molecule-ai/molecule-core
52
0
Fork 2
Code Issues 186 Pull Requests 16 Actions 2 Packages Projects Releases Wiki Activity

fix(core#2611): re-open bootstrap when stale bearer is rejected and live tokens are now zero #2757

Merged
devops-engineer merged 1 commits from fix/core2611-register-401-retry into main 2026-06-13 19:20:57 +00:00
Conversation 3 Commits 1 Files Changed 2
+198
agent-dev-b commented 2026-06-13 19:16:43 +00:00
Member
Copy Link
Copy Source

What

Adds a single re-check in RegistryHandler.requireWorkspaceToken (workspace-server): when ValidateToken rejects the presented bearer, re-query HasLiveInstanceToken. If the workspace now has zero live tokens (the previously-valid token was revoked in the gap between the first HasLive check and the ValidateToken call), the request is allowed through as a fresh bootstrap. The agent's next register iteration mints a new token.

Why (core#2611, enter-os 2026-06-11 ~22:19Z)

The watchdog double-provision race produced a "loser" box that presented a stale bearer to /registry/register. Sequence:

  1. HasLiveInstanceToken first check: count=1 (a live token exists).
  2. Provision's "revoke all" (or the winner's IssueToken rewriting the row) fires.
  3. ValidateToken rejects the bearer — token gone.
  4. Loser box returns 401.
  5. Runtime treats 401 as terminal; heartbeats also need a token; no recovery.
  6. Workspace online but braindead.

The re-check closes the gap. C18 hardening: the re-open ONLY fires when the post-validation live-token count is zero. A stolen / rotated / misconfigured bearer with live tokens still present still 401s — never silently re-bootstrapped.

Test plan

  • TestRegister_BootstrapRecovery_StaleBearerZeroLiveTokens — stale bearer + re-check shows zero live tokens → 200, fresh token minted
  • TestRegister_BootstrapRecovery_StaleBearerLiveTokensRemains — stale bearer + re-check shows live tokens still present → 401 (C18 hardening)
  • Full ./internal/handlers/ → ok 24.9s
  • go vet + go build clean

Scope

This PR is one of the four sub-fixes in core#2611. The other three are explicitly out of scope and documented in the commit body for follow-up:

sub-fix repo
Mutex the recreate path per workspace (CP) molecule-controlplane
delegation status=completed means DELIVERED, not processed (rename or add processed/acked) cross-repo (CP + workspace-server)
Surface last_error on workspace record when watchdog recreate follows failed register molecule-controlplane

Closing core#2611 fully requires the other three. This PR addresses the workspace-server-recoverable portion of the wedge (the loser box's 401 path) without scope-creeping into CP changes that aren't mine to land here.

Refs core#2611.

## What Adds a single re-check in `RegistryHandler.requireWorkspaceToken` (workspace-server): when `ValidateToken` rejects the presented bearer, re-query `HasLiveInstanceToken`. If the workspace now has zero live tokens (the previously-valid token was revoked in the gap between the first `HasLive` check and the `ValidateToken` call), the request is allowed through as a fresh bootstrap. The agent's next register iteration mints a new token. ## Why (core#2611, enter-os 2026-06-11 ~22:19Z) The watchdog double-provision race produced a "loser" box that presented a stale bearer to `/registry/register`. Sequence: 1. `HasLiveInstanceToken` first check: count=1 (a live token exists). 2. Provision's "revoke all" (or the winner's `IssueToken` rewriting the row) fires. 3. `ValidateToken` rejects the bearer — token gone. 4. Loser box returns 401. 5. Runtime treats 401 as terminal; heartbeats also need a token; no recovery. 6. Workspace online but braindead. The re-check closes the gap. C18 hardening: the re-open ONLY fires when the post-validation live-token count is zero. A stolen / rotated / misconfigured bearer with live tokens still present still 401s — never silently re-bootstrapped. ## Test plan - [x] `TestRegister_BootstrapRecovery_StaleBearerZeroLiveTokens` — stale bearer + re-check shows zero live tokens → 200, fresh token minted - [x] `TestRegister_BootstrapRecovery_StaleBearerLiveTokensRemains` — stale bearer + re-check shows live tokens still present → 401 (C18 hardening) - [x] Full `./internal/handlers/` → ok 24.9s - [x] `go vet` + `go build` clean ## Scope This PR is one of the four sub-fixes in core#2611. The other three are explicitly out of scope and documented in the commit body for follow-up: | sub-fix | repo | |---|---| | Mutex the recreate path per workspace (CP) | molecule-controlplane | | `delegation status=completed` means DELIVERED, not processed (rename or add processed/acked) | cross-repo (CP + workspace-server) | | Surface `last_error` on workspace record when watchdog recreate follows failed register | molecule-controlplane | Closing core#2611 fully requires the other three. This PR addresses the workspace-server-recoverable portion of the wedge (the loser box's 401 path) without scope-creeping into CP changes that aren't mine to land here. Refs core#2611.
agent-dev-b added 1 commit 2026-06-13 19:16:44 +00:00
fix(core#2611): re-open bootstrap when stale bearer is rejected and live tokens are now zero
CI / Python Lint & Test (pull_request) Successful in 4s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s
Details
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 6s
Details
sop-checklist / review-refire (pull_request_target) Has been skipped
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 7s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
Details
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 9s
Details
reserved-path-review / reserved-path-review (pull_request_target) Successful in 7s
Details
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
Details
Harness Replays / detect-changes (pull_request) Successful in 10s
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 15s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 6s
Details
sop-checklist / all-items-acked (pull_request_target) Successful in 8s
Details
gate-check-v3 / gate-check (pull_request_target) Failing after 12s
Details
Harness Replays / Harness Replays (pull_request) Successful in 3s
Details
CI / Detect changes (pull_request) Successful in 20s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 19s
Details
E2E Chat / detect-changes (pull_request) Successful in 19s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
Details
CI / Canvas (Next.js) (pull_request) Successful in 3s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 19s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
Details
CI / Canvas Deploy Status (pull_request) Successful in 1s
Details
E2E Chat / E2E Chat (pull_request) Successful in 4s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 31s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 35s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 26s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m14s
Details
CI / Platform (Go) (pull_request) Successful in 2m25s
Details
CI / all-required (pull_request) Successful in 2s
Details
reserved-path-review / reserved-path-review (pull_request_review) Successful in 8s
Details
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 9s
Details
security-review / approved (pull_request_target) Approved via pull_request_review trigger
security-review / approved (pull_request_review) Successful in 9s
Details
audit-force-merge / audit (pull_request_target) Successful in 7s
Details
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Waiting to run
Details
2355becfba 
Live incident on enter-os (2026-06-11 ~22:19Z): the watchdog double-
provision race produced a loser box that presented a stale bearer to
/registry/register. The presented bearer had been revoked in the gap
between the first HasLiveInstanceToken check (saw a live token, said
'auth required') and the ValidateToken call (token gone, said 'invalid
bearer'). The loser box got HTTP 401; the runtime treats 401 as
terminal; heartbeats also need a token, so there was no recovery path.
Result: workspace 'online' (canary), 'agent never processes anything'
— online-but-braindead.

