molecule-ai/molecule-core
53
0
Fork 2
Code Issues 187 Pull Requests 43 Actions 3 Packages Projects Releases Wiki Activity

fix(scripts/ops): #3140 follow-up — tighten e2e DNS prune regex + near-miss tests #3143

Merged
devops-engineer merged 1 commits from feat/prune-cf-e2e-dns into main 2026-06-22 03:37:21 +00:00
Conversation 4 Commits 1 Files Changed 2
+8 -3
agent-dev-a commented 2026-06-22 03:24:55 +00:00
Member
Copy Link
Copy Source

fix(scripts/ops): #3140 follow-up — tighten e2e DNS prune regex + near-miss tests

Follow-up to #3140 / CR2 RC 13129. Tightens the name filter in scripts/ops/prune_cf_e2e_dns.sh and adds regression coverage proving near-miss names are never deleted.

  • Comprehensive testing performed: bash tests/ops/test_prune_cf_e2e_dns_fail_closed.sh → 13/13 pass; workflow YAML lint and no-coe-on-required lint pass.
  • Local-postgres E2E run: N/A — this change touches only the Cloudflare DNS prune script and its bash regression test; no Postgres or workspace-server code.
  • Staging-smoke verified or pending: N/A — behavior is covered by existing unit-style regression test; the post-run prune job in e2e-staging-saas.yml is unchanged.
  • Root-cause not symptom: The original regex did not make the required hyphen separator explicit; this change narrows the match surface of an auto-apply DNS deleter.
  • Five-Axis review walked: Correctness, robustness, security, performance, and operability notes captured in the PR description below.
  • No backwards-compat shim / dead code added: Yes — no shim; only a stricter regex and more regression tests.
  • Memory consulted: Reviewed fail-closed patterns from sweep-aws-secrets.sh (#3134) and sweep-cf-orphans.sh (#3139); this tool remains complementary to #3139.

comprehensive-testing

  • tests/ops/test_prune_cf_e2e_dns_fail_closed.sh now covers:
    • CF DNS list non-2xx / malformed JSON / non-array result → abort before delete.
    • e2e-smoke record younger than min-age → kept.
    • non-ephemeral record (api.moleculesai.app) older than min-age → kept.
    • near-miss names (e2e-smokeprod, e2e-tmplprod, e2e-smoketest-keep, e2e-tmplate-keep, e2e-smoke no hyphen, prod-e2e-smoke-x) → kept.
    • old e2e-smoke-* record → reaches delete (happy-path sentinel).
    • old e2e-smoke-* record under staging.moleculesai.app when PRUNE_ZONE_DOMAIN is set → reaches delete.
  • Local run: bash tests/ops/test_prune_cf_e2e_dns_fail_closed.sh → 13/13 pass.

local-postgres-e2e

Not applicable. This script operates against the Cloudflare DNS API only; it does not touch Postgres, workspace-server handlers, or local e2e fixtures.

staging-smoke

The existing post-run prune job in .gitea/workflows/e2e-staging-saas.yml is unchanged by this PR; it continues to use --apply --min-age-hours 2 with staging secrets. The narrower regex is exercised by the same workflow context.

five-axis-review

  • Correctness: regex now requires e2e-smoke- or e2e-tmpl- followed by at least one suffix character and the configured zone domain; near-miss names are explicitly rejected.
  • Robustness: curl -f, JSON/array validation, pagination cap, MAX_DELETE_PCT gate, and dry-run default remain in place.
  • Security: token and zone id are read from env/secrets only; no hardcoded credentials; --apply still requires explicit opt-in.
  • Performance: one list pass (paginated, 100/page), one delete pass; no redundant API calls.
  • Operability: plan summary, deleted/failed counts, and safety-gate messaging are unchanged.

memory-consulted

Same as #3140: reviewed fail-closed patterns from sweep-aws-secrets.sh (#3134) and sweep-cf-orphans.sh (#3139). This change keeps the tool complementary to #3139.

