ci: synthetic-check cron for AUTO_SYNC_TOKEN rotation drift detection (post-#66 hostile-self-review #3) #72

New Issue

Closed

opened 2026-05-07 22:20:17 +00:00 by claude-ceo-assistant · 2 comments

claude-ceo-assistant commented 2026-05-07 22:20:17 +00:00

Owner

Copy Link

Context

PR #66 fixed auto-sync main→staging by replacing the broken gh pr create (Gitea 405 on GraphQL) with a direct git push from the devops-engineer persona's AUTO_SYNC_TOKEN. The hostile self-review of that PR flagged weakest-spot #3:

Token rotation silently breaks auto-sync. If AUTO_SYNC_TOKEN is rotated without updating the repo secret, every push to main fails red on the auto-sync push step. The workflow surfaces the failure mode in the step summary (failure mode B in the header), but there's no proactive monitoring. Detection latency: rotation is only caught when the next main push triggers auto-sync.

In the worst case (slow main-push cadence), the gap between rotation and detection could be many hours. During that window, every commit to main fails to propagate to staging — auto-promote-staging.yml then sees a divergent staging that isn't a superset of main, and the staging is a superset of main invariant is silently broken.

What this issue tracks

Add a low-frequency cron-triggered synthetic check that fires the auto-sync auth surface (or a cheap variant) and emits a clear red signal if AUTO_SYNC_TOKEN has drifted out of validity.

Investigation findings

What AUTO_SYNC_TOKEN does today

Used in three workflows:

• auto-sync-main-to-staging.yml — PR #66's direct push from devops-engineer persona
• publish-workspace-server-image.yml — oauth2:<token> basic-auth for cloning manifest deps in CI
• (any other? — only these two on grep)

Failure modes from the auto-sync header:

• A: staging conflicts with main → already detected immediately on merge, no synthetic check needed
• B: token rotated / wrong scope → THIS IS WHAT THIS ISSUE ADDRESSES
• C: branch protection no longer whitelists devops-engineer → already monitored by branch-protection-drift.yml (daily cron)
• D: concurrent push race → handled by workflow concurrency group

So: synthetic check focuses on B.

Decision: Option B (read-only verify), rejecting A and C

Option A — full auto-sync on schedule: REJECTED. Every 6h × 4 = 4 synthetic merge commits per day on staging when main hasn't advanced. That's pure history clutter. Worse: if main has advanced, the scheduled run races the real push: trigger.

Option B — token-validity probe (pick this): cron-triggered workflow that does:

1. GET /api/v1/user against Gitea with the token → validates auth + identity (expects username == devops-engineer)
2. GET /api/v1/repos/molecule-ai/molecule-core with the token → validates read:repository scope on this repo
3. git ls-remote https://oauth2:$AUTO_SYNC_TOKEN@git.moleculesai.app/molecule-ai/molecule-core staging → validates the exact HTTPS auth path used by actions/checkout step in the real workflow
4. (Optional) git push --dry-run origin staging from a noop synthetic branch — exercises the connection + ref-negotiation path, but does NOT exercise pre-receive hook (so does not validate authz; Option C does, but authz is already covered by branch-protection-drift)

Pros: cheap (~3 HTTPS calls, ~5s wall-clock), zero side-effects on staging, no branch noise.
Cons: doesn't validate the protected-branch push whitelist authz on its own. (Branch-protection-drift.yml is the canonical gate for that, daily.)

Option C — push to dedicated auto-sync-canary branch: REJECTED. Tests authz too, but: (a) branch noise on Gitea, (b) requires adding the canary branch to staging's push_whitelist or a new protection — more YAML drift, (c) authz validation is already done daily by branch-protection-drift.yml. Don't duplicate.

Prior art

• Cloudflare API tokens: have a dedicated /user/tokens/verify endpoint specifically for canary scripts to validate "is this token still good" with no side effects. Gitea's equivalent is GET /api/v1/user.
• AWS Secrets Manager rotation Lambda: includes a testSecret step that calls the target service with the new credential before promoting AWSPENDING to AWSCURRENT. Same shape — auth probe before commit.
• HashiCorp Vault: secret_id periodic health checks via vault token lookup to detect renewal failures.

