Workspace secret GH_PAT not exported as GH_TOKEN; molecule-git-token-helper.sh also doesn't fall back to it #1687

New Issue

Closed

opened 2026-05-22 21:21:35 +00:00 by RenoStarsAI-production-client · 0 comments

RenoStarsAI-production-client commented 2026-05-22 21:21:35 +00:00

Copy Link

Copy Source

Summary

The Molecule platform stores a GH_PAT workspace secret with a working GitHub Personal Access Token, but neither (a) the gh CLI nor (b) the platform's molecule-git-token-helper.sh credential helper find it. Result: agents that need to clone or pull private GitHub repos in their cloud env get "all token sources exhausted" / "Authentication failed" even though the credential IS available — they just need to be told the right env-var name.

This is filed as a follow-up to #1684 (same investigation surfaced both).

Tenant + repro context

• Tenant: reno-stars.moleculesai.app
• Workspace (SEO Agent): 3fe84b89-eb65-42fc-ad1f-5c93582ca3e7
• Target repo: Reno-Stars/reno-star-business-intelligent (private)
• Discovered: 2026-05-22 ~20:46 UTC during direct A2A debugging with the agent

What the agent sees

Workspace secrets API (GET /workspaces/{id}/secrets) returns:

[
  { "key": "GH_PAT",  "has_value": true, "scope": "workspace", "created_at": "2026-05-20T22:05:19Z" },
  { "key": "GH_USER", "has_value": true, "scope": "workspace" },
  { "key": "GH_REPO", "has_value": true, "scope": "workspace" },
  { "key": "GIT_EMAIL", ... },
  { "key": "GIT_NAME",  ... }
]

Agent env (from the agent's own printenv inside its cloud runtime):

GH_PAT:        SET   (value_len=40, classic PAT format)
GH_TOKEN:      EMPTY
GITHUB_TOKEN:  EMPTY
GITHUB_PAT:    EMPTY
GH_USER:       SET   (value_len=11)
GH_REPO:       SET   (value_len=28)

So the secret IS exported into the runtime — under the literal name GH_PAT. But:

1. gh CLI doesn't recognize GH_PAT

gh repo clone Reno-Stars/reno-star-business-intelligent returns:

To get started with GitHub CLI, please run: gh auth login
Alternatively, populate the GH_TOKEN environment variable with a GitHub API authentication token.
exit=4

The gh CLI specifically looks at GH_TOKEN (or GITHUB_TOKEN). It does not fall back to GH_PAT.

2. molecule-git-token-helper.sh doesn't recognize GH_PAT either

git clone https://github.com/Reno-Stars/reno-star-business-intelligent.git returns:

[molecule-git-token-helper] all token sources exhausted
remote: Repository not found.
fatal: Authentication failed for 'https://github.com/Reno-Stars/reno-star-business-intelligent.git/'
exit=128

So the bundled credential helper that's wired into the agent's .gitconfig doesn't check GH_PAT even though it's the obvious place to find one.

3. Workaround that works

The agent and I confirmed this works:

GH_TOKEN=$GH_PAT gh repo clone Reno-Stars/reno-star-business-intelligent ... --depth 1 --quiet
# exit=0 ✓

i.e. inline-prefixing GH_TOKEN=$GH_PAT makes both gh CLI and the credential helper see the token. So the value is correct; only the env-var name plumbing is broken.

We've patched our 11 cron schedules to do this prefix everywhere they invoke git/gh. It works but is ugly — every gh/git command needs the inline prefix, and any third-party tool that just calls git pull without the prefix will still fail.

Proposed fix (any one of these would resolve)

A. Workspace secret-injection layer also exports GH_PAT as GH_TOKEN. The simplest fix. When the platform reads the GH_PAT secret to inject it into the runtime, also inject an identical GH_TOKEN env var. (Or alias.) This makes gh CLI work out of the box and matches the convention every other GitHub-aware tool expects.

B. molecule-git-token-helper.sh looks at GH_PAT as a fallback. Order it tries: GH_TOKEN → GITHUB_TOKEN → GH_PAT → GITHUB_PAT. This fixes git operations even without the prefix, and would match how tools like Dependabot, Renovate, etc. behave.

C. Rename the canonical secret to GH_TOKEN. Most invasive — workspaces would need to update which secret name they reference. But would be the cleanest long-term.

Strong preference for A or A+B. Both are mechanical, don't affect any existing workspace's setup, and immediately fix the "obvious" path. Renaming (C) breaks existing scripts.

Why this matters for the SSOT pattern

Our workspace operates on the "SSOT in git" pattern — every cron tick git pulls its policy + skill content from a private GitHub repo. With the current setup, that pull silently fails (the helper says "exhausted" and gh says "no auth"), and the agent falls back to whatever it remembers from prior ticks. That defeats the entire pattern: policy changes pushed to git never propagate to the agent.

We've worked around it with the GH_TOKEN=$GH_PAT inline prefix and it's stable now, but it's a footgun for the next person doing a Molecule + private-repo setup.

Reproduction

1. On any workspace with a private repo dependency, set the secret as GH_PAT (the natural-looking name).
2. Spin up a runtime, exec into it, run gh repo clone <private-repo> or git clone <private-repo>.
3. Observe both fail with auth errors even though the secret is set.
4. Run printenv | grep GH — GH_PAT is there, GH_TOKEN is not.

— Hongming Wang (airenostars@gmail.com)
— Tenant: reno-stars.moleculesai.app
— Workspace owner: d76977b1-f17e-4a4c-9f74-bf6315238620

## Summary The Molecule platform stores a `GH_PAT` workspace secret with a working GitHub Personal Access Token, but neither (a) the gh CLI nor (b) the platform's `molecule-git-token-helper.sh` credential helper find it. Result: agents that need to clone or pull private GitHub repos in their cloud env get "all token sources exhausted" / "Authentication failed" even though the credential IS available — they just need to be told the right env-var name. This is filed as a follow-up to #1684 (same investigation surfaced both). ## Tenant + repro context - **Tenant:** `reno-stars.moleculesai.app` - **Workspace (SEO Agent):** `3fe84b89-eb65-42fc-ad1f-5c93582ca3e7` - **Target repo:** `Reno-Stars/reno-star-business-intelligent` (private) - **Discovered:** 2026-05-22 ~20:46 UTC during direct A2A debugging with the agent ## What the agent sees Workspace secrets API (`GET /workspaces/{id}/secrets`) returns: ```json [ { "key": "GH_PAT", "has_value": true, "scope": "workspace", "created_at": "2026-05-20T22:05:19Z" }, { "key": "GH_USER", "has_value": true, "scope": "workspace" }, { "key": "GH_REPO", "has_value": true, "scope": "workspace" }, { "key": "GIT_EMAIL", ... }, { "key": "GIT_NAME", ... } ] ``` Agent env (from the agent's own `printenv` inside its cloud runtime): ``` GH_PAT: SET (value_len=40, classic PAT format) GH_TOKEN: EMPTY GITHUB_TOKEN: EMPTY GITHUB_PAT: EMPTY GH_USER: SET (value_len=11) GH_REPO: SET (value_len=28) ``` So the secret IS exported into the runtime — under the literal name `GH_PAT`. But: ### 1. `gh` CLI doesn't recognize `GH_PAT` `gh repo clone Reno-Stars/reno-star-business-intelligent` returns: ``` To get started with GitHub CLI, please run: gh auth login Alternatively, populate the GH_TOKEN environment variable with a GitHub API authentication token. exit=4 ``` The gh CLI specifically looks at `GH_TOKEN` (or `GITHUB_TOKEN`). It does not fall back to `GH_PAT`. ### 2. `molecule-git-token-helper.sh` doesn't recognize `GH_PAT` either `git clone https://github.com/Reno-Stars/reno-star-business-intelligent.git` returns: ``` [molecule-git-token-helper] all token sources exhausted remote: Repository not found. fatal: Authentication failed for 'https://github.com/Reno-Stars/reno-star-business-intelligent.git/' exit=128 ``` So the bundled credential helper that's wired into the agent's `.gitconfig` doesn't check `GH_PAT` even though it's the obvious place to find one. ### 3. Workaround that works The agent and I confirmed this works: ```bash GH_TOKEN=$GH_PAT gh repo clone Reno-Stars/reno-star-business-intelligent ... --depth 1 --quiet # exit=0 ✓ ``` i.e. inline-prefixing `GH_TOKEN=$GH_PAT` makes both gh CLI and the credential helper see the token. So the value is correct; only the env-var name plumbing is broken. We've patched our 11 cron schedules to do this prefix everywhere they invoke git/gh. It works but is ugly — every gh/git command needs the inline prefix, and any third-party tool that just calls `git pull` without the prefix will still fail. ## Proposed fix (any one of these would resolve) **A. Workspace secret-injection layer also exports `GH_PAT` as `GH_TOKEN`.** The simplest fix. When the platform reads the `GH_PAT` secret to inject it into the runtime, also inject an identical `GH_TOKEN` env var. (Or alias.) This makes gh CLI work out of the box and matches the convention every other GitHub-aware tool expects. **B. `molecule-git-token-helper.sh` looks at `GH_PAT` as a fallback.** Order it tries: `GH_TOKEN` → `GITHUB_TOKEN` → `GH_PAT` → `GITHUB_PAT`. This fixes git operations even without the prefix, and would match how tools like Dependabot, Renovate, etc. behave. **C. Rename the canonical secret to `GH_TOKEN`.** Most invasive — workspaces would need to update which secret name they reference. But would be the cleanest long-term. **Strong preference for A or A+B.** Both are mechanical, don't affect any existing workspace's setup, and immediately fix the "obvious" path. Renaming (C) breaks existing scripts. ## Why this matters for the SSOT pattern Our workspace operates on the "SSOT in git" pattern — every cron tick `git pull`s its policy + skill content from a private GitHub repo. With the current setup, that pull silently fails (the helper says "exhausted" and gh says "no auth"), and the agent falls back to whatever it remembers from prior ticks. That defeats the entire pattern: policy changes pushed to git never propagate to the agent. We've worked around it with the `GH_TOKEN=$GH_PAT` inline prefix and it's stable now, but it's a footgun for the next person doing a Molecule + private-repo setup. ## Reproduction 1. On any workspace with a private repo dependency, set the secret as `GH_PAT` (the natural-looking name). 2. Spin up a runtime, exec into it, run `gh repo clone <private-repo>` or `git clone <private-repo>`. 3. Observe both fail with auth errors even though the secret is set. 4. Run `printenv | grep GH` — `GH_PAT` is there, `GH_TOKEN` is not. — Hongming Wang (airenostars@gmail.com) — Tenant: reno-stars.moleculesai.app — Workspace owner: `d76977b1-f17e-4a4c-9f74-bf6315238620`

