0 ]; then
|
||||
echo "::warning::No staging tenants reported healthz_ok — nothing to verify"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Verifying ${#SLUGS[@]} staging tenant(s) against EXPECTED_SHA=${EXPECTED_SHA:0:7}..."
|
||||
|
||||
# Two distinct failure modes here:
|
||||
# STALE_COUNT — tenant returned a SHA that doesn't match. THIS is
|
||||
# the #2395 bug class: tenant up + serving old code.
|
||||
# Always hard-fail the workflow.
|
||||
# UNREACHABLE_COUNT — tenant didn't respond. Almost always a benign
|
||||
# teardown race: redeploy-fleet snapshot says
|
||||
# healthz_ok=true, then the E2E suite tears the
|
||||
# ephemeral tenant down before this step runs (the
|
||||
# e2e-* fixtures churn 5-10/hour on staging). Soft-
|
||||
# warn so we don't block staging→main on cleanup.
|
||||
# Real "tenant up but unreachable" is caught by CP's
|
||||
# own healthz monitor + the post-redeploy alert; we
|
||||
# don't need to double-count it here.
|
||||
STALE_COUNT=0
|
||||
UNREACHABLE_COUNT=0
|
||||
STALE_LINES=()
|
||||
UNREACHABLE_LINES=()
|
||||
for slug in "${SLUGS[@]}"; do
|
||||
URL="https://${slug}.${TENANT_DOMAIN}/buildinfo"
|
||||
BODY=$(curl -sS --max-time 30 --retry 3 --retry-delay 5 --retry-connrefused "$URL" || true)
|
||||
ACTUAL_SHA=$(echo "$BODY" | jq -r '.git_sha // ""' 2>/dev/null || echo "")
|
||||
if [ -z "$ACTUAL_SHA" ]; then
|
||||
UNREACHABLE_COUNT=$((UNREACHABLE_COUNT + 1))
|
||||
UNREACHABLE_LINES+=("| $slug | (no /buildinfo response) | ${EXPECTED_SHA:0:7} | ⚠ unreachable (likely teardown race) |")
|
||||
continue
|
||||
fi
|
||||
if [ "$ACTUAL_SHA" = "$EXPECTED_SHA" ]; then
|
||||
echo " $slug: ${ACTUAL_SHA:0:7} ✓"
|
||||
else
|
||||
STALE_COUNT=$((STALE_COUNT + 1))
|
||||
STALE_LINES+=("| $slug | ${ACTUAL_SHA:0:7} | ${EXPECTED_SHA:0:7} | ❌ stale |")
|
||||
fi
|
||||
done
|
||||
|
||||
{
|
||||
echo ""
|
||||
echo "### Per-tenant /buildinfo verification (staging)"
|
||||
echo ""
|
||||
echo "Expected SHA: \`${EXPECTED_SHA:0:7}\`"
|
||||
echo ""
|
||||
if [ $STALE_COUNT -gt 0 ]; then
|
||||
echo "**${STALE_COUNT} STALE tenant(s) — these did NOT pick up the new image despite ssm_status=Success:**"
|
||||
echo ""
|
||||
echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
|
||||
echo "|------|----------------------|----------|--------|"
|
||||
for line in "${STALE_LINES[@]}"; do echo "$line"; done
|
||||
echo ""
|
||||
fi
|
||||
if [ $UNREACHABLE_COUNT -gt 0 ]; then
|
||||
echo "**${UNREACHABLE_COUNT} unreachable tenant(s) — likely E2E teardown race (soft-warn, not failing):**"
|
||||
echo ""
|
||||
echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
|
||||
echo "|------|----------------------|----------|--------|"
|
||||
for line in "${UNREACHABLE_LINES[@]}"; do echo "$line"; done
|
||||
echo ""
|
||||
fi
|
||||
if [ $STALE_COUNT -eq 0 ] && [ $UNREACHABLE_COUNT -eq 0 ]; then
|
||||
echo "All ${#SLUGS[@]} staging tenants returned matching SHA. ✓"
|
||||
fi
|
||||
} >> "$GITHUB_STEP_SUMMARY"
|
||||
|
||||
if [ $UNREACHABLE_COUNT -gt 0 ]; then
|
||||
echo "::warning::$UNREACHABLE_COUNT staging tenant(s) unreachable post-redeploy. Likely benign teardown race — CP healthz monitor catches real outages."
|
||||
fi
|
||||
|
||||
# Belt-and-suspenders sanity floor: if MORE than half the fleet is
|
||||
# unreachable AND the fleet is large enough that "half down" is
|
||||
# statistically meaningful, this is a real outage (e.g. new image
|
||||
# crashes on startup), not a teardown race. Hard-fail.
|
||||
#
|
||||
# Floor only applies when TOTAL_VERIFIED >= 4 — below that, the
|
||||
# canary-verify step is the actual gate for "all tenants down"
|
||||
# detection (it runs against the canary first and aborts the
|
||||
# rollout if the canary fails to come up). Without the >=4 gate,
|
||||
# a 1-tenant fleet (e.g. a single ephemeral e2e-* tenant on a
|
||||
# quiet staging push) would re-flake on the exact teardown-race
|
||||
# condition #2402 fixed: 1 of 1 unreachable = 100% > 50% → fail.
|
||||
TOTAL_VERIFIED=${#SLUGS[@]}
|
||||
if [ $TOTAL_VERIFIED -ge 4 ] && [ $UNREACHABLE_COUNT -gt $((TOTAL_VERIFIED / 2)) ]; then
|
||||
echo "::error::$UNREACHABLE_COUNT of $TOTAL_VERIFIED staging tenant(s) unreachable — exceeds 50% threshold on a fleet large enough that this signals a real outage, not teardown race."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ $STALE_COUNT -gt 0 ]; then
|
||||
echo "::error::$STALE_COUNT staging tenant(s) returned a stale SHA. ssm_status=Success was misleading — see job summary."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "::notice::Staging tenant fleet redeploy complete — all reachable tenants on ${EXPECTED_SHA:0:7} (${UNREACHABLE_COUNT} unreachable, soft-warned)."
|
||||
+18
-19
@@ -57,24 +57,24 @@ See `CLAUDE.md` for a full list of environment variables and their purposes.
|
||||
|
||||
This repo is scoped to **code** (canvas, workspace, workspace-server, related
|
||||
infra). Public content (blog posts, marketing copy, OG images, SEO briefs,
|
||||
DevRel demos) lives in [`molecule-ai/docs`](https://git.moleculesai.app/molecule-ai/docs).
|
||||
DevRel demos) lives in [`Molecule-AI/docs`](https://git.moleculesai.app/molecule-ai/docs).
|
||||
The `Block forbidden paths` CI gate fails any PR that writes to `marketing/`
|
||||
or other removed paths — open against `molecule-ai/docs` instead.
|
||||
or other removed paths — open against `Molecule-AI/docs` instead.
|
||||
|
||||
| Content type | Target |
|
||||
|---|---|
|
||||
| Blog posts | `molecule-ai/docs` → `content/blog/<YYYY-MM-DD-slug>/` |
|
||||
| Doc pages | `molecule-ai/docs` → `content/docs/` |
|
||||
| Marketing copy / PMM positioning | `molecule-ai/docs` → `marketing/` |
|
||||
| OG images, visual assets | `molecule-ai/docs` → `app/` or `marketing/` |
|
||||
| SEO briefs | `molecule-ai/docs` → `marketing/` |
|
||||
| DevRel demos (runnable code) | Standalone repo under `molecule-ai/`, OR embedded in `molecule-ai/docs` |
|
||||
| Launch checklists, internal tracking | Gitea Issues — **not** committed files |
|
||||
| Blog posts | `Molecule-AI/docs` → `content/blog/<YYYY-MM-DD-slug>/` |
|
||||
| Doc pages | `Molecule-AI/docs` → `content/docs/` |
|
||||
| Marketing copy / PMM positioning | `Molecule-AI/docs` → `marketing/` |
|
||||
| OG images, visual assets | `Molecule-AI/docs` → `app/` or `marketing/` |
|
||||
| SEO briefs | `Molecule-AI/docs` → `marketing/` |
|
||||
| DevRel demos (runnable code) | Standalone repo under `Molecule-AI/`, OR embedded in `Molecule-AI/docs` |
|
||||
| Launch checklists, internal tracking | GitHub Issues — **not** committed files |
|
||||
| Engineering docs (`docs/adr/`, `docs/architecture/`, `docs/incidents/`) | This repo (internal, not published) |
|
||||
| Live product pages (e.g. `canvas/src/app/pricing/page.tsx`) | This repo (these are app code, not marketing copy) |
|
||||
|
||||
If a PR fails the `Block forbidden paths` check, the contents belong in
|
||||
`molecule-ai/docs`. No CI drag, no Canvas E2E, content lands in minutes.
|
||||
`Molecule-AI/docs`. No CI drag, no Canvas E2E, content lands in minutes.
|
||||
|
||||
## Development Workflow
|
||||
|
||||
@@ -106,7 +106,7 @@ causing a render loop when any node position changed.
|
||||
|
||||
#### Auto-merge & the "extra commit" trap
|
||||
|
||||
**Two system guards protect against pushing commits after auto-merge has been enabled.** Don't try to work around them — they exist because we shipped a half-merged PR on 2026-04-27 (`#2174` merged with only its first commit; the second was orphaned on a branch the host had already deleted).
|
||||
**Two system guards protect against pushing commits after auto-merge has been enabled.** Don't try to work around them — they exist because we shipped a half-merged PR on 2026-04-27 (`#2174` merged with only its first commit; the second was orphaned on a branch GitHub had already deleted).
|
||||
|
||||
1. **Repo-wide:** "Automatically delete head branches" is on. Once a PR merges, the branch is deleted server-side. Any subsequent `git push` to that branch fails with `remote rejected — no such branch`.
|
||||
|
||||
@@ -145,7 +145,7 @@ Fix violations before committing — the hook will reject the commit.
|
||||
|
||||
### CI Pipeline
|
||||
|
||||
CI runs on Gitea Actions with self-hosted runners. External contributors:
|
||||
CI runs on GitHub Actions with a self-hosted runner. External contributors:
|
||||
PRs from forks will not trigger CI automatically. A maintainer will review
|
||||
and run CI manually.
|
||||
|
||||
@@ -190,9 +190,9 @@ Runs the full regression suite against a fixture HTTP server. No network access
|
||||
Code in this repo lands in molecule-core. Some related runtime artifacts
|
||||
live in their own repos:
|
||||
|
||||
- [`molecule-ai/molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime) — Python adapter SDK (`molecule_runtime`) that runs inside containerized Molecule workspaces. Bridges Claude Code SDK / hermes / langgraph / etc. → A2A queue.
|
||||
- [`molecule-ai/molecule-sdk-python`](https://git.moleculesai.app/molecule-ai/molecule-sdk-python) — `A2AServer` + `RemoteAgentClient` for external agents that register over the public `/registry/register` flow.
|
||||
- [`molecule-ai/molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel) — Claude Code channel plugin. Bridges A2A traffic into a running Claude Code session via MCP `notifications/claude/channel`. Polling-based (no tunnel required); install inside Claude Code via `/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`, then launch with `claude --dangerously-load-development-channels=plugin:molecule@molecule-channel`.
|
||||
- [`Molecule-AI/molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime) — Python adapter SDK (`molecule_runtime`) that runs inside containerized Molecule workspaces. Bridges Claude Code SDK / hermes / langgraph / etc. → A2A queue.
|
||||
- [`Molecule-AI/molecule-sdk-python`](https://git.moleculesai.app/molecule-ai/molecule-sdk-python) — `A2AServer` + `RemoteAgentClient` for external agents that register over the public `/registry/register` flow.
|
||||
- [`Molecule-AI/molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel) — Claude Code channel plugin. Bridges A2A traffic into a running Claude Code session via MCP `notifications/claude/channel`. Polling-based (no tunnel required); install with `claude --channels plugin:molecule@Molecule-AI/molecule-mcp-claude-channel`.
|
||||
|
||||
When extending the **A2A surface** in molecule-core (`workspace-server/internal/handlers/a2a_proxy.go` etc.), consider whether the change has a downstream impact on the runtime SDK or the channel plugin — they're versioned independently but share the wire shape.
|
||||
|
||||
@@ -206,7 +206,7 @@ See `CLAUDE.md` for detailed architecture documentation, including:
|
||||
|
||||
## Reporting Issues
|
||||
|
||||
Use Gitea Issues with a clear title and reproduction steps. Include:
|
||||
Use GitHub Issues with a clear title and reproduction steps. Include:
|
||||
- What you expected
|
||||
- What actually happened
|
||||
- Platform/OS version
|
||||
@@ -214,9 +214,8 @@ Use Gitea Issues with a clear title and reproduction steps. Include:
|
||||
|
||||
## Security
|
||||
|
||||
If you discover a security vulnerability, please report it privately by
|
||||
opening an issue against `molecule-ai/internal` (a private repo only
|
||||
maintainers can see) rather than filing a public issue here.
|
||||
If you discover a security vulnerability, please report it privately via
|
||||
GitHub Security Advisories rather than opening a public issue.
|
||||
|
||||
## License
|
||||
|
||||
|
||||
@@ -4,10 +4,10 @@
|
||||
# use this Makefile; CI calls docker compose / go test directly so the
|
||||
# Makefile can evolve without breaking the build.
|
||||
|
||||
.PHONY: help dev up down logs build test e2e-peer-visibility
|
||||
.PHONY: help dev up down logs build test
|
||||
|
||||
help: ## Show this help.
|
||||
@grep -E '^[a-zA-Z0-9_-]+:.*?## ' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-22s\033[0m %s\n", $$1, $$2}'
|
||||
@grep -E '^[a-zA-Z_-]+:.*?## ' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-12s\033[0m %s\n", $$1, $$2}'
|
||||
|
||||
dev: ## Start the full stack with air hot-reload for the platform service.
|
||||
docker compose -f docker-compose.yml -f docker-compose.dev.yml up
|
||||
@@ -26,13 +26,3 @@ build: ## Force a fresh build of the platform image (no cache).
|
||||
|
||||
test: ## Run Go unit tests in workspace-server/.
|
||||
cd workspace-server && go test -race ./...
|
||||
|
||||
# ─── Local prod-mimic E2E gates ────────────────────────────────────────
|
||||
# Run the LITERAL peer-visibility MCP list_peers gate against the
|
||||
# already-running local stack (`make up` or `make dev`). Same byte-
|
||||
# identical assertion as the staging gate — only provisioning differs.
|
||||
# Skips any runtime whose provider key is absent (partially-keyed env
|
||||
# is fine). See tests/e2e/test_peer_visibility_mcp_local.sh for the
|
||||
# env contract (CLAUDE_CODE_OAUTH_TOKEN / E2E_MINIMAX_API_KEY / etc).
|
||||
e2e-peer-visibility: ## Run the LOCAL peer-visibility MCP gate vs the running stack (needs `make up` first).
|
||||
bash tests/e2e/test_peer_visibility_mcp_local.sh
|
||||
|
||||
@@ -238,7 +238,7 @@ The result is not just “an agent that learns.” It is **an organization that
|
||||
- subscribe to one or more workspaces; peer messages surface as conversation turns; replies route back through Molecule's A2A
|
||||
- no tunnel, no public endpoint — the plugin self-registers each watched workspace as `delivery_mode=poll` and long-polls `/activity?since_id=…`
|
||||
- multi-tenant friendly: one plugin install can watch workspaces across multiple Molecule tenants (`MOLECULE_PLATFORM_URLS` per-workspace)
|
||||
- install via the standard marketplace flow: `/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`, then launch with `claude --dangerously-load-development-channels=plugin:molecule@molecule-channel`
|
||||
- install via the standard marketplace flow: `/plugin marketplace add Molecule-AI/molecule-mcp-claude-channel` → `/plugin install molecule-channel@molecule-mcp-claude-channel`
|
||||
|
||||
## Built For Teams That Need More Than A Demo
|
||||
|
||||
|
||||
+1
-1
@@ -237,7 +237,7 @@ Molecule AI 并不是要替代下面这些 framework,而是把它们纳入更
|
||||
- 订阅一个或多个 workspace;peer 的消息会以 user-turn 出现,回复会经 Molecule A2A 路由出去
|
||||
- 无需公网隧道、无需公开端点 —— 插件启动时自动把每个 watched workspace 注册成 `delivery_mode=poll`,长轮询 `/activity?since_id=…`
|
||||
- 多租户友好:单次安装即可同时 watch 跨多个 Molecule 租户的 workspace(`MOLECULE_PLATFORM_URLS` 按 workspace 配置)
|
||||
- 通过标准 marketplace 流程安装:`/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`,然后用 `claude --dangerously-load-development-channels=plugin:molecule@molecule-channel` 启动
|
||||
- 通过标准 marketplace 流程安装:`/plugin marketplace add Molecule-AI/molecule-mcp-claude-channel` → `/plugin install molecule-channel@molecule-mcp-claude-channel`
|
||||
|
||||
## 适合什么团队
|
||||
|
||||
|
||||
+1
-2
@@ -1,2 +1 @@
|
||||
trigger
|
||||
retrigger 2026-05-20T04:09Z after op-config#110 (HOME=/home/runner) deploy to fleet — internal#603
|
||||
trigger
|
||||
@@ -1,113 +0,0 @@
|
||||
import { describe, it, expect, vi } from "vitest";
|
||||
|
||||
// Marketing-launch SEO (mc#1486). These tests pin the public crawler
|
||||
// contract: anything that flips public marketing routes to disallow,
|
||||
// drops the sitemap from robots.txt, or removes the OG image
|
||||
// reference from root metadata should fail loudly here.
|
||||
|
||||
// next/font and the rest of the layout's runtime tree are not
|
||||
// vitest-compatible (next/font expects the Next.js compiler swc
|
||||
// transform). We import layout.tsx only for its exported `metadata`
|
||||
// constant — mock the font module to a constructor-returning stub.
|
||||
vi.mock("next/font/google", () => ({
|
||||
Inter: () => ({ variable: "--font-inter" }),
|
||||
JetBrains_Mono: () => ({ variable: "--font-jetbrains" }),
|
||||
}));
|
||||
|
||||
import robots from "../robots";
|
||||
import sitemap from "../sitemap";
|
||||
import { metadata } from "../layout";
|
||||
|
||||
describe("robots.ts", () => {
|
||||
it("allows public marketing routes and blocks authed/app routes", () => {
|
||||
const r = robots();
|
||||
expect(r.rules).toBeDefined();
|
||||
const rule = Array.isArray(r.rules) ? r.rules[0] : r.rules!;
|
||||
expect(rule.userAgent).toBe("*");
|
||||
const allow = Array.isArray(rule.allow) ? rule.allow : [rule.allow];
|
||||
expect(allow).toEqual(expect.arrayContaining(["/", "/pricing", "/blog"]));
|
||||
const disallow = Array.isArray(rule.disallow)
|
||||
? rule.disallow
|
||||
: [rule.disallow];
|
||||
expect(disallow).toEqual(
|
||||
expect.arrayContaining(["/api/", "/orgs", "/cp/"]),
|
||||
);
|
||||
});
|
||||
|
||||
it("declares the sitemap URL", () => {
|
||||
const r = robots();
|
||||
expect(r.sitemap).toMatch(/\/sitemap\.xml$/);
|
||||
});
|
||||
|
||||
it("declares a canonical host", () => {
|
||||
const r = robots();
|
||||
expect(r.host).toMatch(/^https:\/\//);
|
||||
});
|
||||
});
|
||||
|
||||
describe("sitemap.ts", () => {
|
||||
it("includes apex, pricing, and the live blog post", () => {
|
||||
const entries = sitemap();
|
||||
const urls = entries.map((e) => e.url);
|
||||
expect(urls.some((u) => u.endsWith("/"))).toBe(true);
|
||||
expect(urls.some((u) => u.endsWith("/pricing"))).toBe(true);
|
||||
expect(
|
||||
urls.some((u) => u.includes("/blog/2026-04-20-chrome-devtools-mcp")),
|
||||
).toBe(true);
|
||||
});
|
||||
|
||||
it("does NOT include authed/app routes", () => {
|
||||
const entries = sitemap();
|
||||
const urls = entries.map((e) => e.url);
|
||||
expect(urls.some((u) => u.includes("/orgs"))).toBe(false);
|
||||
expect(urls.some((u) => u.includes("/api/"))).toBe(false);
|
||||
});
|
||||
|
||||
it("sets a non-zero priority and a valid changeFrequency on every entry", () => {
|
||||
const valid = new Set([
|
||||
"always",
|
||||
"hourly",
|
||||
"daily",
|
||||
"weekly",
|
||||
"monthly",
|
||||
"yearly",
|
||||
"never",
|
||||
]);
|
||||
for (const e of sitemap()) {
|
||||
expect(e.priority).toBeGreaterThan(0);
|
||||
expect(valid.has(String(e.changeFrequency))).toBe(true);
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
describe("root layout metadata", () => {
|
||||
it("sets a templated title + non-empty description", () => {
|
||||
const t = metadata.title as { default: string; template: string };
|
||||
expect(t.default).toMatch(/Molecule AI/);
|
||||
expect(t.template).toMatch(/%s/);
|
||||
expect((metadata.description ?? "").length).toBeGreaterThan(50);
|
||||
});
|
||||
|
||||
it("declares OG + Twitter text fields (image comes from opengraph-image.tsx)", () => {
|
||||
const og = metadata.openGraph;
|
||||
expect(og).toBeDefined();
|
||||
expect((og as { title: string }).title).toMatch(/Molecule AI/);
|
||||
expect((og as { description: string }).description.length).toBeGreaterThan(
|
||||
50,
|
||||
);
|
||||
const tw = metadata.twitter;
|
||||
expect(tw).toBeDefined();
|
||||
// Next.js typings narrow twitter.card to a union — assert via cast.
