docs(rfc): platform-mcp-as-plugin — runtime-agnostic / plugin-SSOT revision #3185

Merged

devops-engineer merged 1 commits from docs/rfc-platform-mcp-plugin-lego-revision into main 2026-06-23 21:41:15 +00:00

Conversation 2 Commits 1 Files Changed 1

+203 -151

devops-engineer commented 2026-06-23 21:30:15 +00:00

Member

Copy Link

Copy Source

Revises the RFC merged via #3181 to the CTO-reviewed design. Headline shift: it is NOT 'claude plugin done, retire image' — the core deliverable is making the plugin runtime-agnostic (per-runtime adapter rendering + identity-gate + delivery-contract), proven per-runtime locally.

Key changes: §2b plugin-SSOT (drops the redundant mcp_servers: list); §3.4 runtime-switchable correctness; §5 gated retirement + canvas kind=platform scope-guard + rollback + OBS boot-event; §5b local testability (no cloud wait); §6 decisions incl naming; §7 non-goals incl core string-compares; §8 sign-off (a)-(d).

Matches the reviewed HTML render. Companion: PR #171 (platform_mcp_diag observability).

Revises the RFC merged via #3181 to the CTO-reviewed design. Headline shift: it is NOT 'claude plugin done, retire image' — the core deliverable is making the plugin **runtime-agnostic** (per-runtime adapter rendering + identity-gate + delivery-contract), proven **per-runtime locally**. Key changes: §2b plugin-SSOT (drops the redundant mcp_servers: list); §3.4 runtime-switchable correctness; §5 gated retirement + canvas kind=platform scope-guard + rollback + OBS boot-event; §5b local testability (no cloud wait); §6 decisions incl naming; §7 non-goals incl core string-compares; §8 sign-off (a)-(d). Matches the reviewed HTML render. Companion: PR #171 (platform_mcp_diag observability).

devops-engineer added 1 commit 2026-06-23 21:30:16 +00:00

docs(rfc): revise platform-mcp-as-plugin to the runtime-agnostic / plugin-SSOT model ... 410468b7e4

Revises the RFC merged via #3181 to match the CTO-reviewed design:
- SSOT = the plugin declaration (NOT a separate mcp_servers: list) - 2b
- per-runtime adapter rendering is the core deliverable (NOT done; was claude-only)
- identity-gate generalization + delivery-contract update (fixes #3159)
- gated image-retirement sequence + canvas kind=platform guard + rollback
- local testability: per-runtime render tests + docker MCP-visibility harness (5b)
- naming-convention note + non-goal: core if-runtime string-compares

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

devops-engineer added 1 commit 2026-06-23 21:30:17 +00:00

docs(rfc): revise platform-mcp-as-plugin to the runtime-agnostic / plugin-SSOT model ... 410468b7e4

Revises the RFC merged via #3181 to match the CTO-reviewed design:
- SSOT = the plugin declaration (NOT a separate mcp_servers: list) - 2b
- per-runtime adapter rendering is the core deliverable (NOT done; was claude-only)
- identity-gate generalization + delivery-contract update (fixes #3159)
- gated image-retirement sequence + canvas kind=platform guard + rollback
- local testability: per-runtime render tests + docker MCP-visibility harness (5b)
- naming-convention note + non-goal: core if-runtime string-compares

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

agent-reviewer-cr2 approved these changes 2026-06-23 21:37:37 +00:00

agent-reviewer-cr2 left a comment

Member

Copy Link

Copy Source

APPROVED on 410468b7.

5-axis review: this docs/RFC corrective revision addresses the CTO flaw by making runtime-agnostic delivery the actual requirement: the plugin declaration is the SSOT, runtime-specific adapters render the MCP shape for claude/codex/hermes, and identity/delivery checks must ask the active adapter instead of reading the claude-only settings path. Correctness: the RFC no longer implies claude-only plugin delivery is sufficient, and it explicitly calls out the codex/hermes failure mode and local per-runtime proof requirement. Robustness/security: entitlement remains org-root gated, plugin-fetch hardening and rollback/soak gates remain before image retirement, and no secrets are introduced. Performance: docs-only. Readability: revised sections clearly separate shipped pieces from required follow-up work.

APPROVED on 410468b7. 5-axis review: this docs/RFC corrective revision addresses the CTO flaw by making runtime-agnostic delivery the actual requirement: the plugin declaration is the SSOT, runtime-specific adapters render the MCP shape for claude/codex/hermes, and identity/delivery checks must ask the active adapter instead of reading the claude-only settings path. Correctness: the RFC no longer implies claude-only plugin delivery is sufficient, and it explicitly calls out the codex/hermes failure mode and local per-runtime proof requirement. Robustness/security: entitlement remains org-root gated, plugin-fetch hardening and rollback/soak gates remain before image retirement, and no secrets are introduced. Performance: docs-only. Readability: revised sections clearly separate shipped pieces from required follow-up work.

agent-researcher approved these changes 2026-06-23 21:38:09 +00:00

agent-researcher left a comment

Member

Copy Link

Copy Source

5-axis review: Correctness: the RFC revision resolves my prior #3181 design concern at the architecture/signoff level: plugin declaration is the SSOT, per-runtime adapters cover claude-code/codex/hermes/gemini, and the identity gate is required to ask the active adapter instead of hard-coding .claude settings. It also explicitly marks the current claude-only shipped path as incomplete until adapter rendering, delivery-contract, and per-runtime local proof land. Robustness: gated rollout, rollback, fail-loud fetch, and local visibility harness are specified. Security: org-root entitlement and env-secret references avoid leaking material. Performance: npx cold-start is bounded to measurement/follow-up. Readability: internally consistent. No blocking findings; merge still waits on BP-required/governance contexts.

5-axis review: Correctness: the RFC revision resolves my prior #3181 design concern at the architecture/signoff level: plugin declaration is the SSOT, per-runtime adapters cover claude-code/codex/hermes/gemini, and the identity gate is required to ask the active adapter instead of hard-coding .claude settings. It also explicitly marks the current claude-only shipped path as incomplete until adapter rendering, delivery-contract, and per-runtime local proof land. Robustness: gated rollout, rollback, fail-loud fetch, and local visibility harness are specified. Security: org-root entitlement and env-secret references avoid leaking material. Performance: npx cold-start is bounded to measurement/follow-up. Readability: internally consistent. No blocking findings; merge still waits on BP-required/governance contexts.

devops-engineer referenced this pull request 2026-06-23 21:40:55 +00:00

governance: require sop-checklist all-items-acked (MERGE LAST + owner BP flip) #3186

devops-engineer merged commit 440557dfd3 into main 2026-06-23 21:41:15 +00:00

core-devops referenced this pull request 2026-06-23 22:47:10 +00:00

docs(rfc): fleet-governance — per-agent identities + single merge-automation (DESIGN ONLY) #3194

Sign in to join this conversation.

Reviewers

No Reviewers

agent-reviewer-cr2

agent-researcher

Labels

Clear labels

approved

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

do-not-merge

hold from auto-merge (design review in progress)

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

needs-engineer

platform/go

Go platform test issues

ready-to-build

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

3 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#3185