The canonical pattern is: a dedicated read-only auth-validity endpoint + cron canary. Option B applies that pattern verbatim.

Cadence

6h is the brief's suggestion. Justification:

• Cost: 4 runs/day × ~5s × ~3 HTTPS calls = trivial (Gitea is self-hosted, no API quota)
• Detection latency: average 3h between rotation and red signal, max 6h. Acceptable for an event that happens at most a few times per quarter.
• Alternative 1h: 24× the runs, 6× shorter latency. Marginal benefit for our rotation cadence.
• Alternative daily: 6× cheaper, 6× longer latency. Auto-sync would silently fail on every main push for up to 24h — worse than the status quo (we'd still notice on the first main push).

6h dominates daily, and the marginal benefit of 1h doesn't justify 24× the noise in actions feed.

Token-scoping security

No new token. Reuses secrets.AUTO_SYNC_TOKEN (read scope is sufficient — Option B does not push). The synthetic check has the same blast-radius profile as the workflow it's monitoring.

Surfaces affected

• New: .github/workflows/auto-sync-canary.yml
• No code changes
• No script changes (curl + git suffice in inline shell)
• Runbook: brief inline in the workflow header (matches the auto-sync workflow's own header convention)

Plan (Phase 2 design → Phase 3 implement → Phase 4 verify)

• One new workflow file, one PR
• Header comment in PR #66 shape: what / why / failure modes / runbook
• Mutation test: temporarily set token to junk in a fork branch, confirm RED with actionable message
• No follow-up issues unless a richer alerting surface (Slack/Discord webhook) is requested — current proposal: red workflow status only, operator polls Gitea actions feed (which is the same surface used by auto-promote-stale-alarm.yml).

Coordination

• 3 sister agents in flight (provisioner #194, retarget bundle #195+#196, sweep agent #197). New file, no overlap with their existing-workflow edits.
• core/main is 20/20 GREEN post-#66.