|
||||
expect((tw as { card: string }).card).toBe("summary_large_image");
|
||||
});
|
||||
|
||||
it("sets a canonical alternate", () => {
|
||||
expect(metadata.alternates?.canonical).toBe("/");
|
||||
});
|
||||
|
||||
it("enables indexing at the metadata level (robots.ts owns per-route)", () => {
|
||||
const r = metadata.robots as { index: boolean; follow: boolean };
|
||||
expect(r.index).toBe(true);
|
||||
expect(r.follow).toBe(true);
|
||||
});
|
||||
});
|
||||
+2
-140
@@ -27,78 +27,9 @@ import {
|
||||
themeBootScript,
|
||||
} from "@/lib/theme-cookie";
|
||||
|
||||
// Marketing-launch SEO (mc#1486). Canonical apex is app.moleculesai.app —
|
||||
// tenant subdomains (<slug>.moleculesai.app) reuse the same Next.js build
|
||||
// but are gated behind auth (AuthGate redirects anonymous → /cp/auth/login)
|
||||
// and are de-indexed in robots.ts. The metadata here applies to the
|
||||
// public marketing surface served from the apex host.
|
||||
//
|
||||
// Override per-route by exporting a page-level `metadata`/`generateMetadata`
|
||||
// — Next.js merges page metadata over layout metadata using
|
||||
// `title.template` for "<page> | Molecule AI" composition.
|
||||
const SITE_URL =
|
||||
process.env.NEXT_PUBLIC_SITE_URL ?? "https://app.moleculesai.app";
|
||||
|
||||
export const metadata: Metadata = {
|
||||
metadataBase: new URL(SITE_URL),
|
||||
title: {
|
||||
default: "Molecule AI — the AI org chart canvas",
|
||||
template: "%s | Molecule AI",
|
||||
},
|
||||
description:
|
||||
"Molecule AI is an org-chart canvas for AI agent teams. Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed multi-agent workspace with credit metering, audit, and one-click runtime provisioning.",
|
||||
applicationName: "Molecule AI",
|
||||
keywords: [
|
||||
"AI agents",
|
||||
"multi-agent",
|
||||
"agent orchestration",
|
||||
"AI org chart",
|
||||
"Claude Code",
|
||||
"Codex",
|
||||
"MCP",
|
||||
"agent governance",
|
||||
"A2A",
|
||||
"agent runtime",
|
||||
],
|
||||
authors: [{ name: "Molecule AI" }],
|
||||
creator: "Molecule AI",
|
||||
publisher: "Molecule AI",
|
||||
alternates: { canonical: "/" },
|
||||
// OG + Twitter images come from the file-convention sibling
|
||||
// `opengraph-image.tsx` — Next.js auto-attaches them to og:image
|
||||
// and twitter:image when present at the segment root. We keep the
|
||||
// text fields here so they win over per-page metadata when a page
|
||||
// doesn't override them. `images: []` as the structural fallback
|
||||
// for hosts that won't follow the file convention; the real URL
|
||||
// is injected by Next.js at build time from opengraph-image.tsx.
|
||||
openGraph: {
|
||||
type: "website",
|
||||
siteName: "Molecule AI",
|
||||
url: SITE_URL,
|
||||
title: "Molecule AI — the AI org chart canvas",
|
||||
description:
|
||||
"Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed multi-agent workspace. Credit metering, audit, and one-click runtime provisioning.",
|
||||
locale: "en_US",
|
||||
},
|
||||
twitter: {
|
||||
card: "summary_large_image",
|
||||
title: "Molecule AI — the AI org chart canvas",
|
||||
description:
|
||||
"Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed multi-agent workspace.",
|
||||
},
|
||||
icons: {
|
||||
icon: "/molecule-icon.png",
|
||||
apple: "/molecule-icon.png",
|
||||
},
|
||||
// robots.ts owns the per-route allow/disallow contract; this is the
|
||||
// header-level fallback for routes the crawler reaches before
|
||||
// robots.txt resolves. Default = index public marketing routes;
|
||||
// app/auth/api/orgs are noindex'd by robots.ts.
|
||||
robots: {
|
||||
index: true,
|
||||
follow: true,
|
||||
googleBot: { index: true, follow: true, "max-image-preview": "large" },
|
||||
},
|
||||
title: "Molecule AI",
|
||||
description: "AI Org Chart Canvas",
|
||||
};
|
||||
|
||||
export default async function RootLayout({
|
||||
@@ -163,75 +94,6 @@ export default async function RootLayout({
|
||||
nonce={nonce}
|
||||
dangerouslySetInnerHTML={{ __html: themeBootScript }}
|
||||
/>
|
||||
{/*
|
||||
* JSON-LD structured data (mc#1486). Two graph nodes:
|
||||
*
|
||||
* - Organization: surfaces the brand to Google Knowledge
|
||||
* Graph + Bing entity index. URL+logo+sameAs are the
|
||||
* minimum recommended set for new brands without a
|
||||
* Wikipedia page.
|
||||
*
|
||||
* - WebSite: enables the sitelinks search box and tells
|
||||
* crawlers the canonical site URL when the same content
|
||||
* is reachable via multiple subdomains (apex + tenant).
|
||||
*
|
||||
* Type-application/ld+json runs synchronously without
|
||||
* executing JS, so 'strict-dynamic' isn't required — we still
|
||||
* carry the nonce because production CSP's default-src 'self'
|
||||
* applies to any <script> element. The "type" attribute is
|
||||
* what keeps the browser from running the body as JS, but
|
||||
* CSP nonces are gated on the element not the type, so we
|
||||
* include the nonce too.
|
||||
*/}
|
||||
<script
|
||||
type="application/ld+json"
|
||||
nonce={nonce}
|
||||
dangerouslySetInnerHTML={{
|
||||
__html: JSON.stringify({
|
||||
"@context": "https://schema.org",
|
||||
"@graph": [
|
||||
{
|
||||
"@type": "Organization",
|
||||
"@id": `${SITE_URL}#organization`,
|
||||
name: "Molecule AI",
|
||||
url: SITE_URL,
|
||||
logo: `${SITE_URL}/molecule-icon.png`,
|
||||
sameAs: [
|
||||
"https://github.com/molecule-ai",
|
||||
"https://x.com/moleculeai",
|
||||
],
|
||||
},
|
||||
{
|
||||
"@type": "WebSite",
|
||||
"@id": `${SITE_URL}#website`,
|
||||
url: SITE_URL,
|
||||
name: "Molecule AI",
|
||||
publisher: { "@id": `${SITE_URL}#organization` },
|
||||
inLanguage: "en-US",
|
||||
},
|
||||
{
|
||||
"@type": "SoftwareApplication",
|
||||
"@id": `${SITE_URL}#software`,
|
||||
name: "Molecule AI",
|
||||
applicationCategory: "DeveloperApplication",
|
||||
operatingSystem: "Web",
|
||||
description:
|
||||
"Org-chart canvas for AI agent teams with credit metering, audit, and one-click runtime provisioning.",
|
||||
url: SITE_URL,
|
||||
offers: {
|
||||
"@type": "AggregateOffer",
|
||||
priceCurrency: "USD",
|
||||
lowPrice: "0",
|
||||
highPrice: "99",
|
||||
offerCount: "3",
|
||||
url: `${SITE_URL}/pricing`,
|
||||
},
|
||||
publisher: { "@id": `${SITE_URL}#organization` },
|
||||
},
|
||||
],
|
||||
}),
|
||||
}}
|
||||
/>
|
||||
</head>
|
||||
<body className={`bg-surface text-ink ${interFont.variable} ${monoFont.variable}`}>
|
||||
<ThemeProvider initialTheme={theme}>
|
||||
|
||||
@@ -1,82 +0,0 @@
|
||||
import { ImageResponse } from "next/og";
|
||||
|
||||
// Marketing-launch SEO (mc#1486). Next.js App-Router file-system OG
|
||||
// convention: served as `/opengraph-image` and auto-attached as
|
||||
// `og:image` + `twitter:image`. Dynamic (not a static PNG in /public)
|
||||
// so we can iterate the brand mark + tagline pre-launch without
|
||||
// churning a binary blob in git history.
|
||||
export const runtime = "edge";
|
||||
|
||||
export const alt = "Molecule AI — the AI org chart canvas";
|
||||
export const size = { width: 1200, height: 630 };
|
||||
export const contentType = "image/png";
|
||||
|
||||
export default function OG() {
|
||||
return new ImageResponse(
|
||||
(
|
||||
<div
|
||||
style={{
|
||||
width: "100%",
|
||||
height: "100%",
|
||||
display: "flex",
|
||||
flexDirection: "column",
|
||||
alignItems: "flex-start",
|
||||
justifyContent: "center",
|
||||
padding: "80px",
|
||||
background:
|
||||
"linear-gradient(135deg, #0a0a0a 0%, #1a1a2e 60%, #16213e 100%)",
|
||||
color: "#ffffff",
|
||||
fontFamily: "system-ui, -apple-system, sans-serif",
|
||||
}}
|
||||
>
|
||||
<div
|
||||
style={{
|
||||
fontSize: 28,
|
||||
color: "#a3a3c2",
|
||||
letterSpacing: "0.18em",
|
||||
textTransform: "uppercase",
|
||||
marginBottom: 24,
|
||||
}}
|
||||
>
|
||||
Molecule AI
|
||||
</div>
|
||||
<div
|
||||
style={{
|
||||
fontSize: 76,
|
||||
fontWeight: 700,
|
||||
lineHeight: 1.05,
|
||||
letterSpacing: "-0.02em",
|
||||
maxWidth: 980,
|
||||
}}
|
||||
>
|
||||
The AI org chart canvas
|
||||
</div>
|
||||
<div
|
||||
style={{
|
||||
fontSize: 32,
|
||||
color: "#c8c8d8",
|
||||
marginTop: 32,
|
||||
lineHeight: 1.3,
|
||||
maxWidth: 980,
|
||||
}}
|
||||
>
|
||||
Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed
|
||||
multi-agent workspace.
|
||||
</div>
|
||||
<div
|
||||
style={{
|
||||
position: "absolute",
|
||||
right: 80,
|
||||
bottom: 80,
|
||||
fontSize: 22,
|
||||
color: "#7a7a96",
|
||||
display: "flex",
|
||||
}}
|
||||
>
|
||||
moleculesai.app
|
||||
</div>
|
||||
</div>
|
||||
),
|
||||
{ ...size },
|
||||
);
|
||||
}
|
||||
@@ -103,7 +103,7 @@ export default function Home() {
|
||||
setHydrationError(null);
|
||||
window.location.reload();
|
||||
}}
|
||||
className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
|
||||
className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm"
|
||||
>
|
||||
Retry
|
||||
</button>
|
||||
@@ -115,9 +115,7 @@ export default function Home() {
|
||||
|
||||
return (
|
||||
<>
|
||||
<main aria-label="Agent canvas">
|
||||
<Canvas />
|
||||
</main>
|
||||
<Canvas />
|
||||
<Legend />
|
||||
<CommunicationOverlay />
|
||||
{hydrationError && (
|
||||
@@ -136,7 +134,7 @@ export default function Home() {
|
||||
setHydrationError(null);
|
||||
window.location.reload();
|
||||
}}
|
||||
className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
|
||||
className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm"
|
||||
>
|
||||
Retry
|
||||
</button>
|
||||
@@ -178,7 +176,7 @@ brew services start redis`}</pre>
|
||||
</p>
|
||||
<button
|
||||
onClick={() => window.location.reload()}
|
||||
className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm mt-2 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
|
||||
className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm mt-2"
|
||||
>
|
||||
Reload
|
||||
</button>
|
||||
|
||||
@@ -1,45 +0,0 @@
|
||||
import type { MetadataRoute } from "next";
|
||||
|
||||
// Marketing-launch SEO (mc#1486). Next.js App-Router robots convention:
|
||||
// this file is served as `/robots.txt` at build time and is the single
|
||||
// source of truth for crawler allow/disallow.
|
||||
//
|
||||
// Contract:
|
||||
// - Public marketing routes (/, /pricing, /blog/*) are crawlable.
|
||||
// - Authed/app routes (/orgs, /api/*) are noindex'd. They render
|
||||
// useful content only after a session round-trip, so a crawler hit
|
||||
// just wastes our crawl budget and exposes endpoint shapes.
|
||||
// - Tenant subdomains (<slug>.moleculesai.app) share this build but
|
||||
// are blocked at the host level by the canvas middleware sending
|
||||
// an `X-Robots-Tag: noindex` header — robots.txt is per-host and
|
||||
// this file's `host` field claims the apex as canonical.
|
||||
//
|
||||
// Note: `sitemap` is published via the sibling `sitemap.ts` route; we
|
||||
// reference it explicitly here so crawlers don't have to guess.
|
||||
const SITE_URL =
|
||||
process.env.NEXT_PUBLIC_SITE_URL ?? "https://app.moleculesai.app";
|
||||
|
||||
export default function robots(): MetadataRoute.Robots {
|
||||
return {
|
||||
rules: [
|
||||
{
|
||||
userAgent: "*",
|
||||
allow: ["/", "/pricing", "/blog"],
|
||||
// Authed app surface + API + transient checkout returns. The
|
||||
// /orgs route boots the org-selector behind AuthGate; even
|
||||
// though SSR returns markup, that markup is a login wall when
|
||||
// hit by an unauthenticated crawler, so indexing it dilutes
|
||||
// brand searches with a "Please sign in" snippet.
|
||||
disallow: [
|
||||
"/orgs",
|
||||
"/orgs/",
|
||||
"/api/",
|
||||
"/cp/",
|
||||
"/checkout/",
|
||||
],
|
||||
},
|
||||
],
|
||||
sitemap: `${SITE_URL}/sitemap.xml`,
|
||||
host: SITE_URL,
|
||||
};
|
||||
}
|
||||
@@ -1,42 +0,0 @@
|
||||
import type { MetadataRoute } from "next";
|
||||
|
||||
// Marketing-launch SEO (mc#1486). App-Router sitemap convention: this
|
||||
// file is served as `/sitemap.xml` and enumerates the public marketing
|
||||
// surface for search crawlers + AI training pipelines.
|
||||
//
|
||||
// Scope deliberately narrow:
|
||||
// - Apex landing, pricing, and the (currently single) blog post.
|
||||
// - Authed app routes are excluded — they're disallowed in robots.ts
|
||||
// and would appear as "Please sign in" wall to a crawler.
|
||||
//
|
||||
// `lastModified` uses a build-time timestamp rather than per-route
|
||||
// fs.stat so the same value applies regardless of where the build
|
||||
// runs (Vercel/Railway/local). When we add CMS-backed blog content,
|
||||
// swap to a per-entry timestamp from the source-of-truth metadata.
|
||||
const SITE_URL =
|
||||
process.env.NEXT_PUBLIC_SITE_URL ?? "https://app.moleculesai.app";
|
||||
|
||||
const BUILD_DATE = new Date();
|
||||
|
||||
export default function sitemap(): MetadataRoute.Sitemap {
|
||||
return [
|
||||
{
|
||||
url: `${SITE_URL}/`,
|
||||
lastModified: BUILD_DATE,
|
||||
changeFrequency: "weekly",
|
||||
priority: 1.0,
|
||||
},
|
||||
{
|
||||
url: `${SITE_URL}/pricing`,
|
||||
lastModified: BUILD_DATE,
|
||||
changeFrequency: "weekly",
|
||||
priority: 0.9,
|
||||
},
|
||||
{
|
||||
url: `${SITE_URL}/blog/2026-04-20-chrome-devtools-mcp`,
|
||||
lastModified: new Date("2026-04-20"),
|
||||
changeFrequency: "monthly",
|
||||
priority: 0.6,
|
||||
},
|
||||
];
|
||||
}
|
||||
@@ -132,7 +132,7 @@ export function AuditTrailPanel({ workspaceId }: Props) {
|
||||
|
||||
if (loading) {
|
||||
return (
|
||||
<div role="status" aria-live="polite" className="flex items-center justify-center h-32">
|
||||
<div className="flex items-center justify-center h-32">
|
||||
<span className="text-xs text-ink-mid">Loading audit trail…</span>
|
||||
</div>
|
||||
);
|
||||
|
||||
@@ -133,13 +133,13 @@ export function ConversationTraceModal({ open, workspaceId: _workspaceId, onClos
|
||||
{/* Timeline */}
|
||||
<div className="flex-1 overflow-y-auto px-5 py-4">
|
||||
{loading && (
|
||||
<div role="status" aria-live="polite" className="text-xs text-ink-mid text-center py-8">
|
||||
<div className="text-xs text-ink-mid text-center py-8">
|
||||
Loading trace from all workspaces...
|
||||
</div>
|
||||
)}
|
||||
|
||||
{!loading && entries.length === 0 && (
|
||||
<div role="status" aria-live="polite" className="text-xs text-ink-mid text-center py-8">
|
||||
<div className="text-xs text-ink-mid text-center py-8">
|
||||
No activity found
|
||||
</div>
|
||||
)}
|
||||
|
||||
@@ -105,7 +105,7 @@ export function EmptyState() {
|
||||
|
||||
{/* Template grid */}
|
||||
{loading ? (
|
||||
<div role="status" aria-live="polite" className="flex items-center justify-center gap-2 text-xs text-ink-mid py-4">
|
||||
<div className="flex items-center justify-center gap-2 text-xs text-ink-mid py-4">
|
||||
<Spinner />
|
||||
Loading templates...
|
||||
</div>
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
// ($AGENT_URL). They ARE NOT filled in server-side because the
|
||||
// server doesn't know where the operator's agent will live.
|
||||
|
||||
import { useCallback, useRef, useState } from "react";
|
||||
import { useCallback, useState } from "react";
|
||||
import * as Dialog from "@radix-ui/react-dialog";
|
||||
|
||||
type Tab = "python" | "curl" | "claude" | "mcp" | "hermes" | "codex" | "openclaw" | "kimi" | "fields";
|
||||
@@ -84,33 +84,6 @@ export function ExternalConnectModal({ info, onClose }: Props) {
|
||||
: "python";
|
||||
const [tab, setTab] = useState<Tab>(initialTab);
|
||||
const [copiedKey, setCopiedKey] = useState<string | null>(null);
|
||||
const tabRefs = useRef<Map<Tab, HTMLButtonElement | null>>(new Map());
|
||||
|
||||
const handleTabKeyDown = useCallback(
|
||||
(e: React.KeyboardEvent<HTMLButtonElement>, current: Tab, tabs: Tab[]) => {
|
||||
const idx = tabs.indexOf(current);
|
||||
if (e.key === "ArrowRight" || e.key === "ArrowDown") {
|
||||
e.preventDefault();
|
||||
const next = tabs[(idx + 1) % tabs.length];
|
||||
setTab(next);
|
||||
tabRefs.current.get(next)?.focus();
|
||||
} else if (e.key === "ArrowLeft" || e.key === "ArrowUp") {
|
||||
e.preventDefault();
|
||||
const prev = tabs[(idx - 1 + tabs.length) % tabs.length];
|
||||
setTab(prev);
|
||||
tabRefs.current.get(prev)?.focus();
|
||||
} else if (e.key === "Home") {
|
||||
e.preventDefault();
|
||||
setTab(tabs[0]);
|
||||
tabRefs.current.get(tabs[0])?.focus();
|
||||
} else if (e.key === "End") {
|
||||
e.preventDefault();
|
||||
setTab(tabs[tabs.length - 1]);
|
||||
tabRefs.current.get(tabs[tabs.length - 1])?.focus();
|
||||
}
|
||||
},
|
||||
[],
|
||||
);
|
||||
|
||||
const copy = useCallback(async (value: string, key: string) => {
|
||||
try {
|
||||
@@ -187,19 +160,6 @@ export function ExternalConnectModal({ info, onClose }: Props) {
|
||||
`MOLECULE_WORKSPACE_TOKEN=${info.auth_token}`,
|
||||
);
|
||||
|
||||
// Build the tab list once so both the tab bar and keyboard handler
|
||||
// share the same ordered array. Computed here (after all filled* vars)
|
||||
// so TypeScript's block-scoping analysis can reach them.
|
||||
const tabList: Tab[] = [];
|
||||
if (filledUniversalMcp) tabList.push("mcp");
|
||||
tabList.push("python");
|
||||
if (filledChannel) tabList.push("claude");
|
||||
if (filledHermes) tabList.push("hermes");
|
||||
if (filledCodex) tabList.push("codex");
|
||||
if (filledOpenClaw) tabList.push("openclaw");
|
||||
if (filledKimi) tabList.push("kimi");
|
||||
tabList.push("curl", "fields");
|
||||
|
||||
return (
|
||||
<Dialog.Root open onOpenChange={(o) => !o && onClose()}>
|
||||
<Dialog.Portal>
|
||||
@@ -220,18 +180,34 @@ export function ExternalConnectModal({ info, onClose }: Props) {
|
||||
aria-label="Connection snippet format"
|
||||
className="mt-4 flex gap-1 border-b border-line"
|
||||
>
|
||||
{tabList.map((t) => (
|
||||
{(() => {
|
||||
// Build the tab order dynamically. Claude Code first
|
||||
// (when offered) since it's the simplest setup; Python
|
||||
// SDK second (full register+heartbeat+inbound); Universal
|
||||
// MCP third (any MCP-aware runtime, outbound-only); curl
|
||||
// for one-shot register; Fields for raw values.
