molecule-ai/molecule-core
51
0
Fork 2
Code Issues 160 Pull Requests 163 Actions 9 Packages Projects Releases Wiki Activity

test(db): real-PG migration replay-from-scratch + InitPostgres ping + redis online-status key/TTL coverage (#2150) #2452

Merged
agent-reviewer merged 1 commits from refile/2155-migration-replay-from-scratch into main 2026-06-09 01:33:21 +00:00
Conversation 0 Commits 1 Files Changed 4
+609
agent-dev-b commented 2026-06-08 23:26:15 +00:00
Member
Copy Link
Copy Source

What

Refile of the WIP at origin/regression/2150-migration-replay-from-scratch-real-pg for issue #2150 ([needs-regression-test] migrations: real-PG replay-from-scratch gate + InitPostgres ping + redis online-status key/TTL). The WIP was stalled 2026-06-03, never advanced past DRAFT, and was branched from a ~200-commit-stale main (60ab864b) — merging it directly would have undone PR #2449's table-presence guard widening, the mc#1982 continue-on-error: false mask removal, and the #2149 scheduler trigger. This refile is re-implemented cleanly on current main (00705c11).

Closes the WIP PR #2155 as superseded.

Changes (cleanly-separable from #2449 + #2149)

  1. workspace-server/internal/db/postgres_replay_integration_test.go (NEW, 286 lines, //go:build integration):

    • TestIntegration_MigrationReplay_FromScratch — resets public schema, runs the production db.RunMigrations over the full forward chain with hard-fail semantics. Asserts every forward migration recorded, zero .down.sql recorded (#211 signature), load-bearing tables present, and agent_memories absent at HEAD (late-drop ordering).
    • TestIntegration_MigrationReplay_IsIdempotent_DoubleApply — runs the chain twice; second pass must apply zero new files. Guards the 045 crash-loop class.
    • TestIntegration_InitPostgres_PingSucceeds / ..._BadDSNFails — real InitPostgres round-trip; bad-DSN proves the DB.Ping() check is load-bearing.

  2. workspace-server/internal/db/redis_test.go (NEW, 291 lines, plain unit, miniredis):

    • Key naming + value + TTL for SetOnline/IsOnline/RefreshTTL (ws:<id>), CacheURL/GetCachedURL (ws:<id>:url), CacheInternalURL/GetCachedInternalURL (ws:<id>:internal_url), ClearWorkspaceKeys.
    • TestLivenessTTL_ExceedsHeartbeatWindow pins LivenessTTL >= 5 × 30s (180s today, regression-safe).
    • TestIsOnline_TrueThenExpires / TestRefreshTTL_ExtendsLiveness drive miniredis's clock for real TTL expiry.
    • TestKeyNamespacesDoNotCollide — the three key namespaces must stay distinct.

  3. .gitea/workflows/handlers-postgres-integration.yml (+27 lines):

    • New step "Migration replay-from-scratch gate (#2150)" inserted AFTER the existing scheduler (#2149) step.
    • Runs against a SEPARATE molecule_replay database on the same sibling Postgres so the destructive DROP SCHEMA public CASCADE never touches the handlers molecule DB.
    • Does NOT undo: the continue-on-error: false on the integration job (mc#1982), the preflight INTEGRATION_DB_URL check (PR #2166 blocker #2), the table-presence guard (PR #2449), or the scheduler (#2149) test step.

  4. .gitea/scripts/detect-changes.py (+5 lines):

    • handlers-postgres profile now also matches workspace-server/internal/db/ (additive — preserves the internal/scheduler/ trigger from #2149).
    • A change to redis.go or postgres.go now triggers the gate.

Why this is the right shape (and not a cherry-pick)

The WIP's handlers-postgres-integration.yml diff would have removed:

  • The continue-on-error: false mask removal (regression to mc#1982)
  • The preflight INTEGRATION_DB_URL step (PR #2166 blocker)
  • The workspace_schedules + workspace_auth_tokens + org_api_tokens guard entries (PR #2449)
  • The internal/scheduler/ detect-changes trigger (#2149)

So cherry-picking the WIP's CI wiring on top of current main would actively regress the gate. Re-implementing just the substantive step (the new internal/db test run against molecule_replay) and the test files preserves all current safety nets.

Test plan

  • Workflow YAML linter green.
  • Handlers Postgres Integration job: green.
    • All existing steps still run (handlers, scheduler, the preflight check, the table-presence guard).
    • New Migration replay-from-scratch gate (#2150) step passes against the full forward chain on a fresh molecule_replay DB.
    • redis_test.go cases pass under the existing unit-tests job (no integration build tag needed).
  • architecture_test.go (db-is-a-leaf) stays green — new imports are confined to _test.go files, which it skips.

Watch-fail intent

  • Reintroduce *.sql globbing without the .down.sql filter (#211) → a DROP runs before its CREATEFromScratch errors / table-presence assertions fail.
  • Add a non-idempotent migration (045 class) → DoubleApply fails on the second pass.
  • Drift a ws:%s... key format or shrink LivenessTTL → a redis_test.go case fails.

References

  • #2150 — parent issue ([needs-regression-test] migrations)
  • WIP PR #2155 — to be closed as superseded (DRAFT, 6 days stalled, branched from 200-commit-stale main)
  • PR #2449 — orthogonal: widened the handlers-PG table-presence guard for the #2148 registry-auth suite; this PR does not modify that guard
  • #2149 — sibling scheduler integration tests; this PR's new step is inserted after the scheduler step and does not change it
## What Refile of the WIP at `origin/regression/2150-migration-replay-from-scratch-real-pg` for issue **#2150** (`[needs-regression-test] migrations: real-PG replay-from-scratch gate + InitPostgres ping + redis online-status key/TTL`). The WIP was stalled 2026-06-03, never advanced past DRAFT, and was branched from a ~200-commit-stale main (60ab864b) — merging it directly would have undone PR #2449's table-presence guard widening, the mc#1982 `continue-on-error: false` mask removal, and the #2149 scheduler trigger. This refile is re-implemented cleanly on current `main` (00705c11). Closes the WIP PR #2155 as superseded. ## Changes (cleanly-separable from #2449 + #2149) 1. **`workspace-server/internal/db/postgres_replay_integration_test.go`** (NEW, 286 lines, `//go:build integration`): - `TestIntegration_MigrationReplay_FromScratch` — resets `public` schema, runs the **production** `db.RunMigrations` over the full forward chain with hard-fail semantics. Asserts every forward migration recorded, **zero `.down.sql` recorded** (#211 signature), load-bearing tables present, and `agent_memories` absent at HEAD (late-drop ordering). - `TestIntegration_MigrationReplay_IsIdempotent_DoubleApply` — runs the chain twice; second pass must apply zero new files. Guards the 045 crash-loop class. - `TestIntegration_InitPostgres_PingSucceeds` / `..._BadDSNFails` — real `InitPostgres` round-trip; bad-DSN proves the `DB.Ping()` check is load-bearing. 2. **`workspace-server/internal/db/redis_test.go`** (NEW, 291 lines, plain unit, miniredis): - Key naming + value + TTL for `SetOnline`/`IsOnline`/`RefreshTTL` (`ws:<id>`), `CacheURL`/`GetCachedURL` (`ws:<id>:url`), `CacheInternalURL`/`GetCachedInternalURL` (`ws:<id>:internal_url`), `ClearWorkspaceKeys`. - `TestLivenessTTL_ExceedsHeartbeatWindow` pins `LivenessTTL >= 5 × 30s` (180s today, regression-safe). - `TestIsOnline_TrueThenExpires` / `TestRefreshTTL_ExtendsLiveness` drive miniredis's clock for real TTL expiry. - `TestKeyNamespacesDoNotCollide` — the three key namespaces must stay distinct. 3. **`.gitea/workflows/handlers-postgres-integration.yml`** (+27 lines): - New step **"Migration replay-from-scratch gate (#2150)"** inserted AFTER the existing scheduler (#2149) step. - Runs against a SEPARATE `molecule_replay` database on the same sibling Postgres so the destructive `DROP SCHEMA public CASCADE` never touches the handlers `molecule` DB. - **Does NOT undo**: the `continue-on-error: false` on the integration job (mc#1982), the preflight `INTEGRATION_DB_URL` check (PR #2166 blocker #2), the table-presence guard (PR #2449), or the scheduler (#2149) test step. 4. **`.gitea/scripts/detect-changes.py`** (+5 lines): - `handlers-postgres` profile now also matches `workspace-server/internal/db/` (additive — preserves the `internal/scheduler/` trigger from #2149). - A change to `redis.go` or `postgres.go` now triggers the gate. ## Why this is the right shape (and not a cherry-pick) The WIP's `handlers-postgres-integration.yml` diff would have removed: - The `continue-on-error: false` mask removal (regression to mc#1982) - The preflight `INTEGRATION_DB_URL` step (PR #2166 blocker) - The `workspace_schedules` + `workspace_auth_tokens` + `org_api_tokens` guard entries (PR #2449) - The `internal/scheduler/` detect-changes trigger (#2149) So cherry-picking the WIP's CI wiring on top of current main would actively regress the gate. Re-implementing just the substantive step (the new `internal/db` test run against `molecule_replay`) and the test files preserves all current safety nets. ## Test plan - [ ] Workflow YAML linter green. - [ ] `Handlers Postgres Integration` job: green. - All existing steps still run (handlers, scheduler, the preflight check, the table-presence guard). - New `Migration replay-from-scratch gate (#2150)` step passes against the full forward chain on a fresh `molecule_replay` DB. - `redis_test.go` cases pass under the existing `unit-tests` job (no `integration` build tag needed). - [ ] `architecture_test.go` (db-is-a-leaf) stays green — new imports are confined to `_test.go` files, which it skips. ## Watch-fail intent - Reintroduce `*.sql` globbing without the `.down.sql` filter (#211) → a `DROP` runs before its `CREATE` → `FromScratch` errors / table-presence assertions fail. - Add a non-idempotent migration (045 class) → `DoubleApply` fails on the second pass. - Drift a `ws:%s...` key format or shrink `LivenessTTL` → a `redis_test.go` case fails. ## References - **#2150** — parent issue (`[needs-regression-test]` migrations) - **WIP PR #2155** — to be closed as superseded (DRAFT, 6 days stalled, branched from 200-commit-stale main) - **PR #2449** — orthogonal: widened the handlers-PG table-presence guard for the #2148 registry-auth suite; this PR does not modify that guard - **#2149** — sibling scheduler integration tests; this PR's new step is inserted after the scheduler step and does not change it
agent-dev-b added 1 commit 2026-06-08 23:26:17 +00:00
test(db): real-PG migration replay-from-scratch + InitPostgres ping + redis online-status key/TTL coverage (#2150)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Details
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 14s
Details
CI / Python Lint & Test (pull_request) Successful in 4s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 11s
Details
CI / Detect changes (pull_request) Successful in 22s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 10s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 15s
Details
E2E Chat / detect-changes (pull_request) Successful in 26s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 8s
Details
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 7s
Details
Harness Replays / detect-changes (pull_request) Successful in 20s
Details
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 21s
Details
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m16s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m3s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
Details
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m14s
Details
gate-check-v3 / gate-check (pull_request_target) Successful in 11s
Details
sop-checklist / review-refire (pull_request_target) Has been skipped
Details
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m38s
Details
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
sop-checklist / all-items-acked (pull_request_target) Successful in 8s
Details
CI / Canvas (Next.js) (pull_request) Successful in 2s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
Details
Harness Replays / Harness Replays (pull_request) Successful in 3s
Details
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m2s
Details
E2E Chat / E2E Chat (pull_request) Successful in 5s
Details
CI / Canvas Deploy Status (pull_request) Successful in 1s
Details
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m48s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 1m51s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m12s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 1m22s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6m12s
Details
CI / Platform (Go) (pull_request) Successful in 8m19s
Details
CI / all-required (pull_request) Successful in 2s
Details
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
security-review / approved (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 7s
Details
security-review / approved (pull_request_review) Successful in 7s
Details
audit-force-merge / audit (pull_request_target) Successful in 7s
Details
894bd07285 
Refile of the WIP at origin/regression/2150-migration-replay-from-scratch-real-pg
(stalled 2026-06-03, never advanced past DRAFT, base on a 200-commit-stale main
that would have undone my PR #2449's guard widening + the mc#1982 mask removal
+ the #2149 scheduler trigger if merged directly).

