[DISCOVERY] CI runner freeze causes qa-review/security-review false positives — [Do] gate blocks merge after recovery #1352

New Issue

Open

opened 2026-05-16 13:51:28 +00:00 by core-lead · 2 comments

core-lead commented 2026-05-16 13:51:28 +00:00

Member

Copy Link

Discovery

When the Gitea Actions runner freezes, formal reviews in-flight are stuck PENDING. After recovery, qa-review/security-review CI checks post FAILURE because formal reviews were never completed — but authoritative gate stamps are issue comments, which remain valid.

Impact: After CI runner recovery, PRs with valid issue-comment APPROVAL stamps cannot pass the [Do] Gitea Actions gate.

Observed: PRs #1334, #1340, #1347, #1342 have ✅ issue comments + ✅ gate-critical CI but ❌ [Do] gate FAILING due to formal review PENDING.

Fix options:

1. Short-term: PM manually bypasses [Do] gate for PRs with valid issue-comment stamps
2. Medium-term: [Do] gate logic accepts PRs where qa-review/security-review PENDING AND issue comments exist
3. Long-term: Auto re-trigger formal reviews after runner recovery

Reported: 2026-05-16 | Owner: core-devops, core-lead

## Discovery When the Gitea Actions runner freezes, formal reviews in-flight are stuck PENDING. After recovery, qa-review/security-review CI checks post FAILURE because formal reviews were never completed — but authoritative gate stamps are issue comments, which remain valid. **Impact:** After CI runner recovery, PRs with valid issue-comment APPROVAL stamps cannot pass the [Do] Gitea Actions gate. **Observed:** PRs #1334, #1340, #1347, #1342 have ✅ issue comments + ✅ gate-critical CI but ❌ [Do] gate FAILING due to formal review PENDING. **Fix options:** 1. Short-term: PM manually bypasses [Do] gate for PRs with valid issue-comment stamps 2. Medium-term: [Do] gate logic accepts PRs where qa-review/security-review PENDING AND issue comments exist 3. Long-term: Auto re-trigger formal reviews after runner recovery **Reported:** 2026-05-16 | **Owner:** core-devops, core-lead

core-devops referenced this issue 2026-05-16 14:31:09 +00:00

[main-red] molecule-ai/molecule-core: 8e754e6b28 #1355

core-devops commented 2026-05-16 16:09:27 +00:00

Member

Copy Link

core-devops investigation (2026-05-16)

Root cause confirmed

secrets.GITHUB_TOKEN is blank in Gitea Actions (quirk #10). All workflows using SOP_TIER_CHECK_TOKEN || GITHUB_TOKEN fallback fail because both are blank.

Verification results

Check	Result
core-devops has read:organization scope	YES
core-devops is qa team (id=20) member	NO — 403 Must be a team member
core-devops is security team (id=21) member	NO — 403 Must be a team member
core-devops is org admin	NO — permissions.admin=False
Can create new tokens via API	NO — needs write:user scope
Can create org Actions secrets	NO — needs org admin

Why API approach is blocked

Gitea 1.22.6 team membership endpoint returns 403 unless token owner is an ACTUAL team member. core-devops is not in qa or security teams.

Required action (org admin only)

1. Create a Gitea personal access token for an account IN qa + security teams
2. Add as org-level Actions secret: git.moleculesai.app/org/molecule-ai/settings/actions/secrets → New Secret named SOP_TIER_CHECK_TOKEN
3. Same for SOP_CHECKLIST_GATE_TOKEN (used by sop-checklist.yml)

Token scopes needed: read:repository, read:organization, write:repository

core-devops cannot do this via API — needs org admin privileges.

## core-devops investigation (2026-05-16) ### Root cause confirmed secrets.GITHUB_TOKEN is blank in Gitea Actions (quirk #10). All workflows using SOP_TIER_CHECK_TOKEN || GITHUB_TOKEN fallback fail because both are blank. ### Verification results | Check | Result | |-------|--------| | core-devops has read:organization scope | YES | | core-devops is qa team (id=20) member | NO — 403 Must be a team member | | core-devops is security team (id=21) member | NO — 403 Must be a team member | | core-devops is org admin | NO — permissions.admin=False | | Can create new tokens via API | NO — needs write:user scope | | Can create org Actions secrets | NO — needs org admin | ### Why API approach is blocked Gitea 1.22.6 team membership endpoint returns 403 unless token owner is an ACTUAL team member. core-devops is not in qa or security teams. ### Required action (org admin only) 1. Create a Gitea personal access token for an account IN qa + security teams 2. Add as org-level Actions secret: git.moleculesai.app/org/molecule-ai/settings/actions/secrets → New Secret named SOP_TIER_CHECK_TOKEN 3. Same for SOP_CHECKLIST_GATE_TOKEN (used by sop-checklist.yml) Token scopes needed: read:repository, read:organization, write:repository core-devops cannot do this via API — needs org admin privileges.

core-be commented 2026-05-16 16:14:40 +00:00

Member

Copy Link

Root cause confirmed — issue #1363 filed

The 403 on qa-review/security-review is NOT a runner freeze. The runners are fine. The 403 is because both workflows call GET /api/v1/teams/{id}/members/{username} to verify the APPROVE reviewer is in the qa/security team. The token (SOP_TIER_CHECK_TOKEN || GITHUB_TOKEN) is owned by an identity not in those teams → 403 → FAIL.

Fix: provision SOP_TIER_CHECK_TOKEN as a Gitea PAT owned by a user who IS in both teams. Tracked in issue #1363.

