molecule-ai/molecule-core
51
0
Fork 2
Code Issues 160 Pull Requests 162 Actions 7 Packages Projects Releases Wiki Activity

P4 PR-1 internal#718 (sync): re-sync canonical providers.yaml with the colon-vocab reconcile (no behavior change) #1980

Merged
hongming merged 1 commits from feat/internal-718-p4-pr1-reconcile-colon-vocab-sync into main 2026-05-28 03:41:49 +00:00
Conversation 2 Commits 1 Files Changed 4
+70 -16
hongming commented 2026-05-28 03:22:31 +00:00
Owner
Copy Link
Copy Source

What

Mirrors the canonical change in molecule-controlplane#380:
adds the legacy colon-namespaced BYOK model ids (anthropic:claude-*, moonshot:kimi-k2.*, minimax:MiniMax-M2*) to each runtime native set so DeriveProvider / Manifest.ModelsForRuntime returns true for every legitimate model in the live workspace-create corpus.

Why

The canonical SSOT is molecule-controlplane/internal/providers/providers.yaml. molecule-core carries a synced copy + a sha pin (sync_canonical_test.go); the cross-repo sync-providers-yaml CI workflow live-diffs them on every change.

This PR follows the canonical re-sync procedure documented in sync_canonical_test.go:

  1. Copied molecule-controlplane/internal/providers/providers.yaml verbatim over the synced copy.
  2. Regenerated internal/providers/gen/registry_gen.go via go run ./cmd/gen-providers.
  3. Bumped canonicalProvidersYAMLSHA256 to the new canonical sha (73e8003062edaa4ce75bfb324be615b6e2b380f07487e3af4dc16cb644dc12bc).
  4. Synced runtimes_test.go to match the CP-side expanded claude-code expectation set.

Behavior delta

ZERO in core. The WARN-mode validateRegisteredModelForRuntime gate (workspace.go:451-456) just goes silent for the now-registered colon-form models; the X-Molecule-Model-Unregistered response header stops being emitted for legitimate colon-form workspaces. No new rejection path; no proxy/billing-derive change.

P4 PR-2 (feat/internal-718-p4-pr2-hard-reject-unregistered, stacked on this branch) is where the gate flips to 422 — that depends on this reconcile landing first so the flip does not 422 the live colon-vocab corpus.

Tests

  • internal/providers/... green (the SHA pin + runtimes_test exact-set assertions are the gates).
  • Full core test suite green (go test -short ./...) and integration-tagged for handlers + providers green.
  • sync-providers-yaml CI gate stays green once CP#380 lands canonical-side.

Stack

Merge order: molecule-controlplane#380 → this PR → core P4 PR-2 (feat/internal-718-p4-pr2-hard-reject-unregistered).

Refs internal#718.

🤖 Generated with Claude Code

## What Mirrors the canonical change in molecule-controlplane#380: adds the legacy colon-namespaced BYOK model ids (`anthropic:claude-*`, `moonshot:kimi-k2.*`, `minimax:MiniMax-M2*`) to each runtime native set so `DeriveProvider` / `Manifest.ModelsForRuntime` returns true for every legitimate model in the live workspace-create corpus. ## Why The canonical SSOT is `molecule-controlplane/internal/providers/providers.yaml`. molecule-core carries a synced copy + a sha pin (`sync_canonical_test.go`); the cross-repo `sync-providers-yaml` CI workflow live-diffs them on every change. This PR follows the canonical re-sync procedure documented in `sync_canonical_test.go`: 1. Copied `molecule-controlplane/internal/providers/providers.yaml` verbatim over the synced copy. 2. Regenerated `internal/providers/gen/registry_gen.go` via `go run ./cmd/gen-providers`. 3. Bumped `canonicalProvidersYAMLSHA256` to the new canonical sha (`73e8003062edaa4ce75bfb324be615b6e2b380f07487e3af4dc16cb644dc12bc`). 4. Synced `runtimes_test.go` to match the CP-side expanded claude-code expectation set. ## Behavior delta **ZERO** in core. The WARN-mode `validateRegisteredModelForRuntime` gate (workspace.go:451-456) just goes silent for the now-registered colon-form models; the `X-Molecule-Model-Unregistered` response header stops being emitted for legitimate colon-form workspaces. No new rejection path; no proxy/billing-derive change. P4 PR-2 (`feat/internal-718-p4-pr2-hard-reject-unregistered`, stacked on this branch) is where the gate flips to 422 — that depends on this reconcile landing first so the flip does not 422 the live colon-vocab corpus. ## Tests - `internal/providers/...` green (the SHA pin + runtimes_test exact-set assertions are the gates). - Full core test suite green (`go test -short ./...`) and integration-tagged for handlers + providers green. - `sync-providers-yaml` CI gate stays green once CP#380 lands canonical-side. ## Stack Merge order: molecule-controlplane#380 → this PR → core P4 PR-2 (`feat/internal-718-p4-pr2-hard-reject-unregistered`). Refs internal#718. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
hongming added 1 commit 2026-05-28 03:22:31 +00:00
P4 PR-1 sync internal#718: re-sync canonical providers.yaml from molecule-controlplane (colon-vocab reconcile)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Details
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 11s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 12s
Details
CI / Python Lint & Test (pull_request) Successful in 20s
Details
CI / Detect changes (pull_request) Successful in 21s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 17s
Details
E2E Chat / detect-changes (pull_request) Successful in 17s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 18s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 11s
Details
Harness Replays / detect-changes (pull_request) Successful in 9s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 8s
Details
Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 8s
Details
sync-providers-yaml / Compare synced providers.yaml against controlplane canonical (pull_request) Failing after 7s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
Details
qa-review / approved (pull_request) Failing after 10s
Details
gate-check-v3 / gate-check (pull_request) Successful in 10s
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
sop-checklist / all-items-acked (pull_request) Successful in 11s
Details
sop-checklist / review-refire (pull_request) Has been skipped
Details
security-review / approved (pull_request) Failing after 11s
Details
verify-providers-gen / Regenerate providers artifact and fail on drift (pull_request) Successful in 31s
Details
sop-tier-check / tier-check (pull_request) Successful in 6s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m9s
Details
CI / Canvas (Next.js) (pull_request) Successful in 2s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 6s
Details
E2E Chat / E2E Chat (pull_request) Successful in 7s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s
Details
Harness Replays / Harness Replays (pull_request) Successful in 4s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m55s
Details
CI / Platform (Go) (pull_request) Successful in 5m7s
Details
CI / all-required (pull_request) Successful in 11m56s
Details
audit-force-merge / audit (pull_request) Successful in 25s
Details
7bc52017ed 
Mirrors the canonical change in molecule-controlplane PR feat/internal-718-p4-pr1-reconcile-colon-vocab:
adds the legacy colon-namespaced BYOK model ids (anthropic:claude-*, moonshot:kimi-k2.*, minimax:MiniMax-M2*) to each runtime native set so DeriveProvider / Manifest.ModelsForRuntime returns true for every legitimate model in the live workspace-create corpus (canvas/ConfigTab default + ~44 test files + openclaw template precedent).

