feat(canvas): add lib unit tests for design-tokens, palette-context, theme-provider #1466
Open
fullstack-engineer
wants to merge 481 commits from
feat/canvas-lib-tests into staging
pull from: feat/canvas-lib-tests
merge into: molecule-ai:staging
molecule-ai:main
molecule-ai:fix/2500-register-boot-logging
molecule-ai:fix/heartbeat-promote-provisioning-to-online
molecule-ai:fix/gate-check-v3-timeout
molecule-ai:fix/2490-add-volumeRemove-assertion
molecule-ai:fix/core-2508-install-platform-agent-hardening
molecule-ai:fix/lint-setup-go-cache-flip-hard-gate
molecule-ai:fix/platform-agent-install-runtime-on-conflict
molecule-ai:fix/2490-rebased
molecule-ai:ci/guard-setup-go-cache
molecule-ai:fix/core-2525-self-approval-authz-gap
molecule-ai:fix/sev-2500-status-transition
molecule-ai:test/2490-migrate-failed-copy-regression
molecule-ai:fix/core-2490-bootstrapfailed-rescue-race
molecule-ai:fix/core-2528-compile
molecule-ai:fix/merge-queue-silent-base-skip
molecule-ai:fix/sev-2499-status-transition-followup
molecule-ai:fix/ops-scripts-snapshot-frozen-ts-2550
molecule-ai:feat/canvas-chat-queue-and-child-lock
molecule-ai:fix/KI-013-migrate-legacy-names
molecule-ai:feat/2489-ssot-compute-metadata
molecule-ai:fix/setup-go-cache-vs-bind-mount
molecule-ai:fix/sev-2499-ssot-volume-names
molecule-ai:fix/review-check-tests-jq-fail-closed
molecule-ai:feat/2507-kind-wire-contract-truth-up
molecule-ai:fix/sev-2499-shared-volume-name-helper
molecule-ai:fix/sev-2499-enhanced-drift-guard
molecule-ai:fix/core-2517-memory-write-fk-integration-test
molecule-ai:harden/e2e-ki013-drift-guard
molecule-ai:ci/guard-no-coe-on-required
molecule-ai:feat/agent-liveness-a2-stall-watchdog
molecule-ai:fix/agent-stale-window-and-heartbeat
molecule-ai:test/backward-compat-migrate-unit-tests
molecule-ai:fix/core-2509-org-switcher
molecule-ai:fix/add-missing-provisioner-unit-tests
molecule-ai:docs/rfc-agent-liveness
molecule-ai:feat/unified-requests-inbox-p3-canvas
molecule-ai:feat/unified-requests-inbox-p4-nudge
molecule-ai:fix/concierge-mcp-declaration
molecule-ai:feat/unified-requests-inbox-p1
molecule-ai:feat/envelope-bounce-animation
molecule-ai:feat/support-claude-fable-5
molecule-ai:fix/memories-http-upsert-namespace
molecule-ai:fix/chat-timeout-not-unreachable
molecule-ai:feat/2502-consume-conductor-snapshot
molecule-ai:ci/publish-image-registry-layer-cache
molecule-ai:test/backward-compat-migrate-unit-tests-v2
molecule-ai:fix/concierge-home-chat-follows-selection
molecule-ai:fix/sev-2499-e2e-ki013-full-id-names
molecule-ai:feat/cp-provision-forward-kind
molecule-ai:feat/canvas-org-switcher
molecule-ai:fix/ssot-consolidate-compute-options
molecule-ai:fix/KI-013-provisioner-uuid-truncation
molecule-ai:fix/add-missing-scheduler-unit-tests
molecule-ai:pr2485-merge-test
molecule-ai:fix/add-missing-middleware-unit-tests
molecule-ai:fix/deploy-straggler-tolerance
molecule-ai:fix/e2e-chat-testcontainer-leak
molecule-ai:fix/audit-force-merge-stale-contexts
molecule-ai:fix/sop-checklist-author-self-ack
molecule-ai:fix/remove-dead-code-QueueDepth
molecule-ai:fix/1093-adapter-py-test-margin
molecule-ai:fix/local-provision-e2e-ipv4-hardcode
molecule-ai:fix/main-red-e2e-act-runner-docker-detect
molecule-ai:staging
molecule-ai:test/2148-registry-auth-real-postgres-v2
molecule-ai:fix/all-required-aggregate-fail-closed
molecule-ai:fix/envelope-anchor-dot-and-scale
molecule-ai:test/2148-registry-auth-real-postgres
molecule-ai:fix/main-red-e2e-ssrf-publish-retry
molecule-ai:fix/status-reader-paginate-to-exhaustion
molecule-ai:feat/in-place-provider-switch
molecule-ai:test/2391-hydrate-inflight-turn-status
molecule-ai:fix/2450-local-provision-dynamic-port
molecule-ai:refile/2155-migration-replay-from-scratch
molecule-ai:fix/2448-ops-scripts-fail-closed-zero-tests
molecule-ai:fix/handlers-pg-required-tables-widen
molecule-ai:fix/ci-fail-on-zero-tests-collected
molecule-ai:fix/2421-heartbeat-backfill-agent-card
molecule-ai:fix/scheduler-enqueue-cron-on-busy
molecule-ai:fix/sev1-812-approval-validator
molecule-ai:fix/2442-chat-desktop-enter-map-view
molecule-ai:feat/a2a-message-flight-envelope
molecule-ai:fix/e2e-chat-desktop-concierge-reskin-selector
molecule-ai:fix/concierge-role-truncate
molecule-ai:fix/2429-case-fold-trailing-dot-tunnel-hostname
molecule-ai:fix/provider-on-isrunning-status
molecule-ai:feat/canvas-concierge-ui
molecule-ai:feat/ws-switch-provider-endpoint
molecule-ai:fix/platform-tunnel-hostname-normalize
molecule-ai:fix/validate-agent-url-pending-tunnel
molecule-ai:fix/2248-canvas-platform-managed-credential-gating
molecule-ai:fix/memories-commit-error-server-log
molecule-ai:fix/gate-context-target-suffix
molecule-ai:feat/ws-compute-provider-validation
molecule-ai:fix/2396-sop-auto-tier-and-trigger
molecule-ai:fix/1306-gitea-label-singular
molecule-ai:remove/data-residency-banner
molecule-ai:fix/2392-stop-by-instance-id-on-persist-fail
molecule-ai:harden/merge-control-required-checks-json
molecule-ai:fix/2396-sop-auto-tier-qa-security-auto-trigger
molecule-ai:fix/2398-enrich-commit-memory-log
molecule-ai:fix/ec2-orphan-instance-id-persist-failure
molecule-ai:fix/merge-control-script-hardening
molecule-ai:fix/provider-derivation-fail-closed
molecule-ai:fix/restart-sync-update-status-guard
molecule-ai:fix/restart-guard-removed-workspace
molecule-ai:fix/fail-open-status-persist-trio
molecule-ai:fix/2248-suppress-platform-managed-credentials
molecule-ai:fix/2386-send-provider-on-deprovision
molecule-ai:fix/delegate-task-async-sender-pushback-2244
molecule-ai:fix/2331-sop-ceremony-required-checks
molecule-ai:feat/platform-agent-gate-wiring
molecule-ai:fix/umbrella-reaper-1780
molecule-ai:fix/block-internal-paths-hard-gate
molecule-ai:fix/backends-md-drift-risk-6-stale
molecule-ai:cp455-minimal-cell-boot-e2e-stage1
molecule-ai:fix/chat-seed-admin-auth
molecule-ai:fix/goroutine-panic-recovery
molecule-ai:fix/1080-org-helpers-typo-main
molecule-ai:fix/canvas-e2e-transient-failed-2632
molecule-ai:fix/admin-images-codex-and-std-encoding
molecule-ai:fix/render-status-body-state
molecule-ai:fix/memory-section-marker
molecule-ai:test-1675-canvas-user-activity-log-regression
molecule-ai:design/secrets-accessibility-fix
molecule-ai:test/canvas/Toolbar-a11y
molecule-ai:fix/channels-matchesChatID-tests
molecule-ai:fix/workspace-server-healthcheck
molecule-ai:fix/ci-org-helpers-demorgan
molecule-ai:test/delegate-record-db-errors
molecule-ai:infra-sre/fix-platform-go-test
molecule-ai:fix/ci-drift-pagination
molecule-ai:fix/merge-queue-direct-merge-no-update-churn
molecule-ai:fix/stdio-clean
molecule-ai:feat/platform-agent-install
molecule-ai:fix/audit-force-merge-curl-fail-closed
molecule-ai:fix/fail-closed-hardening-trio
molecule-ai:feat/platform-agent-kind
molecule-ai:docs/mark-drift-risk-6-resolved
molecule-ai:feat/byok-create-gate-and-liveness
molecule-ai:feat/workspace-provider-field
molecule-ai:fix/main-red-2308-lint-trackers-fast
molecule-ai:fix/status-reaper-observability
molecule-ai:fix/internal-805-sweep-cf-cloudflare-fallback-clean
molecule-ai:feat/platform-agent-approval-gate
molecule-ai:fix/lint-pre-flip-fail-closed-clean
molecule-ai:fix/main-red-2305-lint-and-e2e-platform-managed
molecule-ai:fix/sop-checklist-hold
molecule-ai:fix/main-red-e2e-chat-auth-token
molecule-ai:fix/internal-802-bp-directive-comments
molecule-ai:fix/reconciler-debounce-coupling-2284
molecule-ai:fix/main-red-canvas-e2e-tablist-strict-mode
molecule-ai:fix/canvas-pause-resume-cascade-param-2122-followup
molecule-ai:fix/2251-delegate-task-message-role-contract-test
molecule-ai:fix/internal-797-postgres-integration-runner-label
molecule-ai:fix/817-canvas-deploy-reminder-per-step-gate
molecule-ai:fix/2139-sop-tier-check-real-qa-security-teams
molecule-ai:fix/sop-checklist-hold-volume-skip
molecule-ai:fix/lint-pre-flip-fail-closed
molecule-ai:feat/2185-manifest-entry-existence-check
molecule-ai:feat/2151-chunk2-integration-tests
molecule-ai:cr2/sec-c-2130-transcript-ssrf
molecule-ai:fix/status-reaper-pagination-observability
molecule-ai:fix/http-client-timeout-panic-recovery-main
molecule-ai:fix/pause-resume-cascade-opt-in-1991
molecule-ai:fix/plugin-uninstall-exec-errors
molecule-ai:fix/gitea-merge-queue-pagination
molecule-ai:fix/review-check-remove-generic-comment-bypass
molecule-ai:fix/sop-tier-remove-fail-open-dead-code
molecule-ai:fix/sop-tier-check-remove-fail-open-core
molecule-ai:feat/merge-queue-auto-discovery
molecule-ai:rfc/platform-agent
molecule-ai:test/flip-probe-governance-gates-2331
molecule-ai:fix/block-internal-paths-fail-open
molecule-ai:test/governance-gate-flip-probe-2331
molecule-ai:fix/merge-queue-hold-on-409-conflict-update
molecule-ai:fix/e2e-smoke-diagnose-detail-767
molecule-ai:fix/sop-checklist-emdash-slug-parse
molecule-ai:fix/2352-merge-queue-409-hold
molecule-ai:fix/merge-queue-autonomous-genuine-approvals
molecule-ai:researcher-gate-probe-1780730963
molecule-ai:fix/578-google-adk-image-refresh-allowlist
molecule-ai:e2e/data-persistence-recreate-2332
molecule-ai:fix/channels-unmarshal-fallback-invalid-json
molecule-ai:feat/workspace-provider-routing
molecule-ai:fix/google-adk-model-registration-coremirror
molecule-ai:fix/renew-lint-coe-tracker-837-clean
molecule-ai:fix/renew-lint-coe-tracker-837
molecule-ai:test/channels-dataprune-e2e-p110
molecule-ai:core2332-p110-workspace-lifecycle-staginge2e
molecule-ai:chore/providers-gen-docker-target
molecule-ai:feat/core-2332-display-reconnect-renewal-e2e
molecule-ai:cr2/google-adk-e2e-coverage
molecule-ai:fix/vertex-ssot-registry-drift
molecule-ai:fix/port-cp544-fail-closed
molecule-ai:fix/sop-tier-authz-no-org-fallback
molecule-ai:fix/core-ci-fail-closed
molecule-ai:docs/sop-fail-closed-ci
molecule-ai:fix/restore-seo-adk-templates-manifest-auth
molecule-ai:rfc/byok-fail-closed-billing
molecule-ai:fix/forensic145-preserve-workspace-scm-token
molecule-ai:fix/ci-coe-trackers-e2e-chat-staging-external
molecule-ai:fix/e2e-reconciler-platform-model-and-boot-error
molecule-ai:fix/e2e-saas-step9-hma-surface
molecule-ai:fix/e2e-staging-byok-opt-in-before-vendor-key
molecule-ai:fix/e2e-saas-model-slug-bare
molecule-ai:fix/e2e-claude-code-minimax-bare-slug
molecule-ai:fix/e2e-tenant-call-surface-body
molecule-ai:fix/main-red-peer-visibility-platform-managed-secrets
molecule-ai:fix/main-red-minimax-model-slug
molecule-ai:fix/sop-tier-check-and-token-parse
molecule-ai:harden/staging-saas-all-runtimes
molecule-ai:harden/no-fail-open-auth
molecule-ai:fix/main-red-lint-continue-on-error-2294
molecule-ai:harden/keyless-feature-e2e-coverage
molecule-ai:harden/derive-provider-matrix-e2e
molecule-ai:harden/enforce-ci-gates-core-v2
molecule-ai:fix/cascade-true-callers-ahead-of-2122
molecule-ai:fix/2151-chunk1-activity-delegation-a2a-integration-tests
molecule-ai:harden/sop-tier-check-remove-expired-coe
molecule-ai:fix/2255-e2e-smoke-poll-parser-kind-discriminator
molecule-ai:fix/a2a-2251-go-role-default
molecule-ai:fix/2140-sop-tier-refire-real-exit-code
molecule-ai:harden/regression-coverage-v2
molecule-ai:fix/521-claude-code-colon-form-overclaim
molecule-ai:fix/core2261-reconciler-toctou-degraded-hardening
molecule-ai:fix/core2261-providers-byte-sync-cp521
molecule-ai:fix/core2261-e2e-instanceid-tag-fallback
molecule-ai:fix/core2261-reconciler-e2e-create
molecule-ai:fix/cascade-canvas-callers
molecule-ai:harden/e2e-staging-saas-failclosed
molecule-ai:harden/e2e-staging-external-chat-failclosed
molecule-ai:harden/e2e-staging-canvas-deflake
molecule-ai:feat/umbrella-reaper
molecule-ai:feat/2261-gap1-takecontrol-e2e
molecule-ai:fix/1997-canary-minimax-m2.7
molecule-ai:fix/2263-staging-canary-namespaced-model
molecule-ai:fix/security-review-owners-na-eligibility
molecule-ai:feat/core2261-reconciler-live-e2e
molecule-ai:feat/core2261-takecontrol-wsproxy-test
molecule-ai:feat/security-review-owners-na-eligibility
molecule-ai:feat/core2261-instance-state-reconciler
molecule-ai:fix/cp529-enforcer-test-unbreak-main
molecule-ai:feat/cp529-byok-vendor-providers
molecule-ai:fix/activity-feed-stable-ordering
molecule-ai:fix/2245-platform-managed-provider-credential-gate
molecule-ai:fix/2245-platform-managed-no-cred
molecule-ai:harden/contract-tests-core
molecule-ai:feat/cp529-byok-routability-enforcer
molecule-ai:feat/core2235-canvas-buildinfo
molecule-ai:fix/2235-canvas-buildinfo-docker-sha
molecule-ai:review/pr3029-pr3033-local
molecule-ai:feat/traces-v1-workspace-secrets-2976
molecule-ai:fix/816-sop-tier-check-stale-reviews
molecule-ai:fix/818-sop-checklist-na-declarations-terminal-success
molecule-ai:fix/core2226-canvas-ordered-deploy
molecule-ai:fix/2222-a2a-delegate-task-attachments
molecule-ai:chore/cp514-byte-sync-drop-vertex-arm
molecule-ai:fix/2205-e2e-api-health-wait-migration-gate
molecule-ai:fix/core2225-staging-canvas-e2e-fixture
molecule-ai:fix/2225-e2e-canvas-stale-hermes-model
molecule-ai:fix/2185-bp-directive-window
molecule-ai:fix/2192-manifest-repo-existence-check-v2
molecule-ai:fix/desktop-takecontrol-reconnect-renewal
molecule-ai:fix/2212-peer-visibility-missing-model
molecule-ai:fix/2172-provider-validation-setmodel
molecule-ai:fix/2192-manifest-repo-existence-check
molecule-ai:fix/prod-deploy-verify-tenant-lag-2213
molecule-ai:fix/2204-liveness-probe-max-tokens
molecule-ai:fix/internal-805-cf-auth-drift
molecule-ai:fix/internal-804-parser-json-variant
molecule-ai:fix/peer-visibility-test-model-required-2212
molecule-ai:fix/77-bp-directive-4-emitters
molecule-ai:fix/e2e-api-health-wait-migration-chain
molecule-ai:devops/saas-a2a-empty-completion-diagnostic
molecule-ai:fix/e2e-staging-canvas-tabs-red
molecule-ai:fix/e2e-chat-readiness-curl-tempfile-2198
molecule-ai:test/provider-matrix-boot-regression-moonshot
molecule-ai:sre/fix-auto-deploy-writable-home-2193
molecule-ai:fix/e2e-chat-mobile-history-reload-flake
