molecule-ai/molecule-core
52
0
Fork 2
Code Issues 184 Pull Requests 27 Actions 18 Packages Projects Releases Wiki Activity

fix(secrets): log rows.Scan error in restartAllAffectedByGlobalKey #2079

Closed
core-be wants to merge 40 commits from fix/secrets-scan-error-restart into main
pull from: fix/secrets-scan-error-restart
merge into: molecule-ai:main
Conversation 0 Commits 40 Files Changed 46
+3575 -129
core-be commented 2026-06-01 04:59:14 +00:00
Member
Copy Link
Copy Source
No description provided.
core-be added 40 commits 2026-06-01 04:59:15 +00:00
fix(workspace-server): persist poll-mode canvas user message synchronously before queued 200 159b3978c1 
Sibling of #1347/internal#470 — the POLL-mode arm of the canvas
user-message data-loss bug Hongming reported ("i sometimes lose my own
message when i exit chat", 2026-05-16).

Hongming's tenant is entirely poll-mode (4 external workspaces, no URL —
verified empirically: every workspace returns the {delivery_mode:poll,
status:queued} short-circuit envelope), so #1347 (push-mode only,
persists AFTER the poll short-circuit) structurally cannot cover his
reported case. #1347's "poll-mode was never affected" framing is
overstated: logA2AReceiveQueued's durable activity_logs INSERT ran
inside h.goAsync(...) — a detached goroutine with no happens-before
barrier against the synthetic {status:queued} 200. The canvas sees the
send acknowledged while the row may still be racing; a workspace-server
restart / deploy / OOM / EC2 hibernation between the 200 and the
goroutine's commit loses the message permanently (chat-history reads
activity_logs; missing row = message gone on reopen). No fallback
either, unlike push-mode's legacy-INSERT path.

Fix: make the poll-mode ingest persist SYNCHRONOUS — committed before
the queued 200 — on a context.WithoutCancel context (parity with
persistUserMessageAtIngest). Best-effort preserved (LogActivity
logs+swallows INSERT errors, never blocks the send). Post-commit
broadcast still fires inside LogActivity (a missed WS event is not data
loss; the durable row is the truth chat-history re-reads on reopen).

TDD: a2a_poll_ingest_persist_test.go — deterministic RED (queued 200
returned in ~0.5ms, before the 150ms INSERT → DATA LOSS) → GREEN after
fix. Full internal/handlers + internal/messagestore suites green; vet
clean.

Refs: molecule-ai/internal#471 (tracking), molecule-ai/internal#470 (push-mode sibling, PR #1347)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix(handlers): prevent poll-mode sync-persist test from hanging CI b6eecb58d7 
sqlmock.ExpectationsWereMet() hangs indefinitely when the expected INSERT
mock never fires. If the production code ever regresses to goAsync
(pre-fix shape), the handler returns before the INSERT fires, the mock
never fires, and ExpectationsWereMet() blocks for the full test/-suite
timeout — wedging the CI run with no diagnostic.

Fix: check expectations in a goroutine with a 2s hard timeout. When
the mock has fired (synchronous production code), ExpectationsWereMet()
returns <1ms and the select fires the `case err := <-expectDone` arm.
When the mock has NOT fired (async regression), the 2s timeout fires and
the test fails with a clear message instead of hanging.

Also reduce insertDelay from 150ms → 50ms. 50ms is ~50× the normal INSERT
latency and sufficient to prove synchronous blocking; the larger value
was adding unnecessary suite-level wall-clock under -race detection,
where mock delays are amplified by the instrumenter's goroutine overhead.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(runtime+canvas): surface actionable provider error reason instead of opaque "Agent error (Exception)" 44b78e28c8 
internal#212 (P0 from internal#211). When the embedded `claude` CLI emits a
terminal result message with is_error=true (e.g. 403 oauth_org_not_allowed
"Your organization has disabled Claude subscription access · Use an
Anthropic API key instead, or ask your admin to enable access"), the user
saw only `Agent error (Exception) — see workspace logs for details.` — a
dead end (no such logs UI) that discards the exact secret-safe, actionable
text the user needs.

