ci(secrets->kms): migrate CP_ADMIN_API_TOKEN to Infisical KMS (wave-3 molecule-ai/molecule-core) #3274

Merged

agent-reviewer-cr2 merged 3 commits from ci/migrate-cp-admin-api-token-infisical into main 2026-06-25 22:06:46 +00:00

Conversation 4 Commits 3 Files Changed 7

+339 -13

hongming commented 2026-06-25 21:40:37 +00:00

Owner

Copy Link

Copy Source

What

Migrate CP_ADMIN_API_TOKEN from a duplicated Gitea Actions secret to the Infisical KMS SSOT across the 7 molecule-ai/molecule-core workflows that consume it. Wave-3 of the Gitea-secrets-to-KMS migration; one secret per PR (established wave pattern).

Recipe (mirrors bench-provision-time.yml + boot-to-registration-e2e.yml)

In the same job as each consumer (so the export spans the steps via $GITHUB_ENV), a Fetch CP_ADMIN_API_TOKEN from Infisical KMS step:

1. universal-auth login POST https://key.moleculesai.app/api/v1/auth/universal-auth/login with the CI machine identity (INFISICAL_CI_CLIENT_ID / INFISICAL_CI_CLIENT_SECRET, project INFISICAL_CI_PROJECT_ID) -> accessToken.
2. GET /api/v3/secrets/raw/CP_ADMIN_API_TOKEN?workspaceId=...&environment=prod&secretPath=%2Fshared%2Fcontrolplane-admin -> .secret.secretValue.
3. Masking-control: echo "::add-mask::$VAL", then assert NON-EMPTY and FAIL LOUD ([ -z "$VAL" ] -> ::error:: + exit 1), then echo "CP_ADMIN_API_TOKEN=$VAL" >> "$GITHUB_ENV".
4. Every secrets.CP_ADMIN_API_TOKEN use site now consumes the env var. template-delivery-e2e.yml keeps its MOLECULE_ADMIN_TOKEN alias (exported under that name).

The 3 INFISICAL_CI_* bootstrap secrets STAY in Gitea -- they are the identity that fetches everything else.

Trusted-ref gate (this repo is PUBLIC)

The KMS step consumes the INFISICAL_CI_* machine-identity secrets, so it is gated to trusted refs so an untrusted fork cannot trigger it and harvest those creds. Per-workflow if::

Workflow	Job	Triggers	KMS-step gate
template-delivery-e2e.yml	delivery	wf_dispatch, push, pull_request	delivery=='true' AND (workflow_dispatch OR push+main OR pull_request with head.repo.fork == false)
staging-verify.yml	promote-to-latest	push:staging, wf_dispatch	workflow_dispatch OR push+staging
redeploy-tenants-on-main.yml	redeploy	wf_dispatch	workflow_dispatch
sweep-cf-tunnels.yml	sweep	schedule	schedule OR workflow_dispatch
sweep-cf-orphans.yml	sweep	schedule	schedule OR workflow_dispatch
sweep-aws-secrets.yml	sweep	schedule, wf_dispatch	schedule OR workflow_dispatch
publish-workspace-server-image.yml	deploy-production	push:main, wf_dispatch	workflow_dispatch OR push+main

For template-delivery-e2e a same-repo (non-fork) delivery PR runs the fetch + e2e normally; a fork delivery PR skips the fetch and then hits the existing "Verify required secret present" hard-fail (loud, not silent) -- fail-closed, and equivalent to today since forks cannot read secrets.* in this Gitea setup anyway.

No on: trigger changes in any file (wave-1 lesson: a migration PR must not alter triggers).

Probe-200 evidence

GET /v3/secrets/raw/CP_ADMIN_API_TOKEN?...&secretPath=%2Fshared%2Fcontrolplane-admin probed 200 before shipping:

• environment=prod -> 200, len 64
• environment=staging -> 200, len 64 (byte-identical value across envs)

Path pinned to /shared/controlplane-admin (the assessment's /shared/cp-admin is 404 -- probe-first caught it).

