docs: define bootstrap review path for self-hosted MCP fixes (Closes #557)

Document the narrow controller-authorized path for landing MCP workflow
fixes when live daemons cannot canonically review themselves, with
required audits, allowed/forbidden actions, and post-land restart steps.
This commit is contained in:
2026-07-08 22:36:10 -04:00
parent 9a2e585a9e
commit 565363d5f4
4 changed files with 307 additions and 1 deletions
+22
View File
@@ -408,6 +408,28 @@ The guard blocks when the **control checkout** (repository root) is:
`branches/...` directories are disposable role worktrees; the root checkout is
the stable orchestration surface only.
## Bootstrap Review Path for self-hosted MCP fixes (#557)
When a PR fixes Gitea-Tools MCP workflow code that the **live daemon** still
runs from broken `master`, canonical review can deadlock on itself.
Do **not** improvise raw API, direct imports, root edits, or gate bypasses.
Use the narrow controller-authorized path documented in:
- [`docs/bootstrap-review-path.md`](bootstrap-review-path.md)
Hard rules:
- No merge without a durable `BOOTSTRAP REVIEW AUTHORIZATION (#557)` record on
the PR or linked issue.
- Validation, duplicate-PR, mutation-ledger, and contamination audits remain
mandatory.
- Root checkout stays read-only orchestration only; verification runs in
`branches/` worktrees.
- After land: restart MCP daemons and re-verify with canonical tools only.
- This never weakens normal reviewer/merger gates for ordinary PRs.
## Shell Spawn Hard-Stop Rule
Symptom: a shell tool call returns `exit_code: -1` with empty stdout/stderr.