Merge pull request 'Clarify and enforce reviewer-vs-merger role boundaries (#483)' (#486) from feat/issue-483-role-boundaries into master
This commit was merged in pull request #486.
This commit is contained in:
@@ -435,6 +435,40 @@ class ValidateConfigTests(unittest.TestCase):
|
||||
with open(example, encoding="utf-8") as fh:
|
||||
self.assertEqual(gitea_config.validate_config(json.load(fh)), [])
|
||||
|
||||
def test_repo_example_file_reviewer_vs_merger_boundaries(self):
|
||||
example_path = __import__("pathlib").Path(__file__).resolve().parent.parent \
|
||||
/ "gitea-mcp.v2-contexts.example.json"
|
||||
with open(example_path, encoding="utf-8") as fh:
|
||||
cfg = json.load(fh)
|
||||
|
||||
# 1. Config includes separate reviewer and merger examples
|
||||
self.assertIn("example-reviewer", cfg["profiles"])
|
||||
self.assertIn("example-merger", cfg["profiles"])
|
||||
|
||||
reviewer = cfg["profiles"]["example-reviewer"]
|
||||
merger = cfg["profiles"]["example-merger"]
|
||||
|
||||
# 2. Example reviewer config does not include merge capability
|
||||
reviewer_allowed = reviewer.get("allowed_operations") or []
|
||||
reviewer_forbidden = reviewer.get("forbidden_operations") or []
|
||||
|
||||
self.assertNotIn("merge", reviewer_allowed)
|
||||
self.assertNotIn("gitea.pr.merge", reviewer_allowed)
|
||||
self.assertIn("merge", reviewer_forbidden)
|
||||
|
||||
# 3. Example reviewer can resolve review task, cannot resolve merge task
|
||||
# 4. Example merger can resolve merge task
|
||||
rev_review_ok, _ = gitea_config.check_operation("gitea.pr.review", reviewer_allowed, reviewer_forbidden)
|
||||
rev_merge_ok, _ = gitea_config.check_operation("gitea.pr.merge", reviewer_allowed, reviewer_forbidden)
|
||||
|
||||
merg_allowed = merger.get("allowed_operations") or []
|
||||
merg_forbidden = merger.get("forbidden_operations") or []
|
||||
merg_merge_ok, _ = gitea_config.check_operation("gitea.pr.merge", merg_allowed, merg_forbidden)
|
||||
|
||||
self.assertTrue(rev_review_ok, "example-reviewer must allow review")
|
||||
self.assertFalse(rev_merge_ok, "example-reviewer must not allow merge")
|
||||
self.assertTrue(merg_merge_ok, "example-merger must allow merge")
|
||||
|
||||
def test_broken_contexts_config_reports_problems(self):
|
||||
data = contexts_config()
|
||||
data["profiles"]["prgs-author"]["context"] = "nope"
|
||||
|
||||
@@ -705,8 +705,100 @@ class TestEntryPoint(unittest.TestCase):
|
||||
|
||||
def test_supported_task_kinds_include_review_and_reconcile(self):
|
||||
self.assertIn("review_pr", FINAL_REPORT_TASK_KINDS)
|
||||
self.assertIn("merge_pr", FINAL_REPORT_TASK_KINDS)
|
||||
self.assertIn("reconcile_already_landed", FINAL_REPORT_TASK_KINDS)
|
||||
|
||||
|
||||
class TestMergePrRules(unittest.TestCase):
|
||||
def test_clean_merger_report_passes(self):
|
||||
lines = [
|
||||
"## Controller Handoff",
|
||||
"",
|
||||
"- Task: merge PR #203",
|
||||
"- Repo: Scaled-Tech-Consulting/Gitea-Tools",
|
||||
"- Role: merger",
|
||||
"- Identity: sysadmin / prgs-merger",
|
||||
"- Issue/PR: #182 / PR #203",
|
||||
"- Branch/SHA: feat/x @ 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Files changed: review_proofs.py",
|
||||
"- Validation: pytest in branches/review-203",
|
||||
"- Mutations: merge completed",
|
||||
"- File edits by reviewer: none",
|
||||
"- Worktree/index mutations: none",
|
||||
