fix: isolate immutable session context tests (#714)

This commit is contained in:
2026-07-15 02:26:27 -04:00
parent 632c568865
commit 29ffe1407f
7 changed files with 303 additions and 126 deletions
+36 -38
View File
@@ -1131,7 +1131,7 @@ def _seed_session_context(
org: str | None = None,
source: str = "seed",
) -> dict:
"""Seed/rebind immutable session context with env/override awareness (#714)."""
"""Seed immutable session context once for the current process (#714)."""
expected = (profile.get("username") or "").strip() or None
return session_ctx.seed_session_context_if_unbound(
profile_name=profile.get("profile_name") or "",
@@ -1143,8 +1143,6 @@ def _seed_session_context(
role_kind=_profile_role_kind(profile),
expected_username=expected,
source=source,
active_profile_override=gitea_config._active_profile_override,
env_profile=(os.environ.get("GITEA_MCP_PROFILE") or "").strip() or None,
)
import issue_work_duplicate_gate # noqa: E402
import issue_workflow_labels # noqa: E402
@@ -2097,6 +2095,10 @@ def gitea_create_issue(
blocked = _profile_permission_block(
task_capability_map.required_permission("create_issue"),
number=None,
remote=remote,
host=h,
org=o,
repo=r,
)
if blocked:
return blocked
@@ -2537,6 +2539,10 @@ def gitea_create_pr(
blocked = _profile_permission_block(
task_capability_map.required_permission("create_pr"),
number=None,
remote=remote,
host=host,
org=org,
repo=repo,
)
if blocked:
return blocked
@@ -5373,7 +5379,7 @@ def gitea_commit_files(
return blocked
blocked = _profile_permission_block(
task_capability_map.required_permission("commit_files"),
commit="", branch="",
commit="", branch="", remote=remote, host=host, org=org, repo=repo,
)
if blocked:
return blocked
@@ -7613,9 +7619,16 @@ def _session_context_mutation_block(
}
profile_name = profile.get("profile_name")
expected = (profile.get("username") or "").strip() or None
h = host or (REMOTES.get(remote or "", {}).get("host") if remote else None)
remote_config = REMOTES.get(remote or "", {}) if remote else {}
h = host or remote_config.get("host")
resolved_org = org or remote_config.get("org")
resolved_repo = repo or remote_config.get("repo")
identity = username
if identity is None and h:
# Legacy env-only profiles do not declare an expected identity. Their
# first mutation still pins remote/host/repository, while existing audit
# paths resolve identity at the actual write. Configured identities are
# always verified here before a mutation can proceed.
if identity is None and expected and h:
try:
identity = _authenticated_username(h)
except Exception:
@@ -7643,8 +7656,8 @@ def _session_context_mutation_block(
remote=remote,
host=h,
identity=identity,
repository=repo,
org=org,
repository=resolved_repo,
org=resolved_org,
source="mutation-gate-seed",
)
ctx_gate = session_ctx.assess_session_context(
@@ -7652,8 +7665,8 @@ def _session_context_mutation_block(
remote=remote,
host=h,
identity=identity,
repository=repo,
org=org,
repository=resolved_repo,
org=resolved_org,
expected_username=expected,
require_bound=True,
)
@@ -7697,7 +7710,19 @@ def _profile_permission_block(required_operation: str, **extra_fields) -> dict |
# #714: evaluate active profile only — never auto-switch.
_ensure_matching_profile(required_operation, req_role, extra_fields.get("remote"))
ctx_block = _session_context_mutation_block(
reasons = _profile_operation_gate(required_operation)
if reasons:
blocked = {
"success": False,
"performed": False,
"reasons": reasons,
"permission_report": _permission_block_report(required_operation),
"session_context_audit": session_ctx.mutation_context_audit_fields(),
}
blocked.update(extra_fields)
return blocked
return _session_context_mutation_block(
remote=extra_fields.get("remote"),
host=extra_fields.get("host"),
org=extra_fields.get("org"),
@@ -7706,21 +7731,6 @@ def _profile_permission_block(required_operation: str, **extra_fields) -> dict |
issue_number=extra_fields.get("issue_number"),
pr_number=extra_fields.get("pr_number"),
)
if ctx_block is not None:
return ctx_block
reasons = _profile_operation_gate(required_operation)
if not reasons:
return None
blocked = {
"success": False,
"performed": False,
"reasons": reasons,
"permission_report": _permission_block_report(required_operation),
"session_context_audit": session_ctx.mutation_context_audit_fields(),
}
blocked.update(extra_fields)
return blocked
def _namespace_mutation_block(mutation_task: str, **extra_fields) -> dict | None:
@@ -7730,18 +7740,6 @@ def _namespace_mutation_block(mutation_task: str, **extra_fields) -> dict | None
# #714: evaluate active profile only — never auto-switch.
_ensure_matching_profile(required_permission, required_role, extra_fields.get("remote"))
ctx_block = _session_context_mutation_block(
remote=extra_fields.get("remote"),
host=extra_fields.get("host"),
org=extra_fields.get("org"),
repo=extra_fields.get("repo"),
number=extra_fields.get("number"),
issue_number=extra_fields.get("issue_number"),
pr_number=extra_fields.get("pr_number"),
)
if ctx_block is not None:
return ctx_block
try:
profile = get_profile()
except Exception as exc: