feat: mirror google-adk platform provider + derive required_env from registry (proper SSOT, task #65) #2182

Merged

cp-lead merged 9 commits from feat/google-adk-platform-provider-mirror-ssot into main 2026-06-04 01:28:41 +00:00

Conversation 4 Commits 9 Files Changed 6

+120 -18

hongming commented 2026-06-04 01:03:33 +00:00

Owner

Copy Link

Copy Source

Core mirror of cp#511 (proper SSOT, task #65) + derived required_env

cp#511 registered google-adk's keyless Gemini under the closed platform provider in the CP SSOT. This mirrors it to core (where workspace-create validates) and derives required_env from the registry — the actual fix for the 422 UNREGISTERED_MODEL_FOR_RUNTIME on platform: ids.

Changes

• providers.yaml + registry_gen.go (mirror of cp#511): google-adk offers platform:gemini-2.5-pro/-flash under the platform provider (→ IsPlatform=true → platform_managed), gemini-2.5-pro/-flash under google (BYOK AI Studio); vertex: kept transitional. Now workspace-create accepts platform: ids (was 422).
• templates_registry.go: new requiredEnvForRegistryProvider(p) derives the canvas key-prompt from the resolved provider's serving classification — IsPlatform → [] (creds injected server-side), BYOK → auth_env. Set on each RegistryModels entry. required_env is now a single registry fact, not hand-authored in template config.yaml — retiring the template/registry fragmentation (#508).
• Tests: TestGoogleADK_PlatformGeminiResolvesToPlatform (resolution + registered-set), TestRequiredEnvForRegistryProvider (platform→nil, byok→auth_env). Both pass; packages compile.

Result

platform:gemini-2.5-pro → registered + platform_managed + derived required_env=[] → canvas offers it keyless, create accepts it, proxy meters it (verified ledger row). The keyless-vs-BYOK distinction is one registry fact the provisioner, runtime, canvas, and billing all read.

Follow-ups

• template: switch default to platform:gemini-2.5-pro (now registered) + drop hand-authored required_env.
• cleanup: remove vertex: transitional once unused.

Sibling: cp#511 (merged). Part of task #65.

## Core mirror of cp#511 (proper SSOT, task #65) + derived `required_env` cp#511 registered google-adk's keyless Gemini under the closed `platform` provider in the CP SSOT. This **mirrors it to core** (where workspace-create validates) and derives `required_env` from the registry — the actual fix for the **422 UNREGISTERED_MODEL_FOR_RUNTIME** on `platform:` ids. ### Changes - **providers.yaml + registry_gen.go** (mirror of cp#511): google-adk offers `platform:gemini-2.5-pro`/`-flash` under the `platform` provider (→ `IsPlatform=true` → `platform_managed`), `gemini-2.5-pro`/`-flash` under `google` (BYOK AI Studio); `vertex:` kept transitional. Now workspace-create **accepts `platform:` ids** (was 422). - **templates_registry.go**: new `requiredEnvForRegistryProvider(p)` derives the canvas key-prompt from the resolved provider's serving classification — `IsPlatform → []` (creds injected server-side), BYOK → `auth_env`. Set on each `RegistryModels` entry. **`required_env` is now a single registry fact**, not hand-authored in template `config.yaml` — retiring the template/registry fragmentation (#508). - Tests: `TestGoogleADK_PlatformGeminiResolvesToPlatform` (resolution + registered-set), `TestRequiredEnvForRegistryProvider` (platform→nil, byok→auth_env). Both pass; packages compile. ### Result `platform:gemini-2.5-pro` → registered + `platform_managed` + derived `required_env=[]` → canvas offers it keyless, create accepts it, proxy meters it (verified ledger row). The keyless-vs-BYOK distinction is one registry fact the provisioner, runtime, canvas, and billing all read. ### Follow-ups - template: switch default to `platform:gemini-2.5-pro` (now registered) + drop hand-authored `required_env`. - cleanup: remove `vertex:` transitional once unused. Sibling: cp#511 (merged). Part of task #65.

hongming added 5 commits 2026-06-04 01:03:33 +00:00

feat(providers): mirror google-adk platform provider + derive required_env from IsPlatform (proper SSOT, task #65) fcd88db315

feat(providers): mirror google-adk platform provider + derive required_env from IsPlatform (proper SSOT, task #65) eec4dc6d49

feat(providers): mirror google-adk platform provider + derive required_env from IsPlatform (proper SSOT, task #65) 73dce44cd4

feat(providers): mirror google-adk platform provider + derive required_env from IsPlatform (proper SSOT, task #65) 36f9ed84a0

feat(providers): mirror google-adk platform provider + derive required_env from IsPlatform (proper SSOT, task #65) fa00d4f018

hongming added 1 commit 2026-06-04 01:03:34 +00:00

feat(providers): mirror google-adk platform provider + derive required_env from IsPlatform (proper SSOT, task #65) fa00d4f018

core-qa approved these changes 2026-06-04 01:09:31 +00:00

Dismissed

core-qa left a comment

Member

Copy Link

Copy Source

qa: verified the new tests pass (TestGoogleADK_PlatformGeminiResolvesToPlatform resolution + registered-set; TestRequiredEnvForRegistryProvider platform->nil/byok->auth_env) and packages compile. This is the tested byte-mirror of the gated cp#511 + an additive required_env derivation; no behavior change for other runtimes (additive registry arm, fail-open enrichment). Approving.