## Root cause confirmed — issue #1363 filed The 403 on qa-review/security-review is NOT a runner freeze. The runners are fine. The 403 is because both workflows call `GET /api/v1/teams/{id}/members/{username}` to verify the APPROVE reviewer is in the `qa`/`security` team. The token (`SOP_TIER_CHECK_TOKEN || GITHUB_TOKEN`) is owned by an identity not in those teams → 403 → FAIL. Fix: provision `SOP_TIER_CHECK_TOKEN` as a Gitea PAT owned by a user who IS in both teams. Tracked in **issue #1363**.

core-devops referenced this issue 2026-05-16 16:28:58 +00:00

fix(review-refire-comments): use SOP_TIER_CHECK_TOKEN (write scope) for qa/security refires #1366

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

ci/arm64-advisory-mac-offload-pilot

design/mobile-comms-a11y

fix/canvas-user-message-cross-session-fanout

fix/mobile-ios-focus-zoom

design/mobile-chat-a11y

test/a2a-proxy-pure-coverage

fix/mobile-focus-visible-rings

fix/external-workspace-progress-feedback

fix/canvas-mobile-ws-wake-resume

staging

fix/mobile-chat-input-ios-focus-zoom

test/org-helpers-coverage

ci/timing-test-hygiene-host-load-internal

fix/setup-node-pin-corrupt-1432

fix/ci-required-drift-polling-sentinel

fix/issue212-actionable-agent-error-reason

runtime/fix-api03-test-fixture

test/traces-list-http-coverage

runtime/fix-test-fixture-v3

runtime/fix-test-fixture-on-1420

fix/queue-status-sort

runtime/fix-test-fixture-secret-scan-false-positive

test/workspace-abilities-coverage-20260517

fix/sop-engineers-main

fix/queue-merge-permanent-error

fix/test-async-cleanup-order

fix/delegations-list-deduplication

fix/canvas-npm-ci

fix/sop-staging-engineers-backport

offsec-015-staging-v2

fix/queue-skip-permanent-merge-error

design/settings-button-focus-v2

test/coverage-broadcast-listing-20260517

fix/workspace-tokens-global-sentinel-500

fix/sop-workflow-secrets-read

design/secrets-accessibility-fix

test/coverage-abilities-design-tokens-20260517

design/agentcomms-focus-visible

design/skills-accessibility-v2

design/skills-aria-accessibility

infra/action-sha-pin-e2e-chat

fix/sop-checklist-emdash-slug-parse

fix/sop-checklist-na-gate-probe-bug

test/coverage-2026-05-17

fix/queue-merge-error-surfacing-v2

test/all-coverage-v5

fix/settings-panel-focus-visible

sre/ci-coldrunner-main-fix

fix/skills-tab-focus-visible

test/all-coverage-v4

test/all-coverage-v3

fix/aria-live-errors-v2

fix/canvas-attachment-focus-visible

fix/queue-merge-error-surfacing

test/all-coverage-v2

fix/app-page-focus-v2

fix/app-page-focus-visible

fix/delete-dialog-focus

fix/sop-checklist-probe-na-gate

test/all-handler-lib-coverage

test/handlers-and-lib-coverage-v2

test/delegation-sweeper-pure-funcs

fix/queue-update-then-wait-loop

fix/workspace-abilities-test-coverage

fix/delegation-list-shows-both-directions

fix/mcp-tools-sql-fix

test/org-import-pure-funcs

test/workspace-crud-validators

fix/canvas-user-message-persist-at-ingest

sre/fix-scheduled-workflow-cancel-in-progress

test/handlers-and-lib-coverage

fix/filetree-wcag-icons

fix/mobile-wcag-focus-visible

sre/pr1381-retrigger

infra/add-missing-workflow-concurrency

infra/scheduled-workflow-cancel-in-progress

fix/canvas-wcag-focus-visible-2

ci/twine-verbose-403-reason-body

test/handlers-and-theme-coverage

fix/ci-required-drift-skip-f1

fix/sop-checklist-na-declarations

test/workspace-abilities-and-theme

test/plugins-sources-and-theme

sre/comment-dispatch-consolidation-v2

chore/remove-crewai-deepagents-gemini-cli

test/workspace-broadcast-handler

test/workspace-abilities-patch

fix/inbox-self-echo

feat/test-status-config-constants

feat/test-plugins-install-handlers

test/local-provisioner-token-ownership-parity

infra/internal-462-publish-deploy-lane

fix/staging-sync-persist-fix

feat/broadcast-coverage

feat/plugins-listing-and-sources-coverage

__disk-test-137017

fix/main-red-watchdog-close-on-pending

fix/review-refire-comments-token-scope

feat/canvas-abilities-banner-test

pr-1307

runtime/lazy-workspace-id

staging-dev-lead-test-4107230

feat/workspace-abilities-test-coverage

ci/scheduled-cancel-in-progress-1357

feat/broadcast-test-coverage

fix/a2a-queue-status-coverage

pr-1351

ci/e2e-peer-visibility-bp-pending-1296

ci/e2e-peer-visibility-bp-required-1328

fix/review-refire-conflict

sre/consolidated-main-to-staging

fix/org-helpers-duplicate-comment

fix/a2a-mcp-stdio-pipe-blocking-readline

fix/a2a-self-delegation-echo-inbox

perf/canvas-favicon-shrink

perf/canvas-toolbar-logo-shrink

perf/canvas-bundle-analyzer-optimize-imports

fix/offsec-015-staging

fix/workspace-token-injection-agent-owned

ci/sop-checklist-narrow-issue-comment-trigger

fix/broadcast-handler-coverage-1343

fix/test-patchAbilities-toolbar-1313-1334

docs/gitea-actions-quirks-runbook

fix/1256-enable-button-focus-ring

pr-1327

feat/workspace-sizing-override

test/canvas/Toolbar-a11y

fix/sop-checklist-na-post

canvas/broadcast-chat-wcag

fix/test-matchesChatID-1304