molecule-ai:fix/deploy-production-superseded-false-stale
molecule-ai:fix/manifest-rm-deleted-org-templates
molecule-ai:fix/2158-auto-sync-token-hard-fail
molecule-ai:fix/create-dialog-registry-provider-catalog
molecule-ai:fix/ensure-default-config-stamp-derived-provider
molecule-ai:fix/2183-remove-missing-free-beats-all
molecule-ai:feat/google-adk-platform-provider-mirror-ssot
molecule-ai:fix/core-2176-a2a-full-body-guard
molecule-ai:fix/publish-latest-tag-platform-tenant
molecule-ai:feat/2172-config-save-provider-validation
molecule-ai:feat/handler-admin-test-token
molecule-ai:feat/plugins-listing-and-sources-coverage
molecule-ai:feat-handler-admin-test-token
molecule-ai:test/2175-a2a-full-body-delivery-guard
molecule-ai:regression/2149-scheduler-real-pg
molecule-ai:fix/internal-760-review-event-trigger
molecule-ai:fix/2166-blocker2-integration-fail-open
molecule-ai:dev-b/sec-c-2132-reorder
molecule-ai:fix/2163-cr2-live-fire-freshness
molecule-ai:fix/test-async-cleanup-order
molecule-ai:fix/shellcheck-arm64-pilot-main-red-2146
molecule-ai:docs/2159-pr-head-workflow-selection
molecule-ai:fix/2152-unmask-real-infra-gates
molecule-ai:cherry-pick-2167-suspenders-to-main
molecule-ai:fix/2159-qa-security-auto-trigger-review-state-guard
molecule-ai:cp/469-tenant-proxy-env-delivery
molecule-ai:fix/2162-platform-managed-fail-closed-missing-proxy
molecule-ai:docs-test/gate-auto-fire-livefire-2159
molecule-ai:fix/gate-followup-refire-token-direct-trigger-regression
molecule-ai:regression/2150-migration-replay-from-scratch-real-pg
molecule-ai:ci/unmask-required-real-infra-gates-mc1982
molecule-ai:fix/internal-760-qa-security-pr-review-trigger
molecule-ai:fix/internal-760-ceremony-ai-sop-ack
molecule-ai:runtime/lazy-workspace-id
molecule-ai:fix/2134-chat-files-forward-ssrf-2316
molecule-ai:feat/rfc742-rescue-read
molecule-ai:fix/2131-patch-abilities-atomic
molecule-ai:cr2/sec-d-2316-chat-files-ssrf
molecule-ai:cr2/sec-a-2029-traces-ssrf
molecule-ai:fix/continue-on-error-triage-2113
molecule-ai:feat/rescue-rebase-2019-v2
molecule-ai:feat/rfc742-rescue-capture
molecule-ai:test/handlers-misc-coverage
molecule-ai:fix/errcheck-unchecked-errors-main
molecule-ai:fix/broadcast-org-root-test-cleanup
molecule-ai:fix/broadcast-itest-cleanup-hygiene-2108
molecule-ai:fix/log-execasroot-errors-plugin-cleanup-main
molecule-ai:fix/http-client-timeouts-panic-recovery-error-checks-main
molecule-ai:fix/panic-recovery-goroutines-channels-handlers-scheduler-main
molecule-ai:fix/canvas-e2e-transient-failed-2632-main
molecule-ai:fix/backends-md-drift-risk-6-stale-main
molecule-ai:fix/ci-required-drift-1739
molecule-ai:fix/audit-force-merge-branch-aware
molecule-ai:test/org-scope-abilities-coverage-clean
molecule-ai:fix/renew-coe-tracker-mc774-clean-20260601
molecule-ai:fix/registry-root-sibling-leak-1955
molecule-ai:fix/registry-cancommunicate-cross-tenant-roots-1955
molecule-ai:fix/broadcast-itest-status-enum-online
molecule-ai:fix/rows-affected-core
molecule-ai:fix/broadcast-org-root-cte
molecule-ai:fix/broadcast-org-root-cte-1959
molecule-ai:sync/providers-serving-urls
molecule-ai:fix/staging-test-hermetic-env
molecule-ai:fix/restart-context-defer-rows-close
molecule-ai:fix/channels-rows-err-check
molecule-ai:fix/ci-lint-suppression-1062
molecule-ai:fix/defer-rows-close-audit
molecule-ai:fix/delegation-rows-err-check
molecule-ai:fix/errcheck-unchecked-errors-1062
molecule-ai:fix/execcontext-err-check-high-impact
molecule-ai:fix/execcontext-err-check-sweep2
molecule-ai:fix/execcontext-error-audit
molecule-ai:fix/http-defaultclient-auth-paths
molecule-ai:fix/registry-rows-err-check
molecule-ai:fix/secrets-scan-error-restart
molecule-ai:fix/workspace-restart-rows-err
molecule-ai:pr-3033
molecule-ai:fix/restart-context-rows-err
molecule-ai:fix/discovery-rows-err-check
molecule-ai:fix/broadcast-org-root-cte-1959-staging
molecule-ai:fix/rowserr-checks-events-channels-manager
molecule-ai:fix/rowserr-memory-schedules-audit
molecule-ai:fix/channels-duplicate-encrypt
molecule-ai:fix/audit-rows-err-check
molecule-ai:feat/minimax-m3-sync
molecule-ai:fix/missing-rows-err-llm-billing-mode
molecule-ai:fix/ci-scheduler-fanout
molecule-ai:feat/openapi-management-spec
molecule-ai:pr2056
molecule-ai:fix/channels-memory-rows-err-check
molecule-ai:fix/traces-error-handling
molecule-ai:fix/codeql-sarif-export
molecule-ai:fix/instructions-rows-err-check
molecule-ai:fix/providers-ssot-sync-codex-subscription
molecule-ai:fix/github-token-fallback-timeout-1101
molecule-ai:fix/codex-central-refresher
molecule-ai:feat/google-adk-runtime-ssot
molecule-ai:worktree-agent-aa572c7374a57f03a
molecule-ai:fix/sync-providers-yaml-openai-split-20260531
molecule-ai:feat/workspace-data-persistence
molecule-ai:e2e/google-adk-ci-wiring
molecule-ai:feat/register-google-adk-runtime
molecule-ai:feat/mc-multiperiod-workspace-budget
molecule-ai:feat/schedule-orphan-monitor-cleaner
molecule-ai:fix/schedule-migration-on-recreate
molecule-ai:fix/google-adk-runtime-doc-accuracy
molecule-ai:fix/setglobal-drop-retired-org-billing-guard
molecule-ai:fix/internal-728-provider-matched-cred-injection
molecule-ai:fix/internal-724-prod-auto-deploy-straggler-surfacing
molecule-ai:fix/1994-provision-billing-model-passthrough
molecule-ai:fix/renew-coe-tracker-1982
molecule-ai:test/a2a-queue-status-depth-coverage
molecule-ai:fix/broadcast-cte-non-root-sender-1959
molecule-ai:feat/internal-718-p3b-canvas-consume-registry
molecule-ai:test/patch-abilities-coverage-1312
molecule-ai:feat/internal-718-p4-followup-llm-provider-removal
molecule-ai:fix/cancel-in-progress-flip-1357
molecule-ai:feat/internal-718-p4-pr2-hard-reject-unregistered
molecule-ai:feat/internal-718-p4-pr1-reconcile-colon-vocab-sync
molecule-ai:fix/mcp-tools-slim-residue
molecule-ai:feat/internal-718-p3a-templates-from-registry
molecule-ai:feat/internal-718-p2a-registry-codegen-distribution
molecule-ai:feat/internal-718-p2b-billing-derives-from-provider
molecule-ai:refactor/drop-org-tier-llm-billing-mode
molecule-ai:fix/suppression-rationales-1769
molecule-ai:pr1930
molecule-ai:eng-b/rebase-1952
molecule-ai:fix/ssot-provider-selection-billing-mode-711-713
molecule-ai:fix/1769-suppression-rationales
molecule-ai:fix/byok-global-llm-cred-leak-internal-711
molecule-ai:fix/workspace-broadcast-cte-1959
molecule-ai:fix/1953-scope-peer-discovery-a2a-to-org
molecule-ai:fix/cancel-in-progress-low-risk-9
molecule-ai:fix/cross-tenant-isolation-1953
molecule-ai:fix/python-open-encoding
molecule-ai:fix-1644-workspace-create-returns-auth-token
molecule-ai:fix/1837-docs-stale-monorepo-ref
molecule-ai:fix/review-check-all-403-diagnostic
molecule-ai:fix/audit-force-merge-staging-drift-1739
molecule-ai:fix/nil-safe-scans-validation-hardening
molecule-ai:fix/delegate-async-return-after-marshal-fail
molecule-ai:fix/canvas-user-verified-session-1673
molecule-ai:fix/canvas-chat-poll-mode-1673
molecule-ai:fix/mcp-tools-marshal-error-return
molecule-ai:fix/ci-remove-race-from-blocking-gate-1184
molecule-ai:fix/watchdog-close-stale-contexts-on-red
molecule-ai:fix/time-after-single-retry-delegation
molecule-ai:fix/time-after-goroutine-leaks
molecule-ai:fix/json-marshal-log-continue-2nd-pass
molecule-ai:fix/cp329-retire-config-files-userdata-cap
molecule-ai:fix/703-provider-billing-mode-ui
molecule-ai:fix/internal-703-byok-billing-mode-env
molecule-ai:eng-b-test-1779917746
molecule-ai:fix/workspace-ec2-leak-delete-retry
molecule-ai:fix/ci-arm64-tracker
molecule-ai:fix/1669-syntax-error
molecule-ai:fix/docs-monorepo-refs
molecule-ai:refactor/drop-org-tier-llm-billing-mode-canvas
molecule-ai:fix/publish-buildx-writable-config
molecule-ai:fix/publish-docker-config-api-20260520
molecule-ai:feat/seed-schedules-from-ws-template
molecule-ai:feat/canvas-llm-billing-mode-section
molecule-ai:feat/per-workspace-llm-billing-mode
molecule-ai:fix/memory-v2-upsert-namespace-20260526
molecule-ai:fix/platform-managed-provider-key-leak
molecule-ai:fix/mcp-tools-test-db-import-20260526
molecule-ai:pr-3029
molecule-ai:fix-tiny-readme
molecule-ai:fix-shellcheck-arm64-pilot-runner-label
molecule-ai:docs/fix-stale-channel-install-refs-230
molecule-ai:design/modal-a11y-followup
molecule-ai:fix-1769-suppression-justifications
molecule-ai:fix-365-scope-divergence-gate-check
molecule-ai:fix-1763-org-include-test
molecule-ai:docs/readme-quickstart-context
molecule-ai:style/fix-ruff-e501-etc
molecule-ai:fix/main-ci-display-deploy-blockers
molecule-ai:fix/display-keyboard-clipboard
molecule-ai:fix/runtime-template-repo-cache
molecule-ai:fix/create-dialog-platform-defaults
molecule-ai:fix/pending-upload-preview-after-ack
molecule-ai:fix/create-dialog-runtime-provider-flow
molecule-ai:fix/platform-us-default-provider
molecule-ai:fix/seo-template-provider-env-prompt
molecule-ai:chore/advisory-legacy-e2e
molecule-ai:fix/seo-template-visible
molecule-ai:fix/panel-contained-attachment-preview
molecule-ai:fix/pdf-preview-csp
molecule-ai:fix/pdf-preview-visible
molecule-ai:fix/prod-auto-deploy-scoped-rollout
molecule-ai:fix-1763-test-minimal
molecule-ai:feat/llm-native-auth-flow
molecule-ai:fix/issue-1823-delete-confirm-name
molecule-ai:fix/display-control-browser-session
molecule-ai:fix/agent-message-attachment-broadcast
molecule-ai:chore/maintained-runtime-registry
molecule-ai:fix/issue-1686-cost-efficient-workspace-defaults
molecule-ai:fix/hermes-user-attachments-core
molecule-ai:fix/gate-check-v3-ruff-f401-e741
molecule-ai:docs/issue-1793-workspace-placement-rfc
molecule-ai:fix/ruff-batch-2026-05-24
molecule-ai:chore/issue-1760-rename-go-module
molecule-ai:fix/platform-managed-llm-default
molecule-ai:chore/issue-1812-remove-backfill-from-image
molecule-ai:fix/ruff-f401-f541-f841-e741-batch
molecule-ai:fix/ruff-e501-merge-queue
molecule-ai:fix-1763-webhook-token-redaction-skip
molecule-ai:fix/ruff-final-batch-f401-e741-f841
molecule-ai:fix/ruff-e501-batch-4
molecule-ai:fix/ruff-lint-batch-3
molecule-ai:fix/ruff-lint-more-scripts
molecule-ai:fix/user-message-fanout-1440
molecule-ai:fix/workspace-compute-settings-control
molecule-ai:fix/1763-finding-3-token-test-integration-tag
molecule-ai:fix-1775-deploy-wait-alignment
molecule-ai:fix/memory-plugin-nil-jsonb-marshal
molecule-ai:fix/pv-staging-tenant-auth
molecule-ai:fix/real-user-upload-staging-e2e
molecule-ai:feat/issue-1791-bundle-memory-backfill
molecule-ai:feat/issue-1754-mcp-memory-activity-broadcast
molecule-ai:feat/issue-1791-memories-commit-v2-plugin
molecule-ai:fix-1763-discord-token-test
molecule-ai:chore/remove-stale-runtime-comment
molecule-ai:fix/revert-1781-templates-runtime-relax
molecule-ai:chore/remove-unmaintained-runtimes
molecule-ai:fix/e2e-orphan-guard
molecule-ai:docs/issue-1780-compensating-status-runbook
molecule-ai:fix/issue-1778-templates-test-fixtures
molecule-ai:fix/templates-supported-runtime-tests
molecule-ai:fix/prod-auto-deploy-aggregate-context
molecule-ai:chore/issue-1753-awareness-docs-sweep
molecule-ai:chore/issue-1755-seed-initial-memories-v2
molecule-ai:fix/ci-all-required-bookkeeping
molecule-ai:fix/supported-runtime-catalog
molecule-ai:chore/issue-1733-memory-plugin-schema-isolation
molecule-ai:chore/issue-1735-remove-awareness-backend
molecule-ai:fix/memory-list-rows-err
molecule-ai:feat/1686-display-session-proxy
molecule-ai:chore/issue-1733-a1-kill-v1-fallback
molecule-ai:fix/issue-1734-memory-tab-v2
molecule-ai:fix/codex-scheduled-a2a-timeout
molecule-ai:fix/prod-auto-deploy-nonblocking
molecule-ai:fix/arm64-pilot-label-macfix
molecule-ai:fix/review-check-empty-pr-guard
molecule-ai:fix/canvas-publish-docker-config
molecule-ai:fix/channels-manager-rows-err
molecule-ai:fix/rows-err-restart-discovery
molecule-ai:fix/slack-webhook-response-body-close
molecule-ai:fix/sweeper-rows-err
molecule-ai:feat/1686-display-workspace-flow
molecule-ai:fix-1700-A-github-token-http-timeout
molecule-ai:fix/workspace-crud-descrows-err
molecule-ai:task342/local-e2e-harness
molecule-ai:fix/messagestore-extractfiles-unmarshal
molecule-ai:fix/pgplugin-writejson-encode-error
molecule-ai:feat/1686-display-control-ui
molecule-ai:fix/discord-read-body-error
molecule-ai:fix/capturebroadcaster-data-race
molecule-ai:fix-scheduler-detect-result-kind-message-allow
molecule-ai:fix/lark-read-body-error
molecule-ai:fix/memory-decode-error-read-body
molecule-ai:fix/slack-read-body-errors
molecule-ai:fix/traces-read-body-error
molecule-ai:fix/schedules-events-rows-err
molecule-ai:fix/channels-json-unmarshal-errors
molecule-ai:rfc-1706-openapi-phase1-schedules
molecule-ai:fix/mcp-tools-scanpeers-err
molecule-ai:fix/handlers-rows-err-batch
molecule-ai:fix/slack-webhook-response-body-close-clean
molecule-ai:fix/github-token-http-timeout
molecule-ai:minimax-autonomous-test
molecule-ai:fix/scheduler-1696-sdk-error-detection
molecule-ai:fix/1696-scheduler-adapter-error-status
molecule-ai:feat/1686-phase1-compute-schema
molecule-ai:fix/1692-mount-schedule-routes
molecule-ai:fix/1684-native-session-enqueue-on-busy
molecule-ai:fix/1646-staging-saas-timeout
molecule-ai:fix/ci-path-scope-main-push
molecule-ai:fix/e2e-wait-after-config-put
molecule-ai:fix/e2e-delegation-a2a-retry
molecule-ai:fix/e2e-minimax-m2-default
molecule-ai:platform-kill-defaultmodel-require-model-at-create
molecule-ai:fix/e2e-a2a-busy-retry
molecule-ai:fix/e2e-a2a-readiness-body
molecule-ai:fix/t4-pid-probe-agent-safe
molecule-ai:fix/t4-gitea-egress-ssot
molecule-ai:docs-fix-claude-code-channel-template
molecule-ai:fix/activity-flat-upload-attachments
molecule-ai:fix/aws-secrets-janitor-literal-region
molecule-ai:fix/activity-feed-peer-info-enrichment
molecule-ai:fix/aws-secrets-janitor-fail-loud
molecule-ai:fix/aws-secrets-janitor-staging
molecule-ai:fix/staging-token-diagnostic
molecule-ai:chore/publish-staging-ecr-with-ssot-publisher