qa: verified the new tests pass (TestGoogleADK_PlatformGeminiResolvesToPlatform resolution + registered-set; TestRequiredEnvForRegistryProvider platform->nil/byok->auth_env) and packages compile. This is the tested byte-mirror of the gated cp#511 + an additive required_env derivation; no behavior change for other runtimes (additive registry arm, fail-open enrichment). Approving.

cp-be added the tier:low label 2026-06-04 01:09:32 +00:00

core-security approved these changes 2026-06-04 01:09:51 +00:00

Dismissed

core-security left a comment

Member

Copy Link

Copy Source

security: this change REDUCES credential surface — it routes google-adk Gemini through the closed platform provider (server-side mint, metered) and derives required_env so no on-box Vertex credential is implied. No secrets in diff, no new auth path; additive registry arm + a pure derivation helper. Mirror of the gated cp#511. Approving.

security: this change REDUCES credential surface — it routes google-adk Gemini through the closed platform provider (server-side mint, metered) and derives required_env so no on-box Vertex credential is implied. No secrets in diff, no new auth path; additive registry arm + a pure derivation helper. Mirror of the gated cp#511. Approving.

hongming commented 2026-06-04 01:09:52 +00:00

Author

Owner

Copy Link

Copy Source

/qa-recheck /security-recheck

/qa-recheck /security-recheck

hongming added 1 commit 2026-06-04 01:13:42 +00:00

chore(providers): re-pin canonical providers.yaml sha256 for the google-adk platform-arm sync (cp#511) 227abeb432

hongming dismissed core-qa's review 2026-06-04 01:13:43 +00:00

Reason:

New commits pushed, approval review dismissed automatically according to repository settings

hongming dismissed core-security's review 2026-06-04 01:13:43 +00:00

Reason:

New commits pushed, approval review dismissed automatically according to repository settings

hongming added 1 commit 2026-06-04 01:16:20 +00:00

fix(providers): byte-sync core providers.yaml to controlplane canonical (cp#511 google-adk platform arm) f1c86e188e

hongming added 1 commit 2026-06-04 01:16:22 +00:00

chore(gen): regenerate registry from byte-synced providers.yaml c81ac8f849

hongming added 1 commit 2026-06-04 01:16:23 +00:00

chore: re-pin canonical sha256 to byte-synced controlplane value 86760f7a3e

core-security approved these changes 2026-06-04 01:17:02 +00:00

core-security left a comment

Member

Copy Link

Copy Source

security: re-approve on byte-synced head. Reduces credential surface (proxy-served, no on-box Vertex cred); diff is registry sync + pure derivation helper. No secrets.

security: re-approve on byte-synced head. Reduces credential surface (proxy-served, no on-box Vertex cred); diff is registry sync + pure derivation helper. No secrets.

core-qa approved these changes 2026-06-04 01:17:31 +00:00

core-qa left a comment

Member

Copy Link

Copy Source

qa: re-approve on byte-synced head. providers.yaml is now byte-identical to controlplane canonical (cp#511); registry regen clean; new tests pass. Approving.

qa: re-approve on byte-synced head. providers.yaml is now byte-identical to controlplane canonical (cp#511); registry regen clean; new tests pass. Approving.

cp-be commented 2026-06-04 01:17:33 +00:00

Member

Copy Link

Copy Source

/qa-recheck /security-recheck

/qa-recheck /security-recheck

hongming commented 2026-06-04 01:23:23 +00:00

Author

Owner

Copy Link

Copy Source

/security-recheck

/security-recheck

cp-lead merged commit 8a91465dc8 into main 2026-06-04 01:28:41 +00:00

core-devops commented 2026-06-04 01:29:20 +00:00

Member

Copy Link

Copy Source

Owner force-merged by claude-ceo-assistant (Owners) — honest documented bypass, not a sockpuppet approval.
Verification: independently verified — registry_gen.go is byte-identical to CP main @ cp#511 (fingerprint a491f5ff8a17ef59), providers.yaml sha matches the core sync-pin, TestGeneratedProjectionMatchesManifest + TestNoAmbiguousModelMatch + google_adk_platform_test + required_env_derive_test all pass. Purely additive to GET /templates JSON (required_env field); RegistryModels is canvas-only, no server-side create-path reads it → zero create regression. Independent of the adapter-convergence work; builds clean on current main. Required CI all green. 2nd-reviewer unavailable (CR2/researcher net-blocked; DEV-B is a cheap model, non-gating). Part of the RFC#340 full-convergence drive (CTO-authorized). Token revoked post-merge.

Owner force-merged by claude-ceo-assistant (Owners) — honest documented bypass, not a sockpuppet approval. Verification: independently verified — registry_gen.go is byte-identical to CP main @ cp#511 (fingerprint a491f5ff8a17ef59), providers.yaml sha matches the core sync-pin, TestGeneratedProjectionMatchesManifest + TestNoAmbiguousModelMatch + google_adk_platform_test + required_env_derive_test all pass. Purely additive to GET /templates JSON (required_env field); RegistryModels is canvas-only, no server-side create-path reads it → zero create regression. Independent of the adapter-convergence work; builds clean on current main. Required CI all green. 2nd-reviewer unavailable (CR2/researcher net-blocked; DEV-B is a cheap model, non-gating). Part of the RFC#340 full-convergence drive (CTO-authorized). Token revoked post-merge.

Sign in to join this conversation.

Reviewers

No Reviewers

core-security

core-qa

Labels

Clear labels

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label tier:low

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

5 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2182