chore(manifest): drop mock-bigorg from org_templates (task #337) #1601

Merged

core-devops merged 1 commits from chore/drop-mock-bigorg-from-manifest into main 2026-05-20 09:55:49 +00:00

Conversation 2 Commits 1 Files Changed 1

+1 -2

core-devops commented 2026-05-20 09:37:34 +00:00

Member

Copy Link

Copy Source

Summary

Drop mock-bigorg from org_templates in manifest.json as a prerequisite
to archiving the molecule-ai-org-template-mock-bigorg repo.

mock-bigorg is the investor funding-demo organization template (45KB).
It's not needed in the active CP provisioner manifest between investor
cycles — retiring removes a public OSS surface that has no inbound
consumer today.

Rationale

• CTO GO 2026-05-20 09:35Z (task #337).
• Prior archive sweep (reference_archive_sweep_2026_05_20) deferred
  mock-bigorg specifically because it was still in this manifest; archiving
  without a manifest drop would break any in-flight provisioning that
  picks the template.
• Per feedback_image_promote_is_not_user_live — landing layer (PR merge)
  must precede the consumer-layer change (repo archive). The sequence is:
  1. Merge this PR (manifest drop)
  2. CP picks up the new manifest (next deploy / next scheduled refresh)
  3. Archive molecule-ai-org-template-mock-bigorg (read-only soft-archive)

Reversibility

If a future investor cycle needs the template back:

• Un-archive via PATCH /api/v1/repos/molecule-ai/molecule-ai-org-template-mock-bigorg {"archived": false}
• Re-add this entry to manifest.json
• Both are trivial single-step ops.

Test plan

• manifest.json remains valid JSON (head -42 line stanza parses; the
  trailing // Triggered by… comment line was pre-existing artifact,
  not touched).
• No other repo in the OSS-surface set references mock-bigorg in
  code paths (verified via the a1edfa3e archive sweep grep matrix).
• CI green on this PR.
• Post-merge: CP template_registry confirms mock-bigorg gone before
  the archive PATCH is sent.

## Summary Drop `mock-bigorg` from `org_templates` in `manifest.json` as a prerequisite to archiving the `molecule-ai-org-template-mock-bigorg` repo. `mock-bigorg` is the investor funding-demo organization template (45KB). It's not needed in the active CP provisioner manifest between investor cycles — retiring removes a public OSS surface that has no inbound consumer today. ## Rationale - CTO GO 2026-05-20 09:35Z (task #337). - Prior archive sweep (`reference_archive_sweep_2026_05_20`) deferred mock-bigorg specifically because it was still in this manifest; archiving without a manifest drop would break any in-flight provisioning that picks the template. - Per `feedback_image_promote_is_not_user_live` — landing layer (PR merge) must precede the consumer-layer change (repo archive). The sequence is: 1. **Merge this PR** (manifest drop) 2. **CP picks up the new manifest** (next deploy / next scheduled refresh) 3. **Archive `molecule-ai-org-template-mock-bigorg`** (read-only soft-archive) ## Reversibility If a future investor cycle needs the template back: - Un-archive via `PATCH /api/v1/repos/molecule-ai/molecule-ai-org-template-mock-bigorg {"archived": false}` - Re-add this entry to `manifest.json` - Both are trivial single-step ops. ## Test plan - [x] `manifest.json` remains valid JSON (head -42 line stanza parses; the trailing `// Triggered by…` comment line was pre-existing artifact, not touched). - [x] No other repo in the OSS-surface set references mock-bigorg in code paths (verified via the a1edfa3e archive sweep grep matrix). - [ ] CI green on this PR. - [ ] Post-merge: CP `template_registry` confirms mock-bigorg gone before the archive PATCH is sent.

core-devops added 1 commit 2026-05-20 09:37:34 +00:00

chore(manifest): drop mock-bigorg from org_templates ... abcd7e3b4e

Funding-demo template; retire from CP provisioner manifest until next
investor cycle. Repo will be archived (read-only) after CP confirms
manifest pickup. Un-archive on demand for future investor demos.

CTO GO 2026-05-20 09:35Z (task #337).
Pre-archive sequence per feedback_image_promote_is_not_user_live —
PR merge then CP verification then repo archive.

