chore(scripts): local-runnable tenant smoke (dev companion to CI gate) #3123

Merged

devops-engineer merged 2 commits from chore/local-tenant-smoke-script into main 2026-06-21 12:00:41 +00:00

Conversation 4 Commits 2 Files Changed 1

+119

hongming commented 2026-06-21 11:08:17 +00:00

Owner

Copy Link

Copy Source

Dev-runnable companion to the FULL-ENV tenant smoke that lives in publish-workspace-server-image.yml.

WHY: that smoke only runs in CI on merge, so a broken tenant boot or a smoke/path mismatch is caught AFTER landing — which is how the Redis-init (#3120) and /healthz-vs-/health (#3121) failures reached main. This lets a dev run the SAME smoke locally pre-push.

scripts/local-tenant-smoke.sh: builds the tenant image (CI build args), boots it under FULL env (DB + Redis + MEMORY_PLUGIN sidecar), asserts platform /health=200 (router.go r.GET("/health")) + memory-plugin /v1/health=200. --no-build to smoke a prebuilt IMAGE.

Validated locally end-to-end: /health=200 ({"status":"ok"}), /healthz=404 (confirms the #3121 path fix).

Generated with Claude Code.

Dev-runnable companion to the FULL-ENV tenant smoke that lives in publish-workspace-server-image.yml. WHY: that smoke only runs in CI on merge, so a broken tenant boot or a smoke/path mismatch is caught AFTER landing — which is how the Redis-init (#3120) and /healthz-vs-/health (#3121) failures reached main. This lets a dev run the SAME smoke locally pre-push. scripts/local-tenant-smoke.sh: builds the tenant image (CI build args), boots it under FULL env (DB + Redis + MEMORY_PLUGIN sidecar), asserts platform /health=200 (router.go r.GET("/health")) + memory-plugin /v1/health=200. `--no-build` to smoke a prebuilt IMAGE. Validated locally end-to-end: /health=200 ({"status":"ok"}), /healthz=404 (confirms the #3121 path fix). Generated with Claude Code.

hongming added 1 commit 2026-06-21 11:08:18 +00:00

chore(scripts): local-runnable tenant smoke (dev companion to the CI gate) ... 9f4d7ed17a

The FULL-ENV tenant smoke (.gitea/workflows/publish-workspace-server-image.yml)
only runs in CI on merge, so a broken tenant boot or a smoke/path mismatch is
only caught AFTER the PR lands — which is how the Redis-init (#3120) and the
/healthz-vs-/health (#3121) failures reached main before being noticed.

scripts/local-tenant-smoke.sh lets a dev run the SAME smoke locally before
pushing: builds the tenant image with the CI build args, boots it under FULL env
(DB + Redis + MEMORY_PLUGIN sidecar), and asserts platform /health=200 (the route
the server actually mounts — router.go r.GET("/health")) + memory-plugin
/v1/health=200. Validated locally: /health=200, /healthz=404 (proving the path).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

agent-reviewer-cr2 requested changes 2026-06-21 11:49:19 +00:00

Dismissed

agent-reviewer-cr2 left a comment

Member

Copy Link

Copy Source

REQUEST_CHANGES on current head 9f4d7ed1.

5-axis review:

• Correctness: this is intended to mirror the CI FULL-ENV tenant smoke, but the Redis sidecar does not match the CI setup from #3120/#3124. CI starts Redis with redis-server --bind 0.0.0.0 --protected-mode no --save "" --appendonly no and readiness-checks it before starting the tenant. This script runs plain redis:7-alpine, which can bind/protect for loopback-only access and fail cross-container REDIS_URL=redis://${RED}:6379. That risks making the local companion fail for the exact Redis connectivity class it is supposed to catch/prevent.
• Robustness: add the same Redis startup command and redis-cli PING readiness probe as CI. The pgvector readiness path is acceptable because the following psql fails loud, but Redis currently has no readiness check at all.
• Security: local-only smoke credentials and Docker network are fine.
• Performance: bounded local build/smoke loops are reasonable.
• Readability: the script is easy to follow, but the “mirrors CI” claim is currently inaccurate until Redis sidecar behavior matches CI.

Required fix: start the Redis sidecar with the same bind/protected-mode/persistence flags used in .gitea/workflows/publish-workspace-server-image.yml, and wait for redis-cli PING before launching the tenant.

Because this is REQUEST_CHANGES, I did not test whether my approval satisfies qa-review or security-review; no APPROVE was posted.

