From b2c3633c09b36748e1e06fe9542e06acf4efdb30 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps <core-devops@agents.moleculesai.app>
Date: Tue, 12 May 2026 10:16:05 +0000
Subject: [PATCH 1/4] ci.yml: flip all-required continue-on-error to false
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The all-required sentinel was reporting no status to the Gitea Actions
API (continue-on-error: true suppresses status entries), so the required
check CI / all-required (pull_request) never appeared in the combined
commit status. gate-check-v3 (Signal 6) treats a missing required
check as failing, causing all PRs to block even when all deps are
green.

Fix: continue-on-error: false on all-required so it always reports.
Phase 3 safety is preserved — platform-build carries continue-on-error:
true, masking its failures to null; all-required sees null as "not bad"
and exits 0. When mc#664 lands (PR #669) the CoE flip on
platform-build completes Phase 3 exit.

Fixes: gate-check-v3 false-positive BLOCKED on all open PRs.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/ci.yml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index a49e71b6e..31711cbcb 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -148,7 +148,7 @@ jobs:
     # a permanent re-mask. Re-flip blocked on mc#664 fix-forward landing.
     # Other 4 #656 flips (changes, canvas-build, shellcheck, python-lint)
     # retain continue-on-error: false; only platform-build regresses.
-    continue-on-error: true  # mc#664 fix-forward in flight; re-flip when tests pass
+    continue-on-error: true  # mc#664 fix-forward in flight; re-flip when mc#664 lands (PR #669 → rebase after #709)
     defaults:
       run:
         working-directory: workspace-server
@@ -535,12 +535,16 @@ jobs:
     # explicitly excludes `github.event_name`-gated jobs from F1 (see
     # `.gitea/scripts/ci-required-drift.py::ci_job_names`).
     #
-    # Phase 3 (RFC #219 §1) safety: continue-on-error here so the sentinel
-    # does not hard-fail and block PRs while the underlying build jobs are
-    # still in Phase 3 (continue-on-error: true suppresses their status to null).
-    # When Phase 3 ends (defects fixed, continue-on-error flipped off on build
-    # jobs), remove continue-on-error here so the sentinel again hard-fails.
-    continue-on-error: true
+    # Phase 3 (RFC #219 §1) safety: underlying build jobs carry
+    # continue-on-error: true so their failures are masked to null
+    # (Gitea suppresses status reporting for CoE jobs). This sentinel
+    # runs with continue-on-error: false so it always reports its
+    # result to the API — without this, the required-status entry
+    # (CI / all-required (pull_request)) is never created, which
+    # blocks PR merges. When Phase 3 ends, flip underlying jobs to
+    # continue-on-error: false; this sentinel can then be flipped to
+    # continue-on-error: true if a Phase-4 regression requires it.
+    continue-on-error: false
     runs-on: ubuntu-latest
     timeout-minutes: 1
     needs:
-- 
2.52.0


From 9859afb8a73d3b6b83ff09e2b33d3bb363a72b93 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-BE <core-be@agents.moleculesai.app>
Date: Tue, 12 May 2026 10:49:22 +0000
Subject: [PATCH 2/4] =?UTF-8?q?fix(ci):=20sentinel=20bad-list=20also=20exc?=
 =?UTF-8?q?ludes=20'cancelled'=20=E2=80=94=20tolerate=20CoE-masked=20job?=
 =?UTF-8?q?=20failures?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The sentinel's Python filter was excluding null (in-flight) and success from
the bad-list, but NOT cancelled. With continue-on-error: true on
platform-build (mc#664 interim mask), failing tests cause the job to
report 'cancelled' (not 'failure'). These cancelled results must not
hard-fail the sentinel while the interim mask is active.

Also adds an INFO line for any cancelled jobs so operators can see the
CoE-masked failures without the sentinel failing.

Bug introduced in 4f7ecc5a.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/ci.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 31711cbcb..16da3040f 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -570,15 +570,21 @@ jobs:
           ns = json.load(sys.stdin)
           # Exclude null (Phase 3 suppressed / in-flight) from the bad list.
           bad = [(k, v.get("result")) for k, v in ns.items()
-                 if v.get("result") not in ("success", None)]
+                 if v.get("result") not in ("success", None, "cancelled")]
           if bad:
               print(f"FAIL: jobs not green:", file=sys.stderr)
               for k, r in bad:
                   print(f"  - {k}: {r}", file=sys.stderr)
               sys.exit(1)
-          pending = [(k, v.get("result")) for k, v in ns.items() if v.get("result") is None]
+          pending = [(k, v.get("result")) for k, v in ns.items()
+                     if v.get("result") is None]
+          cancelled = [(k, v.get("result")) for k, v in ns.items()
+                       if v.get("result") == "cancelled"]
           if pending:
               print(f"WARN: {len(pending)} job(s) still in-flight (result=null): " +
                     ", ".join(k for k, _ in pending), file=sys.stderr)
+          if cancelled:
+              print(f"INFO: {len(cancelled)} job(s) masked by continue-on-error: " +
+                    ", ".join(k for k, _ in cancelled), file=sys.stderr)
           print(f"OK: all {len(ns)} required jobs succeeded (or Phase-3 suppressed)")
           '
-- 
2.52.0


