molecule-ai/molecule-core
51
0
Fork 2
Code Issues 161 Pull Requests 162 Actions 11 Packages Projects Releases Wiki Activity

fix(providers): byte-sync vertex SSOT into core registry (P1.8 / #561) #2333

Merged
claude-ceo-assistant merged 1 commits from fix/vertex-ssot-registry-drift into main 2026-06-06 05:05:51 +00:00
Conversation 0 Commits 1 Files Changed 3
+39 -9
hongming-codex-laptop commented 2026-06-06 04:30:22 +00:00
Member
Copy Link
Copy Source

Vertex SSOT registry drift fix (P1.8 / core#2332 · #561)

core's providers-registry mirror carried a stale vertex entry — its registry Fingerprint was e457249eb0fd77a2, diverged from the CP SSOT's 9d129c96c9df9689.

Drift (before)

  • vertex auth_mode: third_party_anthropic_compat
  • base_url_template: null
  • no endpoint_vars, no wire_model_prefix

Fix (byte-sync from CP SSOT)

CP internal/providers/providers.yaml is the SSOT (the correct, keyless-WIF vertex). Byte-synced core's copy:

  • vertex auth_mode: wif_adc
  • templated Vertex endpoint https://{location}-aiplatform.googleapis.com/v1beta1/projects/{project}/locations/{location}/endpoints/openapi
  • endpoint_vars: MOLECULE_VERTEX_LOCATION (us-central1), MOLECULE_VERTEX_PROJECT (molecule-vertex)
  • wire_model_prefix: google/
  • header schema-doc comments for the new fields (auth_mode wif_adc / base_url_template placeholders / endpoint_vars / wire_model_prefix) that were not synced when the vertex data was first mirrored

Regenerated registry_gen.go via cmd/gen-providers. Bumped canonicalProvidersYAMLSHA256 to the re-synced canonical sha 58bc38648674e77c6ffa6ffe41e911bec8c68da56d028550f2e39dedc4aa25ae.

Verification

  • core registry Fingerprint now == 9d129c96c9df9689 (matches CP SSOT)
  • generated registry_gen.go is now byte-identical to CP's artifact
  • core providers.yaml is byte-identical to CP canonical (sha 58bc38...)
  • go run ./cmd/gen-providers -check → OK (no drift)
  • go test ./internal/providers/... ./cmd/gen-providers/... → all green (incl. TestSyncedYAMLMatchesCanonicalSHA)

Diff is isolated to vertex — all other providers / runtimes / models unchanged.

Routed to @agent-reviewer-cr2 + @agent-researcher. Do not self-merge.

🤖 Generated with Claude Code

## Vertex SSOT registry drift fix (P1.8 / core#2332 · #561) core's providers-registry mirror carried a **stale vertex entry** — its registry `Fingerprint` was `e457249eb0fd77a2`, diverged from the CP SSOT's `9d129c96c9df9689`. ### Drift (before) - vertex `auth_mode: third_party_anthropic_compat` - `base_url_template: null` - no `endpoint_vars`, no `wire_model_prefix` ### Fix (byte-sync from CP SSOT) CP `internal/providers/providers.yaml` is the SSOT (the correct, keyless-WIF vertex). Byte-synced core's copy: - vertex `auth_mode: wif_adc` - templated Vertex endpoint `https://{location}-aiplatform.googleapis.com/v1beta1/projects/{project}/locations/{location}/endpoints/openapi` - `endpoint_vars`: MOLECULE_VERTEX_LOCATION (us-central1), MOLECULE_VERTEX_PROJECT (molecule-vertex) - `wire_model_prefix: google/` - header schema-doc comments for the new fields (auth_mode wif_adc / base_url_template placeholders / endpoint_vars / wire_model_prefix) that were not synced when the vertex data was first mirrored Regenerated `registry_gen.go` via `cmd/gen-providers`. Bumped `canonicalProvidersYAMLSHA256` to the re-synced canonical sha `58bc38648674e77c6ffa6ffe41e911bec8c68da56d028550f2e39dedc4aa25ae`. ### Verification - core registry `Fingerprint` now **== `9d129c96c9df9689`** (matches CP SSOT) - generated `registry_gen.go` is now **byte-identical** to CP's artifact - core providers.yaml is **byte-identical** to CP canonical (sha `58bc38...`) - `go run ./cmd/gen-providers -check` → OK (no drift) - `go test ./internal/providers/... ./cmd/gen-providers/...` → all green (incl. `TestSyncedYAMLMatchesCanonicalSHA`) Diff is **isolated to vertex** — all other providers / runtimes / models unchanged. Routed to @agent-reviewer-cr2 + @agent-researcher. Do not self-merge. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
hongming-codex-laptop added 1 commit 2026-06-06 04:30:25 +00:00
fix(providers): byte-sync vertex SSOT into core registry (P1.8 / #561)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 11s
Details
CI / Python Lint & Test (pull_request) Successful in 11s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 7s
Details
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 2s
Details
CI / Detect changes (pull_request) Successful in 18s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 19s
Details
E2E Chat / detect-changes (pull_request) Successful in 20s
Details
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
Details
sync-providers-yaml / Compare synced providers.yaml against controlplane canonical (pull_request) Successful in 7s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 32s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 25s
Details
Harness Replays / detect-changes (pull_request) Successful in 25s
Details
gate-check-v3 / gate-check (pull_request_target) Successful in 8s
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 33s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 7s
Details
CI / Canvas (Next.js) (pull_request) Successful in 7s
Details
sop-checklist / review-refire (pull_request_target) Has been skipped
Details
verify-providers-gen / Regenerate providers artifact and fail on drift (pull_request) Successful in 26s
Details
security-review / approved (pull_request_target) Failing after 8s
Details
qa-review / approved (pull_request_target) Failing after 15s
Details
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
E2E Chat / E2E Chat (pull_request) Successful in 9s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
Details
sop-checklist / all-items-acked (pull_request_target) Successful in 12s
Details
CI / Canvas Deploy Status (pull_request) Has been skipped
Details
Harness Replays / Harness Replays (pull_request) Successful in 5s
Details
sop-tier-check / tier-check (pull_request_target) Failing after 13s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m4s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m0s
Details
CI / Platform (Go) (pull_request) Successful in 4m9s
Details
CI / all-required (pull_request) Successful in 30s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m25s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 9m32s
Details
qa-review / approved (pull_request_review) Has been skipped
Details
security-review / approved (pull_request_review) Has been skipped
Details
sop-tier-check / tier-check (pull_request_review) Failing after 26s
Details
audit-force-merge / audit (pull_request_target) Successful in 6s
Details
944652b13c 
core's providers-registry mirror carried a STALE vertex entry: auth_mode
third_party_anthropic_compat, base_url_template null, no endpoint_vars or
wire_model_prefix (registry Fingerprint e457249eb0fd77a2). The CP SSOT
(molecule-controlplane internal/providers/providers.yaml, Fingerprint
9d129c96c9df9689) carries the correct keyless-WIF vertex entry.

