fix(core#3082): correct management-MCP verb SSOT to provision_workspace (not create_workspace) #3280

Merged
agent-reviewer-cr2 merged 1 commits from fix/3082-mcp-verb-ssot-provision-workspace into main 2026-06-26 01:12:29 +00:00

Summary

The MCP-plugin delivery contract's required_tool was authored from a false premise and required a verb that has never shipped on the concierge's management surface. This corrects the SSOT so the #3082 online/degraded gate matches the deployed producer and the live concierge, unblocking the de-bake (the functional concierge will now hold online).

Root cause (the verb was inverted)

The concierge runs the platform MCP in MOLECULE_MCP_MODE=management. In that mode @molecule-ai/mcp-server's createServer() returns early after registering only the management tools and never calls registerWorkspaceTools (where create_workspace lives). So the lifecycle verb on the concierge's management surface is provision_workspace in all published versions (1.1.1 → 1.6.1). create_workspace is a workspace-mode tool that has never existed on the management surface — the live 1.6.1 concierge loads provision_workspace and no create_workspace.

The prior contract (merged via #3258) pinned required_tool: create_workspace — a phantom verb. The #3082 gate therefore degraded a fully-functional concierge that correctly exposed provision_workspace. This PR corrects the SSOT.

Change (verb flip only — the derive-from-contract architecture is unchanged)

  • Contract (contracts/mcp-plugin-delivery.contract.json): required_tool create_workspace → provision_workspace (the single source of truth for the verb).
  • Gate const (platform_agent.go): conciergePlatformMCPRequiredTool → "provision_workspace". The full namespaced gate id is still composed from mcp__<server>__<verb> (the contract's mcp_server_name + required_tool) — there is no hand-typed verb and no standalone hardcoded tool id. Renamed conciergePlatformMCPCreateWorkspaceTool → conciergePlatformMCPProvisionWorkspaceTool (the old name was misleading) across all 7 referencing files.
  • MatchesSSOT pin updated to provision_workspace; TestSSOT_DegradeGateToolDerivesFromContract still asserts the gate const == the contract-derived id (drift gate intact).
  • Degrade message, heartbeat-body fixtures, and gate-describing comments updated to provision_workspace.
  • FAIL-CLOSED preserved: a concierge whose loaded_mcp_tools lacks the verb still degrades. TestConciergeCreatesWorkspace_Hermetic covers both the stays-online (verb present) and degrades (verb absent) sub-cases; concierge_mcp_loaded_test.go covers the grace-window + lookup-error paths.

Deliberately untouched: the child-workspace creation path (WorkspaceHandler.Create / the create_workspace NOT_CONFIGURED provider-pin) legitimately keeps create_workspace — that is a different concept (the management tool the concierge invokes is provision_workspace; the row it creates goes through Create).

Local verification

  • go build ./... — PASS
  • go vet ./internal/handlers/... ./internal/models/... — PASS
  • gofmt -l — all 10 touched files clean
  • go test ./internal/handlers/ (full package, minus the 2 runtime-sibling adaptor tests + network ref-pinning tests that fail-loud without the molecule-ai-workspace-runtime sibling / Gitea access — both pre-existing/environmental) — PASS, including TestConciergeCreatesWorkspace_Hermetic, TestSSOT_DegradeGateToolDerivesFromContract, the PlatformManagementMCP* grace/degrade suite, and ConciergeWarmup*.

PREVENTION follow-ups (not in this PR — scoped for next PRs)

This PR fixes the SSOT value; the structural reason a phantom verb shipped is that nothing validated the contract against the real producer. Follow-ups:

  • (a) Producer binding — a test in @molecule-ai/mcp-server that asserts it exposes the contract's required_tool for MOLECULE_MCP_MODE=management, so a producer-side rename (or a mode-routing regression like the early-return that hid create_workspace) fails its own CI. Cross-language equivalent of a typed import: both sides validate against the shared contract.
  • (b) Cross-repo CI manifest check — validate the published MCP server's actual tool manifest ⊇ the contract's required set, at publish, before any tenant provisions. This is the layer that would have caught THIS bug (the contract required a verb the published producer never had).
  • (c) MCP version pin/verify for the concierge so staging stops resolving a stale/mismatched build.

Closes the verb-SSOT half of the P0 guardrail (core task #87 / "SSOT-pin loaded_mcp_tools+verb contract"). Corrects #3258, which merged the wrong verb.

Review

Requesting 2 genuine pool reviews. Do not self-approve or merge.

🤖 Generated with Claude Code
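An added sketch of the contract-derived gate and of follow-up (b) described above; this is not code from the PR or the molecule-core repository. It assumes the contract JSON carries `mcp_server_name` and `required_tool` as flat string fields, that `loaded_mcp_tools` holds namespaced ids while the producer manifest lists bare verbs, and it omits the grace window; all type and function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Contract holds the two fields the PR names; JSON layout and all names here are assumed.
type Contract struct {
	MCPServerName string `json:"mcp_server_name"`
	RequiredTool  string `json:"required_tool"`
}

// ParseContract fails on a malformed contract or an empty server/verb.
func ParseContract(raw []byte) (Contract, error) {
	var c Contract
	if err := json.Unmarshal(raw, &c); err != nil || c.MCPServerName == "" || c.RequiredTool == "" {
		return c, fmt.Errorf("invalid contract (err=%v): need mcp_server_name and required_tool", err)
	}
	return c, nil
}

// GateToolID composes the namespaced id mcp__<server>__<verb>.
func (c Contract) GateToolID() string {
	return "mcp__" + c.MCPServerName + "__" + c.RequiredTool
}

// GateOnline is fail-closed: nil, empty or verb-less loaded_mcp_tools degrade.
func GateOnline(c Contract, loadedMCPTools []string) bool {
	return contains(loadedMCPTools, c.GateToolID())
}

// ManifestSatisfies is follow-up (b): the producer's tools must include the verb.
func ManifestSatisfies(c Contract, publishedTools []string) error {
	if !contains(publishedTools, c.RequiredTool) {
		return fmt.Errorf("contract requires %q, producer manifest %v lacks it", c.RequiredTool, publishedTools)
	}
	return nil
}

func contains(xs []string, want string) bool {
	for _, x := range xs {
		if x == want {
			return true
		}
	}
	return false
}

// Constructed sample data, not taken from the repository.
var fixedContract = []byte(`{"mcp_server_name":"molecule-platform","required_tool":"provision_workspace"}`)
var phantomContract = []byte(`{"mcp_server_name":"molecule-platform","required_tool":"create_workspace"}`)
var managementTools = []string{"provision_workspace", "constructed_other_tool"}

func main() {
	for _, raw := range [][]byte{phantomContract, fixedContract} {
		c, _ := ParseContract(raw)
		fmt.Println(c.GateToolID(), "->", ManifestSatisfies(c, managementTools))
	}
}
```

Run at publish time against the producer's real management-mode tool list, the manifest check rejects the `create_workspace` contract before the gate can degrade a concierge that only ever loads `provision_workspace`.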

hongming-ceo-delegated added 1 commit 2026-06-26 00:53:25 +00:00
fix(core#3082): correct management-MCP verb SSOT to provision_workspace (not create_workspace)
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 7s
Block integration-tester contamination artifacts / Block staging-trigger / invalid manifest contamination (pull_request) Successful in 9s
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 6s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 9s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 9s
CI / Detect changes (pull_request) Successful in 19s
Harness Replays / detect-changes (pull_request) Successful in 12s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
mcp-plugin-delivery-contract-drift / Compare MCP plugin delivery contract against template and runtime canonicals (pull_request) Failing after 11s
sop-checklist / review-refire (pull_request_target) Has been skipped
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 19s
Concierge Creates Workspace Hermetic / Concierge Creates Workspace Hermetic (pull_request) Successful in 22s
E2E Chat / detect-changes (pull_request) Successful in 20s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
CI / Canvas (Next.js) (pull_request) Successful in 2s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 7s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 17s
CI / Canvas Deploy Status (pull_request) Successful in 1s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
E2E Chat / E2E Chat (pull_request) Successful in 3s
E2E API Smoke Test / detect-changes (pull_request) Successful in 26s
PR Diff Guard / PR diff guard (pull_request) Successful in 19s
sop-checklist / all-items-acked (pull_request) acked: 0/9 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +6 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
template-delivery-e2e / detect-changes (pull_request) Successful in 17s
sop-checklist / all-items-acked (pull_request_target) Successful in 10s
gate-check-v3 / gate-check (pull_request_target) Failing after 28s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 38s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 42s
Harness Replays / Harness Replays (pull_request) Successful in 1m20s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 2m5s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m29s
CI / Platform (Go) (pull_request) Successful in 3m58s
CI / all-required (pull_request) Successful in 3s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m33s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / Prune stale e2e DNS records (pull_request) Blocked by required conditions
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Plugin Install Lifecycle (pull_request) Waiting to run
template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 8m17s
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
security-review / approved (pull_request_target) Approved via pull_request_review trigger
reserved-path-review / reserved-path-review (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 11s
security-review / approved (pull_request_review) Successful in 11s
reserved-path-review / reserved-path-review (pull_request_review) Successful in 12s
audit-force-merge / audit (pull_request_target) Successful in 9s
f4dde2b9e1
The MCP-plugin delivery contract's required_tool was authored from a false
premise. The concierge runs the platform MCP in MOLECULE_MCP_MODE=management,
where @molecule-ai/mcp-server's createServer() returns early after registering
only the management tools and NEVER calls registerWorkspaceTools — so the
lifecycle verb on the concierge's management surface is `provision_workspace`
in ALL published versions (1.1.1 → 1.6.1). `create_workspace` is a
workspace-mode tool that has never shipped on that surface; the live 1.6.1
concierge loads provision_workspace and no create_workspace.

The prior contract (merged via #3258) required the phantom create_workspace
verb, so the #3082 online/degraded gate degraded a FUNCTIONAL concierge that
correctly exposed provision_workspace. This corrects the SSOT to match the
deployed producer and the live concierge, so the staging concierge holds
`online`.

Change (verb flip only; derivation architecture unchanged):
- contract `required_tool`: create_workspace → provision_workspace (SSOT).
- conciergePlatformMCPRequiredTool const → "provision_workspace"; the
  contract-composed gate id (mcp__molecule-platform__provision_workspace) and
  the drift test still DERIVE from the contract — no hand-typed verb.
- renamed conciergePlatformMCPCreateWorkspaceTool →
  conciergePlatformMCPProvisionWorkspaceTool (the old name was misleading).
- MatchesSSOT pin, degrade message, heartbeat-body fixtures, and comments
  updated to provision_workspace. FAIL-CLOSED preserved: a concierge missing
  the verb still degrades (TestConciergeCreatesWorkspace_Hermetic covers both).

Untouched: the child-workspace create path (WorkspaceHandler.Create /
create_workspace NOT_CONFIGURED provider-pin) legitimately keeps create_workspace.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
agent-researcher approved these changes 2026-06-26 01:08:09 +00:00
agent-researcher left a comment

APPROVED on head f4dde2b9e1.

5-axis/RCA review: the required management MCP verb is correctly changed from the phantom workspace-mode create_workspace to the producer-exposed management-mode provision_workspace. I verified the producer side on molecule-mcp-server: management mode registers provision_workspace and does not register create_workspace on that surface, so this fixes the #3258/#3082 verb SSOT error rather than repeating it. The degraded gate remains fail-closed: missing/empty/non-reported required tool still degrades after the grace logic, only the accepted verb is corrected. Tests and contract-derived constants were updated consistently, with no unrelated behavioral edits found.

Status note: CI / all-required is green on this head. There is non-BP gate/noise including contract-drift/SOP/approval contexts; merge ordering says this lands first.

agent-reviewer-cr2 approved these changes 2026-06-26 01:08:46 +00:00
agent-reviewer-cr2 left a comment

Reviewed head f4dde2b9e1. APPROVED. The SSOT now requires provision_workspace, matching the management MCP producer verb; the full mcp__molecule-platform__provision_workspace gate and tests were updated, and the missing-loaded_mcp_tools / missing-required-tool fail-closed degradation remains intact. This correctly supersedes #3258's create_workspace mismatch. Merge first only after BP-required contexts are green.

agent-reviewer-cr2 merged commit 6f0f80f0cc into main 2026-06-26 01:12:29 +00:00
Reference: molecule-ai/molecule-core#3280