"- Git ref mutations: git fetch prgs master",
|
||||
"- MCP/Gitea mutations: merge completed",
|
||||
"- Review mutations: none",
|
||||
"- Merge mutations: merged PR #203",
|
||||
"- Cleanup mutations: none",
|
||||
"- External-state mutations: none",
|
||||
"- Read-only diagnostics: metadata check",
|
||||
"- Current status: PR merged",
|
||||
"- Blockers: none",
|
||||
"- Next: none",
|
||||
"- Safety: review and merge are separate roles",
|
||||
"- Selected PR: #203",
|
||||
"- Pinned reviewed head: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Reviewed head SHA: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Final live head SHA before approval: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Final live head SHA before merge: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Push occurred during validation: no",
|
||||
"- Active profile: prgs-merger",
|
||||
"- Role kind: merger",
|
||||
"- Merge capability source: profile",
|
||||
"- Explicit operator authorization: MERGE PR 203",
|
||||
"- Expected head SHA: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Approval at current head: yes",
|
||||
"- Merge result: PR merged successfully",
|
||||
"- Cleanup status: complete",
|
||||
]
|
||||
report = "\n".join(lines)
|
||||
result = assess_final_report_validator(
|
||||
report,
|
||||
"merge_pr",
|
||||
)
|
||||
self.assertEqual(result["grade"], "A")
|
||||
self.assertFalse(result["blocked"])
|
||||
|
||||
def test_missing_merger_fields_blocks(self):
|
||||
lines = [
|
||||
"## Controller Handoff",
|
||||
"",
|
||||
"- Task: merge PR #203",
|
||||
"- Repo: Scaled-Tech-Consulting/Gitea-Tools",
|
||||
"- Role: merger",
|
||||
"- Identity: sysadmin / prgs-merger",
|
||||
"- Issue/PR: #182 / PR #203",
|
||||
"- Branch/SHA: feat/x @ 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Files changed: review_proofs.py",
|
||||
"- Validation: pytest in branches/review-203",
|
||||
"- Mutations: merge completed",
|
||||
"- File edits by reviewer: none",
|
||||
"- Worktree/index mutations: none",
|
||||
"- Git ref mutations: git fetch prgs master",
|
||||
"- MCP/Gitea mutations: merge completed",
|
||||
"- Review mutations: none",
|
||||
"- Merge mutations: merged PR #203",
|
||||
"- Cleanup mutations: none",
|
||||
"- External-state mutations: none",
|
||||
"- Read-only diagnostics: metadata check",
|
||||
"- Current status: PR merged",
|
||||
"- Blockers: none",
|
||||
"- Next: none",
|
||||
"- Safety: review and merge are separate roles",
|
||||
"- Selected PR: #203",
|
||||
"- Pinned reviewed head: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Reviewed head SHA: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Final live head SHA before approval: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Final live head SHA before merge: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Push occurred during validation: no",
|
||||
]
|
||||
report = "\n".join(lines)
|
||||
result = assess_final_report_validator(
|
||||
report,
|
||||
"merge_pr",
|
||||
)
|
||||
self.assertTrue(result["downgraded"])
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
|
||||
@@ -952,6 +952,19 @@ class TestMergePR(unittest.TestCase):
|
||||
|
||||
# -- identity / profile / eligibility fail-closed -------------------------
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_reviewer_profile_cannot_merge(self, _auth, mock_api):