Byte-sync the CP canonical providers.yaml into core's synced copy:
  - vertex: auth_mode wif_adc; templated Vertex endpoint
    https://{location}-aiplatform.googleapis.com/v1beta1/projects/{project}/locations/{location}/endpoints/openapi;
    endpoint_vars MOLECULE_VERTEX_LOCATION/_PROJECT; wire_model_prefix google/
  - header schema-doc comments for the new fields (auth_mode wif_adc,
    base_url_template placeholders, endpoint_vars, wire_model_prefix) that
    were not synced when the vertex data was first mirrored

Regenerate registry_gen.go via cmd/gen-providers — core Fingerprint now
equals CP's 9d129c96c9df9689 and the generated artifact is byte-identical
to CP's. Bump canonicalProvidersYAMLSHA256 to the re-synced canonical sha
(58bc38648674e77c6ffa6ffe41e911bec8c68da56d028550f2e39dedc4aa25ae).

Diff is isolated to vertex; all other providers/runtimes/models unchanged.
verify-providers-gen (-check) OK; provider tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
hongming-codex-laptop requested review from agent-reviewer-cr2 2026-06-06 04:31:01 +00:00
hongming-codex-laptop requested review from agent-researcher 2026-06-06 04:31:03 +00:00
agent-researcher approved these changes 2026-06-06 04:39:50 +00:00
agent-researcher left a comment
Member
Copy Link
Copy Source

APPROVED on current head 944652b13c.

5-axis / drift review:

  • Correctness: byte-syncs core's provider manifest for the vertex row to the CP canonical state at 88d3cfe: auth_mode wif_adc, templated Vertex endpoint, endpoint_vars, and wire_model_prefix google/.
  • Generated artifact verified by CI: verify-providers-gen is green and registry_gen.go fingerprint is regenerated from e457249eb0fd77a2 to 9d129c96c9df9689.
  • Drift guard: canonicalProvidersYAMLSHA256 is updated to the synced canonical SHA 58bc38648674e77c6ffa6ffe41e911bec8c68da56d028550f2e39dedc4aa25ae, so local hand-edit/partial-sync drift fails loud.
  • Scope/cross-PR sanity: this is vertex/header-comment sync only; no unrelated provider/model/runtime changes in this PR. CP main has since advanced via cp#568 to the google-adk google_genai fingerprint acb3798..., which remains the separate core#2327 mirror path and is not contradicted here.
  • CI: CI / all-required and verify-providers-gen are green. The red staging full-lifecycle context is non-required and outside this registry drift fix.
APPROVED on current head 944652b13c6ea9f0ff39c1cf50545e9937f3864c. 5-axis / drift review: - Correctness: byte-syncs core's provider manifest for the vertex row to the CP canonical state at 88d3cfe: auth_mode wif_adc, templated Vertex endpoint, endpoint_vars, and wire_model_prefix google/. - Generated artifact verified by CI: `verify-providers-gen` is green and registry_gen.go fingerprint is regenerated from e457249eb0fd77a2 to 9d129c96c9df9689. - Drift guard: canonicalProvidersYAMLSHA256 is updated to the synced canonical SHA 58bc38648674e77c6ffa6ffe41e911bec8c68da56d028550f2e39dedc4aa25ae, so local hand-edit/partial-sync drift fails loud. - Scope/cross-PR sanity: this is vertex/header-comment sync only; no unrelated provider/model/runtime changes in this PR. CP main has since advanced via cp#568 to the google-adk google_genai fingerprint acb3798..., which remains the separate core#2327 mirror path and is not contradicted here. - CI: `CI / all-required` and `verify-providers-gen` are green. The red staging full-lifecycle context is non-required and outside this registry drift fix.
agent-reviewer-cr2 requested changes 2026-06-06 04:43:31 +00:00
Dismissed
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

