hongming
8019231a16
ci-arm64-advisory / fast-checks (push) Waiting to run
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (push) Successful in 8s
Block internal-flavored paths / Block forbidden paths (push) Successful in 8s
CI / Detect changes (push) Successful in 9s
CI / Python Lint & Test (push) Successful in 5s
E2E API Smoke Test / detect-changes (push) Successful in 9s
E2E Chat / detect-changes (push) Successful in 8s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (push) Successful in 49s
E2E Staging Canvas (Playwright) / detect-changes (push) Successful in 12s
publish-workspace-server-image / build-and-push (push) Successful in 3m12s
E2E Staging SaaS (full lifecycle) / pr-validate (push) Successful in 39s
Handlers Postgres Integration / detect-changes (push) Successful in 4s
Harness Replays / detect-changes (push) Successful in 5s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (push) Successful in 6s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (push) Successful in 4s
Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (push) Successful in 3s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (push) Successful in 3s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (push) Successful in 1m6s
Secret scan / Scan diff for credential-shaped strings (push) Successful in 14s
CI / Canvas (Next.js) (push) Successful in 3s
CI / Shellcheck (E2E scripts) (push) Successful in 2s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (push) Successful in 1m25s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (push) Successful in 5m19s
E2E Staging External Runtime / E2E Staging External Runtime (push) Successful in 5m30s
E2E API Smoke Test / E2E API Smoke Test (push) Successful in 2m23s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (push) Successful in 6m5s
E2E Chat / E2E Chat (push) Successful in 4m6s
CI / Platform (Go) (push) Successful in 5m0s
CI / all-required (push) Successful in 9m45s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 2s
publish-workspace-server-image / Production auto-deploy (push) Successful in 8m32s
Harness Replays / Harness Replays (push) Successful in 12s
CI / Canvas Deploy Reminder (push) Successful in 2s
Handlers Postgres Integration / Handlers Postgres Integration (push) Successful in 1m37s
Sweep stale Cloudflare Tunnels / Sweep CF tunnels (push) Successful in 8s
Sweep stale e2e-* orgs (staging) / Sweep e2e orgs (push) Successful in 12s
Staging SaaS smoke (every 30 min) / Staging SaaS smoke (push) Successful in 5m9s
main-red-watchdog / watchdog (push) Successful in 32s
gate-check-v3 / gate-check (push) Successful in 25s
Continuous synthetic E2E (staging) / Synthetic E2E against staging (push) Successful in 6m10s
CTO-bypass merge 2026-05-24: #1760 Go module rename to git.moleculesai.app path
131 lines
4.1 KiB
Go
131 lines
4.1 KiB
Go
package registry
|
|
|
|
import (
|
|
"database/sql"
|
|
"log"
|
|
|
|
"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/db"
|
|
)
|
|
|
|
// maxAncestorWalk caps the depth of the parent-chain walk in
|
|
// CanCommunicate. Org trees are realistically 3-5 deep
|
|
// (PM → Dev Lead → Backend Engineer is depth 3); 32 is a safety
|
|
// ceiling so a malformed cycle in the workspaces table can't loop
|
|
// forever.
|
|
const maxAncestorWalk = 32
|
|
|
|
type workspaceRef struct {
|
|
ID string
|
|
ParentID *string
|
|
}
|
|
|
|
func getWorkspaceRef(id string) (*workspaceRef, error) {
|
|
var ws workspaceRef
|
|
var parentID sql.NullString
|
|
err := db.DB.QueryRow(`SELECT id, parent_id FROM workspaces WHERE id = $1`, id).
|
|
Scan(&ws.ID, &parentID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if parentID.Valid {
|
|
ws.ParentID = &parentID.String
|
|
}
|
|
return &ws, nil
|
|
}
|
|
|
|
// isAncestorOf returns true if `ancestorID` is found anywhere on the
|
|
// parent-chain walk starting from `childID`. Walks at most maxAncestorWalk
|
|
// steps so a corrupt parent-cycle cannot loop forever. Returns false on any
|
|
// DB lookup error (logged) — fail-secure.
