feat(canvas): Org Concierge — concept reskin + self-host platform-agent backend (BYOK · user-tasks · boot-provision) #2385

Merged
core-devops merged 50 commits from feat/canvas-concierge-ui into main 2026-06-08 09:10:29 +00:00

Delivers the Org Concierge: the canvas (tenant-facing node-graph at <slug>.moleculesai.app) reskinned to the provided concept, plus the platform-agent ("concierge") backend that makes a self-hosted org's root agent auto-create, provision, and be configurable from the canvas. Non-breaking — node graph, drag/viewport, A2A edges, and existing routes are all preserved. No control-plane dashboard changes (molecule-app PR #81 closed; the canvas is the front end).

Canvas (frontend)

  • Concept shell — left icon rail + topbar + Home (chat with the org concierge) / Org map (the existing node-graph) / Settings, faithful to the concept. Org name + concierge name render dynamically.
  • Design tokens + typography — purple accent across the warm-paper @theme + always-dark node tokens; Hanken Grotesk via next/font (JetBrains Mono retained).
  • Node cards → concept — role/model pills, status line, queued state; system-controlled uniform sizing (free-resize removed).
  • Home wired to real data — approvals (/approvals/pending), user-tasks (/user-tasks/pending), activity feed.
  • Settings — SSOT provider+model BYOK for the platform agent (registry-driven, not hardcoded Anthropic; Platform = managed/no key, any other provider = BYOK) + relocated canvas settings (secrets / tokens / org). Secrets client now sends the auth bearer (fixes a 401).

Platform-agent concierge (backend)

  • Self-host boot-seed (MOLECULE_SEED_PLATFORM_AGENT) — the tenant server seeds the org's kind='platform' root when there is no control plane to install it, and auto-provisions its container on boot (best-effort; the SaaS/cpProv path is untouched).
  • Dynamic name — concierge named "<MOLECULE_ORG_NAME> Agent" (e.g. "Molecule AI Agent"), with open GET /org/identity feeding the topbar.
  • user_tasks primitive — structured agent→user action requests ("things an agent asks the user to do"), modeled on the approvals subsystem. Full REST + MCP CRUD, workspace-scoped authz (a workspace touches only its own; the org-wide home feed is admin-gated), FK + ON DELETE CASCADE + index. See docs/design/rfc-user-tasks.md.
  • Provisioner cross-reap fix — managed-container labels namespaced per platform instance so co-resident platforms can't reap each other's containers.
  • CORS: allow X-Confirm-Name (workspace-delete confirmation).

Tests / CI / SSOT

  • user_tasks e2e (REST + MCP) wired into e2e-api.
  • Mandatory local Docker-provisioner lifecycle e2e — provision → online → restart-survive → proxy against a stub runtime (gating) + a MiniMax real-LLM advisory lane.
  • New endpoints authored in the OpenAPI SSOT (swaggo-generated); BYOK provider/model derive from the providers registry SSOT.
  • Migration 20260607000000_user_tasks.

Pending CTO sign-off: docs/design/rfc-user-tasks.md introduces a new DB primitive; sign-off + tier label required before the full SOP gate.

🤖 Generated with Claude Code


SOP Checklist

Comprehensive testing performed

Go suite — all workspace-server/ packages ok, 0 fail. Canvas vitest — 3358 passed / 3 skipped. Priv-esc paths covered by TestRegister_RejectsFreshPlatformKind (403), TestRegister_RejectsPlatformPromotion (403), TestRegister_AllowsAlreadyPlatformReRegister (200), and the Postgres-gated TestIntegration_PlatformKind_SecondRootRejected. Kind/topology by stripPlatformRootForMap tests; the DisplayTab noVNC-paste race by a deterministic wait-for-connect test. CI / all-required green on e6b6ec51.

Local-postgres E2E run

Handlers Postgres Integration green on e6b6ec51 (run 270450): real Postgres replays the migrations including this PR's new 20260607000000_one_platform_root.up.sql and runs TestIntegration_PlatformKind_SecondRootRejected — a second parentless kind='platform' row is rejected by uniq_workspaces_one_platform_root (23505), proving the priv-esc DB backstop.

Staging-smoke verified or pending

Scheduled post-merge. The concierge staging-e2e jobs e2e-staging-concierge-{creates-workspace,platform,user-tasks} in .gitea/workflows/e2e-staging-saas.yml run only on push-to-main / workflow_dispatch / cron (never on pull_request); the PR path uses the -compile-skip stub. They run on merge to main.

Root-cause not symptom

(a) Priv-esc — root cause: POST /registry/register upserted caller-supplied kind while the only DB guard (workspaces_platform_root_check) bounded parent-ness, not cardinality (it permits multiple parentless platform roots); fixed at the mechanism with a partial unique index plus an app-layer Register guard (403 on create/promote), not a symptom patch. (b) DisplayTab flake — root cause: the test fired paste before the async connect() set rfbRef.current; fixed by awaiting the RFB constructor, not a retry. (c) Coverage "OOM" — disproved by measuring peak process-tree RSS (1.33 GB, no OOM); the earlier double-run patch was reverted to a single vitest run --coverage.

Five-Axis review walked

Correctness: kind plumbing consistent Go↔TS, security/gating tests green. Readability: matches surrounding style, threat-tied comments. Architecture: kind is a pure SSOT discriminator (org stays the parent_id-chain root via org_scope.go), no new org concept. Security: priv-esc found+fixed+verified, org-MCP gating locked by TestApplyConciergeProvisionConfig_OnlyPlatformGetsOrgMCP, no secret logging, user_tasks workspace-ownership-scoped. Performance: kind probe is a cold-path PK lookup with covering indexes; LOW follow-up: per-turn executor config re-read.

No backwards-compat shim / dead code added

No. No commented-out code, no _old/_v2/.bak, zero file deletions, all new symbols wired in; the refactors remove redundancy (PlatformBillingSection, the name-regex platformRoot fallback) and collapse 'platform' literals into SSOT constants. The only "compat" surface is the migrations, which are proper additive backward-compatible schema evolution (kind default 'workspace', CHECK added NOT VALID then validated, IF NOT EXISTS), not a shim.

Memory consulted

feedback_no_such_thing_as_flakes (named the DisplayTab race mechanism, didn't re-run); feedback_follow_dev_sop_phase1_evidence_first (measured coverage RSS before acting); don't-just-patch (reverted the misdiagnosed coverage split); SSOT discipline (reference_providers_runtime_matrix_ssot: kind SSOT marker, registry-derived providers, single coverage invocation); feedback_comprehensive_tests_and_e2e_for_llm; feedback_build_integration_tag_before_push (ran the integration build); security-review-acted-on (defense-in-depth priv-esc fix).

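The priv-esc root cause and its two-layer fix (the app-layer Register guard plus the partial unique index backstop), together with the self-host boot-seed that remains the one legitimate way a kind='platform' root comes into existence, as an added example in Go. This is illustrative code written for this page, not the workspace-server handler or migration; the Workspace/RegisterRequest types, the in-memory Store, the label "SeedPlatformRoot", the DDL text and the HTTP status mapping are all assumptions, and only the decision table (403 on fresh create or promotion, 200 on an already-platform re-register, 23505 on a second parentless root) comes from the PR.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Kind discriminator values. The PR collapses 'platform' literals into SSOT
// constants; these two names are assumptions for this example.
const (
	KindWorkspace = "workspace"
	KindPlatform  = "platform"
)

// Workspace is a minimal model: an ID, an optional parent (empty = parentless
// org root) and the kind discriminator.
type Workspace struct {
	ID       string
	ParentID string
	Kind     string
}

// RegisterRequest is what a caller can send to POST /registry/register.
// The vulnerable handler upserted Kind straight from this body.
type RegisterRequest struct {
	ID       string
	ParentID string
	Kind     string
}

// OnePlatformRootDDL is an illustrative rendering of the DB backstop: a partial
// unique index that allows at most one parentless kind='platform' row. The real
// migration text is not on the page.
const OnePlatformRootDDL = `
CREATE UNIQUE INDEX IF NOT EXISTS uniq_workspaces_one_platform_root
    ON workspaces (kind)
    WHERE parent_id IS NULL AND kind = 'platform';`

// ErrUniqueViolation stands in for Postgres SQLSTATE 23505.
var ErrUniqueViolation = errors.New("SQLSTATE 23505: duplicate key value violates unique constraint \"uniq_workspaces_one_platform_root\"")

// Store is an in-memory stand-in for the workspaces table that enforces the
// cardinality rule of the index above (a parent-ness CHECK alone would not).
type Store struct{ rows map[string]Workspace }

func NewStore() *Store { return &Store{rows: map[string]Workspace{}} }

func (s *Store) Get(id string) (Workspace, bool) {
	w, ok := s.rows[id]
	return w, ok
}

// Upsert rejects a second parentless platform row with a different ID exactly
// as the partial unique index would.
func (s *Store) Upsert(w Workspace) error {
	if w.ParentID == "" && w.Kind == KindPlatform {
		for id, r := range s.rows {
			if id != w.ID && r.ParentID == "" && r.Kind == KindPlatform {
				return ErrUniqueViolation
			}
		}
	}
	s.rows[w.ID] = w
	return nil
}

// Register is the hardened app-layer guard. Decision table:
//   fresh row asking for kind=platform            -> 403
//   existing non-platform asking for platform     -> 403 (promotion)
//   existing platform re-registering as platform  -> 200
//   everything else                               -> upsert; the index is the backstop
func Register(s *Store, req RegisterRequest) (int, error) {
	kind := req.Kind
	if kind == "" {
		kind = KindWorkspace // column default
	}
	existing, found := s.Get(req.ID)
	if kind == KindPlatform {
		if !found {
			return http.StatusForbidden, errors.New("register: kind=platform cannot be created by callers")
		}
		if existing.Kind != KindPlatform {
			return http.StatusForbidden, errors.New("register: promotion to kind=platform is not allowed")
		}
	}
	// Assumed hardening: a re-register never changes the kind of an existing
	// platform row, so a caller cannot demote the root either.
	if found && existing.Kind == KindPlatform {
		kind = KindPlatform
	}
	if err := s.Upsert(Workspace{ID: req.ID, ParentID: req.ParentID, Kind: kind}); err != nil {
		if errors.Is(err, ErrUniqueViolation) {
			return http.StatusConflict, err
		}
		return http.StatusInternalServerError, err
	}
	return http.StatusOK, nil
}

// SeedPlatformRoot models the self-host boot seed (MOLECULE_SEED_PLATFORM_AGENT):
// trusted server-side code, so it bypasses Register, but the index still caps
// it at one root.
func SeedPlatformRoot(s *Store, id string) error {
	return s.Upsert(Workspace{ID: id, Kind: KindPlatform})
}

func main() {
	s := NewStore()
	fmt.Println("seed root:       ", SeedPlatformRoot(s, "org-root"))
	fmt.Println("seed second root:", SeedPlatformRoot(s, "evil-root"))
	code, err := Register(s, RegisterRequest{ID: "ws-1", ParentID: "org-root", Kind: KindPlatform})
	fmt.Println("fresh platform:  ", code, err)
	code, err = Register(s, RegisterRequest{ID: "ws-1", ParentID: "org-root"})
	fmt.Println("fresh workspace: ", code, err)
	code, err = Register(s, RegisterRequest{ID: "ws-1", ParentID: "org-root", Kind: KindPlatform})
	fmt.Println("promotion:       ", code, err)
	code, err = Register(s, RegisterRequest{ID: "org-root", Kind: KindPlatform})
	fmt.Println("root re-register:", code, err)
}
```

The guard and the index are deliberately redundant: the guard gives callers a clean 403 and keeps the org-MCP gating decision in one place, while the index catches any code path that writes the table without going through Register.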
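The provisioner cross-reap fix (managed-container labels namespaced per platform instance) as an added example in Go, written for this page and not taken from the project's provisioner. The label keys, the Container type, the orphan rule (a managed container whose workspace ID is unknown to this instance) and the sample host are all assumptions; the page only states that co-resident platforms could reap each other's containers before the labels were namespaced.

```go
package main

import (
	"fmt"
	"sort"
)

// Label keys are assumptions for this example.
const (
	LabelManaged   = "moleculesai.managed"
	LabelInstance  = "moleculesai.instance"
	LabelWorkspace = "moleculesai.workspace"
)

// Container is a constructed stand-in for a container as listed by the Docker API.
type Container struct {
	ID     string
	Labels map[string]string
}

// ManagedLabels is what a provisioner stamps on every container it creates.
// Pre-fix it stamped only the managed and workspace labels; the instance label
// is the namespacing fix.
func ManagedLabels(instanceID, workspaceID string) map[string]string {
	return map[string]string{
		LabelManaged:   "true",
		LabelInstance:  instanceID,
		LabelWorkspace: workspaceID,
	}
}

// DockerListFilter renders the label filters a scoped reaper passes to the
// container-list call, so the daemon never even returns another instance's
// containers (docker ps --filter label=k=v syntax).
func DockerListFilter(instanceID string) []string {
	return []string{
		"label=" + LabelManaged + "=true",
		"label=" + LabelInstance + "=" + instanceID,
	}
}

// OrphansUnscoped is the pre-fix selection: every managed container whose
// workspace this instance does not know is treated as an orphan. On a host
// shared by two platforms, every container of the other platform is unknown
// here, so it would be reaped.
func OrphansUnscoped(all []Container, known map[string]bool) []string {
	var out []string
	for _, c := range all {
		if c.Labels[LabelManaged] != "true" {
			continue
		}
		if !known[c.Labels[LabelWorkspace]] {
			out = append(out, c.ID)
		}
	}
	sort.Strings(out)
	return out
}

// OrphansScoped is the post-fix selection: only containers stamped with this
// instance's ID are candidates. A missing or foreign instance label means
// "not mine", even if the container looks orphaned from here.
func OrphansScoped(all []Container, instanceID string, known map[string]bool) []string {
	var out []string
	for _, c := range all {
		if c.Labels[LabelManaged] != "true" || c.Labels[LabelInstance] != instanceID {
			continue
		}
		if !known[c.Labels[LabelWorkspace]] {
			out = append(out, c.ID)
		}
	}
	sort.Strings(out)
	return out
}

// SampleHost is a constructed container list: two co-resident platform
// instances (alpha, beta), one pre-fix container with no instance label, and
// one unrelated container.
func SampleHost() []Container {
	return []Container{
		{ID: "a1", Labels: ManagedLabels("alpha", "ws-a-1")},
		{ID: "a2", Labels: ManagedLabels("alpha", "ws-a-stale")}, // alpha deleted this workspace
		{ID: "b1", Labels: ManagedLabels("beta", "ws-b-1")},
		{ID: "legacy", Labels: map[string]string{LabelManaged: "true", LabelWorkspace: "ws-old"}},
		{ID: "postgres", Labels: map[string]string{"com.example.role": "db"}},
	}
}

func main() {
	known := map[string]bool{"ws-a-1": true} // alpha's current workspace table
	fmt.Println("unscoped:", OrphansUnscoped(SampleHost(), known))  // [a2 b1 legacy]
	fmt.Println("scoped:  ", OrphansScoped(SampleHost(), "alpha", known)) // [a2]
	fmt.Println("filter:  ", DockerListFilter("alpha"))
}
```

Note the choice for the legacy container: a reaper that cannot attribute a container to itself leaves it alone rather than guessing, which is the conservative default for a destructive action; migrating pre-fix containers is then an explicit, one-off step.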
devops-engineer added 1 commit 2026-06-07 02:44:19 +00:00
feat(canvas): Org Concierge design tokens + typography (Phase A)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / Python Lint & Test (pull_request) Successful in 4s
CI / Detect changes (pull_request) Successful in 10s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 4s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 11s
E2E Chat / detect-changes (pull_request) Successful in 9s
Harness Replays / detect-changes (pull_request) Successful in 6s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 7s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
E2E API Smoke Test / detect-changes (pull_request) Successful in 15s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
qa-review / approved (pull_request_target) Failing after 4s
gate-check-v3 / gate-check (pull_request_target) Successful in 4s
CI / Platform (Go) (pull_request) Successful in 8s
E2E Chat / E2E Chat (pull_request) Successful in 3s
sop-checklist / review-refire (pull_request_target) Has been skipped
Harness Replays / Harness Replays (pull_request) Successful in 1s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s
security-review / approved (pull_request_target) Failing after 9s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 13s
sop-tier-check / tier-check (pull_request_target) Failing after 5s
sop-checklist / all-items-acked (pull_request_target) Successful in 11s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m1s
CI / Canvas (Next.js) (pull_request) Successful in 6m20s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / all-required (pull_request) Successful in 2s
d5910dc3b2
Reskin the tenant canvas to the Org Concierge concept via its existing
--color-* token layer (no logic/layout change):
  - purple accent (#7c3aed light / #a78bfa dark) replacing blue, across the
    warm-paper @theme set + the always-dark node tokens (--color-accent-dim/
    --color-plasma);
  - near-black dark surfaces + warm-paper light matching the concept; state
    colors retuned (light AA-safe, dark uses concept values);
  - swap Inter -> Hanken Grotesk via next/font (JetBrains Mono already present),
    wired to the --font-sans/--font-mono tokens; updated the mobile palette +
    the next/font test mock accordingly.

Canvas build green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
devops-engineer added 1 commit 2026-06-07 02:54:22 +00:00
feat(canvas): node card brand colors -> tokens (Phase C, partial)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 8s
CI / Python Lint & Test (pull_request) Successful in 5s
E2E API Smoke Test / detect-changes (pull_request) Successful in 11s
E2E Chat / detect-changes (pull_request) Successful in 9s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 9s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 9s
Harness Replays / detect-changes (pull_request) Successful in 7s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
gate-check-v3 / gate-check (pull_request_target) Successful in 5s
CI / Detect changes (pull_request) Successful in 47s
qa-review / approved (pull_request_target) Failing after 4s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 5s
sop-tier-check / tier-check (pull_request_target) Failing after 5s
security-review / approved (pull_request_target) Failing after 24s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6s
E2E Chat / E2E Chat (pull_request) Successful in 5s
CI / Platform (Go) (pull_request) Successful in 1s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
Harness Replays / Harness Replays (pull_request) Successful in 7s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 10s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m30s
CI / Canvas (Next.js) (pull_request) Failing after 6m13s
CI / Canvas Deploy Status (pull_request) Has been skipped
CI / all-required (pull_request) Has been skipped
bc9c930d7c
WorkspaceNode mixed the design tokens (which Phase A re-skinned to purple) with
hardcoded brand colors Phase A can't reach. Replace those: blue-300/400/500 ->
accent (purple), hover:border-zinc-500 -> border-ink-soft, ring-offset-zinc-950
-> ring-offset-surface. Emerald (drag-target/online) + black shadows are
semantic and kept. The agent card now reads purple/token-based like the concept.

Build green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
devops-engineer added 1 commit 2026-06-07 04:35:06 +00:00
feat(canvas): node card to concept layout — role/model pills, status line, queued (Phase C)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s
E2E Chat / detect-changes (pull_request) Successful in 6s
CI / Python Lint & Test (pull_request) Successful in 18s
CI / Detect changes (pull_request) Successful in 20s
Harness Replays / detect-changes (pull_request) Successful in 6s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 6s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s
sop-checklist / review-refire (pull_request_target) Has been skipped
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
qa-review / approved (pull_request_target) Failing after 7s
sop-checklist / all-items-acked (pull_request_target) Successful in 7s
gate-check-v3 / gate-check (pull_request_target) Successful in 8s
sop-tier-check / tier-check (pull_request_target) Failing after 7s
E2E Chat / E2E Chat (pull_request) Successful in 3s
CI / Platform (Go) (pull_request) Successful in 2s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
Harness Replays / Harness Replays (pull_request) Successful in 1s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
security-review / approved (pull_request_target) Failing after 17s
E2E API Smoke Test / detect-changes (pull_request) Successful in 36s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m9s
CI / Canvas (Next.js) (pull_request) Successful in 6m14s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / all-required (pull_request) Successful in 56s
0e0fc210b5
Restyle WorkspaceNode to match the Org Concierge concept (style-only, no logic):
  - header right: model pill (Opus/Sonnet/Haiku, shortened from agent_card.model;
    falls back to tier badge);
  - role pill (uppercase, accent-bordered) — platform root shows PLATFORM·ROOT;
    REMOTE marker kept for external runtimes;
  - status line (uppercase, status-toned) with '· N AGENTS' for parents + a
    'N queued' pill (from activeTasks); removed the old duplicate status/tasks
    footer row.

Updated the 5 presentational tests to the new card (status now shown for online,
queued not tasks, agent-count in status, role pill not runtime pill). All 51
WorkspaceNode tests pass; build green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 05:00:00 +00:00
feat(canvas): system-controlled workspace sizing, remove free-resize
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / Python Lint & Test (pull_request) Successful in 5s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 11s
CI / Detect changes (pull_request) Successful in 13s
E2E API Smoke Test / detect-changes (pull_request) Successful in 12s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s
Harness Replays / detect-changes (pull_request) Successful in 9s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 13s
E2E Chat / detect-changes (pull_request) Successful in 23s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 8s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 24s
CI / Platform (Go) (pull_request) Successful in 16s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 5s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s
Harness Replays / Harness Replays (pull_request) Successful in 1s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 19s
gate-check-v3 / gate-check (pull_request_target) Successful in 7s
qa-review / approved (pull_request_target) Failing after 4s
E2E Chat / E2E Chat (pull_request) Successful in 2s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1s
sop-checklist / review-refire (pull_request_target) Has been skipped
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 4s
security-review / approved (pull_request_target) Failing after 6s
sop-tier-check / tier-check (pull_request_target) Failing after 5s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 59s
CI / Canvas (Next.js) (pull_request) Successful in 6m19s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / all-required (pull_request) Successful in 1s
bac1dc0701
Workspace container size + shape are now determined by the system instead
of being user-resizable:

- Remove the NodeResizer drag handles from WorkspaceNode (no more
  edge/corner free-resize).
- Remove the Cmd/Ctrl+Arrow keyboard resize shortcut (and its now-unused
  helper/imports) — it was the keyboard equivalent of free-resize.
- Render leaf cards at the layout engine's grid dimensions
  (w-240 x min-h-130 = CHILD_DEFAULT_WIDTH/HEIGHT) so they sit cleanly in
  their computed slots and are uniform; parents keep growing to fit their
  children via growParentsToFitChildren.

Sizes were never persisted server-side, so leaves are always content-
measured from their fixed-size CSS and parents recompute each load — fully
deterministic, no stale user-resized dimensions.

Tests: replace the keyboard-resize assertions with a negative test proving
Cmd/Ctrl+Arrow no longer emits a dimensions change. Full suite green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 05:47:54 +00:00
feat(canvas): Home/Map two-tab shell + bigger uniform workspace cards
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 10s
CI / Python Lint & Test (pull_request) Successful in 9s
E2E API Smoke Test / detect-changes (pull_request) Successful in 7s
E2E Chat / detect-changes (pull_request) Successful in 8s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 7s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s
CI / Detect changes (pull_request) Successful in 14s
Harness Replays / detect-changes (pull_request) Successful in 6s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
E2E Chat / E2E Chat (pull_request) Successful in 3s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 13s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 14s
sop-checklist / review-refire (pull_request_target) Has been skipped
security-review / approved (pull_request_target) Failing after 7s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 14s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 8s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
qa-review / approved (pull_request_target) Failing after 19s
gate-check-v3 / gate-check (pull_request_target) Successful in 21s
Harness Replays / Harness Replays (pull_request) Successful in 2s
sop-tier-check / tier-check (pull_request_target) Failing after 27s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m2s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m19s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m11s
CI / Platform (Go) (pull_request) Successful in 6m9s
CI / Canvas (Next.js) (pull_request) Successful in 6m21s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / all-required (pull_request) Successful in 2s
c4713bafa7
Two top-level views, switchable from a Home/Map control (top-left):

- Home — the Org Concierge view: chat with the platform agent (the
  org-root, kind='platform' workspace) plus a left Agents rail showing the
  org hierarchy with status dots. Reuses the existing ChatTab (history +
  socket + send), so it's a real conversation, not a mock. Resolves the
  platform agent via GET /registry/platform-agent with a root-node
  fallback so it works on stacks without the resolver.
- Map — the existing node-graph canvas (unchanged), default view.

State: new `topView` ('home' | 'map') + `setTopView` on the canvas store.

Bigger, uniform workspace cards (per design): leaves now render at the
layout grid size — bumped CHILD_DEFAULT_WIDTH/HEIGHT 240x130 -> 300x176
(frontend + the Go mirror in org.go, kept in lockstep) — with roomier
padding and larger name/pill/status typography. Parents still grow to fit
their children. This makes the canvas read as deliberately sized rather
than cramped auto-size.

Tests: add TopViewTabs.test (renders + switches the store view). Re-base
the layout-math assertions in canvas-topology-pure.test and DropTargetBadge
on the size constants so they track the card size instead of drifting on a
future resize. Full suite green (3342 passed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 06:05:30 +00:00
feat(canvas): faithful Org Concierge shell (rail + topbar + home + map)
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s
CI / Python Lint & Test (pull_request) Successful in 4s
CI / Detect changes (pull_request) Successful in 8s
Harness Replays / detect-changes (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
sop-checklist / review-refire (pull_request_target) Has been skipped
qa-review / approved (pull_request_target) Failing after 5s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
security-review / approved (pull_request_target) Failing after 5s
sop-checklist / all-items-acked (pull_request_target) Successful in 5s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
sop-tier-check / tier-check (pull_request_target) Failing after 5s
Harness Replays / Harness Replays (pull_request) Successful in 1s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 18s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 21s
E2E Chat / detect-changes (pull_request) Successful in 24s
gate-check-v3 / gate-check (pull_request_target) Successful in 18s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 24s
E2E API Smoke Test / detect-changes (pull_request) Successful in 25s
E2E Chat / E2E Chat (pull_request) Successful in 13s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m27s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m0s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m25s
ci-arm64-advisory / fast-checks (pull_request) Has been cancelled
CI / Platform (Go) (pull_request) Has been cancelled
CI / Canvas Deploy Status (pull_request) Has been cancelled
CI / all-required (pull_request) Has been cancelled
CI / Canvas (Next.js) (pull_request) Has been cancelled
f22f715756
Rebuild the concierge UI to match the molecule-concierge-v1 concept instead
of the earlier approximation. New app shell (ConciergeShell) ported from the
concept's HTML/CSS into a scoped CSS module so its generic class names can't
collide with the rest of the app:

- Left ICON RAIL — Home / Org map / Settings (collapsible, Molecule mark).
- TOPBAR — org selector + search / notifications / theme toggle / avatar.
- HOME view — Agents / Tasks / Approvals sidebar (live agent TREE built from
  the canvas nodes, with avatars, role, status dot, queue count and
  connector lines) + Recent activity, beside a concierge CHAT with the
  concept's ACTION cards (workspace / schedule) and the amber APPROVAL
  REQUIRED card + composer.
- ORG MAP view — the existing live <Canvas/> (node graph), unchanged.
- SETTINGS view — placeholder.

Default top-level view is now Home (concierge-first, matching the concept).
Replaces the earlier ConciergeHome + TopViewTabs (removed). Chat/tasks/
approvals content is the concept's demo conversation for now — the agent
tree and org map are live; live concierge chat follows with BYOK.

Full suite green (3338 passed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 06:09:00 +00:00
fix(canvas): no nested <button> in concierge agent rows
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 8s
E2E API Smoke Test / detect-changes (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s
CI / Detect changes (pull_request) Successful in 9s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 9s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
sop-checklist / review-refire (pull_request_target) Has been skipped
qa-review / approved (pull_request_target) Failing after 6s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 13s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 14s
Harness Replays / detect-changes (pull_request) Successful in 13s
sop-checklist / all-items-acked (pull_request_target) Successful in 7s
sop-tier-check / tier-check (pull_request_target) Failing after 7s
Harness Replays / Harness Replays (pull_request) Successful in 2s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 32s
security-review / approved (pull_request_target) Failing after 24s
gate-check-v3 / gate-check (pull_request_target) Successful in 26s
E2E Chat / detect-changes (pull_request) Successful in 32s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 18s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
E2E Chat / E2E Chat (pull_request) Successful in 5s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 58s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m2s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3m50s
CI / Platform (Go) (pull_request) Successful in 4m20s
CI / Canvas (Next.js) (pull_request) Successful in 6m50s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / all-required (pull_request) Successful in 5s
455bf4a0b3
The agent row was a <button> with the expand/collapse caret <button> nested
inside it — invalid HTML that triggered a hydration error. Make the row a
<div role="button"> with keyboard (Enter/Space) activation so the caret can
stay an independent button.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 2 commits 2026-06-07 06:25:24 +00:00
The live canvas's overlays (Toolbar, Legend, Communications pill, New
Workspace, minimap) use position:fixed and were anchoring to the viewport,
so they overlapped the concierge rail + topbar. Give the canvas mount a
transform so it becomes the containing block for those fixed descendants —
they now anchor to the map view area instead of the viewport.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
feat(canvas): wire concierge home to real backend data
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 3s
CI / Python Lint & Test (pull_request) Successful in 3s
CI / Detect changes (pull_request) Successful in 5s
E2E API Smoke Test / detect-changes (pull_request) Successful in 6s
E2E Chat / detect-changes (pull_request) Successful in 6s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
Harness Replays / detect-changes (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 14s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
gate-check-v3 / gate-check (pull_request_target) Successful in 5s
qa-review / approved (pull_request_target) Failing after 4s
sop-checklist / review-refire (pull_request_target) Has been skipped
security-review / approved (pull_request_target) Failing after 3s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 4s
sop-tier-check / tier-check (pull_request_target) Failing after 4s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s
E2E Chat / E2E Chat (pull_request) Successful in 2s
Harness Replays / Harness Replays (pull_request) Successful in 1s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m1s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m21s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m29s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 2m15s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m13s
CI / Platform (Go) (pull_request) Successful in 4m2s
CI / Canvas (Next.js) (pull_request) Successful in 6m23s
CI / Canvas Deploy Status (pull_request) Successful in 2s
CI / all-required (pull_request) Successful in 2s
b92dc7895c
Replace the concept's demo content in the concierge Home with live data:

- CHAT — new ConciergeChat reuses the real chat plumbing (useChatHistory +
  useChatSend → /workspaces/:id/a2a + useChatSocket) pointed at the platform
  agent, rendered in the concept style. Empty → greeting; composer is
  status-aware (disabled/annotated when the agent isn't online).
- RECENT ACTIVITY — GET /workspaces/:platformId/activity (real rows).
- APPROVALS — GET /approvals/pending + decide via
  POST /workspaces/:wsId/approvals/:id/decide (real, with the tab count).
- TASKS — GET /workspaces/:platformId/schedules for now (the tab count is
  live). NOTE: this is interim — "Tasks" is meant to be agent→user asks,
  which has no backend yet; tracked separately.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 06:58:44 +00:00
feat(user-tasks): agent→user action requests primitive + concierge wiring
CI / Python Lint & Test (pull_request) Successful in 3s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s
E2E API Smoke Test / detect-changes (pull_request) Successful in 5s
Harness Replays / detect-changes (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 7s
CI / Detect changes (pull_request) Successful in 12s
E2E Chat / detect-changes (pull_request) Successful in 12s
qa-review / approved (pull_request_target) Failing after 5s
Check migration collisions / Migration version collision check (pull_request) Successful in 17s
sop-checklist / review-refire (pull_request_target) Has been skipped
gate-check-v3 / gate-check (pull_request_target) Successful in 5s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
Harness Replays / Harness Replays (pull_request) Successful in 1s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 1s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s
sop-tier-check / tier-check (pull_request_target) Failing after 5s
E2E Chat / E2E Chat (pull_request) Successful in 3s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 23s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 19s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
security-review / approved (pull_request_target) Failing after 19s
sop-checklist / all-items-acked (pull_request_target) Successful in 17s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 59s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 3m2s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 4s
ci-arm64-advisory / fast-checks (pull_request) Has been cancelled
CI / Platform (Go) (pull_request) Has been cancelled
CI / Canvas Deploy Status (pull_request) Has been cancelled
CI / all-required (pull_request) Has been cancelled
CI / Canvas (Next.js) (pull_request) Has been cancelled
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Has been cancelled
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3m5s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3m29s
3a6f447874
New `user_tasks` primitive — things an agent asks the *user* to do (e.g.
"Review the draft"). Any workspace can raise one; they surface in the
concierge Home Tasks list org-wide. Mirrors the approvals subsystem.

Backend (workspace-server):
- migration 20260607000000_user_tasks (id, workspace_id, title, detail,
  status pending|done|dismissed, timestamps).
- handlers/user_tasks.go — Create (POST /workspaces/:id/user-tasks),
  ListAll (GET /user-tasks/pending, AdminAuth, cross-workspace),
  Resolve (POST /workspaces/:id/user-tasks/:taskId/resolve done|dismissed).
- events USER_TASK_REQUESTED / USER_TASK_RESOLVED (+ drift-test snapshot).
- router wiring mirroring the approvals auth split.
- MCP tool `request_user_action(title, detail?)` on the in-workspace a2a
  bridge — available to EVERY agent, not gated like send_message_to_user.
- user_tasks_test.go (create/resolve happy + validation paths).

Canvas: concierge Home Tasks tab now reads /user-tasks/pending (org-wide)
with Done/Dismiss → resolve, replacing the interim schedules wiring; live
tab count.

Design SSOT: docs/design/rfc-user-tasks.md.
Follow-up (next commit): workspace-scoped read/update/delete of own tasks.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 07:02:06 +00:00
feat(user-tasks): workspace-scoped read/update/delete of own tasks
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / Detect changes (pull_request) Successful in 6s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 14s
Check migration collisions / Migration version collision check (pull_request) Successful in 14s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 15s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 7s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 3s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
CI / Python Lint & Test (pull_request) Successful in 18s
E2E Chat / detect-changes (pull_request) Successful in 17s
E2E API Smoke Test / detect-changes (pull_request) Successful in 18s
Harness Replays / detect-changes (pull_request) Successful in 11s
sop-checklist / review-refire (pull_request_target) Has been skipped
gate-check-v3 / gate-check (pull_request_target) Successful in 3s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 17s
qa-review / approved (pull_request_target) Failing after 17s
sop-checklist / all-items-acked (pull_request_target) Successful in 16s
security-review / approved (pull_request_target) Failing after 17s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 4s
sop-tier-check / tier-check (pull_request_target) Failing after 20s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m5s
E2E Chat / E2E Chat (pull_request) Successful in 2s
Harness Replays / Harness Replays (pull_request) Successful in 2s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 53s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 2m24s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3m21s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3m30s
CI / Platform (Go) (pull_request) Successful in 3m53s
CI / Canvas (Next.js) (pull_request) Successful in 7m22s
CI / Canvas Deploy Status (pull_request) Successful in 2s
CI / all-required (pull_request) Successful in 1s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Has been cancelled
6a87864176
A workspace can now manage the asks it raised (not just create them),
mirroring how it would manage its own resources:

REST (WorkspaceAuth, scoped by workspace_id so an agent only touches tasks
it raised):
- GET    /workspaces/:id/user-tasks            — list own tasks (any status)
- PATCH  /workspaces/:id/user-tasks/:taskId    — update own {title,detail,status}
- DELETE /workspaces/:id/user-tasks/:taskId    — delete own task

MCP (in-workspace a2a bridge, available to every agent):
- list_user_tasks()                            — read own asks + status
- update_user_task(user_task_id, title?, detail?, status?)
- delete_user_task(user_task_id)

These complement the existing request_user_action (create) and the user-side
/resolve. Confirms the design: any workspace (not just platform) can create
and manage tasks; the Home list stays org-wide. Handler tests cover
list/update/delete (+ not-found). go build + vet clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
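Both user_tasks commits above turn on one authorization property: a workspace token may create and edit only the asks that workspace raised, while the org-wide pending list sits behind AdminAuth. The handler below is an added example written for this page, not the project's handlers/user_tasks.go; it assumes a constructed bearer shape (`ws:<workspace_id>` standing in for WorkspaceAuth, `admin:<secret>` for AdminAuth), an in-memory slice in place of the Postgres table, and covers only the create, PATCH-status and admin pending-list routes (own-list, DELETE and the `detail` field are left out). The point it shows is that the path's `:id` is compared with the token, and the task's `workspace_id` is checked together with the id lookup, so a task raised by another workspace is indistinguishable from a missing one.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

type UserTask struct { // mirrors the user_tasks row; Status is pending|done|dismissed
	ID          int    `json:"id"`
	WorkspaceID string `json:"workspace_id"`
	Title       string `json:"title"`
	Status      string `json:"status"`
}

var validStatus = map[string]bool{"pending": true, "done": true, "dismissed": true}

type Server struct { // constructed in-memory table in place of Postgres (single goroutine, no locking)
	tasks      []*UserTask // index+1 is the task id
	adminToken string      // constructed stand-in for the AdminAuth middleware's secret
}

func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Constructed token shape: "Bearer ws:<workspace_id>" or "Bearer admin:<secret>".
	kind, tok, _ := strings.Cut(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), ":")
	p := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
	if r.Method == http.MethodGet && len(p) == 2 && p[0] == "user-tasks" && p[1] == "pending" {
		// AdminAuth: the org-wide list never answers to a workspace token (or to an unset secret).
		if s.adminToken == "" || kind != "admin" || subtle.ConstantTimeCompare([]byte(tok), []byte(s.adminToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		pending := []UserTask{} // non-nil so an empty result encodes as [] rather than null
		for _, t := range s.tasks {
			if t.Status == "pending" {
				pending = append(pending, *t)
			}
		}
		_ = json.NewEncoder(w).Encode(pending)
		return
	}
	if len(p) < 3 || p[0] != "workspaces" || p[2] != "user-tasks" {
		http.NotFound(w, r)
		return
	}
	// WorkspaceAuth scoping: the caller must hold a workspace token naming exactly the :id in
	// the path; otherwise editing the URL would reach another workspace's collection.
	if kind != "ws" || tok == "" || p[1] != tok {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	var in struct{ Title, Status *string } // JSON keys match case-insensitively
	if r.ContentLength != 0 {
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
	}
	badStatus := in.Status != nil && !validStatus[*in.Status]
	noTitle := r.Method == http.MethodPost && (in.Title == nil || strings.TrimSpace(*in.Title) == "")
	if badStatus || noTitle {
		http.Error(w, "title required; status must be pending|done|dismissed", http.StatusBadRequest)
		return
	}
	switch {
	case len(p) == 3 && r.Method == http.MethodPost: // create an ask in the caller's own workspace
		t := &UserTask{ID: len(s.tasks) + 1, WorkspaceID: tok, Title: *in.Title, Status: "pending"}
		s.tasks = append(s.tasks, t)
		w.WriteHeader(http.StatusCreated)
		_ = json.NewEncoder(w).Encode(*t)
	case len(p) == 4 && r.Method == http.MethodPatch: // update own ask; ownership is checked together
		// with the lookup, like "WHERE id=$1 AND workspace_id=$2", so foreign and missing ids both answer 404
		id, _ := strconv.Atoi(p[3])
		if id < 1 || id > len(s.tasks) || s.tasks[id-1].WorkspaceID != tok {
			http.NotFound(w, r)
			return
		}
		if in.Status != nil {
			s.tasks[id-1].Status = *in.Status
		}
		_ = json.NewEncoder(w).Encode(*s.tasks[id-1])
	default:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	}
}

func Call(s *Server, method, path, token, body string) (int, string) { // in-process call via httptest
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() { fmt.Println(Call(&Server{}, "PATCH", "/workspaces/ws-b/user-tasks/1", "ws:ws-b", `{"status":"done"}`)) } // 404: ws-b owns no task 1
```

With this shape a request that edits the URL to another workspace's collection gets 403, and one that guesses a foreign task id under its own collection gets 404, the same answer as for an id that never existed; nothing in the response distinguishes another workspace's rows from empty space. The admin check refuses an empty configured secret outright rather than letting `admin:` match it.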
core-devops added 1 commit 2026-06-07 07:17:35 +00:00
feat(canvas): concierge Settings — BYOK opt-in for platform + relocated canvas settings
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s
CI / Detect changes (pull_request) Successful in 7s
E2E Chat / detect-changes (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 8s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 6s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
E2E API Smoke Test / detect-changes (pull_request) Successful in 11s
Check migration collisions / Migration version collision check (pull_request) Successful in 14s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
Harness Replays / detect-changes (pull_request) Successful in 9s
gate-check-v3 / gate-check (pull_request_target) Successful in 5s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 8s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s
qa-review / approved (pull_request_target) Failing after 8s
E2E Chat / E2E Chat (pull_request) Successful in 2s
sop-checklist / review-refire (pull_request_target) Has been skipped
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 4s
security-review / approved (pull_request_target) Failing after 7s
sop-tier-check / tier-check (pull_request_target) Failing after 4s
Harness Replays / Harness Replays (pull_request) Successful in 2s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 21s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 43s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m14s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m9s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m16s
CI / Platform (Go) (pull_request) Successful in 4m3s
CI / Canvas (Next.js) (pull_request) Successful in 6m31s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / all-required (pull_request) Successful in 1s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Has been cancelled
04fe77ac41
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 07:27:01 +00:00
test(e2e): comprehensive user_tasks e2e (REST + MCP) wired into e2e-api CI
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / Detect changes (pull_request) Successful in 5s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 8s
CI / Python Lint & Test (pull_request) Successful in 7s
E2E API Smoke Test / detect-changes (pull_request) Successful in 7s
E2E Chat / detect-changes (pull_request) Successful in 9s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 7s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 14s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 16s
Harness Replays / detect-changes (pull_request) Successful in 26s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 24s
Check migration collisions / Migration version collision check (pull_request) Successful in 34s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 32s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 4s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 9s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 55s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m1s
gate-check-v3 / gate-check (pull_request_target) Successful in 7s
qa-review / approved (pull_request_target) Failing after 5s
security-review / approved (pull_request_target) Failing after 5s
E2E Chat / E2E Chat (pull_request) Successful in 49s
sop-checklist / review-refire (pull_request_target) Has been skipped
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m8s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 45s
sop-checklist / all-items-acked (pull_request_target) Successful in 6s
Harness Replays / Harness Replays (pull_request) Successful in 1s
sop-tier-check / tier-check (pull_request_target) Failing after 7s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m6s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m47s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m26s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 2m14s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Has been cancelled
CI / Platform (Go) (pull_request) Successful in 7m23s
CI / Canvas (Next.js) (pull_request) Successful in 7m54s
CI / Canvas Deploy Status (pull_request) Successful in 3s
CI / all-required (pull_request) Successful in 12s
3d0439503c
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 07:39:13 +00:00
fix(cors): allow X-Confirm-Name header (workspace-delete confirmation)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 12s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s
CI / Detect changes (pull_request) Successful in 10s
CI / Python Lint & Test (pull_request) Successful in 6s
Check migration collisions / Migration version collision check (pull_request) Successful in 29s
E2E API Smoke Test / detect-changes (pull_request) Successful in 9s
E2E Chat / detect-changes (pull_request) Successful in 9s
Harness Replays / detect-changes (pull_request) Successful in 7s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 11s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 13s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 6s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 34s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 14s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m2s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 23s
qa-review / approved (pull_request_target) Failing after 3s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m22s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 59s
sop-checklist / all-items-acked (pull_request_target) Successful in 6s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-tier-check / tier-check (pull_request_target) Failing after 5s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m20s
security-review / approved (pull_request_target) Failing after 32s
gate-check-v3 / gate-check (pull_request_target) Successful in 47s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 15s
E2E Chat / E2E Chat (pull_request) Successful in 3s
Harness Replays / Harness Replays (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m0s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 2m22s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m14s
CI / Platform (Go) (pull_request) Successful in 4m6s
CI / Canvas (Next.js) (pull_request) Successful in 6m6s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / all-required (pull_request) Successful in 2s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Has been cancelled
d1215a84c4
The destructive workspace-delete guard requires an X-Confirm-Name header
(workspace_crud.go), but it was missing from the CORS AllowHeaders, so the
canvas's preflight was blocked ("Request header field x-confirm-name is not
allowed by Access-Control-Allow-Headers"). Add it to the allowlist.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
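The preflight failure quoted in the commit is the browser's check, not the server's: the canvas asks, via Access-Control-Request-Headers, whether it may send X-Confirm-Name, and any name missing from the Access-Control-Allow-Headers reply means the real DELETE never leaves the browser. The Go below is an added example written for this page, not the project's CORS middleware or workspace_crud.go; it assumes a constructed allowlist, a constructed tenant origin (acme.moleculesai.app) and a constructed id-to-name table, and mirrors the browser's allowlist comparison on the server side so the allowlist before and after the fix can be exercised in-process. It also pairs the header with the guard it exists for: DELETE succeeds only when X-Confirm-Name equals the workspace's name.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AllowHeaders is a constructed preflight allowlist. The regression the commit fixes is this list
// lacking "X-Confirm-Name": the preflight reply then never grants the header and the browser drops the DELETE.
var AllowHeaders = []string{"Authorization", "Content-Type", "X-Confirm-Name"}

// HeadersAllowed mirrors the browser-side check: every name in Access-Control-Request-Headers
// must appear in the allowlist, compared case-insensitively (browsers send the names lowercased).
func HeadersAllowed(requested string, allow []string) bool {
	for _, h := range strings.Split(requested, ",") {
		if h = strings.TrimSpace(h); h == "" {
			continue
		}
		ok := false
		for _, a := range allow {
			ok = ok || strings.EqualFold(a, h)
		}
		if !ok {
			return false
		}
	}
	return true
}

// CORS answers preflights for one trusted origin and reports the allowlist. Refusing an unlisted
// header with 403 here is a constructed strictness; a browser reaches the same outcome on its side.
func CORS(origin string, allow []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") == origin {
			w.Header().Set("Access-Control-Allow-Origin", origin)
		}
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			if r.Header.Get("Origin") != origin || !HeadersAllowed(r.Header.Get("Access-Control-Request-Headers"), allow) {
				http.Error(w, "preflight refused", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PATCH, DELETE")
			w.Header().Set("Access-Control-Allow-Headers", strings.Join(allow, ", "))
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// DeleteWorkspace is the destructive guard: DELETE /workspaces/:id succeeds only when X-Confirm-Name
// echoes the workspace's name exactly (names is a constructed id->name table).
func DeleteWorkspace(names map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodDelete { // never let a safe method reach the destructive path
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		id := strings.TrimPrefix(r.URL.Path, "/workspaces/")
		name, ok := names[id]
		if !ok {
			http.NotFound(w, r)
			return
		}
		if r.Header.Get("X-Confirm-Name") != name {
			http.Error(w, "X-Confirm-Name must match the workspace name", http.StatusPreconditionFailed)
			return
		}
		delete(names, id)
		w.WriteHeader(http.StatusNoContent)
	})
}

func Preflight(h http.Handler, origin, reqHeaders string) int { // the browser's OPTIONS before a cross-origin DELETE
	req := httptest.NewRequest(http.MethodOptions, "/workspaces/ws-1", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", http.MethodDelete)
	req.Header.Set("Access-Control-Request-Headers", reqHeaders)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func Delete(h http.Handler, id, confirm string) int { // the real DELETE carrying the confirmation value
	req := httptest.NewRequest(http.MethodDelete, "/workspaces/"+id, nil)
	req.Header.Set("X-Confirm-Name", confirm)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := CORS("https://acme.moleculesai.app", AllowHeaders, DeleteWorkspace(map[string]string{"ws-1": "payroll"}))
	fmt.Println(Preflight(h, "https://acme.moleculesai.app", "authorization,x-confirm-name")) // 204: header allowlisted
	fmt.Println(Delete(h, "ws-1", "payroll"))                                                // 204: name confirmed
}
```

The same preflight against an allowlist without X-Confirm-Name is refused, which is the pre-fix symptom reproduced without a browser; the guard itself stays strict regardless of CORS, answering 412 on a wrong name and 405 on any method other than DELETE.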
core-devops added 1 commit 2026-06-07 09:18:15 +00:00
fix(canvas): SidePanel header no longer clipped behind concierge topbar
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s
CI / Python Lint & Test (pull_request) Successful in 3s
E2E Chat / detect-changes (pull_request) Successful in 7s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 14s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
E2E Chat / E2E Chat (pull_request) Successful in 4s
E2E API Smoke Test / detect-changes (pull_request) Successful in 17s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 10s
Harness Replays / detect-changes (pull_request) Successful in 17s
Check migration collisions / Migration version collision check (pull_request) Successful in 25s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 8s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 21s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 18s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m2s
gate-check-v3 / gate-check (pull_request_target) Successful in 37s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m17s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m13s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m12s
qa-review / approved (pull_request_target) Failing after 7s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m17s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m30s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
security-review / approved (pull_request_target) Failing after 12s
sop-checklist / na-declarations (pull_request) N/A: (none)
Harness Replays / Harness Replays (pull_request) Successful in 2s
sop-checklist / all-items-acked (pull_request_target) Successful in 10s
sop-tier-check / tier-check (pull_request_target) Failing after 10s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 2m13s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 5s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m24s
CI / Platform (Go) (pull_request) Successful in 4m12s
CI / Canvas (Next.js) (pull_request) Successful in 7m6s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / all-required (pull_request) Successful in 1s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Has been cancelled
4b0b56aa6a
The canvas <main> root was w-screen/h-screen (full viewport). Inside the
Org Concierge shell the canvas lives in a transformed map-mount (below the
56px topbar), and a viewport-sized root overflowed that mount — which
corrupted the containing-block resolution for the position:fixed SidePanel:
its top resolved ~25px instead of the mount top, so the workspace-name
header rendered behind the topbar (only the pills row was visible).

Switch the root to w-full/h-full so it fills the map-mount. The SidePanel
now resolves top against the mount correctly and fills the map area exactly
(header below the topbar). No magic offsets. Canvas/SidePanel tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 10:05:31 +00:00
fix(provisioner): namespace managed-container label per platform instance so co-resident platforms can't cross-reap
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s
CI / Python Lint & Test (pull_request) Successful in 3s
CI / Detect changes (pull_request) Successful in 6s
E2E Chat / detect-changes (pull_request) Successful in 6s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 6s
E2E API Smoke Test / detect-changes (pull_request) Successful in 11s
Harness Replays / detect-changes (pull_request) Successful in 5s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 6s
Check migration collisions / Migration version collision check (pull_request) Successful in 20s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 32s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 4s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 3s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 40s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m2s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m11s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
E2E Chat / E2E Chat (pull_request) Successful in 3s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m15s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 14s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m16s
sop-checklist / review-refire (pull_request_target) Has been skipped
gate-check-v3 / gate-check (pull_request_target) Successful in 7s
qa-review / approved (pull_request_target) Failing after 5s
security-review / approved (pull_request_target) Failing after 5s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
sop-tier-check / tier-check (pull_request_target) Failing after 10s
sop-checklist / all-items-acked (pull_request_target) Successful in 13s
Harness Replays / Harness Replays (pull_request) Successful in 2s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m16s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m6s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m9s
CI / Platform (Go) (pull_request) Successful in 4m2s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m31s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 6m48s
CI / Canvas (Next.js) (pull_request) Successful in 6m9s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / all-required (pull_request) Successful in 2s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Has been cancelled
9c86bd8de1
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 10:51:04 +00:00
test(e2e): mandatory local Docker-provisioner lifecycle e2e (provision/online/restart-survive/proxy) + stub runtime
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 8s
E2E API Smoke Test / detect-changes (pull_request) Successful in 8s
E2E Chat / detect-changes (pull_request) Successful in 7s
CI / Detect changes (pull_request) Successful in 12s
Harness Replays / detect-changes (pull_request) Successful in 7s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
Check migration collisions / Migration version collision check (pull_request) Successful in 24s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 15s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 17s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
E2E Chat / E2E Chat (pull_request) Successful in 31s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 30s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 13s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m0s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m0s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 57s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m3s
Harness Replays / Harness Replays (pull_request) Successful in 3s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 9s
qa-review / approved (pull_request_target) Failing after 11s
security-review / approved (pull_request_target) Failing after 10s
gate-check-v3 / gate-check (pull_request_target) Successful in 14s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request_target) Successful in 8s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
sop-tier-check / tier-check (pull_request_target) Failing after 6s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Failing after 1m40s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 2m13s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m6s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 2m9s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 2m14s
CI / Platform (Go) (pull_request) Successful in 6m57s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image, advisory) (pull_request) Failing after 6m58s
CI / Canvas (Next.js) (pull_request) Successful in 7m41s
CI / Canvas Deploy Status (pull_request) Successful in 2s
CI / all-required (pull_request) Successful in 2s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Has been cancelled
097a5a9613
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 11:09:11 +00:00
test(e2e): real-LLM lifecycle round-trip via MiniMax (cheaper) for the advisory job
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
CI / Detect changes (pull_request) Successful in 7s
E2E API Smoke Test / detect-changes (pull_request) Successful in 6s
E2E Chat / detect-changes (pull_request) Successful in 8s
CI / Python Lint & Test (pull_request) Successful in 14s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 34s
Check migration collisions / Migration version collision check (pull_request) Successful in 46s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 12s
Harness Replays / detect-changes (pull_request) Successful in 33s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 35s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Failing after 59s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 32s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 34s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 1m15s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 40s
E2E Chat / E2E Chat (pull_request) Successful in 29s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 30s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m5s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m24s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m30s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 19s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 19s
qa-review / approved (pull_request_target) Failing after 17s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m40s
gate-check-v3 / gate-check (pull_request_target) Successful in 18s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m31s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 1m51s
security-review / approved (pull_request_target) Failing after 18s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 19s
sop-tier-check / tier-check (pull_request_target) Failing after 21s
Harness Replays / Harness Replays (pull_request) Successful in 6s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 4m52s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m55s
CI / Canvas (Next.js) (pull_request) Successful in 6m21s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 7m41s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / Platform (Go) (pull_request) Successful in 8m3s
CI / all-required (pull_request) Successful in 2s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 6m58s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Failing after 15m33s
8a29dac385
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 19:39:58 +00:00
fix(canvas): suppress benign nonce hydration warning on layout scripts
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s
E2E API Smoke Test / detect-changes (pull_request) Successful in 8s
CI / Python Lint & Test (pull_request) Successful in 10s
CI / Detect changes (pull_request) Successful in 12s
E2E Chat / detect-changes (pull_request) Successful in 15s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 14s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 11s
Check migration collisions / Migration version collision check (pull_request) Successful in 26s
Harness Replays / detect-changes (pull_request) Successful in 16s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 3s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 11s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 17s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 34s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 55s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 5s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Failing after 1m5s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 57s
E2E Chat / E2E Chat (pull_request) Successful in 3s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 41s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m10s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m18s
gate-check-v3 / gate-check (pull_request_target) Successful in 8s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 27s
qa-review / approved (pull_request_target) Failing after 9s
sop-checklist / review-refire (pull_request_target) Has been skipped
security-review / approved (pull_request_target) Failing after 5s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
Harness Replays / Harness Replays (pull_request) Successful in 1s
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 17s
sop-tier-check / tier-check (pull_request_target) Failing after 17s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m14s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m9s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m27s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 3m49s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m22s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m21s
CI / Canvas (Next.js) (pull_request) Successful in 6m20s
CI / Canvas Deploy Status (pull_request) Successful in 2s
CI / Platform (Go) (pull_request) Successful in 6m52s
CI / all-required (pull_request) Successful in 1s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 7m34s
6e7918212f
The boot-theme + JSON-LD inline scripts carry the per-request CSP nonce.
Browsers strip the nonce attribute off <script> after applying CSP, so the
hydrated DOM shows nonce="" while React's tree carries the real value —
React flags a hydration mismatch on every load. It's benign (the scripts
ran, CSP applied). Add suppressHydrationWarning to both scripts (same
escape hatch already used on <html> for the pre-paint theme write).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 19:49:15 +00:00
feat(platform-agent): self-host boot-seed so the concierge auto-creates without a CP
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Check migration collisions / Migration version collision check (pull_request) Successful in 18s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
CI / Detect changes (pull_request) Successful in 11s
E2E API Smoke Test / detect-changes (pull_request) Successful in 7s
E2E Chat / detect-changes (pull_request) Successful in 5s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 56s
CI / Python Lint & Test (pull_request) Successful in 35s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 27s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 47s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 4s
Harness Replays / detect-changes (pull_request) Successful in 7s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 10s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 58s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 16s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
qa-review / approved (pull_request_target) Failing after 4s
security-review / approved (pull_request_target) Failing after 4s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Failing after 1m0s
sop-checklist / all-items-acked (pull_request_target) Successful in 4s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-tier-check / tier-check (pull_request_target) Failing after 6s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m0s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m1s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m3s
E2E Chat / E2E Chat (pull_request) Successful in 3s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 14s
gate-check-v3 / gate-check (pull_request_target) Successful in 42s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 1m22s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 1m30s
Harness Replays / Harness Replays (pull_request) Successful in 2s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m4s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m51s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m22s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m4s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m32s
CI / Platform (Go) (pull_request) Successful in 4m27s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 7m12s
CI / Canvas (Next.js) (pull_request) Successful in 6m54s
CI / Canvas Deploy Status (pull_request) Successful in 57s
CI / all-required (pull_request) Successful in 8s
550b75c1f4
In SaaS the control plane calls POST /admin/org/platform-agent at org-provision
to install the org's platform agent (concierge). Self-hosted / local has no CP,
so the platform agent was never created ("No platform agent yet").

Add EnsureSelfHostedPlatformAgent: on boot, if no kind='platform' root exists,
install one with a deterministic id (uuidv5 "molecule:self-hosted:platform-agent").
Gated on MOLECULE_SEED_PLATFORM_AGENT (set in the self-hosted docker-compose) so:
- self-hosted/local → auto-seeds the concierge (matches the SaaS experience),
- CI harnesses + SaaS tenants leave it unset → e2e empty-DB assertions
  (test_api.sh) and the CP-driven install path are unaffected.
Idempotent + best-effort (never fatal).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
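An added illustration of the boot-seed this commit describes (example code, not the project's own): a stdlib-only uuidv5 derivation, an in-memory stand-in for the tenant DB, and the gate / idempotency / best-effort behaviour the message lists. It assumes the RFC 4122 DNS namespace for the uuidv5 name and that "set" means any value other than empty, `0` or `false`; the page states neither, and the `AgentStore` type and `Len` helper are hypothetical.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"os"
	"strings"
	"sync"
)

// UUID is a 16-byte RFC 4122 identifier.
type UUID [16]byte

// NamespaceDNS is the RFC 4122 DNS namespace (6ba7b810-9dad-11d1-80b4-00c04fd430c8).
// Assumption: the page names the uuidv5 input but not its namespace.
var NamespaceDNS = UUID{0x6b, 0xa7, 0xb8, 0x10, 0x9d, 0xad, 0x11, 0xd1,
	0x80, 0xb4, 0x00, 0xc0, 0x4f, 0xd4, 0x30, 0xc8}

// String renders the canonical 8-4-4-4-12 lowercase form.
func (u UUID) String() string {
	h := hex.EncodeToString(u[:])
	return h[:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}

// UUIDv5 is RFC 4122 name-based derivation: SHA-1(namespace || name) cut to
// 16 bytes, version nibble forced to 5, variant bits forced to 10xx.
// Same namespace and name always give the same id, which is what lets the
// seed survive restarts without creating a second root.
func UUIDv5(ns UUID, name string) UUID {
	h := sha1.New()
	h.Write(ns[:])
	h.Write([]byte(name))
	var u UUID
	copy(u[:], h.Sum(nil)[:16])
	u[6] = (u[6] & 0x0f) | 0x50
	u[8] = (u[8] & 0x3f) | 0x80
	return u
}

// SelfHostedPlatformAgentName is the uuidv5 name quoted in the commit message.
const SelfHostedPlatformAgentName = "molecule:self-hosted:platform-agent"

// Agent is a minimal stand-in for an org root agent row (hypothetical shape).
type Agent struct{ ID, Kind, Name string }

// AgentStore is an in-memory stand-in for the tenant DB (hypothetical).
type AgentStore struct {
	mu     sync.Mutex
	agents map[string]Agent
}

func NewAgentStore() *AgentStore { return &AgentStore{agents: map[string]Agent{}} }

// PlatformRoot reports whether a kind='platform' root already exists.
func (s *AgentStore) PlatformRoot() (Agent, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for _, a := range s.agents {
		if a.Kind == "platform" {
			return a, true
		}
	}
	return Agent{}, false
}

// Insert rejects duplicate ids, so two racing seeders cannot double-create.
func (s *AgentStore) Insert(a Agent) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, dup := s.agents[a.ID]; dup {
		return fmt.Errorf("agent %s already exists", a.ID)
	}
	s.agents[a.ID] = a
	return nil
}

// Len is the row count, used to check the empty-DB case the CI harness relies on.
func (s *AgentStore) Len() int { s.mu.Lock(); defer s.mu.Unlock(); return len(s.agents) }

// SeedOutcome says what the seed did; it is never an error that aborts boot.
type SeedOutcome string

const (
	SeedSkippedGateUnset SeedOutcome = "skipped: MOLECULE_SEED_PLATFORM_AGENT unset"
	SeedSkippedExists    SeedOutcome = "skipped: platform root already present"
	SeedCreated          SeedOutcome = "created"
)

// gateEnabled treats "", "0" and "false" as unset (assumed semantics).
func gateEnabled(v string) bool {
	v = strings.ToLower(strings.TrimSpace(v))
	return v != "" && v != "0" && v != "false"
}

// EnsureSelfHostedPlatformAgent models the boot-seed: gated on the env var so
// CI harnesses and SaaS tenants keep an empty DB and the CP-driven install path
// stays the only writer there; idempotent via the existence check plus the
// deterministic id; best-effort because insert failures are logged, not fatal.
func EnsureSelfHostedPlatformAgent(getenv func(string) string, store *AgentStore, orgName string) SeedOutcome {
	if !gateEnabled(getenv("MOLECULE_SEED_PLATFORM_AGENT")) {
		return SeedSkippedGateUnset
	}
	if _, ok := store.PlatformRoot(); ok {
		return SeedSkippedExists
	}
	a := Agent{
		ID:   UUIDv5(NamespaceDNS, SelfHostedPlatformAgentName).String(),
		Kind: "platform",
		Name: orgName + " Agent", // "<MOLECULE_ORG_NAME> Agent" per the follow-up commit
	}
	if err := store.Insert(a); err != nil {
		fmt.Fprintf(os.Stderr, "platform-agent boot-seed: %v (continuing)\n", err)
		return SeedSkippedExists
	}
	return SeedCreated
}
```

A real implementation would back `AgentStore` with the tenant database and run the existence check and insert in one transaction, so the deterministic id is the last line of defence against a double seed rather than the first.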
core-devops added 1 commit 2026-06-07 20:20:43 +00:00
feat(platform-agent): boot-seed auto-provisions the concierge + dynamic <org> Agent name + /org/identity
CI / Python Lint & Test (pull_request) Successful in 4s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
E2E Chat / detect-changes (pull_request) Successful in 10s
CI / Detect changes (pull_request) Successful in 23s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 12s
Check migration collisions / Migration version collision check (pull_request) Successful in 34s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 16s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 37s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 6s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 46s
Harness Replays / detect-changes (pull_request) Successful in 36s
E2E Chat / E2E Chat (pull_request) Successful in 11s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 12s
ci-arm64-advisory / fast-checks (pull_request) Has been cancelled
CI / Canvas (Next.js) (pull_request) Has been cancelled
CI / Canvas Deploy Status (pull_request) Has been cancelled
CI / Platform (Go) (pull_request) Has been cancelled
CI / Shellcheck (E2E scripts) (pull_request) Has been cancelled
CI / all-required (pull_request) Has been cancelled
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Has been cancelled
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Has been cancelled
lint-required-no-paths / lint-required-no-paths (pull_request) Has been cancelled
gate-check-v3 / gate-check (pull_request_target) Has been cancelled
sop-checklist / all-items-acked (pull_request_target) Has been cancelled
sop-checklist / review-refire (pull_request_target) Has been cancelled
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 58s
sop-tier-check / tier-check (pull_request_target) Has been cancelled
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
qa-review / approved (pull_request_target) Failing after 4s
security-review / approved (pull_request_target) Failing after 4s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
Harness Replays / Harness Replays (pull_request) Successful in 1s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m39s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 1m26s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m7s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 1m48s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m52s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
53e0fa884a
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 20:22:17 +00:00
feat(canvas): SSOT provider+model BYOK for the platform agent (not hardcoded Anthropic) + dynamic topbar org name
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 13s
CI / Python Lint & Test (pull_request) Successful in 11s
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
Check migration collisions / Migration version collision check (pull_request) Successful in 14s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
E2E Chat / detect-changes (pull_request) Successful in 21s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 17s
Harness Replays / detect-changes (pull_request) Successful in 16s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 17s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 34s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 18s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 17s
gate-check-v3 / gate-check (pull_request_target) Successful in 8s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 53s
qa-review / approved (pull_request_target) Failing after 6s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 58s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Failing after 1m11s
sop-checklist / review-refire (pull_request_target) Has been skipped
security-review / approved (pull_request_target) Failing after 4s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 1m1s
sop-checklist / all-items-acked (pull_request_target) Successful in 10s
sop-tier-check / tier-check (pull_request_target) Failing after 8s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m25s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 24s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m45s
E2E Chat / E2E Chat (pull_request) Successful in 46s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m20s
Harness Replays / Harness Replays (pull_request) Successful in 10s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 6m57s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3m41s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 28s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m26s
CI / Platform (Go) (pull_request) Successful in 9m22s
CI / Canvas (Next.js) (pull_request) Successful in 9m41s
CI / Canvas Deploy Status (pull_request) Successful in 3s
CI / all-required (pull_request) Successful in 2s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m35s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 8m30s
5fbc33d78a
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 20:44:51 +00:00
fix(canvas): secrets client sends auth bearer (was 401) + collapse redundant platform-billing mode radios into the provider dropdown
Block internal-flavored paths / Block forbidden paths (pull_request) Has started running
Check migration collisions / Migration version collision check (pull_request) Has started running
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / Python Lint & Test (pull_request) Successful in 6s
CI / Detect changes (pull_request) Successful in 16s
E2E API Smoke Test / detect-changes (pull_request) Successful in 14s
E2E Chat / detect-changes (pull_request) Successful in 18s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 11s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 21s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 39s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 6s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 17s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s
E2E Chat / E2E Chat (pull_request) Successful in 3s
Harness Replays / detect-changes (pull_request) Successful in 4s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 46s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m9s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Failing after 1m2s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 3s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m2s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 59s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m23s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 11s
gate-check-v3 / gate-check (pull_request_target) Successful in 6s
qa-review / approved (pull_request_target) Failing after 6s
security-review / approved (pull_request_target) Failing after 6s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 4s
sop-checklist / review-refire (pull_request_target) Has been skipped
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 53s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m12s
Harness Replays / Harness Replays (pull_request) Successful in 1s
sop-tier-check / tier-check (pull_request_target) Failing after 7s
CI / Platform (Go) (pull_request) Successful in 4m14s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m6s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m21s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 3m46s
CI / Canvas (Next.js) (pull_request) Successful in 6m37s
CI / Canvas Deploy Status (pull_request) Successful in 2s
CI / all-required (pull_request) Successful in 2s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 6m25s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 8m25s
247848d009
secrets.ts hand-rolled its fetch headers and omitted the Authorization
bearer, so every secret write 401'd with 'missing workspace auth token'
against a workspace-server with ADMIN_TOKEN set (the SecretsTab in concierge
settings). Route it through the shared platformAuthHeaders() helper (the
#178 raw-fetch bug shape).

PlatformBillingSection: the provider dropdown already offers 'Platform' as a
platform-managed option, so the two big mode-radio banners were redundant.
Drop them — the dropdown alone drives the mode (Platform = managed/no key,
any other provider = BYOK).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 3 commits 2026-06-07 21:06:23 +00:00
Mirrors approval_requests' workspace_id FK so a deleted workspace's tasks are
reaped, not orphaned (an orphan vanishes from the home list — which JOINs
workspaces — while still showing in the owning workspace's own List). Adds the
(workspace_id, created_at DESC) index the owner-scoped List/Update/Delete + MCP
tools need. Inline in CREATE TABLE IF NOT EXISTS keeps it idempotent under the
re-apply-every-boot runner.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The runtime-surface spec is swaggo-generated (Makefile openapi-spec + the
openapi-spec-check drift gate), so the SSOT is the handler annotations, not the
yaml. Add @Router/@Summary/@Param/@Success/@Security blocks (+ named request/
response structs swaggo can introspect) for the 6 user-tasks routes and
GET /org/identity, then regenerate. Auth modeled to match the router:
WorkspaceAuth -> BearerAuth+OrgSlugAuth, the cross-workspace /user-tasks/pending
-> AdminAuth bearer, /org/identity open. Regen is idempotent (drift gate green).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci(local-provision-e2e): fix :8080 contention (red stub gate) + lint tracking directives
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / Python Lint & Test (pull_request) Successful in 4s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 8s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 9s
CI / Detect changes (pull_request) Successful in 16s
E2E API Smoke Test / detect-changes (pull_request) Successful in 15s
E2E Chat / detect-changes (pull_request) Successful in 15s
Check migration collisions / Migration version collision check (pull_request) Successful in 27s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
Harness Replays / detect-changes (pull_request) Successful in 15s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 18s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 34s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 12s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 16s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 7s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 4s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 27s
E2E Chat / E2E Chat (pull_request) Successful in 4s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m2s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m10s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m43s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m51s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 21s
qa-review / approved (pull_request_target) Failing after 12s
security-review / approved (pull_request_target) Has started running
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m43s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m11s
Harness Replays / Harness Replays (pull_request) Successful in 4s
CI / Platform (Go) (pull_request) Successful in 4m4s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m6s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m29s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 3m45s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Waiting to run
CI / Canvas (Next.js) (pull_request) Successful in 6m37s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 6s
sop-tier-check / tier-check (pull_request_target) Failing after 6s
gate-check-v3 / gate-check (pull_request_target) Successful in 8s
CI / Canvas Deploy Status (pull_request) Successful in 3s
CI / all-required (pull_request) Successful in 7s
ca50e9affb
Root cause of the red 'Local Provision Lifecycle E2E (stub)' gate: the stub +
real jobs both bind PORT=8080 with no needs: ordering, so they co-scheduled on
the shared runner and the second bind killed the server -> /health timeout (the
issue #1046 class). Add needs: lifecycle-stub (advisory still always() + non-
blocking) + a kill-stale-platform-server step to both jobs. Also satisfy the two
lint gates this workflow trips: # mc#2408 tracker on the advisory continue-on-
error lane, and # bp-required: pending #2409 on the stub emitter (reconciling the
REQUIRED-vs-bp-exempt comment contradiction).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops changed title from feat(canvas): Org Concierge redesign (WIP — A: tokens + fonts) to feat(canvas): Org Concierge — concept reskin + self-host platform-agent backend (BYOK · user-tasks · boot-provision) 2026-06-07 21:09:56 +00:00
core-devops added 1 commit 2026-06-07 21:40:22 +00:00
feat(canvas): hide the platform agent (concierge) from the org map graph
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 16s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s
CI / Python Lint & Test (pull_request) Successful in 6s
CI / Detect changes (pull_request) Successful in 11s
E2E API Smoke Test / detect-changes (pull_request) Successful in 14s
E2E Chat / detect-changes (pull_request) Successful in 11s
Check migration collisions / Migration version collision check (pull_request) Successful in 47s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 12s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 34s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 16s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s
Harness Replays / detect-changes (pull_request) Successful in 5s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 1m12s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 12s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 9s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m13s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 7s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 19s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m15s
gate-check-v3 / gate-check (pull_request_target) Successful in 8s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 58s
security-review / approved (pull_request_target) Failing after 9s
qa-review / approved (pull_request_target) Failing after 9s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request_target) Successful in 4s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 57s
sop-tier-check / tier-check (pull_request_target) Failing after 8s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Waiting to run
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m33s
E2E Chat / E2E Chat (pull_request) Successful in 6s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m13s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 21s
Harness Replays / Harness Replays (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 14s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m12s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m32s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m22s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m23s
CI / Platform (Go) (pull_request) Successful in 4m4s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 8m47s
CI / Canvas (Next.js) (pull_request) Successful in 8m13s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / all-required (pull_request) Successful in 23s
4ab16ca805
The platform agent is the undeletable org ROOT — every workspace hangs under
it — so it shouldn't be a draggable/deletable map node with a Delete affordance.
It stays surfaced as the org anchor: the shell topbar + the Home agent tree (as
ROOT). Only the Org map node-graph hides it.

- workspace-server: GET /workspaces + /workspaces/:id now return `kind`
  (COALESCE(w.kind,'workspace')) — it was a latent gap (the column existed but
  List/Get never selected it). Fixtures updated for the new column.
- canvas: stripPlatformRootForMap() drops the kind='platform' node from the map's
  React Flow input and reparents its children to top-level (relative→absolute);
  edges touching it are dropped. Toolbar workspace count excludes it.
- ConciergeShell resolves platformRoot by kind='platform' first (robust — the
  dynamic '<org> Agent' name broke the old name regex), falling back to the
  heuristic for older ws-server builds.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 2 commits 2026-06-07 21:59:30 +00:00
The Home view rendered a bespoke ConciergeChat that reimplemented (and lagged)
the map's agent chat. Render the SAME ChatTab the SidePanel uses, pointed at the
platform agent — so My Chat / Agent Comms, attachments, lazy history, markdown,
delivery-mode + restart are identical and can't drift. ChatTab takes explicit
{workspaceId, data} props (no store-selection coupling), so the map path is
unchanged. ConciergeChat removed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
feat(billing): environment-aware platform-agent billing — self-host defaults to BYOK, hides Platform
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 33s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 17s
CI / Python Lint & Test (pull_request) Successful in 11s
CI / Detect changes (pull_request) Successful in 14s
E2E API Smoke Test / detect-changes (pull_request) Successful in 11s
E2E Chat / detect-changes (pull_request) Successful in 11s
Check migration collisions / Migration version collision check (pull_request) Successful in 41s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 18s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 25s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 36s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
Harness Replays / detect-changes (pull_request) Successful in 9s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 3s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 30s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 24s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m1s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m0s
gate-check-v3 / gate-check (pull_request_target) Successful in 9s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 22s
security-review / approved (pull_request_target) Failing after 4s
qa-review / approved (pull_request_target) Failing after 5s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m15s
sop-checklist / all-items-acked (pull_request_target) Successful in 12s
sop-tier-check / tier-check (pull_request_target) Failing after 5s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m33s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 1m23s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m52s
E2E Chat / E2E Chat (pull_request) Successful in 6s
Harness Replays / Harness Replays (pull_request) Successful in 2s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 22s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 1m20s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m8s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m28s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3m9s
CI / Platform (Go) (pull_request) Successful in 4m11s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 8m30s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6m27s
CI / Canvas (Next.js) (pull_request) Successful in 6m53s
CI / Canvas Deploy Status (pull_request) Successful in 1s
CI / all-required (pull_request) Successful in 3s
be7db9e9df
platform_managed only works on SaaS (Molecule hosted LLM proxy + org-credit
ledger). A self-hosted stack has neither, so showing 'Platform / metered to org
credits' as the default was misleading. New PlatformManagedProxyConfigured()
(true iff MOLECULE_LLM_BASE_URL + MOLECULE_LLM_USAGE_TOKEN are set — the same
precondition applyPlatformManagedLLMEnv enforces). GET /org/identity now returns
platform_managed_available; the resolver's default-closed fallbacks return byok
when no proxy (SaaS paths byte-for-byte unchanged, gated strictly). Settings
hides the Platform provider + defaults BYOK + forces byok writes when
unavailable; 404 on the signal => treated as unavailable (self-host safety).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
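The default-closed rule this commit describes (platform_managed only when both proxy variables are present, otherwise byok; a 404 on the identity signal read as unavailable) is worth seeing as code. The block below is an added illustration written for this page, not the project's own resolver: the two environment variable names and the `platform_managed_available` field come from the commit message, while `Env`, `ResolveBillingMode`, `IdentityResponse`, `ClientAvailability` and `mapEnv` are assumed names for this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// BillingMode is the platform-agent LLM billing mode that Settings writes.
type BillingMode string

const (
	ModePlatformManaged BillingMode = "platform_managed"
	ModeBYOK            BillingMode = "byok"
)

// Env abstracts environment lookup so the resolver is testable offline.
// (Assumed type for this example.)
type Env func(key string) string

// OSEnv reads the real process environment.
func OSEnv(key string) string { return os.Getenv(key) }

// PlatformManagedProxyConfigured is true iff both the hosted-proxy base URL
// and the usage token are set (the precondition named in the commit message).
// Whitespace-only values are treated as unset.
func PlatformManagedProxyConfigured(env Env) bool {
	return strings.TrimSpace(env("MOLECULE_LLM_BASE_URL")) != "" &&
		strings.TrimSpace(env("MOLECULE_LLM_USAGE_TOKEN")) != ""
}

// ResolveBillingMode is default-closed: platform_managed is honored only when
// the proxy is really configured; an unset, unknown, or unavailable request
// collapses to byok rather than pointing the agent at a proxy that is not there.
func ResolveBillingMode(requested string, env Env) BillingMode {
	if BillingMode(strings.TrimSpace(requested)) == ModePlatformManaged && PlatformManagedProxyConfigured(env) {
		return ModePlatformManaged
	}
	return ModeBYOK
}

// IdentityResponse is an illustrative shape for the open identity signal the
// canvas reads; only the platform_managed_available field is taken from the page.
type IdentityResponse struct {
	OrgName                  string `json:"org_name"`
	PlatformManagedAvailable bool   `json:"platform_managed_available"`
}

// BuildIdentity derives the advertised availability from the same precondition
// the server enforces, so the UI can never be told "managed" when the proxy is absent.
func BuildIdentity(orgName string, env Env) IdentityResponse {
	return IdentityResponse{OrgName: orgName, PlatformManagedAvailable: PlatformManagedProxyConfigured(env)}
}

// ClientAvailability is the canvas-side reading: anything but a 200 carrying
// true (including a 404 from an older server) is "unavailable".
func ClientAvailability(status int, resp *IdentityResponse) bool {
	return status == 200 && resp != nil && resp.PlatformManagedAvailable
}

// mapEnv builds an Env from a constructed map (used below and in tests).
func mapEnv(m map[string]string) Env { return func(k string) string { return m[k] } }

func main() {
	selfHost := mapEnv(map[string]string{}) // constructed: no proxy variables at all
	saas := mapEnv(map[string]string{
		"MOLECULE_LLM_BASE_URL":    "https://llm-proxy.example.invalid", // constructed sample
		"MOLECULE_LLM_USAGE_TOKEN": "usage-token-example",               // constructed sample
	})
	fmt.Println("self-host, asked platform_managed:", ResolveBillingMode("platform_managed", selfHost))
	fmt.Println("saas, asked platform_managed:     ", ResolveBillingMode("platform_managed", saas))
	fmt.Println("saas, asked byok:                 ", ResolveBillingMode("byok", saas))
}
```

The point of routing both the server's resolver and the identity endpoint through one predicate is that the "available" signal and the actual proxy wiring cannot disagree; the client-side helper then treats every non-200 response the same way, which is what keeps an older workspace-server (no `/org/identity`) on the byok path.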
core-devops added 1 commit 2026-06-07 22:29:15 +00:00
feat(canvas): full workspace config tabs for the platform agent in Settings
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / Detect changes (pull_request) Successful in 8s
CI / Python Lint & Test (pull_request) Successful in 8s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 14s
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
E2E Chat / detect-changes (pull_request) Successful in 17s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 17s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 15s
Check migration collisions / Migration version collision check (pull_request) Successful in 32s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 16s
Harness Replays / detect-changes (pull_request) Successful in 27s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 33s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 13s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 14s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 18s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 1m28s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 4s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m31s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 5s
E2E Chat / E2E Chat (pull_request) Successful in 3s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m24s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m24s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 19s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s
gate-check-v3 / gate-check (pull_request_target) Successful in 10s
qa-review / approved (pull_request_target) Failing after 10s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m14s
sop-checklist / review-refire (pull_request_target) Has been skipped
security-review / approved (pull_request_target) Failing after 8s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m51s
sop-checklist / all-items-acked (pull_request_target) Successful in 8s
sop-tier-check / tier-check (pull_request_target) Failing after 5s
Harness Replays / Harness Replays (pull_request) Successful in 1s
CI / Platform (Go) (pull_request) Successful in 4m0s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m8s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m7s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 3m46s
CI / Canvas (Next.js) (pull_request) Failing after 8m30s
CI / Canvas Deploy Status (pull_request) Has been skipped
CI / all-required (pull_request) Has been skipped
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m22s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 6m58s
d049e8fe1c
The concierge Settings page can now configure the platform agent exactly like
any workspace. Extracted SidePanel's tab bar + body into a shared
WorkspacePanelTabs component (the canonical 15-tab set: config, plugins/skills,
container, display, details, activity, terminal, channels, schedule, files,
memory, traces, events, audit, chat). SidePanel renders it controlled (store
panelTab) — map drawer unchanged; Settings renders it uncontrolled (local tab
state, defaultTab=config) for the platform agent, so it never fights the map's
selection. Every tab already took an explicit workspaceId prop, so the
extraction is behavior-preserving (no store-selection coupling).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 22:56:12 +00:00
fix(discovery): accept admin/org token for /registry/:id/peers (concierge config tabs 401)
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 4s
E2E Chat / detect-changes (pull_request) Successful in 9s
CI / Detect changes (pull_request) Successful in 15s
E2E API Smoke Test / detect-changes (pull_request) Successful in 13s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s
Harness Replays / detect-changes (pull_request) Successful in 11s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 17s
Check migration collisions / Migration version collision check (pull_request) Successful in 29s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
E2E Chat / E2E Chat (pull_request) Successful in 2s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 11s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 5s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 34s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 4s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 14s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m0s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
gate-check-v3 / gate-check (pull_request_target) Successful in 6s
qa-review / approved (pull_request_target) Failing after 4s
security-review / approved (pull_request_target) Failing after 4s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m34s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 4s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m38s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m50s
sop-tier-check / tier-check (pull_request_target) Failing after 10s
Harness Replays / Harness Replays (pull_request) Successful in 8s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 10s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m47s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m6s
CI / Platform (Go) (pull_request) Successful in 4m1s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 3m47s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m19s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m5s
ci-arm64-advisory / fast-checks (pull_request) Has been cancelled
CI / Canvas (Next.js) (pull_request) Has been cancelled
CI / Canvas Deploy Status (pull_request) Has been cancelled
CI / all-required (pull_request) Has been cancelled
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 7m0s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 15m42s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 51s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 7m15s
e6aad44c0f
The discovery routes (Peers/Discover/CheckAccess) auth via validateDiscoveryCaller,
which only did the per-workspace wsauth.ValidateToken — no admin/org fallback. So
the canvas operator's admin bearer 401'd ('invalid workspace auth token') on the
Details tab's GET /registry/:id/peers for the platform agent (the operator holds
no per-workspace token for it). Added the same admin-token + org-token fallback
middleware.WorkspaceAuth uses. Verified live: peers 200 with the admin token
(was 401). Every other config-tab endpoint already honored the operator token
via wsAuth's fallback or AdminAuth (swept: traces/plugins/schedules/channels/
display/events all 200).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
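The auth shape this commit adds to the discovery routes (per-workspace token first, then the admin bearer, then the org token, with one generic 401 on every miss) is shown below as an added example written for this page; it is not the project's `validateDiscoveryCaller` or `middleware.WorkspaceAuth`. The `Authz` store, its field names, `CallerKind`, `bearerFrom` and `RequireDiscoveryCaller` are assumptions, and the tokens in `main` are constructed samples.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// CallerKind records which credential class authenticated a discovery call.
type CallerKind int

const (
	CallerNone CallerKind = iota
	CallerWorkspace
	CallerAdmin
	CallerOrg
)

func (k CallerKind) String() string {
	switch k {
	case CallerWorkspace:
		return "workspace"
	case CallerAdmin:
		return "admin"
	case CallerOrg:
		return "org"
	}
	return "none"
}

// Authz is a hypothetical token store standing in for the per-workspace
// tokens plus the admin/org tokens the fallback consults. Field names are
// assumptions for this example.
type Authz struct {
	WorkspaceTokens map[string]string // workspaceID -> per-workspace bearer
	AdminToken      string            // server-wide operator token (may be unset)
	OrgToken        string            // org-scoped token (may be unset)
}

// ErrUnauthorized is the single generic failure returned for every miss, so
// the response does not reveal which credential class was attempted.
var ErrUnauthorized = errors.New("invalid workspace auth token")

// tokenEqual compares in constant time and refuses to match when either side
// is unset, so an empty AdminToken never becomes a wildcard.
func tokenEqual(presented, expected string) bool {
	if presented == "" || expected == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}

// bearerFrom extracts the token from an "Authorization: Bearer <tok>" header.
func bearerFrom(header string) string {
	const prefix = "bearer "
	if len(header) <= len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return ""
	}
	return strings.TrimSpace(header[len(prefix):])
}

// ValidateDiscoveryCaller tries the per-workspace token first (the pre-fix
// behaviour), then the admin token, then the org token. A platform-kind root
// with no per-workspace token is therefore reachable with the operator's admin
// bearer, which is the 401 the commit describes.
func (a *Authz) ValidateDiscoveryCaller(workspaceID, authHeader string) (CallerKind, error) {
	tok := bearerFrom(authHeader)
	if tok == "" {
		return CallerNone, ErrUnauthorized
	}
	switch {
	case tokenEqual(tok, a.WorkspaceTokens[workspaceID]):
		return CallerWorkspace, nil
	case tokenEqual(tok, a.AdminToken):
		return CallerAdmin, nil
	case tokenEqual(tok, a.OrgToken):
		return CallerOrg, nil
	}
	return CallerNone, ErrUnauthorized
}

// RequireDiscoveryCaller wraps a handler for a route of the shape
// /registry/:id/peers; wsID is supplied by the caller's router. On a miss it
// writes 401 with the same body regardless of cause.
func (a *Authz) RequireDiscoveryCaller(wsID func(*http.Request) string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		kind, err := a.ValidateDiscoveryCaller(wsID(r), r.Header.Get("Authorization"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		w.Header().Set("X-Caller-Kind", kind.String()) // illustrative only
		next(w, r)
	}
}

func main() {
	a := &Authz{
		WorkspaceTokens: map[string]string{"ws-1": "ws-token-1"}, // constructed sample
		AdminToken:      "admin-token-example",                  // constructed sample
	}
	for _, hdr := range []string{"Bearer ws-token-1", "Bearer admin-token-example", "Bearer nope"} {
		kind, err := a.ValidateDiscoveryCaller("platform-root", hdr)
		fmt.Printf("%-28s -> %s err=%v\n", hdr, kind, err)
	}
}
```

Two details matter for a route like this: the fallback order keeps the narrowest credential first, and the empty-string guard in `tokenEqual` means a deployment that leaves `AdminToken` or `OrgToken` unset simply loses that fallback instead of accepting an empty bearer.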
core-devops added 1 commit 2026-06-07 23:04:43 +00:00
feat(canvas): remove redundant map-toolbar controls (settings gear, theme toggle, legend)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 16s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 7s
E2E API Smoke Test / detect-changes (pull_request) Successful in 9s
CI / Detect changes (pull_request) Successful in 14s
E2E Chat / detect-changes (pull_request) Successful in 14s
Check migration collisions / Migration version collision check (pull_request) Successful in 29s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 15s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 17s
Harness Replays / detect-changes (pull_request) Successful in 12s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 8s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 31s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 11s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 13s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 3s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m15s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m1s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
gate-check-v3 / gate-check (pull_request_target) Successful in 6s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m7s
qa-review / approved (pull_request_target) Failing after 4s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 28s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
security-review / approved (pull_request_target) Failing after 5s
sop-checklist / all-items-acked (pull_request_target) Successful in 5s
sop-tier-check / tier-check (pull_request_target) Failing after 5s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m33s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m54s
E2E Chat / E2E Chat (pull_request) Successful in 3s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 40s
Harness Replays / Harness Replays (pull_request) Successful in 5s
CI / Canvas (Next.js) (pull_request) Has been cancelled
CI / Platform (Go) (pull_request) Has been cancelled
CI / Canvas Deploy Status (pull_request) Has been cancelled
CI / all-required (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Has been cancelled
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m13s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Waiting to run
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m2s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 7m0s
ed3662de5e
Settings now lives in the concierge global Settings (left rail) and theme in the topbar/Settings, so the map toolbar's gear + theme picker are redundant. The legend panel is also dropped from the map per design. Removes the now-unused SettingsButton/settingsGearRef/ThemeToggle/Legend imports.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-07 23:10:13 +00:00
Merge branch 'main' of https://git.moleculesai.app/molecule-ai/molecule-core into feat/canvas-concierge-ui
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 13s
Check migration collisions / Migration version collision check (pull_request) Successful in 20s
CI / Python Lint & Test (pull_request) Successful in 6s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
CI / Detect changes (pull_request) Successful in 11s
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
E2E Chat / detect-changes (pull_request) Successful in 11s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 34s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s
Harness Replays / detect-changes (pull_request) Successful in 7s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 41s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 10s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 3s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m8s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 28s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m29s
gate-check-v3 / gate-check (pull_request_target) Successful in 7s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m28s
qa-review / approved (pull_request_target) Failing after 10s
security-review / approved (pull_request_target) Failing after 8s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 6s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m42s
sop-tier-check / tier-check (pull_request_target) Failing after 9s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m16s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 19s
E2E Chat / E2E Chat (pull_request) Successful in 8s
Harness Replays / Harness Replays (pull_request) Successful in 18s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 20s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 1m9s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m30s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3m9s
CI / Platform (Go) (pull_request) Successful in 4m1s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m2s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 8m50s
CI / Canvas (Next.js) (pull_request) Failing after 9m39s
CI / Canvas Deploy Status (pull_request) Has been skipped
CI / all-required (pull_request) Has been skipped
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Waiting to run
f6e836a98d
core-devops added 3 commits 2026-06-07 23:25:23 +00:00
The 'hide Platform on self-host' decision was forked into the PlatformBillingSection leaf, so ConfigTab/CreateWorkspaceDialog/MissingKeysModal still offered it. Move it to the single source: enrichFromRegistry drops the platform provider + its models from registry_providers/registry_models when !PlatformManagedProxyConfigured(). Every consumer now derives correctness for free. SaaS (proxy configured) output is byte-identical.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
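The commit above moves the 'hide Platform on self-host' decision into one registry filter that every picker consumes. The Go snippet below is an added illustration of that shape, not the project's code: `Provider`, `Model`, `RequiresUserKey`, `enrichFromRegistry`'s signature and the sample registry entries are hypothetical, and the proxy-configured state is passed in as a boolean rather than read from the real `PlatformManagedProxyConfigured()`.

```go
package main

import "fmt"

// Provider and Model are the minimal shapes a registry-driven picker needs.
// Hypothetical types: the project's real registry structs are not on the page.
type Provider struct {
	ID   string
	Name string
}

type Model struct {
	ID       string
	Provider string // Provider.ID this model belongs to
}

// PlatformProviderID names the managed provider ("Platform = managed, no key").
const PlatformProviderID = "platform"

// RequiresUserKey: any provider other than Platform is bring-your-own-key.
func RequiresUserKey(p Provider) bool {
	return p.ID != PlatformProviderID
}

// enrichFromRegistry is the single source of truth for which providers and
// models a tenant may pick. With no managed proxy configured (self-host) it
// drops the platform provider and every model that belongs to it; with the
// proxy configured (SaaS) the input passes through unchanged and in order.
// Fresh slices are returned so no consumer aliases the registry.
func enrichFromRegistry(providers []Provider, models []Model, proxyConfigured bool) ([]Provider, []Model) {
	outP := make([]Provider, 0, len(providers))
	for _, p := range providers {
		if !proxyConfigured && p.ID == PlatformProviderID {
			continue
		}
		outP = append(outP, p)
	}
	outM := make([]Model, 0, len(models))
	for _, m := range models {
		if !proxyConfigured && m.Provider == PlatformProviderID {
			continue
		}
		outM = append(outM, m)
	}
	return outP, outM
}

// demoRegistry returns constructed sample data (not real provider/model ids).
func demoRegistry() ([]Provider, []Model) {
	providers := []Provider{
		{ID: PlatformProviderID, Name: "Platform (managed)"},
		{ID: "provider-a", Name: "Provider A"},
		{ID: "provider-b", Name: "Provider B"},
	}
	models := []Model{
		{ID: "managed-default", Provider: PlatformProviderID},
		{ID: "a-large", Provider: "provider-a"},
		{ID: "managed-fast", Provider: PlatformProviderID},
		{ID: "b-small", Provider: "provider-b"},
	}
	return providers, models
}

func main() {
	providers, models := demoRegistry()
	for _, proxy := range []bool{false, true} {
		p, m := enrichFromRegistry(providers, models, proxy)
		fmt.Printf("proxyConfigured=%v -> %d providers, %d models\n", proxy, len(p), len(m))
		for _, x := range p {
			fmt.Printf("  %-12s byok=%v\n", x.ID, RequiresUserKey(x))
		}
	}
}
```

Because the filter runs at the registry source, a consumer that forgets to check the proxy state cannot re-offer the managed provider on self-host; the worst it can do is show the already-filtered list.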
user_tasks had two write paths (REST handler + MCP tools) hand-writing the same SQL/enum/broadcast — extracted UserTaskStore (mirrors AgentMessageWriter); both surfaces route through it. Also de-duplicated validateDiscoveryCaller's repeated cookie-session block and aligned its credential precedence (bearer->admin/org/ws, then CP-session) to match middleware.WorkspaceAuth so the two can't drift.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
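The credential-precedence alignment in the commit above (bearer tried as admin, then org, then workspace; CP-session only after that; one resolver shared by the middleware and the discovery check) as an added Go example, not the project's code: `ResolveCaller`, `CredentialSet`, the principal names, the `cp_session` cookie name, the `/discovery/peers` path and the token/session values are all assumptions, and in-memory maps stand in for whatever store the real server uses.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Principal classes in precedence order (hypothetical names, not the project's).
const (
	PrincipalAdmin     = "admin"
	PrincipalOrg       = "org"
	PrincipalWorkspace = "workspace"
	PrincipalCPSession = "cp-session"
)

// Caller is the identity a request resolved to.
type Caller struct{ Principal, Subject string }

var ErrUnauthenticated = errors.New("unauthenticated")

// CredentialSet is a constructed in-memory store; a real store would look up a
// hash of the presented token, never the plaintext.
type CredentialSet struct {
	Admin, Org, Workspace map[string]string // bearer token -> subject
	CPSessions            map[string]string // cp_session cookie -> user id
}

// ResolveCaller is the single place that encodes precedence: a bearer is tried
// as admin, then org, then workspace; the control-plane session cookie is read
// only when no Authorization header is present. A malformed or unknown bearer
// fails closed instead of falling through to the cookie.
func (c *CredentialSet) ResolveCaller(r *http.Request) (Caller, error) {
	if auth := r.Header.Get("Authorization"); auth != "" {
		tok := strings.TrimSpace(strings.TrimPrefix(auth, "Bearer "))
		if !strings.HasPrefix(auth, "Bearer ") || tok == "" {
			return Caller{}, ErrUnauthenticated
		}
		principals := []string{PrincipalAdmin, PrincipalOrg, PrincipalWorkspace}
		for i, tokens := range []map[string]string{c.Admin, c.Org, c.Workspace} {
			if subject, ok := tokens[tok]; ok {
				return Caller{principals[i], subject}, nil
			}
		}
		return Caller{}, ErrUnauthenticated
	}
	if ck, err := r.Cookie("cp_session"); err == nil { // cookie name is an assumption
		if subject, ok := c.CPSessions[ck.Value]; ok {
			return Caller{PrincipalCPSession, subject}, nil
		}
	}
	return Caller{}, ErrUnauthenticated
}

// WorkspaceAuth is the middleware surface: resolve once, reject before the handler runs.
func (c *CredentialSet) WorkspaceAuth(next func(http.ResponseWriter, *http.Request, Caller)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		caller, err := c.ResolveCaller(r)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r, caller)
	}
}

// validateDiscoveryCaller is the second surface (peer discovery); it delegates
// to the same resolver, so the two cannot drift.
func (c *CredentialSet) validateDiscoveryCaller(r *http.Request) (Caller, error) {
	return c.ResolveCaller(r)
}

func demoCredentials() *CredentialSet { // constructed sample credentials
	return &CredentialSet{
		Admin:      map[string]string{"adm-token": "root"},
		Org:        map[string]string{"org-token": "org-1"},
		Workspace:  map[string]string{"ws-token": "ws-42"},
		CPSessions: map[string]string{"sess-1": "user-7"},
	}
}

func demoRequest(bearer, session string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/discovery/peers", nil)
	if bearer != "" {
		r.Header.Set("Authorization", "Bearer "+bearer)
	}
	if session != "" {
		r.AddCookie(&http.Cookie{Name: "cp_session", Value: session})
	}
	return r
}

func main() {
	c := demoCredentials()
	for _, in := range [][2]string{{"adm-token", "sess-1"}, {"bogus", "sess-1"}, {"", "sess-1"}} {
		caller, err := c.validateDiscoveryCaller(demoRequest(in[0], in[1]))
		fmt.Printf("bearer=%q cookie=%q -> %+v err=%v\n", in[0], in[1], caller, err)
	}
}
```

The fail-closed branch is the part worth a test: if an unknown bearer were allowed to fall through to the cookie, a request carrying a revoked token plus a valid browser session would be accepted with whatever the session grants, and the two surfaces would quietly diverge the moment one of them changed that rule.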
refactor(canvas): remove redundant PlatformBillingSection; single kind constant (SSOT)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / Python Lint & Test (pull_request) Successful in 4s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
E2E API Smoke Test / detect-changes (pull_request) Successful in 8s
CI / Detect changes (pull_request) Successful in 13s
E2E Chat / detect-changes (pull_request) Successful in 8s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s
Check migration collisions / Migration version collision check (pull_request) Successful in 29s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 14s
Harness Replays / detect-changes (pull_request) Successful in 13s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 34s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 5s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 19s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 30s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 15s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 16s
E2E Chat / E2E Chat (pull_request) Successful in 7s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 15s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 4s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m32s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m18s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m15s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 14s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m15s
gate-check-v3 / gate-check (pull_request_target) Successful in 12s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m35s
qa-review / approved (pull_request_target) Failing after 11s
security-review / approved (pull_request_target) Failing after 7s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 5s
Harness Replays / Harness Replays (pull_request) Successful in 13s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 1m8s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m8s
CI / Platform (Go) (pull_request) Successful in 4m8s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m39s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6m18s
CI / Canvas (Next.js) (pull_request) Failing after 6m30s
CI / Canvas Deploy Status (pull_request) Has been skipped
CI / all-required (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 8m10s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m7s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 7m1s
dc25031eed
PlatformBillingSection forked provider/model/billing logic the platform agent's Config tab (ConfigTab + LLMBillingSection) already owns — ConciergeShell rendered both. Removed it (billing-mode stays owned by LLMBillingSection; provider filtering now at the /templates source). Dropped the lingering name-regex platformRoot fallback (backend always returns kind; map filter is kind-only). Added WORKSPACE_KIND const (mirrors models.KindPlatform/Workspace) replacing magic 'platform' literals.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-08 00:28:51 +00:00
fix(local): serve the full baked runtime/template set so the runtime list mimics production (SSOT)
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 9s
CI / Detect changes (pull_request) Successful in 11s
E2E Chat / detect-changes (pull_request) Successful in 10s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 10s
E2E API Smoke Test / detect-changes (pull_request) Successful in 17s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 11s
Check migration collisions / Migration version collision check (pull_request) Successful in 32s
Harness Replays / detect-changes (pull_request) Successful in 9s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
E2E Chat / E2E Chat (pull_request) Successful in 8s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 19s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 37s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 14s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 13s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 7s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 30s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 57s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m18s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 10s
ci-arm64-advisory / fast-checks (pull_request) Has been cancelled
CI / all-required (pull_request) Has been cancelled
CI / Canvas Deploy Status (pull_request) Has been cancelled
CI / Platform (Go) (pull_request) Has been cancelled
CI / Canvas (Next.js) (pull_request) Has been cancelled
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Has been cancelled
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m32s
sop-checklist / all-items-acked (pull_request_target) Has been cancelled
sop-checklist / review-refire (pull_request_target) Has been cancelled
qa-review / approved (pull_request_target) Failing after 5s
Harness Replays / Harness Replays (pull_request) Successful in 2s
gate-check-v3 / gate-check (pull_request_target) Waiting to run
security-review / approved (pull_request_target) Failing after 16s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m6s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m47s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 3m48s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Waiting to run
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Waiting to run
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m2s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
cf23d2aead
The image bakes all runtime templates (claude-code-default, codex, google-adk, hermes, openclaw, seo-agent) at /workspace-configs-templates, but the ./workspace-configs-templates:/configs mount carried only claude-code-default on the host — so GET /templates (the runtime-picker SSOT) listed ONLY claude-code locally while production lists them all. Point TEMPLATE_CACHE_DIR at the baked bundle so the local runtime LIST matches production. Provisioning the non-claude-code runtimes locally still needs their host templates + images (the local Docker provisioner bind-mounts from CONFIGS_HOST_DIR), so they're selectable but only claude-code is provisionable in this lightweight dev stack — full-runtime provisioning is covered by the staging e2e. Verified: /templates now serves claude-code, codex, google-adk, hermes, openclaw.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-08 00:30:49 +00:00
feat(canvas): split Settings into Platform-agent / Org-&-canvas tabs (not one sheet)
E2E Chat / detect-changes (pull_request) Successful in 13s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 6s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 1m12s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m50s
CI / Canvas (Next.js) (pull_request) Failing after 6m30s
CI / Canvas Deploy Status (pull_request) Has been skipped
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / all-required (pull_request) Has been skipped
Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
Harness Replays / detect-changes (pull_request) Successful in 20s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 1m24s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
gate-check-v3 / gate-check (pull_request_target) Successful in 6s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m24s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 9s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 1m9s
CI / Python Lint & Test (pull_request) Successful in 4s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m3s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m4s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
CI / Detect changes (pull_request) Successful in 13s
security-review / approved (pull_request_target) Failing after 4s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 13s
qa-review / approved (pull_request_target) Failing after 4s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m12s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 3s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 15s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
E2E Chat / E2E Chat (pull_request) Successful in 3s
Harness Replays / Harness Replays (pull_request) Successful in 2s
E2E API Smoke Test / detect-changes (pull_request) Successful in 7s
Check migration collisions / Migration version collision check (pull_request) Successful in 23s
sop-checklist / review-refire (pull_request_target) Has been skipped
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m32s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
CI / Platform (Go) (pull_request) Successful in 4m5s
sop-checklist / all-items-acked (pull_request_target) Successful in 6s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m43s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m16s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Waiting to run
d3249101f8
The Settings page stacked both sections in one long scroll. Give each its own tab (reusing the existing .sbTabs purple-underline tab style): 'Platform agent configuration' and 'Org & canvas settings'. Local settingsTab state, defaults to the platform-agent tab.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 3 commits 2026-06-08 00:51:50 +00:00
Organization settings tab called the control-plane-only GET /cp/orgs, 404ing on self-host. /org/identity now also returns slug + org_id (MOLECULE_ORG_SLUG/ID), and OrgInfoTab falls back to it when /cp/orgs is unavailable — single org, no error; SaaS multi-org path unchanged. Org templates: the image bakes default org templates (molecule-dev, molecule-worker-gemini, ux-ab-lab) at /org-templates, but the ./org-templates:/org-templates:ro mount shadowed them with an empty host dir (same class as the runtime-template shadow). findOrgDir() honors ORG_TEMPLATES_DIR; compose points it at the baked bundle + drops the shadowing mount — local now lists them like production.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Extends the existing staging harness (reuses org-provision/teardown + _lib.sh + env contract): TestConciergePlatformAgent_Staging (Go, staging_e2e tag) covers platform-agent install + kind + /org/identity + re-parenting, discovery peers admin auth, billing-mode round-trip, and the config-tab endpoint sweep; test_staging_concierge_e2e.sh covers user_tasks REST+MCP+cross-workspace authz. Wired into e2e-staging-saas.yml as GATING jobs (+ a compile-skip-loud job that runs every push). Caught + fixed: /org/identity needs X-Molecule-Org-Id on a SaaS tenant (TenantGuard) — switched to doTenantJSON.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
test(canvas-e2e): Playwright front-end e2e for each concierge function
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 20s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 1m21s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 4s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m5s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m16s
security-review / approved (pull_request_target) Failing after 11s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / all-items-acked (pull_request_target) Successful in 8s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 10s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 15s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m15s
qa-review / approved (pull_request_target) Failing after 12s
sop-checklist / na-declarations (pull_request) N/A: (none)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m28s
gate-check-v3 / gate-check (pull_request_target) Successful in 13s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m10s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 10s
CI / Platform (Go) (pull_request) Successful in 4m18s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 33s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 7s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
Harness Replays / Harness Replays (pull_request) Successful in 3s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m27s
sop-checklist / review-refire (pull_request_target) Has been skipped
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m10s
E2E Chat / E2E Chat (pull_request) Successful in 5s
Harness Replays / detect-changes (pull_request) Successful in 15s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (compile+skip) (pull_request) Successful in 29s
CI / Canvas (Next.js) (pull_request) Failing after 6m40s
CI / Canvas Deploy Status (pull_request) Has been skipped
CI / all-required (pull_request) Has been skipped
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 5s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 4m3s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Waiting to run
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m40s
CI / Python Lint & Test (pull_request) Successful in 5s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 40s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Successful in 1m3s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m14s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 7m51s
CI / Detect changes (pull_request) Successful in 8s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been skipped
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 12s
E2E API Smoke Test / detect-changes (pull_request) Successful in 12s
E2E Chat / detect-changes (pull_request) Successful in 13s
Check migration collisions / Migration version collision check (pull_request) Successful in 36s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 12s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (staging) (pull_request) Has been skipped
643dd5c1f5
Extends the existing canvas staging Playwright project (staging-*.spec.ts, gated Canvas tabs E2E check) with staging-concierge.spec.ts — 7 specs: shell/nav + dynamic org name, Home (canonical ChatTab + sub-tabs + ROOT tree), Org map hides the concierge, Settings two-tab split + full WorkspacePanelTabs, Config-tab SSOT dropdowns (no Platform on self-host), Org & canvas sub-tabs (Organization no 404), and the stripped map toolbar. Installs a real platform agent via the admin endpoint per run. Adds minimal data-testids to ConciergeShell for stable selection.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-08 01:23:43 +00:00
feat(concierge): seed the platform agent its concierge identity + platform MCP config
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Successful in 51s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 25s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 18s
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
E2E Chat / E2E Chat (pull_request) Successful in 8s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m42s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m7s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m7s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m25s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 3m47s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 7m41s
CI / all-required (pull_request) Has been skipped
CI / Canvas Deploy Status (pull_request) Has been skipped
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m4s
gate-check-v3 / gate-check (pull_request_target) Successful in 5s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 7m1s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m0s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m24s
qa-review / approved (pull_request_target) Failing after 4s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m45s
sop-checklist / review-refire (pull_request_target) Has been skipped
CI / Canvas (Next.js) (pull_request) Failing after 8m35s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
sop-checklist / all-items-acked (pull_request_target) Successful in 3s
security-review / approved (pull_request_target) Failing after 8s
CI / Platform (Go) (pull_request) Successful in 4m5s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
Harness Replays / Harness Replays (pull_request) Successful in 3s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m5s
CI / Detect changes (pull_request) Successful in 8s
CI / Python Lint & Test (pull_request) Successful in 12s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been skipped
E2E API Smoke Test / detect-changes (pull_request) Successful in 13s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been skipped
E2E Chat / detect-changes (pull_request) Successful in 22s
Check migration collisions / Migration version collision check (pull_request) Successful in 31s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 19s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (staging) (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 33s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 38s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 5s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 16s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 19s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 19s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (compile+skip) (pull_request) Successful in 25s
Harness Replays / detect-changes (pull_request) Successful in 6s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
18a0be64a9
installPlatformAgent created only a DB row, so the concierge booted as a vanilla
claude-code agent ("I'm MiniMax-M3", generic tasks). Per rfc-platform-agent.md it
must carry a concierge system_prompt (it IS the org root / user's A2A peer + default
chat target; orchestrates the org via the platform MCP + a2a; destructive ops
human-approved) and the platform MCP (mcp_servers: platform → molecule-mcp-server,
authed from MOLECULE_API_KEY/URL/ORG_ID). Seeded at provision (applyConcierge
ProvisionConfig, gated on kind='platform'), idempotent + self-applying to the
existing concierge (boot-provision restarts a running-but-vanilla one). The org-admin
MCP only lights up on the platform-agent image; identity works everywhere. Live-verified:
concierge now answers as the org platform concierge.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 2 commits 2026-06-08 01:53:43 +00:00
The concierge declared the platform MCP but ran on the plain claude-code image
(no /opt/molecule-mcp-server) so it had zero org-admin tools. The local Docker
provisioner now selects the platform-agent image variant for kind='platform'
(gated on the image being present — falls back + logs otherwise, so normal
workspaces + SaaS are unaffected). kind is read from the workspace row (SSOT).
Live-verified: concierge runs ...-platform-agent, /opt/molecule-mcp-server present,
online, and GET /workspaces with the MCP bearer returns 200 from inside it. SaaS/CP
provisioner image selection is the cross-repo follow-up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
test(e2e): functional proof the concierge creates a workspace via its platform MCP
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 39s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m3s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 9s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m14s
E2E Chat / E2E Chat (pull_request) Successful in 3s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 27s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 3m45s
gate-check-v3 / gate-check (pull_request_target) Successful in 8s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m27s
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / Python Lint & Test (pull_request) Successful in 5s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 16s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m24s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m19s
CI / Detect changes (pull_request) Successful in 7s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 4m54s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 6s
qa-review / approved (pull_request_target) Failing after 6s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Successful in 25s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 56s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
Harness Replays / Harness Replays (pull_request) Successful in 1s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 31s
sop-checklist / na-declarations (pull_request) N/A: (none)
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 20s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 58s
sop-checklist / review-refire (pull_request_target) Has been skipped
Harness Replays / detect-changes (pull_request) Successful in 7s
security-review / approved (pull_request_target) Failing after 6s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (compile+skip) (pull_request) Successful in 23s
sop-checklist / all-items-acked (pull_request_target) Successful in 6s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 7s
E2E Chat / detect-changes (pull_request) Successful in 10s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 5s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 6m9s
CI / Platform (Go) (pull_request) Successful in 4m12s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6m26s
CI / Canvas (Next.js) (pull_request) Failing after 6m35s
CI / Canvas Deploy Status (pull_request) Has been skipped
Check migration collisions / Migration version collision check (pull_request) Successful in 30s
CI / all-required (pull_request) Has been skipped
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 7m0s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been skipped
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 9s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been skipped
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (staging) (pull_request) Has been skipped
993379f184
Drives the concierge as an AGENT (A2A message/send: 'create a workspace named X
with role engineer') and asserts the real side effect — a workspace named X appears
in GET /workspaces, only possible if the LLM invoked the create_workspace platform-MCP
tool. Staging real-LLM job (GATING, false-green-proof via E2E_REQUIRE_LIVE=1 so a
missing platform-agent image hard-fails) + a local variant (make e2e-concierge-creates-workspace)
that skips-loud unless the concierge's MCP advertises
create_workspace. Tolerates LLM nondeterminism (imperative prompt, assert by name,
bounded polling). Teardown + AWS-leak-check.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-08 04:15:52 +00:00
test(security): lock that only the kind=platform concierge gets the org MCP + admin token
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 6s
CI / Detect changes (pull_request) Successful in 8s
E2E API Smoke Test / detect-changes (pull_request) Successful in 9s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Has been skipped
E2E Chat / detect-changes (pull_request) Successful in 16s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been skipped
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s
Check migration collisions / Migration version collision check (pull_request) Successful in 29s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (staging) (pull_request) Has been skipped
CI / Shellcheck (E2E scripts) (pull_request) Successful in 24s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 38s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 51s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 12s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 20s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 12s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (compile+skip) (pull_request) Successful in 1m19s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 11s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Successful in 45s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 10s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 8s
Harness Replays / detect-changes (pull_request) Successful in 26s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m13s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 30s
gate-check-v3 / gate-check (pull_request_target) Successful in 5s
security-review / approved (pull_request_target) Failing after 4s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m23s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 1m5s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m37s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m11s
CI / Platform (Go) (pull_request) Successful in 4m13s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m13s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m22s
qa-review / approved (pull_request_target) Failing after 4s
Harness Replays / Harness Replays (pull_request) Successful in 6s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m13s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m33s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m22s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 1m8s
E2E Chat / E2E Chat (pull_request) Successful in 7s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 8m45s
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / review-refire (pull_request_target) Has been skipped
CI / Canvas (Next.js) (pull_request) Failing after 6m36s
sop-checklist / all-items-acked (pull_request_target) Successful in 4s
CI / Canvas Deploy Status (pull_request) Has been skipped
CI / all-required (pull_request) Has been skipped
0541076f90
Regression guard for the user's requirement: only the tenant-native concierge
(kind='platform') may hold the org/platform MCP and the org-admin token natively;
an ordinary workspace must get neither. Asserts applyConciergeProvisionConfig is a
no-op for kind='workspace' (no MOLECULE_API_KEY leak, no system-prompt, no platform
mcp_servers) and applies for kind='platform'. Defense-in-depth already exists at
three layers (config + admin-token env + MCP-bearing image, all gated on the DB
kind SSOT); this stops a silent regression of the gate.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 2 commits 2026-06-08 06:01:45 +00:00
ci(concierge): fix Canvas reduced-motion test target + bp directives + local-provision port-squatter flake
security-review / approved (pull_request_target) Failing after 4s
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 4s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 16s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m39s
CI / Python Lint & Test (pull_request) Successful in 5s
E2E Chat / E2E Chat (pull_request) Successful in 5s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m26s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 6s
Harness Replays / Harness Replays (pull_request) Successful in 6s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 1m7s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m46s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 17s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m21s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m53s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 6m23s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 1m13s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m2s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 8m31s
CI / Canvas (Next.js) (pull_request) Successful in 6m32s
CI / Detect changes (pull_request) Successful in 9s
CI / Platform (Go) (pull_request) Successful in 4m3s
CI / Canvas Deploy Status (pull_request) Successful in 2s
CI / all-required (pull_request) Successful in 2s
Check migration collisions / Migration version collision check (pull_request) Successful in 23s
E2E API Smoke Test / detect-changes (pull_request) Successful in 9s
E2E Chat / detect-changes (pull_request) Successful in 14s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 7s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Has been skipped
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 37s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 23s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 28s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (staging) (pull_request) Has been skipped
Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s
Harness Replays / detect-changes (pull_request) Successful in 7s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 14s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m20s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (compile+skip) (pull_request) Successful in 21s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m0s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
gate-check-v3 / gate-check (pull_request_target) Successful in 8s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Successful in 45s
qa-review / approved (pull_request_target) Failing after 6s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
sop-checklist / review-refire (pull_request_target) Has been skipped
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 8s
3b1e705e8b
- reduced-motion.test.ts: the connection-status pulse dot moved from
  SidePanel.tsx into the extracted WorkspacePanelTabs.tsx; retarget the
  motion-safe:animate-pulse assertion to where the guarded indicator now
  lives (was the only red in CI / Canvas -> gates CI / all-required).
- e2e-staging-saas.yml: add bp directives to the 4 new concierge jobs the
  Tier-2g lint flagged — bp-required: pending #2430 for the three real
  push-time staging e2e jobs (creates-workspace / platform / user-tasks,
  aspiring gates sharing the cp#245 de-flake surface), bp-exempt for the
  PR-time compile-only job. #2187 (the sibling's tracker) is closed/unrelated.
- local-provision-e2e.yml (no-flakes RCA): the :8080 kill-step only matched
  procs *named* platform-server, so a differently-named squatter survived,
  our bind went FATAL, and the /health loop false-positived against the
  squatter. Free :8080 from ANY holder (fuser/lsof) and verify our own PID
  owns the port BEFORE trusting /health, in both the stub and real jobs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-08 06:24:15 +00:00
fix(security): prevent ordinary workspace from self-minting a second org root (priv-esc)
E2E API Smoke Test / detect-changes (pull_request) Successful in 18s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (staging) (pull_request) Has been skipped
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 21s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 55s
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
qa-review / approved (pull_request_target) Failing after 5s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 14s
E2E Chat / E2E Chat (pull_request) Successful in 6s
security-review / approved (pull_request_target) Failing after 4s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 4s
sop-checklist / review-refire (pull_request_target) Has been skipped
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been skipped
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 34s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 13s
gate-check-v3 / gate-check (pull_request_target) Successful in 31s
Harness Replays / Harness Replays (pull_request) Successful in 11s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m16s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (compile+skip) (pull_request) Successful in 22s
Harness Replays / detect-changes (pull_request) Successful in 10s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 6m21s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Has been skipped
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 13s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been skipped
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 4m2s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 4m18s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 41s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 25s
Check migration collisions / Migration version collision check (pull_request) Successful in 1m30s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m24s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 12s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 2m38s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m20s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 2m27s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 32s
E2E Chat / detect-changes (pull_request) Successful in 12s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Successful in 1m24s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 7m8s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 6m18s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 7m29s
CI / Detect changes (pull_request) Successful in 9s
CI / Python Lint & Test (pull_request) Successful in 9s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 21s
CI / Platform (Go) (pull_request) Successful in 4m2s
CI / Canvas (Next.js) (pull_request) Failing after 8m40s
CI / all-required (pull_request) Has been skipped
CI / Canvas Deploy Status (pull_request) Has been skipped
b1da145611
Independent security review of #2385 found a privilege-escalation path: POST
/registry/register is bootstrap-allowed for a fresh workspace id and wrote the
caller-supplied kind, while workspaces_platform_root_check only enforces
'platform => parent_id IS NULL' (NOT a single root). So an ordinary in-VPC
workspace could register a fresh UUID as {"kind":"platform"}, mint a second
org root, and POST /workspaces/:id/restart it — the shared provision path then
injects MOLECULE_API_KEY=ADMIN_TOKEN (tenant-wide org-admin credential) into any
kind='platform' workspace, on self-host AND SaaS. That breaks the invariant that
only the concierge gets the org MCP + admin token.

Defense in depth:
- migration 20260607000000_one_platform_root: partial UNIQUE index
  (kind) WHERE kind='platform' — at most one platform root per (single-org)
  tenant DB. isPlatformRootViolation now also maps the 23505 to a friendly 409.
- registry.go Register: app-layer guard refusing to CREATE or PROMOTE a row to
  kind='platform' via the public path (reserve that for the AdminAuth/boot-gated
  install paths); a platform agent re-registering its already-platform row is
  unaffected. Placed after the token check to avoid side-channeling row existence.
- corrected the false 'CHECK structurally guarantees one per org' claims in the
  20260606 migration + integration-test header.

Tests:
- registry_test.go: rejects fresh kind=platform (403), rejects workspace->platform
  promotion (403), allows already-platform re-register (200).
- kind_platform_root_integration_test.go: real-PG test that a SECOND platform
  root is rejected by the unique index (the CHECK alone accepts it).
- canvas-topology-pure.test.ts: cover stripPlatformRootForMap (QA HIGH gap) —
  abs-position reparent math, platform-edge drop, grandchild preservation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
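The two-layer fix described in commit b1da145611 (app-layer guard in Register plus a partial UNIQUE index that turns a second platform root into a 409) can be modelled end to end in a few dozen lines. The block below is an added example written for this page, not code from the molecule repository: `Store`, `RegisterRequest`, `Register`, the in-memory `upsert` and the `uniqueViolation` type are stand-ins for the real Postgres table, pgconn error and HTTP handler, and the token check is a simplified version of the "bootstrap-allowed for a fresh id" rule. What it demonstrates is the ordering the commit calls out (token check before the kind guard, so a 403 never reveals whether a row exists), the three public-path cases the tests lock (fresh platform 403, workspace-to-platform promotion 403, platform re-register 200), and why the index is still needed behind the guard (two admin-path installs).

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not the project's code. Store/Register/RegisterRequest are
// hypothetical stand-ins for the tenant DB table and the registry handler.
const (
	KindWorkspace = "workspace"
	KindPlatform  = "platform"
)

var errPlatformKindForbidden = errors.New("kind='platform' is reserved for the admin/boot install path")

// RegisterRequest is the caller-supplied body of POST /registry/register.
type RegisterRequest struct {
	ID    string
	Kind  string
	Token string
}

type row struct {
	kind  string
	token string
}

// Store is a constructed, in-memory stand-in for the workspaces table.
type Store struct{ rows map[string]row }

func NewStore() *Store { return &Store{rows: map[string]row{}} }

// uniqueViolation mimics a pgconn SQLSTATE 23505 error raised by the partial
// index UNIQUE (kind) WHERE kind = 'platform'.
type uniqueViolation struct{ constraint string }

func (e *uniqueViolation) Error() string    { return "SQLSTATE 23505: duplicate key violates " + e.constraint }
func (e *uniqueViolation) SQLState() string { return "23505" }

// upsert writes a row while enforcing the DB-layer invariant: at most one
// kind='platform' row per tenant DB. The original CHECK only said
// "platform => parent_id IS NULL", which a second root satisfies.
func (s *Store) upsert(id string, r row) error {
	if r.kind == KindPlatform {
		for otherID, other := range s.rows {
			if otherID != id && other.kind == KindPlatform {
				return &uniqueViolation{constraint: "one_platform_root"}
			}
		}
	}
	s.rows[id] = r
	return nil
}

type sqlStater interface{ SQLState() string }

// isPlatformRootViolation maps the unique-index error to a friendly 409.
func isPlatformRootViolation(err error) bool {
	var uv sqlStater
	return errors.As(err, &uv) && uv.SQLState() == "23505"
}

// Register models the handler. adminPath=true stands for the AdminAuth/boot-
// gated install path; false is the public in-VPC path. Returns an HTTP status.
func Register(s *Store, req RegisterRequest, adminPath bool) (int, error) {
	existing, exists := s.rows[req.ID]

	// 1. Token check first: a fresh id is bootstrap-allowed, an existing row
	//    must present its own token. Running this before the kind guard means
	//    the guard's 403 cannot be used to probe whether an id already exists.
	if exists && !adminPath && req.Token != existing.token {
		return 401, errors.New("bad registration token")
	}

	// 2. App-layer guard: the public path may neither CREATE nor PROMOTE a row
	//    to kind='platform'. A platform row re-registering itself is fine.
	if req.Kind == KindPlatform && !adminPath && (!exists || existing.kind != KindPlatform) {
		return 403, fmt.Errorf("register %s: %w", req.ID, errPlatformKindForbidden)
	}

	// 3. DB-layer guard: the partial unique index catches anything that gets
	//    past the handler (e.g. two admin installs racing); surface it as 409.
	r := row{kind: req.Kind, token: req.Token}
	if exists {
		r.token = existing.token
	}
	if err := s.upsert(req.ID, r); err != nil {
		if isPlatformRootViolation(err) {
			return 409, err
		}
		return 500, err
	}
	if exists {
		return 200, nil
	}
	return 201, nil
}

func main() {
	s := NewStore()
	st, err := Register(s, RegisterRequest{ID: "ws-1", Kind: KindPlatform, Token: "t1"}, false)
	fmt.Println("public fresh platform:", st, err) // 403
	st, err = Register(s, RegisterRequest{ID: "root", Kind: KindPlatform, Token: "rt"}, true)
	fmt.Println("admin install root:", st, err) // 201
	st, err = Register(s, RegisterRequest{ID: "root-2", Kind: KindPlatform, Token: "x"}, true)
	fmt.Println("admin second root:", st, err) // 409
}
```

The index is deliberately kept even though the handler already refuses; the handler protects the public path, the index protects every path, including future admin-side code that forgets the rule.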
core-devops added 1 commit 2026-06-08 07:25:55 +00:00
ci/test: fix DisplayTab paste-race + decouple memory-heavy coverage from the Canvas gate
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s
CI / Detect changes (pull_request) Successful in 10s
CI / Python Lint & Test (pull_request) Successful in 9s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 10s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been skipped
E2E API Smoke Test / detect-changes (pull_request) Successful in 21s
E2E Chat / detect-changes (pull_request) Successful in 19s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been skipped
Check migration collisions / Migration version collision check (pull_request) Successful in 46s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 17s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 43s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 17s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (staging) (pull_request) Has been skipped
Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s
Harness Replays / detect-changes (pull_request) Successful in 5s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (compile+skip) (pull_request) Successful in 23s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 1m7s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m3s
E2E Chat / E2E Chat (pull_request) Successful in 6s
lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Successful in 1m17s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 2m36s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m43s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Successful in 2m27s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 25s
gate-check-v3 / gate-check (pull_request_target) Has started running
qa-review / approved (pull_request_target) Has started running
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 35s
security-review / approved (pull_request_target) Has started running
sop-checklist / review-refire (pull_request_target) Has been skipped
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m3s
Harness Replays / Harness Replays (pull_request) Has started running
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m23s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m19s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 7m34s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4m57s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 8m3s
CI / Platform (Go) (pull_request) Successful in 11m21s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Waiting to run
CI / Canvas (Next.js) (pull_request) Successful in 16m46s
CI / Canvas Deploy Status (pull_request) Successful in 7s
CI / all-required (pull_request) Successful in 7s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Has been cancelled
sop-checklist / all-items-acked (pull_request_target) Has been cancelled
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Has been cancelled
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Has been cancelled
3de9e05076
Two pre-existing Canvas-gate fragilities (both on main, surfaced by #2385's CI)
that blocked the required CI / all-required gate on resource/timing, not on a
real test result:

1. DisplayTab.test.tsx "forwards browser paste events into the noVNC clipboard"
   raced: it fired paste as soon as the "Workspace desktop" title rendered, but
   the component sets rfbRef.current synchronously after new RFB() INSIDE the
   async connect() (which awaits a lease/token first). When the race lost under
   CI runner load, the window paste handler's rfbRef.current?.clipboardPasteFrom
   no-op'd -> 0 calls. Wait for mockRFBConstructor before pasting -> deterministic.

2. The Canvas gate ran "npx vitest run --coverage" as the pass/fail step. v8
   coverage + JSDOM under vitest maxWorkers:1 accumulates memory across all 228
   files and OS-OOM-killed the run mid-suite on the shared runner. Split: the
   GATE is now plain "npx vitest run" (light, deterministic); coverage moves to a
   separate continue-on-error artifact step (no threshold gate per #1815, so it
   was never a real gate). Removes the OOM from the required path.

Verified: DisplayTab 13/13 (5x); full canvas suite 3358/0; coverage run still
produces the artifact when memory allows.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
core-devops added 1 commit 2026-06-08 07:47:08 +00:00
ci: revert coverage-gate split — measured peak is 1.33 GB, there was no OOM
security-review / approved (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
CI / Python Lint & Test (pull_request) Successful in 7s
CI / Detect changes (pull_request) Successful in 9s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 10s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been skipped
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 11s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (staging) (pull_request) Has been skipped
E2E API Smoke Test / detect-changes (pull_request) Successful in 17s
E2E Chat / detect-changes (pull_request) Successful in 18s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 9s
Harness Replays / detect-changes (pull_request) Successful in 12s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s
Check migration collisions / Migration version collision check (pull_request) Successful in 41s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 42s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 20s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 3s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 1s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 9s
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Successful in 1m10s
E2E Workspace Lifecycle (staginge2e) / E2E Workspace Lifecycle (compile+skip) (pull_request) Successful in 2m5s
E2E Chat / E2E Chat (pull_request) Successful in 4s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m45s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 13s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 2m3s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 3m26s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 6s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m5s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 23s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Failing after 1m16s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m47s
Harness Replays / Harness Replays (pull_request) Successful in 7s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m10s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m30s
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m43s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 3m8s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5m34s
CI / Canvas (Next.js) (pull_request) Successful in 6m59s
CI / Canvas Deploy Status (pull_request) Successful in 1s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 8m52s
CI / Platform (Go) (pull_request) Successful in 9m55s
CI / all-required (pull_request) Successful in 12s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 7m10s
qa-review / approved (pull_request_review) Successful in 5s
security-review / approved (pull_request_review) Successful in 5s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 7/7
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 10s
lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Successful in 1m14s
audit-force-merge / audit (pull_request_target) Successful in 11s
gate-check-v3 / gate-check (pull_request_target) Has been cancelled
e6b6ec519c
Evidence-first correction (SOP). My earlier commit split the Canvas gate into a
plain "vitest run" + a separate continue-on-error coverage step, on the theory
that "vitest run --coverage" was OS-OOM-killing the runner. Measuring the actual
footprint disproves that:

  full vitest + v8-coverage process TREE peak RSS = 1.33 GB (3358 tests)

(The first measurement of 0.56 GB only saw the parent process; 1.33 GB is the
whole tree incl. the worker fork.) 1.33 GB is comfortably within the runner, and
the single "vitest run --coverage" gate was green on the prior head 3b1e705e — so
there is no chronic coverage OOM. The two reds on b1da1456 were (a) the DisplayTab
paste-race (real, fixed in this PR) and (b) an incomplete attempt-1 log captured
when the re-run was triggered, NOT a kill.

So the split was a workaround for a misdiagnosed problem. Restore the SINGLE
"npx vitest run --coverage" as the gate+coverage SSOT (one invocation, html
artifact preserved, coverage config untouched in its proper home). The genuine
fix — DisplayTab waiting for the RFB connect before pasting — stays.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
agent-reviewer-cr2 approved these changes 2026-06-08 08:12:38 +00:00
agent-reviewer-cr2 left a comment
Member

Genuine qa-review on e6b6ec51: APPROVED.

Functional QA findings:

  • kind-column plumbing: PASS. List/Get queries include COALESCE(w.kind,'workspace'), scanWorkspaceRow returns kind, provision config reads kind from the DB, and canvas types/topology consume the marker.
  • platform-agent identity/seed/MCP gating: PASS. Install/self-host seed creates a kind='platform' root, provision overlay is kind-gated, ordinary workspaces do not receive MOLECULE_API_KEY/platform MCP config, and the Register path now blocks fresh/promoted kind='platform' self-registration. The 20260607000000_one_platform_root migration is present as structural backstop.
  • canvas concierge reskin: PASS. ConciergeShell resolves the platform root by kind, reuses canonical ChatTab and WorkspacePanelTabs, and stripPlatformRootForMap hides only the platform root from the map while promoting children.
  • SSOT discipline: PASS. Provider/runtime/model choices are served from registry-backed /templates fields; self-host filters platform-managed provider/models at the source via PlatformManagedProxyConfigured rather than hardcoding in leaf UI.

CI note at review time: CI/all-required, E2E API Smoke, and Handlers Postgres are green on e6b6ec51. Other non-qa contexts are still visible as failing in Gitea (including security-review/SOP/E2E/lint); this approval is the qa-team functional gate verdict, not an assertion that every non-qa gate is green.

core-security approved these changes 2026-06-08 08:44:29 +00:00
core-security left a comment
Member

Security review — APPROVED (e6b6ec51)

Independent adversarial security review of the Org Concierge / platform-agent backend, focused on the privilege model (the platform agent is the org root and natively holds the org-admin MCP + admin token, so the trust boundary is: ONLY the kind='platform' concierge may get the org MCP + admin token).

Finding — BLOCKER (found, fixed, re-verified)

The initial review found a real privilege-escalation: POST /registry/register is bootstrap-token-allowed for a fresh workspace id and wrote the caller-supplied kind, while the only DB guard (workspaces_platform_root_check) enforced kind='platform' => parent_id IS NULL but NOT a single root. So an ordinary in-VPC workspace could register a fresh UUID as {"kind":"platform"} (parent_id defaults NULL -> CHECK satisfied), obtain a bootstrap token, and POST /workspaces/:id/restart it. The shared provision path (prepareProvisionContext -> applyConciergeProvisionConfig -> conciergePlatformMCPEnv) then injects MOLECULE_API_KEY=ADMIN_TOKEN (the tenant-wide org-admin credential) into any kind='platform' workspace, on self-host AND SaaS -> full org-admin escalation past the invariant.

Resolution (verified closed)

Defense in depth, then re-checked by a fresh adversarial verifier (probed TOCTOU, other kind writers, update_workspace promotion, provision-payload trust — all negative):

  • DB backstop: migration 20260607000000_one_platform_root adds a partial unique index (kind) WHERE kind='platform' -> at most one platform root per tenant DB, race-proof (proven on real Postgres by TestIntegration_PlatformKind_SecondRootRejected).
  • App guard: Register refuses to CREATE or PROMOTE a row to kind='platform' via the public path; the org root is minted only by the AdminAuth/boot-gated install paths (InstallPlatformAgent/EnsureSelfHostedPlatformAgent). A pre-seeded platform agent re-registering its already-platform row is unaffected.
  • isPlatformRootViolation maps both the CHECK (23514) and the unique-index (23505) to a friendly 409.
  • Regression tests: TestRegister_RejectsFreshPlatformKind (403), TestRegister_RejectsPlatformPromotion (403), TestRegister_AllowsAlreadyPlatformReRegister (200), + the real-PG integration test above.
    The legitimate boot/seed/e2e flow is intact: the platform row is pre-seeded by the gated path BEFORE the agent registers (cmd/server/main.go seeds, then provisions), so the guard never blocks a real concierge.

Other axes — clean

  • Secret handling: no logging of ADMIN_TOKEN/MOLECULE_API_KEY; the admin token is read from process env, not client input (setIfAbsent).
  • A2A / org isolation: org_scope.go still fails closed; a rogue root (now impossible) couldn't reach the real org via routing anyway.
  • Discovery validateDiscoveryCaller: admin->org->per-workspace precedence does not widen enumeration.
  • user_tasks store: every mutation parameterized + workspace-scoped; no injection.
  • Migrations: idempotent (IF NOT EXISTS / NOT VALID-then-validate), down-migrations present, re-apply-safe.

Verdict

The privilege-escalation is closed at both the app and DB layers with locking tests; no residual reachable bypass found. Required CI (CI/all-required, E2E API Smoke, Handlers Postgres) is green on e6b6ec51. APPROVE.

(Provenance: this records the independent adversarial security review conducted for this PR — the BLOCKER finding above and its verified fix. Posted by core-security, a security-team member, as the security-gate verdict.)

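The two-layer guard the security review describes (a public Register path that never creates or promotes a kind='platform' row, a gated seed path that mints the single org root, and a Postgres backstop whose 23505/23514 violations are mapped to 409) can be modelled in a few dozen lines. The block below is an added illustration, not code from molecule-core: `WorkspaceStore`, `memStore`, `PGError`, `SeedPlatformRoot` and the workspace ids are this example's own constructions, and the in-memory store stands in for the partial unique index `(kind) WHERE kind='platform'` by raising SQLSTATE 23505 on a second platform row.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Workspace kinds; "platform" marks the org's single concierge root.
const (
	KindWorkspace = "workspace"
	KindPlatform  = "platform"
)

// PGError stands in for a Postgres driver error carrying its SQLSTATE code
// (constructed for this example; a real handler would use the driver's type).
type PGError struct{ Code string }

func (e *PGError) Error() string { return "sqlstate " + e.Code }

// WorkspaceStore is the minimal persistence surface the guard needs (hypothetical interface).
type WorkspaceStore interface {
	GetKind(id string) (kind string, found bool)
	Upsert(id, kind string) error
}

// memStore is a constructed in-memory table. It emulates the DB backstop: a partial
// unique index on (kind) WHERE kind='platform' rejects a second platform row with 23505.
type memStore struct{ rows map[string]string }

func newMemStore() *memStore { return &memStore{rows: map[string]string{}} }

func (m *memStore) GetKind(id string) (string, bool) {
	k, ok := m.rows[id]
	return k, ok
}

func (m *memStore) Upsert(id, kind string) error {
	if kind == KindPlatform {
		for other, k := range m.rows {
			if k == KindPlatform && other != id {
				return &PGError{Code: "23505"} // unique_violation from the partial index
			}
		}
	}
	m.rows[id] = kind
	return nil
}

// isPlatformRootViolation maps both DB-layer guards (CHECK 23514, unique index 23505)
// to one condition so the handler can answer 409 rather than a generic 500.
func isPlatformRootViolation(err error) bool {
	var pe *PGError
	if !errors.As(err, &pe) {
		return false
	}
	return pe.Code == "23505" || pe.Code == "23514"
}

// Register is the public, bootstrap-token-reachable path. It never creates or promotes
// a row to kind='platform'; only a row that is already platform may re-register as such.
// Returns the HTTP status the handler would send.
func Register(store WorkspaceStore, id, requestedKind string) int {
	if requestedKind == "" {
		requestedKind = KindWorkspace
	}
	existing, found := store.GetKind(id)
	alreadyPlatform := found && existing == KindPlatform
	if requestedKind == KindPlatform && !alreadyPlatform {
		return http.StatusForbidden // fresh platform create, or promotion of a workspace
	}
	if err := store.Upsert(id, requestedKind); err != nil {
		if isPlatformRootViolation(err) {
			return http.StatusConflict
		}
		return http.StatusInternalServerError
	}
	return http.StatusOK
}

// SeedPlatformRoot models the admin/boot-gated install path that mints the org root
// before the agent registers. It bypasses the app guard but not the DB backstop.
func SeedPlatformRoot(store WorkspaceStore, id string) int {
	if err := store.Upsert(id, KindPlatform); err != nil {
		if isPlatformRootViolation(err) {
			return http.StatusConflict // a second platform root in the same tenant DB
		}
		return http.StatusInternalServerError
	}
	return http.StatusOK
}

func main() {
	s := newMemStore()
	fmt.Println("fresh platform via public path:", Register(s, "ws-a", KindPlatform)) // 403
	fmt.Println("gated seed of the org root:", SeedPlatformRoot(s, "ws-root"))        // 200
	fmt.Println("root re-registering:", Register(s, "ws-root", KindPlatform))          // 200
	fmt.Println("ordinary workspace:", Register(s, "ws-child", KindWorkspace))         // 200
	fmt.Println("promotion attempt:", Register(s, "ws-child", KindPlatform))           // 403
	fmt.Println("second seed:", SeedPlatformRoot(s, "ws-root-2"))                      // 409
}
```

The order of checks matters: the app guard decides on the requested kind before any write, so a public caller cannot even reach the unique index, while the seed path relies on the index alone, which is what makes the two layers independent rather than redundant.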
Member

/sop-ack comprehensive-testing — Go suite all packages ok (0 fail); canvas vitest 3358 passed; priv-esc covered by TestRegister_RejectsFreshPlatformKind/RejectsPlatformPromotion/AllowsAlreadyPlatformReRegister + TestIntegration_PlatformKind_SecondRootRejected; kind/topology via stripPlatformRootForMap tests; DisplayTab paste-race deterministic-wait test. CI/all-required green on e6b6ec51.

Member

/sop-ack local-postgres-e2e — Handlers Postgres Integration green on e6b6ec51 (run 270450): real Postgres replays the new 20260607000000_one_platform_root migration and runs TestIntegration_PlatformKind_SecondRootRejected (2nd platform root rejected by uniq_workspaces_one_platform_root, 23505).

Member

/sop-ack staging-smoke — scheduled post-merge: e2e-staging-concierge-{creates-workspace,platform,user-tasks} in e2e-staging-saas.yml run on push-to-main/workflow_dispatch/cron (never on PR); PR path uses the -compile-skip stub. Correctly no canary pre-merge.

Member

/sop-ack memory-consulted — Applied: no-flakes (named the DisplayTab race, not re-run); evidence-first (measured coverage peak RSS 1.33GB before acting); dont-just-patch (reverted the misdiagnosed coverage split); SSOT discipline (kind SSOT marker + registry-derived providers, single coverage run); comprehensive-tests+real-e2e; build-integration-tag-before-push; security-review-acted-on (defense-in-depth priv-esc fix).

Member

/sop-ack root-cause — (a) priv-esc root: /registry/register upserts caller-supplied kind while the only DB guard bounded parent-ness not cardinality (permits multiple parentless platform roots) -> fixed at mechanism: partial unique index uniq_workspaces_one_platform_root + app-layer Register guard (403 on create/promote), not a symptom patch. (b) DisplayTab flake root: paste fired before async RFB connect() set rfbRef.current -> fixed by awaiting mockRFBConstructor, not a retry. (c) coverage OOM disproved by measurement (1.33GB) -> reverted the double-run patch to single run.

Member

/sop-ack five-axis-review — Correctness: kind plumbing consistent Go<->TS, security/gating tests green. Readability: matches style, threat-tied comments. Architecture: kind = pure SSOT discriminator, org still the parent_id-chain root. Security: priv-esc found+fixed+verified, org-MCP gating locked by TestApplyConciergeProvisionConfig_OnlyPlatformGetsOrgMCP, no secret logging, user_tasks ownership-scoped (WHERE workspace_id). Performance: kind probe is cold-path PK lookup + covering indexes; LOW follow-up: per-turn config re-read.

Member

/sop-ack no-backwards-compat — No shim/dead code: no commented-out code, no _old/_v2/.bak, 0 file deletions, all new symbols wired in; refactors REMOVE redundancy (PlatformBillingSection, name-regex fallback) and collapse platform literals into SSOT consts. The only compat surface is the migrations = additive backward-compatible schema (kind default workspace, CHECK NOT VALID-then-validate, IF NOT EXISTS), proper evolution not a shim.

core-devops merged commit f91583efa0 into main 2026-06-08 09:10:29 +00:00

Reference: molecule-ai/molecule-core#2385