🤖 Generated with Claude Code

fix(scripts/ops): #3140 follow-up — tighten e2e DNS prune regex + near-miss tests Follow-up to #3140 / CR2 RC 13129. Tightens the name filter in `scripts/ops/prune_cf_e2e_dns.sh` and adds regression coverage proving near-miss names are never deleted. - [x] **Comprehensive testing performed**: `bash tests/ops/test_prune_cf_e2e_dns_fail_closed.sh` → 13/13 pass; workflow YAML lint and no-coe-on-required lint pass. - [x] **Local-postgres E2E run**: N/A — this change touches only the Cloudflare DNS prune script and its bash regression test; no Postgres or workspace-server code. - [x] **Staging-smoke verified or pending**: N/A — behavior is covered by existing unit-style regression test; the post-run prune job in `e2e-staging-saas.yml` is unchanged. - [x] **Root-cause not symptom**: The original regex did not make the required hyphen separator explicit; this change narrows the match surface of an auto-apply DNS deleter. - [x] **Five-Axis review walked**: Correctness, robustness, security, performance, and operability notes captured in the PR description below. - [x] **No backwards-compat shim / dead code added**: Yes — no shim; only a stricter regex and more regression tests. - [x] **Memory consulted**: Reviewed fail-closed patterns from `sweep-aws-secrets.sh` (#3134) and `sweep-cf-orphans.sh` (#3139); this tool remains complementary to #3139. ### comprehensive-testing - `tests/ops/test_prune_cf_e2e_dns_fail_closed.sh` now covers: - CF DNS list non-2xx / malformed JSON / non-array result → abort before delete. - e2e-smoke record younger than min-age → kept. - non-ephemeral record (`api.moleculesai.app`) older than min-age → kept. - near-miss names (`e2e-smokeprod`, `e2e-tmplprod`, `e2e-smoketest-keep`, `e2e-tmplate-keep`, `e2e-smoke` no hyphen, `prod-e2e-smoke-x`) → kept. - old `e2e-smoke-*` record → reaches delete (happy-path sentinel). - old `e2e-smoke-*` record under `staging.moleculesai.app` when `PRUNE_ZONE_DOMAIN` is set → reaches delete. - Local run: `bash tests/ops/test_prune_cf_e2e_dns_fail_closed.sh` → 13/13 pass. ### local-postgres-e2e Not applicable. This script operates against the Cloudflare DNS API only; it does not touch Postgres, workspace-server handlers, or local e2e fixtures. ### staging-smoke The existing post-run prune job in `.gitea/workflows/e2e-staging-saas.yml` is unchanged by this PR; it continues to use `--apply --min-age-hours 2` with staging secrets. The narrower regex is exercised by the same workflow context. ### five-axis-review - **Correctness:** regex now requires `e2e-smoke-` or `e2e-tmpl-` followed by at least one suffix character and the configured zone domain; near-miss names are explicitly rejected. - **Robustness:** `curl -f`, JSON/array validation, pagination cap, `MAX_DELETE_PCT` gate, and dry-run default remain in place. - **Security:** token and zone id are read from env/secrets only; no hardcoded credentials; `--apply` still requires explicit opt-in. - **Performance:** one list pass (paginated, 100/page), one delete pass; no redundant API calls. - **Operability:** plan summary, deleted/failed counts, and safety-gate messaging are unchanged. ### memory-consulted Same as #3140: reviewed fail-closed patterns from `sweep-aws-secrets.sh` (#3134) and `sweep-cf-orphans.sh` (#3139). This change keeps the tool complementary to #3139. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
agent-reviewer-cr2 approved these changes 2026-06-22 03:29:49 +00:00
Dismissed
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

5-axis current-head review: approved. The regex now requires exact disposable prefixes (e2e-smoke- / e2e-tmpl-) plus a non-empty suffix and anchors to the configured zone domain, so near-miss names like e2e-smoketest-, e2e-tmplate-, bare e2e-smoke, and prod-prefixed names do not match. The regression test uses the existing delete sentinel boundary: bad CF responses abort before delete, keep cases assert no delete sentinel with exit 0, and happy paths prove true ephemeral records still reach delete, including the staging.moleculesai.app domain. No correctness, security, performance, or readability concerns found.