|
|
func isAncestorOf(ancestorID, childID string) bool {
|
|
current := childID
|
|
for i := 0; i < maxAncestorWalk; i++ {
|
|
ref, err := getWorkspaceRef(current)
|
|
if err != nil {
|
|
log.Printf("isAncestorOf: walk lookup %s: %v", current, err)
|
|
return false
|
|
}
|
|
if ref.ParentID == nil {
|
|
return false
|
|
}
|
|
if *ref.ParentID == ancestorID {
|
|
return true
|
|
}
|
|
current = *ref.ParentID
|
|
}
|
|
log.Printf("isAncestorOf: walk exceeded maxAncestorWalk=%d from %s — corrupt parent chain?",
|
|
maxAncestorWalk, childID)
|
|
return false
|
|
}
|
|
|
|
// CanCommunicate checks if two workspaces can talk to each other based on
|
|
// the org hierarchy. The rules:
|
|
//
|
|
// - self → self
|
|
// - siblings (same parent, including both root-level)
|
|
// - any ancestor → any descendant (e.g. PM → Backend Engineer)
|
|
// - any descendant → any ancestor (e.g. Security Auditor → PM)
|
|
//
|
|
// The third and fourth rules generalise the previous "direct parent ↔
|
|
// child" check. Originally this was strict 1-step parent/child only,
|
|
// which broke the audit-routing contract: Security Auditor (under Dev
|
|
// Lead, under PM) could not call delegate_task on PM to deliver an
|
|
// audit_summary, so it fell back to delegating to Dev Lead — bypassing
|
|
// PM's category_routing entirely.
|
|
//
|
|
// The relaxation preserves the hierarchy intent (no horizontal cross-team
|
|
// chatter — Frontend Engineer cannot directly message Backend Engineer
|
|
// unless they share a parent, which they do under Dev Lead) while
|
|
// unblocking the leadership-chain pattern that is fundamental to how
|
|
// audit summaries fan out across the org.
|
|
func CanCommunicate(callerID, targetID string) bool {
|
|
if callerID == targetID {
|
|
return true
|
|
}
|
|
|
|
caller, err := getWorkspaceRef(callerID)
|
|
if err != nil {
|
|
log.Printf("CanCommunicate: lookup caller %s: %v", callerID, err)
|
|
return false
|
|
}
|
|
target, err := getWorkspaceRef(targetID)
|
|
if err != nil {
|
|
log.Printf("CanCommunicate: lookup target %s: %v", targetID, err)
|
|
return false
|
|
}
|
|
|
|
// Siblings — same parent (including root-level where both have no parent)
|
|
if caller.ParentID != nil && target.ParentID != nil &&
|
|
*caller.ParentID == *target.ParentID {
|
|
return true
|
|
}
|
|
// Root-level siblings — both have no parent
|
|
if caller.ParentID == nil && target.ParentID == nil {
|
|
return true
|
|
}
|
|
|
|
// Direct parent → child (fast path; avoids the ancestor walk)
|
|
if target.ParentID != nil && caller.ID == *target.ParentID {
|
|
return true
|
|
}
|
|
|
|
// Direct child → parent (fast path)
|
|
if caller.ParentID != nil && target.ID == *caller.ParentID {
|
|
return true
|
|
}
|
|
|
|
// Distant ancestor → descendant: caller is somewhere up target's chain.
|
|
// Triggers extra DB lookups, only reached when the fast paths above didn't match.
|
|
if target.ParentID != nil && isAncestorOf(callerID, *target.ParentID) {
|
|
return true
|
|
}
|
|
|
|
// Distant descendant → ancestor: target is somewhere up caller's chain.
|
|
// (e.g. Security Auditor → PM, where Security Auditor's parent is Dev Lead.)
|
|
if caller.ParentID != nil && isAncestorOf(targetID, *caller.ParentID) {
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|