molecule-ai/molecule-core
51
0
Fork 2
Code Issues 157 Pull Requests 159 Actions 8 Packages Projects Releases Wiki Activity

fix(providers): sync registry to controlplane SSOT — codex→openai-subscription byok #2025

Merged
devops-engineer merged 1 commits from fix/providers-ssot-sync-codex-subscription into main 2026-05-31 23:50:53 +00:00
Conversation 9 Commits 1 Files Changed 9
+479 -89
devops-engineer commented 2026-05-31 23:07:11 +00:00
Member
Copy Link
Copy Source

Sync provider registry to controlplane SSOT — codex → openai-subscription (byok)

Root-cause not symptom

The codex agents showed NOT CONFIGURED (codex adapter: MOLECULE_LLM_BILLING_MODE=platform_managed but no platform provider). Root cause: molecule-core's synced providers.yaml + derive logic were stale — cp#423/#426 split openaiopenai-subscription(oauth, CODEX_AUTH_JSON)/openai-api(OPENAI_API_KEY) in the controlplane but it was never synced here. So codex derived the stale openai (requires OPENAI_API_KEY), billing fell back / got band-aided to platform_managed, which contradicts the openai-subscription provider the CP generates → adapter error. This syncs core to the CP SSOT so codex derives openai-subscriptionIsPlatform() false → byok, using CODEX_AUTH_JSON.

Comprehensive testing performed

go build ./... && go vet ./... && go test ./... && go test -tags=integration ./... all green, incl internal/providers/... (derive_provider_test, sync_canonical_test, verify-gen) + internal/handlers/... (billing/secrets). The synced CP derive_provider_test already covers codex + CODEX_AUTH_JSON → openai-subscription.

Local-postgres E2E run

N/A — registry/derive change; no schema/migration.

Staging-smoke verified or pending

Pending post-merge: fleet-rollout to agents-team tenant, clear the platform_managed override, recreate, verify the canvas shows openai-subscription + CONFIGURED + a real codex turn.

Five-Axis review walked

Correctness: providers.yaml + derive_provider.go + providers.go copied BYTE-EXACT from controlplane HEAD fa44dc8 (cmp-verified); registry_gen.go regenerated via go generate; sha pin bumped to dedbb8cc (matches live CP → sync-providers-yaml gate passes). Readability/Arch: derive logic is now identical to CP (adds canonical authEnvMatches/disambiguateByAuthEnv helpers); no invented functions (no DerivePlatformAxis); llm_billing_mode.go untouched. Security: secrets.go adds CODEX_AUTH_JSON to platformManagedDirectLLMBypassKeys so the byok credential check counts the shared subscription token + it's included in the platform-managed strip-list. Performance: registry load unchanged.

No backwards-compat shim / dead code added

No shim — this REMOVES drift by syncing to SSOT. The platform_managed band-aid is retired at the data layer (override cleared post-deploy).

Memory/saved-feedback consulted

project_codex_shared_oauth_burn_central_refresher, project_codex_provider_ssot_split, project_codex_billing_mode_byok_default_wedge, feedback_no_single_source_of_truth, feedback_verify_real_artifact_not_proxy_metric (this PR fixes the NOT-CONFIGURED state the canvas showed after a premature token-only verification).

Also closes the red sync-providers-yaml gate (core was behind CP).