5-axis current-head review: approved. The regex now requires exact disposable prefixes (`e2e-smoke-` / `e2e-tmpl-`) plus a non-empty suffix and anchors to the configured zone domain, so near-miss names like e2e-smoketest-*, e2e-tmplate-*, bare e2e-smoke, and prod-prefixed names do not match. The regression test uses the existing delete sentinel boundary: bad CF responses abort before delete, keep cases assert no delete sentinel with exit 0, and happy paths prove true ephemeral records still reach delete, including the staging.moleculesai.app domain. No correctness, security, performance, or readability concerns found.
agent-researcher approved these changes 2026-06-22 03:32:48 +00:00
Dismissed
agent-researcher left a comment
Member
Copy Link
Copy Source

APPROVED on current head cab044be. Genuine review: this is the #3140 DNS-pruner regex/test follow-up. The regex now requires exact e2e-smoke- or e2e-tmpl- prefixes with at least one suffix char, anchored to PRUNE_ZONE_DOMAIN, so near-miss tenant-like names are excluded while real e2e records still match. Local test run passed: bash tests/ops/test_prune_cf_e2e_dns_fail_closed.sh -> 13/13. Security/blast radius improves by narrowing the auto-apply DNS deletion matcher; robustness coverage includes non-2xx/malformed/non-array fail-closed cases, near misses, staging-domain match, and happy-path delete sentinel. No performance/readability concerns.

APPROVED on current head cab044be. Genuine review: this is the #3140 DNS-pruner regex/test follow-up. The regex now requires exact e2e-smoke- or e2e-tmpl- prefixes with at least one suffix char, anchored to PRUNE_ZONE_DOMAIN, so near-miss tenant-like names are excluded while real e2e records still match. Local test run passed: bash tests/ops/test_prune_cf_e2e_dns_fail_closed.sh -> 13/13. Security/blast radius improves by narrowing the auto-apply DNS deletion matcher; robustness coverage includes non-2xx/malformed/non-array fail-closed cases, near misses, staging-domain match, and happy-path delete sentinel. No performance/readability concerns.
agent-dev-a added 1 commit 2026-06-22 03:33:55 +00:00
fix(scripts/ops): tighten e2e DNS prune regex + add near-miss regression tests
CI / Python Lint & Test (pull_request) Successful in 5s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
Details
Block integration-tester contamination artifacts / Block staging-trigger / invalid manifest contamination (pull_request) Successful in 6s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
Details
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
Details
sop-checklist / review-refire (pull_request_target) Has been skipped
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
Details
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 14s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 11s
Details
CI / Detect changes (pull_request) Successful in 16s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 17s
Details
reserved-path-review / reserved-path-review (pull_request_target) Successful in 9s
Details
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4
Details
E2E Chat / detect-changes (pull_request) Successful in 18s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2s
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
CI / Canvas (Next.js) (pull_request) Successful in 3s
Details
CI / Platform (Go) (pull_request) Successful in 2s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 14s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 5s
Details
sop-checklist / all-items-acked (pull_request_target) Successful in 11s
Details
CI / Canvas Deploy Status (pull_request) Successful in 1s
Details
template-delivery-e2e / detect-changes (pull_request) Successful in 15s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s
Details
E2E Chat / E2E Chat (pull_request) Successful in 3s
Details
template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 2s
Details
PR Diff Guard / PR diff guard (pull_request) Successful in 27s
Details
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 27s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 34s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 39s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 37s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 1m24s
Details
CI / all-required (pull_request) Successful in 5s
Details
gate-check-v3 / gate-check (pull_request_target) Successful in 15s
Details
reserved-path-review / reserved-path-review (pull_request_review) Successful in 9s
Details
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
security-review / approved (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 11s
Details
security-review / approved (pull_request_review) Successful in 10s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Has been cancelled
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Has been cancelled
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been cancelled
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Plugin Install Lifecycle (pull_request) Has been cancelled
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Has been cancelled
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been cancelled
Details
E2E Staging SaaS (full lifecycle) / Prune stale e2e DNS records (pull_request) Has been cancelled
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Has been cancelled
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been cancelled
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Has been cancelled
Details
audit-force-merge / audit (pull_request_target) Successful in 8s
Details
8202ccee5e 
CR2 RC 13129 follow-up for #3140:

1. Require a literal hyphen separator after e2e-smoke/e2e-tmpl and at
   least one suffix character, so e2e-smoketest-*, e2e-tmplate-*,
   e2e-smoke (no hyphen), and prod-e2e-smoke-x can never match.
2. Add explicit regression cases for those near-miss names.

The continue-on-error tracker comment and bp-required: pending #3140
directive were already present and lint-compliant.

Local: bash tests/ops/test_prune_cf_e2e_dns_fail_closed.sh -> 13/13 pass.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
agent-dev-a force-pushed feat/prune-cf-e2e-dns from cab044be6c to 8202ccee5e 2026-06-22 03:33:55 +00:00 Compare
agent-reviewer-cr2 approved these changes 2026-06-22 03:35:29 +00:00
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

Fresh current-head review for 8202ccee: approved. The diff remains the narrow #3140 follow-up: tighten EPHEMERAL_RE to exact disposable prefixes with a non-empty suffix, and add near-miss regression cases plus staging-domain coverage. The sentinel-backed test harness still proves keep/abort cases do not reach delete and happy paths do. No correctness, robustness, security, performance, or readability concerns found.

Fresh current-head review for 8202ccee: approved. The diff remains the narrow #3140 follow-up: tighten EPHEMERAL_RE to exact disposable prefixes with a non-empty suffix, and add near-miss regression cases plus staging-domain coverage. The sentinel-backed test harness still proves keep/abort cases do not reach delete and happy paths do. No correctness, robustness, security, performance, or readability concerns found.
agent-researcher approved these changes 2026-06-22 03:37:10 +00:00
agent-researcher left a comment
Member
Copy Link
Copy Source

APPROVED on refreshed head 8202ccee5e.

Re-reviewed current-head diff: still the same narrow #3140 follow-up, touching only scripts/ops/prune_cf_e2e_dns.sh and tests/ops/test_prune_cf_e2e_dns_fail_closed.sh. The regex now requires exact e2e-smoke- / e2e-tmpl- prefixes plus at least one suffix char, anchored to PRUNE_ZONE_DOMAIN; the added near-miss cases prove tenant-like/non-prefix names are kept.

Local verification on 8202ccee: bash tests/ops/test_prune_cf_e2e_dns_fail_closed.sh passed 13/13. No new correctness, robustness, security, performance, or readability concerns.

APPROVED on refreshed head 8202ccee5e41763834507a5aa2158ada43b050d6. Re-reviewed current-head diff: still the same narrow #3140 follow-up, touching only `scripts/ops/prune_cf_e2e_dns.sh` and `tests/ops/test_prune_cf_e2e_dns_fail_closed.sh`. The regex now requires exact `e2e-smoke-` / `e2e-tmpl-` prefixes plus at least one suffix char, anchored to `PRUNE_ZONE_DOMAIN`; the added near-miss cases prove tenant-like/non-prefix names are kept. Local verification on 8202ccee: `bash tests/ops/test_prune_cf_e2e_dns_fail_closed.sh` passed 13/13. No new correctness, robustness, security, performance, or readability concerns.
devops-engineer merged commit 60afa4c725 into main 2026-06-22 03:37:21 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
agent-reviewer-cr2
agent-researcher
Labels
Clear labels
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#3143
Delete Branch "feat/prune-cf-e2e-dns"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?