molecule-ai:fix/e2e-bash32-empty-array
molecule-ai:chore/mirror-tenant-image-staging-ecr
molecule-ai:fix/mcp-delegate-platform-path
molecule-ai:chore/retrigger-peer-visibility-after-publish
molecule-ai:fix/publish-buildx-docker-config
molecule-ai:docs/multi-external-workspace-registration
molecule-ai:fix/e2e-token-fallback-diagnostics
molecule-ai:ci/clean-superseded-push-noise
molecule-ai:ci/path-scope-go-handler-pr
molecule-ai:fix/main-red-watchdog-action-run-status-filter
molecule-ai:fix/admin-workspace-token-mint
molecule-ai:test/e2e-chat-a2a-dns-regression
molecule-ai:fix/staging-peer-visibility-token
molecule-ai:chore/delete-core-workspace-runtime
molecule-ai:fix/split-heavy-e2e-required-path
molecule-ai:fix/ci-cron-bots-prebake-1357
molecule-ai:fix/self-delegation-peer-list-hardening
molecule-ai:fix/523-allow-user-set-workspace-secrets
molecule-ai:feat/canvas-org-info-tab
molecule-ai:fix/624-file-write-restart-debounce
molecule-ai:fix/377-canvas-polite-cancel-before-restart
molecule-ai:task227/external-mcp-progress-ux
molecule-ai:fix/canvas-chat-a2a-hint-activity-tab-closeout-212
molecule-ai:fix/t4-probe-docker-socket-and-pid-host
molecule-ai:chore/ssot4-delete-dead-github-workflows
molecule-ai:task335/drop-runtime-image-pins-mig-fresh
molecule-ai:chore/ssot10-ecr-registry-var
molecule-ai:fix/sop-checklist-stream-pagination-oom
molecule-ai:task335/drop-dead-runtime-image-pins-mig-047
molecule-ai:fix/a2a-error-hint-timeout-class
molecule-ai:fix/a2a-error-detail-field-rename
molecule-ai:feat/uploads-limits-ssot-task-320
molecule-ai:core-devops/cascade-structural-hardening
molecule-ai:chore/retrigger-publish-after-eacces
molecule-ai:fix/poll-mode-pending-uploads-100mb-mc1588
molecule-ai:fix/redeploy-fleet-confirm-callers
molecule-ai:fix/lint-workflow-yaml-slash-in-name
molecule-ai:retrigger/publish-workspace-server-after-pr110-deploy
molecule-ai:infra-runtime-be/upload-100mb-and-correct-reason-errors
molecule-ai:infra-sre/rfc596-publish-runtime-dual-push-gitea-pypi
molecule-ai:fix/workflow-name-no-token-slash
molecule-ai:infra-sre/audit-log-phase1-emit-secrets
molecule-ai:fix/main-red-watchdog-skip-cancel-cascade-mc1564
molecule-ai:feat/rfc563-ws-server-binary-strip
molecule-ai:ci/146-lint-no-tenant-gitea-token
molecule-ai:feat/agent-card-identity-seed-prod-team-internal-492-followup
molecule-ai:fix/rfc524-layer1-bare-go-conversion
molecule-ai:fix/ci-docker-host-guardrail-red
molecule-ai:test/e2e-todays-pr-coverage
molecule-ai:feat/146-forbidden-env-guard
molecule-ai:fix/sop-checklist-widen-ack-internal-442
molecule-ai:ci/mac-arm64-pilot-shellcheck
molecule-ai:e2e/peer-visibility-local-backend-task166
molecule-ai:fix/canvas-surface-error-detail
molecule-ai:fix/wsserver-broadcast-error-detail
molecule-ai:ci/oom-storm-concurrency-fix
molecule-ai:fix/chat-upload-ssot-100mb-1520
molecule-ai:feat/provisioner-inject-gitea-credential-helper
molecule-ai:sre/fix-remaining-scheduled-cancel-in-progress
molecule-ai:fix/user-message-role-1514
molecule-ai:sre/fix-gate-check-cancel-in-progress
molecule-ai:sre/fix-ci-drift-false-positive-and-queue-limit
molecule-ai:ci-retry-noop
molecule-ai:test/plugin-listing-coverage-1488
molecule-ai:infra/canvas-ci-retry-20260518145806
molecule-ai:fix/json5-comments-manifest-1496
molecule-ai:test/canvas-hook-coverage
molecule-ai:feat/canvas-agent-abilities-toggle
molecule-ai:fix/sop-tier-check-secrets-read-v2
molecule-ai:fix/canvas-configtab-wcag-alert-v2
molecule-ai:fix/canvas-configtab-wcag-alert
molecule-ai:fix/sop-tier-check-secrets-read
molecule-ai:fix/ci-sop-tier-check-secrets-read
molecule-ai:fix/runtime-registry-manifest-v2
molecule-ai:test/runtime-provision-timeouts-coverage
molecule-ai:fix/sev1-secrets-read-v2
molecule-ai:fix/sev1-missing-secrets-read-perms
molecule-ai:test/canvas-secret-formats-coverage
molecule-ai:test/canvas-hook-tests
molecule-ai:test/canvas-theme-ts-coverage
molecule-ai:feat/canvas-agent-abilities-toggles
molecule-ai:test/canvas-theme-lib-coverage
molecule-ai:fix/runtime-registry-json5-comment
molecule-ai:fix/ws-server-188-failclosed-template-runtime
molecule-ai:test/plugins-listing-coverage
molecule-ai:fix/issue-1480-manifest-json5
molecule-ai:fix/review-check-wrong-event-string-diagnostic
molecule-ai:test/workspace-abilities-name-coverage
molecule-ai:ci-fix-main-runtime-secret-scan
molecule-ai:fix/secret-scan-exclude-secrets-detector-test-fixtures
molecule-ai:fix/secrets-read-qa-security-main
molecule-ai:fix/secrets-read-qa-security-workflows
molecule-ai:test/workspace-broadcast-coverage
molecule-ai:fix/1473-bp-all-required-suffix
molecule-ai:infra/secrets-read-qa-security-main-fix
molecule-ai:fix/pr1450-staging-main-conflict
molecule-ai:fix/issue-1420-actionable-errors
molecule-ai:fix/issue-228-user-message-fanout
molecule-ai:design/externalconnectmodal-a11y
molecule-ai:fix/tabs-error-aria-alert
molecule-ai:fix/settings-a11y-fixes
molecule-ai:fix/canvas-errors-aria-alert
molecule-ai:fix/canvas-loading-aria-live
molecule-ai:sre/fix-scheduled-workflow-cancel-in-progress
molecule-ai:feat/handler-test-abilities-and-sources
molecule-ai:fix/handlers-plugin-listing-tests
molecule-ai:fix/tabs-a11y-scattered
molecule-ai:runtime/port-identity-tools-staging
molecule-ai:runtime/fix-merge-queue-cancel-in-progress
molecule-ai:fix/canvas-misc-wcag-fixes
molecule-ai:infra/quirks-789-fills
molecule-ai:infra/queue-runbook-updates
molecule-ai:design/skills-accessibility-v2
molecule-ai:design/skills-a11y-followup
molecule-ai:fix/a2a-delegation-detached-ctx-canceled-internal-497
molecule-ai:fix/secrets-honest-ui-491-490
molecule-ai:design/mobile-comms-a11y
molecule-ai:design/mobile-chat-a11y
molecule-ai:test/org-import-pure-funcs
molecule-ai:fix/mcp-tools-sql-fix
molecule-ai:fix/delegation-list-shows-both-directions
molecule-ai:design/mobile-tabbar-a11y
molecule-ai:feat/mobile-tabbar-a11y
molecule-ai:fix/mobile-ios-focus-zoom
molecule-ai:fix/mobile-canvas-render-parity
molecule-ai:ci/arm64-advisory-mac-offload-pilot
molecule-ai:fix/canvas-user-message-cross-session-fanout
molecule-ai:test/a2a-proxy-pure-coverage
molecule-ai:fix/mobile-focus-visible-rings
molecule-ai:fix/external-workspace-progress-feedback
molecule-ai:fix/canvas-mobile-ws-wake-resume
molecule-ai:fix/mobile-chat-input-ios-focus-zoom
molecule-ai:test/org-helpers-coverage
molecule-ai:ci/timing-test-hygiene-host-load-internal
molecule-ai:fix/setup-node-pin-corrupt-1432
molecule-ai:fix/ci-required-drift-polling-sentinel
molecule-ai:fix/issue212-actionable-agent-error-reason
molecule-ai:runtime/fix-api03-test-fixture
molecule-ai:test/traces-list-http-coverage
molecule-ai:runtime/fix-test-fixture-v3
molecule-ai:runtime/fix-test-fixture-on-1420
molecule-ai:fix/queue-status-sort
molecule-ai:runtime/fix-test-fixture-secret-scan-false-positive
molecule-ai:test/workspace-abilities-coverage-20260517
molecule-ai:fix/sop-engineers-main
molecule-ai:fix/queue-merge-permanent-error
molecule-ai:fix/delegations-list-deduplication
molecule-ai:fix/canvas-npm-ci
molecule-ai:fix/sop-staging-engineers-backport
molecule-ai:offsec-015-staging-v2
molecule-ai:fix/queue-skip-permanent-merge-error
molecule-ai:design/settings-button-focus-v2
molecule-ai:test/coverage-broadcast-listing-20260517
molecule-ai:fix/workspace-tokens-global-sentinel-500
molecule-ai:fix/sop-workflow-secrets-read
molecule-ai:test/coverage-abilities-design-tokens-20260517
molecule-ai:design/agentcomms-focus-visible
molecule-ai:design/skills-aria-accessibility
molecule-ai:infra/action-sha-pin-e2e-chat
molecule-ai:fix/sop-checklist-na-gate-probe-bug
molecule-ai:test/coverage-2026-05-17
molecule-ai:fix/queue-merge-error-surfacing-v2
molecule-ai:test/all-coverage-v5
molecule-ai:fix/settings-panel-focus-visible
molecule-ai:sre/ci-coldrunner-main-fix
molecule-ai:fix/skills-tab-focus-visible
molecule-ai:test/all-coverage-v4
molecule-ai:test/all-coverage-v3
molecule-ai:fix/aria-live-errors-v2
molecule-ai:fix/canvas-attachment-focus-visible
molecule-ai:fix/queue-merge-error-surfacing
molecule-ai:test/all-coverage-v2
molecule-ai:fix/app-page-focus-v2
molecule-ai:fix/app-page-focus-visible
molecule-ai:fix/delete-dialog-focus
molecule-ai:fix/sop-checklist-probe-na-gate
molecule-ai:test/all-handler-lib-coverage
molecule-ai:test/handlers-and-lib-coverage-v2
molecule-ai:test/delegation-sweeper-pure-funcs
molecule-ai:fix/queue-update-then-wait-loop
molecule-ai:fix/workspace-abilities-test-coverage
molecule-ai:test/workspace-crud-validators
molecule-ai:fix/canvas-user-message-persist-at-ingest
molecule-ai:test/handlers-and-lib-coverage
molecule-ai:fix/filetree-wcag-icons
molecule-ai:fix/mobile-wcag-focus-visible
molecule-ai:sre/pr1381-retrigger
molecule-ai:infra/add-missing-workflow-concurrency
molecule-ai:infra/scheduled-workflow-cancel-in-progress
molecule-ai:fix/canvas-wcag-focus-visible-2
molecule-ai:ci/twine-verbose-403-reason-body
molecule-ai:test/handlers-and-theme-coverage
molecule-ai:fix/ci-required-drift-skip-f1
molecule-ai:fix/sop-checklist-na-declarations
molecule-ai:test/workspace-abilities-and-theme
molecule-ai:test/plugins-sources-and-theme
molecule-ai:sre/comment-dispatch-consolidation-v2
molecule-ai:chore/remove-crewai-deepagents-gemini-cli
molecule-ai:test/workspace-broadcast-handler
molecule-ai:test/workspace-abilities-patch
molecule-ai:fix/inbox-self-echo
molecule-ai:feat/test-status-config-constants
molecule-ai:feat/test-plugins-install-handlers
molecule-ai:test/local-provisioner-token-ownership-parity
molecule-ai:infra/internal-462-publish-deploy-lane
molecule-ai:fix/staging-sync-persist-fix
molecule-ai:feat/broadcast-coverage
molecule-ai:__disk-test-137017
molecule-ai:fix/main-red-watchdog-close-on-pending
molecule-ai:fix/review-refire-comments-token-scope
molecule-ai:feat/canvas-abilities-banner-test
molecule-ai:pr-1307
molecule-ai:staging-dev-lead-test-4107230
molecule-ai:feat/workspace-abilities-test-coverage
molecule-ai:ci/scheduled-cancel-in-progress-1357
molecule-ai:feat/broadcast-test-coverage
molecule-ai:fix/a2a-queue-status-coverage
molecule-ai:pr-1351
molecule-ai:ci/e2e-peer-visibility-bp-pending-1296
molecule-ai:ci/e2e-peer-visibility-bp-required-1328
molecule-ai:fix/review-refire-conflict
molecule-ai:sre/consolidated-main-to-staging
molecule-ai:fix/org-helpers-duplicate-comment
molecule-ai:fix/a2a-self-delegation-echo-inbox
molecule-ai:perf/canvas-favicon-shrink
molecule-ai:perf/canvas-toolbar-logo-shrink
molecule-ai:perf/canvas-bundle-analyzer-optimize-imports
molecule-ai:fix/offsec-015-staging
molecule-ai:fix/workspace-token-injection-agent-owned
molecule-ai:ci/sop-checklist-narrow-issue-comment-trigger
molecule-ai:fix/broadcast-handler-coverage-1343
molecule-ai:fix/test-patchAbilities-toolbar-1313-1334
molecule-ai:docs/gitea-actions-quirks-runbook
molecule-ai:fix/1256-enable-button-focus-ring
molecule-ai:pr-1327
molecule-ai:feat/workspace-sizing-override
molecule-ai:fix/sop-checklist-na-post
molecule-ai:canvas/broadcast-chat-wcag
molecule-ai:fix/test-matchesChatID-1304
molecule-ai:test/canvas/FileTree-render-a11y
molecule-ai:test/canvas/ChatTab-subtab-a11y
molecule-ai:test/canvas/SidePanel-a11y-and-state
molecule-ai:enforce/peer-visibility-bp-directive-1296
molecule-ai:infra/main-ci-retrigger
molecule-ai:sre/queue-api-fix
molecule-ai:fix/handlers-untested-helpers-2026-05-16
molecule-ai:sre/sop-na-fix
molecule-ai:promote/staging-to-main
molecule-ai:infra/detect-changes-shallow-v2
molecule-ai:feat/publish-lane-runs-on-394
molecule-ai:test/canvas/FilesToolbar-a11y
molecule-ai:fix/workspace-abilities-coverage-1312
molecule-ai:fix/sop-checklist-merged-blank-line
molecule-ai:fix/e2e-chat-setup-node-mirror-sha
molecule-ai:e2e/peer-visibility-local-backend
molecule-ai:fix/secrets-coverage-compile-err-1274
molecule-ai:e2e/peer-visibility-mcp-gate
molecule-ai:fix/e2e-chat-setup-node-mirror
molecule-ai:fix/canvas-arrangeChildren-coverage
molecule-ai:sre/fix-queue-null-created-at-sort
molecule-ai:fix/sop-checklist-blank-line-detect
molecule-ai:fix/a2a-proxy-test-async-drain
molecule-ai:fix/handlers-admin-delegations-coverage
molecule-ai:sre/platform-go-timeout-60m
molecule-ai:infra/sop-tier-check-token-guard
molecule-ai:fix/handlers-test-async-drain
molecule-ai:fix/gate-check-login-aliases
molecule-ai:fix/secrets-scan-test-fixture-exclusion
molecule-ai:fix/secrets-coverage-tests-v2
molecule-ai:fix/ci-concurrency-cancel-superseded-storm
molecule-ai:fix/secret-scan-exclude-secrets-tests
molecule-ai:fix/secrets-patterns-100pct-coverage
molecule-ai:fix/secrets-100-coverage
molecule-ai:standalone/review-check-403-fix
molecule-ai:feat/files-agent-home-stub
molecule-ai:feat/agent-home-docker-exec-internal-425-phase-2b
molecule-ai:sre/secret-scan-timeout
molecule-ai:feat/canvas-files-agent-home-internal-425-phase-3
molecule-ai:fix/top-level-modules-add-a2a-tools-identity
molecule-ai:feat/secrets-patterns-ssot-internal-425-phase-2a
molecule-ai:stub/files-api-agent-home-root-2026-05-15
molecule-ai:fix/sop-n-a-v2
molecule-ai:fix/files-api-agent-home-stub
molecule-ai:be/workspace-server-accumulated-fixes
molecule-ai:fix/sop-n-a-clean
molecule-ai:design/themetoggle-test-teardown-fix
molecule-ai:feat/canvas-growParentsToFitChildren-coverage
molecule-ai:fix/openclaw-skip-config-write-and-canvas-timeout-to-main
molecule-ai:feat/agent-card-update-and-runtime-identity-tools-relocated
molecule-ai:fix/openclaw-skip-config-write-and-canvas-timeout
molecule-ai:fix/prod-auto-deploy-timeout
molecule-ai:feat/chat-unify-clean
molecule-ai:fix/autobump-skip-existing-tags
molecule-ai:fix/issue-1187-broadcast-abilities-coverage
molecule-ai:fix/runtime-autobump-next-free-tag
molecule-ai:pr-1211
molecule-ai:feat/queue-status-abilities-handler-tests
molecule-ai:fix/queue-channels-coverage
molecule-ai:infra-sre/golangci-lint-connectivity-fix
molecule-ai:infra/main-sop-na-fix