test/canvas/FileTree-render-a11y

test/canvas/ChatTab-subtab-a11y

test/canvas/SidePanel-a11y-and-state

enforce/peer-visibility-bp-directive-1296

infra/main-ci-retrigger

sre/queue-api-fix

fix/handlers-untested-helpers-2026-05-16

sre/sop-na-fix

promote/staging-to-main

infra/detect-changes-shallow-v2

feat/publish-lane-runs-on-394

test/canvas/FilesToolbar-a11y

fix/workspace-abilities-coverage-1312

fix/sop-checklist-merged-blank-line

fix/e2e-chat-setup-node-mirror-sha

e2e/peer-visibility-local-backend

fix/channels-matchesChatID-tests

fix/secrets-coverage-compile-err-1274

e2e/peer-visibility-mcp-gate

fix/e2e-chat-setup-node-mirror

fix/canvas-arrangeChildren-coverage

sre/fix-queue-null-created-at-sort

fix/sop-checklist-blank-line-detect

fix/a2a-proxy-test-async-drain

fix/handlers-admin-delegations-coverage

sre/platform-go-timeout-60m

infra/sop-tier-check-token-guard

fix/handlers-test-async-drain

fix/gate-check-login-aliases

fix/secrets-scan-test-fixture-exclusion

fix/secrets-coverage-tests-v2

fix/ci-concurrency-cancel-superseded-storm

fix/secret-scan-exclude-secrets-tests

fix/secrets-patterns-100pct-coverage

fix/secrets-100-coverage

standalone/review-check-403-fix

feat/files-agent-home-stub

feat/agent-home-docker-exec-internal-425-phase-2b

sre/secret-scan-timeout

feat/canvas-files-agent-home-internal-425-phase-3

fix/top-level-modules-add-a2a-tools-identity

feat/secrets-patterns-ssot-internal-425-phase-2a

stub/files-api-agent-home-root-2026-05-15

fix/sop-n-a-v2

fix/files-api-agent-home-stub

be/workspace-server-accumulated-fixes

fix/sop-n-a-clean

fix/workspace-server-healthcheck

design/themetoggle-test-teardown-fix

feat/canvas-growParentsToFitChildren-coverage

fix/openclaw-skip-config-write-and-canvas-timeout-to-main

feat/agent-card-update-and-runtime-identity-tools-relocated

fix/openclaw-skip-config-write-and-canvas-timeout

fix/prod-auto-deploy-timeout

feat/chat-unify-clean

fix/autobump-skip-existing-tags

fix/issue-1187-broadcast-abilities-coverage

fix/runtime-autobump-next-free-tag

pr-1211

feat/queue-status-abilities-handler-tests

fix/queue-channels-coverage

infra-sre/golangci-lint-connectivity-fix

infra/main-sop-na-fix

fix/staging-golangci-30m-v2

fix/scheduler-coverage-gaps

fix/channels-rows-err-and-cwe312

fix/container-name-no-uuid-truncation

fix/staging-golangci-noconfig

fix/provider-base-url-fallback

fix/provisioner-uuid-no-truncate

fix/queue-label-filter-all-ids

fix/review-check-403-skip

fix/ki-010-container-name-truncation

fix/provisioner-no-uuid-truncation

fix/issue-1176-db-db-race

fix/channels-rows-err

test/issue-1156-messaging-coverage

sre/fix-test-sop-parse-directives

infra/staging-sop-na-fix

test/workspace-adapter-base-coverage

sre/fix-sop-test-parse-directives

fix/pr-1070-push-tokens

test/push-package-coverage

hotfix/offsec-015-org-isolation

infra/sop-n-a-plus-drift-fix

fix/issue-1183-settingspanel-act-wrap

pr-1185-current

infra/main-golangci-no-config

test/qa-broadcast-abilities-coverage

fix/delegations-list-endpoint-wrong-column

core-be/fix/platform-go-timeout

fix/issue-1152-delegation-activity-db-err-tests

core-be/fix/tokens-rate-limit-scan-err-v2

fix/handlers-rows-err-missing

infra/canvas-deploy-reminder-polling-list

fix/staging-ci-timeouts

fix/settingspanel-act-flush

fix/rows-err-instructions-resolve

fix/ci-cold-runner-timeout

fix/issue-1171-rows-err-memory-events-channels

fix/sentinel-remove-phas3-masked

infra/fix-all-required-combined-status-check

pr1165-rebase

fix/approvals-json-marshal-guard

feat/canvas-broadcast-handler

sre/fix-ci-drift-false-positive

sre/fix-queue-remove-label-bug

infra/workspace-server-healthcheck

fix/ci-drift-canvas-deploy-reminder

fix/offsec-015-broadcast-org-isolation

fix/delegation-list-callee-plus-golangci-lint

sre/fix-queue-gate-context

core-be/test/delegate-record-db-errors-v2

test/delegate-record-db-errors

fix/tokens-rate-limit-scan-err

pr-1117

pr-1117-latest

infra/staging-golangci-no-config

fix/openclaw-molecule-mcp-version-pin

offsec015

fix/openclaw-mcp-version-check

feat/provider-routing-base-v2

feat/e2e-chat-stabilization

fix/sop-concurrency-throttle

p1102

p1117

fix/canvas-deploy-reminder-deadlock

infra/main-golangci-timeout-fix

feat/provider-routing-base

sre/sweep-cf-orphans-aws-timeout

sre/queue-merge-conflict-handling

fix/na-declarations-gate

fix/stdio-clean

fix/handlers-log-db-scan-errors

fix/channels-marshal-errors

fix/channels-silent-json-errors

sre/channels-unmarshal-errors

sre/queue-pre-receive-hook-fix

sre/ci-timeout-increase

fix/approvals-terminal-db-err-logging

infra/ci-platform-go-timeout-fix

fix/push-notifications

fix/channels-duplicate-encrypt

fix/channels-json-unmarshal-guard

fix/main-rows-err-instructions

fix/ci-org-helpers-demorgan

fix/main-test-fix-from-0c152a24

infra-sre/fix-platform-go-test

fix/staging-offsec010-cp-wiring

fix/handlers-instructions-test-bugs

