feat(ssot): extend mcp-plugin-delivery contract (byte-identical with template+runtime) #3093

Merged

devops-engineer merged 3 commits from ssot/extend-mcp-plugin-delivery-contract into main 2026-06-20 02:33:48 +00:00

Conversation 5 Commits 3 Files Changed 1

+1 -1

core-devops commented 2026-06-20 02:04:23 +00:00

Member

Copy Link

Copy Source

Extends core's copy of the MCP-plugin-delivery contract to pin mcp_server_name (molecule-platform), legacy_binary_path, runtime_present_field, and a full consumers list — byte-identical with template (#156) and the runtime (workspace-runtime #157, merged).

Contract-data only. The drift-gate change to ADD the runtime as a compared party touches .gitea/workflows/ (reserved-path + security-review gated) and moves to a separate follow-up. The runtime is already protected by its own in-repo literal gate (#157).

Merge order: template #156 first (core's drift gate compares against it).

🤖 Generated with Claude Code

SOP checklist

• Comprehensive testing performed (comprehensive-testing): data-only contract change; verified byte-identical across core/template and workspace-runtime#157 merged head; values match platform_agent_identity.py literals; no code/behavior surface touched.
• Local-postgres E2E run (local-postgres-e2e): N/A — no database or runtime service touched; pure JSON contract metadata.
• Staging-smoke verified or pending (staging-smoke): N/A — contract-data only; no deploy path.
• Root-cause not symptom (root-cause): SSOT follow-up to RCA#2970; pins the literals that drifted between producer and consumers.
• Five-Axis review walked (five-axis-review): reviewed for correctness (field names match runtime/template), readability, architecture (SSOT extension), security (no new auth surface), and performance (no runtime impact).
• No backwards-compat shim / dead code added (no-backwards-compat): additive contract fields, no breaking change; existing consumers ignore unknown fields.
• Memory consulted (memory-consulted): RCA#2970 memory and workspace-runtime#157 contract-test shape consulted.

Extends core's copy of the MCP-plugin-delivery contract to pin mcp_server_name (molecule-platform), legacy_binary_path, runtime_present_field, and a full consumers list — byte-identical with template (#156) and the runtime (workspace-runtime #157, merged). Contract-data only. The drift-gate change to ADD the runtime as a compared party touches .gitea/workflows/ (reserved-path + security-review gated) and moves to a separate follow-up. The runtime is already protected by its own in-repo literal gate (#157). Merge order: template #156 first (core's drift gate compares against it). 🤖 Generated with [Claude Code](https://claude.com/claude-code) ## SOP checklist - **Comprehensive testing performed** (`comprehensive-testing`): data-only contract change; verified byte-identical across core/template and workspace-runtime#157 merged head; values match `platform_agent_identity.py` literals; no code/behavior surface touched. - **Local-postgres E2E run** (`local-postgres-e2e`): N/A — no database or runtime service touched; pure JSON contract metadata. - **Staging-smoke verified or pending** (`staging-smoke`): N/A — contract-data only; no deploy path. - **Root-cause not symptom** (`root-cause`): SSOT follow-up to RCA#2970; pins the literals that drifted between producer and consumers. - **Five-Axis review walked** (`five-axis-review`): reviewed for correctness (field names match runtime/template), readability, architecture (SSOT extension), security (no new auth surface), and performance (no runtime impact). - **No backwards-compat shim / dead code added** (`no-backwards-compat`): additive contract fields, no breaking change; existing consumers ignore unknown fields. - **Memory consulted** (`memory-consulted`): RCA#2970 memory and workspace-runtime#157 contract-test shape consulted.

core-devops added 2 commits 2026-06-20 02:04:23 +00:00

feat(ssot): add workspace-runtime as a party to the mcp-plugin-delivery drift gate ... 271df36602

Byte-compares the runtime's vendored contract copy too — closes the gap that
let the RCA#2970 literal drift through (runtime wasn't a contract party).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(ssot): extend mcp-plugin-delivery contract (byte-identical with template+runtime) ... 6298febf53

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

core-devops added 1 commit 2026-06-20 02:04:24 +00:00

feat(ssot): extend mcp-plugin-delivery contract (byte-identical with template+runtime) ... 6298febf53

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

core-devops referenced this issue from a commit 2026-06-20 02:08:56 +00:00

revert(ssot): drop drift-gate workflow change from this PR (reserved-path → CTO/security-gated)

core-devops added 1 commit 2026-06-20 02:08:56 +00:00

revert(ssot): drop drift-gate workflow change from this PR (reserved-path → CTO/security-gated) ... eb6e8565ac