|
||||
// Tab order: Universal MCP first (default, runtime-
|
||||
// agnostic primitives), then runtime-specific channel/
|
||||
// SDK tabs, then curl + Fields. Each runtime tab only
|
||||
// appears when the platform supplies the snippet — no
|
||||
// dead "tab missing snippet" UX.
|
||||
const tabs: Tab[] = [];
|
||||
if (filledUniversalMcp) tabs.push("mcp");
|
||||
tabs.push("python");
|
||||
if (filledChannel) tabs.push("claude");
|
||||
if (filledHermes) tabs.push("hermes");
|
||||
if (filledCodex) tabs.push("codex");
|
||||
if (filledOpenClaw) tabs.push("openclaw");
|
||||
if (filledKimi) tabs.push("kimi");
|
||||
tabs.push("curl", "fields");
|
||||
return tabs;
|
||||
})().map((t) => (
|
||||
<button
|
||||
key={t}
|
||||
type="button"
|
||||
role="tab"
|
||||
id={`tab-${t}`}
|
||||
aria-selected={tab === t}
|
||||
aria-controls={`panel-${t}`}
|
||||
tabIndex={tab === t ? 0 : -1}
|
||||
ref={(el) => { tabRefs.current.set(t, el); }}
|
||||
onClick={() => setTab(t)}
|
||||
onKeyDown={(e) => handleTabKeyDown(e, t, tabList)}
|
||||
className={`px-3 py-2 text-sm border-b-2 -mb-px transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface ${
|
||||
tab === t
|
||||
? "border-accent text-ink"
|
||||
@@ -259,39 +235,18 @@ export function ExternalConnectModal({ info, onClose }: Props) {
|
||||
))}
|
||||
</div>
|
||||
|
||||
{/* Snippet area — all panels always in the DOM so aria-controls
|
||||
targets are stable. Hidden panels use aria-hidden so screen
|
||||
readers skip them; active panel uses role=tabpanel with
|
||||
aria-labelledby pointing to the tab button. */}
|
||||
<div className="mt-3" data-testid="snippet-panels">
|
||||
{/* Claude Code tab */}
|
||||
<div
|
||||
id="panel-claude"
|
||||
data-testid="panel-claude"
|
||||
role="tabpanel"
|
||||
aria-labelledby="tab-claude"
|
||||
hidden={tab !== "claude" || !filledChannel}
|
||||
className={tab === "claude" && filledChannel ? "" : "hidden"}
|
||||
>
|
||||
{filledChannel && (
|
||||
<SnippetBlock
|
||||
value={filledChannel}
|
||||
label="Claude Code channel — polls workspace's A2A; no tunnel needed"
|
||||
copyKey="claude"
|
||||
copied={copiedKey === "claude"}
|
||||
onCopy={() => copy(filledChannel, "claude")}
|
||||
/>
|
||||
)}
|
||||
</div>
|
||||
{/* Python SDK tab */}
|
||||
<div
|
||||
id="panel-python"
|
||||
data-testid="panel-python"
|
||||
role="tabpanel"
|
||||
aria-labelledby="tab-python"
|
||||
hidden={tab !== "python"}
|
||||
className={tab === "python" ? "" : "hidden"}
|
||||
>
|
||||
{/* Snippet area */}
|
||||
<div className="mt-3">
|
||||
{tab === "claude" && filledChannel && (
|
||||
<SnippetBlock
|
||||
value={filledChannel}
|
||||
label="Claude Code channel — polls workspace's A2A; no tunnel needed"
|
||||
copyKey="claude"
|
||||
copied={copiedKey === "claude"}
|
||||
onCopy={() => copy(filledChannel, "claude")}
|
||||
/>
|
||||
)}
|
||||
{tab === "python" && (
|
||||
<SnippetBlock
|
||||
value={filledPython}
|
||||
label="Python SDK — includes heartbeat loop (push-mode, needs public URL)"
|
||||
@@ -299,16 +254,8 @@ export function ExternalConnectModal({ info, onClose }: Props) {
|
||||
copied={copiedKey === "python"}
|
||||
onCopy={() => copy(filledPython, "python")}
|
||||
/>
|
||||
</div>
|
||||
{/* curl tab */}
|
||||
<div
|
||||
id="panel-curl"
|
||||
data-testid="panel-curl"
|
||||
role="tabpanel"
|
||||
aria-labelledby="tab-curl"
|
||||
hidden={tab !== "curl"}
|
||||
className={tab === "curl" ? "" : "hidden"}
|
||||
>
|
||||
)}
|
||||
{tab === "curl" && (
|
||||
<SnippetBlock
|
||||
value={filledCurl}
|
||||
label="curl — one-shot register only (no heartbeat)"
|
||||
@@ -316,111 +263,53 @@ export function ExternalConnectModal({ info, onClose }: Props) {
|
||||
copied={copiedKey === "curl"}
|
||||
onCopy={() => copy(filledCurl, "curl")}
|
||||
/>
|
||||
</div>
|
||||
{/* Universal MCP tab */}
|
||||
<div
|
||||
id="panel-mcp"
|
||||
data-testid="panel-mcp"
|
||||
role="tabpanel"
|
||||
aria-labelledby="tab-mcp"
|
||||
hidden={tab !== "mcp" || !filledUniversalMcp}
|
||||
className={tab === "mcp" && filledUniversalMcp ? "" : "hidden"}
|
||||
>
|
||||
{filledUniversalMcp && (
|
||||
<SnippetBlock
|
||||
value={filledUniversalMcp}
|
||||
label="Universal MCP — standalone register + heartbeat + tools for any MCP-aware runtime (Claude Code, hermes, codex). Pair with Python or Claude Code tab if you need inbound A2A delivery."
|
||||
copyKey="mcp"
|
||||
copied={copiedKey === "mcp"}
|
||||
onCopy={() => copy(filledUniversalMcp, "mcp")}
|
||||
/>
|
||||
)}
|
||||
</div>
|
||||
{/* Hermes tab */}
|
||||
<div
|
||||
id="panel-hermes"
|
||||
data-testid="panel-hermes"
|
||||
role="tabpanel"
|
||||
aria-labelledby="tab-hermes"
|
||||
hidden={tab !== "hermes" || !filledHermes}
|
||||
className={tab === "hermes" && filledHermes ? "" : "hidden"}
|
||||
>
|
||||
{filledHermes && (
|
||||
<SnippetBlock
|
||||
value={filledHermes}
|
||||
label="Hermes channel — bridges this workspace's A2A traffic into your hermes-agent session as platform messages (push parity with Claude Code). Long-poll based; no tunnel needed."
|
||||
copyKey="hermes"
|
||||
copied={copiedKey === "hermes"}
|
||||
onCopy={() => copy(filledHermes, "hermes")}
|
||||
/>
|
||||
)}
|
||||
</div>
|
||||
{/* Codex tab */}
|
||||
<div
|
||||
id="panel-codex"
|
||||
data-testid="panel-codex"
|
||||
role="tabpanel"
|
||||
aria-labelledby="tab-codex"
|
||||
hidden={tab !== "codex" || !filledCodex}
|
||||
className={tab === "codex" && filledCodex ? "" : "hidden"}
|
||||
>
|
||||
{filledCodex && (
|
||||
<SnippetBlock
|
||||
value={filledCodex}
|
||||
label="Codex MCP config — wires the molecule MCP server into ~/.codex/config.toml. Outbound tools today; inbound A2A push needs the Python SDK tab paired in (codex's MCP runtime doesn't route arbitrary notifications/* yet)."
|
||||
copyKey="codex"
|
||||
copied={copiedKey === "codex"}
|
||||
onCopy={() => copy(filledCodex, "codex")}
|
||||
/>
|
||||
)}
|
||||
</div>
|
||||
{/* OpenClaw tab */}
|
||||
<div
|
||||
id="panel-openclaw"
|
||||
data-testid="panel-openclaw"
|
||||
role="tabpanel"
|
||||
aria-labelledby="tab-openclaw"
|
||||
hidden={tab !== "openclaw" || !filledOpenClaw}
|
||||
className={tab === "openclaw" && filledOpenClaw ? "" : "hidden"}
|
||||
>
|
||||
{filledOpenClaw && (
|
||||
<SnippetBlock
|
||||
value={filledOpenClaw}
|
||||
label="OpenClaw MCP config — wires the molecule MCP server via openclaw mcp set + starts the gateway on loopback. Outbound tools today; inbound A2A push on an external openclaw needs the Python SDK tab paired in (a sessions.steer bridge daemon is future work)."
|
||||
copyKey="openclaw"
|
||||
copied={copiedKey === "openclaw"}
|
||||
onCopy={() => copy(filledOpenClaw, "openclaw")}
|
||||
/>
|
||||
)}
|
||||
</div>
|
||||
{/* Kimi tab */}
|
||||
<div
|
||||
id="panel-kimi"
|
||||
data-testid="panel-kimi"
|
||||
role="tabpanel"
|
||||
aria-labelledby="tab-kimi"
|
||||
hidden={tab !== "kimi" || !filledKimi}
|
||||
className={tab === "kimi" && filledKimi ? "" : "hidden"}
|
||||
>
|
||||
{filledKimi && (
|
||||
<SnippetBlock
|
||||
value={filledKimi}
|
||||
label="Kimi CLI — self-contained Python bridge. Registers, heartbeats, polls for canvas messages, and echoes replies back. NAT-safe (no public URL). Run in a background terminal or via launchd."
|
||||
copyKey="kimi"
|
||||
copied={copiedKey === "kimi"}
|
||||
onCopy={() => copy(filledKimi, "kimi")}
|
||||
/>
|
||||
)}
|
||||
</div>
|
||||
{/* Fields tab */}
|
||||
<div
|
||||
id="panel-fields"
|
||||
data-testid="panel-fields"
|
||||
role="tabpanel"
|
||||
aria-labelledby="tab-fields"
|
||||
hidden={tab !== "fields"}
|
||||
className={tab === "fields" ? "" : "hidden"}
|
||||
>
|
||||
)}
|
||||
{tab === "mcp" && filledUniversalMcp && (
|
||||
<SnippetBlock
|
||||
value={filledUniversalMcp}
|
||||
label="Universal MCP — standalone register + heartbeat + tools for any MCP-aware runtime (Claude Code, hermes, codex). Pair with Python or Claude Code tab if you need inbound A2A delivery."
|
||||
copyKey="mcp"
|
||||
copied={copiedKey === "mcp"}
|
||||
onCopy={() => copy(filledUniversalMcp, "mcp")}
|
||||
/>
|
||||
)}
|
||||
{tab === "hermes" && filledHermes && (
|
||||
<SnippetBlock
|
||||
value={filledHermes}
|
||||
label="Hermes channel — bridges this workspace's A2A traffic into your hermes-agent session as platform messages (push parity with Claude Code). Long-poll based; no tunnel needed."
|
||||
copyKey="hermes"
|
||||
copied={copiedKey === "hermes"}
|
||||
onCopy={() => copy(filledHermes, "hermes")}
|
||||
/>
|
||||
)}
|
||||
{tab === "codex" && filledCodex && (
|
||||
<SnippetBlock
|
||||
value={filledCodex}
|
||||
label="Codex MCP config — wires the molecule MCP server into ~/.codex/config.toml. Outbound tools today; inbound A2A push needs the Python SDK tab paired in (codex's MCP runtime doesn't route arbitrary notifications/* yet)."
|
||||
copyKey="codex"
|
||||
copied={copiedKey === "codex"}
|
||||
onCopy={() => copy(filledCodex, "codex")}
|
||||
/>
|
||||
)}
|
||||
{tab === "openclaw" && filledOpenClaw && (
|
||||
<SnippetBlock
|
||||
value={filledOpenClaw}
|
||||
label="OpenClaw MCP config — wires the molecule MCP server via openclaw mcp set + starts the gateway on loopback. Outbound tools today; inbound A2A push on an external openclaw needs the Python SDK tab paired in (a sessions.steer bridge daemon is future work)."
|
||||
copyKey="openclaw"
|
||||
copied={copiedKey === "openclaw"}
|
||||
onCopy={() => copy(filledOpenClaw, "openclaw")}
|
||||
/>
|
||||
)}
|
||||
{tab === "kimi" && filledKimi && (
|
||||
<SnippetBlock
|
||||
value={filledKimi}
|
||||
label="Kimi CLI — self-contained Python bridge. Registers, heartbeats, polls for canvas messages, and echoes replies back. NAT-safe (no public URL). Run in a background terminal or via launchd."
|
||||
copyKey="kimi"
|
||||
copied={copiedKey === "kimi"}
|
||||
onCopy={() => copy(filledKimi, "kimi")}
|
||||
/>
|
||||
)}
|
||||
{tab === "fields" && (
|
||||
<div className="space-y-2">
|
||||
<Field label="workspace_id" value={info.workspace_id} onCopy={() => copy(info.workspace_id, "wsid")} copied={copiedKey === "wsid"} />
|
||||
<Field label="platform_url" value={info.platform_url} onCopy={() => copy(info.platform_url, "url")} copied={copiedKey === "url"} />
|
||||
@@ -434,7 +323,7 @@ export function ExternalConnectModal({ info, onClose }: Props) {
|
||||
<Field label="registry_endpoint" value={info.registry_endpoint} onCopy={() => copy(info.registry_endpoint, "reg")} copied={copiedKey === "reg"} />
|
||||
<Field label="heartbeat_endpoint" value={info.heartbeat_endpoint} onCopy={() => copy(info.heartbeat_endpoint, "hb")} copied={copiedKey === "hb"} />
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
|
||||
<div className="mt-5 flex justify-end gap-2">
|
||||
|
||||
@@ -440,7 +440,6 @@ function ProviderPickerModal({
|
||||
onChange={(e) => updateEntry(index, { value: e.target.value.trimStart() })}
|
||||
placeholder={entry.key.includes("API_KEY") ? "sk-..." : "Enter value"}
|
||||
type="password"
|
||||
aria-label={`Value for ${entry.key}`}
|
||||
ref={index === 0 ? firstInputRef : undefined}
|
||||
onKeyDown={(e) => {
|
||||
if (e.key === "Enter" && entry.value.trim()) {
|
||||
@@ -460,7 +459,7 @@ function ProviderPickerModal({
|
||||
)}
|
||||
|
||||
{entry.error && (
|
||||
<div role="alert" aria-live="assertive" className="mt-1.5 text-[10px] text-bad">{entry.error}</div>
|
||||
<div className="mt-1.5 text-[10px] text-bad">{entry.error}</div>
|
||||
)}
|
||||
</div>
|
||||
))}
|
||||
@@ -695,7 +694,6 @@ function AllKeysModal({
|
||||
onChange={(e) => updateEntry(index, { value: e.target.value.trimStart() })}
|
||||
placeholder={entry.key.includes("API_KEY") ? "sk-..." : "Enter value"}
|
||||
type="password"
|
||||
aria-label={`Value for ${entry.key}`}
|
||||
autoFocus={index === 0}
|
||||
onKeyDown={(e) => {
|
||||
if (e.key === "Enter" && entry.value.trim()) {
|
||||
@@ -720,7 +718,7 @@ function AllKeysModal({
|
||||
))}
|
||||
|
||||
{globalError && (
|
||||
<div role="alert" aria-live="assertive" className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[11px] text-bad">
|
||||
<div className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[11px] text-bad">
|
||||
{globalError}
|
||||
</div>
|
||||
)}
|
||||
|
||||
@@ -71,7 +71,7 @@ export function WorkspaceUsage({ workspaceId }: WorkspaceUsageProps) {
|
||||
<SkeletonRow />
|
||||
</>
|
||||
) : error ? (
|
||||
<p role="alert" aria-live="assertive" className="text-xs text-bad" data-testid="usage-error">
|
||||
<p className="text-xs text-bad" data-testid="usage-error">
|
||||
{error}
|
||||
</p>
|
||||
) : metrics ? (
|
||||
|
||||
@@ -131,9 +131,7 @@ describe("ExternalConnectModal — tab switching", () => {
|
||||
it("switches to the Python SDK tab and shows the snippet with stamped token", () => {
|
||||
renderAndFlush(defaultInfo);
|
||||
fireEvent.click(screen.getByRole("tab", { name: /python sdk/i }));
|
||||
// Query within the python panel so we get the right pre (not the first in DOM).
|
||||
const pythonPanel = document.querySelector("[data-testid='panel-python']");
|
||||
const preEl = pythonPanel?.querySelector("pre");
|
||||
const preEl = document.querySelector("pre");
|
||||
expect(preEl?.textContent).toContain("AUTH_TOKEN");
|
||||
// The placeholder is replaced with the real auth token
|
||||
expect(preEl?.textContent).toContain("secret-auth-token-abc");
|
||||
@@ -142,9 +140,7 @@ describe("ExternalConnectModal — tab switching", () => {
|
||||
it("switches to the curl tab and shows the snippet with stamped token", () => {
|
||||
renderAndFlush(defaultInfo);
|
||||
fireEvent.click(screen.getByRole("tab", { name: /curl/i }));
|
||||
// Query within the curl panel so we get the right pre (not the first in DOM).
|
||||
const curlPanel = document.querySelector("[data-testid='panel-curl']");
|
||||
const preEl = curlPanel?.querySelector("pre");
|
||||
const preEl = document.querySelector("pre");
|
||||
expect(preEl?.textContent).toContain("curl");
|
||||
expect(preEl?.textContent).toContain("secret-auth-token-abc");
|
||||
});
|
||||
@@ -152,11 +148,9 @@ describe("ExternalConnectModal — tab switching", () => {
|
||||
it("switches to the Fields tab and shows raw values", () => {
|
||||
renderAndFlush(defaultInfo);
|
||||
fireEvent.click(screen.getByRole("tab", { name: /fields/i }));
|
||||
// Query within the fields panel for specific values.
|
||||
const fieldsPanel = document.querySelector("[data-testid='panel-fields']");
|
||||
expect(fieldsPanel?.textContent).toContain("ws-123");
|
||||
expect(fieldsPanel?.textContent).toContain("https://app.example.com");
|
||||
expect(fieldsPanel?.textContent).toContain("secret-auth-token-abc");
|
||||
expect(screen.getByText("ws-123")).toBeTruthy();
|
||||
expect(screen.getByText("https://app.example.com")).toBeTruthy();
|
||||
expect(screen.getByText("secret-auth-token-abc")).toBeTruthy();
|
||||
});
|
||||
|
||||
it("hides the Hermes tab when hermes_channel_snippet is absent", () => {
|
||||
@@ -174,8 +168,7 @@ describe("ExternalConnectModal — snippet token stamping", () => {
|
||||
it("stamps the real auth_token into the Python snippet instead of the placeholder", () => {
|
||||
renderAndFlush(defaultInfo);
|
||||
fireEvent.click(screen.getByRole("tab", { name: /python sdk/i }));
|
||||
const pythonPanel = document.querySelector("[data-testid='panel-python']");
|
||||
const preEl = pythonPanel?.querySelector("pre");
|
||||
const preEl = document.querySelector("pre");
|
||||
expect(preEl?.textContent).not.toContain("<paste from create response>");
|
||||
expect(preEl?.textContent).toContain("secret-auth-token-abc");
|
||||
});
|
||||
@@ -183,8 +176,7 @@ describe("ExternalConnectModal — snippet token stamping", () => {
|
||||
it("stamps the real auth_token into the curl snippet", () => {
|
||||
renderAndFlush(defaultInfo);
|
||||
fireEvent.click(screen.getByRole("tab", { name: /curl/i }));
|
||||
const curlPanel = document.querySelector("[data-testid='panel-curl']");
|
||||
const preEl = curlPanel?.querySelector("pre");
|
||||
const preEl = document.querySelector("pre");
|
||||
// curl template uses WORKSPACE_AUTH_TOKEN placeholder, not the generic one
|
||||
expect(preEl?.textContent).toContain("secret-auth-token-abc");
|
||||
});
|
||||
@@ -192,8 +184,7 @@ describe("ExternalConnectModal — snippet token stamping", () => {
|
||||
it("stamps the real auth_token into the Universal MCP snippet", () => {
|
||||
renderAndFlush(defaultInfo);
|
||||
// Default tab is Universal MCP
|
||||
const mcpPanel = document.querySelector("[data-testid='panel-mcp']");
|
||||
const preEl = mcpPanel?.querySelector("pre");
|
||||
const preEl = document.querySelector("pre");
|
||||
expect(preEl?.textContent).toContain("secret-auth-token-abc");
|
||||
expect(preEl?.textContent).not.toContain("<paste from create response>");
|
||||
});
|
||||
@@ -202,10 +193,8 @@ describe("ExternalConnectModal — snippet token stamping", () => {
|
||||
describe("ExternalConnectModal — copy functionality", () => {
|
||||
it("calls navigator.clipboard.writeText with the snippet text", () => {
|
||||
renderAndFlush(defaultInfo);
|
||||
// Default tab is Universal MCP — query the copy button within the mcp panel.