fix/ci-allrequired-needs

fix/staging-goasync-configseed

fix/issue-1080-org-helpers-comment

fix/issue-1081-errors-import

fix/1080-org-helpers-comment-typo

infra-sre/fix-missing-test-imports

fix/offsec-010-wiring

fix/saas-t4-cp-config-seed

fix/offsec-010-clean

fix/offsec-003-boundary-wrapping

fix/offsec-003-escaped-markers-main

fix/mobile-chat-history

fix/staging-CWE-78-rows-err

fix/1062-mobilechat-history

hotfix/cwe-78-staging

fix/stdio-v2

fix/offsec-010-symlink-walkdir

fix/test-stdio-function-name

fix/offsec-010-symlink-walkdir-isSaaS-fix

sre/fix-stale-platform-server-port

fix/offsec-010-from-pr1047

staging-v6

fix/e2e-api-port-collision

fix/main-async-db-race

fix/secrets-rows-err-check

infra/sync-staging-v6-to-main

pr/1030

fix/handlers-instructions-test-compile

fix/instructions-test-compile

fix/openclaw-empty-required-keys

sre/main-rows-err-checks

fix/staging-v6-conflict-markers

fix/delegation-list-test-conflict-marker

fix/main-red-cdb0b040-ci-tests

fix/theme-toggle-selector-main-red

sre/ci-required-drift-canvas-reminder-skip

test/instructions-handler-coverage

sre/canvas-build-timeout

test/externalconnectmodal

fix/resolve-conflict-marker-delegation-list-test

fix/1008-themetoggle-css-selector

design/826-searchdialog-mount-v2

test/orgcancelbutton

fix/2088-themetoggle-queryselectorall-errors

design/704-tree-test-fix

fix/ci-required-drift-github-ref-skip

ci/975-db-pollution-fix

fix/968-remove-duplicate-test-declarations

fix/980-schedules-handler-test-coverage

design/tier-legend-contrast-2026-05-14

sre/platform-go-timeout-fix

fix/delegation-list-test-db-leak

fix/984-delegation-id-response-body

sre/queue-bot-fix-ctx-check

fix/983-remove-duplicate-test-declarations

fix/986-canvas-wcag-focus-rings

fix/993-agent-handler-test-coverage

design/wcag-focus-contrast-2026-05-14

design/wcag-focus-rings-round5-2026-05-14

fix/activity-logs-delegation-id-response-body

fix/982-expand-posix-identifier-guard

fix/test-offsec003-redundant-file

feat/976-schedules-handler-test-coverage

fix/org-helpers-test-panic

promote/main-to-staging-v5

fix/965-test-panic-resolveInsideRoot

promote/main-to-staging-v4

feat/delegation-list-tests

fix/test-a2a-sanitization-v3

promote/main-to-staging-v3

fix/duplicate-test-declarations

feat/org-helpers-security-tests

fix/main-push-operational-red

promote/main-to-staging-v2

fix-sop-concurrency-v2

fix/sop-checklist-gate-name

fix/docker-info-pipefail

fix/publish-healthcheck-pipefail

fix/sop-checklist-workflow-rename

promote/main-to-staging

sre/fix-sop-checklist-context-name-mc948

design/wcag-contrast-round4-2026-05-14

fix/org-helper-tests

fix/test-a2a-sanitization-main

fix/publish-image-on-every-main-push

fix/remove-canvas-reminder-from-all-required

fix/staging-integration-test-ctx

fix/staging-canvas-reminder-deadlock

design/wcag-a11y-round3-2026-05-14

ci/remove-canvas-reminder-from-all-required

fix/test-a2a-sanitization-assertions

fix/staging-ci-drift-canvas-reminder

fix/handlers-pg-integ-event-before

ci/platform-build-flip-coe

fix/staging-python-test-and-tier-check-lint

fix/offsec-006-slug-injection

runtime/fix-pr916-integration-test-ctx

design/chat-tab-wcag-contrast-2026-05-14

fix/offsec-006-slug-validation

design/wcag-contrast-fixes-2026-05-14

fix/904-handler-test-blockers

fix/ci-drift-canvas-reminder

fix/comment-trigger-storm

infra/660-codify-promote-tenant-image

fix/917-canvas-test-failures

fix/917-runtime-prbuild-detect-changes-fix

fix/filesTab-test-stale-reference

fix/files-tab-test-missing-helper

fix/runtime-prbuild-compat-detect-changes

fix/staging-test-compilation-fixes

fix/qa-review-token-fallback-v2

test/hydrate-canvas-coverage

fix/contextmenu-react-error-185

test/external-runtimes-coverage

fix/main-sqlmock-import-ineffassign-20260513

fix/redeploy-tenants-on-main-lint-cleanup

sre/docker-daemon-gate-fix

fix/897-listdelegations-use-ledger-table

fix/901-listdelegations-ledger-table

fix/core-main-handlers-hotfix

fix/e2e-api-platform-port

fix/main-green-monitor-status

fix/mobile-MobileChat-infinite-render

fix/delegations-ledger-fallback-rows-err

fix/874-extractmessagetext-clean

feat/881-untested-helpers

fix/874-extractmessagetext-bug

fix/status-reaper-api-timeout-retry-20260513130514

fix/831-admin-token-placeholder-bootstrap

feat/canvas-test-coverage-738

feat/files-tab-tree-coverage

feat/canvas-untested-components-coverage

feat/canvas-tab-test-coverage-2

fix/main-bundle-test-sqlmock-import

fix/stdio-fallback-all-environments

staging-sync-v3

ci/burn-in-remove-sop-tier-check-coe

fix/issue-860-delivery-mode-tests

design/approval-banner-emerald-fix

fix/issue-854-termsgate-a11y

fix/issue-859-wcag-contrast

fix/delegations-rows-err-bbc40cb8

design/approvalbanner-a11y

design/pricingtable-a11y

design/toolbar-help-toggle-fix

staging-sync-v2

fix/canvas-approvalbanner-a11y

feat/canvas-external-connect-modal-coverage

staging-sync-rm