Root cause was a multi-cut loss of the CLI's result/error/api_error_status:

  cut #2  sanitize_agent_error reduced every failure to type(exc).__name__.
          → add a `reason` passthrough: a pre-curated, user-actionable,
            secret-safe explanation is surfaced verbatim (still scrubbed for
            key/token/bearer as a second pass). reason wins over stderr;
            omitting it preserves the prior generic behavior exactly.

  cut #3a workspace-server dropped error_detail from the live
          ACTIVITY_LOGGED websocket broadcast (it was persisted to the DB
          column but never sent), so the canvas had nothing to render.
          → include error_detail in the broadcast payload (already capped
            at 4096 by the runtime's report_activity helper).

  cut #3b canvas useChatSocket hardcoded the opaque string, ignoring even
          the activity summary.
          → render error_detail (fallback: summary, then a generic retry
            hint). The dead "see workspace logs for details." phrase that
            pointed at nonexistent UI is removed (a full logs tab is a
            separate larger follow-up, not this PR — reason-first per CTO).

The runtime-side cut #1 (template-claude-code claude_sdk_executor._run_query
ignoring is_error and the SDK collapsing errors[] to the bare subtype
"success") is fixed in a stacked PR on
molecule-ai-workspace-template-claude-code (depends on this PR's
sanitize_agent_error `reason` kwarg, which ships via the
molecule-ai-workspace-runtime package).

Tests: 4 new sanitize_agent_error reason tests (verbatim surfacing, secret
scrub still applied, reason>stderr precedence, no-reason unchanged). Verified
fail-before / pass-after; full sanitize suite green; no new regressions (the
2 pre-existing test_get_a2a_instructions_mcp failures are unrelated).

Refs: internal#211, internal#212

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
harden(runtime): scrub bare sk-ant keys, JSON-quoted token/apiKey, aws_secret_access_key in _sanitize_for_external 7d2eaa3748 
Addresses internal#212 PR#1420 dual-review SECURITY finding (infra-sre /
infra-runtime-be): _sanitize_for_external missed three real credential
shapes because the legacy regex requires a `[ :=]+` separator after the
prefix:
- bare `sk-ant-api03-…` keys (real key uses `-`, not `[ :=]`)
- JSON-quoted "token"/"apiKey"/"secret"/"password" values
- `aws_secret_access_key=…`

Added three narrowly-scoped regexes (length thresholds tuned so curated
short examples like `sk-ant-EXAMPLE-SHORT` / `ghp_SHORT_TOKEN` and all
actionable auth/quota/HTTP guidance still pass through). Extended the unit
test with test_sanitize_agent_error_reason_scrubs_all_secret_formats
asserting redaction for all three new formats plus the original Bearer
regression. Full sanitize suite green; existing passthrough assertions
unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix(tests)+build: unblock secret scan and Runtime PR-Built on #1420 fb2fd20c9e 
Two CI failures blocking PR #1420:
1. Secret scan: `workspace/tests/test_executor_helpers.py` contains two
   `sk-ant-DEADBEEF...` fixtures matching `sk-ant-[A-Za-z0-9_-]{40,}`.
   Replaced both with PLACEHOLDER_LONG_TOKEN_... (≥40 chars, no sk-ant-
   prefix — scrubber path still exercised).
2. Runtime PR-Built: `workspace/a2a_tools_identity.py` missing from
   TOP_LEVEL_MODULES in scripts/build_runtime_package.py, causing build
   failure with "TOP_LEVEL_MODULES drifted". Added it.

Both fixes verified locally:
- pytest affected tests: 3/3 PASSED
- build_runtime_package.py: builds cleanly

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Merge pull request 'fix(tests)+build: unblock secret scan and Runtime PR-Built on #1420' (#1430) from runtime/fix-test-fixture-v3 into fix/issue212-actionable-agent-error-reason 699b5fb275
fix(tests): replace remaining sk-ant-api03- fixtures with non-matching tokens 335796b0b4 
The secret-scan workflow flags sk-ant-[A-Za-z0-9_-]{40,} patterns.
Two sk-ant-api03-* fixture tokens (47 and 62 chars) were present in
test_sanitize_agent_error_reason_scrubs_all_secret_formats. They were
not replaced by PR #1430 (which only fixed the sk-ant-DEADBEEF* tokens).

Replace with tokens that still exercise the same scrubber paths:

- BARE sk-* case (≥24 chars after "sk-"): use sk-FAKEPLACEHOLDER...
  (53 chars total; starts with "sk-" so the bare-pattern scrubber catches
  it, but lacks "sk-ant-" so the secret-scan pattern does not fire).