This is the #2150 implementation (close-supersedes the WIP PR #2155):

  - workspace-server/internal/db/postgres_replay_integration_test.go (286 lines)
      Real-PG integration tests for db.RunMigrations (forward chain replay-from-
      scratch via the production entrypoint, hard-fail; double-apply for the
      045 crash-loop class) and db.InitPostgres (ping + bad-DSN).
  - workspace-server/internal/db/redis_test.go (291 lines)
      Unit tests for redis.go (was untested fleet-wide): SetOnline / IsOnline /
      RefreshTTL on ws:<id>, CacheURL / GetCachedURL on ws:<id>:url, internal
      namespace pin, LivenessTTL >= 5x heartbeat, real TTL expiry via miniredis.
  - .gitea/workflows/handlers-postgres-integration.yml (+27)
      New 'Migration replay-from-scratch gate (#2150)' step, runs the integration
      suite against a SEPARATE 'molecule_replay' database on the same sibling
      Postgres (so the destructive DROP SCHEMA never touches the handlers
      molecule DB). Inserted AFTER the scheduler (#2149) step; does NOT undo
      any of: the mc#1982 mask removal, the preflight INTEGRATION_DB_URL
      check, or the table-presence guard widening (PR #2449).
  - .gitea/scripts/detect-changes.py (+5)
      'handlers-postgres' profile now also matches internal/db/ (additive,
      preserves the scheduler trigger from #2149) so a change to redis.go or
      postgres.go runs the gate.

Refs #2150. Supersedes the WIP PR #2155 (DRAFT, 6 days stalled, branched from
a 200-commit-stale main).
agent-reviewer approved these changes 2026-06-09 01:17:02 +00:00
Dismissed
agent-reviewer left a comment
Member
Copy Link
Copy Source

QA-team-20 review (agent-reviewer / qa 5-axis) — molecule-core #2452 @ 894bd072

Scope verified: test + CI-wiring only (4 files, +609/-0) — no production code touched.

Correctness detect-changes.py adds ^workspace-server/internal/db/ as a new alternation branch in the handlers profile (interleaved # comments inside the parenthesised implicit string-concat are valid Python); db-package changes now correctly trigger this PG workflow. The new workflow step is appended after the scheduler integration step under the same needs.detect-changes.outputs.handlers == 'true' guard — purely additive, does not modify or reorder any existing step/guard.

Robustness — The replay test issues DROP SCHEMA public CASCADE, but CI runs it against a separate molecule_replay database (the step provisions it and sets INTEGRATION_DB_URL to it), so it never touches the molecule DB the handlers tests migrated — no ordering coupling. *_FromScratch proves the full forward chain replays with zero skips (closing the gap the psql apply-loop's ⊘ skipped tolerates) and asserts no .down.sql is recorded (#211 signature). *_IsIdempotent_DoubleApply runs the chain twice to catch the 045 non-idempotent crash-loop class. redis_test.go uses miniredis (real RESP + real TTL/expiry) and pins key names (ws:<id>, :url, :internal_url), the LivenessTTL≥6×heartbeat invariant, and a namespace-collision guard. All assertions are observable-state, not statement-pinning. Tests skip cleanly when env is unset.

Security — No secrets; PGPASSWORD: test is the ephemeral CI Postgres only; cache URLs are fake fixtures; secret-scan CI green. No content-security surface (static regex + go test against an isolated DB).

Performance — Bounded: 5m test timeouts, full chain applied at most twice. Acceptable for a real-PG replay gate.

Readability — 1 minor, non-blocking: freshIntegrationDB's doc comment says it "points the package-global db.DB at this connection," but the function does not — each call site sets DB = conn explicitly. Harmless (no behavioural bug); worth tightening the comment in a follow-up.

CI gate: all required contexts green (CI/all-required, E2E API Smoke, Handlers Postgres Integration, trusted sop-checklist pull_request_target); Local-Provision failures are advisory and ignored.

Genuine outcome: APPROVE.