RenoStarsAI-production-client referenced this issue 2026-05-22 21:25:09 +00:00

Workspace-attached repo is provisioned as a flat directory (no `.git/`) — `git pull` impossible #1688

agent-dev-a referenced this issue from a commit 2026-05-23 01:05:16 +00:00

fix(workspace-server): #1687 — alias GH_PAT to GH_TOKEN / GITHUB_TOKEN at provision time

agent-dev-a referenced a pull request that will close this issue 2026-05-23 01:05:25 +00:00

fix(workspace-server): #1687 — alias GH_PAT to GH_TOKEN / GITHUB_TOKEN at provision time #1697

agent-dev-a referenced this issue from a commit 2026-05-23 10:46:13 +00:00

fix(workspace-server): #1687 — alias GH_PAT to GH_TOKEN / GITHUB_TOKEN at provision time

agent-dev-a referenced this issue from a commit 2026-05-23 10:59:20 +00:00

fix(provisioner): explicit GH_TOKEN/GITHUB_TOKEN win over GH_PAT alias (#1687)

agent-dev-a referenced this issue from a commit 2026-05-23 15:33:15 +00:00

fix(tests): update StripsSCMWriteTokens for GH_PAT alias precedence (#1687)

agent-dev-a referenced this issue from a commit 2026-05-23 16:22:08 +00:00

fix(workspace-server): #1687 — alias GH_PAT to GH_TOKEN / GITHUB_TOKEN at provision time

agent-dev-a referenced this issue from a commit 2026-05-23 16:22:08 +00:00

fix(provisioner): explicit GH_TOKEN/GITHUB_TOKEN win over GH_PAT alias (#1687)

agent-dev-a referenced this issue from a commit 2026-05-23 16:22:08 +00:00

fix(tests): update StripsSCMWriteTokens for GH_PAT alias precedence (#1687)

hongming closed this issue 2026-05-23 20:01:43 +00:00

hongming referenced this issue from a commit 2026-05-23 20:01:44 +00:00

fix(workspace-server): #1687 — alias GH_PAT to GH_TOKEN / GITHUB_TOKEN at provision time (#1697)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/2151-chunk1-activity-delegation-a2a-integration-tests

