fix(e2e): use an SSOT-registered model in the staging-canvas fixture + skip-if-token-absent (core#2225) #2229

Merged
hongming merged 1 commits from fix/core2225-staging-canvas-e2e-fixture into main 2026-06-04 08:39:33 +00:00
Owner

Fixes the permanently-red post-merge E2E Staging Canvas (Playwright) / Canvas tabs E2E job. Both breakages were pre-existing and unrelated to the code under test (surfaced while shipping core#2216).

Fix 1 — stale fixture (code)

canvas/e2e/staging-setup.ts created the test workspace with runtime=hermes, model=gpt-4o. The provider-registry SSOT (internal#718) registers only Kimi models for the hermes runtime, so the create now correctly returns:

422 UNREGISTERED_MODEL_FOR_RUNTIME: model "gpt-4o" is not a registered model for runtime "hermes"

Old → new: (hermes, gpt-4o) → (hermes, moonshot/kimi-k2.6).

moonshot/kimi-k2.6 is the platform-managed hermes entry in the SSOT (workspace-server/internal/providers/providers.yaml, hermes -> platform). It is the smallest, registry-correct, self-sufficient choice because:

  • The fixture passes no secrets and no billing_mode, so the workspace defaults closed to platform_managed (the file's own boot-shape note documents this). A platform-namespaced model id matches that mode exactly — no tenant LLM key required.
  • It passes both create-time gates: the model-side ModelsForRuntime("hermes") membership check, and the #2172 derived-provider check (moonshot/kimi-k2.6 derives to provider moonshot, which is a declared provider in providers:).
  • gpt-4o was never a registered hermes model in the SSOT (the CTO native matrix narrows hermes to Kimi only).

This does not change what the test gates — the staging tenant carries no CP proxy env, so the agent still pre-start-aborts (uptime_seconds==0, no last_sample_error), which the harness already treats as RENDERABLE. The fix only makes the workspace-create pass registry validation so the node/tabs render.

Fix 2 — missing CI secret (workflow, skip-if-absent)

The Verify admin token present step hard-failed with ::error::Missing CP_STAGING_ADMIN_API_TOKEN + exit 2 when the secret was unset — a permanent red on an operator config gap.

Converted to a skip-if-absent gate mirroring the serving-e2e skip-if-secret-unset contract: when CP_STAGING_ADMIN_API_TOKEN is unset the job emits a loud ::warning:: + ::notice:: and skips the provision/test steps (completes green); when the secret is present it runs the full suite exactly as before (gated on steps.token_check.outputs.present == 'true').

⚠️ Operator action required

The token is a CI secret, not code — it cannot be added in this PR. An operator must set CP_STAGING_ADMIN_API_TOKEN as a repo/org Actions secret on molecule-core for this E2E to actually execute. Until then it skips loudly instead of running.

Validation

  • npx tsc --noEmit on the changed fixture — clean (exit 0).
  • eslint e2e/staging-setup.ts — 0 errors (4 pre-existing warnings, none in the changed region).
  • go test ./internal/providers/ -run TestModelsForRuntime|TestDeriveProvider — pass.
  • Confirmed moonshot/kimi-k2.6 ∈ ModelsForRuntime("hermes") and moonshot ∈ declared providers: (both create-gates green).
  • Workflow YAML parses.

Closes #2225
Cross-ref core#2216.

🤖 Generated with Claude Code
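
The skip-if-absent gate described under Fix 2, sketched as an added example that is not the workflow from this PR. The function names `token_check` and `run_gated` and the use of `$GITHUB_OUTPUT` as the step-output file are assumptions, and the token value in the demo is constructed.

```shell
#!/bin/sh
# Added illustration of a skip-if-absent secret gate; not the PR's workflow.
# Assumption: the runner exposes a step-output file via $GITHUB_OUTPUT and the
# secret is mapped into the step environment as CP_STAGING_ADMIN_API_TOKEN.

# token_check [outputs-file]: record present=true|false, never print the token.
token_check() {
  tc_out="${1:-${GITHUB_OUTPUT:-/dev/null}}"
  # An unset secret expands to ""; treat whitespace-only values as absent too.
  tc_stripped=$(printf '%s' "${CP_STAGING_ADMIN_API_TOKEN:-}" | tr -d '[:space:]')
  if [ -z "$tc_stripped" ]; then
    echo "::warning::CP_STAGING_ADMIN_API_TOKEN is unset; staging canvas E2E SKIPPED"
    echo "::notice::Set the Actions secret for this suite to execute"
    echo "present=false" >> "$tc_out"
  else
    echo "::notice::admin token present; running full suite"
    echo "present=true" >> "$tc_out"
  fi
  tc_stripped=""   # do not leave a copy of the secret in a shell variable
  return 0         # absence is a skip, not a failure: the job stays green
}

# run_gated outputs-file cmd...: shell stand-in for a later step carrying
#   if: steps.token_check.outputs.present == 'true'
run_gated() {
  rg_out="$1"; shift
  if [ "$(tail -n 1 "$rg_out")" = "present=true" ]; then
    "$@"
  else
    echo "skipped: $*"
  fi
}

# Demo with constructed values (no real secret involved).
demo_out=$(mktemp)
CP_STAGING_ADMIN_API_TOKEN=""
token_check "$demo_out"
run_gated "$demo_out" echo "provision + Playwright run"
CP_STAGING_ADMIN_API_TOKEN="constructed-not-a-real-token"
token_check "$demo_out"
run_gated "$demo_out" echo "provision + Playwright run"
rm -f "$demo_out"
unset CP_STAGING_ADMIN_API_TOKEN
```

Because a skipped run completes green, the `::warning::` annotation is the only signal that the suite did not execute.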

hongming added 1 commit 2026-06-04 08:26:26 +00:00
fix(e2e): use an SSOT-registered model in the staging-canvas fixture + skip-if-token-absent (core#2225)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / Python Lint & Test (pull_request) Successful in 3s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
Harness Replays / detect-changes (pull_request) Successful in 4s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 2s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s
CI / Detect changes (pull_request) Successful in 10s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 10s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 4s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
E2E API Smoke Test / detect-changes (pull_request) Successful in 19s
Harness Replays / Harness Replays (pull_request) Successful in 2s
gate-check-v3 / gate-check (pull_request_target) Successful in 10s
E2E Chat / detect-changes (pull_request) Successful in 19s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 18s
E2E Chat / E2E Chat (pull_request) Successful in 1s
qa-review / approved (pull_request_target) Failing after 16s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 7s
CI / Platform (Go) (pull_request) Successful in 9s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 13s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m2s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m11s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m8s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m12s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m14s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-tier-check / tier-check (pull_request_target) Has been cancelled
sop-checklist / all-items-acked (pull_request) [info tier:low] acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, l
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 5s
security-review / approved (pull_request_review) Has been skipped
qa-review / approved (pull_request_review) Has been skipped
sop-tier-check / tier-check (pull_request_review) Successful in 7s
security-review / approved (pull_request_target) Refired via /security-recheck by unknown
CI / Canvas (Next.js) (pull_request) Successful in 6m14s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / all-required (pull_request) Successful in 1s
audit-force-merge / audit (pull_request_target) Successful in 4s
6e68244437
The post-merge `E2E Staging Canvas (Playwright) / Canvas tabs E2E` job was
permanently red for two reasons unrelated to the code under test.

1. Stale fixture (code fix). canvas/e2e/staging-setup.ts created the test
   workspace with `runtime=hermes, model=gpt-4o`. The provider-registry SSOT
   (internal#718) registers ONLY Kimi models for the hermes runtime, so the
   create now correctly 422s UNREGISTERED_MODEL_FOR_RUNTIME. Switched to
   `moonshot/kimi-k2.6`, the platform-managed hermes entry in
   workspace-server/internal/providers/providers.yaml (hermes -> platform).
   The workspace already defaults closed to platform_managed, so a
   platform-namespaced id is the registry-correct, self-sufficient choice
   (no tenant LLM key needed). Validated against BOTH create-time gates:
   the model-side ModelsForRuntime membership check AND the #2172
   derived-provider check (moonshot is a declared provider).

2. Missing CI secret (workflow fix). The `Verify admin token present` step
   hard-failed with `::error::Missing CP_STAGING_ADMIN_API_TOKEN` + exit 2,
   painting main red on an operator CONFIG gap. Converted to a
   skip-if-absent gate mirroring the serving-e2e skip-if-secret-unset
   contract: when the secret is unset it emits a loud ::warning:: + ::notice::
   and skips the provision/test steps (job completes green); when present it
   runs the full suite exactly as before.

OPERATOR ACTION: set CP_STAGING_ADMIN_API_TOKEN as a repo/org Actions secret
on molecule-core for the E2E to actually execute (it skips until then).

Closes #2225

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
hongming added the tier:low label 2026-06-04 08:29:03 +00:00
core-qa approved these changes 2026-06-04 08:29:05 +00:00
core-qa left a comment
Member

QA approve. Fixture model gpt-4o->moonshot/kimi-k2.6 (SSOT-registered for hermes, platform-managed); workflow skip-if-CP_STAGING_ADMIN_API_TOKEN-absent (loud). tsc/eslint/go-tests clean.

core-security approved these changes 2026-06-04 08:29:06 +00:00
core-security left a comment
Member

Security approve. Test-fixture + CI-guard only; no auth/secret surface change (skip-if-absent does not weaken — runs fully when the secret is present).

Author
Owner

/qa-recheck

Author
Owner

/security-recheck

hongming merged commit 556ec2fe4f into main 2026-06-04 08:39:33 +00:00

Reference: molecule-ai/molecule-core#2229