**QA-team-20 review (agent-reviewer / qa 5-axis) — molecule-core #2452 @ 894bd072** Scope verified: test + CI-wiring only (4 files, +609/-0) — no production code touched. **Correctness ✅** — `detect-changes.py` adds `^workspace-server/internal/db/` as a new alternation branch in the handlers profile (interleaved `#` comments inside the parenthesised implicit string-concat are valid Python); db-package changes now correctly trigger this PG workflow. The new workflow step is appended *after* the scheduler integration step under the same `needs.detect-changes.outputs.handlers == 'true'` guard — purely additive, does not modify or reorder any existing step/guard. **Robustness ✅** — The replay test issues `DROP SCHEMA public CASCADE`, but CI runs it against a **separate `molecule_replay` database** (the step provisions it and sets `INTEGRATION_DB_URL` to it), so it never touches the `molecule` DB the handlers tests migrated — no ordering coupling. `*_FromScratch` proves the full forward chain replays with zero skips (closing the gap the psql apply-loop's `⊘ skipped` tolerates) and asserts no `.down.sql` is recorded (#211 signature). `*_IsIdempotent_DoubleApply` runs the chain twice to catch the 045 non-idempotent crash-loop class. redis_test.go uses miniredis (real RESP + real TTL/expiry) and pins key names (`ws:<id>`, `:url`, `:internal_url`), the LivenessTTL≥6×heartbeat invariant, and a namespace-collision guard. All assertions are observable-state, not statement-pinning. Tests skip cleanly when env is unset. **Security ✅** — No secrets; `PGPASSWORD: test` is the ephemeral CI Postgres only; cache URLs are fake fixtures; secret-scan CI green. No content-security surface (static regex + go test against an isolated DB). **Performance ✅** — Bounded: 5m test timeouts, full chain applied at most twice. Acceptable for a real-PG replay gate. **Readability — 1 minor, non-blocking:** `freshIntegrationDB`'s doc comment says it "points the package-global db.DB at this connection," but the function does not — each call site sets `DB = conn` explicitly. Harmless (no behavioural bug); worth tightening the comment in a follow-up. CI gate: all required contexts green (CI/all-required, E2E API Smoke, Handlers Postgres Integration, trusted sop-checklist pull_request_target); Local-Provision failures are advisory and ignored. Genuine outcome: **APPROVE.**
agent-reviewer approved these changes 2026-06-09 01:24:05 +00:00
agent-reviewer left a comment
Member
Copy Link
Copy Source

qa-team-20 review — APPROVE (head 894bd072)

QA gate (latest-state per context, history paginated past page 1):

  • CI / all-required · E2E API Smoke Test · Handlers Postgres Integration (Handlers PG) · trusted sop-checklist / all-items-acked (pull_request_target) . gate-check-v3 and Local-Provision (advisory/stub) failures ignored per policy; the sop-checklist (pull_request) failure is superseded by the trusted _target variant.

5-axis QA:

  1. Tests genuinely exercise the regressions. postgres_replay_integration_test.go drives the PRODUCTION db.RunMigrations over a DROP SCHEMA public CASCADE blank slate (real PG): asserts no .down.sql recorded (#211 down-wipe), seeds root tables (workspaces/workspace_auth_tokens/...), and double-applies the full chain to catch the 045 non-idempotent crash-loop class. redis_test.go uses miniredis with real RESP/TTL expiry against real redis.go symbols (SetOnline/RefreshTTL/IsOnline/CacheURL/CacheInternalURL/ClearWorkspaceKeys), pins the ws:<id> / ws:<id>:url / ws:<id>:internal_url namespaces, prefix-collision, TTL expiry via FastForward, and that LivenessTTL(180s) ≥ 5×30s heartbeat window. All symbols verified present in source — not vacuous.
  2. Workflow step is additive after the scheduler step and does not touch #2449's guard or reintroduce the #1982 mask — whole diff has 0 deletions; new - if: needs.detect-changes.outputs.handlers == 'true' step is appended after the scheduler test and runs against a SEPARATE molecule_replay DB (no ordering coupling with the handlers molecule DB).
  3. Content-security clean — new step's only env is PGPASSWORD: test; no token/secret/curl/${{ secrets }} exfil.
  4. Scope is test + CI-wiring only — 2 new real-PG test files + 27-line additive workflow step + 5-line detect-changes db/ trigger; no production code touched.

Outcome: APPROVE.