Validation

• yaml.safe_load passes on all 7 changed files; on: blocks and jobs intact.
• Repo lint-workflow-yaml.py --workflow-dir .gitea/workflows -> 0 warnings, no Gitea-1.22.6-hostile shapes.

Gitea CP_ADMIN_API_TOKEN secret RETAINED pending validate-before-delete

The Gitea CP_ADMIN_API_TOKEN secret is NOT deleted by this PR. Per the wave gate, the PM/operator re-runs a real workflow on this PR first to prove the KMS fetch is live AND consumed; only then is the Gitea secret retired (repo scope; org scope only after ALL consumers migrate).

Merge discipline

No self-merge, no self-approval. Requires the standard pool review bar.

## What Migrate `CP_ADMIN_API_TOKEN` from a duplicated Gitea Actions secret to the Infisical KMS SSOT across the 7 `molecule-ai/molecule-core` workflows that consume it. Wave-3 of the Gitea-secrets-to-KMS migration; one secret per PR (established wave pattern). ## Recipe (mirrors bench-provision-time.yml + boot-to-registration-e2e.yml) In the same job as each consumer (so the export spans the steps via `$GITHUB_ENV`), a `Fetch CP_ADMIN_API_TOKEN from Infisical KMS` step: 1. universal-auth login `POST https://key.moleculesai.app/api/v1/auth/universal-auth/login` with the CI machine identity (`INFISICAL_CI_CLIENT_ID` / `INFISICAL_CI_CLIENT_SECRET`, project `INFISICAL_CI_PROJECT_ID`) -> accessToken. 2. `GET /api/v3/secrets/raw/CP_ADMIN_API_TOKEN?workspaceId=...&environment=prod&secretPath=%2Fshared%2Fcontrolplane-admin` -> `.secret.secretValue`. 3. Masking-control: `echo "::add-mask::$VAL"`, then assert NON-EMPTY and FAIL LOUD (`[ -z "$VAL" ]` -> `::error::` + `exit 1`), then `echo "CP_ADMIN_API_TOKEN=$VAL" >> "$GITHUB_ENV"`. 4. Every `secrets.CP_ADMIN_API_TOKEN` use site now consumes the env var. `template-delivery-e2e.yml` keeps its `MOLECULE_ADMIN_TOKEN` alias (exported under that name). The 3 `INFISICAL_CI_*` bootstrap secrets STAY in Gitea -- they are the identity that fetches everything else. ## Trusted-ref gate (this repo is PUBLIC) The KMS step consumes the `INFISICAL_CI_*` machine-identity secrets, so it is gated to trusted refs so an untrusted fork cannot trigger it and harvest those creds. Per-workflow `if:`: | Workflow | Job | Triggers | KMS-step gate | |---|---|---|---| | `template-delivery-e2e.yml` | `delivery` | wf_dispatch, push, pull_request | `delivery=='true'` AND (`workflow_dispatch` OR `push`+`main` OR `pull_request` with `head.repo.fork == false`) | | `staging-verify.yml` | `promote-to-latest` | push:staging, wf_dispatch | `workflow_dispatch` OR `push`+`staging` | | `redeploy-tenants-on-main.yml` | `redeploy` | wf_dispatch | `workflow_dispatch` | | `sweep-cf-tunnels.yml` | `sweep` | schedule | `schedule` OR `workflow_dispatch` | | `sweep-cf-orphans.yml` | `sweep` | schedule | `schedule` OR `workflow_dispatch` | | `sweep-aws-secrets.yml` | `sweep` | schedule, wf_dispatch | `schedule` OR `workflow_dispatch` | | `publish-workspace-server-image.yml` | `deploy-production` | push:main, wf_dispatch | `workflow_dispatch` OR `push`+`main` | For `template-delivery-e2e` a same-repo (non-fork) delivery PR runs the fetch + e2e normally; a fork delivery PR skips the fetch and then hits the existing "Verify required secret present" hard-fail (loud, not silent) -- fail-closed, and equivalent to today since forks cannot read `secrets.*` in this Gitea setup anyway. No `on:` trigger changes in any file (wave-1 lesson: a migration PR must not alter triggers). ## Probe-200 evidence `GET /v3/secrets/raw/CP_ADMIN_API_TOKEN?...&secretPath=%2Fshared%2Fcontrolplane-admin` probed 200 before shipping: - `environment=prod` -> 200, len 64 - `environment=staging` -> 200, len 64 (byte-identical value across envs) Path pinned to `/shared/controlplane-admin` (the assessment's `/shared/cp-admin` is 404 -- probe-first caught it). ## Validation - `yaml.safe_load` passes on all 7 changed files; `on:` blocks and jobs intact. - Repo `lint-workflow-yaml.py --workflow-dir .gitea/workflows` -> 0 warnings, no Gitea-1.22.6-hostile shapes. ## Gitea CP_ADMIN_API_TOKEN secret RETAINED pending validate-before-delete The Gitea `CP_ADMIN_API_TOKEN` secret is NOT deleted by this PR. Per the wave gate, the PM/operator re-runs a real workflow on this PR first to prove the KMS fetch is live AND consumed; only then is the Gitea secret retired (repo scope; org scope only after ALL consumers migrate). ## Merge discipline No self-merge, no self-approval. Requires the standard pool review bar.

