fix: isolate immutable session context tests (#714)
This commit is contained in:
+36
-38
@@ -1131,7 +1131,7 @@ def _seed_session_context(
|
||||
org: str | None = None,
|
||||
source: str = "seed",
|
||||
) -> dict:
|
||||
"""Seed/rebind immutable session context with env/override awareness (#714)."""
|
||||
"""Seed immutable session context once for the current process (#714)."""
|
||||
expected = (profile.get("username") or "").strip() or None
|
||||
return session_ctx.seed_session_context_if_unbound(
|
||||
profile_name=profile.get("profile_name") or "",
|
||||
@@ -1143,8 +1143,6 @@ def _seed_session_context(
|
||||
role_kind=_profile_role_kind(profile),
|
||||
expected_username=expected,
|
||||
source=source,
|
||||
active_profile_override=gitea_config._active_profile_override,
|
||||
env_profile=(os.environ.get("GITEA_MCP_PROFILE") or "").strip() or None,
|
||||
)
|
||||
import issue_work_duplicate_gate # noqa: E402
|
||||
import issue_workflow_labels # noqa: E402
|
||||
@@ -2097,6 +2095,10 @@ def gitea_create_issue(
|
||||
blocked = _profile_permission_block(
|
||||
task_capability_map.required_permission("create_issue"),
|
||||
number=None,
|
||||
remote=remote,
|
||||
host=h,
|
||||
org=o,
|
||||
repo=r,
|
||||
)
|
||||
if blocked:
|
||||
return blocked
|
||||
@@ -2537,6 +2539,10 @@ def gitea_create_pr(
|
||||
blocked = _profile_permission_block(
|
||||
task_capability_map.required_permission("create_pr"),
|
||||
number=None,
|
||||
remote=remote,
|
||||
host=host,
|
||||
org=org,
|
||||
repo=repo,
|
||||
)
|
||||
if blocked:
|
||||
return blocked
|
||||
@@ -5373,7 +5379,7 @@ def gitea_commit_files(
|
||||
return blocked
|
||||
blocked = _profile_permission_block(
|
||||
task_capability_map.required_permission("commit_files"),
|
||||
commit="", branch="",
|
||||
commit="", branch="", remote=remote, host=host, org=org, repo=repo,
|
||||
)
|
||||
if blocked:
|
||||
return blocked
|
||||
@@ -7613,9 +7619,16 @@ def _session_context_mutation_block(
|
||||
}
|
||||
profile_name = profile.get("profile_name")
|
||||
expected = (profile.get("username") or "").strip() or None
|
||||
h = host or (REMOTES.get(remote or "", {}).get("host") if remote else None)
|
||||
remote_config = REMOTES.get(remote or "", {}) if remote else {}
|
||||
h = host or remote_config.get("host")
|
||||
resolved_org = org or remote_config.get("org")
|
||||
resolved_repo = repo or remote_config.get("repo")
|
||||
identity = username
|
||||
if identity is None and h:
|
||||
# Legacy env-only profiles do not declare an expected identity. Their
|
||||
# first mutation still pins remote/host/repository, while existing audit
|
||||
# paths resolve identity at the actual write. Configured identities are
|
||||
# always verified here before a mutation can proceed.
|
||||
if identity is None and expected and h:
|
||||
try:
|
||||
identity = _authenticated_username(h)
|
||||
except Exception:
|
||||
@@ -7643,8 +7656,8 @@ def _session_context_mutation_block(
|
||||
remote=remote,
|
||||
host=h,
|
||||
identity=identity,
|
||||
repository=repo,
|
||||
org=org,
|
||||
repository=resolved_repo,
|
||||
org=resolved_org,
|
||||
source="mutation-gate-seed",
|
||||
)
|
||||
ctx_gate = session_ctx.assess_session_context(
|
||||
@@ -7652,8 +7665,8 @@ def _session_context_mutation_block(
|
||||
remote=remote,
|
||||
host=h,
|
||||
identity=identity,
|
||||
repository=repo,
|
||||
org=org,
|
||||
repository=resolved_repo,
|
||||
org=resolved_org,
|
||||
expected_username=expected,
|
||||
require_bound=True,
|
||||
)
|
||||
@@ -7697,7 +7710,19 @@ def _profile_permission_block(required_operation: str, **extra_fields) -> dict |
|
||||
# #714: evaluate active profile only — never auto-switch.
|
||||
_ensure_matching_profile(required_operation, req_role, extra_fields.get("remote"))
|
||||
|
||||
ctx_block = _session_context_mutation_block(
|
||||
reasons = _profile_operation_gate(required_operation)
|
||||
if reasons:
|
||||
blocked = {
|
||||
"success": False,
|
||||
"performed": False,
|
||||
"reasons": reasons,
|
||||
"permission_report": _permission_block_report(required_operation),
|
||||
"session_context_audit": session_ctx.mutation_context_audit_fields(),
|
||||
}
|
||||
blocked.update(extra_fields)
|
||||
return blocked
|
||||
|
||||
return _session_context_mutation_block(
|
||||
remote=extra_fields.get("remote"),
|
||||
host=extra_fields.get("host"),
|
||||
org=extra_fields.get("org"),
|
||||
@@ -7706,21 +7731,6 @@ def _profile_permission_block(required_operation: str, **extra_fields) -> dict |
|
||||
issue_number=extra_fields.get("issue_number"),
|
||||
pr_number=extra_fields.get("pr_number"),
|
||||
)
|
||||
if ctx_block is not None:
|
||||
return ctx_block
|
||||
|
||||
reasons = _profile_operation_gate(required_operation)
|
||||
if not reasons:
|
||||
return None
|
||||
blocked = {
|
||||
"success": False,
|
||||
"performed": False,
|
||||
"reasons": reasons,
|
||||
"permission_report": _permission_block_report(required_operation),
|
||||
"session_context_audit": session_ctx.mutation_context_audit_fields(),
|
||||
}
|
||||
blocked.update(extra_fields)
|
||||
return blocked
|
||||
|
||||
|
||||
def _namespace_mutation_block(mutation_task: str, **extra_fields) -> dict | None:
|
||||
@@ -7730,18 +7740,6 @@ def _namespace_mutation_block(mutation_task: str, **extra_fields) -> dict | None
|
||||
# #714: evaluate active profile only — never auto-switch.
|
||||
_ensure_matching_profile(required_permission, required_role, extra_fields.get("remote"))
|
||||
|
||||
ctx_block = _session_context_mutation_block(
|
||||
remote=extra_fields.get("remote"),
|
||||
host=extra_fields.get("host"),
|
||||
org=extra_fields.get("org"),
|
||||
repo=extra_fields.get("repo"),
|
||||
number=extra_fields.get("number"),
|
||||
issue_number=extra_fields.get("issue_number"),
|
||||
pr_number=extra_fields.get("pr_number"),
|
||||
)
|
||||
if ctx_block is not None:
|
||||
return ctx_block
|
||||
|
||||
try:
|
||||
profile = get_profile()
|
||||
except Exception as exc:
|
||||
|
||||
Reference in New Issue
Block a user