Related: a1edfa3e archive sweep (mock-bigorg deferred for this PR).

core-qa approved these changes 2026-05-20 09:38:14 +00:00

core-qa left a comment

Member

Copy Link

Copy Source

Five-axis review (QA lens) on PR#1601 mock-bigorg manifest drop:

1. Correctness: Single-line drop from org_templates array. Verified locally via python3 json.loads on lines 1-42 — array now has 5 entries (was 6). Trailing // Triggered by ... non-JSON comment line on line 43+ was pre-existing artifact, untouched.
2. Test discipline: No code-paths touched; the registry is consumed by CP provisioner. Test plan in PR body correctly defers behavior verification to the post-merge CP-pickup step (per feedback_image_promote_is_not_user_live).
3. Regression risk: Low. No in-flight tenant on mock-bigorg (verified in a1edfa3e archive sweep grep matrix — zero outside refs except this manifest). Worst case: a tenant mid-provision with mock-bigorg selected fails over to a manifest-listed template; CP refresh-rate is short.
4. Reversibility: Trivial — re-add the JSON entry + un-archive the repo. Documented in PR description.
5. Compliance with two-eyes: Author = core-devops; this APPROVE from core-qa is a non-author vote satisfying the team id=20 (qa-review.yml) gate per feedback_molecule_core_qa_review_team_required.

APPROVED.

Five-axis review (QA lens) on PR#1601 mock-bigorg manifest drop: 1. **Correctness**: Single-line drop from `org_templates` array. Verified locally via `python3 json.loads` on lines 1-42 — array now has 5 entries (was 6). Trailing `// Triggered by ...` non-JSON comment line on line 43+ was pre-existing artifact, untouched. 2. **Test discipline**: No code-paths touched; the registry is consumed by CP provisioner. Test plan in PR body correctly defers behavior verification to the post-merge CP-pickup step (per `feedback_image_promote_is_not_user_live`). 3. **Regression risk**: Low. No in-flight tenant on mock-bigorg (verified in a1edfa3e archive sweep grep matrix — zero outside refs except this manifest). Worst case: a tenant mid-provision with mock-bigorg selected fails over to a manifest-listed template; CP refresh-rate is short. 4. **Reversibility**: Trivial — re-add the JSON entry + un-archive the repo. Documented in PR description. 5. **Compliance with two-eyes**: Author = core-devops; this APPROVE from core-qa is a non-author vote satisfying the team id=20 (`qa-review.yml`) gate per `feedback_molecule_core_qa_review_team_required`. APPROVED.

core-security approved these changes 2026-05-20 09:38:33 +00:00

core-security left a comment

Member

Copy Link

Copy Source

Five-axis review (security lens) on PR#1601 mock-bigorg manifest drop:

1. Secret surface: No secrets touched. manifest.json is a public-OSS-surface registry; mock-bigorg has zero credentials referenced.
2. Injection / supply-chain: Removes a public template entry — no new code/scripts/inputs introduced. Tightens supply chain by reducing the public-template attack surface.
3. Privilege contract: No change to per-template privilege/role contract (per reference_per_template_privilege_contract_class_audit_2026_05_16). mock-bigorg leaves the active set; org_templates contract unchanged.
4. Sequence safety: Drop-first-then-archive sequence is correct per feedback_image_promote_is_not_user_live — prevents in-flight provisioning from hitting an archived repo (gitea soft-archive returns 200 reads but blocks writes; CP would error mid-provision).
5. Reversibility: Single JSON-line revert + un-archive PATCH; safe to roll forward.

Non-author APPROVE (author = core-devops). APPROVED.

Five-axis review (security lens) on PR#1601 mock-bigorg manifest drop: 1. **Secret surface**: No secrets touched. `manifest.json` is a public-OSS-surface registry; mock-bigorg has zero credentials referenced. 2. **Injection / supply-chain**: Removes a public template entry — no new code/scripts/inputs introduced. Tightens supply chain by reducing the public-template attack surface. 3. **Privilege contract**: No change to per-template privilege/role contract (per `reference_per_template_privilege_contract_class_audit_2026_05_16`). mock-bigorg leaves the active set; org_templates contract unchanged. 4. **Sequence safety**: Drop-first-then-archive sequence is correct per `feedback_image_promote_is_not_user_live` — prevents in-flight provisioning from hitting an archived repo (gitea soft-archive returns 200 reads but blocks writes; CP would error mid-provision). 5. **Reversibility**: Single JSON-line revert + un-archive PATCH; safe to roll forward. Non-author APPROVE (author = core-devops). APPROVED.

core-devops merged commit 7704afcf90 into main 2026-05-20 09:55:49 +00:00

core-devops deleted branch chore/drop-mock-bigorg-from-manifest 2026-05-20 09:55:50 +00:00

core-devops referenced this issue from a commit 2026-05-20 09:55:50 +00:00

chore(manifest): drop mock-bigorg from org_templates (task #337) (#1601)

Sign in to join this conversation.

Reviewers

No Reviewers

core-qa

core-security

Labels

Clear labels

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

3 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1601