- JSON-quoted apiKey value (≥24 chars): use anon_fakefakefake...
  (45 chars; satisfies the JSON-quoted redaction path; does not match
  any secret-scan credential pattern).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Merge pull request 'fix(tests)+build: complete secret-scan fixture cleanup for #1420' (#1431) from runtime/fix-api03-test-fixture into fix/issue212-actionable-agent-error-reason 50dea87a9d
trigger: re-fire CI all-required sentinel (Gitea 1.22.6 skipped-sentinel rerun; no code change) 878e08c7fc 
The CI / all-required sentinel job was never scheduled in the prior
ci.yml run (documented Gitea-1.22/act_runner skipped-sentinel quirk), so
it never posted its terminal status and the required context stayed
pending. Empty-tree commit is the sanctioned 1.22.6 rerun mechanism — it
makes the real sentinel job actually schedule and post its genuine
status. No source change.
fix(canvas-mobile): chat composer font-size to 16px to stop iOS focus-zoom d8c03e9af5 
On the mobile PWA, tapping into the chat input scaled the whole
viewport up. Root cause: iOS Safari/WebKit auto-zooms on focus when
the focused field's effective font-size is < 16px. The mobile chat
composer <textarea> (MobileChat.tsx) used fontSize: 14.5.

Fix is the root-cause one: raise the composer font to 16px. This
suppresses the focus-zoom WITHOUT a maximum-scale / user-scalable
viewport lock, so pinch-to-zoom accessibility is preserved. The app
has no viewport export (Next.js default width=device-width,
initial-scale=1) — intentionally left untouched.

Adds a regression test asserting the composer font-size is >= 16px.
fix(canvas): mobile chat realtime — WS wake-recovery + resume back-fill 31fedd50af 
Root cause: agent chat replies arrive ONLY via live AGENT_MESSAGE /
A2A_RESPONSE WebSocket events (store/socket.ts ReconnectingSocket).
The socket had NO visibilitychange/pageshow/online/focus recovery
anywhere — reconnect was driven solely by ws.onclose. iOS Safari /
Chrome-mobile freeze the page and silently tear the WS down WITHOUT
firing onclose when backgrounded / device-locked; on thaw nothing
re-arms (onclose never ran, interval timers were suspended), so the
socket is dead and every reply during suspension is lost.
store.rehydrate() only re-pulls /workspaces status, not chat, and
useChatHistory fetches DB history mount-only — so missed replies
never back-fill until remount (navigate away+back) or hard refresh.
Desktop never hits this (its onclose fires promptly). Not forked
code: MobileChat and desktop ChatTab share useChatSocket /
useChatHistory; the divergence is purely mobile browser lifecycle.

Fix (shared by desktop + mobile, restores the unified path):
- ReconnectingSocket installs visibilitychange/pageshow/online/focus
  listeners that force a reconnect when the page is foregrounded and
  the socket isn't OPEN/CONNECTING (no-ops on desktop where onclose
  already handled it; SSR-safe via typeof guards).
- On an open that follows a real loss, emit a socket-resume signal.
- useChatHistory subscribes to resume and re-runs loadInitial(), so
  chat threads back-fill the persisted messages missed while frozen —
  exactly what a remount does today, automatically.

Verification: code analysis + 9 new unit tests (socket.test.ts)
simulating background-suspend + visibility/pageshow/online/focus
transitions, asserting reconnect + resume emission + listener
teardown; full canvas suite green (3315 passed, 0 fail); npm run
build green. Mobile real-device confirmation still needed (cannot
be proven without a physical device) — see PR body.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix(canvas): keep "agent is working" indicator alive for external/poll-mode turns 3fd38e6deb 
External / MCP-registered workspaces (delivery_mode=poll, e.g. the
local-Mac orchestrator) have no public URL: POST /workspaces/:id/a2a
short-circuits server-side (a2a_proxy.go:402) and returns a synthetic
{status:"queued", delivery_mode:"poll"} envelope IMMEDIATELY with no
reply. useChatSend treated that as a terminal response and called
releaseSendGuards() → `sending` went false the instant the POST
returned → the ChatTab thinking indicator vanished and the external
turn looked dead, even though the agent had not started. Internal
agents reply on the same synchronous POST so their indicator naturally
holds — that's the whole asymmetry; the transport is shared.

Fix (Tier A, minimal, client-only): detect the synthetic poll envelope
and KEEP `sending` true so the existing internal working-indicator
persists as a "received — agent is working" state. The eventual reply
already flows AgentMessageWriter → AGENT_MESSAGE WS push →
useChatSocket onAgentMessage/onSendComplete → releaseSendGuards, i.e.
the external reply now drives the indicator through the exact same path
an internal async reply uses — no parallel system. A generous 15-min
safety timer surfaces an honest, actionable error instead of an
infinite spinner if an offline poll agent never replies.