|
||||
const mcpPanel = document.querySelector("[data-testid='panel-mcp']");
|
||||
const copyBtn = mcpPanel?.querySelector("button");
|
||||
if (copyBtn) fireEvent.click(copyBtn);
|
||||
// Default tab is Universal MCP
|
||||
fireEvent.click(screen.getByRole("button", { name: /^copy$/i }));
|
||||
expect(clipboardWriteText).toHaveBeenCalledWith(
|
||||
expect.stringContaining("secret-auth-token-abc"),
|
||||
);
|
||||
@@ -238,8 +227,7 @@ describe("ExternalConnectModal — missing optional fields", () => {
|
||||
};
|
||||
renderAndFlush(minimalInfo);
|
||||
fireEvent.click(screen.getByRole("tab", { name: /fields/i }));
|
||||
const fieldsPanel = document.querySelector("[data-testid='panel-fields']");
|
||||
expect(fieldsPanel?.textContent).toContain("(missing)");
|
||||
expect(screen.getByText("(missing)")).toBeTruthy();
|
||||
});
|
||||
|
||||
it("hides the Hermes tab when hermes_channel_snippet is absent", () => {
|
||||
|
||||
@@ -223,7 +223,6 @@ export function MobileCanvas({
|
||||
textTransform: "uppercase",
|
||||
fontWeight: 600,
|
||||
}}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
>
|
||||
Reset
|
||||
</button>
|
||||
|
||||
@@ -356,7 +356,6 @@ export function MobileChat({
|
||||
type="button"
|
||||
onClick={onBack}
|
||||
aria-label="Back"
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
width: 36,
|
||||
height: 36,
|
||||
@@ -403,7 +402,6 @@ export function MobileChat({
|
||||
<button
|
||||
type="button"
|
||||
aria-label="More"
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
width: 36,
|
||||
height: 36,
|
||||
@@ -434,7 +432,6 @@ export function MobileChat({
|
||||
key={t.id}
|
||||
type="button"
|
||||
onClick={() => setTab(t.id)}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
padding: "4px 0 8px",
|
||||
border: "none",
|
||||
@@ -478,7 +475,7 @@ export function MobileChat({
|
||||
}}
|
||||
>
|
||||
{tab === "my" && historyLoading && (
|
||||
<div role="status" aria-live="polite" style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
|
||||
<div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
|
||||
Loading chat history…
|
||||
</div>
|
||||
)}
|
||||
@@ -498,8 +495,6 @@ export function MobileChat({
|
||||
onClick={() => {
|
||||
loadInitial();
|
||||
}}
|
||||
aria-label="Retry loading chat history"
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400"
|
||||
style={{
|
||||
padding: "6px 14px",
|
||||
borderRadius: 14,
|
||||
@@ -515,7 +510,7 @@ export function MobileChat({
|
||||
</div>
|
||||
)}
|
||||
{tab === "my" && !historyLoading && !historyError && messages.length === 0 && (
|
||||
<div role="status" aria-live="polite" style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
|
||||
<div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
|
||||
Send a message to start chatting.
|
||||
</div>
|
||||
)}
|
||||
@@ -669,7 +664,6 @@ export function MobileChat({
|
||||
type="button"
|
||||
onClick={() => removePendingFile(i)}
|
||||
aria-label={`Remove ${f.name}`}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
border: "none",
|
||||
background: "transparent",
|
||||
@@ -710,7 +704,6 @@ export function MobileChat({
|
||||
onClick={() => fileInputRef.current?.click()}
|
||||
disabled={!reachable || sending || uploading}
|
||||
aria-label="Attach"
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
width: 32,
|
||||
height: 32,
|
||||
@@ -732,7 +725,6 @@ export function MobileChat({
|
||||
ref={composerRef}
|
||||
value={draft}
|
||||
onChange={(e) => setDraft(e.target.value)}
|
||||
aria-label="Message"
|
||||
onKeyDown={(e) => {
|
||||
// Enter sends; Shift+Enter inserts a newline. Skip when the
|
||||
// IME is composing — pressing Enter to commit a Chinese/
|
||||
@@ -756,12 +748,7 @@ export function MobileChat({
|
||||
border: "none",
|
||||
outline: "none",
|
||||
background: "transparent",
|
||||
// iOS Safari/PWA zooms the viewport when a focused textarea
|
||||
// has a computed font-size below 16px. 14.5 triggers that
|
||||
// focus-zoom; the page looks broken until the user pinches
|
||||
// back (#224, same class as desktop #1434 / sibling #225).
|
||||
// 16px is the minimum that keeps focus from zooming.
|
||||
fontSize: 16,
|
||||
fontSize: 14.5,
|
||||
lineHeight: 1.4,
|
||||
color: p.text,
|
||||
padding: "6px 0",
|
||||
@@ -777,13 +764,12 @@ export function MobileChat({
|
||||
onClick={send}
|
||||
disabled={(!draft.trim() && pendingFiles.length === 0) || !reachable || sending || uploading}
|
||||
aria-label="Send"
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
width: 36,
|
||||
height: 36,
|
||||
borderRadius: 999,
|
||||
border: "none",
|
||||
cursor: (draft.trim() || pendingFiles.length === 0) && !sending && !uploading ? "pointer" : "not-allowed",
|
||||
cursor: (draft.trim() || pendingFiles.length > 0) && !sending && !uploading ? "pointer" : "not-allowed",
|
||||
flexShrink: 0,
|
||||
background:
|
||||
(draft.trim() || pendingFiles.length > 0) && reachable && !sending && !uploading
|
||||
|
||||
@@ -231,7 +231,6 @@ export function MobileComms({ dark }: { dark: boolean }) {
|
||||
fontSize: 13,
|
||||
fontWeight: 500,
|
||||
}}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
>
|
||||
{o.label}
|
||||
<span
|
||||
@@ -252,11 +251,11 @@ export function MobileComms({ dark }: { dark: boolean }) {
|
||||
|
||||
<div style={{ padding: "0 14px", display: "flex", flexDirection: "column", gap: 8 }}>
|
||||
{loading && items.length === 0 ? (
|
||||
<div role="status" aria-live="polite" style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
|
||||
<div style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
|
||||
Loading recent comms…
|
||||
</div>
|
||||
) : filtered.length === 0 ? (
|
||||
<div role="status" aria-live="polite" style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
|
||||
<div style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
|
||||
No A2A traffic yet.
|
||||
</div>
|
||||
) : (
|
||||
|
||||
@@ -83,12 +83,11 @@ export function MobileDetail({
|
||||
type="button"
|
||||
onClick={onBack}
|
||||
aria-label="Back"
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={iconButtonStyle(p, dark)}
|
||||
>
|
||||
{Icons.back({ size: 18 })}
|
||||
</button>
|
||||
<button type="button" aria-label="More" className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900" style={iconButtonStyle(p, dark)}>
|
||||
<button type="button" aria-label="More" style={iconButtonStyle(p, dark)}>
|
||||
{Icons.more({ size: 18 })}
|
||||
</button>
|
||||
</div>
|
||||
@@ -184,7 +183,6 @@ export function MobileDetail({
|
||||
key={t.id}
|
||||
type="button"
|
||||
onClick={() => setTab(t.id)}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
padding: "8px 14px",
|
||||
borderRadius: 999,
|
||||
@@ -217,7 +215,6 @@ export function MobileDetail({
|
||||
type="button"
|
||||
onClick={onChat}
|
||||
data-testid="mobile-chat-cta"
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
width: "100%",
|
||||
height: 52,
|
||||
@@ -419,8 +416,6 @@ function DetailActivity({ workspaceId, dark }: { workspaceId: string; dark: bool
|
||||
if (items === null) {
|
||||
return (
|
||||
<div
|
||||
role="status"
|
||||
aria-live="polite"
|
||||
style={{
|
||||
background: p.surface,
|
||||
borderRadius: 16,
|
||||
|
||||
@@ -200,7 +200,6 @@ export function MobileHome({
|
||||
justifyContent: "center",
|
||||
boxShadow: "0 8px 24px rgba(40,30,20,0.25), 0 2px 6px rgba(40,30,20,0.15)",
|
||||
}}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
>
|
||||
{Icons.plus({ size: 22 })}
|
||||
</button>
|
||||
|
||||
@@ -92,7 +92,6 @@ export function MobileMe({
|
||||
border: on ? `2px solid ${p.text}` : "2px solid transparent",
|
||||
boxShadow: on ? `0 0 0 2px ${p.bg} inset` : "none",
|
||||
}}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
/>
|
||||
);
|
||||
})}
|
||||
@@ -185,7 +184,6 @@ function SegmentedRow({
|
||||
fontSize: 13,
|
||||
fontWeight: 600,
|
||||
}}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
>
|
||||
{o.label}
|
||||
</button>
|
||||
|
||||
@@ -148,7 +148,6 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
|
||||
type="button"
|
||||
onClick={onClose}
|
||||
aria-label="Close"
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
width: 32,
|
||||
height: 32,
|
||||
@@ -171,8 +170,6 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
|
||||
<div style={{ padding: "0 14px" }}>
|
||||
{loadingTemplates ? (
|
||||
<div
|
||||
role="status"
|
||||
aria-live="polite"
|
||||
style={{
|
||||
padding: "24px 8px",
|
||||
textAlign: "center",
|
||||
@@ -217,8 +214,6 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
|
||||
setTplId(t.id);
|
||||
setTier(tCode);
|
||||
}}
|
||||
aria-label={`Select template: ${t.name} (tier ${t.tier})`}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
background: on
|
||||
? dark
|
||||
@@ -307,7 +302,6 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
|
||||
<input
|
||||
value={name}
|
||||
onChange={(e) => setName(e.target.value)}
|
||||
aria-label="Agent name"
|
||||
placeholder={tplId
|
||||
? (templates.find((t) => t.id === tplId)?.name ?? "agent-name")
|
||||
: "agent-name"}
|
||||
@@ -318,12 +312,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
|
||||
border: `0.5px solid ${p.border}`,
|
||||
borderRadius: 12,
|
||||
fontFamily: MOBILE_FONT_MONO,
|
||||
// iOS Safari/PWA zooms the viewport when a focused input has
|
||||
// a computed font-size below 16px; the layout jumps and the
|
||||
// page looks broken until the user pinches back (#224 / #225,
|
||||
// same class as desktop #1434). 16px is the minimum that
|
||||
// suppresses that focus-zoom.
|
||||
fontSize: 16,
|
||||
fontSize: 13.5,
|
||||
color: p.text,
|
||||
outline: "none",
|
||||
boxSizing: "border-box",
|
||||
@@ -341,8 +330,6 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
|
||||
key={t}
|
||||
type="button"
|
||||
onClick={() => setTier(t)}
|
||||
aria-label={`Select tier ${t}: ${TIER_LABEL[t]}`}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
flex: 1,
|
||||
padding: "10px 8px",
|
||||
@@ -390,8 +377,6 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
|
||||
type="button"
|
||||
onClick={handleSpawn}
|
||||
disabled={busy || !tplId || templates.length === 0}
|
||||
aria-label="Spawn agent"
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
width: "100%",
|
||||
height: 52,
|
||||
|
||||
@@ -263,20 +263,6 @@ describe("MobileChat — composer", () => {
|
||||
const sendBtn = container.querySelector('[aria-label="Send"]') as HTMLButtonElement;
|
||||
expect(sendBtn.disabled).toBe(true);
|
||||
});
|
||||
|
||||
// Regression #224: the composer textarea must render with font-size
|
||||
// ≥ 16px. iOS Safari and PWAs auto-zoom the viewport when a focused
|
||||
// input has a computed font-size below 16px — the layout jumps and
|
||||
// the page looks broken until the user pinches back. Same class as
|
||||
// desktop #1434 / sibling MobileSpawn #225.
|
||||
it("composer textarea renders at font-size 16px or greater (iOS focus-zoom regression #224)", () => {
|
||||
const { container } = renderChat(mockAgentId);
|
||||
const textarea = container.querySelector("textarea") as HTMLTextAreaElement;
|
||||
expect(textarea).toBeTruthy();
|
||||
const fs = Number.parseFloat(textarea.style.fontSize);
|
||||
expect(Number.isFinite(fs)).toBe(true);
|
||||
expect(fs).toBeGreaterThanOrEqual(16);
|
||||
});
|
||||
});
|
||||
|
||||
// ─── Tabs ─────────────────────────────────────────────────────────────────────
|
||||
|
||||
@@ -93,24 +93,6 @@ describe("MobileSpawn — render", () => {
|
||||
expect(input).toBeTruthy();
|
||||
});
|
||||
|
||||
// Regression #224 / #225: the agent-name input must render with a
|
||||
// font-size ≥ 16px. iOS Safari and PWAs auto-zoom the viewport when a
|
||||
// focused input has a computed font-size below 16px — the layout
|
||||
// jumps and the page looks broken until the user pinches back.
|
||||
it("renders the name input at font-size 16px or greater (iOS focus-zoom regression)", () => {
|
||||
apiGetSpy.mockResolvedValue(mockTemplates);
|
||||
render(<MobileSpawn dark={true} onClose={vi.fn()} />);
|
||||
const input = document.querySelector(
|
||||
'input[aria-label="Agent name"]',
|
||||
) as HTMLInputElement | null;
|
||||
expect(input).toBeTruthy();
|
||||
// Parse the inline style font-size — jsdom doesn't run a layout
|
||||
// engine, so getComputedStyle reports the inline value verbatim.
|
||||
const fs = Number.parseFloat(input!.style.fontSize);
|
||||
expect(Number.isFinite(fs)).toBe(true);
|
||||
expect(fs).toBeGreaterThanOrEqual(16);
|
||||
});
|
||||
|
||||
it("renders all 4 tier buttons", () => {
|
||||
apiGetSpy.mockResolvedValue(mockTemplates);
|
||||
render(<MobileSpawn dark={true} onClose={vi.fn()} />);
|
||||
|
||||
@@ -133,7 +133,6 @@ export function TabBar({
|
||||
aria-label={t.label}
|
||||
onClick={() => onChange(t.id)}
|
||||
onKeyDown={(e) => handleKeyDown(e, idx)}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
background: "none",
|
||||
border: "none",
|
||||
@@ -292,7 +291,6 @@ export function AgentCard({
|
||||
data-testid="workspace-card"
|
||||
aria-label={`${agent.name}, status: ${agent.status}, tier ${agent.tier}${agent.remote ? ", remote" : ""}`}
|
||||
onClick={onClick}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
display: "block",
|
||||
width: "100%",
|
||||
@@ -446,7 +444,6 @@ export function FilterChips({
|
||||
type="button"
|
||||
aria-checked={on}
|
||||
onClick={() => onChange(o.id)}
|
||||
className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
|
||||
style={{
|
||||
display: "inline-flex",
|
||||
alignItems: "center",
|
||||
|
||||
@@ -160,14 +160,14 @@ export function OrgTokensTab() {
|
||||
</code>
|
||||
<button
|
||||
onClick={handleCopy}
|
||||
className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
|
||||
className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors"
|
||||
>
|
||||
{copied ? 'Copied' : 'Copy'}
|
||||
</button>
|
||||
</div>
|
||||
<button
|
||||
onClick={() => setNewToken(null)}
|
||||
className="text-[9px] text-good/60 hover:text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
|
||||
className="text-[9px] text-good/60 hover:text-good transition-colors"
|
||||
>
|
||||
Dismiss
|
||||
</button>
|
||||
@@ -219,7 +219,7 @@ export function OrgTokensTab() {
|
||||
</div>
|
||||
<button
|
||||
onClick={() => setRevokeTarget(t)}
|
||||
className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 shrink-0 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
|
||||
className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 shrink-0"
|
||||
>
|
||||
Revoke
|
||||
</button>
|
||||
|
||||
@@ -140,14 +140,14 @@ function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
|
||||
</code>
|
||||
<button
|
||||
onClick={handleCopy}
|
||||
className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
|
||||
className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors"
|
||||
>
|
||||
{copied ? 'Copied' : 'Copy'}
|
||||
</button>
|
||||
</div>
|
||||
<button
|
||||
onClick={() => setNewToken(null)}
|
||||
className="text-[9px] text-good/60 hover:text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
|
||||
className="text-[9px] text-good/60 hover:text-good transition-colors"
|
||||
>
|
||||
Dismiss
|
||||
</button>
|
||||
@@ -192,7 +192,7 @@ function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
|
||||
</div>
|
||||
<button
|
||||
onClick={() => setRevokeTarget(t)}
|
||||
className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
|
||||
className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1"
|
||||
>
|
||||
Revoke
|
||||
</button>
|
||||
|
||||
@@ -185,7 +185,7 @@ export function ActivityTab({ workspaceId }: Props) {
|
||||
{/* Activity list */}
|
||||
<div className="flex-1 overflow-y-auto p-3 space-y-1.5">
|
||||
{loading && activities.length === 0 && (
|
||||
<div role="status" aria-live="polite" className="text-xs text-ink-mid text-center py-8">Loading activity...</div>
|
||||
<div className="text-xs text-ink-mid text-center py-8">Loading activity...</div>
|
||||
)}
|
||||
|
||||
{error && (
|
||||
|
||||
@@ -262,7 +262,7 @@ export function ChannelsTab({ workspaceId }: Props) {
|
||||
</div>
|
||||
|
||||
{error && (
|
||||
<div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
<div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
{error}
|
||||
</div>
|
||||
)}
|
||||
|
||||
@@ -10,7 +10,6 @@ import { downloadChatFile, isPlatformAttachment } from "./chat/uploads";
|
||||
import { PendingAttachmentPill } from "./chat/AttachmentViews";
|
||||
import { AttachmentPreview } from "./chat/AttachmentPreview";
|
||||
import { AgentCommsPanel } from "./chat/AgentCommsPanel";
|
||||
import { ChatErrorBanner } from "./chat/ChatErrorBanner";
|
||||
import { appendActivityLine } from "./chat/activityLog";
|
||||
import { runtimeDisplayName } from "@/lib/runtime-names";
|
||||
import { ConfirmDialog } from "@/components/ConfirmDialog";
|
||||
@@ -593,19 +592,22 @@ function MyChatPanel({ workspaceId, data }: Props) {
|
||||
<div ref={bottomRef} />
|
||||
</div>
|
||||
|
||||
{/* Error banner — internal#212: surfaces the secret-safe
|
||||
actionable failure reason that ws-server places on
|
||||
ACTIVITY_LOGGED.error_detail (propagated via
|
||||
useChatSocket → onSendError → setError) and offers a
|
||||
"View activity log" affordance that navigates the user to
|
||||
the Activity tab where the full row lives. The previous
|
||||
inline JSX hardcoded "see workspace logs for details" with
|
||||
no link — there is no separate Logs tab. */}
|
||||
<ChatErrorBanner
|
||||
message={displayError}
|
||||
isOnline={isOnline}
|
||||
onRestart={() => setConfirmRestart(true)}
|
||||
/>
|
||||
{/* Error banner */}
|
||||
{displayError && (
|
||||
<div className="px-3 py-2 bg-red-900/20 border-t border-red-800/30">
|
||||
<div className="flex items-center justify-between">
|
||||
<span className="text-[10px] text-red-300">{displayError}</span>
|
||||
{!isOnline && (
|
||||
<button
|
||||
onClick={() => setConfirmRestart(true)}
|
||||
className="text-[11px] px-2 py-0.5 bg-red-800 text-red-200 rounded hover:bg-red-700"
|
||||
>
|
||||
Restart
|
||||
</button>
|
||||
)}
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
|
||||
{/* Input */}
|
||||
<div className="p-3 border-t border-line">
|
||||
|
||||
@@ -81,7 +81,7 @@ function AgentCardSection({ workspaceId }: { workspaceId: string }) {
|
||||
spellCheck={false} rows={12}
|
||||
className="w-full bg-surface-card border border-line rounded p-2 text-[10px] font-mono text-ink focus:outline-none focus:border-accent resize-none"
|
||||
/>
|
||||
{error && <div role="alert" aria-live="assertive" className="px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">{error}</div>}
|
||||
{error && <div className="px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">{error}</div>}
|
||||
<div className="flex gap-2">
|
||||
<button type="button" onClick={handleSave} disabled={saving}
|
||||
className="px-2 py-1 bg-accent hover:bg-accent-strong text-[10px] rounded text-white disabled:opacity-50 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface">
|
||||
@@ -109,130 +109,6 @@ function AgentCardSection({ workspaceId }: { workspaceId: string }) {
|
||||
);
|
||||
}
|
||||
|
||||
// --- Agent Abilities Section ---
|
||||
//
|
||||
// Always-visible on/off controls for the two workspace-level ability flags
|
||||
// (broadcast_enabled, talk_to_user_enabled). Both are mutated through the
|
||||
// same admin endpoint the ChatTab recovery banner already uses
|
||||
// (PATCH /workspaces/:id/abilities) and reflected into the canvas store node
|
||||
// data (broadcastEnabled / talkToUserEnabled) so every surface that reads
|
||||
// useCanvasStore.nodes stays consistent without a full re-hydrate.
|
||||
//
|
||||
// Before this section there was NO canvas control for either flag: the
|
||||
// backend was fully wired (workspace_abilities.go / workspace_broadcast.go /
|
||||
// agent_message_writer.go, see commit 29b4bffb + internal#510/#511) but the
|
||||
// only frontend affordance was the ChatTab recovery banner, which renders
|
||||
// solely when talk_to_user_enabled===false and so is invisible under the
|
||||
// TRUE default and never existed at all for broadcast.
|
||||
function AgentAbilitiesSection({ workspaceId }: { workspaceId: string }) {
|
||||
// Read the live ability flags off the canvas store node — the platform
|
||||
// event stream hydrates these (canvas-topology.ts maps the workspace row's
|
||||
// broadcast_enabled/talk_to_user_enabled onto node data), so this stays in
|
||||
// sync with the recovery banner and avoids a duplicate GET. Mirrors the
|
||||
// store-read pattern used by AgentCardSection above.
|
||||
const node = useCanvasStore((s) =>
|
||||
s.nodes?.find?.((n) => n.id === workspaceId),
|
||||
);
|
||||
// Defaults match the backend column defaults + canvas-topology mapping:
|
||||
// broadcast_enabled defaults FALSE, talk_to_user_enabled defaults TRUE.
|
||||
const broadcastEnabled = node?.data.broadcastEnabled ?? false;
|
||||
const talkToUserEnabled = node?.data.talkToUserEnabled ?? true;
|
||||
|
||||
// Track an in-flight PATCH per field so a double-click can't fire two
|
||||
// racing writes, and surface a one-line error if the server rejects.
