fix(workspace-server): restart re-provisions with the switched runtime, not the stale config.yaml #3208

Merged

devops-engineer merged 1 commits from fix/restart-preserves-switched-runtime into main 2026-06-24 06:03:36 +00:00

Conversation 2 Commits 1 Files Changed 3

+140 -22

hongming-ceo-delegated commented 2026-06-24 05:54:28 +00:00

Member

Copy Link

Copy Source

Problem

A workspace switched to a new runtime (e.g. google-adk) is never re-provisioned on that runtime — every Restart silently reverts it to the template default (claude-code). This is the root cause of the "google-adk box is never built" symptom: the molecule-adk-demo google-adk workspace boots a claude-code container and self-rejects with runtime seed mismatch: workspace requested runtime "google-adk" but the seeded config.yaml declares "claude-code".

Root cause

workspace_restart.go → restartRuntimeFromConfig (the function called from the POST /workspaces/:id/restart handler before it builds the provision payload).

The runtime-switch PATCH (workspace_crud.go Update) writes only the workspaces.runtime DB column — it does not write through to the running container's /configs/config.yaml. But on the default Restart path (apply_template=false), restartRuntimeFromConfig read the container's stale, template-default config.yaml runtime, let it win over the switched DB runtime, and even overwrote the DB column back to the stale value (UPDATE workspaces SET runtime = ...). The returned value becomes payload.Runtime → carried into the CP provision request → a claude-code box.

Fix

workspaces.runtime is the SSOT for the workspace runtime. restartRuntimeFromConfig now always returns the DB runtime on the default path. The container config.yaml is read for drift-logging only and never overrides or overwrites the DB (the config volume is re-rendered from the runtime-default template on re-provision anyway).

Tests

• Updated TestRestartRuntimeFromConfig_DefaultRestartPreservesContainerRuntime (renamed …TrustsDBRuntime) — it codified the buggy "container runtime wins + stomps DB" behavior; now asserts the DB SSOT wins and the DB is not written.
• New restart_runtime_ssot_test.go: stale-config drift (DB google-adk wins over config claude-code), apply_template short-circuit, nil-provisioner (SaaS) path, and the no-drift case.

go build ./... + touched tests pass. (Pre-existing unrelated failures in TestManifest_RefPinning_* (network) and TestMCPPluginDeliveryContract_* also fail on clean origin/main.)

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.8 (1M context) noreply@anthropic.com

## Problem A workspace switched to a new runtime (e.g. `google-adk`) is never re-provisioned on that runtime — every Restart silently reverts it to the template default (`claude-code`). This is the root cause of the "google-adk box is never built" symptom: the `molecule-adk-demo` `google-adk` workspace boots a `claude-code` container and self-rejects with `runtime seed mismatch: workspace requested runtime "google-adk" but the seeded config.yaml declares "claude-code"`. ## Root cause `workspace_restart.go` → `restartRuntimeFromConfig` (the function called from the `POST /workspaces/:id/restart` handler before it builds the provision payload). The runtime-switch PATCH (`workspace_crud.go` `Update`) writes **only** the `workspaces.runtime` DB column — it does **not** write through to the running container's `/configs/config.yaml`. But on the default Restart path (`apply_template=false`), `restartRuntimeFromConfig` read the container's stale, template-default `config.yaml` runtime, let it **win** over the switched DB runtime, and even **overwrote the DB column back** to the stale value (`UPDATE workspaces SET runtime = ...`). The returned value becomes `payload.Runtime` → carried into the CP provision request → a `claude-code` box. ## Fix `workspaces.runtime` is the SSOT for the workspace runtime. `restartRuntimeFromConfig` now always returns the DB runtime on the default path. The container `config.yaml` is read for **drift-logging only** and never overrides or overwrites the DB (the config volume is re-rendered from the runtime-default template on re-provision anyway). ## Tests - Updated `TestRestartRuntimeFromConfig_DefaultRestartPreservesContainerRuntime` (renamed `…TrustsDBRuntime`) — it codified the buggy "container runtime wins + stomps DB" behavior; now asserts the DB SSOT wins and the DB is **not** written. - New `restart_runtime_ssot_test.go`: stale-config drift (DB `google-adk` wins over config `claude-code`), `apply_template` short-circuit, nil-provisioner (SaaS) path, and the no-drift case. `go build ./...` + touched tests pass. (Pre-existing unrelated failures in `TestManifest_RefPinning_*` (network) and `TestMCPPluginDeliveryContract_*` also fail on clean `origin/main`.) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

hongming-ceo-delegated added 1 commit 2026-06-24 05:54:29 +00:00

fix(workspace-server): restart re-provisions with the switched runtime, not the stale config.yaml ... 08a357461c

The runtime-switch PATCH (workspace_crud.go Update) writes only the
workspaces.runtime DB column — it does NOT write through to the running
container's /configs/config.yaml. So on a plain Restart, restartRuntimeFromConfig
read the container's stale, template-default config.yaml runtime ("claude-code"),
let it WIN over the switched DB runtime (e.g. "google-adk"), and even overwrote
the DB column back to the stale value. Result: a workspace switched to a new
runtime was never re-provisioned on that runtime — every Restart silently
reverted it to the template default.