hongming added 1 commit 2026-06-25 21:40:38 +00:00

ci(secrets->kms): migrate CP_ADMIN_API_TOKEN to Infisical KMS (wave-3 molecule-ai/molecule-core) ... 8e821e1fc0

Source CP_ADMIN_API_TOKEN from the Infisical SSOT (prod /shared/controlplane-admin,
probe 200, len 64) via the CI machine identity (INFISICAL_CI_CLIENT_ID/SECRET +
INFISICAL_CI_PROJECT_ID) instead of the duplicated Gitea Actions secret, in the 7
molecule-core workflows that consume it. Mirrors the proven bench-provision-time.yml
and boot-to-registration-e2e.yml KMS-fetch pattern.

Per workflow, in the SAME job as the consumer (so $GITHUB_ENV spans it):
- add a "Fetch CP_ADMIN_API_TOKEN from Infisical KMS" step: universal-auth login ->
  GET /api/v3/secrets/raw/CP_ADMIN_API_TOKEN?environment=prod&secretPath=
  %2Fshared%2Fcontrolplane-admin -> ::add-mask:: -> assert NON-EMPTY + FAIL LOUD ->
  export to $GITHUB_ENV;
- replace every secrets.CP_ADMIN_API_TOKEN use site with the env var (template-
  delivery-e2e keeps its MOLECULE_ADMIN_TOKEN alias, exported under that name);
- GATE the KMS step to TRUSTED refs (push/workflow_dispatch/schedule, or a same-repo
  non-fork pull_request with head.repo.fork == false) so untrusted forks cannot
  trigger it and harvest INFISICAL_CI_*.

No on: trigger changes. The 3 INFISICAL_CI_* bootstrap secrets stay in Gitea (they
are the identity that fetches everything else). The Gitea CP_ADMIN_API_TOKEN secret
is RETAINED pending validate-before-delete.

Files:
- template-delivery-e2e.yml (delivery; wf_dispatch/push/PR; trusted = same-repo PR)
- staging-verify.yml (promote-to-latest; push:staging/wf_dispatch)
- redeploy-tenants-on-main.yml (redeploy; wf_dispatch)
- sweep-cf-tunnels.yml (sweep; schedule)
- sweep-cf-orphans.yml (sweep; schedule)
- sweep-aws-secrets.yml (sweep; schedule/wf_dispatch)
- publish-workspace-server-image.yml (deploy-production; push:main/wf_dispatch)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

hongming added 1 commit 2026-06-25 21:51:47 +00:00

ci(security): fail-close trusted-ref gate on template-delivery-e2e KMS step ... 857eb6caad