|
||||
const [pending, setPending] = useState<null | "broadcast" | "talk">(null);
|
||||
const [error, setError] = useState<string | null>(null);
|
||||
|
||||
const patchAbility = async (
|
||||
which: "broadcast" | "talk",
|
||||
body: { broadcast_enabled: boolean } | { talk_to_user_enabled: boolean },
|
||||
optimistic: Partial<{ broadcastEnabled: boolean; talkToUserEnabled: boolean }>,
|
||||
) => {
|
||||
setError(null);
|
||||
setPending(which);
|
||||
// Optimistic store update — the toggle flips immediately; on failure we
|
||||
// roll back to the server-truth value the store last held.
|
||||
const prev = {
|
||||
broadcastEnabled,
|
||||
talkToUserEnabled,
|
||||
};
|
||||
useCanvasStore.getState().updateNodeData(workspaceId, optimistic);
|
||||
try {
|
||||
await api.patch(`/workspaces/${workspaceId}/abilities`, body);
|
||||
} catch (e) {
|
||||
// Roll back the optimistic change to last-known server truth.
|
||||
useCanvasStore.getState().updateNodeData(workspaceId, {
|
||||
broadcastEnabled: prev.broadcastEnabled,
|
||||
talkToUserEnabled: prev.talkToUserEnabled,
|
||||
});
|
||||
setError(
|
||||
e instanceof Error ? e.message : "Failed to update ability — try again",
|
||||
);
|
||||
} finally {
|
||||
setPending(null);
|
||||
}
|
||||
};
|
||||
|
||||
return (
|
||||
<Section title="Agent Abilities">
|
||||
<p className="text-[10px] text-ink-mid px-1 pb-1">
|
||||
Workspace-level permissions for this agent. Changes apply immediately
|
||||
(no restart required).
|
||||
</p>
|
||||
<div className="space-y-2">
|
||||
<div>
|
||||
<Toggle
|
||||
label="Talk to user"
|
||||
checked={talkToUserEnabled}
|
||||
onChange={(v) =>
|
||||
pending
|
||||
? undefined
|
||||
: patchAbility(
|
||||
"talk",
|
||||
{ talk_to_user_enabled: v },
|
||||
{ talkToUserEnabled: v },
|
||||
)
|
||||
}
|
||||
/>
|
||||
<p className="text-[10px] text-ink-mid mt-0.5 ml-6">
|
||||
When off, the agent's <code className="font-mono">send_message_to_user</code>{" "}
|
||||
and <code className="font-mono">POST /notify</code> calls are
|
||||
rejected (403) — it must route updates through a parent workspace.
|
||||
</p>
|
||||
</div>
|
||||
<div>
|
||||
<Toggle
|
||||
label="Broadcast to peers"
|
||||
checked={broadcastEnabled}
|
||||
onChange={(v) =>
|
||||
pending
|
||||
? undefined
|
||||
: patchAbility(
|
||||
"broadcast",
|
||||
{ broadcast_enabled: v },
|
||||
{ broadcastEnabled: v },
|
||||
)
|
||||
}
|
||||
/>
|
||||
<p className="text-[10px] text-ink-mid mt-0.5 ml-6">
|
||||
When on, the agent may <code className="font-mono">POST /broadcast</code>{" "}
|
||||
to message all non-removed agent workspaces in the org. Off by
|
||||
default — only privileged orchestrators should hold this.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
{pending && (
|
||||
<div className="mt-2 text-[10px] text-ink-mid">Saving…</div>
|
||||
)}
|
||||
{error && (
|
||||
<div role="alert" aria-live="assertive" className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
|
||||
{error}
|
||||
</div>
|
||||
)}
|
||||
</Section>
|
||||
);
|
||||
}
|
||||
|
||||
// --- Main ConfigTab ---
|
||||
|
||||
interface ModelSpec {
|
||||
@@ -919,7 +795,6 @@ export function ConfigTab({ workspaceId }: Props) {
|
||||
<label className="text-[10px] text-ink-mid block mb-1">Model</label>
|
||||
<input
|
||||
type="text"
|
||||
aria-label="Model"
|
||||
value={currentModelId}
|
||||
onChange={(e) => {
|
||||
const v = e.target.value;
|
||||
@@ -1010,8 +885,6 @@ export function ConfigTab({ workspaceId }: Props) {
|
||||
)}
|
||||
</Section>
|
||||
|
||||
<AgentAbilitiesSection workspaceId={workspaceId} />
|
||||
|
||||
{/* Claude Settings — shown for claude-code runtime or claude/anthropic model names */}
|
||||
{(config.runtime === "claude-code" ||
|
||||
(config.runtime_config?.model || config.model || "").toLowerCase().includes("claude") ||
|
||||
@@ -1122,7 +995,7 @@ export function ConfigTab({ workspaceId }: Props) {
|
||||
)}
|
||||
|
||||
{error && (
|
||||
<div role="alert" aria-live="assertive" className="mx-3 mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">{error}</div>
|
||||
<div className="mx-3 mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">{error}</div>
|
||||
)}
|
||||
{!error && RUNTIMES_WITH_OWN_CONFIG.has(config.runtime || "") && (
|
||||
<div className="mx-3 mb-2 px-3 py-1.5 bg-surface-sunken/50 border border-line rounded text-xs text-ink-mid">
|
||||
|
||||
@@ -157,7 +157,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
|
||||
</select>
|
||||
</Field>
|
||||
{saveError && (
|
||||
<div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
<div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
{saveError}
|
||||
</div>
|
||||
)}
|
||||
@@ -203,7 +203,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
|
||||
{isRestartable && (
|
||||
<div className="pt-2">
|
||||
{restartError && (
|
||||
<div role="alert" aria-live="assertive" className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
<div className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
{restartError}
|
||||
</div>
|
||||
)}
|
||||
@@ -307,7 +307,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
|
||||
{/* Delete */}
|
||||
<Section title="Danger Zone">
|
||||
{deleteError && (
|
||||
<div role="alert" aria-live="assertive" className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
<div className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
{deleteError}
|
||||
</div>
|
||||
)}
|
||||
|
||||
@@ -82,7 +82,7 @@ export function EventsTab({ workspaceId }: Props) {
|
||||
</div>
|
||||
|
||||
{error && (
|
||||
<div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
<div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
{error}
|
||||
</div>
|
||||
)}
|
||||
|
||||
@@ -102,7 +102,7 @@ export function ExternalConnectionSection({ workspaceId }: Props) {
|
||||
</div>
|
||||
|
||||
{error && (
|
||||
<div role="alert" aria-live="assertive" className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
|
||||
<div className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
|
||||
{error}
|
||||
</div>
|
||||
)}
|
||||
|
||||
@@ -266,7 +266,7 @@ function PlatformOwnedFilesTab({
|
||||
// immediately. Delete-All hovers DARKER (bg-red-700) — same AA
|
||||
// contrast trap that bit ConfirmDialog/ApprovalBanner. Cancel
|
||||
// lifts to surface-elevated instead of the prior no-op hover.
|
||||
<div role="alertdialog" aria-modal="false" aria-labelledby="files-delete-all-msg" className="mx-3 mt-2 px-3 py-2 bg-red-950/30 border border-red-800/40 rounded space-y-1.5">
|
||||
<div role="alertdialog" aria-labelledby="files-delete-all-msg" className="mx-3 mt-2 px-3 py-2 bg-red-950/30 border border-red-800/40 rounded space-y-1.5">
|
||||
<p id="files-delete-all-msg" className="text-xs text-bad">Delete all {files.filter((f) => !f.dir).length} files? This cannot be undone.</p>
|
||||
<div className="flex gap-2">
|
||||
<button type="button" onClick={() => { handleDeleteAll(); setShowDeleteAll(false); }} className="px-2 py-0.5 bg-red-700 hover:bg-red-600 text-[10px] rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Delete All</button>
|
||||
@@ -280,7 +280,7 @@ function PlatformOwnedFilesTab({
|
||||
)}
|
||||
|
||||
{confirmDelete && (
|
||||
<div role="alertdialog" aria-modal="false" aria-labelledby="files-delete-one-msg" className="mx-3 mt-2 px-3 py-2 bg-amber-950/30 border border-amber-800/40 rounded space-y-1.5">
|
||||
<div role="alertdialog" aria-labelledby="files-delete-one-msg" className="mx-3 mt-2 px-3 py-2 bg-amber-950/30 border border-amber-800/40 rounded space-y-1.5">
|
||||
<p id="files-delete-one-msg" className="text-xs text-warm">Delete <span className="font-mono">{confirmDelete}</span>{files.find((f) => f.path === confirmDelete && f.dir) ? " and all its contents" : ""}?</p>
|
||||
<div className="flex gap-2">
|
||||
<button type="button" onClick={confirmDeleteFile} className="px-2 py-0.5 bg-red-700 hover:bg-red-600 text-[10px] rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Delete</button>
|
||||
|
||||
@@ -275,7 +275,7 @@ export function ScheduleTab({ workspaceId }: Props) {
|
||||
Enabled
|
||||
</label>
|
||||
</div>
|
||||
{error && <div role="alert" aria-live="assertive" className="text-[10px] text-bad">{error}</div>}
|
||||
{error && <div className="text-[10px] text-bad">{error}</div>}
|
||||
<div className="flex gap-2">
|
||||
<button
|
||||
type="button"
|
||||
|
||||
@@ -67,7 +67,7 @@ export function TracesTab({ workspaceId }: Props) {
|
||||
</div>
|
||||
|
||||
{error && (
|
||||
<div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
<div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
|
||||
{error}
|
||||
</div>
|
||||
)}
|
||||
|
||||
@@ -1,99 +0,0 @@
|
||||
// @vitest-environment jsdom
|
||||
//
|
||||
// Pins internal#212 — the chat error banner must:
|
||||
//
|
||||
// 1. Render the secret-safe failure reason (e.g. the provider's own
|
||||
// "403 oauth_org_not_allowed: ..." string), NOT the opaque
|
||||
// hardcoded "Agent error (Exception) — see workspace logs for
|
||||
// details." that points at a workspace-logs tab that doesn't
|
||||
// exist.
|
||||
//
|
||||
// 2. Offer a working "View activity log" affordance that navigates
|
||||
// the user to the Activity tab where the full row lives.
|
||||
//
|
||||
// Tested at the banner-component seam (ChatErrorBanner). The
|
||||
// hook-level path is pinned separately by
|
||||
// chat/hooks/__tests__/useChatSocket.test.tsx — together they cover
|
||||
// wire-payload → callback → render without each test needing to drive
|
||||
// the full ChatTab send-state machinery.
|
||||
|
||||
import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
|
||||
import { render, screen, cleanup, fireEvent } from "@testing-library/react";
|
||||
|
||||
afterEach(cleanup);
|
||||
|
||||
const mocks = vi.hoisted(() => ({
|
||||
setPanelTabMock: vi.fn(),
|
||||
}));
|
||||
|
||||
vi.mock("@/store/canvas", () => {
|
||||
const state = {
|
||||
setPanelTab: mocks.setPanelTabMock,
|
||||
panelTab: "chat",
|
||||
};
|
||||
const hook = (selector?: (s: typeof state) => unknown) =>
|
||||
selector ? selector(state) : state;
|
||||
hook.getState = () => state;
|
||||
return { useCanvasStore: hook };
|
||||
});
|
||||
|
||||
beforeEach(() => {
|
||||
mocks.setPanelTabMock.mockClear();
|
||||
});
|
||||
|
||||
import { ChatErrorBanner } from "../chat/ChatErrorBanner";
|
||||
|
||||
describe("ChatErrorBanner — surfaces actionable reason (internal#212)", () => {
|
||||
it("renders the secret-safe failure reason verbatim, not a hardcoded opaque message", () => {
|
||||
const reason =
|
||||
"Anthropic 403 oauth_org_not_allowed: Your organization has disabled Claude subscription access for Claude Code — use an Anthropic API key or ask your admin to enable access.";
|
||||
render(<ChatErrorBanner message={reason} isOnline={true} onRestart={() => {}} />);
|
||||
expect(screen.getByText(/oauth_org_not_allowed/i)).toBeDefined();
|
||||
expect(screen.getByText(/disabled Claude subscription access/i)).toBeDefined();
|
||||
// The legacy boilerplate must NOT leak through when a real reason
|
||||
// is provided.
|
||||
expect(screen.queryByText(/see workspace logs for details/i)).toBeNull();
|
||||
});
|
||||
|
||||
it("falls back to the message when it IS the legacy boilerplate (older ws-server)", () => {
|
||||
// Graceful degradation: an older ws-server passes through the
|
||||
// hardcoded text; the banner still renders SOMETHING — never
|
||||
// silently swallow.
|
||||
render(
|
||||
<ChatErrorBanner
|
||||
message="Agent error (Exception) — see workspace logs for details."
|
||||
isOnline={true}
|
||||
onRestart={() => {}}
|
||||
/>,
|
||||
);
|
||||
expect(
|
||||
screen.getByText(/Agent error \(Exception\) — see workspace logs for details\./),
|
||||
).toBeDefined();
|
||||
});
|
||||
|
||||
it("offers a 'View activity log' button that calls setPanelTab('activity')", () => {
|
||||
render(
|
||||
<ChatErrorBanner message="kimi 401 invalid_api_key" isOnline={true} onRestart={() => {}} />,
|
||||
);
|
||||
const btn = screen.getByRole("button", { name: /view activity log/i });
|
||||
fireEvent.click(btn);
|
||||
expect(mocks.setPanelTabMock).toHaveBeenCalledWith("activity");
|
||||
});
|
||||
|
||||
it("still shows the Restart button when offline (existing behavior preserved)", () => {
|
||||
const onRestart = vi.fn();
|
||||
render(
|
||||
<ChatErrorBanner message="Agent is offline" isOnline={false} onRestart={onRestart} />,
|
||||
);
|
||||
const btn = screen.getByRole("button", { name: /^restart$/i });
|
||||
fireEvent.click(btn);
|
||||
expect(onRestart).toHaveBeenCalledTimes(1);
|
||||
});
|
||||
|
||||
it("renders nothing when message is null", () => {
|
||||
const { container } = render(
|
||||
<ChatErrorBanner message={null} isOnline={true} onRestart={() => {}} />,
|
||||
);
|
||||
expect(container.textContent).toBe("");
|
||||
});
|
||||
});
|
||||
@@ -1,165 +0,0 @@
|
||||
// @vitest-environment jsdom
|
||||
//
|
||||
// Tests for the always-visible "Agent Abilities" section added to ConfigTab
|
||||
// (internal#510 broadcast_enabled, internal#511 talk_to_user_enabled; backend
|
||||
// wired in commit 29b4bffb).
|
||||
//
|
||||
// Problem this pins: the two workspace ability flags had complete wired
|
||||
// backends but NO canvas control — broadcast had none at all, talk-to-user
|
||||
// only surfaced as a ChatTab recovery banner that is invisible under its
|
||||
// TRUE default. The CTO could not see or toggle either from canvas.
|
||||
//
|
||||
// What this suite pins:
|
||||
// 1. An "Agent Abilities" section renders (always visible, not gated).
|
||||
// 2. Both toggles render and reflect the store node's ability fields,
|
||||
// including the asymmetric defaults (broadcast FALSE, talk TRUE).
|
||||
// 3. Toggling a switch calls PATCH /workspaces/:id/abilities with the
|
||||
// correct snake_case body and optimistically updates the store.
|
||||
|
||||
import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
|
||||
import { render, screen, cleanup, waitFor, fireEvent } from "@testing-library/react";
|
||||
import React from "react";
|
||||
|
||||
afterEach(cleanup);
|
||||
|
||||
const apiGet = vi.fn();
|
||||
const apiPatch = vi.fn();
|
||||
vi.mock("@/lib/api", () => ({
|
||||
api: {
|
||||
get: (path: string) => apiGet(path),
|
||||
patch: (path: string, body?: unknown) => apiPatch(path, body),
|
||||
put: vi.fn(),
|
||||
post: vi.fn(),
|
||||
del: vi.fn(),
|
||||
},
|
||||
}));
|
||||
|
||||
// Store node carries the ability flags hydrated by the platform stream
|
||||
// (canvas-topology.ts maps broadcast_enabled/talk_to_user_enabled onto
|
||||
// node.data). Mirror that shape so the section reads real values.
|
||||
const storeUpdateNodeData = vi.fn();
|
||||
const storeRestartWorkspace = vi.fn();
|
||||
let nodeData: { broadcastEnabled?: boolean; talkToUserEnabled?: boolean } = {};
|
||||
const makeState = () => ({
|
||||
nodes: [{ id: "ws-test", data: nodeData }],
|
||||
restartWorkspace: storeRestartWorkspace,
|
||||
updateNodeData: storeUpdateNodeData,
|
||||
});
|
||||
vi.mock("@/store/canvas", () => ({
|
||||
useCanvasStore: Object.assign(
|
||||
(selector: (s: unknown) => unknown) => selector(makeState()),
|
||||
{ getState: () => makeState() },
|
||||
),
|
||||
}));
|
||||
|
||||
vi.mock("../AgentCardSection", () => ({
|
||||
AgentCardSection: () => <div data-testid="agent-card-stub" />,
|
||||
}));
|
||||
|
||||
import { ConfigTab } from "../ConfigTab";
|
||||
|
||||
beforeEach(() => {
|
||||
apiGet.mockReset();
|
||||
apiPatch.mockReset();
|
||||
apiPatch.mockResolvedValue({ status: "updated" });
|
||||
storeUpdateNodeData.mockReset();
|
||||
apiGet.mockImplementation((path: string) => {
|
||||
if (path === `/workspaces/ws-test`) {
|
||||
return Promise.resolve({ runtime: "claude-code" });
|
||||
}
|
||||
if (path === `/workspaces/ws-test/model`) {
|
||||
return Promise.resolve({ model: "claude-opus-4-7" });
|
||||
}
|
||||
if (path === `/workspaces/ws-test/provider`) {
|
||||
return Promise.resolve({ provider: "anthropic-oauth", source: "default" });
|
||||
}
|
||||
if (path === `/workspaces/ws-test/files/config.yaml`) {
|
||||
return Promise.resolve({ content: "name: test\nruntime: claude-code\n" });
|
||||
}
|
||||
if (path === "/templates") {
|
||||
return Promise.resolve([
|
||||
{ id: "claude-code", name: "Claude Code", runtime: "claude-code", providers: [] },
|
||||
]);
|
||||
}
|
||||
return Promise.reject(new Error(`unmocked api.get: ${path}`));
|
||||
});
|
||||
});
|
||||
|
||||
describe("ConfigTab Agent Abilities section", () => {
|
||||
it("renders an always-visible 'Agent Abilities' section with both toggles", async () => {
|
||||
nodeData = {}; // unset → defaults
|
||||
render(<ConfigTab workspaceId="ws-test" />);
|
||||
await waitFor(() => expect(apiGet).toHaveBeenCalled());
|
||||
expect(
|
||||
await screen.findByRole("button", { name: /Agent Abilities/i }),
|
||||
).toBeTruthy();
|
||||
expect(screen.getByText("Talk to user")).toBeTruthy();
|
||||
expect(screen.getByText("Broadcast to peers")).toBeTruthy();
|
||||
});
|
||||
|
||||
it("reflects the asymmetric defaults: talk-to-user ON, broadcast OFF", async () => {
|
||||
nodeData = {}; // unset → backend defaults
|
||||
render(<ConfigTab workspaceId="ws-test" />);
|
||||
await waitFor(() => expect(apiGet).toHaveBeenCalled());
|
||||
const talk = (await screen.findByText("Talk to user"))
|
||||
.closest("label")!
|
||||
.querySelector("input") as HTMLInputElement;
|
||||
const broadcast = screen
|
||||
.getByText("Broadcast to peers")
|
||||
.closest("label")!
|
||||
.querySelector("input") as HTMLInputElement;
|
||||
expect(talk.checked).toBe(true);
|
||||
expect(broadcast.checked).toBe(false);
|
||||
});
|
||||
|
||||
it("reflects explicit store values", async () => {
|
||||
nodeData = { broadcastEnabled: true, talkToUserEnabled: false };
|
||||
render(<ConfigTab workspaceId="ws-test" />);
|
||||
await waitFor(() => expect(apiGet).toHaveBeenCalled());
|
||||
const talk = (await screen.findByText("Talk to user"))
|
||||
.closest("label")!
|
||||
.querySelector("input") as HTMLInputElement;
|
||||
const broadcast = screen
|
||||
.getByText("Broadcast to peers")
|
||||
.closest("label")!
|
||||
.querySelector("input") as HTMLInputElement;
|
||||
expect(talk.checked).toBe(false);
|
||||
expect(broadcast.checked).toBe(true);
|
||||
});
|
||||
|
||||
it("PATCHes /abilities with talk_to_user_enabled and optimistically updates the store", async () => {
|
||||
nodeData = {}; // talk defaults true
|
||||
render(<ConfigTab workspaceId="ws-test" />);
|
||||
await waitFor(() => expect(apiGet).toHaveBeenCalled());
|
||||
const talk = (await screen.findByText("Talk to user"))
|
||||
.closest("label")!
|
||||
.querySelector("input") as HTMLInputElement;
|
||||
fireEvent.click(talk); // true → false
|
||||
await waitFor(() =>
|
||||
expect(apiPatch).toHaveBeenCalledWith("/workspaces/ws-test/abilities", {
|
||||
talk_to_user_enabled: false,
|
||||
}),
|
||||
);
|
||||
expect(storeUpdateNodeData).toHaveBeenCalledWith("ws-test", {
|
||||
talkToUserEnabled: false,
|
||||
});
|
||||
});
|
||||
|
||||
it("PATCHes /abilities with broadcast_enabled when the broadcast toggle is flipped", async () => {
|
||||
nodeData = {}; // broadcast defaults false
|
||||
render(<ConfigTab workspaceId="ws-test" />);
|
||||
await waitFor(() => expect(apiGet).toHaveBeenCalled());
|
||||
const broadcast = (await screen.findByText("Broadcast to peers"))
|
||||
.closest("label")!