## Context PR #66 fixed auto-sync main→staging by replacing the broken `gh pr create` (Gitea 405 on GraphQL) with a direct git push from the `devops-engineer` persona's `AUTO_SYNC_TOKEN`. The hostile self-review of that PR flagged weakest-spot #3: > Token rotation silently breaks auto-sync. If `AUTO_SYNC_TOKEN` is rotated without updating the repo secret, every push to main fails red on the auto-sync push step. The workflow surfaces the failure mode in the step summary (failure mode B in the header), but there's no proactive monitoring. **Detection latency**: rotation is only caught when the next main push triggers auto-sync. In the worst case (slow main-push cadence), the gap between rotation and detection could be many hours. During that window, every commit to main fails to propagate to staging — auto-promote-staging.yml then sees a divergent staging that isn't a superset of main, and the `staging is a superset of main` invariant is silently broken. ## What this issue tracks Add a low-frequency cron-triggered synthetic check that fires the auto-sync auth surface (or a cheap variant) and emits a clear red signal if `AUTO_SYNC_TOKEN` has drifted out of validity. ## Investigation findings ### What `AUTO_SYNC_TOKEN` does today Used in three workflows: - `auto-sync-main-to-staging.yml` — PR #66's direct push from devops-engineer persona - `publish-workspace-server-image.yml` — `oauth2:<token>` basic-auth for cloning manifest deps in CI - (any other? — only these two on grep) Failure modes from the auto-sync header: - **A**: staging conflicts with main → already detected immediately on merge, no synthetic check needed - **B**: token rotated / wrong scope → THIS IS WHAT THIS ISSUE ADDRESSES - **C**: branch protection no longer whitelists devops-engineer → already monitored by `branch-protection-drift.yml` (daily cron) - **D**: concurrent push race → handled by workflow concurrency group So: synthetic check focuses on B. ### Decision: Option B (read-only verify), rejecting A and C **Option A — full auto-sync on schedule**: REJECTED. Every 6h × 4 = 4 synthetic merge commits per day on staging when main hasn't advanced. That's pure history clutter. Worse: if main has advanced, the scheduled run races the real `push:` trigger. **Option B — token-validity probe (pick this)**: cron-triggered workflow that does: 1. `GET /api/v1/user` against Gitea with the token → validates auth + identity (expects `username == devops-engineer`) 2. `GET /api/v1/repos/molecule-ai/molecule-core` with the token → validates `read:repository` scope on this repo 3. `git ls-remote https://oauth2:$AUTO_SYNC_TOKEN@git.moleculesai.app/molecule-ai/molecule-core staging` → validates the exact HTTPS auth path used by `actions/checkout` step in the real workflow 4. (Optional) `git push --dry-run origin staging` from a noop synthetic branch — exercises the connection + ref-negotiation path, but does NOT exercise pre-receive hook (so does not validate authz; Option C does, but authz is already covered by branch-protection-drift) Pros: cheap (~3 HTTPS calls, ~5s wall-clock), zero side-effects on staging, no branch noise. Cons: doesn't validate the protected-branch push whitelist authz on its own. (Branch-protection-drift.yml is the canonical gate for that, daily.) **Option C — push to dedicated `auto-sync-canary` branch**: REJECTED. Tests authz too, but: (a) branch noise on Gitea, (b) requires adding the canary branch to staging's `push_whitelist` or a new protection — more YAML drift, (c) authz validation is already done daily by `branch-protection-drift.yml`. Don't duplicate. ### Prior art - **Cloudflare API tokens**: have a dedicated `/user/tokens/verify` endpoint specifically for canary scripts to validate "is this token still good" with no side effects. Gitea's equivalent is `GET /api/v1/user`. - **AWS Secrets Manager rotation Lambda**: includes a `testSecret` step that calls the target service with the new credential before promoting `AWSPENDING` to `AWSCURRENT`. Same shape — auth probe before commit. - **HashiCorp Vault**: `secret_id` periodic health checks via `vault token lookup` to detect renewal failures. The canonical pattern is: a dedicated read-only auth-validity endpoint + cron canary. Option B applies that pattern verbatim. ### Cadence 6h is the brief's suggestion. Justification: - Cost: 4 runs/day × ~5s × ~3 HTTPS calls = trivial (Gitea is self-hosted, no API quota) - Detection latency: average 3h between rotation and red signal, max 6h. Acceptable for an event that happens at most a few times per quarter. - Alternative 1h: 24× the runs, 6× shorter latency. Marginal benefit for our rotation cadence. - Alternative daily: 6× cheaper, 6× longer latency. Auto-sync would silently fail on every main push for up to 24h — worse than the status quo (we'd still notice on the first main push). 6h dominates daily, and the marginal benefit of 1h doesn't justify 24× the noise in actions feed. ### Token-scoping security No new token. Reuses `secrets.AUTO_SYNC_TOKEN` (read scope is sufficient — Option B does not push). The synthetic check has the same blast-radius profile as the workflow it's monitoring. ### Surfaces affected - New: `.github/workflows/auto-sync-canary.yml` - No code changes - No script changes (curl + git suffice in inline shell) - Runbook: brief inline in the workflow header (matches the auto-sync workflow's own header convention) ## Plan (Phase 2 design → Phase 3 implement → Phase 4 verify) - One new workflow file, one PR - Header comment in PR #66 shape: what / why / failure modes / runbook - Mutation test: temporarily set token to junk in a fork branch, confirm RED with actionable message - No follow-up issues unless a richer alerting surface (Slack/Discord webhook) is requested — current proposal: red workflow status only, operator polls Gitea actions feed (which is the same surface used by `auto-promote-stale-alarm.yml`). ## Coordination - 3 sister agents in flight (provisioner #194, retarget bundle #195+#196, sweep agent #197). New file, no overlap with their existing-workflow edits. - core/main is 20/20 GREEN post-#66.

claude-ceo-assistant referenced this issue from a commit 2026-05-07 22:23:47 +00:00

ci: add AUTO_SYNC_TOKEN rotation drift canary (#72)

claude-ceo-assistant referenced a pull request that will close this issue 2026-05-07 22:24:24 +00:00

ci: add AUTO_SYNC_TOKEN rotation drift canary (#72) #77

claude-ceo-assistant commented 2026-05-07 22:24:30 +00:00

Author

Owner

Copy Link

Implementation in PR #77 (fix/issue-72-auto-sync-token-canary-v2 → main). Phase 3 done; Phase 4 verification pending merge + manual trigger + mutation test.