fix/test-sanitize-agent-error-stderr

test/a2a-queue-extractExpiresInSeconds

fix/pr-829-test-issues

design/826-searchdialog-mount

fix/chat-createMessage-attachments-key

fix/762-recall-memory-canary

fix/367-a2a-tools-coverage-v2

feat/search-dialog-mount

feat/org-layout-test-coverage

fix/offsec-003-builtin-a2a-sanitize

fix/canvas-playwright-install-timeout

fix/805-audit-force-merge-main-required-checks

fix/cf-sweep-api-error

fix/e2e-diagnose-detail

fix/a2a-mcp-server-http-transport

fix/core-main-red-golangci-install

fix/test-declarations

fix/sop-checklist-body-hard-gate

merge-792

feat/mcp-tools-test-coverage

feat/workspace-crud-test-coverage

feat/socket-handler-test-coverage

fix/686-delegation-integration-tests

feat/a2a-proxy-helpers-test-coverage

fix/publish-canvas-disable-gha-cache-20260512

fix/publish-canvas-docker-probe-20260512

fix/canvas-image-ecr-20260512

fix/687-send-ssh-public-key-detail

feat/tier-2g-required-context-exists-in-bp

feat/tier-2f-bp-emit-match

fix/mc-664-class-2-mcp-offsec-contract-test

fix/main-ci-green-20260512

infra/dockerfile-add-docker-cli-for-local-build

test/workspace-crud-helpers-coverage

fix/681-recallmemory-offsec-contract

fix/org-layout-helpers-test-coverage

fix/735-extractResponseText-tests

test/713-workspace-crud-validators

test/713-org-helpers-pure-coverage

fix/713-eic-diagnose-detail

fix/730-filterpeers-nil-guard

infra/all-required-coe-false-v2

fix/phase3-tracker-comments

fix/mc-664-class-1-delegation-tests-postgres-integration

fix/canvas-keyboard-shortcuts-dialog-guard

infra/664-lint-coe-trackers

ci/lint-tracker-regex-fix-v2

fix/731-nil-guard-filter-peers-by-query

fix/lint-TRACKER_RE-mid-sentence

ci-retrigger-747

feat/709-handler-pure-coverage

fix/697-canvas-geticon-topology

ci/lint-tracker-regex-fix

test/2071-canvas-drop-target-badge-coverage

feat/2071-canvas-orgdeploystate-coverage

feat/mobile-canvas-comms-spawn-coverage

ci/lint-coe-self-fix

feat/mobile-tabbar-a11y

fix/ssm-refresh-ecr-auth-json-escaping

design/729-fix

ci/gate-check-v3-permissions-fix

fix/730-discovery-filter-nil-role

infra/publish-docker-daemon-diagnostic

fix/714-all-required-coe-false

fix/717-mobile-agentMessages-selector

infra/fix-all-required-status-reporting

fix/687-e2e-surface-diagnose-detail

infra/docker-runner-label

test/701-canvas-hydrate-coverage

test/mobile-primitives-coverage

infra/664-interim-platform-build-exempt

fix/693-offsec-recallmemory-scrub-staging

sync/main-to-staging-514-v2

fix/693-offsec-recallmemory-global-scrub

fix/693-offsec-recallmemory-scrub

fix/634-handler-test-fixes-to-main

test/699-socket-handler-coverage

sre/workflow-run-replacement

infra/676-ssm-auth-json-hardening

fix/offsec-001-method-scrub-hotfix

fix/offsec-001-method-scrub-main

feat/workspace-crud-validation-tests

test/canvas-hydrate-coverage

infra/lint-pre-flip-continue-on-error

fix/workflow_run-to-push-gitea-1.22.6

feat/tier-2e-tracking-issue

fix/684-offsec-scrub-method-default

feat/sop-checklist-gate-mvp

feat/tier-2d-lint-mask-pr-atomicity

infra/lint-workflow-yaml-hostile-shapes

infra/lint-required-no-paths-filter

cleanup/pr-641-clean

feat/mobile-tabbar-wcag-a11y

fix/canvas-mobile-chat-loop

fix/651-canvas-chat-mobile-crash

fix/664-interim-remask-platform-build

fix/mobile-chat-max-update-depth

infra/622-force-merge-protection-fix

test/attachment-lightbox-clean-v2

ci/652-gitea-1-22-status-key

test/memorytab-2

infra/status-reaper-rev4-status-key-fix

infra/weekly-platform-go-vet-hard

fix/audit-force-merge-pipefail

infra/status-reaper-rev3-widen-window

test/canvas-externalconnectmodal-coverage

fix/sop-tier-check-token-graceful

infra/ci-required-drift-token-scope

test/console-modal-coverage

ci/review-check-tests-wire

test/canvas-workspacenode-coverage

test/memorytab

infra/interim-disable-reaper-watchdog-crons

test/attachment-lightbox-coverage

fix/issue-639-workspacenode-test-coverage

test/channels-tab

fix/canvas-searchdialog-test-fixtures

fix/598-attachmentLightbox-tests

fix/529-307-localbuild-async-test-fix

fix/582-attachmentviews-tests

fix/308-a2a-response-push-mode-tests

fix/529-preflight-localbuild

fix/sop-tier-check-token-graceful-staging

fix/545-approvalbanner-isolation

fix/519-memorytab-tests

infra/status-reaper-rev2-sweep-recent-commits

fix/handlers-test-fixtures

test/skill-helpers-coverage

test/ui-primitive-coverage

docs/gitea-quirks-10-11

test/platform-bundle-exporter-coverage

infra/status-reaper-rev1-drop-concurrency

fix/608-filesTab-focusTest

test/budget-section-coverage

infra/revert-docker-runner-label

fix/weekly-platform-go-latent-error-surface

infra/revert-publish-runs-on-pin

sre/gate-check-timeout

test/a2a-error-hint-coverage

test/chat-attachment-views-coverage

test/attachment-video-coverage

infra/option-b-status-reaper

infra/gate-check-v3-timeout

infra/576-docker-runner-label

fix/593-filetab-tests

test/files-tab-notavailablepanel-coverage

fix/591-forminputs-tests