|
||||
.querySelector("input") as HTMLInputElement;
|
||||
fireEvent.click(broadcast); // false → true
|
||||
await waitFor(() =>
|
||||
expect(apiPatch).toHaveBeenCalledWith("/workspaces/ws-test/abilities", {
|
||||
broadcast_enabled: true,
|
||||
}),
|
||||
);
|
||||
expect(storeUpdateNodeData).toHaveBeenCalledWith("ws-test", {
|
||||
broadcastEnabled: true,
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -405,7 +405,7 @@ export function AgentCommsPanel({ workspaceId }: { workspaceId: string }) {
|
||||
</p>
|
||||
<button
|
||||
onClick={loadInitial}
|
||||
className="text-[10px] px-2 py-0.5 rounded bg-red-800/40 text-bad hover:bg-red-700/50 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1"
|
||||
className="text-[10px] px-2 py-0.5 rounded bg-red-800/40 text-bad hover:bg-red-700/50 transition-colors"
|
||||
>
|
||||
Retry
|
||||
</button>
|
||||
@@ -610,7 +610,7 @@ function PeerTabButton({
|
||||
aria-selected={active}
|
||||
tabIndex={active ? 0 : -1}
|
||||
onClick={onClick}
|
||||
className={`shrink-0 px-3 py-1.5 text-[10px] font-medium transition-colors whitespace-nowrap focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-cyan-500/60 focus-visible:ring-offset-1 ${
|
||||
className={`shrink-0 px-3 py-1.5 text-[10px] font-medium transition-colors whitespace-nowrap ${
|
||||
active
|
||||
? "border-b-2 border-cyan-500 text-cyan-200"
|
||||
: "border-b-2 border-transparent text-ink-mid hover:text-ink-mid"
|
||||
|
||||
@@ -33,7 +33,7 @@ export function PendingAttachmentPill({
|
||||
<button
|
||||
onClick={onRemove}
|
||||
aria-label={`Remove ${file.name}`}
|
||||
className="ml-0.5 text-ink-mid hover:text-ink transition-colors shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/60 focus-visible:ring-offset-1"
|
||||
className="ml-0.5 text-ink-mid hover:text-ink transition-colors shrink-0"
|
||||
>
|
||||
<svg width="10" height="10" viewBox="0 0 16 16" fill="none" aria-hidden="true">
|
||||
<path d="M4 4l8 8M12 4l-8 8" stroke="currentColor" strokeWidth="1.6" strokeLinecap="round" />
|
||||
@@ -62,9 +62,8 @@ export function AttachmentChip({
|
||||
return (
|
||||
<button
|
||||
onClick={() => onDownload(attachment)}
|
||||
aria-label={`Download ${attachment.name}`}
|
||||
title={`Download ${attachment.name}`}
|
||||
className={`flex items-center gap-1.5 rounded-md border px-2 py-1 text-[10px] transition-colors max-w-full focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/60 focus-visible:ring-offset-1 ${toneClasses}`}
|
||||
className={`flex items-center gap-1.5 rounded-md border px-2 py-1 text-[10px] transition-colors max-w-full ${toneClasses}`}
|
||||
>
|
||||
<FileGlyph className="shrink-0 opacity-70" />
|
||||
<span className="truncate">{attachment.name}</span>
|
||||
|
||||
@@ -1,85 +0,0 @@
|
||||
"use client";
|
||||
|
||||
/**
|
||||
* ChatErrorBanner — error-state banner rendered under the chat
|
||||
* message list when an agent turn fails or the workspace is offline.
|
||||
*
|
||||
* internal#212 closes the "see workspace logs for details" pointer-to-
|
||||
* nowhere defect:
|
||||
*
|
||||
* - The banner now renders the actionable, secret-safe failure
|
||||
* reason that ws-server places on `ACTIVITY_LOGGED.error_detail`
|
||||
* (provider HTTP status + error code + provider's own human
|
||||
* message). The hook (`useChatSocket`) forwards this through
|
||||
* `onSendError`, which the ChatTab routes into this banner's
|
||||
* `message` prop. No hardcoded opaque text in this component.
|
||||
*
|
||||
* - A "View activity log" button navigates the user to the Activity
|
||||
* tab where the full row (request body, response body, timing,
|
||||
* full error_detail) lives. Until internal#212, the banner
|
||||
* mentioned "workspace logs" with no link — there is no separate
|
||||
* Logs tab in the side panel; the Activity tab IS the workspace-
|
||||
* logs surface. Routing through the existing tab makes the
|
||||
* reference real instead of dangling.
|
||||
*
|
||||
* - The existing Restart button (shown only when the workspace is
|
||||
* offline) is preserved unchanged so the recovery affordance the
|
||||
* old banner offered does not regress.
|
||||
*
|
||||
* Pure presentational — no socket subscription, no state machine. Easy
|
||||
* to unit-test in isolation and easy to compose into the ChatTab.
|
||||
*/
|
||||
|
||||
import { useCanvasStore } from "@/store/canvas";
|
||||
|
||||
export interface ChatErrorBannerProps {
|
||||
/** The user-visible reason. Pass `null` to render nothing. */
|
||||
message: string | null;
|
||||
/** Workspace reachable state — gates the Restart affordance. */
|
||||
isOnline: boolean;
|
||||
/** Fires when the user clicks Restart (offline-only). */
|
||||
onRestart: () => void;
|
||||
}
|
||||
|
||||
export function ChatErrorBanner({ message, isOnline, onRestart }: ChatErrorBannerProps) {
|
||||
// Pulled from the global store rather than threaded through props so
|
||||
// the chat tab does not need to know about the side-panel tab state.
|
||||
// Matches how Toolbar.tsx triggers the audit tab (the existing
|
||||
// precedent for cross-tab navigation).
|
||||
const setPanelTab = useCanvasStore((s) => s.setPanelTab);
|
||||
|
||||
if (!message) return null;
|
||||
|
||||
return (
|
||||
<div
|
||||
// role="alert" + aria-live mirrors the project's existing WCAG
|
||||
// 4.1.3 banner pattern (see fix/canvas-errors-aria-alert) — a
|
||||
// screen reader announces the failure as soon as it lands.
|
||||
role="alert"
|
||||
aria-live="assertive"
|
||||
className="px-3 py-2 bg-red-900/20 border-t border-red-800/30"
|
||||
>
|
||||
<div className="flex items-center justify-between gap-2">
|
||||
<span className="text-[10px] text-red-300 break-words flex-1">{message}</span>
|
||||
<div className="flex items-center gap-1.5 shrink-0">
|
||||
<button
|
||||
type="button"
|
||||
onClick={() => setPanelTab("activity")}
|
||||
className="text-[10px] px-2 py-0.5 bg-red-900/40 hover:bg-red-800/60 border border-red-700/40 text-red-200 rounded transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
|
||||
>
|
||||
View activity log
|
||||
</button>
|
||||
{!isOnline && (
|
||||
<button
|
||||
type="button"
|
||||
onClick={onRestart}
|
||||
className="text-[11px] px-2 py-0.5 bg-red-800 text-red-200 rounded hover:bg-red-700"
|
||||
>
|
||||
Restart
|
||||
</button>
|
||||
)}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
@@ -0,0 +1,102 @@
|
||||
import { describe, it, expect, beforeEach } from "vitest";
|
||||
import { useCanvasStore } from "@/store/canvas";
|
||||
import { resolveWorkspaceName } from "../hooks/resolveWorkspaceName";
|
||||
|
||||
beforeEach(() => {
|
||||
// Reset store to a clean slate between tests so node lookup is deterministic.
|
||||
useCanvasStore.setState({ nodes: [] });
|
||||
});
|
||||
|
||||
describe("resolveWorkspaceName", () => {
|
||||
it("returns the workspace name when a node with that ID exists", () => {
|
||||
useCanvasStore.setState({
|
||||
nodes: [
|
||||
{
|
||||
id: "ws-alpha-001",
|
||||
type: "workspace",
|
||||
data: { name: "Alpha Agent" },
|
||||
position: { x: 0, y: 0 },
|
||||
},
|
||||
],
|
||||
});
|
||||
|
||||
expect(resolveWorkspaceName("ws-alpha-001")).toBe("Alpha Agent");
|
||||
});
|
||||
|
||||
it("falls back to the first 8 chars of the ID when no matching node exists", () => {
|
||||
expect(resolveWorkspaceName("ws-zzz-not-found")).toBe("ws-zzz-n");
|
||||
});
|
||||
|
||||
it("falls back to the first 8 chars when the node exists but has no name", () => {
|
||||
useCanvasStore.setState({
|
||||
nodes: [
|
||||
{
|
||||
id: "ws-no-name",
|
||||
type: "workspace",
|
||||
// data.name is deliberately absent
|
||||
data: {},
|
||||
position: { x: 0, y: 0 },
|
||||
},
|
||||
],
|
||||
});
|
||||
|
||||
expect(resolveWorkspaceName("ws-no-name")).toBe("ws-no-na");
|
||||
});
|
||||
|
||||
it("returns the first 8 chars for a very short ID", () => {
|
||||
expect(resolveWorkspaceName("ab")).toBe("ab");
|
||||
});
|
||||
|
||||
it("returns the first 8 chars when the ID is exactly 8 characters", () => {
|
||||
// slice(0,8) of an 8-char string is the full string
|
||||
const id = "12345678";
|
||||
expect(resolveWorkspaceName(id)).toBe(id);
|
||||
});
|
||||
|
||||
it("picks the right node when multiple workspaces share a prefix", () => {
|
||||
useCanvasStore.setState({
|
||||
nodes: [
|
||||
{
|
||||
id: "00000000-0000-0000-0000-000000000001",
|
||||
type: "workspace",
|
||||
data: { name: "Backend Agent" },
|
||||
position: { x: 0, y: 0 },
|
||||
},
|
||||
{
|
||||
id: "00000000-0000-0000-0000-000000000002",
|
||||
type: "workspace",
|
||||
data: { name: "Frontend Agent" },
|
||||
position: { x: 100, y: 0 },
|
||||
},
|
||||
],
|
||||
});
|
||||
|
||||
expect(resolveWorkspaceName("00000000-0000-0000-0000-000000000002")).toBe(
|
||||
"Frontend Agent"
|
||||
);
|
||||
expect(resolveWorkspaceName("00000000-0000-0000-0000-000000000001")).toBe(
|
||||
"Backend Agent"
|
||||
);
|
||||
});
|
||||
|
||||
it("does not mutate store state between calls", () => {
|
||||
useCanvasStore.setState({
|
||||
nodes: [
|
||||
{
|
||||
id: "stable-id",
|
||||
type: "workspace",
|
||||
data: { name: "Stable Workspace" },
|
||||
position: { x: 0, y: 0 },
|
||||
},
|
||||
],
|
||||
});
|
||||
|
||||
resolveWorkspaceName("stable-id");
|
||||
resolveWorkspaceName("unknown-id");
|
||||
|
||||
// Store nodes must be unchanged — resolveWorkspaceName is read-only.
|
||||
const nodes = useCanvasStore.getState().nodes;
|
||||
expect(nodes).toHaveLength(1);
|
||||
expect((nodes[0] as { id: string }).id).toBe("stable-id");
|
||||
});
|
||||
});
|
||||
@@ -1,179 +0,0 @@
|
||||
import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
|
||||
import {
|
||||
uploadChatFiles,
|
||||
FileTooLargeError,
|
||||
MAX_UPLOAD_BYTES,
|
||||
computeUploadTimeoutMs,
|
||||
} from "../uploads";
|
||||
|
||||
// Tests for the 100 MB upload-cap raise + correct-reason error mapping
|
||||
// (CTO 2026-05-19 directive on forensic a99ab0a1: "if its file size
|
||||
// issue, should have error that instead saying timeout which is
|
||||
// wrong"). Each case has its own specific reason; conflation is the
|
||||
// bug this PR fixes.
|
||||
|
||||
// File constructor in node's vitest env supports size via array length.
|
||||
// Allocate a typed-array of N bytes and wrap it — File reads .size off
|
||||
// the underlying Blob. Allocating 101 MB once per test is fine (vitest
|
||||
// maxWorkers=1, single test process).
|
||||
function makeFile(name: string, size: number): File {
|
||||
const buf = new Uint8Array(size);
|
||||
return new File([buf], name);
|
||||
}
|
||||
|
||||
const wsId = "00000000-0000-0000-0000-000000000001";
|
||||
|
||||
describe("uploadChatFiles — MAX_UPLOAD_BYTES + pre-flight gate", () => {
|
||||
it("MAX_UPLOAD_BYTES is exactly 100 MB (mirrors server constant)", () => {
|
||||
// Pinned so a regression that flipped the constant back to 50 MB
|
||||
// would fail loudly here — without this the canvas would
|
||||
// silently start rejecting files the server now accepts.
|
||||
expect(MAX_UPLOAD_BYTES).toBe(100 * 1024 * 1024);
|
||||
});
|
||||
|
||||
it("throws FileTooLargeError for a 101 MB file BEFORE any network I/O", async () => {
|
||||
const oversize = makeFile("big.bin", 101 * 1024 * 1024);
|
||||
const fetchSpy = vi.spyOn(globalThis, "fetch");
|
||||
try {
|
||||
await uploadChatFiles(wsId, [oversize]);
|
||||
throw new Error("expected uploadChatFiles to throw, but it resolved");
|
||||
} catch (e) {
|
||||
// The exact class name matters — useChatSend's mapUploadErrorToReason
|
||||
// routes off `instanceof FileTooLargeError`. A regression that
|
||||
// demoted to a plain Error would silently re-introduce the
|
||||
// wrong-reason conflation CTO flagged.
|
||||
expect(e).toBeInstanceOf(FileTooLargeError);
|
||||
const err = e as FileTooLargeError;
|
||||
// Message must contain the 100MB cap (so the user knows what the
|
||||
// limit is) and a number-with-MB form of the actual size.
|
||||
expect(err.message).toContain("100MB");
|
||||
// Some toFixed(1) renderings: 101.0MB. Loose match: contains "MB".
|
||||
expect(err.message).toMatch(/got\s+\d+(\.\d+)?MB/);
|
||||
expect(err.fileSize).toBe(101 * 1024 * 1024);
|
||||
}
|
||||
// CRITICAL: no fetch may have been initiated. Pre-flight is the
|
||||
// whole point — if a network round-trip happened we'd be back to
|
||||
// surfacing a downstream timeout / 413 instead of the actionable
|
||||
// file-size message.
|
||||
expect(fetchSpy).not.toHaveBeenCalled();
|
||||
fetchSpy.mockRestore();
|
||||
});
|
||||
|
||||
it("accepts a file exactly at the cap (== MAX_UPLOAD_BYTES)", async () => {
|
||||
// Equality must NOT trip the gate — the cap is inclusive on the
|
||||
// server side and the canvas must match. Without this, an exact-
|
||||
// cap file would 503 client-side while the server accepts it.
|
||||
const exact = makeFile("max.bin", MAX_UPLOAD_BYTES);
|
||||
const fetchSpy = vi
|
||||
.spyOn(globalThis, "fetch")
|
||||
.mockResolvedValue(
|
||||
new Response(JSON.stringify({ files: [] }), {
|
||||
status: 200,
|
||||
headers: { "content-type": "application/json" },
|
||||
}),
|
||||
);
|
||||
await expect(uploadChatFiles(wsId, [exact])).resolves.toBeDefined();
|
||||
expect(fetchSpy).toHaveBeenCalledOnce();
|
||||
fetchSpy.mockRestore();
|
||||
});
|
||||
});
|
||||
|
||||
describe("computeUploadTimeoutMs — scaled timeout curve", () => {
|
||||
it("100 KB file → 60s floor (small-file ergonomics)", () => {
|
||||
// Below the floor, the small-file UX (typo'd hostname surfacing as
|
||||
// connect-error quickly) takes priority over the slow-uplink
|
||||
// assumption.
|
||||
expect(computeUploadTimeoutMs(100 * 1024)).toBe(60_000);
|
||||
});
|
||||
|
||||
it("1 MB file → 60s floor", () => {
|
||||
expect(computeUploadTimeoutMs(1 * 1024 * 1024)).toBe(60_000);
|
||||
});
|
||||
|
||||
it("100 MB file → ~1000s (matches the slow-uplink design budget)", () => {
|
||||
// Pin the upper-bound case the design targets: at 100 MB / 100 KB/s
|
||||
// a legitimate slow uplink completes in ~1000s, comfortably
|
||||
// before the platform's 1200s http.Client timeout. Without this
|
||||
// scaling, the previous fixed 60s deadline aborted Ryan's ~60 MB
|
||||
// upload in forensic a99ab0a1.
|
||||
const ms = computeUploadTimeoutMs(100 * 1024 * 1024);
|
||||
// 100*1024*1024 / 100 = 1048576 ms ≈ 1048.6s — pin to ±1ms.
|
||||
expect(ms).toBe(Math.floor((100 * 1024 * 1024) / 100));
|
||||
expect(ms).toBeGreaterThan(1_000_000);
|
||||
expect(ms).toBeLessThan(1_100_000);
|
||||
});
|
||||
|
||||
it("strictly monotonic above the floor", () => {
|
||||
// A regression that capped or non-monotonised the curve would
|
||||
// silently re-introduce premature aborts for mid-size files.
|
||||
const a = computeUploadTimeoutMs(10 * 1024 * 1024);
|
||||
const b = computeUploadTimeoutMs(50 * 1024 * 1024);
|
||||
const c = computeUploadTimeoutMs(100 * 1024 * 1024);
|
||||
expect(b).toBeGreaterThan(a);
|
||||
expect(c).toBeGreaterThan(b);
|
||||
});
|
||||
});
|
||||
|
||||
describe("uploadChatFiles — error path shapes (for downstream reason-mapping)", () => {
|
||||
let fetchSpy: ReturnType<typeof vi.spyOn> | null = null;
|
||||
|
||||
beforeEach(() => {
|
||||
fetchSpy = vi.spyOn(globalThis, "fetch");
|
||||
});
|
||||
afterEach(() => {
|
||||
fetchSpy?.mockRestore();
|
||||
fetchSpy = null;
|
||||
});
|
||||
|
||||
it("propagates the server's 413 reason verbatim (not as 'timeout')", async () => {
|
||||
// The error message text is what useChatSend surfaces via
|
||||
// `Upload failed: ${e.message}` — pin that the server's reason
|
||||
// is present, not swallowed.
|
||||
fetchSpy!.mockResolvedValue(
|
||||
new Response('{"error":"file exceeds per-file limit (100 MB)"}', {
|
||||
status: 413,
|
||||
headers: { "content-type": "application/json" },
|
||||
}),
|
||||
);
|
||||
const f = makeFile("small.bin", 1024);
|
||||
await expect(uploadChatFiles(wsId, [f])).rejects.toThrow(
|
||||
/upload failed:.*413.*per-file limit/i,
|
||||
);
|
||||
});
|
||||
|
||||
it("propagates AbortSignal timeout as a DOMException with name=TimeoutError", async () => {
|
||||
// Reason-routing in useChatSend.mapUploadErrorToReason discriminates
|
||||
// by e.name === 'TimeoutError'. Pin the shape so a future browser /
|
||||
// polyfill change that renamed it would fail loudly here, NOT
|
||||
// silently fall through to the generic "Upload failed" path
|
||||
// (which is what made forensic a99ab0a1 hard to root-cause).
|
||||
const abortErr = new DOMException("signal timed out", "TimeoutError");
|
||||
fetchSpy!.mockRejectedValue(abortErr);
|
||||
const f = makeFile("small.bin", 1024);
|
||||
try {
|
||||
await uploadChatFiles(wsId, [f]);
|
||||
throw new Error("expected throw");
|
||||
} catch (e) {
|
||||
expect(e).toBeInstanceOf(DOMException);
|
||||
expect((e as DOMException).name).toBe("TimeoutError");
|
||||
// CRITICAL negative: the rejection must NOT be a
|
||||
// FileTooLargeError, because pre-flight already excluded that.
|
||||
expect(e).not.toBeInstanceOf(FileTooLargeError);
|
||||
}
|
||||
});
|
||||
|
||||
it("a 50 MB file does NOT trip the pre-flight gate (sub-cap)", async () => {
|
||||
// The forensic case: Ryan's file was over the OLD 50MB cap but
|
||||
// under the NEW 100MB cap. Pin that the pre-flight does NOT
|
||||
// misfire on a sub-100MB file.
|
||||
fetchSpy!.mockResolvedValue(
|
||||
new Response('{"files":[]}', {
|
||||
status: 200,
|
||||
headers: { "content-type": "application/json" },
|
||||
}),
|
||||
);
|
||||
const f = makeFile("ryan.bin", 50 * 1024 * 1024);
|
||||
await expect(uploadChatFiles(wsId, [f])).resolves.toBeDefined();
|
||||
expect(fetchSpy!).toHaveBeenCalledOnce();
|
||||
});
|
||||
});
|
||||
@@ -1,79 +0,0 @@
|
||||
import { describe, it, expect } from "vitest";
|
||||
import { mapUploadErrorToReason } from "../useChatSend";
|
||||
import { FileTooLargeError } from "../../uploads";
|
||||
|
||||
// Pin the case-by-case error mapping (CTO 2026-05-19 directive on
|
||||
// forensic a99ab0a1: each cause maps to ITS OWN message, no
|
||||
// conflation). The four cases — FileTooLargeError, TimeoutError,
|
||||
// other Error, non-Error — are the entire user-facing contract this
|
||||
// PR ships; each gets a dedicated assertion so a regression that
|
||||
// re-conflated them would surface here.