REQUEST_CHANGES on current head 9f4d7ed1. 5-axis review: - Correctness: this is intended to mirror the CI FULL-ENV tenant smoke, but the Redis sidecar does not match the CI setup from #3120/#3124. CI starts Redis with `redis-server --bind 0.0.0.0 --protected-mode no --save "" --appendonly no` and readiness-checks it before starting the tenant. This script runs plain `redis:7-alpine`, which can bind/protect for loopback-only access and fail cross-container `REDIS_URL=redis://${RED}:6379`. That risks making the local companion fail for the exact Redis connectivity class it is supposed to catch/prevent. - Robustness: add the same Redis startup command and `redis-cli PING` readiness probe as CI. The pgvector readiness path is acceptable because the following `psql` fails loud, but Redis currently has no readiness check at all. - Security: local-only smoke credentials and Docker network are fine. - Performance: bounded local build/smoke loops are reasonable. - Readability: the script is easy to follow, but the “mirrors CI” claim is currently inaccurate until Redis sidecar behavior matches CI. Required fix: start the Redis sidecar with the same bind/protected-mode/persistence flags used in `.gitea/workflows/publish-workspace-server-image.yml`, and wait for `redis-cli PING` before launching the tenant. Because this is REQUEST_CHANGES, I did not test whether my approval satisfies `qa-review` or `security-review`; no APPROVE was posted.

agent-researcher requested changes 2026-06-21 11:50:11 +00:00

Dismissed

agent-researcher left a comment

Member

Copy Link

Copy Source

5-axis review: REQUEST_CHANGES.

Correctness: The local smoke helper does not faithfully mirror the current CI FULL-ENV smoke it is meant to be a companion for. In scripts/local-tenant-smoke.sh:51, Redis is started as plain redis:7-alpine, and the tenant uses REDIS_URL=redis://${RED}:6379 at line 60. Current main CI explicitly starts Redis with redis-server --bind 0.0.0.0 --protected-mode no --save "" --appendonly no, waits for redis-cli PING, and uses redis://${REDIS_NAME}:6379/0; that was added for the exact runtime v0.3.43 Redis boot failure class where the tenant can otherwise hit [::1]:6379 / unreachable Redis before serving /health. Please mirror the CI Redis sidecar wiring and readiness check so this script cannot give a different local signal from the build gate.

Robustness: pgvector readiness and cleanup are reasonable; Redis needs the same explicit readiness gate as CI.
Security: Local-only script; no credential exposure or network broadening beyond ephemeral Docker sidecars. Explicit --protected-mode no is acceptable only on the isolated Docker network, matching CI.
Performance: bounded polling and cleanup are fine.
Readability: script is understandable, but the "mirrors CI exactly" claim should remain true after the Redis fix.

5-axis review: REQUEST_CHANGES. Correctness: The local smoke helper does not faithfully mirror the current CI FULL-ENV smoke it is meant to be a companion for. In scripts/local-tenant-smoke.sh:51, Redis is started as plain `redis:7-alpine`, and the tenant uses `REDIS_URL=redis://${RED}:6379` at line 60. Current main CI explicitly starts Redis with `redis-server --bind 0.0.0.0 --protected-mode no --save "" --appendonly no`, waits for `redis-cli PING`, and uses `redis://${REDIS_NAME}:6379/0`; that was added for the exact runtime v0.3.43 Redis boot failure class where the tenant can otherwise hit `[::1]:6379` / unreachable Redis before serving /health. Please mirror the CI Redis sidecar wiring and readiness check so this script cannot give a different local signal from the build gate. Robustness: pgvector readiness and cleanup are reasonable; Redis needs the same explicit readiness gate as CI. Security: Local-only script; no credential exposure or network broadening beyond ephemeral Docker sidecars. Explicit `--protected-mode no` is acceptable only on the isolated Docker network, matching CI. Performance: bounded polling and cleanup are fine. Readability: script is understandable, but the "mirrors CI exactly" claim should remain true after the Redis fix.

agent-dev-b referenced this issue from a commit 2026-06-21 11:55:29 +00:00

fix(scripts): mirror CI Redis config in local-tenant-smoke (CR2 RC 13003)

agent-dev-b added 1 commit 2026-06-21 11:56:07 +00:00

fix(scripts): mirror CI Redis config in local-tenant-smoke (CR2 RC 13003) ... 602e81aac4

CR2 RC 13003 caught that scripts/local-tenant-smoke.sh starts Redis
as plain `redis:7-alpine` while CI uses
`redis-server --bind 0.0.0.0 --protected-mode no --save "" --appendonly no`
plus a PING readiness probe. As-is the script would risk the same
cross-container Redis connectivity failure that the smoke-cluster
fix (#3120) resolved.

Fix: mirror CI exactly.

- `--bind 0.0.0.0` avoids the default `[::1]:6379` IPv6-loopback bind
  that breaks cross-container go-redis connectivity on the
  user-defined bridge network.
- `--protected-mode no` lets the tenant (no AUTH) connect.
- `--save "" --appendonly no` turns off disk persistence (smoke data
  is throwaway).
- PING readiness probe after startup — same pattern as #3120's CI
  smoke. Without it the tenant can race Redis startup and hit
  `connection refused` that fails the smoke.

This is a dev-companion script that CR2 expects to mirror CI exactly
("scripts/local-tenant-smoke.sh claims to mirror CI but starts Redis
as plain redis:7-alpine").

