P2-A internal#718: bring provider registry to molecule-core via codegen + verify-CI (NO behavior change) #1970

Merged
hongming merged 2 commits from feat/internal-718-p2a-registry-codegen-distribution into main 2026-05-28 01:10:26 +00:00
Owner

internal#718 P2-A — bring the provider registry to molecule-core (codegen + verify-CI)

NO BEHAVIOR CHANGE (additive, like P0). Distributes the provider-registry SSOT into molecule-core per the CTO-decided shape (internal#718 comment 2026-05-27: "Distribution = SDK via codegen + verify-CI", multi-repo branch "codegen-checked-into-each-repo + verify-CI").

molecule-core has no Go module dependency on molecule-controlplane, so this lands a synced copy of the canonical providers.yaml plus the loader, DeriveProvider/IsPlatform/ResolveUpstream, the generated Go projection (cmd/gen-providers), and the drift gates — a byte-faithful mirror of the controlplane P0/P1 machinery. Canonical SSOT stays in controlplane internal/providers/providers.yaml; fingerprint faffcbe59bb9f38c matches CP.

What lands

  • internal/providers/{providers.go,derive_provider.go,providers.yaml} — loader + synced canonical YAML.
  • internal/providers/gen/registry_gen.go — generated projection (drift-gated).
  • cmd/gen-providers — generator (go generate + -check).
  • .gitea/workflows/verify-providers-gen.yml — artifact ↔ synced-copy drift gate (mirror of CP).
  • .gitea/workflows/sync-providers-yaml.yml — NEW cross-repo gate: fetches the controlplane canonical and byte-compares (read-only AUTO_SYNC_TOKEN; degrades to warn if absent).
  • internal/providers/sync_canonical_test.go — hermetic sha pin (always-on backstop; catches a hand-edit with no network).
  • internal/providers/gen_import_boundary_test.go — arch-lint-equivalent AST gate (core has no go-arch-lint): no production package may import the raw gen projection. Proven load-bearing.

Both new workflows are standalone (not in ci.yml, not in branch protection) — same soak-then-promote posture as CP. NO production path imports the new package yet (P2-B wires the billing decision onto the loader).

Build/test

go build ./... (+ -tags=integration) green; providers/gen/gen-providers suites pass (incl. -race); gen -check in sync; gofmt + vet clean.

NO behavior change. Cross-link internal#718 (P2-A). Do NOT merge.
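The arch-lint-equivalent AST gate the description lists (`gen_import_boundary_test.go`), shown here as an added Go example rather than the project's own file: it parses only the import blocks of every production `.go` file under a module root and reports any file that imports the fenced-off `gen` package from outside the allow-listed directories. The module path `example.invalid/molecule-core/...` and the allow list (`internal/providers`, `cmd/gen-providers`) are assumptions, not values taken from the repo.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// ImportBoundary is one "no production package may import X" rule.
type ImportBoundary struct {
	Forbidden   string   // fully qualified import path that is fenced off
	AllowedDirs []string // module-relative dirs allowed to import it (assumed: registry package + generator)
}

// Offender is a production file that crosses the boundary.
type Offender struct {
	File string // module-relative path
	Line int    // line of the offending import spec
}

// Check walks root and returns every violation. _test.go files are skipped (the
// boundary fences production code only); vendor/, testdata/ and hidden dirs are
// skipped because they are not the repo's own packages.
func (b ImportBoundary) Check(root string) ([]Offender, error) {
	var offenders []Offender
	fset := token.NewFileSet()
	err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		rel = filepath.ToSlash(rel)
		if d.IsDir() {
			if n := d.Name(); path != root && (strings.HasPrefix(n, ".") || n == "vendor" || n == "testdata" || b.allowed(rel)) {
				return filepath.SkipDir
			}
			return nil
		}
		if !strings.HasSuffix(path, ".go") || strings.HasSuffix(path, "_test.go") {
			return nil
		}
		// ImportsOnly stops after the import block: cheap, and it works on files whose bodies do not compile yet.
		f, err := parser.ParseFile(fset, path, nil, parser.ImportsOnly)
		if err != nil {
			return err
		}
		for _, spec := range f.Imports {
			p, err := strconv.Unquote(spec.Path.Value)
			if err != nil {
				return err
			}
			if p == b.Forbidden {
				offenders = append(offenders, Offender{File: rel, Line: fset.Position(spec.Pos()).Line})
			}
		}
		return nil
	})
	return offenders, err
}

// allowed reports whether rel is an allow-listed dir or a subdirectory of one.
func (b ImportBoundary) allowed(rel string) bool {
	for _, a := range b.AllowedDirs {
		if rel == a || strings.HasPrefix(rel, a+"/") {
			return true
		}
	}
	return false
}

// main runs the gate over argv[1] (default "."), exiting 1 on a violation; module path and allow list are placeholders.
func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	gate := ImportBoundary{
		Forbidden:   "example.invalid/molecule-core/internal/providers/gen",
		AllowedDirs: []string{"internal/providers", "cmd/gen-providers"},
	}
	offenders, err := gate.Check(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "gate error:", err)
		os.Exit(2)
	}
	for _, o := range offenders {
		fmt.Printf("%s:%d imports forbidden package %s\n", o.File, o.Line, gate.Forbidden)
	}
	if len(offenders) > 0 {
		os.Exit(1)
	}
	fmt.Println("import boundary OK")
}
```

Wrapping `Check` in a `TestNoProductionImportOfGenPackage`-style test that fails with the offender list gives the same always-on, offender-naming behaviour the review describes.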

hongming added 1 commit 2026-05-28 00:42:40 +00:00
feat(providers): P2-A internal#718 — bring the provider registry to molecule-core via codegen + verify-CI (additive, zero behavior change)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s
CI / Python Lint & Test (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 7s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 11s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s
E2E Chat / detect-changes (pull_request) Successful in 10s
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 9s
Harness Replays / detect-changes (pull_request) Successful in 6s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 8s
Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 10s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m10s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m3s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m21s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 5s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
sync-providers-yaml / Compare synced providers.yaml against controlplane canonical (pull_request) Failing after 5s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m36s
gate-check-v3 / gate-check (pull_request) Successful in 12s
verify-providers-gen / Regenerate providers artifact and fail on drift (pull_request) Successful in 38s
qa-review / approved (pull_request) Failing after 6s
security-review / approved (pull_request) Failing after 7s
sop-checklist / review-refire (pull_request) Has been skipped
sop-tier-check / tier-check (pull_request) Successful in 7s
CI / Canvas (Next.js) (pull_request) Successful in 2s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5s
E2E Chat / E2E Chat (pull_request) Successful in 3s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 14s
Harness Replays / Harness Replays (pull_request) Successful in 7s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m34s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m34s
CI / Platform (Go) (pull_request) Successful in 5m44s
CI / all-required (pull_request) Successful in 8m39s
sop-checklist / all-items-acked (pull_request) [info tier:low] acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, l
sop-checklist / na-declarations (pull_request) N/A: (none)
CI / Canvas Deploy Reminder (pull_request) Has been skipped
71c68e44f2
Distributes the provider-registry SSOT into molecule-core per the CTO-decided
shape (internal#718 comment, 2026-05-27): "Distribution = SDK via codegen +
verify-CI", multi-repo branch "codegen-checked-into-each-repo + verify-CI".

molecule-core has no Go module dependency on molecule-controlplane, so this
lands a SYNCED COPY of the canonical providers.yaml plus the loader,
DeriveProvider/IsPlatform/ResolveUpstream, the generated Go projection
(cmd/gen-providers), and the drift gates — a byte-faithful mirror of the
controlplane P0/P1 machinery. Canonical SSOT stays in controlplane
internal/providers/providers.yaml.

ZERO behavior change (additive, like P0): NO production code path imports the
new package yet. P2-B wires the billing/credential decision onto the loader.

What lands:
- internal/providers/{providers.go,derive_provider.go,providers.yaml} — mirror
  of the controlplane loader + canonical YAML (synced copy).
- internal/providers/gen/registry_gen.go — generated projection; fingerprint
  faffcbe59bb9f38c matches controlplane.
- cmd/gen-providers — the generator (go generate + -check drift mode).
- .gitea/workflows/verify-providers-gen.yml — artifact ↔ synced-copy drift gate
  (mirror of the controlplane workflow; standalone, not in branch protection
  yet — same soak-then-promote posture).
- .gitea/workflows/sync-providers-yaml.yml — NEW cross-repo gate: fetches the
  controlplane canonical providers.yaml and byte-compares against core's synced
  copy (RED on canonical drift). Read-only AUTO_SYNC_TOKEN; degrades to a
  warning if the token is absent.
- internal/providers/sync_canonical_test.go — hermetic sha pin of the synced
  copy (the always-on backstop; catches a hand-edit even with no network).
- internal/providers/gen_import_boundary_test.go — arch-lint-equivalent AST gate
  (core has no go-arch-lint): no production package may import the raw gen
  projection. Proven load-bearing.

Build/test: go build ./... (+ -tags=integration) green; providers/gen/
gen-providers suites pass (incl. -race); gen -check in sync; gofmt + vet clean.

internal#718 P2-A. NO behavior change. Not merged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hongming added the tier:low label 2026-05-28 00:43:39 +00:00
agent-reviewer requested changes 2026-05-28 00:52:12 +00:00
Dismissed
agent-reviewer left a comment
Member

Independent Five-Axis review — molecule-core PR #1970 (provider-SSOT P2-A)

Verdict: REQUEST_CHANGES (one Required bug in the new cross-repo sync gate). Everything else verified clean — the NO-behavior-change claim and canonical fidelity both hold; the AST gate is proven load-bearing. The single blocker is a wrong-endpoint bug that makes sync-providers-yaml.yml a non-functional gate (permanently RED, can't report a true verdict), which trips the SOP invariant "the sync gate actually fetches CP + byte-compares… verify it's not a no-op."

Reviewed at head 71c68e44; static review + throwaway build/test on the op-host. Nothing merged/pushed.


Invariant 1 — NO behavior change CONFIRMED

  • All 14 files are A (added); zero existing files modified, zero deletions (git diff --name-status base..head).
  • No production (non-test) Go file anywhere in the repo imports the new loader package or the gen package (repo-wide grep: NONE outside internal/providers/ + cmd/gen-providers/).
  • AST gate proven load-bearing: I injected a production package internal/fakeprodconsumer importing the raw gen projection → TestNoProductionImportOfGenPackage flipped RED and named the offender; removed it → green. So the no-prod-import-of-gen invariant is enforced, not decorative (gen_import_boundary_test.go:55, error at :86). Pure additive plumbing.

Invariant 2 — Canonical fidelity mostly, ⚠️ one Required bug in the live gate

  • Synced copy is byte-identical to CP canonical. Fetched CP internal/providers/providers.yaml@main and byte-compared: identical, sha256 48a669210494f3fded2315eb59a5549bc7632676e6d2e29db58a67273184ce76. CP's last_commit_sha is a91b1f897c… = the cp#377 CONVERGED commit — core synced from current CP HEAD. SSOT stays in CP.

  • Hermetic sha pin is real + hermetic. sync_canonical_test.go:38 pins canonicalProvidersYAMLSHA256 = 48a66921…, which exactly equals the sha of the //go:embed providers.yaml embeddedYAML (providers.go:54). Test passes under -race. This is the always-on backstop and it is sound.

  • Generated artifact matches CP (fingerprint). Core gen/registry_gen.go:19 Fingerprint = "faffcbe59bb9f38c"; CP internal/providers/gen/registry_gen.go:19 Fingerprint = "faffcbe59bb9f38c" — identical schema_version + fingerprint across both repos. Generator is deterministic (sorts runtime map keys; sha256 of the structured projection, not raw bytes; gofmt'd) — cmd/gen-providers/main.go:181.

  • Required: sync-providers-yaml.yml uses the wrong fetch endpoint → permanent false RED (non-functional live gate).
    The step fetches via the contents endpoint with the raw media header:
    GET /api/v1/repos/molecule-ai/molecule-controlplane/contents/internal/providers/providers.yaml?ref=main + Accept: application/vnd.gitea.raw (sync-providers-yaml.yml, "Fetch canonical… and byte-compare" step).
    On this Gitea 1.22.6 that header is NOT honored on the contents endpoint — it returns the JSON-wrapped base64 envelope ({"name":"providers.yaml","path":…,"content":"<base64>"}, ~45.6 KB), not the file bytes. I verified directly: the contents+raw-header response begins {"name":"providers.yaml"...; the dedicated /raw/ endpoint returns the real 33319-byte file (sha 48a66921…).
    Because AUTO_SYNC_TOKEN is provisioned (both repo- and org-level), the soft-fail/exit 0 branch never fires — the job hits the broken path and diff -u compares a JSON envelope against raw YAML, so it exits 1 (RED) on every run even when byte-identical. The gate can never report "in sync," so it cannot detect real drift either: it is effectively a no-op-that-always-blocks rather than a working canonical-drift detector.
    Fix (one line): fetch from the raw endpoint instead —
    ${API_ROOT}/repos/molecule-ai/molecule-controlplane/raw/internal/providers/providers.yaml?ref=main (drop the vnd.gitea.raw accept header; the /raw/ route returns bytes directly). I confirmed that endpoint returns the correct 33319-byte file with the matching sha.
    Blast radius is contained: the gate is standalone and NOT in main branch protection (status_check_contexts = CI/all-required, E2E API Smoke, Handlers Postgres Integration only), so the false RED doesn't block merge; and the hermetic sha pin still catches hand-edits. But the live cross-repo drift detection this PR adds is currently inert, so the fidelity story rests entirely on the sha pin until this is fixed.

Invariant 3 — Drift gates wired CONFIRMED

  • verify-providers-gen.yml is load-bearing and dual-path: go run ./cmd/gen-providers -check (verified GREEN) plus an independent go generate ./... + git diff --quiet clean-tree assert (verified in-sync). Regenerating in place produced no diff.
  • Both new workflows are standalone — NOT jobs in ci.yml, NOT in branch protection — matching the stated soak-then-promote posture and the CP P0 precedent. CP correctly has only verify-providers-gen.yml and no sync-… (it is the canonical, no synced copy). Intentional ✓.

Invariant 4 — Build / security / CI CONFIRMED (on op-host, go1.23.4)

  • go test -race ./internal/providers/... ./cmd/gen-providers/... → all green.
  • go build ./... and go build -tags=integration ./... → both green (whole module).
  • go vet (plain and -tags=integration) → clean; gofmt -l → clean.
  • No secret-shaped literals in any added file; providers.yaml carries env-var NAMES only, zero secret values.
  • The synced loader/derive code is a byte-faithful mirror of CP's converged shape (Load/LoadManifest/parseManifest, upstream_vendor uniqueness, DeriveProvider, single ResolveUpstream over existing vendor entries — matches cp#377 CONVERGED). No divergent logic introduced.

Five-Axis

  • Correctness: Required — sync-gate wrong endpoint (above). Otherwise loader validation fails closed (unknown runtime, empty native set, dup ref, model-less ref, upstream_vendor uniqueness, RE2 compile); DeriveProvider exact-id > prefix > auth-env tie-break > error, never silent default.
  • Readability: No finding — names/comments match the CP mirror; doc headers state the additive/SSOT contract clearly.
  • Architecture: No finding — SSOT stays in CP; core carries a gated synced copy because there's no shared Go module; gen is checked-in drift-gated DATA fenced off by the AST gate. Fits the CTO codegen-checked-into-each-repo + verify-CI shape.
  • Security: No finding — env NAMES only, no secrets; workflow uses a read-scoped token and degrades to warn when absent; permissions: contents: read.
  • Performance: No finding — load is go:embed (no network at boot); gates are CI-only.

Net: additive, zero behavior change, fidelity holds — but the live canonical-drift gate this PR introduces is inert due to the endpoint bug. One-line fix to the /raw/ endpoint and this is an APPROVE. Requesting changes on that single item.

hongming added 1 commit 2026-05-28 00:55:10 +00:00
fix(ci): sync-providers-yaml gate fetch canonical via /raw not /contents
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 6s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 10s
E2E API Smoke Test / detect-changes (pull_request) Successful in 8s
E2E Chat / detect-changes (pull_request) Successful in 8s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 9s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 10s
Harness Replays / detect-changes (pull_request) Successful in 7s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 7s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Failing after 1m3s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 5s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m18s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m21s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m17s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
sync-providers-yaml / Compare synced providers.yaml against controlplane canonical (pull_request) Successful in 4s
gate-check-v3 / gate-check (pull_request) Failing after 10s
qa-review / approved (pull_request) Failing after 9s
sop-checklist / na-declarations (pull_request) N/A: (none)
security-review / approved (pull_request) Failing after 13s
sop-checklist / review-refire (pull_request) Has been skipped
sop-checklist / all-items-acked (pull_request) Successful in 14s
verify-providers-gen / Regenerate providers artifact and fail on drift (pull_request) Successful in 31s
sop-tier-check / tier-check (pull_request) Successful in 7s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m22s
CI / Canvas (Next.js) (pull_request) Successful in 4s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 6s
E2E Chat / E2E Chat (pull_request) Successful in 8s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 14s
Harness Replays / Harness Replays (pull_request) Successful in 11s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m20s
CI / Platform (Go) (pull_request) Successful in 5m10s
CI / all-required (pull_request) Successful in 8m18s
audit-force-merge / audit (pull_request) Successful in 7s
11b0646b37
The cross-repo drift gate fetched controlplane providers.yaml from the
Gitea /contents endpoint with Accept: application/vnd.gitea.raw. On this
Gitea (1.22.6) that header is NOT honored on /contents -- it returns the
JSON+base64 envelope ({"name":"providers.yaml","content":"<base64>"...},
~45.6 KB), not raw bytes. So diff -u compared JSON-vs-YAML and exited 1
(RED) on every run even when byte-identical, making the gate inert
(detected neither sync nor real drift).

Switch the fetch to the /raw endpoint, which returns the file bytes
directly (33319 B, sha256 48a66921...), byte-identical to core's synced
copy. diff now exits 0 on the in-sync state and goes RED on real drift.
Authorization: token header kept; soft-fail backstop and the hermetic
sha-pin in sync_canonical_test.go are untouched.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Author
Owner

Pushed a focused one-line(ish) fix to this branch (commit 11b0646b) for the sync-providers-yaml cross-repo drift gate.

Bug: the gate fetched the controlplane canonical providers.yaml from the Gitea /contents/... endpoint with Accept: application/vnd.gitea.raw. On our Gitea 1.22.6 that header is not honored on /contents — it returns the JSON+base64 envelope ({"name":"providers.yaml","content":"<base64>"...}, ~45.6 KB), not raw bytes. So diff -u compared JSON-vs-YAML and exited 1 (RED) on every run even when byte-identical, making the gate inert (detected neither sync nor real drift).

Fix: switch the fetch to the /raw endpoint and drop the ignored Accept header (kept the Authorization: token header):

-CANON_URL="${API_ROOT}/repos/molecule-ai/molecule-controlplane/contents/internal/providers/providers.yaml?ref=main"
-          curl -fsS -H "Authorization: token ${AUTO_SYNC_TOKEN}" -H "Accept: application/vnd.gitea.raw" "${CANON_URL}" -o /tmp/canonical-providers.yaml
+CANON_URL="${API_ROOT}/repos/molecule-ai/molecule-controlplane/raw/internal/providers/providers.yaml?ref=main"
+          curl -fsS -H "Authorization: token ${AUTO_SYNC_TOKEN}" "${CANON_URL}" -o /tmp/canonical-providers.yaml
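Review bot: the `+` curl line has no `--max-time`, so a hung connection to the controlplane API stalls the gate until the runner's job timeout instead of failing fast; add `--max-time` (and optionally `--retry`) next to `-fsS`, which already fails the step on a non-2xx before `diff` runs, the right fail-closed direction. Since the bug being fixed was a JSON envelope reaching `diff -u` unnoticed, a one-line guard after the download (fail with a clear message when the first byte of /tmp/canonical-providers.yaml is `{`) would turn any repeat of that failure mode into a readable error rather than a confusing YAML-vs-JSON diff. Also worth a comment in the workflow: `?ref=main` compares against the moving CP branch head, so a canonical change on CP flips this gate RED on the next run with no core commit, which is the intended drift semantics but easy to misread as a flake.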

Verified (ran the corrected fetch with the cross-repo token):

  • /raw returns the real YAML: 33319 bytes, sha256 48a669210494f3fded2315eb59a5549bc7632676e6d2e29db58a67273184ce76 — byte-identical to core's synced copy workspace-server/internal/providers/providers.yaml (same size, same sha). So the gate now reports truthfully GREEN on the current in-sync state (diff exits 0).
  • Confirmed the old /contents fetch returned 45635 bytes of JSON envelope (the source of the permanent false RED).
  • Sanity-checked RED-on-drift: a 1-byte change to the core copy makes diff exit nonzero → gate goes RED correctly.

Scope: only .gitea/workflows/sync-providers-yaml.yml changed (5 insertions / 4 deletions, the URL + dropped header + updated comment). The soft-fail backstop (missing AUTO_SYNC_TOKEN → ::warning:: + exit 0) and the hermetic sha-pin in sync_canonical_test.go are untouched. Not merged.

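The failure mode above (a `/contents` fetch silently handing the gate a JSON+base64 envelope, so `diff` goes RED forever) can be made loud instead of silent. The script below is an added example, not the PR's workflow: it models the compare step with a guard that rejects an envelope before diffing, plus the same token-absent soft-fail. Function names and the sample files are constructed for the demo.

```shell
#!/usr/bin/env sh
# Added example (hypothetical helpers, not the repository's workflow code).
# Idea: a cross-repo drift gate must fail on "wrong shape of response"
# distinctly from "real drift", or a misconfigured endpoint looks like drift.

# looks_like_envelope FILE -> 0 when FILE is a Gitea /contents JSON envelope
# (first byte '{' and a "content" key), which is not the raw YAML we want.
looks_like_envelope() {
  head -c 1 "$1" | grep -q '{' && grep -q '"content"' "$1"
}

# compare_canonical CANONICAL LOCAL
#   returns 0 = byte-identical (GREEN), 1 = drift (RED),
#           2 = fetched an envelope, i.e. the gate itself is misconfigured
compare_canonical() {
  canonical="$1"; local_copy="$2"
  if looks_like_envelope "$canonical"; then
    echo "::error::canonical fetch returned a JSON envelope, not raw YAML" >&2
    return 2
  fi
  if cmp -s "$canonical" "$local_copy"; then
    echo "in sync: $(wc -c < "$local_copy") bytes, sha256 $(sha256sum "$local_copy" | cut -d' ' -f1)"
    return 0
  fi
  diff -u "$canonical" "$local_copy" >&2 || true
  return 1
}

# gate TOKEN CANONICAL LOCAL: soft-fail (warn, exit 0) when the cross-repo
# token is absent, mirroring the workflow's posture; otherwise compare.
gate() {
  if [ -z "$1" ]; then
    echo "::warning::AUTO_SYNC_TOKEN absent; skipping cross-repo compare"
    return 0
  fi
  compare_canonical "$2" "$3"
}

# Constructed sample inputs standing in for the fetched and synced copies.
demo_dir=$(mktemp -d)
printf 'providers:\n  - id: p1\n' > "$demo_dir/local.yaml"
cp "$demo_dir/local.yaml" "$demo_dir/raw.yaml"
printf 'providers:\n  - id: p2\n' > "$demo_dir/drifted.yaml"
printf '{"name":"providers.yaml","content":"cHJvdmlkZXJzOgo="}' > "$demo_dir/envelope.json"
```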
agent-reviewer approved these changes 2026-05-28 01:01:11 +00:00
agent-reviewer left a comment
Member

Re-review at head 11b0646b — APPROVED.

The single bug from review #7777 (REQUEST_CHANGES) is fixed and nothing else regressed.

FIX VERIFIED (only file changed: .gitea/workflows/sync-providers-yaml.yml):

  • Endpoint switched from /repos/.../contents/internal/providers/providers.yaml?ref=main (with the Accept: application/vnd.gitea.raw header that Gitea 1.22.6 ignores on /contents, yielding the JSON+base64 envelope) to /repos/.../raw/internal/providers/providers.yaml?ref=main, which returns the file bytes directly.
  • The ignored Accept header is dropped; Authorization: token $AUTO_SYNC_TOKEN is kept.
  • The AUTO_SYNC_TOKEN-absent soft-fail (::warning:: + exit 0, hermetic sha pin as backstop) is intact.

GATE NOW TRUTHFUL (was a permanent false RED):

  • Canonical via /raw = 33319 bytes, sha256 48a669210494f3fded2315eb59a5549bc7632676e6d2e29db58a67273184ce76 — byte-identical to core's synced workspace-server/internal/providers/providers.yaml. So the diff exits 0 (GREEN) now and would go RED on real drift.
  • CI: sync-providers-yaml / Compare = success on 11b0646b (it was failure on parent 71c68e44).

NO REGRESSION (single-commit, single-file vs parent):

  • Previously-verified P2-A invariants (additive / no behavior change, AST gen-import gate load-bearing, canonical byte-identical to CP, sha-pin backstop, builds green) untouched. verify-providers-gen = success.

REMAINING REDS ARE NOT CAUSED BY THIS DIFF:

  • gate-check-v3 = BLOCKED solely on request_changes_reviews -> review 7777 (this very stale REQUEST_CHANGES); clears on this APPROVED.
  • lint-continue-on-error-tracking (itself continue-on-error / non-blocking) = mc#774 tracker crossed the 14-day age cap (37 directives across 57 unrelated workflow files); repo-wide, not this PR.
  • qa-review / security-review / lint-required-context-exists-in-bp = pre-existing reds on the parent too (approval/process gates), not diff-caused.
claude-ceo-assistant approved these changes 2026-05-28 01:02:05 +00:00
claude-ceo-assistant left a comment
Owner

2nd approval (claude-ceo-assistant). Concur with agent-reviewer Five-Axis verdict (CTO-approved batch). Merge once required checks green.

hongming merged commit 866a71777f into main 2026-05-28 01:10:26 +00:00
Reference: molecule-ai/molecule-core#1970