fix/471-cwe117-stderr-scrubbing

infra/diagnostic-publish-workspace-server-image

fix/582-bundle-import-tests

test/form-inputs-coverage

fix/publish-workspace-server-image-json5-comments

sre/fix-all-required-null-result

fix/publish-workspace-server-image-optional-token

pr-251

test/ui-statusbadge-coverage

fix/all-required-null-result-assertion

fix/568-palette-context-tests

pr-527

infra/merge-563-autobump-fix

test/mobile-palette-context-coverage

sre/fix-gate-check-v3-combined-state-loop

ci/540-review-check-bats-tests

fix/publish-runtime-autobump-push-condition

ci/558-verify-publish-runtime-marker

test/canvas-empty-state-coverage

infra/publish-runtime-verify-2026-05-11

ci/554-oci-labels-publish-workflow

infra/drift-bot-token

infra/rfc-219-phase-4-all-required-sentinel

ci/551-gate-checkout-trusted-ref

fix/gate-check-v3-pr-HEAD-security

fix/541-token-argv-security

sre/fix-gate-check-v3-bugs

fix/537-cwe117-a2a-tools-sanitize

fix/gate-check-v3-http-error-crash

sre/fix-localbuild-preflight

infra/rfc-324-workflow-add

test/offsec-003-sanitization-backstop

fix/test-sanitize-agent-error-stderr-exc

fix/approval-banner-test-isolation

infra/scope-workflows-fix

sre/fix-pr530-deadlock

sre/reopen-516-gate-check-fix

fix/ci-scope-operational-workflows-504-419

sre/scope-operational-workflows-to-schedule

ci/harness-replays-detect-changes-quoting-fix

fix/test-blocks-until-inflight-completes

fix/test-enrich-peer-metadata-nonblocking

sre/fix-enrich-nonblocking-cache-check

merge-pr490

runtime/fix-offsec-003-tool-delegate-task

fix/508-update-boundary-assertions

sre/fix-test-delegation-sync-polling-assertions

fix/366-shared-runtime-coverage

fix/506-unused-imports

ci/lint-fixes

fix/367-a2a-tools-coverage

test/a2a-client-enrich-peer-rebase

fix/354-delegation-auto-resume-rebase

ci/fix-detect-changes-commits-array

fix/307-async-rebase

runtime/fix-harness-replays-push-event

sre/fix-test-polling-sanitization

fix/harness-replays-detect-changes-gitea-api

ci/fix-test-polling-sanitization

test/eventstab

runtime/335-rebase-platfrom-url

hotfix/491-offsec-003-staging-v2

fix/pr477-test-fixes

runtime/335-rebase-platform-url

fix/354-auto-resume-delegations

fix/368-audit-hooks-coverage

runtime/temporal-platform-url-fix

infra/secret-reconciliation-v2

fix/purchase-success-modal-test-isolation

pr-476

sre/fix-gitea-runbook-network-quirks

tools/gate-check-v3

fix/376-activity-delegation-polling

runtime/platform-url-fix-merge

fix/canvas-purchase-success-modal-test-timing

fix/secret-naming-reconciliation

docs/gitea-operational-quirks-runbook

test/canvas-toolbar-coverage

fix/canvas-tier-config-v2

fix/455-offsec003-sanitize-alignment

fix/sweep-stale-e2e-orgs-secret-name

fix/approvalbanner-mockreset-452

fix/canvas-approvalbanner-mockreset

fix/publish-runtime-autobump-fetch-depth

fix/321-cwe22-loadWorkspaceEnv-path-traversal

fix/canonicalize-staging-admin-token-rebase-462

canvas-followup

fix/canonicalize-staging-admin-token-rest

refactor/drop-canary-prefix

fix/canvas-test-and-design-fixes

runtime/432-followup-helper-extraction

fix/harness-replays-detect-changes-fetch-depth

fix/stderr-include-a2a-error-response

feat/internal-292-sop-tier-refire

docs/update-remote-agent-tutorial-sdk-api

fix/canvas-confirm-dialog-backdrop-a11y-v3

fix/canvas-confirm-dialog-backdrop-a11y-v2

fix/388-github-token-501-gitea-staging

fix/dialog-backdrop-a11y

runtime/414-idle-loop-skip-pending-results-v3

fix/test-extract-tool-trace

fix/test-plugins-atomic-tar-coverage

fix/harness-replays-fetch-depth

fix/test-instructions-handler-coverage

sre/fix-workflow-secret-naming

fix/canvas-tiers-config-string-keys

fix/offsec-003-promote-to-main

fix/class-e-secret-name-reconciliation

fix/sop-tier-check-apt-get-first

fix/307-async-test-pollution

fix/sop-tier-check-jq-install-order

fix/canvas-test-failures-2026-05-10

runtime/fix-a2a-tools-duplicate-error-block-v2

infra/sop-tier-check-jq-install-fix

runtime/fix-a2a-push-delivery-mode

feat/main-never-red-watchdog-internal-420

feat/internal-219-phase-2bc-port-to-molecule-core

fix/a11y-canvas-clean

sweep/internal-219-cat-C1-port-gates-lints

sweep/internal-219-cat-B-delete-github-only

sweep/internal-219-cat-A-delete-mirrored

fix/offsec-003-json-endpoint-sanitize

sweep/internal-219-cat-C3-port-deploy-janitors

sweep/internal-219-cat-C2-port-e2e

fix/publish-runtime-cascade-sha-capture

feat/internal-219-phase-3-port-ci-yml

fix/413-a2a-delegation-offsec-003

runtime/381-idle-loop-pending-messages

fix/delegations-rows-err-check

fix/a11y-canvas-buttons-staging

runtime/fix-399-a2a-delegation-missing-import-v2

fix/380-cwe59-symlink-traversal

fix/388-github-token-501-staging

fix/confirm-dialog-wcag-backdrop

infra/sop-tier-check-jq-script-fallback

fix/revert-391-broken-jq-install

fix/a2a-tools-duplicate-dead-code

fix/confirm-dialog-backdrop

fix/canvas-confirm-dialog-backdrop-a11y

infra/jq-install-main