Implementation in PR #77 (`fix/issue-72-auto-sync-token-canary-v2` → `main`). Phase 3 done; Phase 4 verification pending merge + manual trigger + mutation test.

claude-ceo-assistant referenced this issue from a commit 2026-05-07 22:26:24 +00:00

ci(canary): route curl -w to tempfile to satisfy status-capture lint

claude-ceo-assistant referenced this issue from a commit 2026-05-07 22:34:39 +00:00

ci(canary): rewrite Probe 3 to actually validate auth (NOP push --dry-run)

claude-ceo-assistant commented 2026-05-07 22:36:19 +00:00

Author

Owner

Copy Link

Phase 4 verification update

Local probe verification (since Gitea 1.22.6 doesn't expose REST workflow_dispatch)

Ran all three probes against live Gitea using a real token, then mutated each.

Probe 1 — GET /api/v1/user:

• Valid token: HTTP 200, username == claude-ceo-assistant (when run with my token; will be devops-engineer in production).
• Junk token: HTTP 401, error message: Token rotation suspected: GET /api/v1/user returned HTTP 401 ... Likely cause: AUTO_SYNC_TOKEN has been rotated/revoked on Gitea but the repo Actions secret was not updated. Runbook: see header comment of this workflow file.
• Wrong-persona token (valid claude-ceo-assistant token but EXPECTED_PERSONA=devops-engineer): HTTP 200, then persona check fails with: Token resolves to user 'claude-ceo-assistant', expected 'devops-engineer'. AUTO_SYNC_TOKEN must be the devops-engineer persona PAT (not founder PAT, not another persona).

Probe 2 — GET /api/v1/repos/molecule-ai/molecule-core: HTTP 200 with valid token (read scope confirmed).

Probe 3 — original git ls-remote refs/heads/staging: REJECTED on review. Discovered Gitea falls back to anonymous read on public repos, so ls-remote succeeded even with a junk token. False-green — the worst possible canary failure mode. Rewrote to use git push --dry-run of current staging SHA back to staging:

• Valid token: Everything up-to-date, exit 0.
• Junk token: fatal: Authentication failed for ..., exit 128. Error message: Token rotation suspected: git push --dry-run against staging failed via the AUTO_SYNC_TOKEN HTTPS auth path (exit 128). This is the EXACT auth path that actions/checkout + git push use in auto-sync-main-to-staging.yml. Likely cause: AUTO_SYNC_TOKEN was rotated/revoked on Gitea but the repo Actions secret was not updated.

Because git push requires a local repo, the workflow now does git init in a tempdir (~50ms, ~1KB) instead of actions/checkout (which would clone hundreds of MB).

CI status on PR #77

• 22/24 required checks: GREEN (after fix on 0cef033a)
• 1 known infra issue: pr-guards / disable-auto-merge-on-push — depends on molecule-ai/molecule-ci reusable workflow that appears to be unavailable on Gitea. Pre-existing org-wide; not introduced by this PR. Deferred.
• 1 currently pending: another CI cycle running on the latest commit e4e1bf40 (post-self-review comment update); will settle GREEN/22-of-23 (excluding pr-guards).

Hostile self-review weakest-3

1. First-6h dark window: schedule trigger doesn't fire until ~6h post-merge (cron at :17 every 6h). Workflow_dispatch lets an operator run a manual probe immediately after merge — will do as a final verification step. Not a code defect.
2. EXPECTED_PERSONA hardcode coupling: persona rename requires updating both auto-sync-main-to-staging.yml and this canary's env var. Addressed by adding an inline comment pointing the next editor at both files (commit e4e1bf40).
3. Probe 3 race window: theoretical — staging deleted between ls-remote and push --dry-run. --dry-run semantics specifically don't transmit, so even in the race no actual ref-create happens. And branch protection prevents staging deletion. Documented for completeness.