Per the sync_canonical_test.go header procedure:
  1. Copied molecule-controlplane/internal/providers/providers.yaml verbatim.
  2. Regenerated internal/providers/gen/registry_gen.go via go run ./cmd/gen-providers.
  3. Bumped canonicalProvidersYAMLSHA256 to the new canonical sha (73e8003062edaa4ce75bfb324be615b6e2b380f07487e3af4dc16cb644dc12bc).
  4. Synced runtimes_test.go to match CP's expanded claude-code expectation set.

ZERO behavior change in core: the WARN-mode validateRegisteredModelForRuntime gate (workspace.go:451-456) just goes silent for the now-registered colon-form models; the X-Molecule-Model-Unregistered response header stops being emitted for legitimate colon-form workspaces. No new rejection path; no proxy/billing-derive change.

Stacked atop molecule-controlplane PR-1 — merge order: CP PR-1 → core PR-1 sync. The cross-repo sync-providers-yaml CI gate stays green once the canonical lands.

Refs internal#718.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
agent-reviewer approved these changes 2026-05-28 03:40:23 +00:00
agent-reviewer left a comment
Member
Copy Link
Copy Source

Dev-SOP Five-Axis review (independent, no prior context). APPROVED.

Verification (cite file:line)

  1. Byte-identical to CP#380 canonicalsha256(workspace-server/internal/providers/providers.yaml) = 73e8003062edaa4ce75bfb324be615b6e2b380f07487e3af4dc16cb644dc12bc, matches both the pin in internal/providers/sync_canonical_test.go:32 and the canonical at molecule-controlplane@feat/internal-718-p4-pr1-reconcile-colon-vocab:internal/providers/providers.yaml (verified via shasum -a 256; diff against the CP-side head is empty).
  2. Only the 4 declared files change vs maindiff -qr shows ONLY internal/providers/{providers.yaml, gen/registry_gen.go, runtimes_test.go, sync_canonical_test.go} differ. The diff in sync_canonical_test.go is a single line (the sha pin) at :32. No production-code path edited.
  3. verify-providers-gen regenerates cleango run ./cmd/gen-providers produces a registry_gen.go byte-identical to the committed artifact (Fingerprint cbd39dfe934302e0); the workflow status on the head commit shows verify-providers-gen / Regenerate providers artifact and fail on drift = success.
  4. sync-providers-yaml red is the EXPECTED order — the workflow at .gitea/workflows/sync-providers-yaml.yml:82 fetches CP main; CP#380 has not landed yet (merged: false). It will flip green once CP#380 merges. The workflow is intentionally NOT in branch protection (lines 23–26: standalone, not in ci.yml's required set), and the hermetic SHA pin in sync_canonical_test.go is the always-on backstop — so this red does not gate merge order downstream of CP#380. Acknowledged.
  5. No behavior change for live codegrep -rn 'internal/providers/gen' on *.go shows zero production importers; only internal/providers/gen_import_boundary_test.go:29 references the path (as a const for the AST gate). Gate is load-bearing (TestNoProductionImportOfGenPackage). The runtimes_test.go additions are exact-set assertions matching the new YAML's colon-vocab additions (mirrors CP-side test file byte-identically); go test ./internal/providers/... green locally (incl. TestDeriveProvider_RealManifest, TestResolveUpstream_RealManifest, the canonical SHA pin, the gen-fingerprint pin, and the AST gate).

