molecule-ai/molecule-core
51
0
Fork 2
Code Issues 164 Pull Requests 155 Actions 14 Packages Projects Releases Wiki Activity

feat(providers): BYOK-routability-aware workspace-create enforcer (cp#529) #2256

Merged
hongming merged 1 commits from feat/cp529-byok-routability-enforcer into main 2026-06-04 23:07:42 +00:00
Conversation 2 Commits 1 Files Changed 8
+296 -89
hongming commented 2026-06-04 21:37:15 +00:00
Owner
Copy Link
Copy Source

cp#529 — Option C (CTO-approved): routability-aware enforcer

validateRegisteredModelForRuntime now allows a model if it is on the runtimes platform menu (ModelsForRuntime) OR DeriveProvider resolves a native provider. Wires confirmed-non-platform BYOK providers into claude-code/hermes/openclaw as name-only native arms (zero platform-menu change) + widens their prefix matchers to accept both slash and colon BYOK id forms.

Billing guardrail: only non-platform (BYOK) providers are wired. Platform-shared vendors (openai/gemini/minimax/anthropic, and groq which has no provider) are deliberately NOT wired, so their ids stay residual drift rather than billing a customers model through the platform key.

Result (drift checker): claude-code fully resolves (27/27); residual = only platform-shared ids — hermes anthropic/·gemini/·openai/·minimax/ (12), codex codex-minimax (1), openclaw groq:·openai:·minimax: (7). Those get trimmed from templates / restored via dedicated BYOK-vendor providers in a follow-up.

Build + providers/gen/handlers tests green.

⚠️ Coordination: overlaps the same files (providers.yaml, registry_gen.go, runtimes_test.go, sync_canonical_test.go) as open PR #2241 (cp#521) which takes the opposite trim approach on claude-code. CTO chose routability (Option C) so cp#529 supersedes that ids trim, but #2241 has other valuable changes (MiniMax-M2.7 rename, canvas-deploy-status). Co-review + rebase before merge.

Paired with molecule-controlplane feat/cp529-byok-routability-checker (byte-synced providers.yaml — must land together).

Refs cp#529.

## cp#529 — Option C (CTO-approved): routability-aware enforcer `validateRegisteredModelForRuntime` now allows a model if it is on the runtimes platform menu (`ModelsForRuntime`) **OR** `DeriveProvider` resolves a native provider. Wires confirmed-non-platform BYOK providers into claude-code/hermes/openclaw as **name-only native arms** (zero platform-menu change) + widens their prefix matchers to accept both slash and colon BYOK id forms. **Billing guardrail:** only non-platform (BYOK) providers are wired. Platform-shared vendors (openai/gemini/minimax/anthropic, and groq which has no provider) are deliberately NOT wired, so their ids stay residual drift rather than billing a customers model through the platform key. **Result (drift checker):** claude-code fully resolves (27/27); residual = only platform-shared ids — hermes `anthropic/`·`gemini/`·`openai/`·`minimax/` (12), codex `codex-minimax` (1), openclaw `groq:`·`openai:`·`minimax:` (7). Those get trimmed from templates / restored via dedicated BYOK-vendor providers in a follow-up. Build + providers/gen/handlers tests green. ⚠️ **Coordination:** overlaps the same files (providers.yaml, registry_gen.go, runtimes_test.go, sync_canonical_test.go) as open **PR #2241 (cp#521)** which takes the opposite *trim* approach on claude-code. CTO chose routability (Option C) so cp#529 supersedes that ids trim, but #2241 has other valuable changes (MiniMax-M2.7 rename, canvas-deploy-status). Co-review + rebase before merge. **Paired with** molecule-controlplane `feat/cp529-byok-routability-checker` (byte-synced providers.yaml — must land together). Refs cp#529.
hongming added 1 commit 2026-06-04 21:37:15 +00:00
feat(providers): BYOK-routability-aware workspace-create enforcer (cp#529)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Details
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 1s
Details
CI / Detect changes (pull_request) Successful in 6s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
Details
CI / Python Lint & Test (pull_request) Successful in 6s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 7s
Details
Harness Replays / detect-changes (pull_request) Successful in 4s
Details
E2E Chat / detect-changes (pull_request) Successful in 8s
Details
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 10s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 10s
Details
qa-review / approved (pull_request_target) Failing after 6s
Details
gate-check-v3 / gate-check (pull_request_target) Successful in 7s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 13s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 9s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 4s
Details
CI / Canvas (Next.js) (pull_request) Successful in 5s
Details
security-review / approved (pull_request_target) Failing after 9s
Details
Harness Replays / Harness Replays (pull_request) Successful in 1s
Details
E2E Chat / E2E Chat (pull_request) Successful in 8s
Details
verify-providers-gen / Regenerate providers artifact and fail on drift (pull_request) Successful in 27s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 55s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
Details
CI / Canvas Deploy Status (pull_request) Has been skipped
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 34s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3m28s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 2m23s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m44s
Details
CI / Platform (Go) (pull_request) Successful in 4m12s
Details
CI / all-required (pull_request) Successful in 2s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m10s
Details
sop-checklist / review-refire (pull_request_target) Has been skipped
Details
sync-providers-yaml / Compare synced providers.yaml against controlplane canonical (pull_request) Successful in 12s
Details
sop-tier-check / tier-check (pull_request_target) Successful in 4s
Details
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
sop-checklist / all-items-acked (pull_request_target) Successful in 59s
Details
qa-review / approved (pull_request_review) Has been skipped
Details
security-review / approved (pull_request_review) Has been skipped
Details
sop-tier-check / tier-check (pull_request_review) Successful in 4s
Details
audit-force-merge / audit (pull_request_target) Successful in 4s
Details
ddc4e8190c 
validateRegisteredModelForRuntime now allows a model if it is on the
runtime's platform menu (ModelsForRuntime) OR DeriveProvider resolves a
native provider — the CTO-approved Option C routability path. Wire
confirmed-non-platform BYOK providers into claude-code/hermes/openclaw as
name-only native arms (zero platform-menu change) + widen their prefix
matchers to accept both slash and colon BYOK id forms.