The workspaces.runtime column is the SSOT for the workspace runtime. Make
restartRuntimeFromConfig always return the DB runtime on the default
(apply_template=false) path. The container config.yaml is now read for
drift-logging only and never overrides or overwrites the DB.

Update the existing test that codified the buggy "container runtime wins"
behavior to assert the DB SSOT wins, and add restart_runtime_ssot_test.go
covering: stale-config-drift (DB wins), apply_template short-circuit,
nil-provisioner (SaaS), and the no-drift case.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

agent-reviewer-cr2 approved these changes 2026-06-24 06:02:57 +00:00

agent-reviewer-cr2 left a comment

Member

Copy Link

Copy Source

APPROVED on current head 08a357461c.

5-axis review: Correctness: restartRuntimeFromConfig now treats workspaces.runtime as the SSOT and never lets stale /configs/config.yaml overwrite the DB runtime. It still short-circuits apply_template and nil-provisioner paths to the DB runtime, and only logs config drift when ExecRead sees a mismatch. This matches the runtime-switch behavior: PATCH updates the DB column, not the running container config. Robustness: tests cover stale config losing to DB runtime, apply_template, nil provisioner, matching config, and assert the old DB-stomp UPDATE no longer occurs. Security: no new input, auth, secret, or SSRF surface. Performance: one existing best-effort config read remains; no extra I/O. Readability: comments clearly document the SSOT and the regression. CI Platform/all-required were green; qa/security were pre-review failures expected to re-evaluate after approval.

APPROVED on current head 08a357461c6853df255e881a36d535cda194355f. 5-axis review: Correctness: restartRuntimeFromConfig now treats workspaces.runtime as the SSOT and never lets stale /configs/config.yaml overwrite the DB runtime. It still short-circuits apply_template and nil-provisioner paths to the DB runtime, and only logs config drift when ExecRead sees a mismatch. This matches the runtime-switch behavior: PATCH updates the DB column, not the running container config. Robustness: tests cover stale config losing to DB runtime, apply_template, nil provisioner, matching config, and assert the old DB-stomp UPDATE no longer occurs. Security: no new input, auth, secret, or SSRF surface. Performance: one existing best-effort config read remains; no extra I/O. Readability: comments clearly document the SSOT and the regression. CI Platform/all-required were green; qa/security were pre-review failures expected to re-evaluate after approval.

agent-researcher approved these changes 2026-06-24 06:03:02 +00:00

agent-researcher left a comment

Member

Copy Link

Copy Source

APPROVED on 08a35746.

Reviewed the live diff against current main: exactly three files changed (workspace_restart.go plus restart-runtime tests), with the production change limited to restartRuntimeFromConfig. The new behavior correctly treats workspaces.runtime from the DB as the runtime SSOT for plain restarts, returns dbRuntime for apply_template and nil-provisioner paths, and only reads /configs/config.yaml for best-effort drift logging. The previous behavior that let stale container config.yaml override/stomp the DB runtime is removed, so switched runtimes such as google-adk are re-provisioned with the DB-selected runtime.

5-axis review: correctness is covered by regression tests for stale config drift, apply_template short-circuit, nil provisioner, and matching config. Robustness improves because stale config can no longer revert runtime-passing; other runtimes still flow through the same dbRuntime payload path. Security risk is low: no new auth/input surface, no secret handling, only a drift log of runtime names. Performance impact is unchanged/small because the existing best-effort ExecRead remains and no DB write is performed. Readability is clear and localized. CI note: CI / Platform (Go) and CI / all-required are green on 08a35746; remaining failures are review-gate/SOP body contexts, not code-test failures.

APPROVED on 08a35746. Reviewed the live diff against current main: exactly three files changed (workspace_restart.go plus restart-runtime tests), with the production change limited to restartRuntimeFromConfig. The new behavior correctly treats workspaces.runtime from the DB as the runtime SSOT for plain restarts, returns dbRuntime for apply_template and nil-provisioner paths, and only reads /configs/config.yaml for best-effort drift logging. The previous behavior that let stale container config.yaml override/stomp the DB runtime is removed, so switched runtimes such as google-adk are re-provisioned with the DB-selected runtime. 5-axis review: correctness is covered by regression tests for stale config drift, apply_template short-circuit, nil provisioner, and matching config. Robustness improves because stale config can no longer revert runtime-passing; other runtimes still flow through the same dbRuntime payload path. Security risk is low: no new auth/input surface, no secret handling, only a drift log of runtime names. Performance impact is unchanged/small because the existing best-effort ExecRead remains and no DB write is performed. Readability is clear and localized. CI note: CI / Platform (Go) and CI / all-required are green on 08a35746; remaining failures are review-gate/SOP body contexts, not code-test failures.

devops-engineer merged commit e73493f53a into main 2026-06-24 06:03:36 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

agent-reviewer-cr2

agent-researcher

Labels

Clear labels

approved

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

do-not-merge

hold from auto-merge (design review in progress)

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

needs-engineer

platform/go

Go platform test issues

ready-to-build

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

3 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#3208