feat/2151-chunk2-integration-tests

fix/test-async-cleanup-order

fix/shellcheck-arm64-pilot-main-red-2146

docs/2159-pr-head-workflow-selection

fix/2152-unmask-real-infra-gates

cherry-pick-2167-suspenders-to-main

fix/2159-qa-security-auto-trigger-review-state-guard

fix/remove-dead-code-QueueDepth

staging

cp/469-tenant-proxy-env-delivery

fix/2162-platform-managed-fail-closed-missing-proxy

docs-test/gate-auto-fire-livefire-2159

feat/traces-v1-workspace-secrets-2976

fix/gate-followup-refire-token-direct-trigger-regression

test/2148-registry-auth-real-postgres

regression/2150-migration-replay-from-scratch-real-pg

regression/2149-scheduler-real-pg

ci/unmask-required-real-infra-gates-mc1982

fix/internal-760-review-event-trigger

fix/internal-760-qa-security-pr-review-trigger

fix/internal-760-ceremony-ai-sop-ack

runtime/lazy-workspace-id

fix/2134-chat-files-forward-ssrf-2316

feat/rfc742-rescue-read

fix/2131-patch-abilities-atomic

cr2/sec-d-2316-chat-files-ssrf

cr2/sec-a-2029-traces-ssrf

cr2/sec-c-2130-transcript-ssrf

fix/continue-on-error-triage-2113

feat/rescue-rebase-2019-v2

feat/rfc742-rescue-capture

test/handlers-misc-coverage

fix/http-client-timeout-panic-recovery-main

fix/errcheck-unchecked-errors-main

fix/broadcast-org-root-test-cleanup

fix/goroutine-panic-recovery

fix/canvas-e2e-transient-failed-2632

fix/plugin-uninstall-exec-errors

fix/admin-images-codex-and-std-encoding

fix/backends-md-drift-risk-6-stale

fix/broadcast-itest-cleanup-hygiene-2108

fix/sop-checklist-emdash-slug-parse

fix/pause-resume-cascade-opt-in-1991

fix/log-execasroot-errors-plugin-cleanup-main

fix/http-client-timeouts-panic-recovery-error-checks-main

fix/panic-recovery-goroutines-channels-handlers-scheduler-main

fix/canvas-e2e-transient-failed-2632-main

fix/backends-md-drift-risk-6-stale-main

fix/ci-required-drift-1739

fix/audit-force-merge-branch-aware

test/org-scope-abilities-coverage-clean

fix/renew-coe-tracker-mc774-clean-20260601

fix/registry-root-sibling-leak-1955

fix/registry-cancommunicate-cross-tenant-roots-1955

fix/broadcast-itest-status-enum-online

fix/rows-affected-core

fix/broadcast-org-root-cte

fix/broadcast-org-root-cte-1959

sync/providers-serving-urls

fix/staging-test-hermetic-env

fix/restart-context-defer-rows-close

review/pr3029-pr3033-local

fix/channels-rows-err-check

fix/ci-lint-suppression-1062

fix/defer-rows-close-audit

fix/delegation-rows-err-check

fix/errcheck-unchecked-errors-1062

fix/execcontext-err-check-high-impact

fix/execcontext-err-check-sweep2

fix/execcontext-error-audit

fix/http-defaultclient-auth-paths

fix/registry-rows-err-check

fix/secrets-scan-error-restart

fix/workspace-restart-rows-err

pr-3033

fix/restart-context-rows-err

fix/discovery-rows-err-check

fix/broadcast-org-root-cte-1959-staging

fix/rowserr-checks-events-channels-manager

fix/rowserr-memory-schedules-audit

fix/channels-duplicate-encrypt

fix/audit-rows-err-check

feat/minimax-m3-sync

fix/missing-rows-err-llm-billing-mode

fix/ci-scheduler-fanout

feat/openapi-management-spec

pr2056

fix/channels-memory-rows-err-check

fix/traces-error-handling

fix/codeql-sarif-export

fix/instructions-rows-err-check

fix/providers-ssot-sync-codex-subscription

fix/github-token-fallback-timeout-1101

fix/codex-central-refresher

feat/google-adk-runtime-ssot

worktree-agent-aa572c7374a57f03a

fix/sync-providers-yaml-openai-split-20260531

feat/workspace-data-persistence

e2e/google-adk-ci-wiring

feat/register-google-adk-runtime

feat/mc-multiperiod-workspace-budget

feat/schedule-orphan-monitor-cleaner

fix/schedule-migration-on-recreate

fix/google-adk-runtime-doc-accuracy

fix/setglobal-drop-retired-org-billing-guard

fix/internal-728-provider-matched-cred-injection

fix/internal-724-prod-auto-deploy-straggler-surfacing

fix/1994-provision-billing-model-passthrough

fix/renew-coe-tracker-1982

test/a2a-queue-status-depth-coverage

fix/broadcast-cte-non-root-sender-1959

feat/internal-718-p3b-canvas-consume-registry

test/patch-abilities-coverage-1312

feat/internal-718-p4-followup-llm-provider-removal

fix/cancel-in-progress-flip-1357

feat/internal-718-p4-pr2-hard-reject-unregistered

feat/internal-718-p4-pr1-reconcile-colon-vocab-sync

fix/mcp-tools-slim-residue

feat/internal-718-p3a-templates-from-registry

fix/memory-section-marker

feat/internal-718-p2a-registry-codegen-distribution

fix/render-status-body-state

feat/internal-718-p2b-billing-derives-from-provider

refactor/drop-org-tier-llm-billing-mode

fix/suppression-rationales-1769

pr1930

eng-b/rebase-1952

fix/ssot-provider-selection-billing-mode-711-713

fix/1769-suppression-rationales

fix/umbrella-reaper-1780

fix/byok-global-llm-cred-leak-internal-711

fix/workspace-broadcast-cte-1959

test-1675-canvas-user-activity-log-regression

fix/1953-scope-peer-discovery-a2a-to-org

fix/cancel-in-progress-low-risk-9

fix/cross-tenant-isolation-1953

fix/python-open-encoding

fix-1644-workspace-create-returns-auth-token

fix/1837-docs-stale-monorepo-ref

fix/review-check-all-403-diagnostic

fix/audit-force-merge-staging-drift-1739

fix/nil-safe-scans-validation-hardening

fix/delegate-async-return-after-marshal-fail

fix/canvas-user-verified-session-1673

fix/canvas-chat-poll-mode-1673

fix/mcp-tools-marshal-error-return

fix/ci-remove-race-from-blocking-gate-1184

fix/watchdog-close-stale-contexts-on-red

fix/time-after-single-retry-delegation

fix/time-after-goroutine-leaks

fix/json-marshal-log-continue-2nd-pass

fix/cp329-retire-config-files-userdata-cap

fix/703-provider-billing-mode-ui

fix/internal-703-byok-billing-mode-env

eng-b-test-1779917746

fix/workspace-ec2-leak-delete-retry

fix/ci-arm64-tracker

fix/1669-syntax-error

fix/docs-monorepo-refs

refactor/drop-org-tier-llm-billing-mode-canvas

fix/publish-buildx-writable-config

fix/publish-docker-config-api-20260520

feat/seed-schedules-from-ws-template

feat/canvas-llm-billing-mode-section

feat/per-workspace-llm-billing-mode

fix/memory-v2-upsert-namespace-20260526

fix/platform-managed-provider-key-leak

fix/mcp-tools-test-db-import-20260526

pr-3029

fix-tiny-readme

fix-shellcheck-arm64-pilot-runner-label

feat/canvas-lib-tests

docs/fix-stale-channel-install-refs-230

design/modal-a11y-followup

fix-1769-suppression-justifications

fix-365-scope-divergence-gate-check

fix-1763-org-include-test

docs/readme-quickstart-context

style/fix-ruff-e501-etc

fix/main-ci-display-deploy-blockers

fix/display-keyboard-clipboard

fix/runtime-template-repo-cache

fix/create-dialog-platform-defaults

fix/pending-upload-preview-after-ack

fix/create-dialog-runtime-provider-flow

fix/platform-us-default-provider

fix/seo-template-provider-env-prompt

chore/advisory-legacy-e2e

fix/seo-template-visible

fix/panel-contained-attachment-preview

fix/pdf-preview-csp

fix/pdf-preview-visible

fix/prod-auto-deploy-scoped-rollout

fix-1763-test-minimal

feat/llm-native-auth-flow

fix/issue-1823-delete-confirm-name

fix/display-control-browser-session

fix/agent-message-attachment-broadcast

chore/maintained-runtime-registry

fix/issue-1686-cost-efficient-workspace-defaults

fix/hermes-user-attachments-core

fix/gate-check-v3-ruff-f401-e741

docs/issue-1793-workspace-placement-rfc

fix/ruff-batch-2026-05-24

chore/issue-1760-rename-go-module

fix/platform-managed-llm-default

chore/issue-1812-remove-backfill-from-image

fix/ruff-f401-f541-f841-e741-batch

fix/ruff-e501-merge-queue

fix-1763-webhook-token-redaction-skip

fix/ruff-final-batch-f401-e741-f841

fix/ruff-e501-batch-4

fix/ruff-lint-batch-3

fix/ruff-lint-more-scripts

fix/user-message-fanout-1440

fix/workspace-compute-settings-control

fix/1763-finding-3-token-test-integration-tag

fix-1775-deploy-wait-alignment

fix/memory-plugin-nil-jsonb-marshal

fix/pv-staging-tenant-auth

fix/real-user-upload-staging-e2e

feat/issue-1791-bundle-memory-backfill

feat/issue-1754-mcp-memory-activity-broadcast

feat/issue-1791-memories-commit-v2-plugin

fix-1763-discord-token-test

chore/remove-stale-runtime-comment