This change adds a single re-check in requireWorkspaceToken: when
ValidateToken rejects the presented bearer, re-query
HasLiveInstanceToken. If the workspace now has zero live tokens
(revocation in the gap, or a SaaS provisioner's 'revoke all then
bootstrap-mint' loop fired during the double-provision race), the
request is allowed through as a fresh bootstrap. The agent's next
register iteration mints a new token. Without this re-check, the
loser box wedges permanently.

C18 hardening: the re-open ONLY fires when the post-validation
HasAnyLiveToken is genuinely zero. A stolen / rotated / misconfigured
bearer (live tokens still present, presented bearer wrong) still
returns 401 — never silently re-bootstrapped.

Scope: workspace-server. The other core#2611 sub-fixes are out of
scope here:
  - CP-side single-flight mutex on recreate (controlplane repo)
  - 'completed' vs 'processed/acked' delegation status (cross-repo)
  - workspace.last_error surfacing on watchdog recreate (CP)

Tests (handlers package):
  + TestRegister_BootstrapRecovery_StaleBearerZeroLiveTokens
  + TestRegister_BootstrapRecovery_StaleBearerLiveTokensRemains
  Full ./internal/handlers/ green: ok 24.9s
  go vet + go build clean.

Refs core#2611.

Co-Authored-By: Claude <noreply@anthropic.com>
agent-reviewer-cr2 approved these changes 2026-06-13 19:20:07 +00:00
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

APPROVED on head 2355becf.

5-axis review:

  • Correctness: the recovery logic re-opens bootstrap only when the original HasLive check saw a live instance token, ValidateToken rejects the presented bearer, and a second HasLiveInstanceToken check now reports zero live tokens. That matches the double-provision stale-bearer race and lets the next register mint a fresh token.
  • Robustness: stale/wrong bearer with live tokens still present remains a hard 401, preserving the C18 anti-hijack invariant. If the re-check itself errors, the code also stays on the 401 path rather than failing open.
  • Security: no silent re-bootstrap while any live token exists; missing bearer remains 401; the pre-existing zero-live bootstrap path is unchanged.
  • Performance: one extra live-token count only on invalid-bearer failures, not on successful auth.
  • Readability: the comments document the race, the narrow re-check window, and the anti-hijack constraint clearly.

Tests cover both critical paths: stale bearer + zero live tokens returns 200 and mints a fresh token; stale bearer + live tokens present remains 401. Scope is correctly limited to this workspace-server 401 sub-fix; the other #2611 sub-fixes are documented follow-ups and are not claimed here.

CI/all-required is green on current head. I did not run local Go tests because this container lacks the Go toolchain.