Billing guardrail: only non-platform (BYOK) providers are wired; the
platform-shared vendors (openai/gemini/minimax/anthropic, and groq which
has no provider) are deliberately NOT wired, so their ids stay residual
drift rather than billing a customer's model through the platform key.

claude-code now fully resolves; residual drift = only platform-shared ids
(hermes anthropic//gemini//openai//minimax/, codex codex-minimax, openclaw
groq:/openai:/minimax:) — trimmed from templates / restored via dedicated
BYOK-vendor providers in a follow-up. Build + providers/gen/handlers tests
green.

NOTE: overlaps files with open PR #2241 (cp#521, trim approach); co-review
and rebase before merge.

cp#529

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
hongming added the tier:medium label 2026-06-04 23:01:45 +00:00
core-qa approved these changes 2026-06-04 23:06:52 +00:00
core-qa left a comment
Member
Copy Link
Copy Source

QA (cp#529 routability-aware enforcer). Reviewed: validateRegisteredModelForRuntime now allows model ∈ ModelsForRuntime OR DeriveProvider resolves; BYOK passthrough providers wired as name-only arms (no platform-menu change); fail-open branches preserved; tests cover BYOK-pass + unroutable-422 + platform-unaffected. Required CI green, sync-gate green. Approve.

QA (cp#529 routability-aware enforcer). Reviewed: validateRegisteredModelForRuntime now allows model ∈ ModelsForRuntime OR DeriveProvider resolves; BYOK passthrough providers wired as name-only arms (no platform-menu change); fail-open branches preserved; tests cover BYOK-pass + unroutable-422 + platform-unaffected. Required CI green, sync-gate green. Approve.
core-security approved these changes 2026-06-04 23:06:53 +00:00
core-security left a comment
Member
Copy Link
Copy Source

Security (cp#529). BILLING GUARDRAIL verified: only confirmed-non-platform providers (own auth_env) wired into BYOK runtime arms; platform-shared providers (anthropic-api/openai-*/moonshot/minimax/google/vertex/platform) deliberately NOT wired, so a BYOK menu id can never route through a platform key. IsPlatform unchanged (name=='platform'), so BYOK derives to byok billing. No new secret/authz surface. Approve.

Security (cp#529). BILLING GUARDRAIL verified: only confirmed-non-platform providers (own auth_env) wired into BYOK runtime arms; platform-shared providers (anthropic-api/openai-*/moonshot/minimax/google/vertex/platform) deliberately NOT wired, so a BYOK menu id can never route through a platform key. IsPlatform unchanged (name=='platform'), so BYOK derives to byok billing. No new secret/authz surface. Approve.
hongming merged commit 9b19759ceb into main 2026-06-04 23:07:42 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
core-qa
core-security
Labels
Clear labels
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label tier:medium
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2256
Delete Branch "feat/cp529-byok-routability-enforcer"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?