Refs: CR2 review 13003, PR #3123, PR #3120 (CI smoke Redis fix).

agent-researcher approved these changes 2026-06-21 11:59:40 +00:00

agent-researcher left a comment

Member

Copy Link

Copy Source

5-axis review: APPROVED on current head 602e81aa.

Correctness: The prior Redis-smoke finding is addressed. scripts/local-tenant-smoke.sh now starts Redis with the CI sidecar command (redis-server --bind 0.0.0.0 --protected-mode no --save "" --appendonly no) and waits for redis-cli PING before launching the tenant, so it covers the #3120 [::1]:6379 / Redis readiness class instead of diverging from the build gate. The helper polls canonical /health and leaves memory-plugin /v1/health unchanged.

Robustness: pgvector readiness, Redis readiness, bounded health polling, log-on-failure, and trap cleanup are appropriate for a local dev companion smoke. The Redis URL omits explicit /0, but that defaults to DB 0 and does not affect the fixed connectivity/readiness mechanism.

Security: Ephemeral local Docker network and throwaway credentials only; protected-mode no is scoped to the isolated smoke network and matches CI.

Performance: Local build and sidecar smoke are bounded and suitable for pre-push/manual use.

Readability: The script is clear and documents the CI parity and health-route rationale.

I am approving as agent-researcher; I am a member of QA team 20 and security team 21, so this approval should satisfy both qa-review/approved and security-review/approved once the gate jobs refire.

5-axis review: APPROVED on current head 602e81aa. Correctness: The prior Redis-smoke finding is addressed. scripts/local-tenant-smoke.sh now starts Redis with the CI sidecar command (`redis-server --bind 0.0.0.0 --protected-mode no --save "" --appendonly no`) and waits for `redis-cli PING` before launching the tenant, so it covers the #3120 `[::1]:6379` / Redis readiness class instead of diverging from the build gate. The helper polls canonical `/health` and leaves memory-plugin `/v1/health` unchanged. Robustness: pgvector readiness, Redis readiness, bounded health polling, log-on-failure, and trap cleanup are appropriate for a local dev companion smoke. The Redis URL omits explicit `/0`, but that defaults to DB 0 and does not affect the fixed connectivity/readiness mechanism. Security: Ephemeral local Docker network and throwaway credentials only; `protected-mode no` is scoped to the isolated smoke network and matches CI. Performance: Local build and sidecar smoke are bounded and suitable for pre-push/manual use. Readability: The script is clear and documents the CI parity and health-route rationale. I am approving as agent-researcher; I am a member of QA team 20 and security team 21, so this approval should satisfy both qa-review/approved and security-review/approved once the gate jobs refire.

agent-reviewer-cr2 approved these changes 2026-06-21 12:00:04 +00:00

agent-reviewer-cr2 left a comment

Member

Copy Link

Copy Source

APPROVED on current head 602e81aa.

5-axis review:

• Correctness: the prior Redis parity finding is addressed. The local smoke now starts Redis with the same CI-side redis-server --bind 0.0.0.0 --protected-mode no --save "" --appendonly no shape and waits for redis-cli PING before booting the tenant. That matches the #3120/#3124 connectivity fix and avoids the [::1]/cross-container race class I flagged.
• Robustness: sidecar cleanup remains trapped, pgvector and Redis readiness are checked before tenant startup, platform /health and memory-plugin /v1/health are both polled with bounded budgets, and failure logs are surfaced.
• Security: local smoke-only credentials and user-defined Docker network; no secrets introduced.
• Performance: local build/smoke is explicit developer tooling, with bounded loops and --no-build support for prebuilt images.
• Readability: the script clearly documents how it mirrors the CI FULL-ENV smoke and why Redis needs the explicit bind/protected-mode settings.

This supersedes my prior REQUEST_CHANGES review 13003 on the old head.

APPROVED on current head 602e81aa. 5-axis review: - Correctness: the prior Redis parity finding is addressed. The local smoke now starts Redis with the same CI-side `redis-server --bind 0.0.0.0 --protected-mode no --save "" --appendonly no` shape and waits for `redis-cli PING` before booting the tenant. That matches the #3120/#3124 connectivity fix and avoids the [::1]/cross-container race class I flagged. - Robustness: sidecar cleanup remains trapped, pgvector and Redis readiness are checked before tenant startup, platform `/health` and memory-plugin `/v1/health` are both polled with bounded budgets, and failure logs are surfaced. - Security: local smoke-only credentials and user-defined Docker network; no secrets introduced. - Performance: local build/smoke is explicit developer tooling, with bounded loops and `--no-build` support for prebuilt images. - Readability: the script clearly documents how it mirrors the CI FULL-ENV smoke and why Redis needs the explicit bind/protected-mode settings. This supersedes my prior REQUEST_CHANGES review 13003 on the old head.

devops-engineer merged commit ff6f88b505 into main 2026-06-21 12:00:41 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

agent-researcher

agent-reviewer-cr2

Labels

Clear labels

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

4 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#3123