fix/revert-1781-templates-runtime-relax

chore/remove-unmaintained-runtimes

fix/e2e-orphan-guard

docs/issue-1780-compensating-status-runbook

fix/issue-1778-templates-test-fixtures

fix/templates-supported-runtime-tests

fix/prod-auto-deploy-aggregate-context

chore/issue-1753-awareness-docs-sweep

chore/issue-1755-seed-initial-memories-v2

fix/ci-all-required-bookkeeping

fix/supported-runtime-catalog

chore/issue-1733-memory-plugin-schema-isolation

chore/issue-1735-remove-awareness-backend

fix/memory-list-rows-err

feat/1686-display-session-proxy

chore/issue-1733-a1-kill-v1-fallback

fix/issue-1734-memory-tab-v2

fix/codex-scheduled-a2a-timeout

fix/prod-auto-deploy-nonblocking

fix/arm64-pilot-label-macfix

fix/review-check-empty-pr-guard

fix/canvas-publish-docker-config

fix/channels-manager-rows-err

fix/rows-err-restart-discovery

fix/slack-webhook-response-body-close

fix/sweeper-rows-err

feat/1686-display-workspace-flow

fix-1700-A-github-token-http-timeout

fix/workspace-crud-descrows-err

task342/local-e2e-harness

fix/messagestore-extractfiles-unmarshal

fix/pgplugin-writejson-encode-error

feat/1686-display-control-ui

fix/discord-read-body-error

fix/capturebroadcaster-data-race

fix-scheduler-detect-result-kind-message-allow

fix/lark-read-body-error

fix/memory-decode-error-read-body

fix/slack-read-body-errors

fix/traces-read-body-error

fix/schedules-events-rows-err

fix/channels-json-unmarshal-errors

rfc-1706-openapi-phase1-schedules

fix/mcp-tools-scanpeers-err

fix/handlers-rows-err-batch

fix/slack-webhook-response-body-close-clean

fix/github-token-http-timeout

minimax-autonomous-test

fix/scheduler-1696-sdk-error-detection

fix/1696-scheduler-adapter-error-status

feat/1686-phase1-compute-schema

fix/1692-mount-schedule-routes

fix/1684-native-session-enqueue-on-busy

fix/1646-staging-saas-timeout

fix/ci-path-scope-main-push

fix/e2e-wait-after-config-put

fix/e2e-delegation-a2a-retry

fix/e2e-minimax-m2-default

platform-kill-defaultmodel-require-model-at-create

fix/e2e-a2a-busy-retry

fix/e2e-a2a-readiness-body

fix/t4-pid-probe-agent-safe

fix/t4-gitea-egress-ssot

docs-fix-claude-code-channel-template

fix/activity-flat-upload-attachments

fix/aws-secrets-janitor-literal-region

fix/activity-feed-peer-info-enrichment

fix/aws-secrets-janitor-fail-loud

fix/aws-secrets-janitor-staging

fix/staging-token-diagnostic

chore/publish-staging-ecr-with-ssot-publisher

fix/e2e-bash32-empty-array

chore/mirror-tenant-image-staging-ecr

fix/mcp-delegate-platform-path

chore/retrigger-peer-visibility-after-publish

fix/publish-buildx-docker-config

docs/multi-external-workspace-registration

fix/e2e-token-fallback-diagnostics

ci/clean-superseded-push-noise

ci/path-scope-go-handler-pr

fix/main-red-watchdog-action-run-status-filter

fix/admin-workspace-token-mint

test/e2e-chat-a2a-dns-regression

fix/staging-peer-visibility-token

chore/delete-core-workspace-runtime

fix/split-heavy-e2e-required-path

fix/ci-cron-bots-prebake-1357

fix/self-delegation-peer-list-hardening

fix/523-allow-user-set-workspace-secrets

feat/canvas-org-info-tab

fix/624-file-write-restart-debounce

fix/377-canvas-polite-cancel-before-restart

task227/external-mcp-progress-ux

fix/canvas-chat-a2a-hint-activity-tab-closeout-212

fix/t4-probe-docker-socket-and-pid-host

chore/ssot4-delete-dead-github-workflows

task335/drop-runtime-image-pins-mig-fresh

chore/ssot10-ecr-registry-var

fix/sop-checklist-stream-pagination-oom

task335/drop-dead-runtime-image-pins-mig-047

fix/a2a-error-hint-timeout-class

fix/a2a-error-detail-field-rename

feat/uploads-limits-ssot-task-320

core-devops/cascade-structural-hardening

chore/retrigger-publish-after-eacces

fix/poll-mode-pending-uploads-100mb-mc1588

fix/redeploy-fleet-confirm-callers

fix/lint-workflow-yaml-slash-in-name

retrigger/publish-workspace-server-after-pr110-deploy

infra-runtime-be/upload-100mb-and-correct-reason-errors

infra-sre/rfc596-publish-runtime-dual-push-gitea-pypi

fix/workflow-name-no-token-slash

infra-sre/audit-log-phase1-emit-secrets

fix/main-red-watchdog-skip-cancel-cascade-mc1564

feat/rfc563-ws-server-binary-strip

ci/146-lint-no-tenant-gitea-token

feat/agent-card-identity-seed-prod-team-internal-492-followup

fix/rfc524-layer1-bare-go-conversion

fix/ci-docker-host-guardrail-red

test/e2e-todays-pr-coverage

feat/146-forbidden-env-guard

fix/sop-checklist-widen-ack-internal-442

ci/mac-arm64-pilot-shellcheck

e2e/peer-visibility-local-backend-task166

fix/canvas-surface-error-detail

fix/wsserver-broadcast-error-detail

ci/oom-storm-concurrency-fix

fix/chat-upload-ssot-100mb-1520

feat/provisioner-inject-gitea-credential-helper

sre/fix-remaining-scheduled-cancel-in-progress

fix/user-message-role-1514

sre/fix-gate-check-cancel-in-progress

sre/fix-ci-drift-false-positive-and-queue-limit

ci-retry-noop

test/plugin-listing-coverage-1488

infra/canvas-ci-retry-20260518145806

fix/json5-comments-manifest-1496

test/canvas-hook-coverage

feat/canvas-agent-abilities-toggle

fix/sop-tier-check-secrets-read-v2

fix/canvas-configtab-wcag-alert-v2

fix/canvas-configtab-wcag-alert

fix/sop-tier-check-secrets-read

fix/ci-sop-tier-check-secrets-read

fix/runtime-registry-manifest-v2

test/runtime-provision-timeouts-coverage

fix/sev1-secrets-read-v2

fix/sev1-missing-secrets-read-perms

test/canvas-secret-formats-coverage

test/canvas-hook-tests

test/canvas-theme-ts-coverage

feat/canvas-agent-abilities-toggles

test/canvas-theme-lib-coverage

fix/runtime-registry-json5-comment

fix/ws-server-188-failclosed-template-runtime

test/plugins-listing-coverage

fix/issue-1480-manifest-json5

fix/review-check-wrong-event-string-diagnostic

test/workspace-abilities-name-coverage

ci-fix-main-runtime-secret-scan

fix/secret-scan-exclude-secrets-detector-test-fixtures

fix/secrets-read-qa-security-main

fix/secrets-read-qa-security-workflows

test/workspace-broadcast-coverage

fix/1473-bp-all-required-suffix

infra/secrets-read-qa-security-main-fix

fix/pr1450-staging-main-conflict

fix/issue-1420-actionable-errors

fix/issue-228-user-message-fanout

design/externalconnectmodal-a11y

fix/tabs-error-aria-alert

fix/settings-a11y-fixes

fix/canvas-errors-aria-alert

fix/canvas-loading-aria-live

feat/handler-admin-test-token

sre/fix-scheduled-workflow-cancel-in-progress

feat/handler-test-abilities-and-sources

fix/handlers-plugin-listing-tests

fix/tabs-a11y-scattered

runtime/port-identity-tools-staging

runtime/fix-merge-queue-cancel-in-progress

fix/canvas-misc-wcag-fixes

infra/quirks-789-fills

infra/queue-runbook-updates

design/skills-accessibility-v2

design/skills-a11y-followup

fix/a2a-delegation-detached-ctx-canceled-internal-497

fix/secrets-honest-ui-491-490

design/mobile-comms-a11y

design/mobile-chat-a11y

test/org-import-pure-funcs

fix/mcp-tools-sql-fix

fix/delegation-list-shows-both-directions

design/mobile-tabbar-a11y

feat/mobile-tabbar-a11y

fix/mobile-ios-focus-zoom

fix/mobile-canvas-render-parity

ci/arm64-advisory-mac-offload-pilot

fix/canvas-user-message-cross-session-fanout

test/a2a-proxy-pure-coverage

fix/mobile-focus-visible-rings

fix/external-workspace-progress-feedback

fix/canvas-mobile-ws-wake-resume

fix/mobile-chat-input-ios-focus-zoom

test/org-helpers-coverage

ci/timing-test-hygiene-host-load-internal

fix/setup-node-pin-corrupt-1432

fix/ci-required-drift-polling-sentinel

fix/issue212-actionable-agent-error-reason

runtime/fix-api03-test-fixture

test/traces-list-http-coverage

runtime/fix-test-fixture-v3

runtime/fix-test-fixture-on-1420

fix/queue-status-sort

runtime/fix-test-fixture-secret-scan-false-positive

test/workspace-abilities-coverage-20260517

fix/sop-engineers-main

fix/queue-merge-permanent-error

fix/delegations-list-deduplication

fix/canvas-npm-ci

fix/sop-staging-engineers-backport

offsec-015-staging-v2

fix/queue-skip-permanent-merge-error

design/settings-button-focus-v2

test/coverage-broadcast-listing-20260517

fix/workspace-tokens-global-sentinel-500

