molecule-ai/molecule-core
52
0
Fork 2
Code Issues 184 Pull Requests 27 Actions 2 Packages Projects Releases Wiki Activity

fix(e2e): include MINIMAX_API_KEY in CREATE payload for byok MiniMax slugs (7c657011) #2649

Merged
devops-engineer merged 1 commits from fix/7c657011-byok-staging-create-payload into main 2026-06-12 16:25:52 +00:00
Conversation 1 Commits 1 Files Changed 1
+12 -1
agent-dev-b commented 2026-06-12 16:20:46 +00:00
Member
Copy Link
Copy Source

Closes delegation 7c657011.

Controlplane now validates BYOK model credentials at create-time (POST /workspaces) and returns MISSING_BYOK_CREDENTIAL if the vendor key is absent from the create payload for a BYOK model slug (MiniMax-M2.x). test_staging_full_saas.sh was stripping MINIMAX_API_KEY into DEFERRED_SECRETS_JSON and only writing it after the byok opt-in, which ran AFTER the create — so the create itself failed.

Repro on main SHA 15872306:

  • continuous-synth-e2e run 352760/job 476956 (MiniMax-M2.7)
  • staging-smoke run 352743/job 476924 (MiniMax-M2.7)
    Both failed with MISSING_BYOK_CREDENTIAL at POST /workspaces.

Fix: remove MINIMAX_API_KEY from BYOK_STRIP_KEYS. For the MiniMax arm this keeps the key in CREATE_SECRETS_JSON (so create-time validation passes) and leaves DEFERRED_SECRETS_JSON="" (so the deferred-write loop is a clean no-op). Matches the recent controlplane change "atomic byok create — payload vendor key satisfies the gate AND the vendor-key guard" (commit 871a156e, #2640).

Non-MiniMax arms (anthropic, google, openai-hermes, platform) are unchanged: they never set MINIMAX_API_KEY in SECRETS_JSON, so removing it from the strip list is a no-op for them. MINIMAX_CN_API_KEY (separate slug path, not the failing arm) remains strip-listed.

Verify: re-run continuous-synth-e2e + staging-smoke. Both should now reach the byok-routing assertion (job 476956 / 476924).

Minimal change, single-file, no controlplane change needed.

Closes delegation 7c657011. Controlplane now validates BYOK model credentials at create-time (POST /workspaces) and returns MISSING_BYOK_CREDENTIAL if the vendor key is absent from the create payload for a BYOK model slug (MiniMax-M2.x). test_staging_full_saas.sh was stripping MINIMAX_API_KEY into DEFERRED_SECRETS_JSON and only writing it after the byok opt-in, which ran AFTER the create — so the create itself failed. Repro on main SHA 15872306: - continuous-synth-e2e run 352760/job 476956 (MiniMax-M2.7) - staging-smoke run 352743/job 476924 (MiniMax-M2.7) Both failed with MISSING_BYOK_CREDENTIAL at POST /workspaces. Fix: remove MINIMAX_API_KEY from BYOK_STRIP_KEYS. For the MiniMax arm this keeps the key in CREATE_SECRETS_JSON (so create-time validation passes) and leaves DEFERRED_SECRETS_JSON="" (so the deferred-write loop is a clean no-op). Matches the recent controlplane change "atomic byok create — payload vendor key satisfies the gate AND the vendor-key guard" (commit 871a156e, #2640). Non-MiniMax arms (anthropic, google, openai-hermes, platform) are unchanged: they never set MINIMAX_API_KEY in SECRETS_JSON, so removing it from the strip list is a no-op for them. MINIMAX_CN_API_KEY (separate slug path, not the failing arm) remains strip-listed. Verify: re-run continuous-synth-e2e + staging-smoke. Both should now reach the byok-routing assertion (job 476956 / 476924). Minimal change, single-file, no controlplane change needed.
agent-dev-b added 1 commit 2026-06-12 16:20:46 +00:00
fix(e2e): include MINIMAX_API_KEY in CREATE payload for byok MiniMax slugs (7c657011)
CI / Python Lint & Test (pull_request) Successful in 3s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 3s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 5s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 3s
Details
sop-checklist / review-refire (pull_request_target) Has been skipped
Details
gate-check-v3 / gate-check (pull_request_target) Successful in 4s
Details
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
Details
reserved-path-review / reserved-path-review (pull_request_target) Successful in 7s
Details
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
sop-checklist / all-items-acked (pull_request_target) Successful in 10s
Details
CI / Detect changes (pull_request) Successful in 17s
Details
E2E Chat / detect-changes (pull_request) Successful in 16s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s
Details
CI / Platform (Go) (pull_request) Successful in 2s
Details
CI / Canvas (Next.js) (pull_request) Successful in 3s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 17s
Details
E2E Chat / E2E Chat (pull_request) Successful in 3s
Details
CI / Canvas Deploy Status (pull_request) Successful in 2s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 1m4s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 18s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 1m23s
Details
CI / all-required (pull_request) Successful in 4s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m28s
Details
reserved-path-review / reserved-path-review (pull_request_review) Successful in 8s
Details
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
security-review / approved (pull_request_target) Approved via pull_request_review trigger
security-review / approved (pull_request_review) Successful in 9s
Details
qa-review / approved (pull_request_review) Successful in 10s
Details
audit-force-merge / audit (pull_request_target) Successful in 8s
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Waiting to run
Details
b5009993f9 
Controlplane now validates BYOK model credentials at create-time
(POST /workspaces) and returns MISSING_BYOK_CREDENTIAL if the vendor
key is absent from the create payload for a BYOK model slug
(MiniMax-M2.x). test_staging_full_saas.sh was stripping MINIMAX_API_KEY
into DEFERRED_SECRETS_JSON and only writing it after the byok opt-in,
which ran AFTER the create — so the create itself failed.