molecule-ai:fix/staging-golangci-30m-v2
molecule-ai:fix/scheduler-coverage-gaps
molecule-ai:fix/channels-rows-err-and-cwe312
molecule-ai:fix/container-name-no-uuid-truncation
molecule-ai:fix/staging-golangci-noconfig
molecule-ai:fix/provider-base-url-fallback
molecule-ai:fix/provisioner-uuid-no-truncate
molecule-ai:fix/queue-label-filter-all-ids
molecule-ai:fix/review-check-403-skip
molecule-ai:fix/ki-010-container-name-truncation
molecule-ai:fix/provisioner-no-uuid-truncation
molecule-ai:fix/issue-1176-db-db-race
molecule-ai:fix/channels-rows-err
molecule-ai:test/issue-1156-messaging-coverage
molecule-ai:sre/fix-test-sop-parse-directives
molecule-ai:infra/staging-sop-na-fix
molecule-ai:test/workspace-adapter-base-coverage
molecule-ai:sre/fix-sop-test-parse-directives
molecule-ai:fix/pr-1070-push-tokens
molecule-ai:test/push-package-coverage
molecule-ai:hotfix/offsec-015-org-isolation
molecule-ai:infra/sop-n-a-plus-drift-fix
molecule-ai:fix/issue-1183-settingspanel-act-wrap
molecule-ai:pr-1185-current
molecule-ai:infra/main-golangci-no-config
molecule-ai:test/qa-broadcast-abilities-coverage
molecule-ai:fix/delegations-list-endpoint-wrong-column
molecule-ai:core-be/fix/platform-go-timeout
molecule-ai:fix/issue-1152-delegation-activity-db-err-tests
molecule-ai:core-be/fix/tokens-rate-limit-scan-err-v2
molecule-ai:fix/handlers-rows-err-missing
molecule-ai:infra/canvas-deploy-reminder-polling-list
molecule-ai:fix/staging-ci-timeouts
molecule-ai:fix/settingspanel-act-flush
molecule-ai:fix/rows-err-instructions-resolve
molecule-ai:fix/ci-cold-runner-timeout
molecule-ai:fix/issue-1171-rows-err-memory-events-channels
molecule-ai:fix/sentinel-remove-phas3-masked
molecule-ai:infra/fix-all-required-combined-status-check
molecule-ai:pr1165-rebase
molecule-ai:fix/approvals-json-marshal-guard
molecule-ai:feat/canvas-broadcast-handler
molecule-ai:sre/fix-ci-drift-false-positive
molecule-ai:sre/fix-queue-remove-label-bug
molecule-ai:infra/workspace-server-healthcheck
molecule-ai:fix/ci-drift-canvas-deploy-reminder
molecule-ai:fix/offsec-015-broadcast-org-isolation
molecule-ai:fix/delegation-list-callee-plus-golangci-lint
molecule-ai:sre/fix-queue-gate-context
molecule-ai:core-be/test/delegate-record-db-errors-v2
molecule-ai:fix/tokens-rate-limit-scan-err
molecule-ai:pr-1117
molecule-ai:pr-1117-latest
molecule-ai:infra/staging-golangci-no-config
molecule-ai:fix/openclaw-molecule-mcp-version-pin
molecule-ai:offsec015
molecule-ai:fix/openclaw-mcp-version-check
molecule-ai:feat/provider-routing-base-v2
molecule-ai:feat/e2e-chat-stabilization
molecule-ai:fix/sop-concurrency-throttle
molecule-ai:p1102
molecule-ai:p1117
molecule-ai:fix/canvas-deploy-reminder-deadlock
molecule-ai:infra/main-golangci-timeout-fix
molecule-ai:feat/provider-routing-base
molecule-ai:sre/sweep-cf-orphans-aws-timeout
molecule-ai:sre/queue-merge-conflict-handling
molecule-ai:fix/na-declarations-gate
molecule-ai:fix/handlers-log-db-scan-errors
molecule-ai:fix/channels-marshal-errors
molecule-ai:fix/channels-silent-json-errors
molecule-ai:sre/channels-unmarshal-errors
molecule-ai:sre/queue-pre-receive-hook-fix
molecule-ai:sre/ci-timeout-increase
molecule-ai:fix/approvals-terminal-db-err-logging
molecule-ai:infra/ci-platform-go-timeout-fix
molecule-ai:fix/push-notifications
molecule-ai:fix/channels-json-unmarshal-guard
molecule-ai:fix/main-rows-err-instructions
molecule-ai:fix/main-test-fix-from-0c152a24
molecule-ai:fix/staging-offsec010-cp-wiring
molecule-ai:fix/handlers-instructions-test-bugs
molecule-ai:fix/ci-allrequired-needs
molecule-ai:fix/staging-goasync-configseed
molecule-ai:fix/issue-1080-org-helpers-comment
molecule-ai:fix/issue-1081-errors-import
molecule-ai:fix/1080-org-helpers-comment-typo
molecule-ai:infra-sre/fix-missing-test-imports
molecule-ai:fix/offsec-010-wiring
molecule-ai:fix/saas-t4-cp-config-seed
molecule-ai:fix/offsec-010-clean
molecule-ai:fix/offsec-003-boundary-wrapping
molecule-ai:fix/offsec-003-escaped-markers-main
molecule-ai:fix/mobile-chat-history
molecule-ai:fix/staging-CWE-78-rows-err
molecule-ai:fix/1062-mobilechat-history
molecule-ai:hotfix/cwe-78-staging
molecule-ai:fix/stdio-v2
molecule-ai:fix/offsec-010-symlink-walkdir
molecule-ai:fix/test-stdio-function-name
molecule-ai:fix/offsec-010-symlink-walkdir-isSaaS-fix
molecule-ai:sre/fix-stale-platform-server-port
molecule-ai:fix/offsec-010-from-pr1047
molecule-ai:staging-v6
molecule-ai:fix/e2e-api-port-collision
molecule-ai:fix/main-async-db-race
molecule-ai:infra/sync-staging-v6-to-main
molecule-ai:pr/1030
molecule-ai:fix/handlers-instructions-test-compile
molecule-ai:fix/instructions-test-compile
molecule-ai:fix/openclaw-empty-required-keys
molecule-ai:sre/main-rows-err-checks
molecule-ai:fix/staging-v6-conflict-markers
molecule-ai:fix/delegation-list-test-conflict-marker
molecule-ai:fix/main-red-cdb0b040-ci-tests
molecule-ai:fix/theme-toggle-selector-main-red
molecule-ai:sre/ci-required-drift-canvas-reminder-skip
molecule-ai:test/instructions-handler-coverage
molecule-ai:sre/canvas-build-timeout
molecule-ai:test/externalconnectmodal
molecule-ai:fix/resolve-conflict-marker-delegation-list-test
molecule-ai:fix/1008-themetoggle-css-selector
molecule-ai:design/826-searchdialog-mount-v2
molecule-ai:test/orgcancelbutton
molecule-ai:fix/2088-themetoggle-queryselectorall-errors
molecule-ai:design/704-tree-test-fix
molecule-ai:fix/ci-required-drift-github-ref-skip
molecule-ai:ci/975-db-pollution-fix
molecule-ai:fix/968-remove-duplicate-test-declarations
molecule-ai:fix/980-schedules-handler-test-coverage
molecule-ai:design/tier-legend-contrast-2026-05-14
molecule-ai:sre/platform-go-timeout-fix
molecule-ai:fix/delegation-list-test-db-leak
molecule-ai:fix/984-delegation-id-response-body
molecule-ai:sre/queue-bot-fix-ctx-check
molecule-ai:fix/983-remove-duplicate-test-declarations
molecule-ai:fix/986-canvas-wcag-focus-rings
molecule-ai:fix/993-agent-handler-test-coverage
molecule-ai:design/wcag-focus-contrast-2026-05-14
molecule-ai:design/wcag-focus-rings-round5-2026-05-14
molecule-ai:fix/activity-logs-delegation-id-response-body
molecule-ai:fix/982-expand-posix-identifier-guard
molecule-ai:fix/test-offsec003-redundant-file
molecule-ai:feat/976-schedules-handler-test-coverage
molecule-ai:fix/org-helpers-test-panic
molecule-ai:promote/main-to-staging-v5
molecule-ai:fix/965-test-panic-resolveInsideRoot
molecule-ai:promote/main-to-staging-v4
molecule-ai:feat/delegation-list-tests
molecule-ai:fix/test-a2a-sanitization-v3
molecule-ai:promote/main-to-staging-v3
molecule-ai:fix/duplicate-test-declarations
molecule-ai:feat/org-helpers-security-tests
molecule-ai:fix/main-push-operational-red
molecule-ai:promote/main-to-staging-v2
molecule-ai:fix-sop-concurrency-v2
molecule-ai:fix/sop-checklist-gate-name
molecule-ai:fix/docker-info-pipefail
molecule-ai:fix/publish-healthcheck-pipefail
molecule-ai:fix/sop-checklist-workflow-rename
molecule-ai:promote/main-to-staging
molecule-ai:sre/fix-sop-checklist-context-name-mc948
molecule-ai:design/wcag-contrast-round4-2026-05-14
molecule-ai:fix/org-helper-tests
molecule-ai:fix/test-a2a-sanitization-main
molecule-ai:fix/publish-image-on-every-main-push
molecule-ai:fix/remove-canvas-reminder-from-all-required
molecule-ai:fix/staging-integration-test-ctx
molecule-ai:fix/staging-canvas-reminder-deadlock
molecule-ai:design/wcag-a11y-round3-2026-05-14
molecule-ai:ci/remove-canvas-reminder-from-all-required
molecule-ai:fix/test-a2a-sanitization-assertions
molecule-ai:fix/staging-ci-drift-canvas-reminder
molecule-ai:fix/handlers-pg-integ-event-before
molecule-ai:ci/platform-build-flip-coe
molecule-ai:fix/staging-python-test-and-tier-check-lint
molecule-ai:fix/offsec-006-slug-injection
molecule-ai:runtime/fix-pr916-integration-test-ctx
molecule-ai:design/chat-tab-wcag-contrast-2026-05-14
molecule-ai:fix/offsec-006-slug-validation
molecule-ai:design/wcag-contrast-fixes-2026-05-14
molecule-ai:fix/904-handler-test-blockers
molecule-ai:fix/ci-drift-canvas-reminder
molecule-ai:fix/comment-trigger-storm
molecule-ai:infra/660-codify-promote-tenant-image
molecule-ai:fix/917-canvas-test-failures
molecule-ai:fix/917-runtime-prbuild-detect-changes-fix
molecule-ai:fix/filesTab-test-stale-reference
molecule-ai:fix/files-tab-test-missing-helper
molecule-ai:fix/runtime-prbuild-compat-detect-changes
molecule-ai:fix/staging-test-compilation-fixes
molecule-ai:fix/qa-review-token-fallback-v2
molecule-ai:test/hydrate-canvas-coverage
molecule-ai:fix/contextmenu-react-error-185
molecule-ai:test/external-runtimes-coverage
molecule-ai:fix/main-sqlmock-import-ineffassign-20260513
molecule-ai:fix/redeploy-tenants-on-main-lint-cleanup
molecule-ai:sre/docker-daemon-gate-fix
molecule-ai:fix/897-listdelegations-use-ledger-table
molecule-ai:fix/901-listdelegations-ledger-table
molecule-ai:fix/core-main-handlers-hotfix
molecule-ai:fix/e2e-api-platform-port
molecule-ai:fix/main-green-monitor-status
molecule-ai:fix/mobile-MobileChat-infinite-render
molecule-ai:fix/delegations-ledger-fallback-rows-err
molecule-ai:fix/874-extractmessagetext-clean
molecule-ai:feat/881-untested-helpers
molecule-ai:fix/874-extractmessagetext-bug
molecule-ai:fix/status-reaper-api-timeout-retry-20260513130514
molecule-ai:fix/831-admin-token-placeholder-bootstrap
molecule-ai:feat/canvas-test-coverage-738
molecule-ai:feat/files-tab-tree-coverage
molecule-ai:feat/canvas-untested-components-coverage
molecule-ai:feat/canvas-tab-test-coverage-2
molecule-ai:fix/main-bundle-test-sqlmock-import
molecule-ai:fix/stdio-fallback-all-environments
molecule-ai:staging-sync-v3
molecule-ai:ci/burn-in-remove-sop-tier-check-coe
molecule-ai:fix/issue-860-delivery-mode-tests
molecule-ai:design/approval-banner-emerald-fix
molecule-ai:fix/issue-854-termsgate-a11y
molecule-ai:fix/issue-859-wcag-contrast
molecule-ai:fix/delegations-rows-err-bbc40cb8
molecule-ai:design/approvalbanner-a11y
molecule-ai:design/pricingtable-a11y
molecule-ai:design/toolbar-help-toggle-fix
molecule-ai:staging-sync-v2
molecule-ai:fix/canvas-approvalbanner-a11y
molecule-ai:feat/canvas-external-connect-modal-coverage
molecule-ai:staging-sync-rm
molecule-ai:fix/test-sanitize-agent-error-stderr
molecule-ai:test/a2a-queue-extractExpiresInSeconds
molecule-ai:fix/pr-829-test-issues
molecule-ai:design/826-searchdialog-mount
molecule-ai:fix/chat-createMessage-attachments-key
molecule-ai:fix/762-recall-memory-canary
molecule-ai:fix/367-a2a-tools-coverage-v2
molecule-ai:feat/search-dialog-mount
molecule-ai:feat/org-layout-test-coverage
molecule-ai:fix/offsec-003-builtin-a2a-sanitize
molecule-ai:fix/canvas-playwright-install-timeout
molecule-ai:fix/805-audit-force-merge-main-required-checks
molecule-ai:fix/cf-sweep-api-error
molecule-ai:fix/e2e-diagnose-detail
molecule-ai:fix/a2a-mcp-server-http-transport
molecule-ai:fix/core-main-red-golangci-install
molecule-ai:fix/test-declarations
molecule-ai:fix/sop-checklist-body-hard-gate
molecule-ai:merge-792
molecule-ai:feat/mcp-tools-test-coverage
molecule-ai:feat/workspace-crud-test-coverage
molecule-ai:feat/socket-handler-test-coverage
molecule-ai:fix/686-delegation-integration-tests
molecule-ai:feat/a2a-proxy-helpers-test-coverage
molecule-ai:fix/publish-canvas-disable-gha-cache-20260512
molecule-ai:fix/publish-canvas-docker-probe-20260512
molecule-ai:fix/canvas-image-ecr-20260512
molecule-ai:fix/687-send-ssh-public-key-detail
molecule-ai:feat/tier-2g-required-context-exists-in-bp
molecule-ai:feat/tier-2f-bp-emit-match
molecule-ai:fix/mc-664-class-2-mcp-offsec-contract-test
molecule-ai:fix/main-ci-green-20260512
molecule-ai:infra/dockerfile-add-docker-cli-for-local-build
molecule-ai:test/workspace-crud-helpers-coverage
molecule-ai:fix/681-recallmemory-offsec-contract
molecule-ai:fix/org-layout-helpers-test-coverage
molecule-ai:fix/735-extractResponseText-tests
molecule-ai:test/713-workspace-crud-validators
molecule-ai:test/713-org-helpers-pure-coverage
molecule-ai:fix/713-eic-diagnose-detail
molecule-ai:fix/730-filterpeers-nil-guard
molecule-ai:infra/all-required-coe-false-v2
molecule-ai:fix/phase3-tracker-comments
molecule-ai:fix/mc-664-class-1-delegation-tests-postgres-integration
molecule-ai:fix/canvas-keyboard-shortcuts-dialog-guard
molecule-ai:infra/664-lint-coe-trackers
molecule-ai:ci/lint-tracker-regex-fix-v2
molecule-ai:fix/731-nil-guard-filter-peers-by-query
molecule-ai:fix/lint-TRACKER_RE-mid-sentence
molecule-ai:ci-retrigger-747
molecule-ai:feat/709-handler-pure-coverage
molecule-ai:fix/697-canvas-geticon-topology
molecule-ai:ci/lint-tracker-regex-fix
molecule-ai:test/2071-canvas-drop-target-badge-coverage
molecule-ai:feat/2071-canvas-orgdeploystate-coverage
molecule-ai:feat/mobile-canvas-comms-spawn-coverage
molecule-ai:ci/lint-coe-self-fix
molecule-ai:fix/ssm-refresh-ecr-auth-json-escaping
molecule-ai:design/729-fix
molecule-ai:ci/gate-check-v3-permissions-fix
molecule-ai:fix/730-discovery-filter-nil-role
molecule-ai:infra/publish-docker-daemon-diagnostic
molecule-ai:fix/714-all-required-coe-false
molecule-ai:fix/717-mobile-agentMessages-selector
molecule-ai:infra/fix-all-required-status-reporting
molecule-ai:fix/687-e2e-surface-diagnose-detail
molecule-ai:infra/docker-runner-label
molecule-ai:test/701-canvas-hydrate-coverage
molecule-ai:test/mobile-primitives-coverage
molecule-ai:infra/664-interim-platform-build-exempt
molecule-ai:fix/693-offsec-recallmemory-scrub-staging
molecule-ai:sync/main-to-staging-514-v2
molecule-ai:fix/693-offsec-recallmemory-global-scrub
molecule-ai:fix/693-offsec-recallmemory-scrub
molecule-ai:fix/634-handler-test-fixes-to-main
molecule-ai:test/699-socket-handler-coverage
molecule-ai:sre/workflow-run-replacement
molecule-ai:infra/676-ssm-auth-json-hardening
molecule-ai:fix/offsec-001-method-scrub-hotfix
molecule-ai:fix/offsec-001-method-scrub-main
molecule-ai:feat/workspace-crud-validation-tests