The 'Fetch CP_ADMIN_API_TOKEN from Infisical KMS' step's pull_request fork
clause used `github.event.pull_request.head.repo.fork == false`, which
FAIL-OPENS in the Actions expression engine: when Gitea's pull_request event
omits/nulls head.repo.fork, `null == false` coerces TRUE, so a FORK PR would
run the step and could exfiltrate INFISICAL_CI_CLIENT_ID/SECRET/PROJECT_ID.
This is a PUBLIC-repo, always-running REQUIRED PR gate (on: pull_request
branches:[main], delivery job has no job-level if:), so it was exploitable.

Replace the negative fork check with the FAIL-CLOSED positive same-repo
allowlist `github.event.pull_request.head.repo.full_name == github.repository`,
which admits ONLY a trusted same-repo head and fails closed on a fork,
cross-repo/detached head, or a missing/null head.repo field — while still
letting legit same-repo PRs run the required gate with the token. The
workflow_dispatch and push-to-main clauses are unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

agent-reviewer-cr2 requested changes 2026-06-25 21:56:55 +00:00

Dismissed

agent-reviewer-cr2 left a comment

Member

Copy Link

Copy Source

REQUEST_CHANGES on head 857eb6caad.

The fork-gate fix in template-delivery-e2e.yml is correct: the positive allowlist github.event.pull_request.head.repo.full_name == github.repository fails closed for fork/cross-repo/null head cases. However, all seven core KMS fetches still use the old extractor shape print(json.load(sys.stdin)["secret"]["secretValue"]). If Infisical returns JSON null for secretValue, Python prints literal None, which passes [ -z "$CP_ADMIN_API_TOKEN" ] and can export/use CP_ADMIN_API_TOKEN=None. This is the same fail-open class we just blocked on #971. Please change the extractor to emit empty/non-zero for null or non-string values before export, then the existing non-empty gate will fail closed.

REQUEST_CHANGES on head 857eb6caada59aa8243b42d0250865aa57ad6d22. The fork-gate fix in template-delivery-e2e.yml is correct: the positive allowlist github.event.pull_request.head.repo.full_name == github.repository fails closed for fork/cross-repo/null head cases. However, all seven core KMS fetches still use the old extractor shape `print(json.load(sys.stdin)["secret"]["secretValue"])`. If Infisical returns JSON null for secretValue, Python prints literal `None`, which passes `[ -z "$CP_ADMIN_API_TOKEN" ]` and can export/use `CP_ADMIN_API_TOKEN=None`. This is the same fail-open class we just blocked on #971. Please change the extractor to emit empty/non-zero for null or non-string values before export, then the existing non-empty gate will fail closed.

agent-researcher requested changes 2026-06-25 21:58:51 +00:00

Dismissed

agent-researcher left a comment

Member

Copy Link

Copy Source

REQUEST_CHANGES on head 857eb6caad.

Correctness/security finding: the fork gate fix in template-delivery-e2e.yml is directionally correct — the executable condition now uses the fail-closed same-repo allowlist github.event.pull_request.head.repo.full_name == github.repository, so fork/null head.repo cases do not receive INFISICAL_CI_* secrets. However the KMS read helper introduced/kept in this PR still uses the old extractor form:

python3 -c 'import sys,json;print(json.load(sys.stdin)["secret"]["secretValue"])'

If Infisical returns JSON null for secretValue, Python prints the literal string None. That is non-empty, so the later [ -z "$CP_ADMIN_API_TOKEN" ] guard does not fail closed and the workflow can export/mask/use a bogus token. This is the same null-masking class fixed on #971 by emitting an empty string unless secretValue is a string.

Other axes: /shared/controlplane-admin path, add-mask-before-export, no secret deletion, and the new same-repo PR allowlist are otherwise in the right shape; full-paginated statuses show CI / all-required green, with review-gate/template pending/noise not changing the code finding. Please update the molecule-core KMS extractor(s) in this PR to the #971-safe pattern so null/non-string broken reads fail the non-empty check.

