From 271df36602d0357fb1aa819b6cb9f02c0abc3d3a Mon Sep 17 00:00:00 2001
From: core-devops
Date: Sat, 20 Jun 2026 02:04:21 +0000
Subject: [PATCH 1/3] feat(ssot): add workspace-runtime as a party to the mcp-plugin-delivery drift gate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Byte-compares the runtime's vendored contract copy too — closes the gap that let the RCA#2970 literal drift through (runtime wasn't a contract party).
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .../mcp-plugin-delivery-contract-drift.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/.gitea/workflows/mcp-plugin-delivery-contract-drift.yml b/.gitea/workflows/mcp-plugin-delivery-contract-drift.yml
index e78815bd1..6000fdef5 100644
--- a/.gitea/workflows/mcp-plugin-delivery-contract-drift.yml
+++ b/.gitea/workflows/mcp-plugin-delivery-contract-drift.yml
@@ -117,3 +117,25 @@ jobs:
 echo "Re-sync: copy molecule-ai-workspace-template-claude-code contracts/mcp-plugin-delivery.contract.json verbatim over $LOCAL."
 exit 1
 fi
+
+ # Runtime party (added): the workspace-runtime vendored copy must also
+ # stay byte-identical — its platform_agent_identity consumer is the one
+ # whose literal drift caused the RCA#2970 concierge-online bug.
+ RT_URL="${API_ROOT}/repos/molecule-ai/molecule-ai-workspace-runtime/raw/contracts/mcp-plugin-delivery.contract.json?ref=${REF}"
+ set +e
+ curl -fsS -H "Authorization: token ${AUTO_SYNC_TOKEN}" "${RT_URL}" -o /tmp/runtime-mcp-plugin-delivery.contract.json
+ rt_status=$?
+ set -e
+ if [ "$rt_status" -eq 22 ]; then
+ RT_URL="${API_ROOT}/repos/molecule-ai/molecule-ai-workspace-runtime/raw/contracts/mcp-plugin-delivery.contract.json?ref=main"
+ curl -fsS -H "Authorization: token ${AUTO_SYNC_TOKEN}" "${RT_URL}" -o /tmp/runtime-mcp-plugin-delivery.contract.json || { echo "::warning::runtime contract copy not found (404) — skipping runtime compare during bootstrap."; exit 0; }
+ elif [ "$rt_status" -ne 0 ]; then
+ echo "::error::Failed to fetch runtime canonical contract (exit $rt_status)."; exit 1
+ fi
+ if diff -u /tmp/runtime-mcp-plugin-delivery.contract.json "$LOCAL"; then
+ echo "OK — core's contract is byte-identical to the workspace-runtime copy."
+ else
+ echo "::error::core's mcp-plugin-delivery.contract.json DRIFTED from the workspace-runtime copy."
+ echo "Re-sync: keep contracts/mcp-plugin-delivery.contract.json identical across core, template, and runtime."
+ exit 1
+ fi
-- 
2.52.0
From 6298febf53a97916a45eb7db2d7b77357dfa3a44 Mon Sep 17 00:00:00 2001
From: core-devops
Date: Sat, 20 Jun 2026 02:04:22 +0000
Subject: [PATCH 2/3] feat(ssot): extend mcp-plugin-delivery contract (byte-identical with template+runtime)
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 contracts/mcp-plugin-delivery.contract.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
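Review bot: The runtime fetch added after the template compare fails open. `curl -f` exits 22 for any HTTP status of 400 or above, so a 401/403 from an expired `AUTO_SYNC_TOKEN` or a 5xx is handled the same as a missing file, and when the `ref=main` retry then fails for any reason the step prints the "not found (404)" warning and runs `exit 0`, which passes the gate without comparing anything. Read the status explicitly, for example `code=$(curl -sS -o "$rt_file" -w '%{http_code}' -H "Authorization: token ${AUTO_SYNC_TOKEN}" "${RT_URL}")`, skip only when `code` is `404`, and end every other non-200 case with `::error::` and `exit 1`. The retry also compares against `main` rather than `${REF}`, which deserves a comment saying why a different ref is acceptable for a byte-identity check. The enclosing `run:` step starts outside the hunk, and PATCH 3/3 defers this block to a follow-up, so that follow-up is where the change belongs.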
diff --git a/contracts/mcp-plugin-delivery.contract.json b/contracts/mcp-plugin-delivery.contract.json
index 0e42676b1..75768ed1e 100644
--- a/contracts/mcp-plugin-delivery.contract.json
+++ b/contracts/mcp-plugin-delivery.contract.json
@@ -1 +1 @@
-{"settings_path":"/configs/.claude/settings.json","key":"mcpServers","entry_shape":"name->{command,args?,env?}","producer":"MCPServerAdaptor","consumer":"claude_sdk_executor._load_settings_mcp"}
+{"settings_path":"/configs/.claude/settings.json","key":"mcpServers","entry_shape":"name->{command,args?,env?}","mcp_server_name":"molecule-platform","legacy_binary_path":"/opt/molecule-mcp-server","runtime_present_field":"mcp_server_present","producer":"MCPServerAdaptor","consumer":"claude_sdk_executor._load_settings_mcp","consumers":["claude_sdk_executor._load_settings_mcp","platform_agent_identity.mcp_server_present","workspace-server/internal/handlers/registry.go#RCA2970-online-gate"]}
-- 
2.52.0
From eb6e8565acbc0e73a276e4f8ad5d0d9c20308b37 Mon Sep 17 00:00:00 2001
From: core-devops
Date: Sat, 20 Jun 2026 02:08:54 +0000
Subject: [PATCH 3/3] =?UTF-8?q?revert(ssot):=20drop=20drift-gate=20workflo?= =?UTF-8?q?w=20change=20from=20this=20PR=20(reserved-path=20=E2=86=92=20CT?= =?UTF-8?q?O/security-gated)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Keep #3093 to the contract-data extension only. The drift-gate runtime-party addition moves to a separate follow-up that carries the reserved-path + security-review approvals.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .../mcp-plugin-delivery-contract-drift.yml | 22 -------------------
 1 file changed, 22 deletions(-)
diff --git a/.gitea/workflows/mcp-plugin-delivery-contract-drift.yml b/.gitea/workflows/mcp-plugin-delivery-contract-drift.yml
index 6000fdef5..e78815bd1 100644
--- a/.gitea/workflows/mcp-plugin-delivery-contract-drift.yml
+++ b/.gitea/workflows/mcp-plugin-delivery-contract-drift.yml
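Review bot: The new object keeps the scalar `consumer` and adds a `consumers` array whose first entry repeats it, and nothing in the file says which field readers should treat as authoritative, so the two can drift apart. The third array entry, `workspace-server/internal/handlers/registry.go#RCA2970-online-gate`, is a file path with an anchor while the other two are dotted symbol names; a single format would make the list machine-checkable. Because PATCH 3/3 drops the runtime compare from the workflow, nothing visible in this series verifies that the runtime copy matches this file even though the subject claims byte-identity with it, which is worth stating in the description. JSON cannot carry a comment, so the meaning of `legacy_binary_path` and `runtime_present_field` would have to be documented next to the contract rather than inside it.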
@@ -117,25 +117,3 @@ jobs:
 echo "Re-sync: copy molecule-ai-workspace-template-claude-code contracts/mcp-plugin-delivery.contract.json verbatim over $LOCAL."
 exit 1
 fi
-
- # Runtime party (added): the workspace-runtime vendored copy must also
- # stay byte-identical — its platform_agent_identity consumer is the one
- # whose literal drift caused the RCA#2970 concierge-online bug.
- RT_URL="${API_ROOT}/repos/molecule-ai/molecule-ai-workspace-runtime/raw/contracts/mcp-plugin-delivery.contract.json?ref=${REF}"
- set +e
- curl -fsS -H "Authorization: token ${AUTO_SYNC_TOKEN}" "${RT_URL}" -o /tmp/runtime-mcp-plugin-delivery.contract.json
- rt_status=$?
- set -e
- if [ "$rt_status" -eq 22 ]; then
- RT_URL="${API_ROOT}/repos/molecule-ai/molecule-ai-workspace-runtime/raw/contracts/mcp-plugin-delivery.contract.json?ref=main"
- curl -fsS -H "Authorization: token ${AUTO_SYNC_TOKEN}" "${RT_URL}" -o /tmp/runtime-mcp-plugin-delivery.contract.json || { echo "::warning::runtime contract copy not found (404) — skipping runtime compare during bootstrap."; exit 0; }
- elif [ "$rt_status" -ne 0 ]; then
- echo "::error::Failed to fetch runtime canonical contract (exit $rt_status)."; exit 1
- fi
- if diff -u /tmp/runtime-mcp-plugin-delivery.contract.json "$LOCAL"; then
- echo "OK — core's contract is byte-identical to the workspace-runtime copy."
- else
- echo "::error::core's mcp-plugin-delivery.contract.json DRIFTED from the workspace-runtime copy."
- echo "Re-sync: keep contracts/mcp-plugin-delivery.contract.json identical across core, template, and runtime."
- exit 1
- fi
-- 
2.52.0