molecule-ai:test/canvas-hydrate-coverage
molecule-ai:infra/lint-pre-flip-continue-on-error
molecule-ai:fix/workflow_run-to-push-gitea-1.22.6
molecule-ai:feat/tier-2e-tracking-issue
molecule-ai:fix/684-offsec-scrub-method-default
molecule-ai:feat/sop-checklist-gate-mvp
molecule-ai:feat/tier-2d-lint-mask-pr-atomicity
molecule-ai:infra/lint-workflow-yaml-hostile-shapes
molecule-ai:infra/lint-required-no-paths-filter
molecule-ai:cleanup/pr-641-clean
molecule-ai:feat/mobile-tabbar-wcag-a11y
molecule-ai:fix/canvas-mobile-chat-loop
molecule-ai:fix/651-canvas-chat-mobile-crash
molecule-ai:fix/664-interim-remask-platform-build
molecule-ai:fix/mobile-chat-max-update-depth
molecule-ai:infra/622-force-merge-protection-fix
molecule-ai:test/attachment-lightbox-clean-v2
molecule-ai:ci/652-gitea-1-22-status-key
molecule-ai:test/memorytab-2
molecule-ai:infra/status-reaper-rev4-status-key-fix
molecule-ai:infra/weekly-platform-go-vet-hard
molecule-ai:fix/audit-force-merge-pipefail
molecule-ai:infra/status-reaper-rev3-widen-window
molecule-ai:test/canvas-externalconnectmodal-coverage
molecule-ai:fix/sop-tier-check-token-graceful
molecule-ai:infra/ci-required-drift-token-scope
molecule-ai:test/console-modal-coverage
molecule-ai:ci/review-check-tests-wire
molecule-ai:test/canvas-workspacenode-coverage
molecule-ai:test/memorytab
molecule-ai:infra/interim-disable-reaper-watchdog-crons
molecule-ai:test/attachment-lightbox-coverage
molecule-ai:fix/issue-639-workspacenode-test-coverage
molecule-ai:test/channels-tab
molecule-ai:fix/canvas-searchdialog-test-fixtures
molecule-ai:fix/598-attachmentLightbox-tests
molecule-ai:fix/529-307-localbuild-async-test-fix
molecule-ai:fix/582-attachmentviews-tests
molecule-ai:fix/308-a2a-response-push-mode-tests
molecule-ai:fix/529-preflight-localbuild
molecule-ai:fix/sop-tier-check-token-graceful-staging
molecule-ai:fix/545-approvalbanner-isolation
molecule-ai:fix/519-memorytab-tests
molecule-ai:infra/status-reaper-rev2-sweep-recent-commits
molecule-ai:fix/handlers-test-fixtures
molecule-ai:test/skill-helpers-coverage
molecule-ai:test/ui-primitive-coverage
molecule-ai:docs/gitea-quirks-10-11
molecule-ai:test/platform-bundle-exporter-coverage
molecule-ai:infra/status-reaper-rev1-drop-concurrency
molecule-ai:fix/608-filesTab-focusTest
molecule-ai:test/budget-section-coverage
molecule-ai:infra/revert-docker-runner-label
molecule-ai:fix/weekly-platform-go-latent-error-surface
molecule-ai:infra/revert-publish-runs-on-pin
molecule-ai:sre/gate-check-timeout
molecule-ai:test/a2a-error-hint-coverage
molecule-ai:test/chat-attachment-views-coverage
molecule-ai:test/attachment-video-coverage
molecule-ai:infra/option-b-status-reaper
molecule-ai:infra/gate-check-v3-timeout
molecule-ai:infra/576-docker-runner-label
molecule-ai:fix/593-filetab-tests
molecule-ai:test/files-tab-notavailablepanel-coverage
molecule-ai:fix/591-forminputs-tests
molecule-ai:fix/471-cwe117-stderr-scrubbing
molecule-ai:infra/diagnostic-publish-workspace-server-image
molecule-ai:fix/582-bundle-import-tests
molecule-ai:test/form-inputs-coverage
molecule-ai:fix/publish-workspace-server-image-json5-comments
molecule-ai:sre/fix-all-required-null-result
molecule-ai:fix/publish-workspace-server-image-optional-token
molecule-ai:pr-251
molecule-ai:test/ui-statusbadge-coverage
molecule-ai:fix/all-required-null-result-assertion
molecule-ai:fix/568-palette-context-tests
molecule-ai:pr-527
molecule-ai:infra/merge-563-autobump-fix
molecule-ai:test/mobile-palette-context-coverage
molecule-ai:sre/fix-gate-check-v3-combined-state-loop
molecule-ai:ci/540-review-check-bats-tests
molecule-ai:fix/publish-runtime-autobump-push-condition
molecule-ai:ci/558-verify-publish-runtime-marker
molecule-ai:test/canvas-empty-state-coverage
molecule-ai:infra/publish-runtime-verify-2026-05-11
molecule-ai:ci/554-oci-labels-publish-workflow
molecule-ai:infra/drift-bot-token
molecule-ai:infra/rfc-219-phase-4-all-required-sentinel
molecule-ai:ci/551-gate-checkout-trusted-ref
molecule-ai:fix/gate-check-v3-pr-HEAD-security
molecule-ai:fix/541-token-argv-security
molecule-ai:sre/fix-gate-check-v3-bugs
molecule-ai:fix/537-cwe117-a2a-tools-sanitize
molecule-ai:fix/gate-check-v3-http-error-crash
molecule-ai:sre/fix-localbuild-preflight
molecule-ai:infra/rfc-324-workflow-add
molecule-ai:test/offsec-003-sanitization-backstop
molecule-ai:fix/test-sanitize-agent-error-stderr-exc
molecule-ai:fix/approval-banner-test-isolation
molecule-ai:infra/scope-workflows-fix
molecule-ai:sre/fix-pr530-deadlock
molecule-ai:sre/reopen-516-gate-check-fix
molecule-ai:fix/ci-scope-operational-workflows-504-419
molecule-ai:sre/scope-operational-workflows-to-schedule
molecule-ai:ci/harness-replays-detect-changes-quoting-fix
molecule-ai:fix/test-blocks-until-inflight-completes
molecule-ai:fix/test-enrich-peer-metadata-nonblocking
molecule-ai:sre/fix-enrich-nonblocking-cache-check
molecule-ai:merge-pr490
molecule-ai:runtime/fix-offsec-003-tool-delegate-task
molecule-ai:fix/508-update-boundary-assertions
molecule-ai:sre/fix-test-delegation-sync-polling-assertions
molecule-ai:fix/366-shared-runtime-coverage
molecule-ai:fix/506-unused-imports
molecule-ai:ci/lint-fixes
molecule-ai:fix/367-a2a-tools-coverage
molecule-ai:test/a2a-client-enrich-peer-rebase
molecule-ai:fix/354-delegation-auto-resume-rebase
molecule-ai:ci/fix-detect-changes-commits-array
molecule-ai:fix/307-async-rebase
molecule-ai:runtime/fix-harness-replays-push-event
molecule-ai:sre/fix-test-polling-sanitization
molecule-ai:fix/harness-replays-detect-changes-gitea-api
molecule-ai:ci/fix-test-polling-sanitization
molecule-ai:test/eventstab
molecule-ai:runtime/335-rebase-platfrom-url
molecule-ai:hotfix/491-offsec-003-staging-v2
molecule-ai:fix/pr477-test-fixes
molecule-ai:runtime/335-rebase-platform-url
molecule-ai:fix/354-auto-resume-delegations
molecule-ai:fix/368-audit-hooks-coverage
molecule-ai:runtime/temporal-platform-url-fix
molecule-ai:infra/secret-reconciliation-v2
molecule-ai:fix/purchase-success-modal-test-isolation
molecule-ai:pr-476
molecule-ai:sre/fix-gitea-runbook-network-quirks
molecule-ai:tools/gate-check-v3
molecule-ai:fix/376-activity-delegation-polling
molecule-ai:runtime/platform-url-fix-merge
molecule-ai:fix/canvas-purchase-success-modal-test-timing
molecule-ai:fix/secret-naming-reconciliation
molecule-ai:docs/gitea-operational-quirks-runbook
molecule-ai:test/canvas-toolbar-coverage
molecule-ai:fix/canvas-tier-config-v2
molecule-ai:fix/455-offsec003-sanitize-alignment
molecule-ai:fix/sweep-stale-e2e-orgs-secret-name
molecule-ai:fix/approvalbanner-mockreset-452
molecule-ai:fix/canvas-approvalbanner-mockreset
molecule-ai:fix/publish-runtime-autobump-fetch-depth
molecule-ai:fix/321-cwe22-loadWorkspaceEnv-path-traversal
molecule-ai:fix/canonicalize-staging-admin-token-rebase-462
molecule-ai:canvas-followup
molecule-ai:fix/canonicalize-staging-admin-token-rest
molecule-ai:refactor/drop-canary-prefix
molecule-ai:fix/canvas-test-and-design-fixes
molecule-ai:runtime/432-followup-helper-extraction
molecule-ai:fix/harness-replays-detect-changes-fetch-depth
molecule-ai:fix/stderr-include-a2a-error-response
molecule-ai:feat/internal-292-sop-tier-refire
molecule-ai:docs/update-remote-agent-tutorial-sdk-api
molecule-ai:fix/canvas-confirm-dialog-backdrop-a11y-v3
molecule-ai:fix/canvas-confirm-dialog-backdrop-a11y-v2
molecule-ai:fix/388-github-token-501-gitea-staging
molecule-ai:fix/dialog-backdrop-a11y
molecule-ai:runtime/414-idle-loop-skip-pending-results-v3
molecule-ai:fix/test-extract-tool-trace
molecule-ai:fix/test-plugins-atomic-tar-coverage
molecule-ai:fix/harness-replays-fetch-depth
molecule-ai:fix/test-instructions-handler-coverage
molecule-ai:sre/fix-workflow-secret-naming
molecule-ai:fix/canvas-tiers-config-string-keys
molecule-ai:fix/offsec-003-promote-to-main
molecule-ai:fix/class-e-secret-name-reconciliation
molecule-ai:fix/sop-tier-check-apt-get-first
molecule-ai:fix/307-async-test-pollution
molecule-ai:fix/sop-tier-check-jq-install-order
molecule-ai:fix/canvas-test-failures-2026-05-10
molecule-ai:runtime/fix-a2a-tools-duplicate-error-block-v2
molecule-ai:infra/sop-tier-check-jq-install-fix
molecule-ai:runtime/fix-a2a-push-delivery-mode
molecule-ai:feat/main-never-red-watchdog-internal-420
molecule-ai:feat/internal-219-phase-2bc-port-to-molecule-core
molecule-ai:fix/a11y-canvas-clean
molecule-ai:sweep/internal-219-cat-C1-port-gates-lints
molecule-ai:sweep/internal-219-cat-B-delete-github-only
molecule-ai:sweep/internal-219-cat-A-delete-mirrored
molecule-ai:fix/offsec-003-json-endpoint-sanitize
molecule-ai:sweep/internal-219-cat-C3-port-deploy-janitors
molecule-ai:sweep/internal-219-cat-C2-port-e2e
molecule-ai:fix/publish-runtime-cascade-sha-capture
molecule-ai:feat/internal-219-phase-3-port-ci-yml
molecule-ai:fix/413-a2a-delegation-offsec-003
molecule-ai:runtime/381-idle-loop-pending-messages
molecule-ai:fix/delegations-rows-err-check
molecule-ai:fix/a11y-canvas-buttons-staging
molecule-ai:runtime/fix-399-a2a-delegation-missing-import-v2
molecule-ai:fix/380-cwe59-symlink-traversal
molecule-ai:fix/388-github-token-501-staging
molecule-ai:fix/confirm-dialog-wcag-backdrop
molecule-ai:infra/sop-tier-check-jq-script-fallback
molecule-ai:fix/revert-391-broken-jq-install
molecule-ai:fix/a2a-tools-duplicate-dead-code
molecule-ai:fix/confirm-dialog-backdrop
molecule-ai:fix/canvas-confirm-dialog-backdrop-a11y
molecule-ai:infra/jq-install-main
molecule-ai:fix/sop-tier-check-jq-main
molecule-ai:fix/canvas-dialog-backdrop-a11y
molecule-ai:fix/388-github-token-501
molecule-ai:runtime/offsec-003-polling-path-v2
molecule-ai:fix/361-sanitize-delegation-results
molecule-ai:runtime/offsec-003-executor-sanitize
molecule-ai:fix/cwe22-loadWorkspaceEnv-main
molecule-ai:fix/qa-audit-307-308-clean
molecule-ai:ci/fix-293-sqlalchemy-pip-install
molecule-ai:fix/354-delegation-auto-resume
molecule-ai:runtime/platform-url-host-docker-internal
molecule-ai:fix/canvas-repair-tests-344
molecule-ai:fix/canvas-statusdot-ts-errors
molecule-ai:test/molecule-audit-hooks-coverage
molecule-ai:test/a2a-tools-and-send-message-coverage
molecule-ai:fix/sop-tier-check-jq-install
molecule-ai:test/shared-runtime-helpers-coverage
molecule-ai:fix/canvas-topology-sort-orphan
molecule-ai:fix/executor-helpers-offsec-003-sanitize
molecule-ai:runtime/offsec-003-polling-path
molecule-ai:fix/354-a2a-delegation-auto-resume
molecule-ai:runtime/fix-a2a-push-delivery-mode-v2
molecule-ai:fix/publish-runtime-add-_sanitize_a2a-to-allowlist
molecule-ai:fix/publish-runtime-missing-working-directory
molecule-ai:ci/add-sqlalchemy-to-pip-install
molecule-ai:ci-resolve-github-gitea-triplicate
molecule-ai:sre/offsec-003-boundary-escape
molecule-ai:fix/sec-321-path-traversal-clean
molecule-ai:fix/a2a-proxy-response-header-timeout-v2
molecule-ai:fix/publish-runtime-workflow-dispatch-inputs
molecule-ai:fix/a2a-push-mode-queue-envelope
molecule-ai:fix/351-split-publish-runtime-triggers
molecule-ai:feat/348-publish-runtime-restore-path-trigger
molecule-ai:fix/issue-workspace-dup-name-409-autosuffix
molecule-ai:fix/security-OFFSEC003-boundary-escape-334
molecule-ai:fix/security-CWE22-loadWorkspaceEnv-330
molecule-ai:fix/canvas-test-fixes-20260510
molecule-ai:fix/canvas-extractMessageText
molecule-ai:fix/qa-307-async-pollution-direct
molecule-ai:test/a2a-client-enrich-peer-metadata
molecule-ai:fix/docs-309-remote-faq-staging-env
molecule-ai:fix/qa-308-push-mode-queue-tests
molecule-ai:fix/qa-307-async-pollution
molecule-ai:runtime/fix-plugin-registry-import-path
molecule-ai:fix/a2a-proxy-response-header-timeout-clean
molecule-ai:fix/publish-workspace-server-ci-clone-manifest-retry-main
molecule-ai:infra/remove-pr303-tracking
molecule-ai:fix/issue-296-plugin-registry-sysmodules
molecule-ai:infra/pin-compose-image-digests
molecule-ai:chore/sync-main-to-staging
molecule-ai:fix/sec-321-path-traversal
molecule-ai:fix/a2a-proxy-response-header-timeout
molecule-ai:docs/a11y-billing-wcag-patterns
molecule-ai:fix/qa-307-test-a2a-inbox-wrappers-asyncio-refactor
molecule-ai:runtime/fix-test-config-model-isolation
molecule-ai:ci/docker-daemon-health-guard
molecule-ai:docs/fix-remote-workspaces-faq
molecule-ai:fix/publish-workspace-server-ci-clone-manifest-retry
molecule-ai:fix/test-config-env-isolation
molecule-ai:ci/staging-sha-pinning
molecule-ai:fix/external-connection-user-facing-urls
molecule-ai:fix/workspace-server-registry-config-helper
molecule-ai:fix/issue-272-sqlalchemy-ci-install
molecule-ai:fix/canvas-yaml-utils-nested-arrays-clean
molecule-ai:fix/self-delegation-guard
molecule-ai:promote/staging-to-main-100546
molecule-ai:fix/a2a-tools-v2
molecule-ai:fix/a2a-tools-and-workflow-cleanup
molecule-ai:fix/canvas-test-isolation-fixes-v2
molecule-ai:fix/molecule-model-env-go
molecule-ai:runtime/fix-delegate-empty-parts-regression
molecule-ai:infra/runtime-doc-playwright-limitation
molecule-ai:fix/offsec-001-error-message-scrubbing
molecule-ai:fix/offsec-001
molecule-ai:fix/a2a-tools-string-error-handling-clean
molecule-ai:fix/core-248-pluginresolver-and-plgh
molecule-ai:infra/fix-source-resolver-dup
molecule-ai:fix/model-provider-misnomer
molecule-ai:fix/a2a-tools-string-error-handling-v2
molecule-ai:fix/canvas-yaml-utils-test-failure
molecule-ai:fix/a2a-tools-string-error-handling
molecule-ai:fix/internal-214-gosum-vanity-import
molecule-ai:fix/canvas-test-isolation-fixes
molecule-ai:chore/canvas-statusbadge-test-fix-cherry-pick
molecule-ai:fix/canvas-statusbadge-test-role-ambiguity
molecule-ai:runtime/fix-mcp-client-localhost-default
molecule-ai:fix/core-257-delegation-test-stray-brace
molecule-ai:revert/core-d0126662-restart-signals-undefined-h
molecule-ai:revert/core-123-plugin-drift-detector
molecule-ai:ci/pin-action-and-base-images
molecule-ai:fix/org-232-per-workspace-required-env-preflight