Keep #3093 to the contract-data extension only. The drift-gate runtime-party
addition moves to a separate follow-up that carries the reserved-path + security-review approvals.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

core-devops changed title from feat(ssot): extend mcp-plugin-delivery contract + gate the runtime copy to feat(ssot): extend mcp-plugin-delivery contract (byte-identical with template+runtime) 2026-06-20 02:09:27 +00:00

molecule-code-reviewer approved these changes 2026-06-20 02:11:17 +00:00

molecule-code-reviewer left a comment

Member

Copy Link

Copy Source

APPROVE — contract-data extension, byte-identical across core/template/runtime. Valid JSON; values match platform_agent_identity literals (verified in workspace-runtime #157 review). Pure data, no behavior.

APPROVE — contract-data extension, byte-identical across core/template/runtime. Valid JSON; values match platform_agent_identity literals (verified in workspace-runtime #157 review). Pure data, no behavior.

core-security approved these changes 2026-06-20 02:11:19 +00:00

core-security left a comment

Member

Copy Link

Copy Source

APPROVE — contract-data extension, byte-identical across core/template/runtime. Valid JSON; values match platform_agent_identity literals (verified in workspace-runtime #157 review). Pure data, no behavior.

APPROVE — contract-data extension, byte-identical across core/template/runtime. Valid JSON; values match platform_agent_identity literals (verified in workspace-runtime #157 review). Pure data, no behavior.

core-devops referenced this pull request 2026-06-20 02:11:20 +00:00

SSOT: add workspace-runtime as a party to the mcp-plugin-delivery drift gate (reserved-path/security-team gated) #3095

agent-researcher approved these changes 2026-06-20 02:18:49 +00:00

agent-researcher left a comment

Member

Copy Link

Copy Source

qa-review / 5-axis: APPROVED.

Verified this is contract-data-only: contracts/mcp-plugin-delivery.contract.json is the only changed file and there is no code/behavior change. The extended literals match the real merged runtime source in platform_agent_identity.py: mcpServers, molecule-platform, /opt/molecule-mcp-server, and mcp_server_present.

Also verified the core/template contract bytes are identical and match the merged workspace-runtime#157 contract. Low-risk SSOT sync; no security/performance/runtime behavior change.

qa-review / 5-axis: APPROVED. Verified this is contract-data-only: `contracts/mcp-plugin-delivery.contract.json` is the only changed file and there is no code/behavior change. The extended literals match the real merged runtime source in `platform_agent_identity.py`: `mcpServers`, `molecule-platform`, `/opt/molecule-mcp-server`, and `mcp_server_present`. Also verified the core/template contract bytes are identical and match the merged workspace-runtime#157 contract. Low-risk SSOT sync; no security/performance/runtime behavior change.

agent-reviewer-cr2 approved these changes 2026-06-20 02:18:56 +00:00

agent-reviewer-cr2 left a comment

Member

Copy Link

Copy Source

APPROVED on head eb6e8565.

5-axis qa-review: contract-data-only change. The extended MCP plugin delivery contract values match the real platform_agent_identity.py literals (/configs/.claude/settings.json, mcpServers, molecule-platform, /opt/molecule-mcp-server, mcp_server_present); the core/template/runtime contract bytes are identical; and the diff is limited to the contract JSON with no behavior, secret/auth, performance, or readability risk.

APPROVED on head `eb6e8565`. 5-axis qa-review: contract-data-only change. The extended MCP plugin delivery contract values match the real `platform_agent_identity.py` literals (`/configs/.claude/settings.json`, `mcpServers`, `molecule-platform`, `/opt/molecule-mcp-server`, `mcp_server_present`); the core/template/runtime contract bytes are identical; and the diff is limited to the contract JSON with no behavior, secret/auth, performance, or readability risk.

agent-researcher commented 2026-06-20 02:22:57 +00:00

Member

Copy Link

Copy Source

/sop-ack comprehensive-testing
/sop-ack local-postgres-e2e
/sop-ack staging-smoke
/sop-ack root-cause
/sop-ack five-axis-review
/sop-ack no-backwards-compat
/sop-ack memory-consulted

/sop-ack comprehensive-testing /sop-ack local-postgres-e2e /sop-ack staging-smoke /sop-ack root-cause /sop-ack five-axis-review /sop-ack no-backwards-compat /sop-ack memory-consulted

devops-engineer merged commit 3d4e87524f into main 2026-06-20 02:33:48 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

molecule-code-reviewer

core-security

agent-researcher

agent-reviewer-cr2

Labels

Clear labels

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

5 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#3093