Tier B (lifecycle-driven interim progress) and Tier C (tool-call
parity — has an operator-privacy tradeoff, CTO decision required) are
designed in internal RFC external-workspace-canvas-progress-feedback,
not in this PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
test(handlers): add filesystem suite for ListRegistry (plugins_listing.go) b8583ef019 
Tests listRegistryFiltered and ListRegistry endpoint:
  - empty dir → empty list
  - files (non-dirs) → ignored
  - single plugin with plugin.yaml → appears in list
  - runtime filter: claude-code plugin matches, hermes plugin excluded
  - universal plugin (no runtimes field) → always included
  - nonexistent dir → empty list (ReadDir error is non-fatal)
  - HTTP endpoint: GET /plugins → 200 with JSON array

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
test: PatchAbilities handler + resolveWorkspaceName coverage (#1481) 1c61db9042 
Co-authored-by: Molecule AI Fullstack Engineer <fullstack-engineer@agents.moleculesai.app>
Co-committed-by: Molecule AI Fullstack Engineer <fullstack-engineer@agents.moleculesai.app>
test(handlers): add Uninstall 503 coverage for plugins_install.go (closes #1377) (#1378) 3d0d9b1818 
Co-authored-by: Molecule AI Fullstack Engineer <fullstack-engineer@agents.moleculesai.app>
Co-committed-by: Molecule AI Fullstack Engineer <fullstack-engineer@agents.moleculesai.app>
fix(ci): increase Go test timeouts for cold runner performance (#1175) 376f78278d 
Co-authored-by: Molecule AI Core-QA <core-qa@agents.moleculesai.app>
Co-committed-by: Molecule AI Core-QA <core-qa@agents.moleculesai.app>
test(handlers+canvas): BroadcastHandler sqlmock suite + extractAgentText tests (#1475) e84bf3a4c6 
Co-authored-by: Molecule AI Fullstack Engineer <fullstack-engineer@agents.moleculesai.app>
Co-committed-by: Molecule AI Fullstack Engineer <fullstack-engineer@agents.moleculesai.app>
test(canvas): add coverage for useKeyboardShortcut and useSocketEvent hooks e1112880fe 
- useKeyboardShortcut (11 tests): enabled=false, meta/ctrl modifier
  guards, no-modifier guard, key mismatch, count increments, cleanup
  on unmount. Uses renderHook + spy on window.addEventListener +
  direct handler invocation with Object.defineProperty for modifier keys.
- useSocketEvent (3 tests): mount calls subscribeSocketEvents,
  unsubscribe on unmount, called only once on re-renders.
  Uses module-level mock with shared state to avoid vi.mock hoisting.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
test(canvas): add coverage for cssVar in lib/theme.ts bbb7a3f57e 
Tests cssVar() for all 23 ColorToken values, verifies the
returned string is a valid CSS variable format, and confirms
inline style assignment works in the DOM.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
test(canvas): add coverage for ThemeProvider and useTheme d996d7bdce 
Tests theme-provider.tsx via renderHook so useEffect fires before
assertions. Covers: noopTheme fallback, initialTheme init, system
preference resolution, explicit theme override, setTheme state update,
and document.documentElement.dataset.theme sync on mount. matchMedia
stubbed via Object.defineProperty in beforeEach.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
test(canvas): add coverage for useWorkspaceName hook 04b4135741 
Tests the workspace ID→name resolver for known IDs, null input,
nodes without name, empty name fallback, unknown ID fallback,
and useCallback memoization stability across re-renders. Uses
stable reference for mock nodes so deps are stable.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
test(canvas): add coverage for formatAuditRelativeTime 8ba12898d6 
Tests the timestamp formatting helper exported from AuditTrailPanel:
just-now, minutes, hours, days boundaries, and exact boundary cases.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
test(canvas): add coverage for MemoryInspectorPanel helpers cd83022365 
Tests isPluginUnavailableError (MEMORY_PLUGIN_URL detection) and
formatTTL (null/undefined/expired/seconds/minutes/hours/days/invalid).
Uses vi.useFakeTimers + vi.setSystemTime for deterministic TTL tests.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(workspace-server): strip JSON5 // comments from manifest.json before parsing b1fac110f2 
Fixes E2E Chat deterministically failing in CI with
"invalid character '/' after top-level value".

