core-devops
71c68e44f2
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s
CI / Python Lint & Test (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 7s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 11s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s
E2E Chat / detect-changes (pull_request) Successful in 10s
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 9s
Harness Replays / detect-changes (pull_request) Successful in 6s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 5s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 8s
Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 10s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m10s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m3s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m21s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 5s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
sync-providers-yaml / Compare synced providers.yaml against controlplane canonical (pull_request) Failing after 5s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m36s
gate-check-v3 / gate-check (pull_request) Successful in 12s
verify-providers-gen / Regenerate providers artifact and fail on drift (pull_request) Successful in 38s
qa-review / approved (pull_request) Failing after 6s
security-review / approved (pull_request) Failing after 7s
sop-checklist / review-refire (pull_request) Has been skipped
sop-tier-check / tier-check (pull_request) Successful in 7s
CI / Canvas (Next.js) (pull_request) Successful in 2s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5s
E2E Chat / E2E Chat (pull_request) Successful in 3s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 14s
Harness Replays / Harness Replays (pull_request) Successful in 7s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m34s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m34s
CI / Platform (Go) (pull_request) Successful in 5m44s
CI / all-required (pull_request) Successful in 8m39s
sop-checklist / all-items-acked (pull_request) [info tier:low] acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, l
sop-checklist / na-declarations (pull_request) N/A: (none)
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Distributes the provider-registry SSOT into molecule-core per the CTO-decided
shape (internal#718 comment, 2026-05-27): "Distribution = SDK via codegen +
verify-CI", multi-repo branch "codegen-checked-into-each-repo + verify-CI".
molecule-core has no Go module dependency on molecule-controlplane, so this
lands a SYNCED COPY of the canonical providers.yaml plus the loader,
DeriveProvider/IsPlatform/ResolveUpstream, the generated Go projection
(cmd/gen-providers), and the drift gates — a byte-faithful mirror of the
controlplane P0/P1 machinery. Canonical SSOT stays in controlplane
internal/providers/providers.yaml.
ZERO behavior change (additive, like P0): NO production code path imports the
new package yet. P2-B wires the billing/credential decision onto the loader.
What lands:
- internal/providers/{providers.go,derive_provider.go,providers.yaml} — mirror
of the controlplane loader + canonical YAML (synced copy).
- internal/providers/gen/registry_gen.go — generated projection; fingerprint
faffcbe59bb9f38c matches controlplane.
- cmd/gen-providers — the generator (go generate + -check drift mode).
- .gitea/workflows/verify-providers-gen.yml — artifact ↔ synced-copy drift gate
(mirror of the controlplane workflow; standalone, not in branch protection
yet — same soak-then-promote posture).
- .gitea/workflows/sync-providers-yaml.yml — NEW cross-repo gate: fetches the
controlplane canonical providers.yaml and byte-compares against core's synced
copy (RED on canonical drift). Read-only AUTO_SYNC_TOKEN; degrades to a
warning if the token is absent.
- internal/providers/sync_canonical_test.go — hermetic sha pin of the synced
copy (the always-on backstop; catches a hand-edit even with no network).
- internal/providers/gen_import_boundary_test.go — arch-lint-equivalent AST gate
(core has no go-arch-lint): no production package may import the raw gen
projection. Proven load-bearing.
Build/test: go build ./... (+ -tags=integration) green; providers/gen/
gen-providers suites pass (incl. -race); gen -check in sync; gofmt + vet clean.
internal#718 P2-A. NO behavior change. Not merged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>