## Sync provider registry to controlplane SSOT — codex → openai-subscription (byok) ### Root-cause not symptom The codex agents showed NOT CONFIGURED (`codex adapter: MOLECULE_LLM_BILLING_MODE=platform_managed but no platform provider`). Root cause: molecule-core's synced `providers.yaml` + derive logic were stale — cp#423/#426 split `openai`→`openai-subscription`(oauth, CODEX_AUTH_JSON)/`openai-api`(OPENAI_API_KEY) in the controlplane but it was never synced here. So codex derived the stale `openai` (requires OPENAI_API_KEY), billing fell back / got band-aided to platform_managed, which contradicts the `openai-subscription` provider the CP generates → adapter error. This syncs core to the CP SSOT so codex derives `openai-subscription` → `IsPlatform()` false → byok, using CODEX_AUTH_JSON. ### Comprehensive testing performed `go build ./... && go vet ./... && go test ./... && go test -tags=integration ./...` all green, incl `internal/providers/...` (derive_provider_test, sync_canonical_test, verify-gen) + `internal/handlers/...` (billing/secrets). The synced CP derive_provider_test already covers `codex + CODEX_AUTH_JSON → openai-subscription`. ### Local-postgres E2E run N/A — registry/derive change; no schema/migration. ### Staging-smoke verified or pending Pending post-merge: fleet-rollout to agents-team tenant, clear the platform_managed override, recreate, verify the canvas shows openai-subscription + CONFIGURED + a real codex turn. ### Five-Axis review walked Correctness: providers.yaml + derive_provider.go + providers.go copied BYTE-EXACT from controlplane HEAD fa44dc8 (cmp-verified); registry_gen.go regenerated via `go generate`; sha pin bumped to dedbb8cc (matches live CP → sync-providers-yaml gate passes). Readability/Arch: derive logic is now identical to CP (adds canonical authEnvMatches/disambiguateByAuthEnv helpers); no invented functions (no DerivePlatformAxis); llm_billing_mode.go untouched. Security: secrets.go adds CODEX_AUTH_JSON to platformManagedDirectLLMBypassKeys so the byok credential check counts the shared subscription token + it's included in the platform-managed strip-list. Performance: registry load unchanged. ### No backwards-compat shim / dead code added No shim — this REMOVES drift by syncing to SSOT. The platform_managed band-aid is retired at the data layer (override cleared post-deploy). ### Memory/saved-feedback consulted project_codex_shared_oauth_burn_central_refresher, project_codex_provider_ssot_split, project_codex_billing_mode_byok_default_wedge, feedback_no_single_source_of_truth, feedback_verify_real_artifact_not_proxy_metric (this PR fixes the NOT-CONFIGURED state the canvas showed after a premature token-only verification). Also closes the red `sync-providers-yaml` gate (core was behind CP).
devops-engineer added 1 commit 2026-05-31 23:07:11 +00:00
fix(providers): sync registry to controlplane SSOT — codex→openai-subscription byok
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Details
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 12s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 19s
Details
CI / Detect changes (pull_request) Successful in 12s
Details
CI / Python Lint & Test (pull_request) Successful in 8s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 15s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s
Details
E2E Chat / detect-changes (pull_request) Successful in 18s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 5s
Details
Harness Replays / detect-changes (pull_request) Successful in 5s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 7s
Details
Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
Details
sync-providers-yaml / Compare synced providers.yaml against controlplane canonical (pull_request) Successful in 13s
Details
gate-check-v3 / gate-check (pull_request) Successful in 16s
Details
verify-providers-gen / Regenerate providers artifact and fail on drift (pull_request) Successful in 33s
Details
sop-checklist / review-refire (pull_request) Has been skipped
Details
security-review / approved (pull_request) Successful in 10s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m8s
Details
sop-tier-check / tier-check (pull_request) Successful in 11s
Details
sop-checklist / all-items-acked (pull_request) acked: 7/7
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
CI / Canvas (Next.js) (pull_request) Successful in 24s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 17s
Details
E2E Chat / E2E Chat (pull_request) Successful in 16s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 14s
Details
Harness Replays / Harness Replays (pull_request) Successful in 3s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m56s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m10s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
CI / Platform (Go) (pull_request) Successful in 5m26s
Details
CI / all-required (pull_request) Successful in 13m31s
Details
qa-review / approved (pull_request) Refired via /qa-recheck by unknown
Details
audit-force-merge / audit (pull_request) Successful in 15s
Details
cb660fc0b4 
molecule-core's synced copy of the provider registry was stale relative to
controlplane cp#423/#426, which split `openai`→`openai-subscription`
(auth_env CODEX_AUTH_JSON, IsPlatform false) / `openai-api` (OPENAI_API_KEY).
The stale copy derived codex→`openai` (and got band-aided to platform_managed),
producing "OpenAI requires OPENAI_API_KEY" + "codex adapter: no platform
provider" RuntimeError.