|
||||
env = {"GITEA_PROFILE_NAME": "prgs-reviewer",
|
||||
"GITEA_ALLOWED_OPERATIONS": "read,approve"}
|
||||
with patch.dict(os.environ, env, clear=True):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
gitea_merge_pr(
|
||||
pr_number=8, confirmation=self._confirm(8), remote="prgs"
|
||||
)
|
||||
self.assertIn("Reviewer profile cannot merge. Use a merger profile/session after formal approval at current head.", str(ctx.exception))
|
||||
mock_api.assert_not_called()
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_self_author_cannot_merge(self, _auth, mock_api):
|
||||
@@ -993,14 +1006,13 @@ class TestMergePR(unittest.TestCase):
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_profile_without_merge_permission_blocks(self, _auth, mock_api):
|
||||
mock_api.side_effect = [{"login": "merger-bot"}, self._pr("author-bot")]
|
||||
env = {"GITEA_PROFILE_NAME": "gitea-reviewer",
|
||||
"GITEA_ALLOWED_OPERATIONS": "read,review,approve"}
|
||||
with patch.dict(os.environ, env, clear=True):
|
||||
r = gitea_merge_pr(
|
||||
pr_number=8, confirmation=self._confirm(8), remote="prgs")
|
||||
self.assertFalse(r["performed"])
|
||||
self.assertIn("profile is not allowed to merge", r["reasons"])
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
gitea_merge_pr(
|
||||
pr_number=8, confirmation=self._confirm(8), remote="prgs")
|
||||
self.assertIn("Reviewer profile cannot merge. Use a merger profile/session after formal approval at current head.", str(ctx.exception))
|
||||
self._assert_no_merge_call(mock_api)
|
||||
|
||||
# -- PR state / mergeability ----------------------------------------------
|
||||
|
||||
@@ -33,8 +33,15 @@ REVIEWER_ENV = {
|
||||
"GITEA_PROFILE_NAME": "reviewer-test",
|
||||
"GITEA_ALLOWED_OPERATIONS":
|
||||
"gitea.read,gitea.pr.review,gitea.pr.comment,gitea.pr.approve,"
|
||||
"gitea.pr.request_changes,gitea.pr.merge",
|
||||
"GITEA_FORBIDDEN_OPERATIONS": "gitea.pr.create,gitea.branch.push",
|
||||
"gitea.pr.request_changes",
|
||||
"GITEA_FORBIDDEN_OPERATIONS": "gitea.pr.create,gitea.branch.push,gitea.pr.merge",
|
||||
}
|
||||
|
||||
MERGER_ENV = {
|
||||
"GITEA_PROFILE_NAME": "merger-test",
|
||||
"GITEA_ALLOWED_OPERATIONS":
|
||||
"gitea.read,gitea.pr.comment,gitea.pr.merge",
|
||||
"GITEA_FORBIDDEN_OPERATIONS": "gitea.pr.create,gitea.branch.push,gitea.pr.approve",
|
||||
}
|
||||
|
||||
EXPECTED_SKILLS = [
|
||||
@@ -88,6 +95,15 @@ class TestControlPlaneGuide(GuideTestBase):
|
||||
self.assertIn("eligibility", blob)
|
||||
self.assertIn("pinned", blob)
|
||||
|
||||
@patch("mcp_server.api_request", return_value={"login": "merger-bot"})
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_merger_profile_guidance(self, _auth, _api):
|
||||
with patch.dict(os.environ, MERGER_ENV, clear=True):
|
||||
g = mcp_get_control_plane_guide(remote="prgs")
|
||||
self.assertEqual(g["profile"]["role_kind"], "merger")
|
||||
blob = " ".join(g["guidance"]).lower()
|
||||
self.assertIn("merge", blob)
|
||||
|
||||
@patch("mcp_server.get_auth_header", return_value=None)
|
||||
def test_unresolved_identity_instructs_stop(self, _auth):
|
||||
with patch.dict(os.environ, AUTHOR_ENV, clear=True):
|
||||
|
||||
@@ -44,9 +44,19 @@ CONFIG_RESOLVER = {
|
||||
"role": "reviewer",
|
||||
"username": "reviewer-user",
|
||||
"auth": {"type": "env", "name": "GITEA_TOKEN_REVIEWER"},
|
||||