Five-Axis summary

  • Correctness: data-only sync; sha pin + gen artifact + runtimes_test.go exact-set assertions all consistent. WARN-mode validateRegisteredModelForRuntime goes silent for colon-form models, matching the PR body's behavior delta.
  • Tests: providers/... green locally; the SHA pin + boundary gate + gen fingerprint pin all pass with the new artifact.
  • Security: no secret/cred surface touched; no auth changes; no new network calls.
  • Architecture: synced-copy + sha-pin pattern preserved; cross-repo distribution model unchanged; AST boundary still load-bearing.
  • Ops: expected cross-repo gate red until CP#380 lands (documented in PR body + workflow header); not in branch protection.

Do not merge until CP#380 lands on main and sync-providers-yaml goes green.

Reviewer: agent-reviewer (independent post-Stage-C dev-SOP gate).

Dev-SOP Five-Axis review (independent, no prior context). APPROVED. ## Verification (cite file:line) 1. **Byte-identical to CP#380 canonical** — `sha256(workspace-server/internal/providers/providers.yaml)` = `73e8003062edaa4ce75bfb324be615b6e2b380f07487e3af4dc16cb644dc12bc`, matches both the pin in `internal/providers/sync_canonical_test.go:32` and the canonical at `molecule-controlplane@feat/internal-718-p4-pr1-reconcile-colon-vocab:internal/providers/providers.yaml` (verified via `shasum -a 256`; `diff` against the CP-side head is empty). 2. **Only the 4 declared files change vs `main`** — `diff -qr` shows ONLY `internal/providers/{providers.yaml, gen/registry_gen.go, runtimes_test.go, sync_canonical_test.go}` differ. The diff in `sync_canonical_test.go` is a single line (the sha pin) at `:32`. No production-code path edited. 3. **`verify-providers-gen` regenerates clean** — `go run ./cmd/gen-providers` produces a `registry_gen.go` byte-identical to the committed artifact (Fingerprint `cbd39dfe934302e0`); the workflow status on the head commit shows `verify-providers-gen / Regenerate providers artifact and fail on drift` = success. 4. **`sync-providers-yaml` red is the EXPECTED order** — the workflow at `.gitea/workflows/sync-providers-yaml.yml:82` fetches CP `main`; CP#380 has not landed yet (`merged: false`). It will flip green once CP#380 merges. The workflow is intentionally NOT in branch protection (lines 23–26: standalone, not in `ci.yml`'s required set), and the hermetic SHA pin in `sync_canonical_test.go` is the always-on backstop — so this red does not gate merge order downstream of CP#380. Acknowledged. 5. **No behavior change for live code** — `grep -rn 'internal/providers/gen'` on `*.go` shows zero production importers; only `internal/providers/gen_import_boundary_test.go:29` references the path (as a const for the AST gate). Gate is load-bearing (`TestNoProductionImportOfGenPackage`). The runtimes_test.go additions are exact-set assertions matching the new YAML's colon-vocab additions (mirrors CP-side test file byte-identically); `go test ./internal/providers/...` green locally (incl. `TestDeriveProvider_RealManifest`, `TestResolveUpstream_RealManifest`, the canonical SHA pin, the gen-fingerprint pin, and the AST gate). ## Five-Axis summary - **Correctness**: data-only sync; sha pin + gen artifact + runtimes_test.go exact-set assertions all consistent. WARN-mode `validateRegisteredModelForRuntime` goes silent for colon-form models, matching the PR body's behavior delta. - **Tests**: providers/... green locally; the SHA pin + boundary gate + gen fingerprint pin all pass with the new artifact. - **Security**: no secret/cred surface touched; no auth changes; no new network calls. - **Architecture**: synced-copy + sha-pin pattern preserved; cross-repo distribution model unchanged; AST boundary still load-bearing. - **Ops**: expected cross-repo gate red until CP#380 lands (documented in PR body + workflow header); not in branch protection. Do not merge until CP#380 lands on main and `sync-providers-yaml` goes green. Reviewer: agent-reviewer (independent post-Stage-C dev-SOP gate).
claude-ceo-assistant approved these changes 2026-05-28 03:41:47 +00:00
claude-ceo-assistant left a comment
Owner
Copy Link
Copy Source

2nd approval (claude-ceo-assistant). Concur with agent-reviewer Five-Axis verdict (CTO-approved batch). Merge once required checks green.

2nd approval (claude-ceo-assistant). Concur with agent-reviewer Five-Axis verdict (CTO-approved batch). Merge once required checks green.
hongming merged commit 930f8753a9 into main 2026-05-28 03:41:49 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
agent-reviewer
claude-ceo-assistant
Labels
Clear labels
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1980
Delete Branch "feat/internal-718-p4-pr1-reconcile-colon-vocab-sync"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?