fix/sop-workflow-secrets-read

design/secrets-accessibility-fix

test/coverage-abilities-design-tokens-20260517

design/agentcomms-focus-visible

design/skills-aria-accessibility

infra/action-sha-pin-e2e-chat

fix/sop-checklist-na-gate-probe-bug

test/coverage-2026-05-17

fix/queue-merge-error-surfacing-v2

test/all-coverage-v5

fix/settings-panel-focus-visible

sre/ci-coldrunner-main-fix

fix/skills-tab-focus-visible

test/all-coverage-v4

test/all-coverage-v3

fix/aria-live-errors-v2

fix/canvas-attachment-focus-visible

fix/queue-merge-error-surfacing

test/all-coverage-v2

fix/app-page-focus-v2

fix/app-page-focus-visible

fix/delete-dialog-focus

fix/sop-checklist-probe-na-gate

test/all-handler-lib-coverage

test/handlers-and-lib-coverage-v2

test/delegation-sweeper-pure-funcs

fix/queue-update-then-wait-loop

fix/workspace-abilities-test-coverage

test/workspace-crud-validators

fix/canvas-user-message-persist-at-ingest

test/handlers-and-lib-coverage

fix/filetree-wcag-icons

fix/mobile-wcag-focus-visible

sre/pr1381-retrigger

infra/add-missing-workflow-concurrency

infra/scheduled-workflow-cancel-in-progress

fix/canvas-wcag-focus-visible-2

ci/twine-verbose-403-reason-body

test/handlers-and-theme-coverage

fix/ci-required-drift-skip-f1

fix/sop-checklist-na-declarations

test/workspace-abilities-and-theme

test/plugins-sources-and-theme

sre/comment-dispatch-consolidation-v2

chore/remove-crewai-deepagents-gemini-cli

test/workspace-broadcast-handler

test/workspace-abilities-patch

fix/inbox-self-echo

feat/test-status-config-constants

feat/test-plugins-install-handlers

test/local-provisioner-token-ownership-parity

infra/internal-462-publish-deploy-lane

fix/staging-sync-persist-fix

feat/broadcast-coverage

feat/plugins-listing-and-sources-coverage

__disk-test-137017

fix/main-red-watchdog-close-on-pending

fix/review-refire-comments-token-scope

feat/canvas-abilities-banner-test

pr-1307

staging-dev-lead-test-4107230

feat/workspace-abilities-test-coverage

ci/scheduled-cancel-in-progress-1357

feat/broadcast-test-coverage

fix/a2a-queue-status-coverage

pr-1351

ci/e2e-peer-visibility-bp-pending-1296

ci/e2e-peer-visibility-bp-required-1328

fix/review-refire-conflict

sre/consolidated-main-to-staging

fix/org-helpers-duplicate-comment

fix/a2a-self-delegation-echo-inbox

perf/canvas-favicon-shrink

perf/canvas-toolbar-logo-shrink

perf/canvas-bundle-analyzer-optimize-imports

fix/offsec-015-staging

fix/workspace-token-injection-agent-owned

ci/sop-checklist-narrow-issue-comment-trigger

fix/broadcast-handler-coverage-1343

fix/test-patchAbilities-toolbar-1313-1334

docs/gitea-actions-quirks-runbook

fix/1256-enable-button-focus-ring

pr-1327

feat/workspace-sizing-override

test/canvas/Toolbar-a11y

fix/sop-checklist-na-post

canvas/broadcast-chat-wcag

fix/test-matchesChatID-1304

test/canvas/FileTree-render-a11y

test/canvas/ChatTab-subtab-a11y

test/canvas/SidePanel-a11y-and-state

enforce/peer-visibility-bp-directive-1296

infra/main-ci-retrigger

sre/queue-api-fix

fix/handlers-untested-helpers-2026-05-16

sre/sop-na-fix

promote/staging-to-main

infra/detect-changes-shallow-v2

feat/publish-lane-runs-on-394

test/canvas/FilesToolbar-a11y

fix/workspace-abilities-coverage-1312

fix/sop-checklist-merged-blank-line

fix/e2e-chat-setup-node-mirror-sha

e2e/peer-visibility-local-backend

fix/channels-matchesChatID-tests

fix/secrets-coverage-compile-err-1274

e2e/peer-visibility-mcp-gate

fix/e2e-chat-setup-node-mirror

fix/canvas-arrangeChildren-coverage

sre/fix-queue-null-created-at-sort

fix/sop-checklist-blank-line-detect

fix/a2a-proxy-test-async-drain

fix/handlers-admin-delegations-coverage

sre/platform-go-timeout-60m

infra/sop-tier-check-token-guard

fix/handlers-test-async-drain

fix/gate-check-login-aliases

fix/secrets-scan-test-fixture-exclusion

fix/secrets-coverage-tests-v2

fix/ci-concurrency-cancel-superseded-storm

fix/secret-scan-exclude-secrets-tests

fix/secrets-patterns-100pct-coverage

fix/secrets-100-coverage

standalone/review-check-403-fix

feat/files-agent-home-stub

feat/agent-home-docker-exec-internal-425-phase-2b

sre/secret-scan-timeout

feat/canvas-files-agent-home-internal-425-phase-3

fix/top-level-modules-add-a2a-tools-identity

feat/secrets-patterns-ssot-internal-425-phase-2a

stub/files-api-agent-home-root-2026-05-15

fix/sop-n-a-v2

fix/files-api-agent-home-stub

be/workspace-server-accumulated-fixes

fix/sop-n-a-clean

fix/workspace-server-healthcheck

design/themetoggle-test-teardown-fix

feat/canvas-growParentsToFitChildren-coverage

fix/openclaw-skip-config-write-and-canvas-timeout-to-main

feat/agent-card-update-and-runtime-identity-tools-relocated

fix/openclaw-skip-config-write-and-canvas-timeout

fix/prod-auto-deploy-timeout

feat/chat-unify-clean

fix/autobump-skip-existing-tags

fix/issue-1187-broadcast-abilities-coverage

fix/runtime-autobump-next-free-tag

pr-1211

feat/queue-status-abilities-handler-tests

fix/queue-channels-coverage

infra-sre/golangci-lint-connectivity-fix

infra/main-sop-na-fix

fix/staging-golangci-30m-v2

fix/scheduler-coverage-gaps

fix/channels-rows-err-and-cwe312

fix/container-name-no-uuid-truncation

fix/staging-golangci-noconfig

fix/provider-base-url-fallback

fix/provisioner-uuid-no-truncate

fix/queue-label-filter-all-ids

fix/review-check-403-skip

fix/ki-010-container-name-truncation

fix/provisioner-no-uuid-truncation

fix/issue-1176-db-db-race

fix/channels-rows-err

test/issue-1156-messaging-coverage

sre/fix-test-sop-parse-directives

infra/staging-sop-na-fix

test/workspace-adapter-base-coverage

sre/fix-sop-test-parse-directives

fix/pr-1070-push-tokens

test/push-package-coverage

hotfix/offsec-015-org-isolation

infra/sop-n-a-plus-drift-fix

fix/issue-1183-settingspanel-act-wrap

pr-1185-current

infra/main-golangci-no-config

test/qa-broadcast-abilities-coverage

fix/delegations-list-endpoint-wrong-column

core-be/fix/platform-go-timeout

fix/issue-1152-delegation-activity-db-err-tests

core-be/fix/tokens-rate-limit-scan-err-v2

fix/handlers-rows-err-missing

infra/canvas-deploy-reminder-polling-list

fix/staging-ci-timeouts

fix/settingspanel-act-flush

fix/rows-err-instructions-resolve

fix/ci-cold-runner-timeout

fix/issue-1171-rows-err-memory-events-channels

fix/sentinel-remove-phas3-masked

infra/fix-all-required-combined-status-check

pr1165-rebase

fix/approvals-json-marshal-guard

feat/canvas-broadcast-handler

sre/fix-ci-drift-false-positive

sre/fix-queue-remove-label-bug

infra/workspace-server-healthcheck

fix/ci-drift-canvas-deploy-reminder

fix/offsec-015-broadcast-org-isolation

fix/delegation-list-callee-plus-golangci-lint

sre/fix-queue-gate-context

core-be/test/delegate-record-db-errors-v2

test/delegate-record-db-errors

fix/tokens-rate-limit-scan-err

pr-1117

pr-1117-latest

infra/staging-golangci-no-config

fix/openclaw-molecule-mcp-version-pin

offsec015

fix/openclaw-mcp-version-check

feat/provider-routing-base-v2

feat/e2e-chat-stabilization

fix/sop-concurrency-throttle

p1102

p1117

fix/canvas-deploy-reminder-deadlock

infra/main-golangci-timeout-fix

feat/provider-routing-base

sre/sweep-cf-orphans-aws-timeout

sre/queue-merge-conflict-handling

fix/na-declarations-gate

fix/stdio-clean

fix/handlers-log-db-scan-errors

fix/channels-marshal-errors

fix/channels-silent-json-errors

sre/channels-unmarshal-errors

sre/queue-pre-receive-hook-fix

sre/ci-timeout-increase

fix/approvals-terminal-db-err-logging

infra/ci-platform-go-timeout-fix

fix/push-notifications

fix/channels-json-unmarshal-guard

fix/main-rows-err-instructions

fix/ci-org-helpers-demorgan

fix/main-test-fix-from-0c152a24

infra-sre/fix-platform-go-test

fix/staging-offsec010-cp-wiring

fix/handlers-instructions-test-bugs

fix/ci-allrequired-needs

fix/staging-goasync-configseed

fix/issue-1080-org-helpers-comment

fix/issue-1081-errors-import

fix/1080-org-helpers-comment-typo

infra-sre/fix-missing-test-imports

fix/offsec-010-wiring

fix/saas-t4-cp-config-seed