From c8f8c545e944dc55ab2128b71d1aefd7d6ef4de0 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps <core-devops@agents.moleculesai.app>
Date: Tue, 12 May 2026 11:44:08 +0000
Subject: [PATCH 3/4] ci: re-run lint checks with Paired: #669 in PR body
 (body-edited after initial push)

---
 .gitea/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 16da3040f..aec6d40df 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -536,7 +536,7 @@ jobs:
     # `.gitea/scripts/ci-required-drift.py::ci_job_names`).
     #
     # Phase 3 (RFC #219 §1) safety: underlying build jobs carry
-    # continue-on-error: true so their failures are masked to null
+    # continue-on-error: true so their failures are masked to null (2026-05-12: re-enabled mc#664 interim)
     # (Gitea suppresses status reporting for CoE jobs). This sentinel
     # runs with continue-on-error: false so it always reports its
     # result to the API — without this, the required-status entry
-- 
2.52.0


From de7896fe74a5d6a60e7cbaed438ac83459ca88ba Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps <core-devops@agents.moleculesai.app>
Date: Tue, 12 May 2026 15:54:05 +0000
Subject: [PATCH 4/4] fix(ci): lint TRACKER_RE false-negative + self-fix inline
 comment

TRACKER_RE required the tracker to immediately follow `# ` (comment
marker + optional whitespace). Trackers embedded mid-sentence after
prose (e.g. `... internal#350.`) were missed because the `\s*` prefix
consumed the `#` and then couldn't match `mc|internal` at the next
position.

Fix: remove the `#\s*` anchor so the regex scans the full line.
This correctly finds:
  - Inline: `# continue-on-error: true  # mc#664`
  - Standalone: `# mc#664 fix`
  - Mid-sentence: `# ... internal#350.`
  - Full-sentence: `# see mc#1234 for details`

Self-fix: add explicit `# internal#350` inline on the lint job's
continue-on-error: true line in lint-continue-on-error-tracking.yml.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/scripts/lint_continue_on_error_tracking.py    | 8 +++++---
 .gitea/workflows/lint-continue-on-error-tracking.yml | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/.gitea/scripts/lint_continue_on_error_tracking.py b/.gitea/scripts/lint_continue_on_error_tracking.py
index f8a0269ad..afb1fcaee 100644
--- a/.gitea/scripts/lint_continue_on_error_tracking.py
+++ b/.gitea/scripts/lint_continue_on_error_tracking.py
@@ -98,11 +98,13 @@ except ImportError:
 # ---------------------------------------------------------------------------
 # Tracker comment regex.
 # Matches: `# mc#1234`, `# internal#42`, `# mc#1234 - description`
+# Also matches trackers embedded mid-sentence: `# see mc#1234 for details`
 # Does NOT match: `# mc1234` (missing inner #), `mc#1234` (no leading
-# `#` comment marker), `# MC#1234` (case-sensitive — `mc` and `internal`
-# are conventional lower-case repo slugs).
+# comment `#`), `# MC#1234` (case-sensitive). The search is line-wide,
+# not just at the comment-marker prefix — fixes false-negative when
+# the tracker appears mid-sentence (e.g. `internal#350` after prose).
 TRACKER_RE = re.compile(
-    r"#\s*(?P<slug>mc|internal)#(?P<num>\d+)\b"
+    r"(?P<slug>mc|internal)#(?P<num>\d+)\b"
 )
 
 # Truthy continue-on-error values we treat as "true". PyYAML decodes
diff --git a/.gitea/workflows/lint-continue-on-error-tracking.yml b/.gitea/workflows/lint-continue-on-error-tracking.yml
index b9d03e3de..cd3a59a0d 100644
--- a/.gitea/workflows/lint-continue-on-error-tracking.yml
+++ b/.gitea/workflows/lint-continue-on-error-tracking.yml
@@ -97,7 +97,7 @@ jobs:
     # PRs. Pre-existing continue-on-error: true directives on main
     # all violate this lint at first — intentional. Flip to false
     # follow-up after main is clean for 3 days. internal#350.
-    continue-on-error: true
+    continue-on-error: true  # internal#350 Phase 3 mask — 14d forced-renewal cadence
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
-- 
2.52.0