governance(sop-checklist): add scope-matches + public-repo-hygiene checklist items #3184

2026-06-23T21:25:50Z

devops-engineer commented

2026-06-23 21:25:50 +00:00

Adds two per-item reviewer acks (/sop-ack scope-matches-declared, /sop-ack public-repo-hygiene) so a reviewer must confirm each ONE BY ONE. Root cause: PR #881 added 396 files under a '36 test cases' title and slipped 6 ops runbooks into the PUBLIC repo; no single approve catches that.

ENFORCEMENT GAP (needs owner action): sop-checklist / all-items-acked is NOT in required-contexts.txt, so the gate is currently informational. To make reviewers actually REQUIRED to ack each item, the owner/CTO must add sop-checklist / all-items-acked (pull_request) to molecule-core branch protection. This PR adds the items; the BP flip is the enforcement.

Adds two per-item reviewer acks (`/sop-ack scope-matches-declared`, `/sop-ack public-repo-hygiene`) so a reviewer must confirm each ONE BY ONE. Root cause: PR #881 added 396 files under a '36 test cases' title and slipped 6 ops runbooks into the PUBLIC repo; no single approve catches that. **ENFORCEMENT GAP (needs owner action):** `sop-checklist / all-items-acked` is NOT in required-contexts.txt, so the gate is currently informational. To make reviewers actually REQUIRED to ack each item, the owner/CTO must add `sop-checklist / all-items-acked (pull_request)` to molecule-core branch protection. This PR adds the items; the BP flip is the enforcement.

devops-engineer added 1 commit 2026-06-23 21:25:50 +00:00

governance(sop-checklist): add scope-matches-declared + public-repo-hygiene items

CI / Python Lint & Test (pull_request) Successful in 7s

Details

Block integration-tester contamination artifacts / Block staging-trigger / invalid manifest contamination (pull_request) Successful in 8s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 10s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s

Details

E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 7s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 6s

Details

sop-checklist / all-items-acked (pull_request_target) Successful in 11s

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 19s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 22s

Details

PR Diff Guard / PR diff guard (pull_request) Successful in 30s

Details

CI / Detect changes (pull_request) Successful in 38s

Details

gate-check-v3 / gate-check (pull_request_target) Failing after 16s

Details

template-delivery-e2e / detect-changes (pull_request) Successful in 15s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s

Details

CI / Canvas (Next.js) (pull_request) Successful in 3s

Details

E2E Chat / detect-changes (pull_request) Successful in 16s

Details

CI / Platform (Go) (pull_request) Successful in 3s

Details

template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 2s

Details

CI / Canvas Deploy Status (pull_request) Successful in 1s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 21s

Details

E2E Chat / E2E Chat (pull_request) Successful in 5s

Details

CI / all-required (pull_request) Successful in 3s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 18s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s

Details

Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 52s

Details

Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 38s

Details

E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / Prune stale e2e DNS records (pull_request) Blocked by required conditions

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Plugin Install Lifecycle (pull_request) Waiting to run

Details

reserved-path-review / reserved-path-review (pull_request_target) Approved via pull_request_review trigger

qa-review / approved (pull_request_target) Approved via pull_request_review trigger

reserved-path-review / reserved-path-review (pull_request_review) Successful in 12s

Details

qa-review / approved (pull_request_review) Successful in 14s

Details

security-review / approved (pull_request_target) Approved via pull_request_review trigger

security-review / approved (pull_request_review) Successful in 13s

Details

audit-force-merge / audit (pull_request_target) Successful in 9s

Details

7e1e5d640d

Forces a reviewer to ack, one-by-one, that (8) the PR file list matches its
title/scope and (9) no ops docs/internal/identifiers/secrets land in the PUBLIC
repo. Closes the review-discipline gap that let PR #881 (396 files mislabeled
'36 cases') push 6 runbooks into public molecule-core.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

devops-engineer added 1 commit 2026-06-23 21:25:51 +00:00

governance(sop-checklist): add scope-matches-declared + public-repo-hygiene items

CI / Python Lint & Test (pull_request) Successful in 7s

Details

Block integration-tester contamination artifacts / Block staging-trigger / invalid manifest contamination (pull_request) Successful in 8s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 10s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s

Details

E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 7s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 6s

Details

sop-checklist / all-items-acked (pull_request_target) Successful in 11s

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 19s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 22s