The Integration Tester appends "// Triggered by <job>" to manifest.json
after cloning. Go's json.Unmarshal rejects JSON5-style // comments.
Added stripJSON5Comments() that strips // comments while preserving
URLs with // in them (e.g. https://), then call it before json.Unmarshal
in loadRuntimesFromManifest.

Added 8 new tests covering:
- stripJSON5Comments: standalone comments, trailing comments, URLs
  preserved, inline comments, Integration Tester append, no-op
- loadRuntimesFromManifest: with trailing // comment, with inline //
  comment

Closes #1496

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Merge pull request 'fix(runtime+canvas): surface actionable provider error reason instead of opaque "Agent error (Exception)"' (#1420) from fix/issue212-actionable-agent-error-reason into staging 1fb34aade5
Merge pull request 'fix(canvas-mobile): stop iOS focus-zoom on mobile chat input (16px font)' (#1434) from fix/mobile-chat-input-ios-focus-zoom into staging fe29717b86
Merge pull request 'fix(canvas): keep "agent is working" indicator alive for external/poll-mode turns' (#1437) from fix/external-workspace-progress-feedback into staging d39b1c92c5
fix(chat-upload): SSOT caps + Starlette max_part_size fix (#1520) 098faed185 
Empirically root-caused: workspace/internal_chat_uploads.py:153 called
request.form(max_files=64, max_fields=32) without max_part_size, so
Starlette 1.0's 1 MiB default raised MultiPartException on every
single-part > 1 MiB. The Cloudflare-chunked-encoding hypothesis from
the issue body was source-level disproven (Starlette doesn't read
Content-Length/TE).

Three coupled changes per CTO directive:

1) Single source of truth across Go ws-server + Python workspace
   runtime. The Go-side const chatUploadMaxFileBytes /
   chatUploadMaxBytes are exported at provision time via env vars
   CHAT_UPLOAD_MAX_FILE_BYTES / CHAT_UPLOAD_MAX_TOTAL_BYTES
   (workspace_provision_shared.go::applyChatUploadLimits, defaulting
   layer — pre-set values win). Python module init reads the env;
   unset env keeps the legacy 25 MB / 50 MB defaults so an
   unprovisioned worker doesn't regress.

2) Raise the user-visible ceiling to 100 MB per file + 100 MB total.
   Issue #1520 asked for >= 100 MB; matching per-file = total avoids
   the "fits the total but 413'd on per-file" surprise.

3) Surface the MultiPartException string in the 400 body's `detail`
   field (per feedback_surface_actionable_failure_reason_to_user).
   MultiPartException messages describe shape, not content — no
   secrets — and they tell the user WHY (e.g. "Invalid boundary",
   "Part exceeded maximum size of …"). Bounded at 200 chars.

Tests:
- workspace/tests/test_internal_chat_uploads.py: pin 2 MiB part is now
  accepted (regression for #1520), parse-error 400 includes `detail`,
  total-cap 413 still fires above a per-file pass, env-driven SSOT
  override works, malformed env value falls back to default.
- workspace-server/internal/handlers/chat_upload_limits_test.go: pin
  the env-injection contract (both vars set to byte-stringified Go
  consts, pre-existing values preserved, 100 MB floor invariant).

All 28 Python tests in test_internal_chat_uploads.py pass; full
workspace-server/internal/handlers Go test package passes (14.2s).
Merge pull request 'fix(chat-upload): SSOT caps + Starlette max_part_size fix (#1520)' (#1524) from fix/chat-upload-ssot-100mb-1520 into staging f7abe3c9fc
fix(delegation): emit error_detail alongside error in /delegations rows (P1 #348) 5d6dccfb18 
The Python poll-mode A2A consumer in a2a_tools_delegation.py:184 reads
`terminal.get("error_detail")` from `/workspaces/:id/delegations` rows,
but the Go listDelegations handlers emitted only `error`. When a
delegation failed, polling silently lost the failure reason and fell
through to the generic "delegation failed" string — leaving the canvas
"FAILED TO DELIVER" surface with no actionable detail.

Both ledger-path (listDelegationsFromLedger) and activity_logs-path
(listDelegationsFromActivityLogs) now emit BOTH keys: `error_detail`
(canonical, what poll-mode reads) and `error` (kept for back-compat
with existing canvas UI consumers).

Regression tests pin both keys for both code paths.

