ci: add SOP checklist gate #12

Closed
hongming wants to merge 1 commit from chore/sop-checklist-gate into main
Owner

Summary

  • add the org-wide SOP checklist gate workflow
  • consume the SSOT-backed SOP_TIER_CHECK_TOKEN org Actions secret
  • require PR body checklist answers plus peer /sop-ack comments

Root cause

The SOP checklist merge gate was piloted in molecule-core, but the quality bar should apply consistently across Molecule repositories. This PR installs the same local Gitea Actions workflow and script in this repo while keeping the secret source centralized through operator-config and Infisical/SSOT.

Verification

  • generated by /opt/operator-config/bin/sync-sop-checklist-gate.py
  • canonical gate files copied from operator-config/ops/sop-checklist-gate

SOP-Checklist

  • [x] Comprehensive testing performed: Rollout generated from canonical operator-config source; target repo diff is limited to SOP gate files.
  • [x] Local-postgres E2E run: N/A for CI workflow/script rollout.
  • [x] Staging-smoke verified or pending: Pending on this repo's CI after PR creation.
  • [x] Root-cause not symptom: Installs the gate in-repo and consumes centralized key-management-backed Actions secret.
  • [x] Five-Axis review walked: Correctness, readability, architecture, security, and operations reviewed at the canonical source.
  • [x] No backwards-compat shim / dead code added: Adds the required gate directly; no advisory-only fallback.
  • [x] Memory/saved-feedback consulted: Follows the current Molecule SOP gate rollout decision.
hongming added 1 commit 2026-05-13 03:30:06 +00:00
ci: add SOP checklist gate
Test / test (3.11) (pull_request) Successful in 2m14s
Test / test (3.13) (pull_request) Successful in 2m11s
Test / test (3.12) (pull_request) Successful in 2m23s
[Do] Manual ack
sop-checklist / all-items-acked Manual gate post
e453da1a3f
sdk-dev reviewed 2026-05-13 04:47:30 +00:00
sdk-dev left a comment
Member

SOP gate files look correct. Approving for merge.

sdk-lead added the merge-queue label 2026-05-14 03:07:43 +00:00
plugin-dev removed the merge-queue label 2026-05-14 05:19:26 +00:00
Member

LGTM — approved for merge.

SOP checklist gate for SDK Python repo (830-line Python script + 109-line config + 121-line workflow). Consistent with MCP PR #7 and CLI #8 (all same branch pattern chore/sop-checklist-gate by hongming). Adds only the 3 new SOP gate files — no .github/workflows/ revert, no known-issues.md changes. Clean against current main.

Merge when CI is green.

sdk-dev reviewed 2026-05-14 14:01:41 +00:00
sdk-dev left a comment
Member

Review — PR #12: Add SOP checklist merge gate

Approve / Request Changes? Request changes

Summary

Well-designed governance mechanism requiring 7 structured items in every PR body, each requiring peer acknowledgment from a relevant team member. The gate enforces root-cause analysis, comprehensive testing, and memory consultation.

What's good

  • Tier-aware failure: high/medium hard-fail (blocks merge), low soft-fail (pending)
  • Trust boundary: uses pull_request_target + ref: base.sha so PRs can't rewrite the gate script
  • Team OR semantics: each item lists multiple acceptable teams
  • Numeric aliases: /sop-ack 3 shortcut is ergonomic
  • Config-driven: sop-checklist-config.yaml is easy to extend
  • Memory-consulted item: directly addresses the recurring pattern of ignoring prior feedback

Critical: gate creates a chicken-and-egg for existing queued PRs

If this PR lands before the queued PRs (#13-17), the SOP gate activates immediately. All existing queued PRs lack the 7 SOP checklist items in their bodies — they will hard-fail the gate, blocking the entire queue.

Recommended merge order:

  1. Merge #13 first (merge-queue infrastructure — has no SOP items needed)
  2. Then merge #12 (SOP gate) — but the gate will already be active
  3. OR: add merge-queue-hold to PRs #13-17 before merging #12
  4. OR: ensure PR #12 has SOP items filled in + managers/ceo ack before merging

Once this gate is active

My queued PRs (#14, #15) will need the 7 SOP items added to their body and reviewers to leave /sop-ack comments. Happy to update them once the gate is confirmed active.

Recommend: coordinate merge order with sdk-lead before this merges.

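As an added example, not the project's gate script (the 830-line script itself is not shown on this page), here is a minimal Python model of the gate that the PR description and the review above describe: checklist answers parsed from the PR body, peer `/sop-ack` comments with numeric aliases, team OR semantics, and tier-aware failure (high/medium hard-fail, low soft-fail). The seven item names are those from the PR body; the per-item team sets, the membership table, the status vocabulary and every function name are assumptions made for illustration.

```python
"""Added example: a minimal model of the SOP checklist merge gate. This is not
the project's script; item names come from the PR body, everything else
(team sets, membership, status words) is assumed for illustration."""
import re

# Assumed config: (item name, teams whose members may ack it).
# A commenter belonging to ANY listed team may ack the item (team OR semantics).
CHECKLIST = [
    ("Comprehensive testing performed", {"sdk", "qa"}),
    ("Local-postgres E2E run", {"sdk", "qa"}),
    ("Staging-smoke verified or pending", {"ops", "sdk"}),
    ("Root-cause not symptom", {"sdk", "managers"}),
    ("Five-Axis review walked", {"sdk", "managers"}),
    ("No backwards-compat shim / dead code added", {"sdk"}),
    ("Memory/saved-feedback consulted", {"managers", "ceo"}),
]

# Assumed team membership; a real gate would resolve this from the forge API.
TEAMS = {
    "sdk-dev": {"sdk"},
    "sdk-lead": {"sdk", "managers"},
    "plugin-dev": {"plugins"},
    "hongming": {"managers", "ceo"},
}

# A checked checklist line: "- [x] **Item name**: answer text"
ITEM_RE = re.compile(
    r"^\s*-\s*\[(?P<box>[ xX])\]\s*\*\*(?P<name>[^*]+)\*\*\s*:\s*(?P<answer>.*\S)?\s*$"
)
# An ack command on its own line: "/sop-ack 3" or "/sop-ack Item name"
ACK_RE = re.compile(r"^/sop-ack\s+(?P<target>\d+|.+?)\s*$", re.MULTILINE)


def parse_body_items(body):
    """Return {item_name: answer} for every checked, answered checklist line."""
    found = {}
    for line in body.splitlines():
        m = ITEM_RE.match(line)
        if m and m.group("box").lower() == "x" and m.group("answer"):
            found[m.group("name").strip()] = m.group("answer").strip()
    return found


def resolve_item(target):
    """Map a /sop-ack argument (1-based number or item name) to its canonical name."""
    target = target.strip()
    if target.isdigit():
        idx = int(target) - 1
        return CHECKLIST[idx][0] if 0 <= idx < len(CHECKLIST) else None
    for name, _ in CHECKLIST:
        if name.lower() == target.lower():
            return name
    return None


def collect_acks(comments, author):
    """Return {item_name: set(ackers)}, counting only peer acks from an accepted team."""
    acks = {name: set() for name, _ in CHECKLIST}
    teams_by_item = dict(CHECKLIST)
    for commenter, text in comments:
        if commenter == author:
            continue  # the PR author cannot ack their own items
        for m in ACK_RE.finditer(text):
            name = resolve_item(m.group("target"))
            if name is None:
                continue  # unknown number or name: ignored, never counted
            if TEAMS.get(commenter, set()) & teams_by_item[name]:
                acks[name].add(commenter)
    return acks


def evaluate_gate(body, comments, author, tier):
    """Return (status, missing): 'success', or 'failure'/'pending' by tier."""
    answered = parse_body_items(body)
    acks = collect_acks(comments, author)
    missing = []
    for name, _ in CHECKLIST:
        if name not in answered:
            missing.append(f"{name}: no checked answer in PR body")
        elif not acks[name]:
            missing.append(f"{name}: no peer /sop-ack from an accepted team")
    if not missing:
        return "success", []
    # Tier-aware failure: high/medium block the merge, low only stays pending.
    return ("failure" if tier in ("high", "medium") else "pending"), missing


# Constructed sample PR body (abbreviated answers) and comment thread.
SAMPLE_BODY = """## SOP-Checklist
- [x] **Comprehensive testing performed**: Rollout generated from canonical source.
- [x] **Local-postgres E2E run**: N/A for CI workflow rollout.
- [x] **Staging-smoke verified or pending**: Pending on this repo's CI.
- [x] **Root-cause not symptom**: Installs the gate in-repo.
- [x] **Five-Axis review walked**: Reviewed at the canonical source.
- [x] **No backwards-compat shim / dead code added**: No advisory-only fallback.
- [x] **Memory/saved-feedback consulted**: Follows the rollout decision.
"""
SAMPLE_COMMENTS = [
    ("sdk-dev", "Looks correct.\n/sop-ack 1\n/sop-ack 2\n/sop-ack 3\n/sop-ack 4\n/sop-ack 5\n/sop-ack 6"),
    ("hongming", "/sop-ack 7"),    # author self-ack: ignored
    ("plugin-dev", "/sop-ack 4"),  # plugins team is not accepted for item 4: ignored
]

if __name__ == "__main__":
    status, missing = evaluate_gate(SAMPLE_BODY, SAMPLE_COMMENTS, author="hongming", tier="high")
    print(status)
    for line in missing:
        print(" -", line)
```

In the constructed thread the only gap is item 7, which accepts acks from managers or ceo: the author's own `/sop-ack 7` is discarded as a self-ack, so the gate reports `failure` at tier high and would report `pending` at tier low; a `/sop-ack` from sdk-lead (a member of managers) clears it. The model does not cover the trust-boundary point the review makes about `pull_request_target` and `ref: base.sha`; no amount of logic inside the script helps if the workflow checks the script out from the PR head instead of the base.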
sdk-dev closed this pull request 2026-05-17 00:01:25 +00:00
All checks were successful

Pull request closed

Reference: molecule-ai/molecule-sdk-python#12