fix/offsec-010-clean

fix/offsec-003-boundary-wrapping

fix/offsec-003-escaped-markers-main

fix/mobile-chat-history

fix/staging-CWE-78-rows-err

fix/1062-mobilechat-history

hotfix/cwe-78-staging

fix/stdio-v2

fix/offsec-010-symlink-walkdir

fix/test-stdio-function-name

fix/offsec-010-symlink-walkdir-isSaaS-fix

sre/fix-stale-platform-server-port

fix/offsec-010-from-pr1047

staging-v6

fix/e2e-api-port-collision

fix/main-async-db-race

infra/sync-staging-v6-to-main

pr/1030

fix/handlers-instructions-test-compile

fix/instructions-test-compile

fix/openclaw-empty-required-keys

sre/main-rows-err-checks

fix/staging-v6-conflict-markers

fix/delegation-list-test-conflict-marker

fix/main-red-cdb0b040-ci-tests

fix/theme-toggle-selector-main-red

sre/ci-required-drift-canvas-reminder-skip

test/instructions-handler-coverage

sre/canvas-build-timeout

test/externalconnectmodal

fix/resolve-conflict-marker-delegation-list-test

fix/1008-themetoggle-css-selector

design/826-searchdialog-mount-v2

test/orgcancelbutton

fix/2088-themetoggle-queryselectorall-errors

design/704-tree-test-fix

fix/ci-required-drift-github-ref-skip

ci/975-db-pollution-fix

fix/968-remove-duplicate-test-declarations

fix/980-schedules-handler-test-coverage

design/tier-legend-contrast-2026-05-14

sre/platform-go-timeout-fix

fix/delegation-list-test-db-leak

fix/984-delegation-id-response-body

sre/queue-bot-fix-ctx-check

fix/983-remove-duplicate-test-declarations

fix/986-canvas-wcag-focus-rings

fix/993-agent-handler-test-coverage

design/wcag-focus-contrast-2026-05-14

design/wcag-focus-rings-round5-2026-05-14

fix/activity-logs-delegation-id-response-body

fix/982-expand-posix-identifier-guard

fix/test-offsec003-redundant-file

feat/976-schedules-handler-test-coverage

fix/org-helpers-test-panic

promote/main-to-staging-v5

fix/965-test-panic-resolveInsideRoot

promote/main-to-staging-v4

feat/delegation-list-tests

fix/test-a2a-sanitization-v3

promote/main-to-staging-v3

fix/duplicate-test-declarations

feat/org-helpers-security-tests

fix/main-push-operational-red

promote/main-to-staging-v2

fix-sop-concurrency-v2

fix/sop-checklist-gate-name

fix/docker-info-pipefail

fix/publish-healthcheck-pipefail

fix/sop-checklist-workflow-rename

promote/main-to-staging

sre/fix-sop-checklist-context-name-mc948

design/wcag-contrast-round4-2026-05-14

fix/org-helper-tests

fix/test-a2a-sanitization-main

fix/publish-image-on-every-main-push

fix/remove-canvas-reminder-from-all-required

fix/staging-integration-test-ctx

fix/staging-canvas-reminder-deadlock

design/wcag-a11y-round3-2026-05-14

ci/remove-canvas-reminder-from-all-required

fix/test-a2a-sanitization-assertions

fix/staging-ci-drift-canvas-reminder

fix/handlers-pg-integ-event-before

ci/platform-build-flip-coe

fix/staging-python-test-and-tier-check-lint

fix/offsec-006-slug-injection

runtime/fix-pr916-integration-test-ctx

design/chat-tab-wcag-contrast-2026-05-14

fix/offsec-006-slug-validation

design/wcag-contrast-fixes-2026-05-14

fix/904-handler-test-blockers

fix/ci-drift-canvas-reminder

fix/comment-trigger-storm

infra/660-codify-promote-tenant-image

fix/917-canvas-test-failures

fix/917-runtime-prbuild-detect-changes-fix

fix/filesTab-test-stale-reference

fix/files-tab-test-missing-helper

fix/runtime-prbuild-compat-detect-changes

fix/staging-test-compilation-fixes

fix/qa-review-token-fallback-v2

test/hydrate-canvas-coverage

fix/contextmenu-react-error-185

test/external-runtimes-coverage

fix/main-sqlmock-import-ineffassign-20260513

fix/redeploy-tenants-on-main-lint-cleanup

sre/docker-daemon-gate-fix

fix/897-listdelegations-use-ledger-table

fix/901-listdelegations-ledger-table

fix/core-main-handlers-hotfix

fix/e2e-api-platform-port

fix/main-green-monitor-status

fix/mobile-MobileChat-infinite-render

fix/delegations-ledger-fallback-rows-err

fix/874-extractmessagetext-clean

feat/881-untested-helpers

fix/874-extractmessagetext-bug

fix/status-reaper-api-timeout-retry-20260513130514

fix/831-admin-token-placeholder-bootstrap

feat/canvas-test-coverage-738

feat/files-tab-tree-coverage

feat/canvas-untested-components-coverage

feat/canvas-tab-test-coverage-2

fix/main-bundle-test-sqlmock-import

fix/stdio-fallback-all-environments

staging-sync-v3

ci/burn-in-remove-sop-tier-check-coe

fix/issue-860-delivery-mode-tests

design/approval-banner-emerald-fix

fix/issue-854-termsgate-a11y

fix/issue-859-wcag-contrast

fix/delegations-rows-err-bbc40cb8

design/approvalbanner-a11y

design/pricingtable-a11y

design/toolbar-help-toggle-fix

staging-sync-v2

fix/canvas-approvalbanner-a11y

feat/canvas-external-connect-modal-coverage

staging-sync-rm

fix/test-sanitize-agent-error-stderr

test/a2a-queue-extractExpiresInSeconds

fix/pr-829-test-issues

design/826-searchdialog-mount

fix/chat-createMessage-attachments-key

fix/762-recall-memory-canary

fix/367-a2a-tools-coverage-v2

feat/search-dialog-mount

feat/org-layout-test-coverage

fix/offsec-003-builtin-a2a-sanitize

fix/canvas-playwright-install-timeout

fix/805-audit-force-merge-main-required-checks

fix/cf-sweep-api-error

fix/e2e-diagnose-detail

fix/a2a-mcp-server-http-transport

fix/core-main-red-golangci-install

fix/test-declarations

fix/sop-checklist-body-hard-gate

merge-792

feat/mcp-tools-test-coverage

feat/workspace-crud-test-coverage

feat/socket-handler-test-coverage

fix/686-delegation-integration-tests

feat/a2a-proxy-helpers-test-coverage

fix/publish-canvas-disable-gha-cache-20260512

fix/publish-canvas-docker-probe-20260512

fix/canvas-image-ecr-20260512

fix/687-send-ssh-public-key-detail

feat/tier-2g-required-context-exists-in-bp

feat/tier-2f-bp-emit-match

fix/mc-664-class-2-mcp-offsec-contract-test

fix/main-ci-green-20260512

infra/dockerfile-add-docker-cli-for-local-build

test/workspace-crud-helpers-coverage

fix/681-recallmemory-offsec-contract

fix/org-layout-helpers-test-coverage

fix/735-extractResponseText-tests

test/713-workspace-crud-validators

test/713-org-helpers-pure-coverage

fix/713-eic-diagnose-detail

fix/730-filterpeers-nil-guard

infra/all-required-coe-false-v2

fix/phase3-tracker-comments

fix/mc-664-class-1-delegation-tests-postgres-integration

fix/canvas-keyboard-shortcuts-dialog-guard

infra/664-lint-coe-trackers

ci/lint-tracker-regex-fix-v2

fix/731-nil-guard-filter-peers-by-query

fix/lint-TRACKER_RE-mid-sentence

ci-retrigger-747

feat/709-handler-pure-coverage

fix/697-canvas-geticon-topology

ci/lint-tracker-regex-fix

test/2071-canvas-drop-target-badge-coverage

feat/2071-canvas-orgdeploystate-coverage

feat/mobile-canvas-comms-spawn-coverage

ci/lint-coe-self-fix

fix/ssm-refresh-ecr-auth-json-escaping

design/729-fix

ci/gate-check-v3-permissions-fix

fix/730-discovery-filter-nil-role

infra/publish-docker-daemon-diagnostic

fix/714-all-required-coe-false

fix/717-mobile-agentMessages-selector

infra/fix-all-required-status-reporting

fix/687-e2e-surface-diagnose-detail

infra/docker-runner-label

test/701-canvas-hydrate-coverage

test/mobile-primitives-coverage

infra/664-interim-platform-build-exempt

fix/693-offsec-recallmemory-scrub-staging

sync/main-to-staging-514-v2

fix/693-offsec-recallmemory-global-scrub

fix/693-offsec-recallmemory-scrub

fix/634-handler-test-fixes-to-main

test/699-socket-handler-coverage

sre/workflow-run-replacement

infra/676-ssm-auth-json-hardening

fix/offsec-001-method-scrub-hotfix

fix/offsec-001-method-scrub-main

feat/workspace-crud-validation-tests

test/canvas-hydrate-coverage

infra/lint-pre-flip-continue-on-error

fix/workflow_run-to-push-gitea-1.22.6

feat/tier-2e-tracking-issue

fix/684-offsec-scrub-method-default

feat/sop-checklist-gate-mvp

feat/tier-2d-lint-mask-pr-atomicity

infra/lint-workflow-yaml-hostile-shapes

infra/lint-required-no-paths-filter

cleanup/pr-641-clean

feat/mobile-tabbar-wcag-a11y

fix/canvas-mobile-chat-loop

fix/651-canvas-chat-mobile-crash

fix/664-interim-remask-platform-build

fix/mobile-chat-max-update-depth