|
||||
|
||||
describe("mapUploadErrorToReason", () => {
|
||||
it("FileTooLargeError → surfaces the pre-flight message verbatim", () => {
|
||||
const err = new FileTooLargeError(
|
||||
101 * 1024 * 1024,
|
||||
"File too large (got 101.0MB) — limit is 100MB. Please use a smaller file.",
|
||||
);
|
||||
const out = mapUploadErrorToReason(err);
|
||||
// Verbatim, no "Upload failed:" prefix — the FileTooLargeError
|
||||
// message is already a complete, user-facing sentence.
|
||||
expect(out).toBe(err.message);
|
||||
expect(out).not.toMatch(/^Upload failed:/);
|
||||
// Must mention the cap so the user knows what to aim for.
|
||||
expect(out).toContain("100MB");
|
||||
// Must NOT mention timeout — wrong-reason conflation guard.
|
||||
expect(out.toLowerCase()).not.toContain("timeout");
|
||||
expect(out.toLowerCase()).not.toContain("connection");
|
||||
});
|
||||
|
||||
it("TimeoutError → connection-too-slow message, NOT file-size", () => {
|
||||
const err = new DOMException("signal timed out", "TimeoutError");
|
||||
const out = mapUploadErrorToReason(err);
|
||||
// The user-facing reason matches the design contract: tells the
|
||||
// user the connection is slow, gives them the actionable retry
|
||||
// hint, and does NOT mention file-size (pre-flight already
|
||||
// excluded that — this is the case CTO flagged).
|
||||
expect(out).toContain("Upload timed out");
|
||||
expect(out).toContain("connection is too slow");
|
||||
// CRITICAL negatives — guard against the wrong-reason conflation.
|
||||
expect(out).not.toMatch(/100MB|file too large|File too large/);
|
||||
});
|
||||
|
||||
it("plain Error from server (e.g. 413) → wraps with 'Upload failed:' + server reason", () => {
|
||||
// What uploadChatFiles throws when res.ok is false. The message
|
||||
// already encodes the status + body; the mapper just prefixes
|
||||
// "Upload failed:" so the chat error banner makes sense.
|
||||
const err = new Error("upload failed: 413 file exceeds per-file limit");
|
||||
const out = mapUploadErrorToReason(err);
|
||||
expect(out).toBe("Upload failed: upload failed: 413 file exceeds per-file limit");
|
||||
// Server's actual reason must survive — that's the whole
|
||||
// feedback_surface_actionable_failure_reason_to_user point.
|
||||
expect(out).toContain("413");
|
||||
expect(out).toContain("per-file limit");
|
||||
});
|
||||
|
||||
it("non-Error throw → generic fallback", () => {
|
||||
// A string-throw (or a frozen object) is unusual but possible in
|
||||
// some catch paths. The fallback must NOT crash and must still
|
||||
// give the user a non-empty reason.
|
||||
expect(mapUploadErrorToReason("some random string")).toBe("Upload failed");
|
||||
expect(mapUploadErrorToReason(undefined)).toBe("Upload failed");
|
||||
expect(mapUploadErrorToReason(null)).toBe("Upload failed");
|
||||
expect(mapUploadErrorToReason(42)).toBe("Upload failed");
|
||||
});
|
||||
|
||||
it("an AbortError that ISN'T a TimeoutError falls through to generic Error path", () => {
|
||||
// Belt-and-braces: a regression that loosened the name check to
|
||||
// ANY DOMException would silently rewrite legitimate AbortError
|
||||
// (user-initiated cancel) into "connection too slow". Pin the
|
||||
// narrow check.
|
||||
const err = new DOMException("user aborted", "AbortError");
|
||||
const out = mapUploadErrorToReason(err);
|
||||
// Falls through to non-Error branch (DOMException is not an Error
|
||||
// subclass in node's vitest environment); accept either generic
|
||||
// fallback or the Error-message form depending on the runtime.
|
||||
expect(out).not.toContain("connection is too slow");
|
||||
expect(out).not.toContain("File too large");
|
||||
});
|
||||
});
|
||||
@@ -1,140 +0,0 @@
|
||||
// @vitest-environment jsdom
|
||||
import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
|
||||
import { renderHook, act } from "@testing-library/react";
|
||||
|
||||
// Capture the handler so we can drive WS events from tests. useSocketEvent
|
||||
// stores the latest handler in a ref under the hood, but since we mock
|
||||
// the hook entirely, just remember the last passed-in handler.
|
||||
let capturedHandler: ((msg: unknown) => void) | null = null;
|
||||
vi.mock("@/hooks/useSocketEvent", () => ({
|
||||
useSocketEvent: (h: (msg: unknown) => void) => {
|
||||
capturedHandler = h;
|
||||
},
|
||||
}));
|
||||
|
||||
// Canvas store mock — useChatSocket calls
|
||||
// useCanvasStore.getState().nodes for peer name resolution and reads
|
||||
// agentMessages via the selector form. Support both.
|
||||
vi.mock("@/store/canvas", () => {
|
||||
const state = {
|
||||
nodes: [
|
||||
{ id: "ws-self", data: { name: "Self" } },
|
||||
{ id: "ws-peer", data: { name: "Peer Agent" } },
|
||||
],
|
||||
agentMessages: {} as Record<string, unknown[]>,
|
||||
consumeAgentMessages: () => [],
|
||||
};
|
||||
const hook = (selector?: (s: typeof state) => unknown) =>
|
||||
selector ? selector(state) : state;
|
||||
hook.getState = () => state;
|
||||
return { useCanvasStore: hook };
|
||||
});
|
||||
|
||||
import { useChatSocket } from "../useChatSocket";
|
||||
|
||||
beforeEach(() => {
|
||||
capturedHandler = null;
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
vi.clearAllMocks();
|
||||
});
|
||||
|
||||
// Helper: assemble an ACTIVITY_LOGGED a2a_receive error event the way
|
||||
// the ws-server emits one when a peer call errors out. Fields mirror
|
||||
// workspace-server/internal/handlers/activity.go::logActivityExec
|
||||
// broadcast payload shape.
|
||||
function makeActivityErrorEvent(opts: { workspaceId: string; targetId?: string; errorDetail?: string | undefined }) {
|
||||
return {
|
||||
event: "ACTIVITY_LOGGED",
|
||||
workspace_id: opts.workspaceId,
|
||||
payload: {
|
||||
activity_type: "a2a_receive",
|
||||
method: "message/send",
|
||||
status: "error",
|
||||
target_id: opts.targetId ?? opts.workspaceId,
|
||||
duration_ms: 1500,
|
||||
...(opts.errorDetail !== undefined ? { error_detail: opts.errorDetail } : {}),
|
||||
},
|
||||
timestamp: "2026-05-18T00:00:00Z",
|
||||
};
|
||||
}
|
||||
|
||||
describe("useChatSocket — surface error_detail to onSendError (internal#212)", () => {
|
||||
it("forwards the secret-safe error_detail from the broadcast as the onSendError reason", () => {
|
||||
const onSendError = vi.fn();
|
||||
const onSendComplete = vi.fn();
|
||||
renderHook(() =>
|
||||
useChatSocket("ws-self", {
|
||||
onSendError,
|
||||
onSendComplete,
|
||||
}),
|
||||
);
|
||||
|
||||
expect(capturedHandler).not.toBeNull();
|
||||
act(() => {
|
||||
capturedHandler!(
|
||||
makeActivityErrorEvent({
|
||||
workspaceId: "ws-self",
|
||||
errorDetail:
|
||||
"Anthropic 403 oauth_org_not_allowed: Your organization has disabled Claude subscription access for Claude Code",
|
||||
}),
|
||||
);
|
||||
});
|
||||
|
||||
// The hook must NOT fall back to the opaque hardcoded
|
||||
// "Agent error (Exception) — see workspace logs for details." —
|
||||
// that was internal#212. When the broadcast carries an
|
||||
// error_detail, that string is the user-facing reason.
|
||||
expect(onSendError).toHaveBeenCalledTimes(1);
|
||||
const reason = onSendError.mock.calls[0][0] as string;
|
||||
expect(reason).toContain("403");
|
||||
expect(reason).toContain("oauth_org_not_allowed");
|
||||
expect(reason).toContain("disabled Claude subscription");
|
||||
expect(reason).not.toMatch(/see workspace logs for details/i);
|
||||
});
|
||||
|
||||
it("gracefully degrades to the legacy opaque message when error_detail is absent (older ws-server)", () => {
|
||||
// An older ws-server doesn't include error_detail in the payload.
|
||||
// The hook must still fire onSendError with the legacy hardcoded
|
||||
// text so the chat banner has SOMETHING to show. The fix is
|
||||
// additive — never depend on the new field's presence.
|
||||
const onSendError = vi.fn();
|
||||
renderHook(() =>
|
||||
useChatSocket("ws-self", {
|
||||
onSendError,
|
||||
}),
|
||||
);
|
||||
|
||||
act(() => {
|
||||
capturedHandler!(makeActivityErrorEvent({ workspaceId: "ws-self" }));
|
||||
});
|
||||
|
||||
expect(onSendError).toHaveBeenCalledTimes(1);
|
||||
const reason = onSendError.mock.calls[0][0] as string;
|
||||
// Legacy boilerplate is the floor — never silently swallow.
|
||||
expect(reason.length).toBeGreaterThan(0);
|
||||
});
|
||||
|
||||
it("ignores errors targeted at a different workspace's peer", () => {
|
||||
// Defense against a race where the WS hub fans out to all clients —
|
||||
// each chat panel must only react when target_id matches its own
|
||||
// workspace.
|
||||
const onSendError = vi.fn();
|
||||
renderHook(() =>
|
||||
useChatSocket("ws-self", {
|
||||
onSendError,
|
||||
}),
|
||||
);
|
||||
act(() => {
|
||||
capturedHandler!(
|
||||
makeActivityErrorEvent({
|
||||
workspaceId: "ws-self",
|
||||
targetId: "ws-someone-else",
|
||||
errorDetail: "irrelevant",
|
||||
}),
|
||||
);
|
||||
});
|
||||
expect(onSendError).not.toHaveBeenCalled();
|
||||
});
|
||||
});
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
import { useCallback, useRef, useState } from "react";
|
||||
import { api } from "@/lib/api";
|
||||
import { uploadChatFiles, FileTooLargeError } from "../uploads";
|
||||
import { uploadChatFiles } from "../uploads";
|
||||
import { createMessage, type ChatMessage, type ChatAttachment } from "../types";
|
||||
import { extractFilesFromTask } from "../message-parser";
|
||||
|
||||
@@ -46,52 +46,6 @@ export function extractReplyText(resp: A2AResponse): string {
|
||||
return collected.join("\n");
|
||||
}
|
||||
|
||||
/** Map a thrown error from `uploadChatFiles` to the user-facing reason
|
||||
* shown in the chat error banner.
|
||||
*
|
||||
* Cases (per `feedback_surface_actionable_failure_reason_to_user` —
|
||||
* user-facing failures MUST tell the user WHY):
|
||||
*
|
||||
* 1. FileTooLargeError → use the error's message verbatim. The
|
||||
* pre-flight already built the actionable string with the actual
|
||||
* size + the cap; don't re-wrap it (which would prepend a
|
||||
* redundant "Upload failed:" prefix).
|
||||
*
|
||||
* 2. DOMException name="TimeoutError" → AbortSignal.timeout fired
|
||||
* during the fetch. Pre-flight already excluded file-size, so
|
||||
* this CANNOT mean "file too large". Surface a connection-speed
|
||||
* message — the user's actionable next step is retry or check
|
||||
* network, NOT shrink the file.
|
||||
*
|
||||
* 3. Other Error → use the wrapped form so the server's reason
|
||||
* (e.g. "upload failed: 413 ...") reaches the user instead of
|
||||
* being swallowed.
|
||||
*
|
||||
* 4. Non-Error throw → generic fallback.
|
||||
*
|
||||
* Exported for unit testing — the case-by-case mapping is the
|
||||
* load-bearing contract this PR ships. */
|
||||
export function mapUploadErrorToReason(e: unknown): string {
|
||||
if (e instanceof FileTooLargeError) {
|
||||
// Already a complete, user-facing sentence — surface verbatim.
|
||||
return e.message;
|
||||
}
|
||||
// DOMException with name="TimeoutError" is what AbortSignal.timeout
|
||||
// produces on abort. Browsers represent it as a DOMException, not a
|
||||
// regular Error subclass — feature-detect via .name to avoid coupling
|
||||
// to a global that's missing in test envs.
|
||||
if (
|
||||
e !== null && typeof e === "object" &&
|
||||
"name" in e && (e as { name: unknown }).name === "TimeoutError"
|
||||
) {
|
||||
return "Upload timed out — your connection is too slow for this file. Try again, or reduce file size.";
|
||||
}
|
||||
if (e instanceof Error) {
|
||||
return `Upload failed: ${e.message}`;
|
||||
}
|
||||
return "Upload failed";
|
||||
}
|
||||
|
||||
export interface UseChatSendOptions {
|
||||
getHistoryMessages: () => ChatMessage[];
|
||||
onUserMessage?: (msg: ChatMessage) => void;
|
||||
@@ -131,12 +85,9 @@ export function useChatSend(workspaceId: string, options: UseChatSendOptions) {
|
||||
} catch (e) {
|
||||
setUploading(false);
|
||||
sendInFlightRef.current = false;
|
||||
// Error-reason routing (CTO 2026-05-19 on forensic a99ab0a1:
|
||||
// "if its file size issue, should have error that instead
|
||||
// saying timeout which is wrong"). Each cause maps to ITS
|
||||
// OWN message — NO conflation between file-size and
|
||||
// connection-too-slow.
|
||||
setError(mapUploadErrorToReason(e));
|
||||
setError(
|
||||
e instanceof Error ? `Upload failed: ${e.message}` : "Upload failed",
|
||||
);
|
||||
return;
|
||||
}
|
||||
setUploading(false);
|
||||
|
||||
@@ -67,23 +67,9 @@ export function useChatSocket(
|
||||
const own = (targetId || msg.workspace_id) === workspaceId;
|
||||
if (own) {
|
||||
callbacksRef.current.onSendComplete?.();
|
||||
// internal#212 — surface the actionable, secret-safe
|
||||
// failure reason (provider HTTP status + error code +
|
||||
// human-readable message) the ws-server now puts on
|
||||
// ACTIVITY_LOGGED.error_detail. The old hardcoded
|
||||
// "Agent error (Exception) — see workspace logs for
|
||||
// details." is the fallback only — it pointed at a
|
||||
// workspace-logs tab that doesn't exist, telling the
|
||||
// user nothing they could act on.
|
||||
//
|
||||
// Graceful degradation: older ws-server builds don't
|
||||
// include error_detail, so the legacy boilerplate is
|
||||
// still the floor (never silently swallow).
|
||||
const detail = (p.error_detail as string) || "";
|
||||
const reason = detail
|
||||
? detail
|
||||
: "Agent error (Exception) — see workspace logs for details.";
|
||||
callbacksRef.current.onSendError?.(reason);
|
||||
callbacksRef.current.onSendError?.(
|
||||
"Agent error (Exception) — see workspace logs for details.",
|
||||
);
|
||||
}
|
||||
}
|
||||
} else if (type === "a2a_send") {
|
||||
|
||||
@@ -1,55 +1,6 @@
|
||||
import { PLATFORM_URL, platformAuthHeaders } from "@/lib/api";
|
||||
import type { ChatAttachment } from "./types";
|
||||
|
||||
/** Hard cap on a single chat upload. Pre-flight gate: this constant is
|
||||
* checked BEFORE any network I/O so a file-size violation surfaces
|
||||
* immediately with an actionable reason ("File too large (got X MB)
|
||||
* — limit is 100MB") rather than as a downstream timeout or 413.
|
||||
*
|
||||
* SERVER_MIRROR: keep aligned with
|
||||
* - workspace-server/internal/handlers/chat_files.go chatUploadMaxBytes
|
||||
* - workspace/internal_chat_uploads.py CHAT_UPLOAD_MAX_BYTES /
|
||||
* CHAT_UPLOAD_MAX_FILE_BYTES
|
||||
*
|
||||
* Three mirror sites exist because each layer must enforce / pre-flight
|
||||
* on its own (no shared codegen yet). Tracked for SSOT follow-up:
|
||||
* expose via GET /uploads/limits so the client can fetch the live cap
|
||||
* instead of duplicating the constant. */
|
||||
export const MAX_UPLOAD_BYTES = 100 * 1024 * 1024;
|
||||
|
||||
/** Thrown by `uploadChatFiles` when a candidate file exceeds
|
||||
* MAX_UPLOAD_BYTES. Caught by `useChatSend` and surfaced verbatim —
|
||||
* the message is already user-actionable. Distinct name lets the
|
||||
* catch path route it correctly without parsing the message string.
|
||||
*
|
||||
* Why a distinct class instead of a sentinel string match: the catch
|
||||
* in `useChatSend` already needs to discriminate this case from a
|
||||
* `TimeoutError` (which has a structurally similar surface but a
|
||||
* DIFFERENT root cause). Conflating them was the bug CTO flagged on
|
||||
* forensic a99ab0a1: "if its file size issue, should have error that
|
||||
* instead saying timeout which is wrong". */
|
||||
export class FileTooLargeError extends Error {
|
||||
readonly name = "FileTooLargeError";
|
||||
readonly fileSize: number;
|
||||
constructor(fileSize: number, message: string) {
|
||||
super(message);
|
||||
this.fileSize = fileSize;
|
||||
}
|
||||
}
|
||||
|
||||
/** Compute the abort timeout for an upload of `totalBytes`. Floor at
|
||||
* 60s (small-file ergonomics: a 100 KB image shouldn't wait 1000s to
|
||||
* see a typo'd hostname surface as a connect error). Above the floor,
|
||||
* scale linearly at ~100 KB/s assumed minimum uplink — at the 100 MB
|
||||
* cap this yields ~1000s, comfortable for the slow-mobile-tether case
|
||||
* that motivated forensic a99ab0a1 (Ryan's >50 MB upload aborted at
|
||||
* the fixed 60s timeout while still streaming).
|
||||
*
|
||||
* Exported for the unit test that pins the curve at the boundary. */
|
||||
export function computeUploadTimeoutMs(totalBytes: number): number {
|
||||
return Math.max(60_000, totalBytes / 100); // 100KB/s → ms = bytes/100
|
||||
}
|
||||
|
||||
/** Chat attachments are intentionally uploaded via a direct fetch()
|
||||
* instead of the `api.post` helper — `api.post` JSON-stringifies the
|
||||
* body, which would 500 on a Blob. Auth headers (tenant slug, admin
|
||||
@@ -59,57 +10,25 @@ export function computeUploadTimeoutMs(totalBytes: number): number {
|
||||
* Content-Type so the browser writes the multipart boundary into the
|
||||
* header; setting it manually would yield a multipart body the server
|
||||
* can't parse. See lib/api.ts platformAuthHeaders() for the full
|
||||
* rationale on why this pair must stay matched.
|
||||
*
|
||||
* Failure-reason contract (CTO 2026-05-19 directive on forensic
|
||||
* a99ab0a1: each cause maps to ITS OWN message, no conflation):
|
||||
* 1. file.size > MAX_UPLOAD_BYTES → throws FileTooLargeError
|
||||
* BEFORE any network I/O, with the offending size + the cap.
|
||||
* 2. fetch aborts via AbortSignal → DOMException name="TimeoutError";
|
||||
* caller surfaces "connection too slow" (file-size already
|
||||
* excluded by gate 1, so the TimeoutError CANNOT mean file-size).
|
||||
* 3. server returns !res.ok → throws Error with the server's
|
||||
* reason embedded (status + body); caller surfaces verbatim.
|
||||
* 4. any other thrown error → falls through as-is. */
|
||||
* rationale on why this pair must stay matched. */
|
||||
export async function uploadChatFiles(
|
||||
workspaceId: string,
|
||||
files: File[],
|
||||
): Promise<ChatAttachment[]> {
|
||||
if (files.length === 0) return [];
|
||||
|
||||
// PRE-FLIGHT: bail before any network I/O if any file exceeds the cap.
|
||||
// After this gate, an AbortSignal.timeout firing during the fetch
|
||||
// CANNOT be attributed to file size — it's necessarily a slow
|
||||
// connection. That distinction is what makes the downstream error
|
||||
// mapping unambiguous.
|
||||
let totalBytes = 0;
|
||||
for (const f of files) {
|
||||
if (f.size > MAX_UPLOAD_BYTES) {
|
||||
const sizeMb = (f.size / (1024 * 1024)).toFixed(1);
|
||||
throw new FileTooLargeError(
|
||||
f.size,
|
||||
`File too large (got ${sizeMb}MB) — limit is 100MB. Please use a smaller file.`,
|
||||
);
|
||||
}
|
||||
totalBytes += f.size;
|
||||
}
|
||||
|
||||
const form = new FormData();
|
||||
for (const f of files) form.append("files", f, f.name);
|
||||
|
||||
// Scale the abort timeout with payload size so a legitimate slow-
|
||||
// uplink upload of a large file isn't aborted before the body has
|
||||
// finished streaming. The fixed 60s previous-version was the root
|
||||
// cause of forensic a99ab0a1: Ryan's ~60 MB upload over a constrained
|
||||
// uplink streamed past 60s, AbortSignal fired client-side, server
|
||||
// got a truncated body, the user saw "signal timed out" — when the
|
||||
// real cause was simply "uplink slower than our hard-coded deadline".