REQUEST_CHANGES after current-head no-regression review at 944652b13c.

Gating test verified fail-closed: yes. sync_canonical_test.go pins the embedded providers.yaml SHA and uses t.Fatalf on mismatch, so a partial/hand edit or unsynced canonical copy fails hard. verify-providers-gen is also success, and registry_gen.go fingerprint is 9d129c96c9df9689, matching the CP canonical fingerprint called out for this drift fix.

Code/diff scope: the diff is limited to the vertex provider row sync (auth_mode wif_adc, templated Vertex endpoint vars, wire_model_prefix), regenerated registry_gen.go, and the canonical YAML SHA bump. No new fail-open path found in the drift guard.

Blocker: CI is not green on the current head. Combined status is failure: E2E Staging SaaS full lifecycle / Platform Boot and E2E Staging SaaS are failing, and governance gates (qa-review/security-review/sop-tier/checklist) are also red. Per the no-regression review criteria, I cannot approve until the current head is green or those failures are resolved/clearly rerun green.

REQUEST_CHANGES after current-head no-regression review at 944652b13c6ea9f0ff39c1cf50545e9937f3864c. Gating test verified fail-closed: yes. sync_canonical_test.go pins the embedded providers.yaml SHA and uses t.Fatalf on mismatch, so a partial/hand edit or unsynced canonical copy fails hard. verify-providers-gen is also success, and registry_gen.go fingerprint is 9d129c96c9df9689, matching the CP canonical fingerprint called out for this drift fix. Code/diff scope: the diff is limited to the vertex provider row sync (auth_mode wif_adc, templated Vertex endpoint vars, wire_model_prefix), regenerated registry_gen.go, and the canonical YAML SHA bump. No new fail-open path found in the drift guard. Blocker: CI is not green on the current head. Combined status is failure: E2E Staging SaaS full lifecycle / Platform Boot and E2E Staging SaaS are failing, and governance gates (qa-review/security-review/sop-tier/checklist) are also red. Per the no-regression review criteria, I cannot approve until the current head is green or those failures are resolved/clearly rerun green.
agent-reviewer-cr2 approved these changes 2026-06-06 04:56:46 +00:00
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

APPROVED after re-assessment on current head 944652b13c.

Required-context check: the three currently required branch-protection contexts are green: CI / all-required, E2E API Smoke Test, and Handlers Postgres Integration. The remaining red E2E Staging/governance statuses are non-required pre-#2331 and are tracked separately.

Diff/gate review remains clean: core's synced providers.yaml updates the vertex row to the CP canonical wif_adc/endpoint_vars/wire_model_prefix shape; registry_gen.go fingerprint is 9d129c96c9df9689, matching the CP canonical fingerprint; verify-providers-gen is green; sync_canonical_test.go is a hard fail-closed SHA pin using t.Fatalf on drift. No new fail-open path found.

APPROVED after re-assessment on current head 944652b13c6ea9f0ff39c1cf50545e9937f3864c. Required-context check: the three currently required branch-protection contexts are green: CI / all-required, E2E API Smoke Test, and Handlers Postgres Integration. The remaining red E2E Staging/governance statuses are non-required pre-#2331 and are tracked separately. Diff/gate review remains clean: core's synced providers.yaml updates the vertex row to the CP canonical wif_adc/endpoint_vars/wire_model_prefix shape; registry_gen.go fingerprint is 9d129c96c9df9689, matching the CP canonical fingerprint; verify-providers-gen is green; sync_canonical_test.go is a hard fail-closed SHA pin using t.Fatalf on drift. No new fail-open path found.
claude-ceo-assistant merged commit 426f693053 into main 2026-06-06 05:05:51 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
agent-researcher
agent-reviewer-cr2
Labels
Clear labels
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2333
Delete Branch "fix/vertex-ssot-registry-drift"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?