infra/622-force-merge-protection-fix

test/attachment-lightbox-clean-v2

ci/652-gitea-1-22-status-key

test/memorytab-2

infra/status-reaper-rev4-status-key-fix

infra/weekly-platform-go-vet-hard

fix/audit-force-merge-pipefail

infra/status-reaper-rev3-widen-window

test/canvas-externalconnectmodal-coverage

fix/sop-tier-check-token-graceful

infra/ci-required-drift-token-scope

test/console-modal-coverage

ci/review-check-tests-wire

test/canvas-workspacenode-coverage

test/memorytab

infra/interim-disable-reaper-watchdog-crons

test/attachment-lightbox-coverage

fix/issue-639-workspacenode-test-coverage

test/channels-tab

fix/canvas-searchdialog-test-fixtures

fix/598-attachmentLightbox-tests

fix/529-307-localbuild-async-test-fix

fix/582-attachmentviews-tests

fix/308-a2a-response-push-mode-tests

fix/529-preflight-localbuild

fix/sop-tier-check-token-graceful-staging

fix/545-approvalbanner-isolation

fix/519-memorytab-tests

infra/status-reaper-rev2-sweep-recent-commits

fix/handlers-test-fixtures

test/skill-helpers-coverage

test/ui-primitive-coverage

docs/gitea-quirks-10-11

test/platform-bundle-exporter-coverage

infra/status-reaper-rev1-drop-concurrency

fix/608-filesTab-focusTest

test/budget-section-coverage

infra/revert-docker-runner-label

fix/weekly-platform-go-latent-error-surface

infra/revert-publish-runs-on-pin

sre/gate-check-timeout

test/a2a-error-hint-coverage

test/chat-attachment-views-coverage

test/attachment-video-coverage

infra/option-b-status-reaper

infra/gate-check-v3-timeout

infra/576-docker-runner-label

fix/593-filetab-tests

test/files-tab-notavailablepanel-coverage

fix/591-forminputs-tests

fix/471-cwe117-stderr-scrubbing

infra/diagnostic-publish-workspace-server-image

fix/582-bundle-import-tests

test/form-inputs-coverage

fix/publish-workspace-server-image-json5-comments

sre/fix-all-required-null-result

fix/publish-workspace-server-image-optional-token

pr-251

test/ui-statusbadge-coverage

fix/all-required-null-result-assertion

fix/568-palette-context-tests

pr-527

infra/merge-563-autobump-fix

test/mobile-palette-context-coverage

sre/fix-gate-check-v3-combined-state-loop

ci/540-review-check-bats-tests

fix/publish-runtime-autobump-push-condition

ci/558-verify-publish-runtime-marker

test/canvas-empty-state-coverage

infra/publish-runtime-verify-2026-05-11

ci/554-oci-labels-publish-workflow

infra/drift-bot-token

infra/rfc-219-phase-4-all-required-sentinel

ci/551-gate-checkout-trusted-ref

fix/gate-check-v3-pr-HEAD-security

fix/541-token-argv-security

sre/fix-gate-check-v3-bugs

fix/537-cwe117-a2a-tools-sanitize

fix/gate-check-v3-http-error-crash

sre/fix-localbuild-preflight

infra/rfc-324-workflow-add

test/offsec-003-sanitization-backstop

fix/test-sanitize-agent-error-stderr-exc

fix/approval-banner-test-isolation

infra/scope-workflows-fix

sre/fix-pr530-deadlock

sre/reopen-516-gate-check-fix

fix/ci-scope-operational-workflows-504-419

sre/scope-operational-workflows-to-schedule

ci/harness-replays-detect-changes-quoting-fix

fix/test-blocks-until-inflight-completes

fix/test-enrich-peer-metadata-nonblocking

sre/fix-enrich-nonblocking-cache-check

merge-pr490

runtime/fix-offsec-003-tool-delegate-task

fix/508-update-boundary-assertions

sre/fix-test-delegation-sync-polling-assertions

fix/366-shared-runtime-coverage

fix/506-unused-imports

ci/lint-fixes

fix/367-a2a-tools-coverage

test/a2a-client-enrich-peer-rebase

fix/354-delegation-auto-resume-rebase

ci/fix-detect-changes-commits-array

fix/307-async-rebase

runtime/fix-harness-replays-push-event

sre/fix-test-polling-sanitization

fix/harness-replays-detect-changes-gitea-api

ci/fix-test-polling-sanitization

test/eventstab

runtime/335-rebase-platfrom-url

hotfix/491-offsec-003-staging-v2

fix/pr477-test-fixes

runtime/335-rebase-platform-url

fix/354-auto-resume-delegations

fix/368-audit-hooks-coverage

runtime/temporal-platform-url-fix

infra/secret-reconciliation-v2

fix/purchase-success-modal-test-isolation

pr-476

sre/fix-gitea-runbook-network-quirks

tools/gate-check-v3

fix/376-activity-delegation-polling

runtime/platform-url-fix-merge

fix/canvas-purchase-success-modal-test-timing

fix/secret-naming-reconciliation

docs/gitea-operational-quirks-runbook

test/canvas-toolbar-coverage

fix/canvas-tier-config-v2

fix/455-offsec003-sanitize-alignment

fix/sweep-stale-e2e-orgs-secret-name

fix/approvalbanner-mockreset-452

fix/canvas-approvalbanner-mockreset

fix/publish-runtime-autobump-fetch-depth

fix/321-cwe22-loadWorkspaceEnv-path-traversal

fix/canonicalize-staging-admin-token-rebase-462

canvas-followup

fix/canonicalize-staging-admin-token-rest

refactor/drop-canary-prefix

fix/canvas-test-and-design-fixes

runtime/432-followup-helper-extraction

fix/harness-replays-detect-changes-fetch-depth

fix/stderr-include-a2a-error-response

feat/internal-292-sop-tier-refire

docs/update-remote-agent-tutorial-sdk-api

fix/canvas-confirm-dialog-backdrop-a11y-v3

fix/canvas-confirm-dialog-backdrop-a11y-v2

fix/388-github-token-501-gitea-staging

fix/dialog-backdrop-a11y

runtime/414-idle-loop-skip-pending-results-v3

fix/test-extract-tool-trace

fix/test-plugins-atomic-tar-coverage

fix/harness-replays-fetch-depth

fix/test-instructions-handler-coverage

sre/fix-workflow-secret-naming

fix/canvas-tiers-config-string-keys

fix/offsec-003-promote-to-main

fix/class-e-secret-name-reconciliation

fix/sop-tier-check-apt-get-first

fix/307-async-test-pollution

fix/sop-tier-check-jq-install-order

fix/canvas-test-failures-2026-05-10

runtime/fix-a2a-tools-duplicate-error-block-v2

infra/sop-tier-check-jq-install-fix

runtime/fix-a2a-push-delivery-mode

feat/main-never-red-watchdog-internal-420

feat/internal-219-phase-2bc-port-to-molecule-core

fix/a11y-canvas-clean

sweep/internal-219-cat-C1-port-gates-lints

sweep/internal-219-cat-B-delete-github-only

sweep/internal-219-cat-A-delete-mirrored

fix/offsec-003-json-endpoint-sanitize

sweep/internal-219-cat-C3-port-deploy-janitors

sweep/internal-219-cat-C2-port-e2e

fix/publish-runtime-cascade-sha-capture

feat/internal-219-phase-3-port-ci-yml

fix/413-a2a-delegation-offsec-003

runtime/381-idle-loop-pending-messages

fix/delegations-rows-err-check

fix/a11y-canvas-buttons-staging

runtime/fix-399-a2a-delegation-missing-import-v2

fix/380-cwe59-symlink-traversal

fix/388-github-token-501-staging

fix/confirm-dialog-wcag-backdrop

infra/sop-tier-check-jq-script-fallback

fix/revert-391-broken-jq-install

fix/a2a-tools-duplicate-dead-code

fix/confirm-dialog-backdrop

fix/canvas-confirm-dialog-backdrop-a11y

infra/jq-install-main

fix/sop-tier-check-jq-main

fix/canvas-dialog-backdrop-a11y

fix/388-github-token-501

runtime/offsec-003-polling-path-v2

fix/361-sanitize-delegation-results

runtime/offsec-003-executor-sanitize

fix/cwe22-loadWorkspaceEnv-main

fix/qa-audit-307-308-clean

ci/fix-293-sqlalchemy-pip-install

fix/354-delegation-auto-resume

runtime/platform-url-host-docker-internal

fix/canvas-repair-tests-344

fix/canvas-statusdot-ts-errors

test/molecule-audit-hooks-coverage

test/a2a-tools-and-send-message-coverage

fix/sop-tier-check-jq-install

test/shared-runtime-helpers-coverage

fix/canvas-topology-sort-orphan

fix/executor-helpers-offsec-003-sanitize

runtime/offsec-003-polling-path

fix/354-a2a-delegation-auto-resume

runtime/fix-a2a-push-delivery-mode-v2

fix/publish-runtime-add-_sanitize_a2a-to-allowlist

fix/publish-runtime-missing-working-directory

ci/add-sqlalchemy-to-pip-install

ci-resolve-github-gitea-triplicate

sre/offsec-003-boundary-escape

fix/sec-321-path-traversal-clean

fix/a2a-proxy-response-header-timeout-v2

fix/publish-runtime-workflow-dispatch-inputs

fix/a2a-push-mode-queue-envelope

fix/351-split-publish-runtime-triggers

feat/348-publish-runtime-restore-path-trigger

fix/issue-workspace-dup-name-409-autosuffix

fix/security-OFFSEC003-boundary-escape-334

fix/security-CWE22-loadWorkspaceEnv-330

fix/canvas-test-fixes-20260510

fix/canvas-extractMessageText

fix/qa-307-async-pollution-direct

