dashboard org-key mint broken by the #2579 approval gate — human session must not need agent-grade approval; UI shows raw 400/202; provisioner must project MOLECULE_PLATFORM_WORKSPACE_ID #2593

Open
opened 2026-06-11 16:41:25 +00:00 by core-devops · 0 comments

Live report (agents-team, 2026-06-11 09:37 local): minting an Organization API Key from Settings → Org API Keys fails with the raw error:

```
API POST /org/tokens: 400 {"error":"no approval anchor for this caller class — set MOLECULE_PLATFORM_WORKSPACE_ID for admin-token callers, or call via a session / org-token with a valid org"}
```

This is fallout from #2574→#2579 (org_token_mint approval gate — correct fix, incomplete rollout):

  1. **The dashboard's mint reaches the tenant as the admin-token caller class** (the app/edge calls server-side with `ADMIN_TOKEN`; `orgTokenActor` only detects session via Cookie header, which doesn't survive the proxy hop). So a HUMAN clicking + New Key gets the agent-grade gate.
  2. **No tenant has `MOLECULE_PLATFORM_WORKSPACE_ID` set** — the provisioner never projects it — so the anchor derivation fails → hard 400. I hand-fixed agents-team (env-carry recreate of molecule-tenant with `MOLECULE_PLATFORM_WORKSPACE_ID=<concierge uuidv5>`); verified the gate then behaves as designed: POST → 202 `{approval_id, pending_approval}`; deny works. **This hand-fix dies on next redeploy and covers ONE tenant.**
  3. **The UI doesn't speak the gate protocol**: raw 400 (and presumably 202) rendered as an error string.

Asks:

  - **(design)** Human-initiated mints (dashboard) should NOT require an approval round-trip — the human IS the approver. Either propagate the user identity/session through the edge so the handler can distinguish human vs agent admin-token calls, or have the dashboard pre-create+auto-approve in one step. Keep the full gate for agent callers (the #2574 incident class).
  - **(provisioner, CP)** Project `MOLECULE_PLATFORM_WORKSPACE_ID=<uuidv5(org,"molecule-platform-agent")>` into tenant user-data + redeploy path so every tenant has a valid anchor.
  - **(UI)** Handle 202 `pending_approval` (link to the approvals pane) instead of rendering raw JSON as error.
  - Tests: dashboard-mint e2e (human path), agent-mint integration (202 + decide + consume).

🤖 Generated with Claude Code


Reference: molecule-ai/molecule-core#2593