From 558e4fee4803c93ab688f259fb01e4225cda7899 Mon Sep 17 00:00:00 2001 From: claude-ceo-assistant Date: Fri, 8 May 2026 11:50:55 -0700 Subject: [PATCH 1/2] =?UTF-8?q?chore(ci):=20document=20#192=20root=20cause?= =?UTF-8?q?=20=E2=80=94=20workspace-template=20repos=20public=20per=20OSS-?= =?UTF-8?q?first?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 5 of 9 workspace-template repos (openclaw, codex, crewai, deepagents, gemini-cli) had been marked private with no team grant for AUTO_SYNC_TOKEN bearer (devops-engineer persona). Pre-clone manifest deps step 404'd on the first private repo encountered, failing every Harness Replays run. Resolution path taken: 1. Flipped the 5 to public per `feedback_oss_first_repo_visibility_default` — runtime/template/plugin repos default public; that's what makes them OSS surface. 2. Scoped existing `ci-readonly` org team to legitimately-internal repos only (compliance docs, RFCs-in-flight). Workspace templates removed from it. 3. Filed internal#102 RFC for Layer-3 (customer-owned + marketplace third-party private repos) — that's a different shape entirely; needs per-tenant credential-resolver, not org-team grants. This commit is a documentation-only touch on the workflow file to (a) record the root cause inline next to the existing pre-clone-fail narrative, (b) trigger a fresh Harness Replays run that should now pass the clone step. Closes #192. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/harness-replays.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/harness-replays.yml b/.github/workflows/harness-replays.yml index b53d0b3f..23681ff7 100644 --- a/.github/workflows/harness-replays.yml +++ b/.github/workflows/harness-replays.yml 
@@ -119,6 +119,17 @@ jobs: # symptom, different root cause: staging still has the in-image # clone path, hits the auth error directly). # + # 2026-05-08 sub-finding (#192): the clone step ALSO fails when + # any referenced workspace-template repo is private and the + # AUTO_SYNC_TOKEN bearer (devops-engineer persona) lacks read + # access. Root cause: 5 of 9 workspace-template repos + # (openclaw, codex, crewai, deepagents, gemini-cli) had been + # marked private with no team grant. Resolution: flipped them + # to public per `feedback_oss_first_repo_visibility_default` + # (the OSS surface should be public). Layer-3 (customer-private + + # marketplace third-party repos) tracked separately in + # internal#102. + # # Token shape matches publish-workspace-server-image.yml: AUTO_SYNC_TOKEN # is the devops-engineer persona PAT, NOT the founder PAT (per # `feedback_per_agent_gitea_identity_default`). clone-manifest.sh -- 2.45.2 From 15935143c8d20217fa3cbc818e1a6fca2a65cb77 Mon Sep 17 00:00:00 2001 
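Review bot: the list of five repos in this new comment (openclaw, codex, crewai, deepagents, gemini-cli) does not match the list the old clone-manifest.sh comment in the second patch gives for the private workspace-template-* repos (codex, crewai, deepagents, gemini-cli, langgraph); one of the two names openclaw where the other names langgraph, so please confirm which set was actually private and flipped, and fix whichever comment is wrong, since a reader debugging the next 404 will trust this narrative. Beyond that, a comment does not prevent a recurrence: the clone step still only surfaces a 404 when someone re-privatises a registered repo, so a short pre-flight step that checks each manifest entry is reachable anonymously and names the offending repo would turn this root-cause paragraph into an actionable failure message. Finally, the commit message for this patch records no content review before the visibility flip (the second patch does say "no creds in content" for the org-templates); it is worth stating the same for these five here, because making a repo public also publishes its full history.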
From: claude-ceo-assistant Date: Fri, 8 May 2026 11:58:09 -0700 Subject: [PATCH 2/2] chore(manifest): drop reno-stars + 5 org-templates flipped public; document OSS-surface contract MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow-up to the workspace-template visibility flip in 558e4fee. After flipping the 5 private workspace-templates public (#192 root cause), the harness-replays clone moved one step deeper to the org-templates list, where 6 of 7 were also private. Hongming-confirmed flip plan: - 5 of 6 (molecule-dev, free-beats-all, medo-smoke, molecule-worker-gemini, ux-ab-lab) — flipped public per `feedback_oss_first_repo_visibility_default`. These are unambiguously OSS-template-shape: generic README, no customer-shaped names, no creds in content. - 1 of 6 (reno-stars) — name itself is customer-shaped (would expose customer/tenant identity). Kept private; removed from manifest.json per Hongming. Will be handled at provision-time via the per-tenant credential resolver designed in internal#102 (Layer-3 RFC). Documents the OSS-surface contract in two places: - manifest.json _comment: every entry MUST be public; Layer-3 lives elsewhere - clone-manifest.sh comment block: rationale + the explicit ci-readonly team-grant escape hatch (review-gated, not default). Closes the second clone-fail layer of #192. Combined with 558e4fee + the workspace-template visibility flips, the Pre-clone manifest deps step should now succeed anonymously for the full registered set. Co-Authored-By: Claude Opus 4.7 (1M context) --- manifest.json | 3 +-- scripts/clone-manifest.sh | 31 ++++++++++++++----------------- 2 files changed, 15 insertions(+), 19 deletions(-) diff --git a/manifest.json b/manifest.json index e7b69ef7..2ac2f462 100644 --- a/manifest.json +++ b/manifest.json 
@@ -1,5 +1,5 @@ { - "_comment": "Pin refs to release tags for reproducible builds. 'main' is OK while all repos are internal.", + "_comment": "OSS surface registry — every repo listed here MUST be public on git.moleculesai.app. Layer-3 customer/private templates are NOT registered here; they are handled at provision-time via the per-tenant credential resolver (see internal#102 RFC). 'main' refs are pinned to tags before broad rollout.", "version": 1, "plugins": [ {"name": "browser-automation", "repo": "molecule-ai/molecule-ai-plugin-browser-automation", "ref": "main"}, @@ -40,7 +40,6 @@ {"name": "free-beats-all", "repo": "molecule-ai/molecule-ai-org-template-free-beats-all", "ref": "main"}, {"name": "medo-smoke", "repo": "molecule-ai/molecule-ai-org-template-medo-smoke", "ref": "main"}, {"name": "molecule-worker-gemini", "repo": "molecule-ai/molecule-ai-org-template-molecule-worker-gemini", "ref": "main"}, - {"name": "reno-stars", "repo": "molecule-ai/molecule-ai-org-template-reno-stars", "ref": "main"}, {"name": "ux-ab-lab", "repo": "molecule-ai/molecule-ai-org-template-ux-ab-lab", "ref": "main"}, {"name": "mock-bigorg", "repo": "molecule-ai/molecule-ai-org-template-mock-bigorg", "ref": "main"} ] diff --git a/scripts/clone-manifest.sh b/scripts/clone-manifest.sh index 3ad98580..4e9e5d99 100755 --- a/scripts/clone-manifest.sh +++ b/scripts/clone-manifest.sh 
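Review bot: the new _comment drops the old justification for mutable refs ("'main' is OK while all repos are internal") but every entry below still says `"ref": "main"`, and the replacement wording ("'main' refs are pinned to tags before broad rollout") describes intent, not the state of this file. Now that these repos are public and cloned anonymously, an unpinned branch is exactly the supply-chain shape the original comment was guarding against: the pre-clone step will build whatever is at the tip of each branch at run time, with no tag or commit to audit against. Either pin the refs in this change, or make the comment say plainly that they are still unpinned and why. Since "every repo listed here MUST be public" is a contract with no enforcement, consider a CI check that fails when an entry is not anonymously cloneable, so the contract cannot be broken silently. On the reno-stars removal in the second hunk: deleting the line keeps the name out of the current manifest, but it remains in this repository's history; if this repository is (or becomes) public, the customer-shaped name is still discoverable there, which is worth noting in the Layer-3 RFC.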
@@ -8,27 +8,24 @@ # Requires: git, jq (lighter than python3 — ~2MB vs ~50MB in Alpine) # # Auth (optional): -# When MOLECULE_GITEA_TOKEN is set, embed it as the basic-auth password so -# private Gitea repos clone successfully. When unset, clone anonymously -# (works only for repos that are public on git.moleculesai.app). +# Post-2026-05-08 (#192): every repo in manifest.json is public on +# git.moleculesai.app. Anonymous clone works for the entire registered +# set. The OSS-surface contract is recorded in manifest.json's _comment +# — Layer-3 customer/private templates (e.g. reno-stars) are NOT in the +# manifest; they are handled at provision-time via the per-tenant +# credential resolver (internal#102 RFC). # -# This is the path the publish-workspace-server-image.yml workflow uses: -# it injects AUTO_SYNC_TOKEN (devops-engineer persona PAT, repo:read on -# the molecule-ai org) so the in-CI pre-clone step succeeds for ALL -# manifest entries — including the 5 private workspace-template-* repos -# (codex, crewai, deepagents, gemini-cli, langgraph) and all 7 -# org-template-* repos. +# MOLECULE_GITEA_TOKEN is therefore optional today. Kept supported for +# two reasons: (a) historical CI configs that still inject +# AUTO_SYNC_TOKEN remain harmless, (b) reserved for the case where a +# private internal-only template is later registered via a ci-readonly +# team grant — review must explicitly sign off on that, since it +# violates the public-OSS-surface contract. # -# The token never enters the Docker image: this script runs in the -# trusted CI context BEFORE `docker buildx build`, populates +# The token (when set) never enters the Docker image: this script runs +# in the trusted CI context BEFORE `docker buildx build`, populates # .tenant-bundle-deps/, then `Dockerfile.tenant` COPYs from there with # the .git directories already stripped (see line ~67 below). 
-# -# For backward compatibility — and so a fresh clone works without -# secrets when (eventually) the workspace-template-* repos flip public — -# the unset path remains a plain anonymous HTTPS clone. That path will -# FAIL with "could not read Username" on private repos today; CI MUST -# set MOLECULE_GITEA_TOKEN. set -euo pipefail -- 2.45.2
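Review bot: the rewritten comment says keeping MOLECULE_GITEA_TOKEN support is "harmless" for CI configs that still inject AUTO_SYNC_TOKEN, but an unneeded credential in a job is a least-privilege regression rather than a no-op: the removed paragraph describes the token being embedded as the basic-auth password in the clone URL, so whenever it is set it lands in the working tree's remote config and in any verbose git output, and the only thing keeping it out of the image is the `.git` stripping referenced by "see line ~67 below" (a drifting line reference; point at a named step or marker instead). Since the comment now states that anonymous clone works for the whole registered set, the cleaner follow-up is to remove AUTO_SYNC_TOKEN from harness-replays entirely and have this script print a visible warning when the token is set, so the "review-gated, not default" escape hatch is actually noticeable in review rather than silent. Also, dropping the old "will FAIL with 'could not read Username'" sentence removes the one concrete symptom a developer would search for when a private repo sneaks back into the manifest; keep that failure-mode hint under the new contract wording.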