test/a2a-client-enrich-peer-metadata

fix/docs-309-remote-faq-staging-env

fix/qa-308-push-mode-queue-tests

fix/qa-307-async-pollution

runtime/fix-plugin-registry-import-path

fix/a2a-proxy-response-header-timeout-clean

fix/publish-workspace-server-ci-clone-manifest-retry-main

infra/remove-pr303-tracking

fix/issue-296-plugin-registry-sysmodules

infra/pin-compose-image-digests

chore/sync-main-to-staging

fix/sec-321-path-traversal

fix/a2a-proxy-response-header-timeout

docs/a11y-billing-wcag-patterns

fix/qa-307-test-a2a-inbox-wrappers-asyncio-refactor

runtime/fix-test-config-model-isolation

ci/docker-daemon-health-guard

docs/fix-remote-workspaces-faq

fix/publish-workspace-server-ci-clone-manifest-retry

fix/test-config-env-isolation

ci/staging-sha-pinning

fix/external-connection-user-facing-urls

fix/workspace-server-registry-config-helper

fix/issue-272-sqlalchemy-ci-install

fix/canvas-yaml-utils-nested-arrays-clean

fix/self-delegation-guard

promote/staging-to-main-100546

fix/a2a-tools-v2

fix/a2a-tools-and-workflow-cleanup

fix/canvas-test-isolation-fixes-v2

fix/molecule-model-env-go

runtime/fix-delegate-empty-parts-regression

infra/runtime-doc-playwright-limitation

fix/offsec-001-error-message-scrubbing

fix/offsec-001

fix/a2a-tools-string-error-handling-clean

fix/core-248-pluginresolver-and-plgh

infra/fix-source-resolver-dup

fix/model-provider-misnomer

fix/a2a-tools-string-error-handling-v2

fix/canvas-yaml-utils-test-failure

fix/a2a-tools-string-error-handling

fix/internal-214-gosum-vanity-import

fix/canvas-test-isolation-fixes

chore/canvas-statusbadge-test-fix-cherry-pick

fix/canvas-statusbadge-test-role-ambiguity

runtime/fix-mcp-client-localhost-default

fix/core-257-delegation-test-stray-brace

revert/core-d0126662-restart-signals-undefined-h

revert/core-123-plugin-drift-detector

ci/pin-action-and-base-images

fix/org-232-per-workspace-required-env-preflight

fix/ssrf-guard-before-begintx

test/issue-232-per-workspace-required-env-preflight

fix/issue232-org-import-required-env-aggregation

fix/canvas-ts-test-errors

fix/delegations-list-ledger-fallback

wip-snapshot-2026-05-10/mac/molecule-core-tmp53-git-token-helper-wip

wip-snapshot-2026-05-10/mac/molecules-org-molecule-core-registry-prefix

fix/pluginresolver-conflict

wip-snapshot-2026-05-10/core-be/fix-pluginresolver-conflict

wip-snapshot-2026-05-10/core-qa/stash-package-lock-diff

feat/keyboard-shortcuts-dialog

wip-snapshot-2026-05-10/core-uiux/feat-keyboard-shortcuts-dialog

wip-snapshot-2026-05-10/core-fe/test-canvas-design-tokens-config

test/canvas-cssvar-tests

fix/internal-229-sop-tier-check-tier-low-relaxation

test/canvas-utility-pure-tests

test/canvas-preflight-utils-tests

test/canvas-runtimeprofiles-tests

test/canvas-yaml-utils-tests

test/canvas-pure-function-tests

fix/ci-port-publish-workspace-server-image-228

fix/ssrf-validate-agent-url-212

ci/sop-tier-check-approver-teams-fix

fix/sop-tier-check-legacy-flip-229

wip-snapshot-2026-05-10/core-be/fix-ki001-telegram-disable-channel

wip-snapshot-2026-05-10/core-be/feat-a2a-pre-restart-drain-125

wip-snapshot-2026-05-10/core-be/feat-plugin-drift-queue-123

fix/sweeper-race-error-counter

infra/fix-issue-75-gh-cli-gitea-sweep

wip-snapshot-2026-05-10/core-be/fix-gh-api-gitea-sweep-75

feat/keyboard-shortcuts-dialog-test

wip-snapshot-2026-05-10/core-be/fix-sweeper-test-isolation-86

ci/fix-issue-87-root-skip

fix/test-local-resolver-root-skip

fix/workspace-tests-clear-auth-cache

wip-snapshot-2026-05-10/core-be/fix-a2a-delegation-success-rendered-as-error

wip-snapshot-2026-05-10/core-be/fix-files-restart-volume-sync

wip-snapshot-2026-05-10/core-lead/tech-debt-rename-net

wip-snapshot-2026-05-10/core-lead/fix-168-mine

wip-snapshot-2026-05-10/core-lead/fix-167-uiux

wip-snapshot-2026-05-10/core-fe/stash-canvas-agent-comms-show-task-text

fix/canvas-agent-comms-show-task-text

wip-snapshot-2026-05-10/core-lead/fix-vitest-pool

fix/info-disclosure-errors

infra/add-temporal-to-main-compose

design/verify-canvas-design-system

fix/workspace-persona-git-identity

fix/175-env-matched-pair-guard

wip-snapshot-2026-05-10/core-lead/fix-149

refactor/sop-tier-check-extract-script

fix/sop-tier-check-pr-target-security

ci/sop-tier-check-deploy

fix/issue53-admin-token-pair-guard

fix/org-import-started-event-name

refactor/delete-uses-cascade-helper

fix/org-import-reconcile-and-audit

fix/preserve-model-secret-on-restart

feat/persona-bind-mount-local-dev

feat/canary-tier-filter

feat/plugin-version-subscription

feat/plugin-hot-reload-classifier

feat/plugin-atomic-install

feat/air-hot-reload-dev

feat/persona-env-injection

fix/external-resolver-hardening

fix/issue75-class-D-gh-api-to-gitea-rest

fix/cherry-3-files-vitest-postgres-e2eapi

fix/promote-vitest-postgres-fixes

fix/saas-plugin-install-eic

fix/issue-94-e2e-api-parallel-safe-class-b

migrate/issue-71-vanity-imports

fix/handlers-postgres-port-collision-class-b

fix/issue-96-canvas-vitest-cold-start-timeout

fix/hermes-agent-doc-gitea-migration

fix/196-retarget-main-to-staging-gitea-rest

fix/gitea-ci-flakes-issue-88

fix/pin-upload-artifact-v3-gitea

fix/issue-72-auto-sync-token-canary-v2

fix/issue75-class-F-gh-run-list-to-statuses

fix/issue75-class-A-gh-pr-to-gitea-rest

feat/issue-63-local-build-from-gitea-v2

fix/195-auto-promote-staging-gitea-rest

fix/144-branch-protection-check-name-parity-audit

fix/harness-replays-pre-clone-manifest

chore/trigger-auto-sync-verification

fix/codeql-stub-on-gitea-156

chore/issue173-retrigger-after-ecr-repo-create

fix/issue173-inline-aws-ecr-login

fix/issue173-shell-docker-push

chore/retrigger-harness-replays-post-class-g

fix/issue173-buildx-driver-and-cache

fix/post-suspension-clone-manifest

fix/issue173-followup-platform-dockerfile

fix/post-suspension-github-urls

fix/170-goroutine-bleed-test-isolation

fix/issue173-publish-workspace-server-image

fix/issue36-a2a-proxy-preflight

fix/codeql-continue-on-error-156

feat/demo-mock-3-bigorg-mock-runtime

feat/demo-mock-1-purchase-success-modal

fix/publish-path-filter-add-scripts

fix/clone-manifest-gitea

chore/touch-publish-workflow-to-trigger

chore/retrigger-publish-post-aws-secrets

chore/cherry-pick-pr23-into-main

chore/backsync-main-into-staging-task-166

fix/auto-sync-use-devops-token

chore/retrigger-staging-on-fixed-runner-image

chore/drop-github-app-auth-and-ecr-swap

docs/readme-comprehensive-refresh-2026-05-06

feat/rfc-2945-pr-c-2-canvas-chat-history

fix/issue10-runtime-aware-plugin-install

fix/s8-bind-loopback-dev

fix/14-cascade-gitea-dispatch

docs/molecule-core-bulk-sed

chore/pin-artifact-actions-v3

fix/lowercase-org-slug

fix/script-ghcr-and-lint-paths

docs/workspace-runtime-readme-source-edit

feat/eic-tunnel-pool-core-11

chore/rfc-2945-pr-c-3-delete-historyhydration

fix/2872-sqlmock-regex-tightening

fix/cp-orphan-sweeper-2989

feat/registry-prefix-env-driven-issue-6

docs/readme-refresh-2026-05-06

runtime-v0.1.1013

runtime-v0.1.1011

runtime-v0.1.1010

runtime-v0.1.1009

runtime-v0.1.1008

runtime-v0.1.1007

runtime-v0.1.1006

runtime-v0.1.1005

runtime-v0.1.1004

runtime-v0.1.1001

runtime-v0.1.1003

runtime-v0.1.1000

runtime-v0.1.131

runtime-v0.1.130

runtime-v1.0.0

runtime-v0.0.35

runtime-v0.0.34

runtime-v0.0.33

runtime-v0.0.32

runtime-v0.0.31

runtime-v0.0.30

runtime-v0.0.29

runtime-v0.0.28

runtime-v0.0.27

runtime-v0.0.26

runtime-v0.0.25

runtime-v0.0.24

runtime-v0.0.23

runtime-v0.0.22

runtime-v0.0.21

runtime-v0.0.20

runtime-v0.0.19

runtime-v0.0.18

runtime-v0.0.17

runtime-v0.0.16

runtime-v0.0.15

runtime-v0.0.14

runtime-v0.0.13

runtime-v0.0.12

runtime-v0.0.11

runtime-v0.0.10

runtime-v0.0.9

runtime-v0.0.8

runtime-v0.0.7

runtime-v0.0.6

runtime-v0.0.5

runtime-v0.0.4

runtime-v0.0.3

runtime-v0.0.2

runtime-v0.0.1

ci-trigger-1776771586

ci-retry-1776771601

ci-retrigger-1776771591

Labels

Clear labels

area/ci

CI/CD pipeline issues

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1687