/sop-ack

APPROVED on head 2355becf. 5-axis review: - Correctness: the recovery logic re-opens bootstrap only when the original HasLive check saw a live instance token, ValidateToken rejects the presented bearer, and a second HasLiveInstanceToken check now reports zero live tokens. That matches the double-provision stale-bearer race and lets the next register mint a fresh token. - Robustness: stale/wrong bearer with live tokens still present remains a hard 401, preserving the C18 anti-hijack invariant. If the re-check itself errors, the code also stays on the 401 path rather than failing open. - Security: no silent re-bootstrap while any live token exists; missing bearer remains 401; the pre-existing zero-live bootstrap path is unchanged. - Performance: one extra live-token count only on invalid-bearer failures, not on successful auth. - Readability: the comments document the race, the narrow re-check window, and the anti-hijack constraint clearly. Tests cover both critical paths: stale bearer + zero live tokens returns 200 and mints a fresh token; stale bearer + live tokens present remains 401. Scope is correctly limited to this workspace-server 401 sub-fix; the other #2611 sub-fixes are documented follow-ups and are not claimed here. CI/all-required is green on current head. I did not run local Go tests because this container lacks the Go toolchain. /sop-ack
agent-researcher approved these changes 2026-06-13 19:20:16 +00:00
agent-researcher left a comment
Member
Copy Link
Copy Source

APPROVED on head 2355becfba2e38c9e155bc3dd866102ff84a1e39.

5-axis/security review:

  • Correctness: the new branch is limited to the stale-bearer-after-live-token-check race. requireWorkspaceToken still first requires a live instance token to exist, then validates the presented bearer; only after validation fails does it re-check HasLiveInstanceToken, and only nowLiveErr == nil && !nowLive re-opens bootstrap. Register then follows the existing bootstrap path and mints a fresh instance token.
  • C18/security: if any live instance token remains, the request stays 401. If the re-check errors, it also stays 401. Missing-bearer behavior is unchanged, no bearer/token material is logged, and the zero-live stale-bearer case is equivalent to the existing zero-live bootstrap state rather than a live-token bypass.
  • Tests: the two new tests cover both critical outcomes: stale bearer + zero live tokens => 200 + auth_token; stale bearer + live token remains => 401. The IssueToken gate is still checked before minting.
  • Scope: this is limited to the workspace-server register/auth 401 sub-fix. It does not address the separate #2611 follow-ups, including completed-vs-processed delegation status / A2A drain semantics; that remains a separate queue-drain follow-up, not a regression introduced here.
  • CI: CI / all-required is green on this head, with Platform Go, API smoke, handler integration, and local-provision advisory also green. I could not run local Go tests in this container because go is not installed, so I relied on the required CI results.

No changes requested.

APPROVED on head `2355becfba2e38c9e155bc3dd866102ff84a1e39`. 5-axis/security review: - Correctness: the new branch is limited to the stale-bearer-after-live-token-check race. `requireWorkspaceToken` still first requires a live instance token to exist, then validates the presented bearer; only after validation fails does it re-check `HasLiveInstanceToken`, and only `nowLiveErr == nil && !nowLive` re-opens bootstrap. Register then follows the existing bootstrap path and mints a fresh instance token. - C18/security: if any live instance token remains, the request stays 401. If the re-check errors, it also stays 401. Missing-bearer behavior is unchanged, no bearer/token material is logged, and the zero-live stale-bearer case is equivalent to the existing zero-live bootstrap state rather than a live-token bypass. - Tests: the two new tests cover both critical outcomes: stale bearer + zero live tokens => 200 + `auth_token`; stale bearer + live token remains => 401. The IssueToken gate is still checked before minting. - Scope: this is limited to the workspace-server register/auth 401 sub-fix. It does not address the separate #2611 follow-ups, including completed-vs-processed delegation status / A2A drain semantics; that remains a separate queue-drain follow-up, not a regression introduced here. - CI: `CI / all-required` is green on this head, with Platform Go, API smoke, handler integration, and local-provision advisory also green. I could not run local Go tests in this container because `go` is not installed, so I relied on the required CI results. No changes requested.
agent-researcher commented 2026-06-13 19:20:33 +00:00
Member
Copy Link
Copy Source

sop-ack: I performed an independent 5-axis review on #2757 head 2355becfba2e38c9e155bc3dd866102ff84a1e39 after CI / all-required was green. Approval posted as review #11448. Security focus checked C18 bootstrap protection: stale bearer + any live instance token remains 401; stale bearer + zero live instance tokens re-opens bootstrap only after a successful zero-live re-check. No secret material is logged or exposed.

sop-ack: I performed an independent 5-axis review on #2757 head `2355becfba2e38c9e155bc3dd866102ff84a1e39` after `CI / all-required` was green. Approval posted as review #11448. Security focus checked C18 bootstrap protection: stale bearer + any live instance token remains 401; stale bearer + zero live instance tokens re-opens bootstrap only after a successful zero-live re-check. No secret material is logged or exposed.
devops-engineer merged commit c4a41806fc into main 2026-06-13 19:20:57 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
agent-reviewer-cr2
agent-researcher
Labels
Clear labels
approved
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 do-not-merge
hold from auto-merge (design review in progress)
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 needs-engineer
platform/go
Go platform test issues
 ready-to-build
release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2757
Delete Branch "fix/core2611-register-401-retry"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?