molecule-ai/molecule-core
41
0
Fork 2
Code Issues 103 Pull Requests 140 Actions 191 Packages Projects Releases Wiki Activity

fix(workspace-server): inject /configs token files agent-owned, not root (P0 list_peers 401) #1327

Merged
devops-engineer merged 3 commits from fix/workspace-token-injection-agent-owned into main 2026-05-16 12:52:12 +00:00
Conversation 18 Commits 3 Files Changed 3 +161 -10

3 Commits

Author SHA1 Message Date
devops-engineer
8179ff77e9 Merge branch 'main' into fix/workspace-token-injection-agent-owned
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 16s
Details
CI / Detect changes (pull_request) Successful in 27s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 43s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 58s
Details
E2E Chat / detect-changes (pull_request) Successful in 59s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m0s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 24s
Details
Harness Replays / detect-changes (pull_request) Successful in 26s
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 1m8s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 24s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 29s
Details
qa-review / approved (pull_request) Failing after 27s
Details
gate-check-v3 / gate-check (pull_request) Successful in 39s
Details
security-review / approved (pull_request) Failing after 27s
Details
sop-checklist / all-items-acked (pull_request) Successful in 19s
Details
sop-tier-check / tier-check (pull_request) Successful in 22s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 11s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m39s
Details
Harness Replays / Harness Replays (pull_request) Successful in 10s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 18s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m9s
Details
CI / Python Lint & Test (pull_request) Successful in 7m58s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 6m41s
Details
E2E Chat / E2E Chat (pull_request) Failing after 8m24s
Details
CI / Platform (Go) (pull_request) Successful in 16m7s
Details
CI / Canvas (Next.js) (pull_request) Successful in 16m52s
Details
CI / all-required (pull_request) Successful in 30m58s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
audit-force-merge / audit (pull_request) Successful in 14s
Details
2026-05-16 12:05:32 +00:00
Molecule AI Infra-Runtime-BE
6188c6ddf3 fix(org_helpers): correct duplicate phrase in loadWorkspaceEnv comment
Some checks failed
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 37s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 23s
Details
Harness Replays / detect-changes (pull_request) Successful in 22s
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 1m0s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 24s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m32s
Details
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m59s
Details
lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Successful in 2m23s
Details
publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped
Details
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 2m16s
Details
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m58s
Details
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 3m23s
Details
publish-runtime-autobump / pr-validate (pull_request) Successful in 1m0s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 38s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 25s
Details
CI / Python Lint & Test (pull_request) Successful in 7m22s
Details
qa-review / approved (pull_request) Failing after 31s
Details
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m26s
Details
sop-checklist / all-items-acked (pull_request) Successful in 26s
Details
security-review / approved (pull_request) Failing after 34s
Details
sop-tier-check / tier-check (pull_request) Successful in 32s
Details
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Failing after 1m30s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6m56s
Details
CI / Canvas (Next.js) (pull_request) Successful in 19m13s
Details
CI / Canvas Deploy Reminder (pull_request) Successful in 12s
Details
CI / Platform (Go) (pull_request) Successful in 20m10s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 8m2s
Details
CI / all-required (pull_request) Successful in 20m5s
Details
Harness Replays / Harness Replays (pull_request) Has been cancelled
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Has been cancelled
Details 
The comment had the phrase "the workspace-specific .env" duplicated.
Removed the redundant repetition.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-16 10:27:13 +00:00
core-be
f986444dbd fix(workspace-server): inject /configs token files agent-owned, not root
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Failing after 0s
Details
CI / Platform (Go) (pull_request) Failing after 0s
Details
CI / Detect changes (pull_request) Failing after 0s
Details
CI / Shellcheck (E2E scripts) (pull_request) Failing after 0s
Details
CI / Python Lint & Test (pull_request) Failing after 0s
Details
CI / all-required (pull_request) Failing after 1s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
E2E API Smoke Test / detect-changes (pull_request) Failing after 0s
Details
CI / Canvas (Next.js) (pull_request) Failing after 1s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Failing after 1s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Has been skipped
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Has been skipped
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Failing after 0s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped
Details
Handlers Postgres Integration / detect-changes (pull_request) Failing after 0s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Has been skipped
Details
Harness Replays / detect-changes (pull_request) Failing after 0s
Details
Harness Replays / Harness Replays (pull_request) Has been skipped
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Failing after 0s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Failing after 0s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Has been skipped
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Failing after 0s
Details
qa-review / approved (pull_request) Failing after 0s
Details
security-review / approved (pull_request) Failing after 0s
Details
gate-check-v3 / gate-check (pull_request) Failing after 21s
Details
sop-tier-check / tier-check (pull_request) Successful in 21s
Details
lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Successful in 1m21s
Details
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details 
The fleet-wide list_peers 401 (Hermes et al): two workspace-server
token-injection paths wrote /configs/.auth_token (and
/configs/.platform_inbound_secret) as root:root 0600 AFTER the template
entrypoint's `chown -R agent:agent /configs` ran. The a2a_mcp_server runs
as the agent uid (1000, via `gosu agent`), so platform_auth.get_token()
hit `[Errno 13] Permission denied` → empty bearer → platform 401 on
/registry/{id}/peers (the literal tool_list_peers path).

PR#23 fixed only the entrypoint dir chown (first boot); it cannot reach
the post-entrypoint root re-injection. This covers both injection paths:

1. WriteAuthTokenToVolume (#1877, pre-start): the throwaway alpine
   container ran chmod 0600 but never chowned — alpine runs as root, so
   the file stayed root:root. Now `chown 1000:1000 /vol/.auth_token`
   (0600 preserved).
2. WriteFilesToContainer (#418, post-start re-injection): the tar headers
   left Uid/Gid unset → CopyToContainer extracted root:root. Now every
   tar entry is stamped Uid/Gid = agent. This path (re)writes BOTH
   .auth_token and .platform_inbound_secret, so both are fixed.

uid 1000:1000 verified from the templates (claude-code-default + hermes
Dockerfile `useradd -u 1000 ... agent`, entrypoint `gosu agent`), exposed
as AgentUID/AgentGID constants. Tar-build and alpine-cmd extracted into
pure helpers (mirrors buildTemplateTar) so the ownership contract is
unit-tested without a live Docker daemon; the test fails on pre-fix
root:root and passes post-fix (real tar / real command, not a mock).

PR#23's entrypoint chown is unchanged (still correct for the dir +
first boot). No feature flag, no backwards-compat shim.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-16 02:19:11 -07:00