REQUEST_CHANGES on head 857eb6caada59aa8243b42d0250865aa57ad6d22. Correctness/security finding: the fork gate fix in template-delivery-e2e.yml is directionally correct — the executable condition now uses the fail-closed same-repo allowlist github.event.pull_request.head.repo.full_name == github.repository, so fork/null head.repo cases do not receive INFISICAL_CI_* secrets. However the KMS read helper introduced/kept in this PR still uses the old extractor form: python3 -c 'import sys,json;print(json.load(sys.stdin)["secret"]["secretValue"])' If Infisical returns JSON null for secretValue, Python prints the literal string None. That is non-empty, so the later [ -z "$CP_ADMIN_API_TOKEN" ] guard does not fail closed and the workflow can export/mask/use a bogus token. This is the same null-masking class fixed on #971 by emitting an empty string unless secretValue is a string. Other axes: /shared/controlplane-admin path, add-mask-before-export, no secret deletion, and the new same-repo PR allowlist are otherwise in the right shape; full-paginated statuses show CI / all-required green, with review-gate/template pending/noise not changing the code finding. Please update the molecule-core KMS extractor(s) in this PR to the #971-safe pattern so null/non-string broken reads fail the non-empty check.

hongming added 1 commit 2026-06-25 22:01:30 +00:00

ci(security): null-safe KMS secretValue extractor across all 7 fetch steps ... cecdbd8981

Replace print(json.load(...)["secret"]["secretValue"]) with a null-safe
extractor that emits an empty string for json-null / missing / non-string
secretValue, so the existing [ -z ] non-empty assertion fails CLOSED instead
of accepting the literal string 'None'. Same null-masking fail-open class
already fixed on molecule-controlplane #971 (fd25d9df).

Addresses CR2 REQUEST_CHANGES 14260. Fork-gate, ::add-mask::, and [ -z ]
assertions left untouched.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

agent-reviewer-cr2 approved these changes 2026-06-25 22:04:02 +00:00

agent-reviewer-cr2 left a comment

Member

Copy Link

Copy Source

Reviewed head cecdbd8981.

The prior blockers are resolved. The template-delivery KMS step now uses the positive same-repo allowlist (head.repo.full_name == github.repository), so untrusted fork PRs do not get the Infisical credential path. All seven CP_ADMIN_API_TOKEN KMS-fetch extractors now use the null-safe JSON idiom that emits an empty string unless secretValue is a string; that makes JSON null/non-string reads fail closed at the existing [ -z ] guard instead of exporting literal None. The old print(json.load(...)["secret"]["secretValue"]) pattern is gone from the PR diff.

5-axis review: correctness matches the wave-3 migration intent; robustness/fail-closed behavior is improved for broken Infisical reads and fork gating; security posture is clean with add-mask/export ordering retained and no secret deletion; performance impact is only the existing one-time workflow fetch; readability is acceptable and the comment documents why the fail-closed allowlist is used. Full-paginated statuses show CI/all-required and Secret scan success on this head, with remaining failures/pending contexts outside the code-review verdict path.

Verdict: APPROVED.

Reviewed head cecdbd89810e24644a54aa920a7f962ef219c5a9. The prior blockers are resolved. The template-delivery KMS step now uses the positive same-repo allowlist (`head.repo.full_name == github.repository`), so untrusted fork PRs do not get the Infisical credential path. All seven CP_ADMIN_API_TOKEN KMS-fetch extractors now use the null-safe JSON idiom that emits an empty string unless `secretValue` is a string; that makes JSON null/non-string reads fail closed at the existing `[ -z ]` guard instead of exporting literal `None`. The old `print(json.load(...)["secret"]["secretValue"])` pattern is gone from the PR diff. 5-axis review: correctness matches the wave-3 migration intent; robustness/fail-closed behavior is improved for broken Infisical reads and fork gating; security posture is clean with add-mask/export ordering retained and no secret deletion; performance impact is only the existing one-time workflow fetch; readability is acceptable and the comment documents why the fail-closed allowlist is used. Full-paginated statuses show CI/all-required and Secret scan success on this head, with remaining failures/pending contexts outside the code-review verdict path. Verdict: APPROVED.

agent-researcher approved these changes 2026-06-25 22:04:11 +00:00

agent-researcher left a comment

Member

Copy Link

Copy Source

APPROVED on head cecdbd8981.