Outstanding follow-ups

None within scope. Possible future enhancements (out of scope for this issue):

• Slack/Discord webhook on RED instead of relying on operator polling Gitea actions feed
• Extend canary to validate the full v2 scope contract (write:repository, read:user, etc.) — currently only validates the read paths the canary itself uses

## Phase 4 verification update ### Local probe verification (since Gitea 1.22.6 doesn't expose REST workflow_dispatch) Ran all three probes against live Gitea using a real token, then mutated each. **Probe 1 — `GET /api/v1/user`**: - Valid token: HTTP 200, `username == claude-ceo-assistant` (when run with my token; will be `devops-engineer` in production). - Junk token: HTTP 401, error message: `Token rotation suspected: GET /api/v1/user returned HTTP 401 ... Likely cause: AUTO_SYNC_TOKEN has been rotated/revoked on Gitea but the repo Actions secret was not updated. Runbook: see header comment of this workflow file.` - Wrong-persona token (valid claude-ceo-assistant token but EXPECTED_PERSONA=devops-engineer): HTTP 200, then persona check fails with: `Token resolves to user 'claude-ceo-assistant', expected 'devops-engineer'. AUTO_SYNC_TOKEN must be the devops-engineer persona PAT (not founder PAT, not another persona).` **Probe 2 — `GET /api/v1/repos/molecule-ai/molecule-core`**: HTTP 200 with valid token (read scope confirmed). **Probe 3 — original `git ls-remote refs/heads/staging`**: REJECTED on review. Discovered Gitea falls back to anonymous read on public repos, so `ls-remote` succeeded even with a junk token. False-green — the worst possible canary failure mode. Rewrote to use `git push --dry-run` of current staging SHA back to staging: - Valid token: `Everything up-to-date`, exit 0. - Junk token: `fatal: Authentication failed for ...`, exit 128. Error message: `Token rotation suspected: git push --dry-run against staging failed via the AUTO_SYNC_TOKEN HTTPS auth path (exit 128). This is the EXACT auth path that actions/checkout + git push use in auto-sync-main-to-staging.yml. Likely cause: AUTO_SYNC_TOKEN was rotated/revoked on Gitea but the repo Actions secret was not updated.` Because `git push` requires a local repo, the workflow now does `git init` in a tempdir (~50ms, ~1KB) instead of `actions/checkout` (which would clone hundreds of MB). ### CI status on PR #77 - 22/24 required checks: GREEN (after fix on 0cef033a) - 1 known infra issue: `pr-guards / disable-auto-merge-on-push` — depends on `molecule-ai/molecule-ci` reusable workflow that appears to be unavailable on Gitea. Pre-existing org-wide; not introduced by this PR. Deferred. - 1 currently pending: another CI cycle running on the latest commit e4e1bf40 (post-self-review comment update); will settle GREEN/22-of-23 (excluding pr-guards). ### Hostile self-review weakest-3 1. **First-6h dark window**: schedule trigger doesn't fire until ~6h post-merge (cron at :17 every 6h). Workflow_dispatch lets an operator run a manual probe immediately after merge — will do as a final verification step. Not a code defect. 2. **EXPECTED_PERSONA hardcode coupling**: persona rename requires updating both `auto-sync-main-to-staging.yml` and this canary's env var. Addressed by adding an inline comment pointing the next editor at both files (commit e4e1bf40). 3. **Probe 3 race window**: theoretical — staging deleted between `ls-remote` and `push --dry-run`. `--dry-run` semantics specifically don't transmit, so even in the race no actual ref-create happens. And branch protection prevents staging deletion. Documented for completeness. ### Outstanding follow-ups None within scope. Possible future enhancements (out of scope for this issue): - Slack/Discord webhook on RED instead of relying on operator polling Gitea actions feed - Extend canary to validate the full v2 scope contract (`write:repository`, `read:user`, etc.) — currently only validates the read paths the canary itself uses

claude-ceo-assistant closed this issue 2026-05-07 23:45:25 +00:00

claude-ceo-assistant referenced this issue from a commit 2026-05-07 23:45:26 +00:00

ci(canary): synthetic-check cron for AUTO_SYNC_TOKEN rotation drift (#77)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/175-env-matched-pair-guard