|
||||
// Uploads legitimately take a while on cold cache (tar write +
|
||||
// docker cp into the container). 60s is comfortable for the 25MB/
|
||||
// 50MB caps the server enforces.
|
||||
const res = await fetch(`${PLATFORM_URL}/workspaces/${workspaceId}/chat/uploads`, {
|
||||
method: "POST",
|
||||
headers: platformAuthHeaders(),
|
||||
body: form,
|
||||
credentials: "include",
|
||||
signal: AbortSignal.timeout(computeUploadTimeoutMs(totalBytes)),
|
||||
signal: AbortSignal.timeout(60_000),
|
||||
});
|
||||
if (!res.ok) {
|
||||
const text = await res.text().catch(() => "");
|
||||
|
||||
@@ -351,10 +351,8 @@ export function SecretsSection({ workspaceId, requiredEnv }: { workspaceId: stri
|
||||
{showAdd ? (
|
||||
<div className="bg-surface-card/50 rounded p-2 space-y-1.5 border border-line/50">
|
||||
<input value={newKey} onChange={(e) => setNewKey(e.target.value.toUpperCase())} placeholder="KEY_NAME"
|
||||
aria-label="Secret key name"
|
||||
className="w-full bg-surface-sunken border border-line rounded px-2 py-1 text-[10px] font-mono text-ink focus:outline-none focus:border-accent" />
|
||||
<input value={newValue} onChange={(e) => setNewValue(e.target.value)} placeholder="Value" type="password"
|
||||
aria-label="Secret value"
|
||||
className="w-full bg-surface-sunken border border-line rounded px-2 py-1 text-[10px] text-ink focus:outline-none focus:border-accent" />
|
||||
<div className="flex gap-2">
|
||||
<button type="button" onClick={() => { if (newKey && newValue) handleSave(newKey, newValue); }} disabled={!newKey || !newValue}
|
||||
|
||||
@@ -99,7 +99,7 @@ export function TestConnectionButton({
|
||||
|
||||
function Spinner() {
|
||||
return (
|
||||
<svg aria-hidden="true" className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
|
||||
<svg className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
|
||||
<path d="M12 2v4M12 18v4M4.93 4.93l2.83 2.83M16.24 16.24l2.83 2.83M2 12h4M18 12h4M4.93 19.07l2.83-2.83M16.24 7.76l2.83-2.83" />
|
||||
</svg>
|
||||
);
|
||||
|
||||
@@ -63,7 +63,7 @@ class MockWebSocket {
|
||||
(globalThis as unknown as Record<string, unknown>).WebSocket = MockWebSocket;
|
||||
|
||||
// Now import the socket module (uses globalThis.WebSocket at call time)
|
||||
import { connectSocket, disconnectSocket, wakeSocket } from "../socket";
|
||||
import { connectSocket, disconnectSocket } from "../socket";
|
||||
import { useCanvasStore } from "../canvas";
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
@@ -416,84 +416,3 @@ describe("RehydrateDedup", () => {
|
||||
expect(d.shouldSkip(2_700)).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// wakeSocket() — visibility-wake reconnect (regression #223 / #228)
|
||||
// ---------------------------------------------------------------------------
|
||||
//
|
||||
// Mobile browsers (iOS Safari, Chrome on Android in deep-sleep) silently
|
||||
// drop the WebSocket when the tab is backgrounded; the in-page onclose
|
||||
// fires very late or never. Without a visibility wake, the canvas stays
|
||||
// frozen until the user manually refreshes.
|
||||
//
|
||||
// The real wiring lives at module level: connectSocket installs a
|
||||
// visibilitychange/pageshow listener that calls wake() on foreground.
|
||||
// We can't dispatch DOM events here because the suite runs under the
|
||||
// `node` test environment (no `document`/`window` — see canvas/vitest
|
||||
// .config.ts). Instead we test wake() directly through the wakeSocket
|
||||
// public export, which is the same code path the listener invokes.
|
||||
|
||||
describe("wakeSocket → reconnect (#223 / #228 — mobile visibility wake)", () => {
|
||||
it("wake on a healthy OPEN socket does not create a new WebSocket", () => {
|
||||
connectSocket();
|
||||
const ws = getLastWS();
|
||||
ws.triggerOpen();
|
||||
// OPEN === 1. wake() should take the healthy-no-op branch.
|
||||
(ws as unknown as { readyState: number }).readyState = 1;
|
||||
const before = MockWebSocket.instances.length;
|
||||
wakeSocket();
|
||||
expect(MockWebSocket.instances.length).toBe(before);
|
||||
});
|
||||
|
||||
it("wake on a CLOSED socket creates a new WebSocket (the actual #223 fix)", () => {
|
||||
connectSocket();
|
||||
const ws = getLastWS();
|
||||
ws.triggerOpen();
|
||||
// CLOSED === 3. Simulates the OS killing the socket while the tab
|
||||
// was backgrounded. We deliberately don't fire triggerClose() —
|
||||
// the whole point of #223 is that mobile browsers don't fire
|
||||
// onclose when they kill the WS, so reconnect never schedules.
|
||||
(ws as unknown as { readyState: number }).readyState = 3;
|
||||
const before = MockWebSocket.instances.length;
|
||||
wakeSocket();
|
||||
expect(MockWebSocket.instances.length).toBe(before + 1);
|
||||
});
|
||||
|
||||
it("wake while CONNECTING (readyState=0) does not pile another handshake", () => {
|
||||
connectSocket();
|
||||
const ws = getLastWS();
|
||||
// CONNECTING === 0 — a handshake is already in flight.
|
||||
(ws as unknown as { readyState: number }).readyState = 0;
|
||||
const before = MockWebSocket.instances.length;
|
||||
wakeSocket();
|
||||
expect(MockWebSocket.instances.length).toBe(before);
|
||||
});
|
||||
|
||||
it("wake cancels any pending backoff reconnect", () => {
|
||||
const clearTimeoutSpy = vi.spyOn(globalThis, "clearTimeout");
|
||||
connectSocket();
|
||||
const ws = getLastWS();
|
||||
ws.triggerOpen();
|
||||
// Drop the socket — onclose schedules a backoff reconnect.
|
||||
ws.triggerClose();
|
||||
// Now wake the page. wake() should pre-empt the backoff so the
|
||||
// user sees the canvas come back immediately, not after the
|
||||
// exponential delay window.
|
||||
(ws as unknown as { readyState: number }).readyState = 3;
|
||||
clearTimeoutSpy.mockClear();
|
||||
wakeSocket();
|
||||
expect(clearTimeoutSpy).toHaveBeenCalled();
|
||||
clearTimeoutSpy.mockRestore();
|
||||
});
|
||||
|
||||
it("wake after disconnectSocket is a no-op (no zombie reconnect)", () => {
|
||||
connectSocket();
|
||||
const ws = getLastWS();
|
||||
ws.triggerOpen();
|
||||
disconnectSocket();
|
||||
const before = MockWebSocket.instances.length;
|
||||
// Singleton is null now — wake() should silently do nothing.
|
||||
expect(() => wakeSocket()).not.toThrow();
|
||||
expect(MockWebSocket.instances.length).toBe(before);
|
||||
});
|
||||
});
|
||||
|
||||
@@ -268,46 +268,6 @@ class ReconnectingSocket {
|
||||
}
|
||||
useCanvasStore.getState().setWsStatus("disconnected");
|
||||
}
|
||||
|
||||
/** Force a reconnect attempt now, skipping the backoff window.
|
||||
* Used by the visibilitychange / pageshow handler: when a mobile
|
||||
* browser backgrounds the tab, the OS silently kills the WebSocket
|
||||
* but the in-page onclose either fires very late or never fires at
|
||||
* all (iOS Safari, Chrome on Android in deep-sleep). Once the user
|
||||
* brings the tab back, the canvas needs to reconnect within human
|
||||
* perception — not on whatever backoff delay was last scheduled,
|
||||
* which can be up to 30s. (#223 / #228)
|
||||
*
|
||||
* Idempotent: if the socket is already OPEN we leave it alone; the
|
||||
* WebSocket is still healthy and a reconnect would just churn. */
|
||||
wake() {
|
||||
if (this.disposed) return;
|
||||
// OPEN === 1. Use the numeric literal so we don't have to import
|
||||
// WebSocket type values; the runtime constant is well-defined.
|
||||
if (this.ws && this.ws.readyState === 1) {
|
||||
// Healthy. Run a rehydrate to catch any events we may have missed
|
||||
// while the tab was backgrounded — the OS does deliver some
|
||||
// packets late, but it can also drop them, and the dedup gate
|
||||
// collapses this with any subsequent health-check rehydrate.
|
||||
void this.rehydrate();
|
||||
return;
|
||||
}
|
||||
// CONNECTING === 0 means a handshake is already in flight. Don't
|
||||
// pile another one on; the existing attempt or its onclose-driven
|
||||
// reconnect will resolve.
|
||||
if (this.ws && this.ws.readyState === 0) return;
|
||||
// Otherwise (CLOSING, CLOSED, or null) we're in limbo. Cancel any
|
||||
// pending backoff and reconnect now.
|
||||
if (this.reconnectTimer) {
|
||||
clearTimeout(this.reconnectTimer);
|
||||
this.reconnectTimer = null;
|
||||
}
|
||||
// Reset attempt counter so the *next* failure (if any) starts from
|
||||
// a short delay again — we just had a real user interaction, not
|
||||
// an unattended-tab failure cascade.
|
||||
this.attempt = 0;
|
||||
this.connect();
|
||||
}
|
||||
}
|
||||
|
||||
export interface WorkspaceData {
|
||||
@@ -346,49 +306,11 @@ export interface WorkspaceData {
|
||||
|
||||
let socket: ReconnectingSocket | null = null;
|
||||
|
||||
/** visibilitychange / pageshow handler. Mobile browsers (iOS Safari,
|
||||
* Chrome on Android in deep-sleep) silently drop the WebSocket when
|
||||
* the tab is backgrounded — the in-page `onclose` fires very late or
|
||||
* never. Without this listener, the canvas appears frozen after the
|
||||
* user backgrounds the PWA and returns to it: status events, agent
|
||||
* messages, and cross-device chat broadcast don't arrive until a
|
||||
* manual refresh (#223 / #228).
|
||||
*
|
||||
* Both events are wired: `visibilitychange` covers tab-switch on a
|
||||
* live page; `pageshow` covers Safari's bfcache restore, where the
|
||||
* page comes back from cache without firing visibilitychange. */
|
||||
function onPageWake() {
|
||||
// document is undefined in SSR; the listener never installs there,
|
||||
// but defensively guard anyway in case this code is run via a test
|
||||
// harness that doesn't shim it.
|
||||
if (typeof document !== "undefined" && document.hidden) return;
|
||||
socket?.wake();
|
||||
}
|
||||
let visibilityHandlerInstalled = false;
|
||||
function installVisibilityHandler() {
|
||||
if (visibilityHandlerInstalled) return;
|
||||
if (typeof document === "undefined" || typeof window === "undefined") return;
|
||||
document.addEventListener("visibilitychange", onPageWake);
|
||||
// `pageshow` with `event.persisted === true` is the bfcache restore
|
||||
// signal — relevant on iOS Safari. We don't need to inspect
|
||||
// `persisted` because waking an OPEN socket is a no-op.
|
||||
window.addEventListener("pageshow", onPageWake);
|
||||
visibilityHandlerInstalled = true;
|
||||
}
|
||||
function uninstallVisibilityHandler() {
|
||||
if (!visibilityHandlerInstalled) return;
|
||||
if (typeof document === "undefined" || typeof window === "undefined") return;
|
||||
document.removeEventListener("visibilitychange", onPageWake);
|
||||
window.removeEventListener("pageshow", onPageWake);
|
||||
visibilityHandlerInstalled = false;
|
||||
}
|
||||
|
||||
export function connectSocket() {
|
||||
if (!socket) {
|
||||
socket = new ReconnectingSocket(WS_URL);
|
||||
}
|
||||
socket.connect();
|
||||
installVisibilityHandler();
|
||||
}
|
||||
|
||||
export function disconnectSocket() {
|
||||
@@ -396,14 +318,4 @@ export function disconnectSocket() {
|
||||
socket.disconnect();
|
||||
socket = null;
|
||||
}
|
||||
uninstallVisibilityHandler();
|
||||
}
|
||||
|
||||
/** Manually trigger the visibility-wake path. Exported so the test suite
|
||||
* can exercise `ReconnectingSocket.wake()` without depending on a
|
||||
* jsdom DOM (the rest of this file's tests run under the node env).
|
||||
* Real-world callers don't need this — the visibility/pageshow listener
|
||||
* drives it. */
|
||||
export function wakeSocket() {
|
||||
socket?.wake();
|
||||
}
|
||||
|
||||
@@ -584,10 +584,6 @@
|
||||
.secrets-tab__refresh-btn:hover {
|
||||
background: #1e40af;
|
||||
}
|
||||
.secrets-tab__refresh-btn:focus-visible {
|
||||
outline: 2px solid #1d4ed8;
|
||||
outline-offset: 2px;
|
||||
}
|
||||
|
||||
.secrets-tab__no-results {
|
||||
text-align: center;
|
||||
@@ -653,10 +649,6 @@
|
||||
border-radius: 6px;
|
||||
cursor: pointer;
|
||||
}
|
||||
.delete-dialog__cancel-btn:focus-visible {
|
||||
outline: var(--focus-ring);
|
||||
outline-offset: var(--focus-ring-offset);
|
||||
}
|
||||
|
||||
.delete-dialog__confirm-btn {
|
||||
background: var(--status-invalid);
|
||||
@@ -666,10 +658,6 @@
|
||||
border-radius: 6px;
|
||||
cursor: pointer;
|
||||
}
|
||||
.delete-dialog__confirm-btn:focus-visible {
|
||||
outline: var(--focus-ring);
|
||||
outline-offset: var(--focus-ring-offset);
|
||||
}
|
||||
|
||||
.delete-dialog__confirm-btn:disabled { opacity: 0.4; cursor: not-allowed; }
|
||||
|
||||
|
||||
@@ -1,104 +0,0 @@
|
||||
# local-e2e — session-continuity canary harness
|
||||
|
||||
Self-contained Docker-Compose harness that gates RFC#600-class template
|
||||
changes (session continuity, file-only messages, multimodal prompts,
|
||||
cross-session memory) **before** they reach customer canary.
|
||||
|
||||
Per CTO standing directive "fully tested + separate CI": this is a
|
||||
dedicated, *fast* (target <3 min), *small-surface* harness that uses a
|
||||
Python tenant-CP simulator (not the full `workspace-server` Go service)
|
||||
to exercise the runtime image end-to-end against canonical canary turns.
|
||||
|
||||
See [`feedback_no_single_source_of_truth`] — the harness IS the canonical
|
||||
session-continuity validator. Per-runtime unit tests still cover their
|
||||
own guard logic; the harness covers the live conversational behaviour
|
||||
that those unit tests cannot prove.
|
||||
|
||||
See [`feedback_image_promote_is_not_user_live`] — every assertion reads
|
||||
state back from the *running container*, never from a publish-pipeline
|
||||
ack.
|
||||
|
||||
## What it tests (the 4 canaries)
|
||||
|
||||
| # | Scenario | Asserts |
|
||||
|---|----------|---------|
|
||||
| 1 | 2-turn name canary | turn 2 reply contains "Hongming" → SessionStore continuity |
|
||||
| 2 | File-only message (no caption) | NOT "(empty prompt — nothing to do)" + reply references filename or asks for clarification |
|
||||
| 3 | File + caption ("summarize this") | reply addresses attachment + caption |
|
||||
| 4 | Cross-session memory recall | new session pulls "blue" via memory tool |
|
||||
|
||||
Each scenario re-uses the same A2A wire-shape that the production
|
||||
`workspace-server` POSTs to runtime `:8000` (canvas-thread-id semantics
|
||||
via `context_id`).
|
||||
|
||||
## Architecture
|
||||
|
||||
```
|
||||
local-e2e/
|
||||
docker-compose.yml # runtime under test + cp_sim
|
||||
cp_sim/ # ≈300 LoC Python A2A poster + file uploader
|
||||
cp_sim.py
|
||||
Dockerfile
|
||||
requirements.txt
|
||||
canary/
|
||||
conftest.py
|
||||
test_session_continuity.py # 4 canary scenarios
|
||||
test_layer_diagnostics.py # SessionStore state probe + key derivation
|
||||
scripts/
|
||||
run-canary.sh # one-shot orchestration entrypoint
|
||||
```
|
||||
|
||||
The CP simulator emits the **exact** JSON-RPC `message/send` envelope
|
||||
that `workspace-server` produces (verified against
|
||||
`tests/e2e/test_chat_attachments_e2e.sh`). No Go service is in the loop —
|
||||
this keeps the harness lean per the CTO directive.
|
||||
|
||||
## Run locally
|
||||
|
||||
```bash
|
||||
# from molecule-core repo root:
|
||||
export TEMPLATE_IMAGE=ghcr.io/molecule-ai/workspace-template-hermes:latest
|
||||
./local-e2e/scripts/run-canary.sh
|
||||
```
|
||||
|
||||
Exit code 0 = all 4 canaries pass. Non-zero = at least one canary failed
|
||||
and the harness dumped SessionStore state + last 200 log lines from the
|
||||
runtime container into `./local-e2e/artifacts/`.
|
||||
|
||||
## How it integrates into CI
|
||||
|
||||
Each template repo's `.gitea/workflows/session-continuity-e2e.yml` calls
|
||||
`run-canary.sh` with its own freshly-built `TEMPLATE_IMAGE`. The
|
||||
template repo's Gitea branch-protection lists
|
||||
`session-continuity-e2e (pull_request)` as a required context.
|
||||
|
||||
Rollout order (deliberate — per `feedback_image_promote_is_not_user_live`
|
||||
we bake before we cascade):
|
||||
|
||||
1. `molecule-ai-workspace-template-hermes` — highest-traffic + most
|
||||
recent RFC#600-class fixes — REQUIRED gate
|
||||
2. Bake for 5 business days
|
||||
3. Cascade to claude-code, langgraph, autogen, openclaw, smolagents,
|
||||
google-adk (one PR per template — see `scripts/onboard-template.sh`)
|
||||
|
||||
## Future extensions (out of scope for the initial PR)
|
||||
|
||||
- Multi-session memory consistency (3+ sessions deep)
|
||||
- Tool-use canary (workspace seeded with skills/, agent must invoke)
|
||||
- Streaming-cancellation canary (mid-stream client disconnect)
|
||||
- Cross-runtime A2A peer call (currently covered by `e2e-peer-visibility`)
|
||||
|
||||
## Why a thin Python simulator and not the real `workspace-server`?
|
||||
|
||||
`workspace-server` is a 60+ MB Go binary that requires Postgres, Redis,
|
||||
admin-token wiring, registry plumbing, and a 30+ second cold-boot. None
|
||||
of that touches session-continuity behaviour, which is fully owned by
|
||||
the runtime container's `a2a_executor.py`. Per CTO directive "separate
|
||||
CI as possible" + the <3 min target, we excise the platform-tenant Go
|
||||
service from the loop and emit identical wire-shape envelopes from a
|
||||
single Python file.
|
||||
|
||||
If the simulator diverges from `workspace-server` wire shape, the gate
|
||||
goes red — fix the simulator to match production. The wire shape is
|
||||
asserted in `tests/e2e/test_chat_attachments_e2e.sh` and the runtime's
|
||||
`workspace/a2a_executor.py:_core_execute`.
|
||||
@@ -1,19 +0,0 @@
|
||||
# Python tenant-CP simulator + canary test driver.
|
||||
# Single image — pytest + httpx + the canary tests baked in.
|
||||
FROM python:3.11-slim@sha256:e78299e55776ca065dcb769f80161f48465ad352014240eb5fe4712e22505e9b
|
||||
|
||||
WORKDIR /harness
|
||||
|
||||
COPY requirements.txt .
|
||||
RUN pip install --no-cache-dir -r requirements.txt
|
||||
|
||||
# Test files are bind-mounted by docker-compose at run time so a `pytest -x`
|
||||
# rerun loop doesn't require a rebuild. The COPY here is for the
|
||||
# self-contained image used by Gitea Actions (where bind mounts are awkward).
|
||||
COPY cp_sim.py /harness/cp_sim.py
|
||||
COPY canary /harness/canary
|
||||
|
||||
ENV PYTHONUNBUFFERED=1
|
||||
|
||||
# Default: run the 4 canaries with verbose output + JUnit XML for CI.
|
||||
CMD ["pytest", "-v", "--tb=short", "--junitxml=/harness/artifacts/junit.xml", "canary/"]
|
||||
@@ -1,31 +0,0 @@
|
||||
"""Shared pytest fixtures for the canary suite."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import sys
|
||||
import uuid
|
||||
|
||||
# cp_sim.py lives one dir up — make it importable without packaging.
|
||||
sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
|
||||
|
||||
import pytest # noqa: E402
|
||||
|
||||
from cp_sim import CPSim, CPSimConfig # noqa: E402
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def sim() -> CPSim:
|
||||
"""Fresh CPSim per test — cheap, isolates connection state."""
|
||||
return CPSim(
|
||||
cfg=CPSimConfig(
|
||||
runtime_url=os.environ.get("RUNTIME_URL", "http://localhost:18000"),
|
||||
)
|
||||
)
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def context_id() -> str:
|
||||
"""A unique canvas-thread-id per test — guarantees SessionStore isolation
|
||||
between scenarios so a failing canary doesn't poison the next one."""
|
||||
return f"canary-ctx-{uuid.uuid4().hex[:12]}"
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user