Scope reviewed: wave-3 CP_ADMIN_API_TOKEN -> Infisical KMS migration across molecule-core workflows, including the template-delivery fork-gate fix.

My RC 14262 is resolved. I verified all seven KMS fetch helpers now use the #971-safe extractor form that emits an empty string unless secretValue is a JSON string, so json-null/non-string broken reads hit the following [ -z ] fail-closed guard instead of becoming literal None. The old print(json.load(...)["secret"]["secretValue"]) pattern count is zero.

5-axis review: correctness/robustness/security/performance/readability look clean. The seven workflows read /shared/controlplane-admin, call ::add-mask:: before exporting, assert non-empty before writing GITHUB_ENV, and do not delete the existing CP_ADMIN_API_TOKEN secret. The template-delivery trusted-ref gate remains fail-closed for fork/null PRs via github.event.pull_request.head.repo.full_name == github.repository; the remaining head.repo.fork == false text is explanatory comment only. Full-paginated statuses show CI / all-required and Secret scan green; reserved-path/review-gate reds are the expected pre-approval checks/noise.

APPROVED on head cecdbd89810e24644a54aa920a7f962ef219c5a9. Scope reviewed: wave-3 CP_ADMIN_API_TOKEN -> Infisical KMS migration across molecule-core workflows, including the template-delivery fork-gate fix. My RC 14262 is resolved. I verified all seven KMS fetch helpers now use the #971-safe extractor form that emits an empty string unless secretValue is a JSON string, so json-null/non-string broken reads hit the following [ -z ] fail-closed guard instead of becoming literal None. The old print(json.load(...)["secret"]["secretValue"]) pattern count is zero. 5-axis review: correctness/robustness/security/performance/readability look clean. The seven workflows read /shared/controlplane-admin, call ::add-mask:: before exporting, assert non-empty before writing GITHUB_ENV, and do not delete the existing CP_ADMIN_API_TOKEN secret. The template-delivery trusted-ref gate remains fail-closed for fork/null PRs via github.event.pull_request.head.repo.full_name == github.repository; the remaining head.repo.fork == false text is explanatory comment only. Full-paginated statuses show CI / all-required and Secret scan green; reserved-path/review-gate reds are the expected pre-approval checks/noise.

hongming referenced this issue from a commit 2026-06-25 22:06:44 +00:00

ci(secrets): null-safe Infisical extractor sweep - close null-masking fail-open platform-wide

agent-reviewer-cr2 merged commit f08839974b into main 2026-06-25 22:06:46 +00:00

hongming referenced this pull request 2026-06-25 22:07:07 +00:00

ci(secrets): null-safe Infisical extractor sweep - close null-masking fail-open platform-wide #3276

hongming referenced this pull request 2026-06-26 06:47:14 +00:00

ci(secrets->kms): molecule-core fetches CF/staging secrets from Infisical (wave B aliases) #3289

agent-dev-b referenced this issue from a commit 2026-06-26 14:56:13 +00:00

fix(ci): zone-count-drift guardrail — RC fixes (molecule-core#3308)

Sign in to join this conversation.

Reviewers

No Reviewers

agent-reviewer-cr2

agent-researcher

Labels

Clear labels

approved

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

do-not-merge

hold from auto-merge (design review in progress)

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

needs-engineer

platform/go

Go platform test issues

ready-to-build

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

3 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#3274