molecule-ai/molecule-core
41
0
Fork 2
Code Issues 103 Pull Requests 147 Actions 122 Packages Projects Releases Wiki Activity
4d3c326fd9
molecule-core/Makefile
core-be 4d3c326fd9
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Failing after 0s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Failing after 0s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Failing after 0s
Details
qa-review / approved (pull_request) Failing after 0s
Details
security-review / approved (pull_request) Failing after 1s
Details
sop-checklist / all-items-acked (pull_request) Successful in 15s
Details
gate-check-v3 / gate-check (pull_request) Waiting to run
Details
sop-tier-check / tier-check (pull_request) Waiting to run
Details
lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Successful in 2m1s
Details
test(provisioner): fast local-Docker parity test for the token-injection ownership bug class 
The Hermes fleet-wide list_peers 401 (#1877/#418) came from
WriteAuthTokenToVolume + WriteFilesToContainer delivering /configs
token files root:root AFTER the entrypoint's chown -R agent /configs,
so the AgentUID a2a_mcp_server got EACCES → empty bearer → 401. Those
are Docker API ops, NOT AWS — they were only "prod-only" because the
local stack didn't drive the same post-start re-injection sequence,
NOT because they need EC2.

This test invokes the REAL WriteAuthTokenToVolume + WriteFilesToContainer
against the LOCAL Docker daemon and asserts AgentUID can re-write
/configs/.auth_token + .platform_inbound_secret (the save_token
O_WRONLY|O_TRUNC recovery path that actually 401'd Hermes — a read
probe stays green on root:root because the file is world-readable, so
that would have been a vacuous proxy assertion).

Demonstrated both directions against the two code states:
  - pre-fix (pristine staging): headline test FAILS in ~0.9s — would
    have caught Hermes locally instead of an ~1h EC2 round-trip.
  - post-fix (this PR's base, the agent-owned-injection fix): PASSES
    in ~0.87s.
TestTokenOwnership_FailPre_ProvesCatch pins the pre-fix root:root
delivery shape independently so the catch stays demonstrable on this
fix-based branch (the assertion is load-bearing, not vacuously green).
TestTokenOwnership_DockerIsLocalNotAWS statically guards that the
provisioner has no AWS SDK dep — the reason this bug class is locally
reproducible at all.

Wired into the mandatory local-E2E gate via `make test-local-e2e`
(feedback_mandatory_local_e2e_before_ship); self-skips when no Docker
daemon is reachable so `make test`/CI stays green on Docker-less
runners. Local fast counterpart to the staging-required gate.

Stacked on fix/workspace-token-injection-agent-owned (PR #1327) so it
lands green; references the exported provisioner.AgentUID contract
rather than a duplicated literal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 02:37:07 -07:00

43 lines
2.0 KiB
Makefile
Raw Blame History

# Top-level Makefile — convenience wrappers around docker compose.
#
# Most molecule-core dev work happens via these shortcuts. CI doesn't
# use this Makefile; CI calls docker compose / go test directly so the
# Makefile can evolve without breaking the build.
.PHONY: help dev up down logs build test test-local-e2e
help: ## Show this help.
@grep -E '^[a-zA-Z_-]+:.*?## ' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-12s\033[0m %s\n", $$1, $$2}'
dev: ## Start the full stack with air hot-reload for the platform service.
docker compose -f docker-compose.yml -f docker-compose.dev.yml up
up: ## Start the full stack in production-shape mode (no air, normal Dockerfile).
docker compose up
down: ## Stop the stack and remove containers (volumes preserved).
docker compose down
logs: ## Tail logs from all services (Ctrl-C to detach).
docker compose logs -f
build: ## Force a fresh build of the platform image (no cache).
docker compose build --no-cache platform
test: ## Run Go unit tests in workspace-server/.
cd workspace-server && go test -race ./...
# Mandatory local-E2E gate (feedback_mandatory_local_e2e_before_ship,
# feedback_local_must_mimic_production). The provisioner-parity tests
# invoke the REAL WriteAuthTokenToVolume + WriteFilesToContainer against
# the LOCAL Docker daemon and assert /configs token files are
# AgentUID-owned — the formerly-prod-only token-injection ownership bug
# class (Hermes list_peers 401, #1877/#418), now caught in SECONDS
# locally instead of an ~1h EC2 round-trip. These self-skip when no
# Docker daemon is reachable (so `make test`/CI stays green on
# Docker-less runners); this target requires a daemon and is the local
# fast counterpart to the staging-required gate. Run before pushing any
# workspace-server provisioner change.
test-local-e2e: ## Run Docker-gated local-E2E parity tests (requires a local Docker daemon).
cd workspace-server && go test -run 'TestTokenOwnership' -v ./internal/provisioner/
Reference in New Issue View Git Blame Copy Permalink