molecule-ai:fix/ssrf-guard-before-begintx
molecule-ai:test/issue-232-per-workspace-required-env-preflight
molecule-ai:fix/issue232-org-import-required-env-aggregation
molecule-ai:fix/canvas-ts-test-errors
molecule-ai:fix/delegations-list-ledger-fallback
molecule-ai:wip-snapshot-2026-05-10/mac/molecule-core-tmp53-git-token-helper-wip
molecule-ai:wip-snapshot-2026-05-10/mac/molecules-org-molecule-core-registry-prefix
molecule-ai:fix/pluginresolver-conflict
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-pluginresolver-conflict
molecule-ai:wip-snapshot-2026-05-10/core-qa/stash-package-lock-diff
molecule-ai:feat/keyboard-shortcuts-dialog
molecule-ai:wip-snapshot-2026-05-10/core-uiux/feat-keyboard-shortcuts-dialog
molecule-ai:wip-snapshot-2026-05-10/core-fe/test-canvas-design-tokens-config
molecule-ai:test/canvas-cssvar-tests
molecule-ai:fix/internal-229-sop-tier-check-tier-low-relaxation
molecule-ai:test/canvas-utility-pure-tests
molecule-ai:test/canvas-preflight-utils-tests
molecule-ai:test/canvas-runtimeprofiles-tests
molecule-ai:test/canvas-yaml-utils-tests
molecule-ai:test/canvas-pure-function-tests
molecule-ai:fix/ci-port-publish-workspace-server-image-228
molecule-ai:fix/ssrf-validate-agent-url-212
molecule-ai:ci/sop-tier-check-approver-teams-fix
molecule-ai:fix/sop-tier-check-legacy-flip-229
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-ki001-telegram-disable-channel
molecule-ai:wip-snapshot-2026-05-10/core-be/feat-a2a-pre-restart-drain-125
molecule-ai:wip-snapshot-2026-05-10/core-be/feat-plugin-drift-queue-123
molecule-ai:fix/sweeper-race-error-counter
molecule-ai:infra/fix-issue-75-gh-cli-gitea-sweep
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-gh-api-gitea-sweep-75
molecule-ai:feat/keyboard-shortcuts-dialog-test
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-sweeper-test-isolation-86
molecule-ai:ci/fix-issue-87-root-skip
molecule-ai:fix/test-local-resolver-root-skip
molecule-ai:fix/workspace-tests-clear-auth-cache
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-a2a-delegation-success-rendered-as-error
molecule-ai:wip-snapshot-2026-05-10/core-be/fix-files-restart-volume-sync
molecule-ai:wip-snapshot-2026-05-10/core-lead/tech-debt-rename-net
molecule-ai:wip-snapshot-2026-05-10/core-lead/fix-168-mine
molecule-ai:wip-snapshot-2026-05-10/core-lead/fix-167-uiux
molecule-ai:wip-snapshot-2026-05-10/core-fe/stash-canvas-agent-comms-show-task-text
molecule-ai:fix/canvas-agent-comms-show-task-text
molecule-ai:wip-snapshot-2026-05-10/core-lead/fix-vitest-pool
molecule-ai:fix/info-disclosure-errors
molecule-ai:infra/add-temporal-to-main-compose
molecule-ai:design/verify-canvas-design-system
molecule-ai:fix/workspace-persona-git-identity
molecule-ai:fix/175-env-matched-pair-guard
molecule-ai:wip-snapshot-2026-05-10/core-lead/fix-149
molecule-ai:refactor/sop-tier-check-extract-script
molecule-ai:fix/sop-tier-check-pr-target-security
molecule-ai:ci/sop-tier-check-deploy
molecule-ai:fix/issue53-admin-token-pair-guard
molecule-ai:fix/org-import-started-event-name
molecule-ai:refactor/delete-uses-cascade-helper
molecule-ai:fix/org-import-reconcile-and-audit
molecule-ai:fix/preserve-model-secret-on-restart
molecule-ai:feat/persona-bind-mount-local-dev
molecule-ai:feat/canary-tier-filter
molecule-ai:feat/plugin-version-subscription
molecule-ai:feat/plugin-hot-reload-classifier
molecule-ai:feat/plugin-atomic-install
molecule-ai:feat/air-hot-reload-dev
molecule-ai:feat/persona-env-injection
molecule-ai:fix/external-resolver-hardening
molecule-ai:fix/issue75-class-D-gh-api-to-gitea-rest
molecule-ai:fix/cherry-3-files-vitest-postgres-e2eapi
molecule-ai:fix/promote-vitest-postgres-fixes
molecule-ai:fix/saas-plugin-install-eic
molecule-ai:fix/issue-94-e2e-api-parallel-safe-class-b
molecule-ai:migrate/issue-71-vanity-imports
molecule-ai:fix/handlers-postgres-port-collision-class-b
molecule-ai:fix/issue-96-canvas-vitest-cold-start-timeout
molecule-ai:fix/hermes-agent-doc-gitea-migration
molecule-ai:fix/196-retarget-main-to-staging-gitea-rest
molecule-ai:fix/gitea-ci-flakes-issue-88
molecule-ai:fix/pin-upload-artifact-v3-gitea
molecule-ai:fix/issue-72-auto-sync-token-canary-v2
molecule-ai:fix/issue75-class-F-gh-run-list-to-statuses
molecule-ai:fix/issue75-class-A-gh-pr-to-gitea-rest
molecule-ai:feat/issue-63-local-build-from-gitea-v2
molecule-ai:fix/195-auto-promote-staging-gitea-rest
molecule-ai:fix/144-branch-protection-check-name-parity-audit
molecule-ai:fix/harness-replays-pre-clone-manifest
molecule-ai:chore/trigger-auto-sync-verification
molecule-ai:fix/codeql-stub-on-gitea-156
molecule-ai:chore/issue173-retrigger-after-ecr-repo-create
molecule-ai:fix/issue173-inline-aws-ecr-login
molecule-ai:fix/issue173-shell-docker-push
molecule-ai:chore/retrigger-harness-replays-post-class-g
molecule-ai:fix/issue173-buildx-driver-and-cache
molecule-ai:fix/post-suspension-clone-manifest
molecule-ai:fix/issue173-followup-platform-dockerfile
molecule-ai:fix/post-suspension-github-urls
molecule-ai:fix/170-goroutine-bleed-test-isolation
molecule-ai:fix/issue173-publish-workspace-server-image
molecule-ai:fix/issue36-a2a-proxy-preflight
molecule-ai:fix/codeql-continue-on-error-156
molecule-ai:feat/demo-mock-3-bigorg-mock-runtime
molecule-ai:feat/demo-mock-1-purchase-success-modal
molecule-ai:fix/publish-path-filter-add-scripts
molecule-ai:fix/clone-manifest-gitea
molecule-ai:chore/touch-publish-workflow-to-trigger
molecule-ai:chore/retrigger-publish-post-aws-secrets
molecule-ai:chore/cherry-pick-pr23-into-main
molecule-ai:chore/backsync-main-into-staging-task-166
molecule-ai:fix/auto-sync-use-devops-token
molecule-ai:chore/retrigger-staging-on-fixed-runner-image
molecule-ai:chore/drop-github-app-auth-and-ecr-swap
molecule-ai:docs/readme-comprehensive-refresh-2026-05-06
molecule-ai:feat/rfc-2945-pr-c-2-canvas-chat-history
molecule-ai:fix/issue10-runtime-aware-plugin-install
molecule-ai:fix/s8-bind-loopback-dev
molecule-ai:fix/14-cascade-gitea-dispatch
molecule-ai:docs/molecule-core-bulk-sed
molecule-ai:chore/pin-artifact-actions-v3
molecule-ai:fix/lowercase-org-slug
molecule-ai:fix/script-ghcr-and-lint-paths
molecule-ai:docs/workspace-runtime-readme-source-edit
molecule-ai:feat/eic-tunnel-pool-core-11
molecule-ai:chore/rfc-2945-pr-c-3-delete-historyhydration
molecule-ai:fix/2872-sqlmock-regex-tightening
molecule-ai:fix/cp-orphan-sweeper-2989
molecule-ai:feat/registry-prefix-env-driven-issue-6
molecule-ai:docs/readme-refresh-2026-05-06
Labels
Clear labels
area/ci
do-not-auto-merge
kind/infrastructure
merge-queue
merge-queue-hold
platform/go
release-blocker
release-test
security
test-label-sre
tier:high
tier:low
tier:medium
triage-test
wip
CI/CD pipeline issues
Opt out of autonomous merge-queue merging
Infrastructure-related issues
Ready for serialized Gitea merge queue
Temporarily hold PR in merge queue
Go platform test issues
Blocks the staging→main promotion / a release
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
test
Work in progress — do not auto-merge
No Label
tier:low
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
agent-dev-a
agent-dev-b
agent-pm
agent-researcher
agent-reviewer
agent-reviewer-1
agent-reviewer-cr2
app-fe (Molecule AI · app-fe)
app-lead (Molecule AI · app-lead)
app-qa (Molecule AI · app-qa)
claude-ceo-assistant
claude-ci-reader
claude-status-reaper
core-be (Molecule AI · core-be)
core-devops (Molecule AI · core-devops)
core-fe (Molecule AI · core-fe)
core-lead (Molecule AI · core-lead)
core-offsec (Molecule AI · core-offsec)
core-qa (Molecule AI · core-qa)
core-security (Molecule AI · core-security)
core-uiux (Molecule AI · core-uiux)
cp-be (Molecule AI · cp-be)
cp-lead (Molecule AI · cp-lead)
cp-qa (Molecule AI · cp-qa)
cp-security (Molecule AI · cp-security)
cui (Zhanlin Cui)
dev-lead (Molecule AI · dev-lead)
devops-engineer
documentation-specialist (Molecule AI · documentation-specialist)
fullstack-engineer (Molecule AI · fullstack-engineer)
hongming
hongming-ceo-delegated
hongming-codex-laptop
hongming-kimi-laptop
hongming-pc2
infra-lead (Molecule AI · infra-lead)
infra-runtime-be (Molecule AI · infra-runtime-be)
infra-sre (Molecule AI · infra-sre)
integration-tester (Molecule AI · integration-tester)
mc-drift-bot
molecule-code-reviewer
plugin-dev (Molecule AI · plugin-dev)
pm
publish-runtime-bot
pypi-publisher (Molecule AI PyPI Publisher (RFC#596))
release-manager (Molecule AI · release-manager)
sdk-dev (Molecule AI · sdk-dev)
sdk-lead (Molecule AI · sdk-lead)
sop-drift-bot
sop-tier-bot (SOP Tier-Check Bot)
technical-writer (Molecule AI · technical-writer)
triage-operator (Molecule AI · triage-operator)
Clear assignees
agent-dev-a
agent-dev-b
agent-pm
agent-researcher
agent-reviewer
agent-reviewer-1
agent-reviewer-cr2
app-fe (Molecule AI · app-fe)
app-lead (Molecule AI · app-lead)
app-qa (Molecule AI · app-qa)
claude-ceo-assistant
claude-ci-reader
claude-status-reaper
core-be (Molecule AI · core-be)
core-devops (Molecule AI · core-devops)
core-fe (Molecule AI · core-fe)
core-lead (Molecule AI · core-lead)
core-offsec (Molecule AI · core-offsec)
core-qa (Molecule AI · core-qa)
core-security (Molecule AI · core-security)
core-uiux (Molecule AI · core-uiux)
cp-be (Molecule AI · cp-be)
cp-lead (Molecule AI · cp-lead)
cp-qa (Molecule AI · cp-qa)
cp-security (Molecule AI · cp-security)
cui (Zhanlin Cui)
dev-lead (Molecule AI · dev-lead)
devops-engineer
documentation-specialist (Molecule AI · documentation-specialist)
fullstack-engineer (Molecule AI · fullstack-engineer)
hongming
hongming-ceo-delegated
hongming-codex-laptop
hongming-kimi-laptop
hongming-pc2
infra-lead (Molecule AI · infra-lead)
infra-runtime-be (Molecule AI · infra-runtime-be)
infra-sre (Molecule AI · infra-sre)
integration-tester (Molecule AI · integration-tester)
mc-drift-bot
molecule-code-reviewer
plugin-dev (Molecule AI · plugin-dev)
pm
publish-runtime-bot
pypi-publisher (Molecule AI PyPI Publisher (RFC#596))
release-manager (Molecule AI · release-manager)
sdk-dev (Molecule AI · sdk-dev)
sdk-lead (Molecule AI · sdk-lead)
sop-drift-bot
sop-tier-bot (SOP Tier-Check Bot)
technical-writer (Molecule AI · technical-writer)
triage-operator (Molecule AI · triage-operator)
No Assignees
fullstack-engineer
fullstack-engineer
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: molecule-ai/molecule-core#1466
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "feat/canvas-lib-tests"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
design-tokens.ts: STATUS_CONFIG, TIER_CONFIG, statusDotClass, COMM_TYPE_LABELSpalette-context.tsx: normalizeStatus, tierCode, getPalettetheme-provider.tsx: THEME_COOKIE, applyResolvedTheme, themeBootScriptTest plan
🤖 Generated with Claude Code
[core-qa-agent] APPROVED — +198/-151 canvas lib unit tests (design-tokens, palette-context). Run canvas suite.
SRE APPROVE. Canvas lib unit tests: design-tokens.test.ts (+98), palette-context.test.tsx (+54/-151), theme-provider.test.tsx (+46). Tests STATUS_CONFIG, TIER_CONFIG, statusDotClass, normalizeStatus, tierCode, getPalette. No SRE concerns.
[core-security-agent] N/A — non-security-touching.
Test-only: 3 new test files — design-tokens.test.ts (+98 lines, pure STATUS_CONFIG/TIER_CONFIG/COMM_TYPE_LABELS/unit tests), palette-context.test.tsx refactor (+108/-108, pure function tests), theme-provider.test.tsx (+46 lines). All test pure data transforms. No production code, no exec, no injection.
[core-uiux-agent]
Canvas WCAG review: lgtm. Pure test coverage for design-tokens, palette-context, and theme-provider. 43 new test cases. No UI changes. Tests verified green (3293/3293 on local).
[core-uiux-agent] LGTM — canvas design-system review
Reviewed the 3 new test files on the palette-context, design-tokens, and theme-provider exports.
Quality notes:
palette-context.test.tsx— 19 cases coveringnormalizeStatus,tierCode, andgetPalette. Assertions match the source precisely (e.g.degraded → bg-emerald-400at line 71 of palette-context.tsx,MOL_LIGHT.accent = "bg-blue-500"etc.). The identity-guard and non-mutation tests are good defensive coverage.design-tokens.test.ts— 15 cases covering STATUS_CONFIG, statusDotClass, TIER_CONFIG, COMM_TYPE_LABELS. Correct.theme-provider.test.tsx— light coverage (component-type check, re-exports). Acceptable givenapplyResolvedThemeis a DOM side-effect function that needs full browser env to test meaningfully.All 34 tests pass. No issues found.
tier:low
core-fe review: APPROVED with one note. The design-tokens.test.ts and new theme-provider.test.ts additions look solid. The palette-context.test.ts refactor (+54 -151) removes React context integration tests in favor of pure-function coverage. Trade-off: faster tests but MobileAccentProvider and usePalette no longer have direct coverage. Suggest adding those back as a follow-up if the integration is important to verify automatically. Overall: 43 new tests, 3 files, tier:low — good coverage addition.
Non-author Five-Axis review — APPROVE-WITH-NIT. +198/-151 test-only across canvas/src/lib/tests/. design-tokens.test.ts pins shape of STATUS_CONFIG/TIER_CONFIG/COMM_TYPE_LABELS + statusDotClass fallback (legit contract snapshot). palette-context.test.tsx refocuses on pure functions (correctly so, after jsdom plumbing tangle). theme-provider.test.tsx has 2 real assertions + 2 placeholder-ish (testing JSDOM, not the function).
5-axis: no blockers. Nit: replace placeholder theme-provider blocks or delete them; re-add MobileAccentProvider/usePalette coverage if those are on a live render path. CI: runner config NOT touched (zero sibling-suite risk). Gate on E2E Chat / Handlers Postgres / E2E API Smoke flipping green + second non-author APPROVE (infra-sre PENDING).
Independent non-author second-eyes review (reviewer = hongming-pc2, not the author).