"allowed_operations": ["gitea.read", "gitea.pr.review", "gitea.pr.approve", "gitea.pr.merge", "gitea.issue.comment"],
|
||||
"forbidden_operations": ["gitea.pr.create", "gitea.branch.push"],
|
||||
"allowed_operations": ["gitea.read", "gitea.pr.review", "gitea.pr.approve", "gitea.issue.comment"],
|
||||
"forbidden_operations": ["gitea.pr.create", "gitea.branch.push", "gitea.pr.merge"],
|
||||
"execution_profile": "reviewer-profile"
|
||||
},
|
||||
"merger-profile": {
|
||||
"enabled": True,
|
||||
"context": "ctx",
|
||||
"role": "merger",
|
||||
"username": "merger-user",
|
||||
"auth": {"type": "env", "name": "GITEA_TOKEN_MERGER"},
|
||||
"allowed_operations": ["gitea.read", "gitea.pr.merge", "gitea.issue.comment"],
|
||||
"forbidden_operations": ["gitea.pr.create", "gitea.branch.push", "gitea.pr.approve"],
|
||||
"execution_profile": "merger-profile"
|
||||
}
|
||||
},
|
||||
"rules": {
|
||||
@@ -83,6 +93,7 @@ class TestResolveTaskCapability(unittest.TestCase):
|
||||
"GITEA_MCP_PROFILE": profile,
|
||||
"GITEA_TOKEN_AUTHOR": "author-pass",
|
||||
"GITEA_TOKEN_REVIEWER": "reviewer-pass",
|
||||
"GITEA_TOKEN_MERGER": "merger-pass",
|
||||
}
|
||||
|
||||
@patch("mcp_server.api_request", return_value={"login": "author-user"})
|
||||
@@ -231,9 +242,9 @@ class TestResolveTaskCapability(unittest.TestCase):
|
||||
with patch.dict(os.environ, self._env("author-profile")):
|
||||
res = mcp_server.gitea_resolve_task_capability(task="merge_pr", remote="prgs")
|
||||
self.assertFalse(res["allowed_in_current_session"])
|
||||
self.assertIn("reviewer", res["exact_safe_next_action"].lower())
|
||||
self.assertIn("merger", res["exact_safe_next_action"].lower())
|
||||
self.assertEqual(res["required_operation_permission"], "gitea.pr.merge")
|
||||
self.assertEqual(res["required_role_kind"], "reviewer")
|
||||
self.assertEqual(res["required_role_kind"], "merger")
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
def test_self_review_blocked_structured(self, mock_api):
|
||||
|
||||
@@ -43,9 +43,19 @@ CONFIG_SWITCHING_DISABLED = {
|
||||
"role": "reviewer",
|
||||
"username": "reviewer-user",
|
||||
"auth": {"type": "env", "name": "GITEA_TOKEN_REVIEWER"},
|
||||
"allowed_operations": ["gitea.read", "gitea.pr.approve", "gitea.pr.merge"],
|
||||
"forbidden_operations": ["gitea.pr.create", "gitea.branch.push"],
|
||||
"allowed_operations": ["gitea.read", "gitea.pr.review", "gitea.pr.approve"],
|
||||
"forbidden_operations": ["gitea.pr.create", "gitea.branch.push", "gitea.pr.merge"],
|
||||
"execution_profile": "reviewer-profile"
|
||||
},
|
||||
"merger-profile": {
|
||||
"enabled": True,
|
||||
"context": "ctx",
|
||||
"role": "merger",
|
||||
"username": "merger-user",
|
||||
"auth": {"type": "env", "name": "GITEA_TOKEN_MERGER"},
|
||||
"allowed_operations": ["gitea.read", "gitea.pr.merge"],
|
||||
"forbidden_operations": ["gitea.pr.create", "gitea.branch.push", "gitea.pr.approve"],
|
||||
"execution_profile": "merger-profile"
|
||||
}
|
||||
},
|
||||
"rules": {
|
||||
@@ -90,6 +100,7 @@ class TestRuntimeClarity(unittest.TestCase):
|
||||
"GITEA_MCP_REVEAL_ENDPOINTS": reveal,
|
||||
"GITEA_TOKEN_AUTHOR": "author-pass",
|
||||
"GITEA_TOKEN_REVIEWER": "reviewer-pass",
|
||||
"GITEA_TOKEN_MERGER": "merger-pass",
|
||||
}
|
||||
|
||||
# -------------------------------------------------------------------------
|
||||
@@ -125,7 +136,7 @@ class TestRuntimeClarity(unittest.TestCase):