fix/sop-tier-check-jq-main

fix/canvas-dialog-backdrop-a11y

fix/388-github-token-501

runtime/offsec-003-polling-path-v2

fix/361-sanitize-delegation-results

runtime/offsec-003-executor-sanitize

fix/cwe22-loadWorkspaceEnv-main

fix/qa-audit-307-308-clean

ci/fix-293-sqlalchemy-pip-install

fix/354-delegation-auto-resume

runtime/platform-url-host-docker-internal

fix/canvas-repair-tests-344

fix/canvas-statusdot-ts-errors

test/molecule-audit-hooks-coverage

test/a2a-tools-and-send-message-coverage

fix/sop-tier-check-jq-install

test/shared-runtime-helpers-coverage

fix/canvas-topology-sort-orphan

fix/executor-helpers-offsec-003-sanitize

runtime/offsec-003-polling-path

fix/354-a2a-delegation-auto-resume

runtime/fix-a2a-push-delivery-mode-v2

fix/publish-runtime-add-_sanitize_a2a-to-allowlist

fix/publish-runtime-missing-working-directory

ci/add-sqlalchemy-to-pip-install

ci-resolve-github-gitea-triplicate

sre/offsec-003-boundary-escape

fix/sec-321-path-traversal-clean

fix/a2a-proxy-response-header-timeout-v2

fix/publish-runtime-workflow-dispatch-inputs

fix/a2a-push-mode-queue-envelope

fix/351-split-publish-runtime-triggers

feat/348-publish-runtime-restore-path-trigger

fix/issue-workspace-dup-name-409-autosuffix

fix/security-OFFSEC003-boundary-escape-334

fix/security-CWE22-loadWorkspaceEnv-330

fix/canvas-test-fixes-20260510

fix/canvas-extractMessageText

fix/qa-307-async-pollution-direct

test/a2a-client-enrich-peer-metadata

fix/docs-309-remote-faq-staging-env

fix/qa-308-push-mode-queue-tests

fix/qa-307-async-pollution

runtime/fix-plugin-registry-import-path

fix/a2a-proxy-response-header-timeout-clean

fix/publish-workspace-server-ci-clone-manifest-retry-main

infra/remove-pr303-tracking

fix/issue-296-plugin-registry-sysmodules

infra/pin-compose-image-digests

chore/sync-main-to-staging

fix/sec-321-path-traversal

fix/a2a-proxy-response-header-timeout

docs/a11y-billing-wcag-patterns

fix/qa-307-test-a2a-inbox-wrappers-asyncio-refactor

runtime/fix-test-config-model-isolation

ci/docker-daemon-health-guard

docs/fix-remote-workspaces-faq

fix/publish-workspace-server-ci-clone-manifest-retry

fix/test-config-env-isolation

ci/staging-sha-pinning

fix/external-connection-user-facing-urls

fix/workspace-server-registry-config-helper

fix/issue-272-sqlalchemy-ci-install

fix/canvas-yaml-utils-nested-arrays-clean

fix/self-delegation-guard

promote/staging-to-main-100546

fix/a2a-tools-v2

fix/a2a-tools-and-workflow-cleanup

fix/canvas-test-isolation-fixes-v2

fix/molecule-model-env-go

runtime/fix-delegate-empty-parts-regression

infra/runtime-doc-playwright-limitation

fix/offsec-001-error-message-scrubbing

fix/offsec-001

fix/a2a-tools-string-error-handling-clean

fix/core-248-pluginresolver-and-plgh

infra/fix-source-resolver-dup

fix/model-provider-misnomer

fix/a2a-tools-string-error-handling-v2

fix/canvas-yaml-utils-test-failure

fix/a2a-tools-string-error-handling

fix/internal-214-gosum-vanity-import

fix/canvas-test-isolation-fixes

chore/canvas-statusbadge-test-fix-cherry-pick

fix/canvas-statusbadge-test-role-ambiguity

runtime/fix-mcp-client-localhost-default

fix/core-257-delegation-test-stray-brace

revert/core-d0126662-restart-signals-undefined-h

revert/core-123-plugin-drift-detector

ci/pin-action-and-base-images

fix/org-232-per-workspace-required-env-preflight

fix/ssrf-guard-before-begintx

test/issue-232-per-workspace-required-env-preflight

fix/issue232-org-import-required-env-aggregation

fix/canvas-ts-test-errors

fix/delegations-list-ledger-fallback

wip-snapshot-2026-05-10/mac/molecule-core-tmp53-git-token-helper-wip

wip-snapshot-2026-05-10/mac/molecules-org-molecule-core-registry-prefix

fix/pluginresolver-conflict

wip-snapshot-2026-05-10/core-be/fix-pluginresolver-conflict

wip-snapshot-2026-05-10/core-qa/stash-package-lock-diff

feat/keyboard-shortcuts-dialog

wip-snapshot-2026-05-10/core-uiux/feat-keyboard-shortcuts-dialog

wip-snapshot-2026-05-10/core-fe/test-canvas-design-tokens-config

test/canvas-cssvar-tests

fix/internal-229-sop-tier-check-tier-low-relaxation

test/canvas-utility-pure-tests

test/canvas-preflight-utils-tests

test/canvas-runtimeprofiles-tests

test/canvas-yaml-utils-tests

test/canvas-pure-function-tests

fix/ci-port-publish-workspace-server-image-228

fix/ssrf-validate-agent-url-212

ci/sop-tier-check-approver-teams-fix

fix/sop-tier-check-legacy-flip-229

wip-snapshot-2026-05-10/core-be/fix-ki001-telegram-disable-channel

wip-snapshot-2026-05-10/core-be/feat-a2a-pre-restart-drain-125

wip-snapshot-2026-05-10/core-be/feat-plugin-drift-queue-123

fix/sweeper-race-error-counter

infra/fix-issue-75-gh-cli-gitea-sweep

wip-snapshot-2026-05-10/core-be/fix-gh-api-gitea-sweep-75

feat/keyboard-shortcuts-dialog-test

wip-snapshot-2026-05-10/core-be/fix-sweeper-test-isolation-86

ci/fix-issue-87-root-skip

fix/test-local-resolver-root-skip

fix/workspace-tests-clear-auth-cache

wip-snapshot-2026-05-10/core-be/fix-a2a-delegation-success-rendered-as-error