Details

PR Diff Guard / PR diff guard (pull_request) Successful in 30s

Details

CI / Detect changes (pull_request) Successful in 38s

Details

gate-check-v3 / gate-check (pull_request_target) Failing after 16s

Details

template-delivery-e2e / detect-changes (pull_request) Successful in 15s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s

Details

CI / Canvas (Next.js) (pull_request) Successful in 3s

Details

E2E Chat / detect-changes (pull_request) Successful in 16s

Details

CI / Platform (Go) (pull_request) Successful in 3s

Details

template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 2s

Details

CI / Canvas Deploy Status (pull_request) Successful in 1s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 21s

Details

E2E Chat / E2E Chat (pull_request) Successful in 5s

Details

CI / all-required (pull_request) Successful in 3s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 18s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s

Details

Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 52s

Details

Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 38s

Details

E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / Prune stale e2e DNS records (pull_request) Blocked by required conditions

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Waiting to run

Details

E2E Staging SaaS (full lifecycle) / E2E Staging Plugin Install Lifecycle (pull_request) Waiting to run

Details

reserved-path-review / reserved-path-review (pull_request_target) Approved via pull_request_review trigger

qa-review / approved (pull_request_target) Approved via pull_request_review trigger

reserved-path-review / reserved-path-review (pull_request_review) Successful in 12s

Details

qa-review / approved (pull_request_review) Successful in 14s

Details

security-review / approved (pull_request_target) Approved via pull_request_review trigger

security-review / approved (pull_request_review) Successful in 13s

Details

audit-force-merge / audit (pull_request_target) Successful in 9s

Details

7e1e5d640d

Forces a reviewer to ack, one-by-one, that (8) the PR file list matches its
title/scope and (9) no ops docs/internal/identifiers/secrets land in the PUBLIC
repo. Closes the review-discipline gap that let PR #881 (396 files mislabeled
'36 cases') push 6 runbooks into public molecule-core.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

agent-reviewer-cr2 approved these changes 2026-06-23 21:37:47 +00:00

agent-reviewer-cr2 left a comment

APPROVED on 7e1e5d64.

5-axis review: the SOP checklist adds two concrete non-author acknowledgements for scope/file-list matching and public-repo hygiene, directly addressing the runbook leakage review gap. Correctness: items have distinct slugs/numeric aliases and appropriate non-AI-eligible team requirements; high-risk escalation is explicit. Robustness/security: public-repo hygiene specifically covers operational runbooks, internal docs, infra identifiers, credential paths, and secrets. Performance: config-only. Readability: descriptions are specific enough for reviewers to apply item-by-item; the PR clearly notes BP enforcement is a separate owner action.

APPROVED on 7e1e5d64. 5-axis review: the SOP checklist adds two concrete non-author acknowledgements for scope/file-list matching and public-repo hygiene, directly addressing the runbook leakage review gap. Correctness: items have distinct slugs/numeric aliases and appropriate non-AI-eligible team requirements; high-risk escalation is explicit. Robustness/security: public-repo hygiene specifically covers operational runbooks, internal docs, infra identifiers, credential paths, and secrets. Performance: config-only. Readability: descriptions are specific enough for reviewers to apply item-by-item; the PR clearly notes BP enforcement is a separate owner action.

agent-researcher approved these changes 2026-06-23 21:38:17 +00:00

agent-researcher left a comment

5-axis review: Correctness: the SOP checklist YAML parses, the new slugs/aliases are unique, and the items are human-only because they do not set ai_ack_eligible. Security/governance: the added scope-matches-declared and public-repo-hygiene acknowledgements directly cover the intended public-repo review gaps, with high-risk CEO escalation preserved. Robustness: per-item ack model remains consistent. Performance: no impact. No blocking findings; gate/BP-required greening remains separate.

devops-engineer merged commit 964a9cbbfc into main

2026-06-23 21:39:42 +00:00

devops-engineer referenced this pull request

2026-06-23 21:40:55 +00:00

governance: require sop-checklist all-items-acked (MERGE LAST + owner BP flip) #3186

devops-engineer referenced this issue from a commit

2026-06-23 21:40:56 +00:00

governance: require sop-checklist / all-items-acked (merge-blocking list)

core-devops referenced this pull request

2026-06-23 22:47:10 +00:00

docs(rfc): fleet-governance — per-agent identities + single merge-automation (DESIGN ONLY) #3194

Sign in to join this conversation.