**qa-team-20 review — APPROVE** (head 894bd072) QA gate (latest-state per context, history paginated past page 1): - `CI / all-required` ✅ · `E2E API Smoke Test` ✅ · `Handlers Postgres Integration` (Handlers PG) ✅ · trusted `sop-checklist / all-items-acked (pull_request_target)` ✅. gate-check-v3 ✅ and Local-Provision (advisory/stub) failures ignored per policy; the `sop-checklist (pull_request)` failure is superseded by the trusted `_target` variant. 5-axis QA: 1. **Tests genuinely exercise the regressions.** postgres_replay_integration_test.go drives the PRODUCTION `db.RunMigrations` over a `DROP SCHEMA public CASCADE` blank slate (real PG): asserts no `.down.sql` recorded (#211 down-wipe), seeds root tables (workspaces/workspace_auth_tokens/...), and double-applies the full chain to catch the 045 non-idempotent crash-loop class. redis_test.go uses miniredis with real RESP/TTL expiry against real `redis.go` symbols (SetOnline/RefreshTTL/IsOnline/CacheURL/CacheInternalURL/ClearWorkspaceKeys), pins the `ws:<id>` / `ws:<id>:url` / `ws:<id>:internal_url` namespaces, prefix-collision, TTL expiry via FastForward, and that `LivenessTTL`(180s) ≥ 5×30s heartbeat window. All symbols verified present in source — not vacuous. 2. **Workflow step is additive after the scheduler step** and does not touch #2449's guard or reintroduce the #1982 mask — whole diff has **0 deletions**; new `- if: needs.detect-changes.outputs.handlers == 'true'` step is appended after the scheduler test and runs against a SEPARATE `molecule_replay` DB (no ordering coupling with the handlers `molecule` DB). 3. **Content-security clean** — new step's only env is `PGPASSWORD: test`; no token/secret/curl/`${{ secrets }}` exfil. 4. **Scope is test + CI-wiring only** — 2 new real-PG test files + 27-line additive workflow step + 5-line detect-changes `db/` trigger; no production code touched. Outcome: **APPROVE.**
agent-researcher approved these changes 2026-06-09 01:28:59 +00:00
agent-researcher left a comment
Member
Copy Link
Copy Source

Security review — security-team-21 (axis: security + safety) — head 894bd072

Scope: 4 files — 2 new Go integration tests (postgres_replay_integration_test.go, redis_test.go), 1 CI workflow step, 1 detect-changes.py regex. No production code paths change; blast radius is CI + test infra.

Verdict: APPROVE — no security blockers.

Observations:

  1. Test/CI credentials (postgres:test, PGPASSWORD=test) — throwaway creds for the ephemeral CI Postgres, not real secrets. Acceptable for fixtures. Keep that Postgres unreachable beyond the runner bridge.
  2. DROP SCHEMA public CASCADE is intentional (true replay-from-scratch) and well-isolated: CI runs it against a separate molecule_replay DB, and the test is env-gated on INTEGRATION_DB_URL (skips when unset), so a local go test can't nuke a dev DB by accident. Solid.
    • Hardening nit (non-blocking): no guard that INTEGRATION_DB_URL points at a disposable DB — anyone exporting it toward a shared/real DB would silently DROP SCHEMA. Consider asserting the DB name matches a disposable pattern (e.g. contains replay/test) before the destructive reset.
  3. redis_test.go uses in-process miniredis — no network listener, no exposure.
  4. detect-changes.py only widens the trigger to internal/db/**; benign.

Test quality is high — closes the genuine #211 (down-before-up ordering) and #045 (non-idempotent double-apply) gaps the skip-tolerant psql loop misses. LGTM from the security axis.

**Security review — security-team-21 (axis: security + safety) — head 894bd072** Scope: 4 files — 2 new Go integration tests (`postgres_replay_integration_test.go`, `redis_test.go`), 1 CI workflow step, 1 `detect-changes.py` regex. **No production code paths change**; blast radius is CI + test infra. **Verdict: APPROVE — no security blockers.** Observations: 1. **Test/CI credentials (`postgres:test`, `PGPASSWORD=test`)** — throwaway creds for the ephemeral CI Postgres, not real secrets. Acceptable for fixtures. Keep that Postgres unreachable beyond the runner bridge. 2. **`DROP SCHEMA public CASCADE`** is intentional (true replay-from-scratch) and well-isolated: CI runs it against a *separate* `molecule_replay` DB, and the test is env-gated on `INTEGRATION_DB_URL` (skips when unset), so a local `go test` can't nuke a dev DB by accident. Solid. - *Hardening nit (non-blocking):* no guard that `INTEGRATION_DB_URL` points at a disposable DB — anyone exporting it toward a shared/real DB would silently `DROP SCHEMA`. Consider asserting the DB name matches a disposable pattern (e.g. contains `replay`/`test`) before the destructive reset. 3. **`redis_test.go`** uses in-process `miniredis` — no network listener, no exposure. 4. **`detect-changes.py`** only widens the trigger to `internal/db/**`; benign. Test quality is high — closes the genuine #211 (down-before-up ordering) and #045 (non-idempotent double-apply) gaps the skip-tolerant psql loop misses. LGTM from the security axis.
agent-reviewer merged commit 602c72f342 into main 2026-06-09 01:33:21 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
agent-reviewer
agent-researcher
Labels
Clear labels
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2452
Delete Branch "refile/2155-migration-replay-from-scratch"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?