Verified against current head
3ba08a2dc860. Tests-only refactor, 3 files, +198/-151.Read the full 420-line diff. Three test files:
design-tokens.test.ts(new, +98 lines) — clean coverage of the 4 exports the file owns:STATUS_CONFIGshape + canonical-status presence (7 statuses) + spot-checks (provisioninghasanimate-pulsefor motion-safe rendering,failed/degradedhaveglowclasses).statusDotClassknown/unknown/empty cases (returnsbg-zinc-500fallback for non-match, which is the safe-default I'd expect).TIER_CONFIGshape + T1-T4 label correctness + tier→color semantics (tier 1 = ink-mid safe/read-only,tier 2 = accent full agents,tier 3 = violet privileged,tier 4 = warm full-host). These assertions encode an intent contract: if someone refactors the tier colors and breaks the semantic mapping, the test fires.COMM_TYPE_LABELSa2a_send → "sent"/a2a_receive → "received".palette-context.test.tsx(refactored, 205 → 108 lines) — drops the oldMobileAccentProvider/usePalettecontext-rendering tests and keeps only pure-function tests fornormalizeStatus,tierCode,getPalette. Wave 2 cross-checked that pure-fn coverage is equivalent post-refactor; my read agrees the pure-fn assertions are well-shaped (all status→bg-* mappings +unknown//offline/provisioning/nonsense/""→bg-zinc-400fallback path verified; T1-T4 mapping verified).Open question I'm flagging (not a blocker): the old
MobileAccentProvider/usePalettetests were dropped. If those exports still exist inpalette-context.tsx, this PR reduces coverage; if they were already moved/removed in a prior PR, the old tests were stale and this cleans up. The new test file's imports (normalizeStatus,tierCode,getPalette,MOL_LIGHT,MOL_DARK) omit the context bits, suggesting they've been moved — probably totheme-provider.tsxbased on the third file in this PR. If the React context is now intheme-provider, the placeholder tests below should ideally grow into real context tests in a follow-up.theme-provider.test.tsx(new, 46 lines) — Wave 2's documented nit, confirmed by my read. 4 tests; 2 are placeholders that don't really exercise thetheme-provider.tsxmodule:applyResolvedThemetest setsdocument.documentElement.dataset.themedirectly and reads it back — it's testing the DOM API, not the provider's logic.ThemeProvider is a functiontest just assertstypeof === "function"— TypeScript already enforces this.The other 2 are real lightweight smoke tests on re-exports (
THEME_COOKIE = 'mol_theme'+themeBootScriptis a non-empty string). Those are valid — they catch the case where the re-export gets refactored out by accident.Agree with Wave 2's classification: nit, not a blocker. A real follow-up PR should add tests that actually render
<ThemeProvider>and verify it setsdata-themebased on cookie/system-preference resolution. Filing that as worth raising but not requesting changes for this PR — it's a documented "placeholder file for future expansion" pattern and the placeholders don't break anything.No code-side changes; purely test surface. Risk = zero for runtime behavior.
LGTM with the documented nit. Approving.
Tests in ExternalConnectModal.test.tsx used document.querySelector("pre") which returns the first pre in DOM order. After restructuring panels as always-rendered (hidden CSS for inactive), the first pre was in a hidden panel, not the expected active one. Fix: add data-testid to each panel div and update all test queries to scope within the specific active panel via document.querySelector("[data-testid='panel-...']"). All 18 tests pass. Build passes. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>core-qa-agent and core-security-agent approve PRs via issue comments, not the reviews API. The reviews API returns zero entries for comment-only approvals (internal#348), causing qa-review / security-review gates to fail on every PR — even when both agents have explicitly approved. Changes: - review-check.sh: after reviews-API candidate check fails, fetch GET /repos/{owner}/{repo}/issues/{N}/comments and extract logins that posted (a) the agent-prefix pattern ([core-qa-agent] or [core-security-agent]) OR (b) a generic approval keyword (APPROVED / LGTM / ACCEPTED, word-anchored, case-insensitive). Non-author filter is applied. Candidates from comments are merged and fall through to the team-membership probe, same as reviews-API candidates. - _review_check_fixture.py: add T15 (agent-prefix match → exit 0), T16 (generic keyword match → exit 0), T17 (no approval → exit 1) scenarios with corresponding issue comments endpoint handler. - test_review_check.sh: add T15, T16, T17 regression tests. Also fixes a JQ operator-precedence bug in an earlier draft where `| $cmt.user.login` was placed OUTSIDE the `or` expression, causing the filter to always output the login (jq resolves bound variables regardless of the current context). Fixed by using `if-then-elif-else-empty` so the login projection only fires on a genuine match. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>Tests in ExternalConnectModal.test.tsx used document.querySelector("pre") which returns the first pre in DOM order. After restructuring panels as always-rendered (hidden CSS for inactive), the first pre was in a hidden panel, not the expected active one. Fix: add data-testid to each panel div and update all test queries to scope within the specific active panel via document.querySelector("[data-testid='panel-...']"). All 18 tests pass. Build passes. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>Wire container-side `git` HTTPS authentication to the persona credentials that already arrive via workspace_secrets (GITEA_USER / GITEA_TOKEN, GIT_HTTP_USERNAME / GIT_HTTP_PASSWORD) without mutating ~/.gitconfig or ~/.git-credentials inside the container. Mechanism: 1. New generic GIT_ASKPASS helper baked into the workspace runtime image at /usr/local/bin/molecule-askpass. Script body is hostname- free and vendor-neutral — the deployer decides which remote the credentials apply to by virtue of populating the env vars. 2. applyAgentGitIdentity (already the per-agent commit-identity chokepoint at workspace_provision_shared.go:134) now also sets GIT_ASKPASS=/usr/local/bin/molecule-askpass via the new applyGitAskpass helper. Idempotent — respects pre-existing workspace_secret / env-mutator overrides. When git encounters an HTTPS auth challenge on a host with no configured credential.helper, it invokes GIT_ASKPASS to read the username + password from env. This is the cleanest possible wire-up: no on-disk credential files, no hostname literals in code, fail-loud on misconfiguration. Tests added: GIT_ASKPASS set on success, operator-override respected, empty-name no-op symmetry, nil-map safety. Companion PRs on the 3 open-source workspace templates ship the same generic askpass script at scripts/git-askpass.sh → identical install path. Image build + helper script are intentionally split so the platform PR can ship without breaking external template builds, and vice versa: applyGitAskpass setting a missing helper is harmless (git would just emit "exec: not found" and fall through to whatever auth chain existed before — same baseline as no env-only patch at all). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>Adds workspace-server/internal/provisioner/t4_privilege_contract.go as the single source of truth for the T4 ("full machine access") capability set that template-repo CI workflows currently re-implement as bespoke shell. Today's t4-conformance gates in template-claude-code / template-hermes / template-codex each hand-assert agent-uid + token-ownership + host-root reach. The shell drifts (the very Hermes 401 class bug came from drift), and there's no way to add a new capability fleet-wide without N template PRs. This contract: * Defines T4Capability as code (Name/Description/Probe/Severity/Source) * Lists the closure: agent_uid_1000, auth_token_agent_owned, host_root_reach_via_nsenter, host_fs_write_readback, docker_socket_reachable, list_peers_http_200, agent_home_writable, network_egress_https, privileged_flag_observable, pid_host_visible * Renders to YAML via AsYAML() and cmd/t4-contract-dump so any template CI can do: go run ./workspace-server/cmd/t4-contract-dump > t4_capabilities.yaml and iterate capabilities — new capabilities propagate without per-template PRs. * Pure stdlib + no Molecule-AI-internal deps so fork users can adopt the same contract. Anti-drift unit tests (7, all green): - all caps have required fields - names unique - core closure (RFC#456 + task #128/#174) is present - hard-severity is strict majority - YAML is deterministic + escapes double quotes - YAML header cites internal#456 - AgentUID const consistent with probes Does NOT change Docker/Dockerfile or any existing emit-side behavior; this is purely additive. The provisioner.go T4 branch is unchanged. Templates adopt the YAML in a separate PR (pilot: template-claude-code). Refs: RFC internal#456, task #174, memory reference_per_template_privilege_contract_class_audit_2026_05_16, memory feedback_hermes_listpeers_401_token_root600_unreadable_by_uid1000. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>The Universal MCP install snippet hardcoded `claude mcp add molecule -s user` — `claude mcp add` keys entries by name, so installing for workspace B silently overwrote workspace A in the user's ~/.claude.json. A single external Claude Code session ended up able to talk to only ONE molecule workspace at a time — the CTO-observed "this is per-session" UX (2026-05-18 22:28Z). MCP itself supports many servers per session; the install snippet was the only thing standing in the way. Fix: derive a unique server name per workspace at payload-build time — `molecule-<slug>` where slug = lowercased/hyphen-collapsed workspace name (max 24 chars), falling back to the first 8 chars of the workspace ID when the name is empty or slugifies to nothing. The result is alphanumeric + hyphens only (URL-safe + Claude-Code-name-safe). Plumbed through all 3 callers of BuildExternalConnectionPayload: - Create (workspace.go) passes payload.Name directly. - Rotate / GetExternalConnection (external_rotate.go) extend the existing runtime lookup to also SELECT name in the same round-trip (lookupWorkspaceRuntimeAndName replaces lookupWorkspaceRuntime — one query, no extra DB load). Snippet header now documents the multi-workspace contract: re-running the snippet from another workspace's modal ADDS another entry; same- name workspaces collide by design, rename one to disambiguate. Surgical: only externalUniversalMcpTemplate gained a {{MCP_SERVER_NAME}} placeholder. Other tabs (Python SDK / curl / Hermes / codex / openclaw / kimi) already use distinct config keys per provider and aren't affected. Tests: TestBuildExternalConnectionPayload_McpServerNameUniquePerWorkspace pins 4 cases (plain name, name w/ spaces+caps, name w/ symbols, empty name fallback to UUID prefix) — would have caught the original "claude mcp add molecule" regression. Existing rotate/get tests updated for the 2-column SELECT. Related: task #229 (molecule-mcp-claude-channel install-doc blockers). This is the canvas-side counterpart — that PR fixed the plugin docs, this PR fixes the modal-generator snippet operators actually copy. Sample generated lines (was → now): was: claude mcp add molecule -s user -- env WORKSPACE_ID=... molecule-mcp now: claude mcp add molecule-my-bot -s user -- env WORKSPACE_ID=... molecule-mcp (where "my-bot" is the workspace name; "molecule-12345678" if unnamed) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>## Summary - mc#1535 fixed the per-session-overwrite bug in the Universal MCP snippet (`claude mcp add molecule -s user` keyed by `molecule`, so installing for a second workspace silently replaced the first). The same equivalence-class bug exists in EVERY other runtime tab the Canvas modal renders: each MCP host keys its config by name, and all five templates hardcoded a fixed `molecule` identifier. - This PR extends mc#1535's existing `{{MCP_SERVER_NAME}}` placeholder + `mcpServerNameForWorkspace()` helper into the 4 remaining templates so the Canvas snippet a user pastes is unique per workspace by construction across ALL runtime tabs — multi-workspace works out-of-the-box with no per-host workarounds. ## Bug shape per runtime tab (mc#1535 sibling) - **codex** (`~/.codex/config.toml`): `[mcp_servers.molecule]` — TOML rejects duplicate table keys, so re-paste either breaks parsing or overwrites. - **openclaw** (`~/.openclaw/mcp/molecule.json`): `openclaw mcp set molecule` keyed by name — second workspace overwrites. - **hermes** (`~/.hermes/config.yaml`): `plugin_platforms.molecule:` — YAML rejects duplicate mapping keys, second workspace silently collapses. - **kimi** (`~/.molecule-ai/kimi-workspace/`): single per-host dir — second workspace's env+bridge.py overwrites the first. ## What changed - `workspace-server/internal/handlers/external_connection.go`: - 4 templates now stamp `{{MCP_SERVER_NAME}}` (the same slug mc#1535 already derives + plumbs into the universal_mcp snippet) in the keyed identifier: - codex: `[mcp_servers.{{MCP_SERVER_NAME}}]` + `.env` table. - openclaw: `openclaw mcp set {{MCP_SERVER_NAME}}` + log path. - hermes: `plugin_platforms.{{MCP_SERVER_NAME}}:`. - kimi: `~/.molecule-ai/kimi-{{MCP_SERVER_NAME}}/` dir + embedded python `ENV` path. - Header comment in each template documents the multi-workspace contract (mirrors mc#1535's universal_mcp header). - `workspace-server/internal/handlers/external_rotate_test.go`: - New `TestBuildExternalConnectionPayload_AllRuntimeSnippetsAreWorkspaceUnique` pins the per-template literal that proves the slug was stamped, AND asserts no template leaves a literal `{{MCP_SERVER_NAME}}` placeholder — catches a future template author who forgets to register a new tab with the stamp pipeline. - `workspace/a2a_mcp_server.py`: - Comment-only update on `serverInfo.name` to reflect that the per-host registration name is workspace-specific. No code change; `serverInfo.name` stays the generic `"molecule"` self-label. - `scripts/build_runtime_package.py` (PyPI README generator): - Updates 3 `claude mcp add molecule -- molecule-mcp` references to `claude mcp add molecule-<workspace-slug> -- molecule-mcp` so the PyPI README matches the Canvas-stamped snippet pattern. - Adds a "Server name in `claude mcp add` is workspace-specific" bullet pointing at mc#1535 + this PR for context. ## Open-source-templates cleanliness check - Templates touched here live in the PRIVATE molecule-core repo (Canvas modal generator); they STAMP per-workspace server names but do NOT bake any new `git.moleculesai.app` literal or other org-internal infra. Generic `pip install 'git+https://git.moleculesai.app/molecule-ai/hermes-channel-molecule.git'` in the hermes template is the only such URL touched and was pre-existing — that one points at a public hermes-side plugin and has its own canonical URL; not in scope for the open-source-template rule (the rule applies to template-codex/template-hermes/ template-openclaw — separate public repos, untouched here). - No `.moleculesai.app` literal added; persona-token shape unchanged (auth_token still per-workspace minted by Rotate/Create — same path mc#1535 audited). ## Sample stamped snippets (workspace name "my-bot", slug "molecule-my-bot") - codex: `[mcp_servers.molecule-my-bot]` + `[mcp_servers.molecule-my-bot.env]` - openclaw: `openclaw mcp set molecule-my-bot "$(cat <<EOF ... )"` - hermes: `plugin_platforms:\n molecule-my-bot:\n enabled: true` - kimi: `~/.molecule-ai/kimi-molecule-my-bot/{env,kimi_bridge.py}` ## Diff size - 4 files, +135/-40 LoC. Most of it is comment text + the new test. - Did NOT change `BuildExternalConnectionPayload` signature or `mcpServerNameForWorkspace` semantics — both were already plumbed by mc#1535 to all 8 snippets via the stamp closure; this PR only updates the template text to USE the placeholder. ## Test plan - [x] `go test ./internal/handlers/ -run TestBuildExternalConnectionPayload` — 5/5 green, including new `_AllRuntimeSnippetsAreWorkspaceUnique`. - [x] `go test ./internal/handlers/` full package — 15.9s green. - [x] `go vet ./internal/handlers/` — clean. - [ ] Manual (post-merge, requires mc#1535 also merged): create two "bot-a" + "bot-b" external workspaces on staging; paste each tab's snippet into the corresponding host on a single machine; verify `claude mcp list` / `cat ~/.codex/config.toml` / `openclaw mcp list` / `~/.hermes/config.yaml` / `ls ~/.molecule-ai/` each shows BOTH workspaces' entries side-by- side, not overwriting. ## Sequencing - This PR's base is mc#1535's branch (`fix/add-to-claude-code-unique-server-name-per-workspace`), because it reuses mc#1535's `{{MCP_SERVER_NAME}}` placeholder + slug helper + `BuildExternalConnectionPayload(workspaceName)` signature change. Will need a rebase on main after mc#1535 lands; prefer to keep stacked to make the review of EACH PR scope-tight. - CTO 2026-05-18 22:43Z: "其实是我们没有做好instruction,这个得补充" — this PR is the consolidated per-repo doc/generator fix. ## Related - Sibling: mc#1535 (Universal MCP snippet, already open). - Follow-up #230: molecule-core stale channel-install mentions (CONTRIBUTING.md:195, etc.) — separate scope. Author identity: core-devops (per-role persona; not founder-PAT). Opened for non-author review, NOT auto-merged. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>Adds the standard Next.js App-Router SEO surface to the canvas landing so the marketing push has crawlable metadata + structured data on day one. What landed: - layout.tsx — Metadata API: title.template, description, keywords, canonical, metadataBase, OG/Twitter text fields, robots index:true. JSON-LD @graph (Organization + WebSite + SoftwareApplication) injected with the per-request CSP nonce. - robots.ts — allow public marketing routes (/, /pricing, /blog), disallow /orgs, /api/, /cp/, /checkout/; declares sitemap + canonical host. - sitemap.ts — apex + pricing + live blog post; authed routes excluded by construction. - opengraph-image.tsx — segment-level dynamic OG card via next/og ImageResponse (1200x630); no static binary blob. - __tests__/seo-routes.test.ts — pins the crawler contract (10 cases) so a future refactor can't silently flip the marketing surface to noindex or drop the sitemap. Out of scope (per issue): design copy, hero rewrite, Lighthouse CWV tuning. Those are CTO/marketing inputs and a separate ticket. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>Three-layer cohesive fix for the 2026-05-19 ~00:05-00:09Z 4x reprov thrash class observed on prod-Reviewer + prod-Researcher: a single secrets PUT fanned out into 4x stop+provision cycles per workspace within 4 min, each stopping the just-launched (still-pending) EC2 of the previous cycle. Root-caused via Loki (provision.ec2_started / ec2_stopped pairs). Empirical chain (all in workspace-server/internal/handlers/): 1. secrets.go SetSecret → go h.restartFunc → coalesceRestart cycle. 2. runRestartCycle sets url='' synchronously, then async provisions EC2. 3. During 20-30s pending window: url='' AND cpProv.IsRunning()==false — indistinguishable from a dead container. 4. Canvas /delegations poll OR the trailing restart-context probe fires ProxyA2A → maybeMarkContainerDead OR preflightContainerHealth → RestartByID → loop. 5. coalesceRestart's pending flag drains by running ANOTHER full cycle → ec2_stopped of the just-booted instance → re-provision. Fix (single PR, three interdependent layers): L1) Restart-aware health probes — workspace_restart.go exposes isRestarting(workspaceID) bool. Both maybeMarkContainerDead and preflightContainerHealth early-return false/nil while a restart cycle is in flight. Breaks the self-fire at the probe layer. L2) Restart-context probe gate — sendRestartContext now requires url != '' AND last_heartbeat_at > restart_start_ts before firing the trailing ProxyA2A probe. Adds waitForFreshHeartbeat() next to waitForWorkspaceOnline. Belt-and-suspenders so the probe never tries until the new container is actually addressable. L3) RestartByID debounce — silent-drop successive RestartByID calls within restartDebounceWindow=60s of restartStartedAt. Not coalesce (which would still drain to another full cycle). Drop is observable via restartByIDDropCounter (atomic.Uint64) + the dropped log line. Only programmatic path; HTTP Restart handler is unaffected. Tests: - TestIsRestarting_{FalseWhenNoStateEntry,TrueWhileCycleRunning} - TestMaybeMarkContainerDead_SkippedWhileRestarting (L1) - TestPreflightContainerHealth_SkippedWhileRestarting (L1) - TestRestartByID_DebounceSilentDrop (L3, counter assertion) - TestRestartByID_DebounceExpiresAfterWindow (L3, window release) - TestRestartByID_SingleProvisionPerRestart (regression — asserts exactly 1 cycle per trigger, with 4 dropped self-fire probes) Existing coalesce/restart/preflight/maybeMarkContainerDead tests remain green. Full handlers suite: ok in 15.8s. Closes internal#544. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>Mirror the pattern already used in molecule-controlplane/Dockerfile. Currently workspace-server only sets -X buildinfo.GitSHA; add -trimpath plus -s -w (strip symbol table + DWARF debug info) inside the same -ldflags string. The -X GitSHA injection is preserved (verified via strings(1) on locally-built binary). Empirical local measurement (CGO_ENABLED=0 GOOS=linux GOARCH=amd64, go 1.26.3, /platform binary only): before 44,669,544 bytes (42 MB) after 31,191,202 bytes (29 MB) delta 13,478,342 bytes (12 MB) — 30.2% reduction RFC#563 reports the published *image* deltas as 87 -> 61 MB (-26 MB, ~29%); the per-image figure is larger than the per-binary figure because both /platform and /memory-plugin are stripped, and the binary is one layer of the multi-layer image. Flag semantics (Go 1.26): -trimpath strip absolute build-host paths from object code (also improves reproducibility) -ldflags "-s -w" linker drops symbol table (-s) and DWARF debug info (-w); -X-injected strings are NOT in the symbol table so GitSHA survives stripping Single-purpose change: only ws-server Dockerfile + Dockerfile.tenant touched; no behavioral changes to the binaries themselves.Add internal/audit with single Emit(ctx, event_type, fields) entrypoint that ships JSON-encoded records via two transports: 1. audit:-prefixed stdout line — tenant Vector docker-logs source already ships this to Loki. No obs-stack change required. 2. Best-effort append to /var/log/molecule-audit.jsonl — durable forensic copy, target for the dedicated Vector file source in Phase 2. Schema is stable v1 (ts, event_type, workspace_id, user_id, actor_kind, correlation_id, fields). Cardinality budget keeps workspace_id + user_id + correlation_id OUT of Loki labels (JSON body only) — fleet active-stream count ~200, well within Loki headroom. Phase 1 wires secret.set and secret.delete on the workspace-scoped (POST/PUT/DELETE /workspaces/:id/secrets) and admin-scoped (POST/DELETE /admin/secrets, /settings/secrets) handlers. value_hash is the first 8 hex chars of sha256(value) — never the raw value. Tests cover: stdout emit, JSONL append, file-failure fallback, concurrent integrity, hash bounds, raw-value-never-emitted contract. Vet + handler-secret tests pass. See: rfc internal/rfcs/audit-log-to-loki.mdCTO 2026-05-19 directive on forensic a99ab0a1 (reno-stars >50MB upload that surfaced "signal timed out" when the real cause was file-size + a fixed 60s client timeout): "if its file size issue, should have error that instead saying timeout which is wrong" Bundles the cap raise + the wrong-reason fix in ONE PR because the two are coupled — bumping the server alone would still leak the fixed-60s timeout for legitimate slow uploads; fixing the client alone would 413 every >50MB attempt. Server (push-mode, EC2 workspace): - workspace-server/internal/handlers/chat_files.go: chatUploadMaxBytes 50→100 MB httpClient.Timeout 120→1200 s (matches the new slow-uplink budget) - workspace/internal_chat_uploads.py: CHAT_UPLOAD_MAX_BYTES 50→100 MB CHAT_UPLOAD_MAX_FILE_BYTES 25→100 MB (aligned with total so a single legitimate large file succeeds end-to-end) Canvas: - canvas/src/components/tabs/chat/uploads.ts: MAX_UPLOAD_BYTES 100 MB constant + FileTooLargeError class pre-flight gate: file-size violation throws BEFORE any fetch, with the actionable "File too large (got X MB) — limit is 100MB" computeUploadTimeoutMs: 60s floor + 100 KB/s scaled deadline (was a fixed 60s — the root cause of the forensic) - canvas/src/components/tabs/chat/hooks/useChatSend.ts: mapUploadErrorToReason: routes each cause to ITS OWN message (FileTooLargeError | TimeoutError | server-Error | fallback) no conflation between file-size and connection-too-slow Tests: - workspace-server chat_files_test.go: pins 100 MB constant, asserts sub-cap forwards + over-cap non-2xx - canvas uploads.cap.test.ts (10 cases): pre-flight gate, exact-cap edge, scaled-timeout curve, server-413 propagation, AbortSignal shape — explicit negative on "TimeoutError ≠ FileTooLargeError" - canvas useChatSend.errorReason.test.ts (5 cases): per-cause message contract, explicit negatives that guard against the wrong-reason conflation Test harness mirror: - tests/harness/cf-proxy/nginx.conf: client_max_body_size 50m→100m (this is the harness mirror; the production CF / nginx tier is out-of-repo. If prod still caps at 50m, this mirror passes while prod 413s — surface to ops.) Follow-up (SSOT, NOT in this PR): The 100 MB constant now lives in THREE mirror sites (canvas TS + workspace Python + platform Go). Per feedback_no_single_source_of_truth, the proper fix is exposing the cap via GET /uploads/limits so the client fetches the live value. Filing as a separate issue. References: - task #295 (internal tracker; CTO-authorized this work) - forensic a99ab0a1 (reno-stars 2026-05-19) - feedback_surface_actionable_failure_reason_to_user (CTO 2026-05-17) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>Adds a self-contained docker-compose harness in local-e2e/ that gates RFC#600-class template changes BEFORE customer canary. Implements the 4 canonical canaries: 1. 2-turn name continuity — SessionStore key derivation 2. File-only message — no caption drop-to-empty-prompt regress 3. File + prompt (multimodal) — multimodal happy path 4. Cross-session memory — explicit memory tool, distinct context_ids Architecture is deliberately lean per CTO "separate CI as possible": local-e2e/ docker-compose.yml # runtime + cp_sim ONLY (no platform Go, no pg) cp_sim/ # ~250 LoC Python A2A wire-shape emitter cp_sim/canary/ # 4 canary scenarios + layer-isolation probes scripts/run-canary.sh # one-shot orchestration (target <3 min) scripts/onboard-template.sh # gitops helper for cascade templates/session-continuity-e2e.yml # canonical workflow shim Rationale for a Python tenant-CP simulator (not the real workspace-server): SessionStore behaviour is fully owned by workspace/a2a_executor.py + executor_helpers.py — the Go platform service doesn't touch session continuity. Excising it gets the harness to <3 min cold-boot on docker-host runners and keeps the surface small enough to debug fast. The simulator emits the byte-identical JSON-RPC message/send envelope that workspace-server POSTs (cross-checked against tests/e2e/test_chat_attachments_e2e.sh and workspace/a2a_executor.py :_core_execute). Per feedback_no_single_source_of_truth: the harness IS the canonical session-continuity validator across templates. Per-template unit tests keep covering their own guard logic. Per feedback_image_promote_is_not_user_live + feedback_verify_actual_ endstate_not_ack_follow_sop: every canary asserts at the running- container layer; artifacts dump SessionStore state + runtime logs on failure for post-mortem. Rollout (deliberate sequencing, per task #342): 1. THIS PR — lands harness in molecule-core. NOT yet wired to any template repo. 2. Companion PR in molecule-ai-workspace-template-hermes — adds .gitea/workflows/session-continuity-e2e.yml. NOT required yet. 3. Bake on hermes for ≥5 business days. 4. Cascade to remaining 6 templates via onboard-template.sh. 5. Per-template BP flip — add "session-continuity-e2e (pull_request)" to status_check_contexts on each repo, hermes first. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>Eliminates the upload-cap drift class that produced mc#1588 (push-mode bumped to 100MB) and mc#1589 (poll-mode + DB CHECK catch-up one day later). The same five surfaces had to be hand-synced for every cap change; this PR collapses the Go-side mirrors into a single source (internal/uploads) and exposes that source via a public GET /uploads/limits endpoint so the out-of-process consumers (canvas TS, workspace Python push + poll) can converge in Phase 2 follow-ups. Source: * internal/uploads/limits.go — UploadLimits struct + DefaultUploadLimits() (per_file_bytes=100MB, per_request_bytes=100MB, max_attachments_per_message=10). JSON-tagged shape is the stable wire contract. * Pinned by internal/uploads/limits_test.go — every cap change must update this test as part of the same PR (forces a reviewer to see the cap move and audit the matching DB migration + nginx config). Endpoint: * GET /uploads/limits — public, no auth, mirrors /buildinfo rationale (platform constraint, not operational state; gating it would force pre-auth UX before learning the cap). * Cached in the binary via DefaultUploadLimits(); zero per-request DB round-trip. Go consumer convergence: * pendinguploads.MaxFileBytes — now var derived from uploads.DefaultUploadLimits().PerFileBytes (int cast preserves the int-typed API surface so len() comparisons and make([]byte, N+1) sites keep working). * handlers.chatUploadMaxBytes — now var derived from uploads.DefaultUploadLimits().PerRequestBytes (int64 for http.MaxBytesReader). * chat_files.go line 631: int64(pendinguploads.MaxFileBytes) conversion for fh.Size (multipart.FileHeader.Size is int64). * chat_files_poll_test.go: matching int64 cast in the skip-guard that compares per-file vs body cap. Tests: * internal/uploads/limits_test.go — pins values + JSON wire shape. * internal/router/uploads_limits_route_test.go — pins endpoint is public + 200 + payload matches DefaultUploadLimits + in-tree Go consumers agree with the SSOT. * Full workspace-server test suite green (go test ./... — all packages ok). Boundaries (intentional non-changes): * Cap value stays at 100MB everywhere — no behavior change for any upload. The 25→100MB bump landed in mc#1588 + mc#1589; this PR is purely the SSOT refactor. * Migration's pending_uploads.size_bytes CHECK upper bound stays at 104857600 — DB constraints can't read Go vars at runtime, so this constant lives in lockstep with DefaultUploadLimits and the migration's --comment notes the dependency. Bumping the cap is still a two-step coordinated dance (Go default + matching migration) but step 1 is now one line. * Canvas TS (MAX_UPLOAD_BYTES) + workspace Python (CHAT_UPLOAD_MAX_BYTES / MAX_FILE_BYTES) stay as their own pinned-100MB constants for this PR; the Phase 2 follow-up migrates them to fetch /uploads/limits at startup with a cache. The doc comments in chat_files.go point at this PR so reviewers of the Phase 2 PR can trace the SSOT lineage. Why the canvas + Python migrations are NOT in this PR: Each consumer needs a different cache+retry shape (canvas at app-init in a browser, workspace Python at module-load in the container, python ingest similar but distinct). Bundling all of them into a single mega-PR fails the review-able-unit test and blocks CI for hours on a single conflict. The source-first sequencing (this PR) + per-consumer follow-up PRs ships faster through 2-eye review per CTO 2026-05-19 move-fast directive.Extends extractAttachmentsFromRequestBody to handle canvas-direct file pastes / drag-drops (method=chat_upload_receive) where request_body is a flat upload manifest {uri, name, size, file_id, mimeType} with no parts[] wrapper. - New extractAttachmentFromFlatUploadManifest fallback arm (after the existing message-parts arm) - mimeType (canvas camelCase) -> mime_type (snake_case) normalization - kindFromMimeType: image/audio/video prefix -> matching kind, else file - Min-info skip when neither uri nor name present - message-parts arm takes precedence (pinned by test) Approved by core-be + core-qa onb6f2b90e9d, gated on required-context CI / all-required (pull_request) == success (per fixed dispatch hygiene that reads BP required_status_check_contexts rather than combined_state). Downstream: workspace-runtime#37 follow-up arm mirrors this for Python pre-L1 platforms; channel-plugin one-liner adds ?include=peer_info to pollWorkspace so the adapter actually receives the L1 projection. Co-authored-by: hongming-pc2 <hongming-pc2@moleculesai.app> Co-committed-by: hongming-pc2 <hongming-pc2@moleculesai.app>Adds a heuristic that detects stale PR branches where the base SHA has drifted behind target HEAD. Distinguishes files that are "inherited" from base divergence (already on target via prior commits) from genuinely new PR work, preventing misattribution of scope creep when branches are stale. Implementation: - New signal_4_branch_divergence() compares PR.base.sha to current target-branch HEAD via the Gitea API. - If diverged, paginates /commits to count commits behind and collect filenames changed on target since base. - Cross-references with /pulls/{n}/files to compute inherited vs new-work fractions. - Emits WARNING when >50% inherited or >5 commits behind with overlap. - Advisory only — never blocks merge (WARNING is not in blockers list). Updates: - VERDICT_ORDER expanded with WARNING between N/A and CLEAR. - format_comment renders divergence stats + inherited file list. - Workflow YAML comment block updated to list signal 4. - 4 new unit tests cover: no-divergence, inherited-files WARNING, no-overlap CLEAR, and API-error N/A fallback. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>The integration test clones molecule-ai-org-template-molecule-dev via HTTPS using exec.Command("git", "clone", ...). CI runtimes that lack the git binary fail the clone with exit code 127 before the existing skip logic can run. Add an exec.LookPath("git") guard at the top of the test body so it skips cleanly with t.Skip when git is absent. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>Gitea can return reviews with user: null (deleted account / bot edge case). signal_1_comment_scan crashed with AttributeError when calling .get() on None. Fixed both occurrences: - reviews loop: r.get("user", {}).get("login", "") → (r.get("user") or {}).get("login", "") - comments loop: c.get("user", {}).get("login", "") → (c.get("user") or {}).get("login", "") Added regression test test_signal_1_null_user_in_review_does_not_crash. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>When the token owner is not in the queried team, Gitea 1.22.6 returns 403 on GET /teams/{id}/members/{user}. Previously review-check.sh immediately exited 1 on the first 403, which failed the entire gate even if other valid team-member candidates existed. Change to continue (skip the candidate) so the gate only fails when NO candidate can be verified. This closes the RFC#324 token-scope gap for multi-reviewer PRs while keeping fail-closed semantics when all candidates are unverifiable. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>New commits pushed, approval review dismissed automatically according to repository settings
New commits pushed, approval review dismissed automatically according to repository settings
REQUEST_CHANGES after 5-axis review on current head
8b25aec245.Correctness: the PR title/body say this adds Canvas lib unit tests for design-tokens, palette-context, and theme-provider. The current diff does not match that scope: it is ~137k lines and changes .env.example, CI drift scripts, deploy/review/status tooling, SOP checklist logic/config/tests, multiple workflows, and more. This cannot be approved as the stated Canvas unit-test PR.
Robustness: the diff changes broad CI/deploy/SOP enforcement behavior, including new path-filter helpers and workflow rewrites. Those changes need focused PRs with dedicated rationale and validation, not a large unrelated bundle under a Canvas test title.
Security: broad workflow and deployment-script changes can affect enforcement and secret-handling surfaces; they require focused review. No approval from this title/scope.
Performance: CI path-filter/deploy/status tooling changes can affect runner behavior and gate latency; not acceptable as incidental drift.
Readability: the title/body are stale relative to the current head, making reviewer intent and merge risk unclear.
Please replace this with the stated Canvas unit-test-only diff, or split/retitle the CI/SOP/deploy changes into focused PRs.
View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.