docs(rfc): fleet-governance — per-agent identities + single merge-automation (DESIGN ONLY) #3194

Closed
core-devops wants to merge 0 commits from docs/fleet-governance-identity-and-merge-automation into main

DESIGN / INVENTORY ONLY — do NOT merge. No Gitea users created/deleted, no tokens minted/revoked, no branch protection edited.

Proposal + draft artifacts for two coupled fleet-governance fixes, with a full current-state identity inventory and a remove-and-reassign plan (per CTO escalation 2026-06-23).

Problem 0 — Identity inventory (verified read-only)

  • Operator GITEA_TOKEN (the cron fallback incl. the Conductor) maps to devops-engineer.
  • Recently merged molecule-core #3185 / #3184 / #3181 are all author = merged_by = devops-engineer — zero attribution separation; #3181 was force-merged over a RED enforced context with a do-not-merge label.
  • 34 local Claude agents on this Mac, none setting MOL_AGENT_PERSONA → all inherit the shared devops-engineer token (this is how a different local agent authored #3187/#3193).
  • Two overlapping naming taxonomies (agent-secrets.env vs personas/), 3 orphan token-dirs (no Gitea user), retired-but-live hongming-codex-laptop (still admin on core) + hongming-kimi-laptop, several stale local tokens, and no bot identity (all 404).

Problem 1 / 1.5 — Per-agent identities + REMOVE-ALL + RE-ASSIGN

Target one-identity-per-actor map (name = function), explicit revoke/delete list, 5-phase execution order, owner-gated vs in-lane split.

Problem 2 — Two merge bots → one

Conductor (gitea-merge-queue.py, */5, bar 2, force-merge, identity devops-engineer) vs automerge-bot.py (*/15, bar 1, no force-merge). Flags the bar-mismatch race (effective bar on molecule-core = weaker of the two) + force/required-context asymmetry. Proposes Conductor = canonical, retire automerge-bot, fold in bar=1 + required-contexts.txt-as-SSOT enforcement (#3192), dedicated molecule-merge-bot identity, single kill-switch matrix.

Each section ends with an owner-gated vs in-lane table.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

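The bar-mismatch race in Problem 2 is easiest to see with a small model of both gates side by side. This is an added example, not code from molecule-core or from this PR: the `PullRequest` and `MergePolicy` dataclasses, the `evaluate` and `effective_decision` functions, the context names in the stand-in `required-contexts.txt`, the PR numbers and authors are all constructed, and the automerge-bot identity is assumed to be the same shared `devops-engineer` token (the description states that only for the Conductor). `PR_FORCE_MERGED` mirrors the #3181 finding (RED enforced context plus a `do-not-merge` label); its approval count is invented.

```python
"""Model of the merge-automation gate described in Problem 2.

Added example, not code from molecule-core: the dataclasses, the policy
objects and the sample PRs are constructed to illustrate why two bots with
different bars give the weaker bar, and what a single canonical gate
enforces. The automerge-bot identity is assumed to be devops-engineer
(the PR description only states that for the Conductor).
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed stand-in for required-contexts.txt (one CI context per line;
# '#' comments and blank lines are ignored). Context names are invented.
REQUIRED_CONTEXTS_TXT = """\
# contexts that must be green before any automation may merge
CI / all-required
security-review / approved
qa-review / approved
"""

# Labels that block automated merging no matter how many approvals exist.
BLOCKING_LABELS = frozenset({"do-not-merge", "do-not-auto-merge", "wip"})


def parse_required_contexts(text: str) -> frozenset[str]:
    """Parse the SSOT file into the set of required context names."""
    return frozenset(
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    )


@dataclass
class PullRequest:
    number: int
    author: str
    approvals: int
    labels: frozenset[str]
    statuses: dict[str, str]   # context -> "success" | "failure" | "pending"


@dataclass
class MergePolicy:
    name: str
    identity: str              # Gitea user the bot merges as
    bar: int                   # minimum approvals
    force_merge: bool          # bypasses failing contexts *and* blocking labels
    required: frozenset[str]   # contexts that must be "success"
    separate_identity: bool = False  # refuse to merge PRs the bot itself authored


def evaluate(policy: MergePolicy, pr: PullRequest) -> tuple[bool, list[str]]:
    """Return (would_merge, blocking_reasons); empty reasons means merge."""
    reasons: list[str] = []
    if pr.approvals < policy.bar:
        reasons.append(f"approvals {pr.approvals} < bar {policy.bar}")
    if policy.separate_identity and pr.author == policy.identity:
        reasons.append(f"author == merger ({policy.identity}); no attribution separation")
    if not policy.force_merge:
        blocked = sorted(pr.labels & BLOCKING_LABELS)
        if blocked:
            reasons.append(f"blocking labels: {blocked}")
        for ctx in sorted(policy.required):
            state = pr.statuses.get(ctx, "missing")
            if state != "success":
                reasons.append(f"required context {ctx!r} is {state}")
    return (not reasons, reasons)


def effective_decision(policies: list[MergePolicy], pr: PullRequest) -> bool:
    """Two independent cron bots: the PR lands if *either* would merge it."""
    return any(evaluate(p, pr)[0] for p in policies)


REQUIRED = parse_required_contexts(REQUIRED_CONTEXTS_TXT)
ALL_GREEN = {ctx: "success" for ctx in REQUIRED}

# Current state as the description reports it (automerge-bot identity assumed).
CONDUCTOR_LEGACY = MergePolicy("conductor(*/5)", "devops-engineer", 2, True, REQUIRED)
AUTOMERGE_LEGACY = MergePolicy("automerge-bot(*/15)", "devops-engineer", 1, False, REQUIRED)
# Proposed state: one canonical bot, bar=1, SSOT contexts, no force-merge.
CONDUCTOR_CANONICAL = MergePolicy(
    "conductor", "molecule-merge-bot", 1, False, REQUIRED, separate_identity=True)

# Constructed PRs. PR_FORCE_MERGED mirrors the #3181 finding (RED enforced
# context + do-not-merge label); the approval count is invented.
PR_FORCE_MERGED = PullRequest(1, "devops-engineer", 2, frozenset({"do-not-merge"}),
                              {**ALL_GREEN, "security-review / approved": "failure"})
PR_ONE_APPROVAL = PullRequest(2, "alice", 1, frozenset(), dict(ALL_GREEN))
PR_SELF_AUTHORED = PullRequest(3, "molecule-merge-bot", 1, frozenset(), dict(ALL_GREEN))

if __name__ == "__main__":
    for pr in (PR_FORCE_MERGED, PR_ONE_APPROVAL, PR_SELF_AUTHORED):
        legacy = effective_decision([CONDUCTOR_LEGACY, AUTOMERGE_LEGACY], pr)
        ok, why = evaluate(CONDUCTOR_CANONICAL, pr)
        print(f"PR {pr.number}: two-bot merge={legacy}  canonical merge={ok} {why}")
```

Running it shows both halves of the race: `PR_FORCE_MERGED` lands through the legacy Conductor even though automerge-bot would refuse it (force-merge wins), and `PR_ONE_APPROVAL` lands through automerge-bot even though the Conductor's bar of 2 is unmet (the lower bar wins), so the effective policy on the repo is the weaker axis of each bot. The canonical policy keeps bar=1 as proposed but reads its required contexts from the one SSOT file, never force-merges, honours the blocking labels, and refuses to merge a PR authored by its own identity, which is the attribution separation the inventory in Problem 0 found missing.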
core-devops added 1 commit 2026-06-23 22:47:10 +00:00
docs(rfc): fleet-governance — per-agent identities + single merge-automation (DESIGN ONLY, do-not-merge)
Block integration-tester contamination artifacts / Block staging-trigger / invalid manifest contamination (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 8s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 7s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 6s
E2E API Smoke Test / detect-changes (pull_request) Successful in 17s
CI / Detect changes (pull_request) Successful in 17s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 15s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 17s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 20s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
CI / Platform (Go) (pull_request) Successful in 3s
PR Diff Guard / PR diff guard (pull_request) Successful in 17s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s
CI / Canvas (Next.js) (pull_request) Successful in 3s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 20s
CI / Canvas Deploy Status (pull_request) Successful in 1s
gate-check-v3 / gate-check (pull_request_target) Failing after 16s
template-delivery-e2e / detect-changes (pull_request) Successful in 20s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
sop-checklist / review-refire (pull_request_target) Has been skipped
template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 2s
CI / all-required (pull_request) Successful in 4s
sop-checklist / all-items-acked (pull_request) acked: 0/9 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +6 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
E2E Chat / detect-changes (pull_request) Successful in 36s
sop-checklist / all-items-acked (pull_request_target) Successful in 11s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 38s
E2E Chat / E2E Chat (pull_request) Successful in 5s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 2m10s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / Prune stale e2e DNS records (pull_request) Blocked by required conditions
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Plugin Install Lifecycle (pull_request) Waiting to run
security-review / approved (pull_request_target) Review check failed via pull_request_review trigger
security-review / approved (pull_request_review) Failing after 11s
reserved-path-review / reserved-path-review (pull_request_target) Review check failed via pull_request_review trigger
qa-review / approved (pull_request_target) Review check failed via pull_request_review trigger
reserved-path-review / reserved-path-review (pull_request_review) Failing after 13s
qa-review / approved (pull_request_review) Failing after 15s
audit-force-merge / audit (pull_request_target) Has been skipped
f270d7c096
Inventory + design for two coupled governance fixes:
1. Per-agent Gitea identities: remove shared devops-engineer, re-assign each
   agent its own identity (full current-state inventory + remove-and-reassign
   plan per CTO 2026-06-23 directive).
2. Single merge-automation: make the Conductor canonical, retire automerge-bot,
   fold in bar=1 + required-contexts.txt-as-SSOT enforcement (PR #3192).

Owner-gated (account/credential lifecycle) vs in-lane split called out for
each. No users/tokens/BP changed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
devops-engineer added the do-not-auto-merge, do-not-merge, wip labels 2026-06-23 22:47:37 +00:00
agent-reviewer-cr2 requested changes 2026-06-24 02:25:45 +00:00
agent-reviewer-cr2 left a comment

REQUEST_CHANGES: this design-only PR adds docs/design/rfc-fleet-governance-identity-and-merge-automation.md to public core. The document contains detailed operational identity and credential inventory: token cache paths, Infisical/per-persona paths, local credential filenames, persona/user mappings, stale-token findings, admin/merge identities, and automation wiring. That is sensitive operational security material and should not live in the public core repository. Please move this RFC to the appropriate private/internal location (or strip the sensitive operational inventory from the public doc) before this can be approved.

Pull request closed

Reference: molecule-ai/molecule-core#3194