Refs P1 #348, RFC #2829 PR-2 follow-up.
fix(canvas/a2a-hint): route poll-mode budget timeout away from restart anti-pattern (P1 #348) dd3d11c51d 
Per `feedback_surface_actionable_failure_reason_to_user`, an opaque
"workspace restart is the safe first move" prompt is the anti-pattern
when the underlying error is a still-in-flight long-running task —
which is exactly the canonical PM→Researcher codex coordination case
that surfaces "FAILED TO DELIVER" today.

Three improvements:

1. New `polling timeout after`/`check_task_status` pattern, ordered
   ABOVE the generic timeout bucket, routes to a hint that explicitly
   tells the user NOT to restart and to call check_task_status with
   the delegation_id to retrieve the in-flight result.

2. New optional `context.peerKind` parameter. When the caller knows
   the callee is a codex runtime, the empty-detail and generic-timeout
   hints specialise to call out that codex tasks can legitimately
   exceed the 600s sync-proxy budget.

3. The empty-detail branch (the most common "useless hint" path) no
   longer claims "restart is the safe first move" by default — it now
   tells the user to check the callee's Activity tab before restarting.

Existing single-arg callers continue to compile unchanged (context is
optional). Regression test count goes 9 → 17.

Refs P1 #348, feedback_surface_actionable_failure_reason_to_user.
Merge pull request 'fix(delegation): emit error_detail alongside error in /delegations rows (P1 #348)' (#1606) from fix/a2a-error-detail-field-rename into staging 3a1654818c
Merge pull request 'fix(canvas/a2a-hint): route poll-mode budget timeout away from restart anti-pattern (P1 #348)' (#1607) from fix/a2a-error-hint-timeout-class into staging c3ba26ead2
Merge pull request 'test(canvas): add coverage for useKeyboardShortcut, useSocketEvent, cssVar, ThemeProvider, useWorkspaceName, AuditTrailPanel, MemoryInspectorPanel' (#1508) from test/canvas-hook-coverage into staging f3b168b867
Merge pull request 'test(handlers): ListRegistry filesystem suite (plugins_listing.go)' (#1462) from feat/handler-plugins-listing into staging b278623662
fix(both): fan user's own outbound message to all canvas sessions (#228) 5ca1911906 
Adds USER_MESSAGE WebSocket broadcast so a user's own outbound message
appears live on all their other sessions without requiring a manual
refresh.

**Server (Go)**
- New `EventUserMessage` constant in `events/types.go`
- New `extractCanvasUserMessage()` in `a2a_proxy_helpers.go` — parses
  A2A JSON-RPC request body, extracts text parts + file attachments
  from user-role message/send calls
- `logA2ASuccess()` now broadcasts `USER_MESSAGE` when canvas sends a
  message (callerID == "" + method == "message/send" + 2xx)

**Canvas (TypeScript)**
- `useChatSocket`: new `onUserMessage` callback + `USER_MESSAGE` handler
  in the socket event listener
- `ChatTab`: wires `onUserMessage` via `appendMessageDeduped`
- `MobileChat`: same wiring for mobile variant
- New test file: 9 tests covering text/file/text+file/wrong-workspace/
  empty/no-callback/other-events/replay/attachment-filtering cases

**Dedup contract**: the originating session's optimistic insert (useChatSend
step 2) and the incoming USER_MESSAGE broadcast share the same
`appendMessageDeduped` path — within the 3-second window the two collapse
into one bubble, so the user sees exactly one message bubble.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Merge pull request 'fix(workspace-server): strip JSON5 // comments from manifest.json before parsing' (#1510) from fix/json5-comments-manifest-1496 into staging 212471798c
Merge pull request 'fix(canvas): mobile chat realtime — WS wake-recovery + resume back-fill' (#1435) from fix/canvas-mobile-ws-wake-resume into staging 63867d5ea5
Merge pull request 'fix(handlers): sync-persist poll-mode A2A message in staging (internal#471)' (#1375) from fix/staging-sync-persist-fix into staging 7e130daef2
fix(secrets): log rows.Scan error in restartAllAffectedByGlobalKey 5c9bfddcf6 
Previously a scan failure in the affected-workspace query was silently
dropped, meaning the workspace would not be auto-restarted and the
operator would never know. Now the error is logged so DB schema drift
or corrupted rows surface in the logs.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
core-be closed this pull request 2026-06-01 05:03:14 +00:00

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
approved
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 do-not-merge
hold from auto-merge (design review in progress)
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 needs-engineer
platform/go
Go platform test issues
 ready-to-build
release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2079
Delete Branch "fix/secrets-scan-error-restart"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?