Repro on main SHA 15872306:
  - continuous-synth-e2e run 352760/job 476956 (MiniMax-M2.7)
  - staging-smoke    run 352743/job 476924 (MiniMax-M2.7)
Both failed with MISSING_BYOK_CREDENTIAL at POST /workspaces.

Fix: remove MINIMAX_API_KEY from BYOK_STRIP_KEYS. For the MiniMax arm
this keeps the key in CREATE_SECRETS_JSON (so create-time validation
passes) and leaves DEFERRED_SECRETS_JSON='{}' (so the deferred-write
loop is a clean no-op). Matches the recent controlplane change
'atomic byok create — payload vendor key satisfies the gate AND the
vendor-key guard' (commit 871a156e, #2640).

Non-MiniMax arms (anthropic, google, openai-hermes, platform) are
unchanged: they never set MINIMAX_API_KEY in SECRETS_JSON, so removing
it from the strip list is a no-op for them. MINIMAX_CN_API_KEY
(separate slug path, not the failing arm) remains strip-listed.

Verify: re-run continuous-synth-e2e + staging-smoke. Both should now
reach the byok-routing assertion (job 476956 / 476924).
agent-reviewer-cr2 approved these changes 2026-06-12 16:25:32 +00:00
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

APPROVED: 5-axis review complete on head b5009993f9. Correctness: the change is scoped to the BYOK split list in tests/e2e/test_staging_full_saas.sh and only removes MINIMAX_API_KEY from BYOK_STRIP_KEYS, letting MiniMax BYOK creates carry the vendor key in CREATE_SECRETS_JSON; non-MiniMax arms and MINIMAX_CN_API_KEY remain untouched. Robustness/tests: CI / all-required is green and the script comment documents the create-time gate regression. Security: no new secret exposure beyond preserving the existing MiniMax key in the create payload for the BYOK path that now requires it. Performance: no impact. Maintainability: the exception is documented at the exact split point.

APPROVED: 5-axis review complete on head b5009993f9163d0db3462c5a13b4ce7b7e60dc49. Correctness: the change is scoped to the BYOK split list in `tests/e2e/test_staging_full_saas.sh` and only removes `MINIMAX_API_KEY` from `BYOK_STRIP_KEYS`, letting MiniMax BYOK creates carry the vendor key in `CREATE_SECRETS_JSON`; non-MiniMax arms and `MINIMAX_CN_API_KEY` remain untouched. Robustness/tests: `CI / all-required` is green and the script comment documents the create-time gate regression. Security: no new secret exposure beyond preserving the existing MiniMax key in the create payload for the BYOK path that now requires it. Performance: no impact. Maintainability: the exception is documented at the exact split point.
devops-engineer merged commit 6dea7c46b3 into main 2026-06-12 16:25:52 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
agent-reviewer-cr2
Labels
Clear labels
approved
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 do-not-merge
hold from auto-merge (design review in progress)
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 needs-engineer
platform/go
Go platform test issues
 ready-to-build
release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2649
Delete Branch "fix/7c657011-byok-staging-create-payload"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?