wip-snapshot-2026-05-10/core-be/fix-files-restart-volume-sync

wip-snapshot-2026-05-10/core-lead/tech-debt-rename-net

wip-snapshot-2026-05-10/core-lead/fix-168-mine

wip-snapshot-2026-05-10/core-lead/fix-167-uiux

wip-snapshot-2026-05-10/core-fe/stash-canvas-agent-comms-show-task-text

fix/canvas-agent-comms-show-task-text

wip-snapshot-2026-05-10/core-lead/fix-vitest-pool

fix/info-disclosure-errors

infra/add-temporal-to-main-compose

design/verify-canvas-design-system

fix/workspace-persona-git-identity

fix/175-env-matched-pair-guard

wip-snapshot-2026-05-10/core-lead/fix-149

refactor/sop-tier-check-extract-script

fix/sop-tier-check-pr-target-security

ci/sop-tier-check-deploy

fix/issue53-admin-token-pair-guard

fix/org-import-started-event-name

refactor/delete-uses-cascade-helper

fix/org-import-reconcile-and-audit

fix/preserve-model-secret-on-restart

feat/persona-bind-mount-local-dev

feat/canary-tier-filter

feat/plugin-version-subscription

feat/plugin-hot-reload-classifier

feat/plugin-atomic-install

feat/air-hot-reload-dev

feat/persona-env-injection

fix/external-resolver-hardening

fix/issue75-class-D-gh-api-to-gitea-rest

fix/cherry-3-files-vitest-postgres-e2eapi

fix/promote-vitest-postgres-fixes

fix/saas-plugin-install-eic

fix/issue-94-e2e-api-parallel-safe-class-b

migrate/issue-71-vanity-imports

fix/handlers-postgres-port-collision-class-b

fix/issue-96-canvas-vitest-cold-start-timeout

fix/hermes-agent-doc-gitea-migration

fix/196-retarget-main-to-staging-gitea-rest

fix/gitea-ci-flakes-issue-88

fix/pin-upload-artifact-v3-gitea

fix/issue-72-auto-sync-token-canary-v2

fix/issue75-class-F-gh-run-list-to-statuses

fix/issue75-class-A-gh-pr-to-gitea-rest

feat/issue-63-local-build-from-gitea-v2

fix/195-auto-promote-staging-gitea-rest

fix/144-branch-protection-check-name-parity-audit

fix/harness-replays-pre-clone-manifest

chore/trigger-auto-sync-verification

fix/codeql-stub-on-gitea-156

chore/issue173-retrigger-after-ecr-repo-create

fix/issue173-inline-aws-ecr-login

fix/issue173-shell-docker-push

chore/retrigger-harness-replays-post-class-g

fix/issue173-buildx-driver-and-cache

fix/post-suspension-clone-manifest

fix/issue173-followup-platform-dockerfile

fix/post-suspension-github-urls

fix/170-goroutine-bleed-test-isolation

fix/issue173-publish-workspace-server-image

fix/issue36-a2a-proxy-preflight

fix/codeql-continue-on-error-156

feat/demo-mock-3-bigorg-mock-runtime

feat/demo-mock-1-purchase-success-modal

fix/publish-path-filter-add-scripts

fix/clone-manifest-gitea

chore/touch-publish-workflow-to-trigger

chore/retrigger-publish-post-aws-secrets

chore/cherry-pick-pr23-into-main

chore/backsync-main-into-staging-task-166

fix/auto-sync-use-devops-token

chore/retrigger-staging-on-fixed-runner-image

chore/drop-github-app-auth-and-ecr-swap

docs/readme-comprehensive-refresh-2026-05-06

feat/rfc-2945-pr-c-2-canvas-chat-history

fix/issue10-runtime-aware-plugin-install

fix/s8-bind-loopback-dev

fix/14-cascade-gitea-dispatch

docs/molecule-core-bulk-sed

chore/pin-artifact-actions-v3

fix/lowercase-org-slug

fix/script-ghcr-and-lint-paths

docs/workspace-runtime-readme-source-edit

feat/eic-tunnel-pool-core-11

chore/rfc-2945-pr-c-3-delete-historyhydration

fix/2872-sqlmock-regex-tightening

fix/cp-orphan-sweeper-2989

feat/registry-prefix-env-driven-issue-6

docs/readme-refresh-2026-05-06

runtime-v0.1.1003

runtime-v0.1.1000

runtime-v0.1.131

runtime-v0.1.130

runtime-v1.0.0

runtime-v0.0.35

runtime-v0.0.34

runtime-v0.0.33

runtime-v0.0.32

runtime-v0.0.31

runtime-v0.0.30

runtime-v0.0.29

runtime-v0.0.28

runtime-v0.0.27

runtime-v0.0.26

runtime-v0.0.25

runtime-v0.0.24

runtime-v0.0.23

runtime-v0.0.22

runtime-v0.0.21

runtime-v0.0.20

runtime-v0.0.19

runtime-v0.0.18

runtime-v0.0.17

runtime-v0.0.16

runtime-v0.0.15

runtime-v0.0.14

runtime-v0.0.13

runtime-v0.0.12

runtime-v0.0.11

runtime-v0.0.10

runtime-v0.0.9

runtime-v0.0.8

runtime-v0.0.7

runtime-v0.0.6

runtime-v0.0.5

runtime-v0.0.4

runtime-v0.0.3

runtime-v0.0.2

runtime-v0.0.1

ci-trigger-1776771586

ci-retry-1776771601

ci-retrigger-1776771591

Labels

Clear labels   

area/ci

CI/CD pipeline issues

  

kind/infrastructure

Infrastructure-related issues

  

merge-queue

Ready for serialized Gitea merge queue

  

merge-queue-hold

Temporarily hold PR in merge queue

  

platform/go

Go platform test issues

  

release-blocker

Blocks the staging→main promotion / a release

  

release-test

  

security

  

test-label-sre

  

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

  

triage-test

test

No Label

area/ci

kind/infrastructure

merge-queue

merge-queue-hold

platform/go

release-blocker

release-test

security

test-label-sre

tier:high

tier:low

tier:medium

triage-test

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

3 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1352

No description provided.