|
||||
t for t in caps["task_capabilities"] if t["task"] == "merge_pr"
|
||||
)
|
||||
self.assertFalse(merge_entry["allowed_in_current_session"])
|
||||
self.assertIn("reviewer-profile", merge_entry["matching_configured_profiles"])
|
||||
self.assertIn("merger-profile", merge_entry["matching_configured_profiles"])
|
||||
|
||||
@patch(
|
||||
"mcp_server.assess_preflight_status",
|
||||
@@ -144,6 +155,30 @@ class TestRuntimeClarity(unittest.TestCase):
|
||||
caps = ctx["session_capabilities"]
|
||||
self.assertFalse(caps["can_author_prs"])
|
||||
self.assertFalse(caps["can_create_issues"])
|
||||
self.assertTrue(caps["can_review_prs"])
|
||||
self.assertFalse(caps["can_merge_prs"])
|
||||
merge_entry = next(
|
||||
t for t in caps["task_capabilities"] if t["task"] == "merge_pr"
|
||||
)
|
||||
self.assertFalse(merge_entry["allowed_in_current_session"])
|
||||
|
||||
@patch(
|
||||
"mcp_server.assess_preflight_status",
|
||||
return_value={"preflight_ready": True, "preflight_block_reasons": []},
|
||||
)
|
||||
@patch("mcp_server.api_request", return_value={"login": "merger-user"})
|
||||
@patch("mcp_server.get_auth_header", return_value="token merger-pass")
|
||||
def test_get_runtime_context_merger(self, _auth, _api, _preflight):
|
||||
with patch.dict(os.environ, self._env("merger-profile"), clear=True):
|
||||
ctx = mcp_server.gitea_get_runtime_context(remote="dadeschools")
|
||||
self.assertEqual(ctx["active_profile"], "merger-profile")
|
||||
self.assertEqual(ctx["authenticated_username"], "merger-user")
|
||||
self.assertTrue(ctx["review_merge_allowed"])
|
||||
self.assertEqual(ctx["suggested_fix"], "none")
|
||||
self.assertEqual(ctx["safe_next_action"], "None; ready for operations.")
|
||||
caps = ctx["session_capabilities"]
|
||||
self.assertFalse(caps["can_author_prs"])
|
||||
self.assertFalse(caps["can_create_issues"])
|
||||
self.assertFalse(caps["can_review_prs"])
|
||||
self.assertTrue(caps["can_merge_prs"])
|
||||
merge_entry = next(
|
||||
@@ -160,7 +195,7 @@ class TestRuntimeClarity(unittest.TestCase):
|
||||
with patch.dict(os.environ, self._env("author-profile", reveal="0"), clear=True):
|
||||
res = mcp_server.gitea_list_profiles()
|
||||
profiles = res["profiles"]
|
||||
self.assertEqual(len(profiles), 2)
|
||||
self.assertEqual(len(profiles), 3)
|
||||
|
||||
author_prof = next(p for p in profiles if p["name"] == "author-profile")
|
||||
self.assertTrue(author_prof["is_active"])
|
||||
@@ -176,6 +211,13 @@ class TestRuntimeClarity(unittest.TestCase):
|
||||
self.assertEqual(reviewer_prof["base_url"], "<redacted>")
|
||||
self.assertEqual(reviewer_prof["identity_status"], "credentials present")
|
||||
|
||||
merger_prof = next(p for p in profiles if p["name"] == "merger-profile")
|
||||
self.assertFalse(merger_prof["is_active"])
|
||||
self.assertEqual(merger_prof["role_kind"], "merger")
|
||||
self.assertEqual(merger_prof["auth"]["name"], "<redacted>")
|
||||
self.assertEqual(merger_prof["base_url"], "<redacted>")
|
||||
self.assertEqual(merger_prof["identity_status"], "credentials present")
|
||||
|
||||
@patch("mcp_server.api_request", return_value={"login": "author-user"})
|
||||
@patch("mcp_server.get_auth_header", return_value="token author-pass")
|
||||
def test_list_profiles_revealed_under_opt_in(self, _auth, _api):
|
||||
|
||||
Reference in New Issue
Block a user