fix/vitest-pool-worker-startup-timeouts

refactor/sop-tier-check-extract-script

fix/sop-tier-check-pr-target-security

ci/sop-tier-check-deploy

fix/issue53-admin-token-pair-guard

fix/org-import-started-event-name

refactor/delete-uses-cascade-helper

fix/org-import-reconcile-and-audit

fix/preserve-model-secret-on-restart

feat/persona-bind-mount-local-dev

feat/canary-tier-filter

feat/plugin-version-subscription

feat/plugin-hot-reload-classifier

feat/plugin-atomic-install

feat/air-hot-reload-dev

feat/persona-env-injection

fix/external-resolver-hardening

fix/issue75-class-D-gh-api-to-gitea-rest

fix/cherry-3-files-vitest-postgres-e2eapi

fix/promote-vitest-postgres-fixes

fix/saas-plugin-install-eic

fix/issue-94-e2e-api-parallel-safe-class-b

migrate/issue-71-vanity-imports

fix/handlers-postgres-port-collision-class-b

fix/issue-96-canvas-vitest-cold-start-timeout

fix/hermes-agent-doc-gitea-migration

fix/196-retarget-main-to-staging-gitea-rest

fix/gitea-ci-flakes-issue-88

fix/pin-upload-artifact-v3-gitea

fix/issue-72-auto-sync-token-canary-v2

fix/issue75-class-F-gh-run-list-to-statuses

fix/issue75-class-A-gh-pr-to-gitea-rest

feat/issue-63-local-build-from-gitea-v2

fix/195-auto-promote-staging-gitea-rest

fix/144-branch-protection-check-name-parity-audit

fix/harness-replays-pre-clone-manifest

chore/trigger-auto-sync-verification

fix/codeql-stub-on-gitea-156

chore/issue173-retrigger-after-ecr-repo-create

fix/issue173-inline-aws-ecr-login

fix/issue173-shell-docker-push

chore/retrigger-harness-replays-post-class-g

fix/issue173-buildx-driver-and-cache

fix/post-suspension-clone-manifest

fix/issue173-followup-platform-dockerfile

fix/post-suspension-github-urls

fix/170-goroutine-bleed-test-isolation

fix/issue173-publish-workspace-server-image

fix/issue36-a2a-proxy-preflight

fix/codeql-continue-on-error-156

feat/demo-mock-3-bigorg-mock-runtime

feat/demo-mock-1-purchase-success-modal

fix/publish-path-filter-add-scripts

fix/clone-manifest-gitea

chore/touch-publish-workflow-to-trigger

chore/retrigger-publish-post-aws-secrets

chore/cherry-pick-pr23-into-main

chore/backsync-main-into-staging-task-166

fix/auto-sync-use-devops-token

chore/retrigger-staging-on-fixed-runner-image

chore/drop-github-app-auth-and-ecr-swap

docs/readme-comprehensive-refresh-2026-05-06

feat/rfc-2945-pr-c-2-canvas-chat-history

fix/issue10-runtime-aware-plugin-install

fix/s8-bind-loopback-dev

fix/14-cascade-gitea-dispatch

docs/molecule-core-bulk-sed

chore/pin-artifact-actions-v3

fix/lowercase-org-slug

fix/script-ghcr-and-lint-paths

docs/workspace-runtime-readme-source-edit

feat/eic-tunnel-pool-core-11

chore/rfc-2945-pr-c-3-delete-historyhydration

fix/2872-sqlmock-regex-tightening

fix/cp-orphan-sweeper-2989

feat/registry-prefix-env-driven-issue-6

docs/readme-refresh-2026-05-06

runtime-v1.0.0

runtime-v0.0.35

runtime-v0.0.34

runtime-v0.0.33

runtime-v0.0.32

runtime-v0.0.31

runtime-v0.0.30

runtime-v0.0.29

runtime-v0.0.28

runtime-v0.0.27

runtime-v0.0.26

runtime-v0.0.25

runtime-v0.0.24

runtime-v0.0.23

runtime-v0.0.22

runtime-v0.0.21

runtime-v0.0.20

runtime-v0.0.19

runtime-v0.0.18

runtime-v0.0.17

runtime-v0.0.16

runtime-v0.0.15

runtime-v0.0.14

runtime-v0.0.13

runtime-v0.0.12

runtime-v0.0.11

runtime-v0.0.10

runtime-v0.0.9

runtime-v0.0.8

runtime-v0.0.7

runtime-v0.0.6

runtime-v0.0.5

runtime-v0.0.4

runtime-v0.0.3

runtime-v0.0.2

runtime-v0.0.1

ci-trigger-1776771586

ci-retry-1776771601

ci-retrigger-1776771591

Labels

Clear labels   

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

No Label

tier:high

tier:low

tier:medium

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#72

No description provided.