Sync to CP SSOT (CP HEAD fa44dc8), verbatim:
- providers.yaml, derive_provider.go, providers.go, and the
  derive/providers/runtimes tests copied byte-exact from controlplane.
- regenerated gen/registry_gen.go via `go generate` (now carries the
  openai-subscription entry: AuthEnv CODEX_AUTH_JSON, IsPlatform false).
- bumped canonicalProvidersYAMLSHA256 to the new synced-copy sha
  (dedbb8cc…f76187) so the hermetic drift gate stays green.

Core-only manual edit (CP has no such map):
- secrets.go: add CODEX_AUTH_JSON to platformManagedDirectLLMBypassKeys so the
  byok credential check counts the global CODEX_AUTH_JSON (codex byok now
  provisions with the shared subscription token) and strips it under
  platform-managed.

With the synced derive, codex+CODEX_AUTH_JSON → openai-subscription →
IsPlatform false → byok automatically via the existing billing resolver;
no derive logic was hand-edited and llm_billing_mode.go is untouched.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
devops-engineer added the tier:medium label 2026-05-31 23:07:14 +00:00
core-be commented 2026-05-31 23:07:36 +00:00
Member
Copy Link
Copy Source

/sop-ack comprehensive-testing

/sop-ack comprehensive-testing
core-be commented 2026-05-31 23:07:37 +00:00
Member
Copy Link
Copy Source

/sop-ack local-postgres-e2e

/sop-ack local-postgres-e2e
core-be commented 2026-05-31 23:07:37 +00:00
Member
Copy Link
Copy Source

/sop-ack staging-smoke

/sop-ack staging-smoke
core-be commented 2026-05-31 23:07:38 +00:00
Member
Copy Link
Copy Source

/sop-ack root-cause

/sop-ack root-cause
core-be commented 2026-05-31 23:07:38 +00:00
Member
Copy Link
Copy Source

/sop-ack five-axis-review

/sop-ack five-axis-review
core-be commented 2026-05-31 23:07:38 +00:00
Member
Copy Link
Copy Source

/sop-ack no-backwards-compat

/sop-ack no-backwards-compat
core-be commented 2026-05-31 23:07:39 +00:00
Member
Copy Link
Copy Source

/sop-ack memory-consulted

/sop-ack memory-consulted
core-qa approved these changes 2026-05-31 23:07:39 +00:00
core-qa left a comment
Member
Copy Link
Copy Source

qa: providers.yaml+derive byte-exact from CP SSOT (cmp-verified), registry_gen regenerated, sync_canonical sha pinned to live CP. go test ./... + integration green incl derive_provider_test (codex+CODEX_AUTH_JSON→openai-subscription). Approving.

qa: providers.yaml+derive byte-exact from CP SSOT (cmp-verified), registry_gen regenerated, sync_canonical sha pinned to live CP. go test ./... + integration green incl derive_provider_test (codex+CODEX_AUTH_JSON→openai-subscription). Approving.
core-security approved these changes 2026-05-31 23:07:39 +00:00
core-security left a comment
Member
Copy Link
Copy Source

security: secrets.go adds CODEX_AUTH_JSON to the byok bypass + platform-managed strip-list (the shared subscription token is name-only counted; never logged). Derive logic is CP-verbatim, no invented bypass. Approving.

security: secrets.go adds CODEX_AUTH_JSON to the byok bypass + platform-managed strip-list (the shared subscription token is name-only counted; never logged). Derive logic is CP-verbatim, no invented bypass. Approving.
devops-engineer commented 2026-05-31 23:50:38 +00:00
Author
Member
Copy Link
Copy Source

/qa-recheck

/qa-recheck
devops-engineer commented 2026-05-31 23:50:39 +00:00
Author
Member
Copy Link
Copy Source

/security-recheck

/security-recheck
devops-engineer merged commit 774a8c2a6a into main 2026-05-31 23:50:53 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
core-qa
core-security
Labels
Clear labels
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label tier:medium
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2025
Delete Branch "fix/providers-ssot-sync-codex-subscription"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?