fix: resolve conflicts for PR #499
Merge prgs/master into PR branch to restore mergeability. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
This commit is contained in:
@@ -63,8 +63,14 @@ Do not use legacy fields: `Pinned reviewed head`, `Scratch worktree used`,
|
||||
- Current status:
|
||||
- Safe next action:
|
||||
- Safety statement:
|
||||
- Workflow-load helper result:
|
||||
```
|
||||
|
||||
The **Workflow-load helper result** field must carry structured output from
|
||||
`gitea_load_review_workflow` (workflow_hash, final_report_schema_hash,
|
||||
boundary_status). Narrative claims that workflow files were viewed locally are
|
||||
not sufficient (#403).
|
||||
|
||||
### Already-landed handoff overrides
|
||||
|
||||
When eligibility class is `ALREADY_LANDED_RECONCILE_REQUIRED`:
|
||||
|
||||
@@ -10,6 +10,10 @@ Load the canonical workflow first:
|
||||
Final report schema: `schemas/review-merge-final-report.md`.
|
||||
|
||||
Rules (llm-project-workflow):
|
||||
- Repository targeting (#530): pass explicit `remote=`, `org=`, and `repo=` on
|
||||
every gitea-tools call (e.g. `remote=prgs org=Scaled-Tech-Consulting
|
||||
repo=Gitea-Tools`). A bare `remote=prgs` can resolve to the wrong default repo
|
||||
and is blocked when it disagrees with the local git remote URL.
|
||||
- Only an eligible, NON-author reviewer merges. If authenticated user == PR
|
||||
author → STOP.
|
||||
- Do not merge unless the PR is open, mergeable, and its checks/review pass.
|
||||
@@ -41,7 +45,15 @@ Steps:
|
||||
8. Confirm remote master now contains the merge commit (or the expected changes if squash merged).
|
||||
*Note: Gitea PR "closed" state is NOT equivalent to "merged". Do not assume a closed PR succeeded without verifying the actual landed changes.*
|
||||
|
||||
Then run the cleanup template (worktree-cleanup.md):
|
||||
Post-merge cleanup (#517): merger sessions must NOT perform ad hoc cleanup.
|
||||
- Record merge mutations separately from cleanup mutations in the controller handoff.
|
||||
- Hand cleanup to a `prgs-reconciler` session — never raw `git branch -d`,
|
||||
`git push --delete`, curl/API comment deletion, or local scripts.
|
||||
- Reconciler cleanup must cite authorized MCP tools
|
||||
(`gitea_reconcile_merged_cleanups`, `gitea_cleanup_post_merge_moot_lease`,
|
||||
`gitea_delete_branch`, etc.) plus `gitea.branch.delete` capability proof.
|
||||
|
||||
Then run the cleanup template (worktree-cleanup.md) in a reconciler session:
|
||||
- Verify expected file/commit presence on master (post-merge file-presence verification):
|
||||
- Run: git fetch <remote> --prune; git checkout master; git pull <remote> master --ff-only
|
||||
- Verify that the expected files added/modified in the PR are present on master (or absent if deleted).
|
||||
|
||||
@@ -0,0 +1,27 @@
|
||||
# Template: post-merge cleanup (reconciler only)
|
||||
|
||||
Copy, fill the `<...>` fields, and paste as the task prompt. Run only after merge
|
||||
is confirmed on remote master. Merger sessions must hand off here — never perform
|
||||
this cleanup inline (#517).
|
||||
|
||||
```text
|
||||
Task: MCP-native post-merge cleanup for PR #<pr> / issue #<n>.
|
||||
|
||||
Rules:
|
||||
- Active profile must be reconciler (`prgs-reconciler`) with `gitea.branch.delete`.
|
||||
- Use MCP tools only — no raw git branch delete, no API comment deletion scripts.
|
||||
- Record cleanup mutations separately from merge mutations in the handoff.
|
||||
|
||||
Steps:
|
||||
1. `gitea_resolve_task_capability(task="reconcile_merged_cleanups", remote=prgs)`
|
||||
2. Confirm PR #<pr> merged on <remote>/master.
|
||||
3. `gitea_cleanup_post_merge_moot_lease` if a reviewer lease remains (append-only).
|
||||
4. `gitea_reconcile_merged_cleanups` for branch/worktree cleanup with dry-run first.
|
||||
5. Report authorized cleanup tools used and reconciler capability proof.
|
||||
|
||||
Handoff ledger (required fields):
|
||||
- Merge mutations: (none — merger already recorded gitea_merge_pr)
|
||||
- Cleanup mutations: list exact MCP tools invoked
|
||||
- Reconciler capability: profile + gitea.branch.delete proof
|
||||
- Next actor: controller acceptance or none
|
||||
```
|
||||
@@ -35,6 +35,10 @@ Load the canonical workflow first:
|
||||
Final report schema: `schemas/review-merge-final-report.md`.
|
||||
|
||||
Rules (llm-project-workflow):
|
||||
- Repository targeting (#530): pass explicit `remote=`, `org=`, and `repo=` on
|
||||
every gitea-tools call (e.g. `remote=prgs org=Scaled-Tech-Consulting
|
||||
repo=Gitea-Tools`). A bare `remote=prgs` can resolve to the wrong default repo
|
||||
and is blocked when it disagrees with the local git remote URL.
|
||||
- Review in a SEPARATE detached review worktree, never the author's folder.
|
||||
- Worktree safety (#233): before checkout, diff, validation, review, or merge,
|
||||
report the starting worktree path and whether it was dirty. If unrelated
|
||||
|
||||
@@ -15,6 +15,10 @@ Rules (llm-project-workflow):
|
||||
- Work only in an isolated branch worktree under branches/. The main checkout
|
||||
is orchestration/status only.
|
||||
- Do not self-review or self-merge.
|
||||
- Repository targeting (#530): pass explicit `remote=`, `org=`, and `repo=` on
|
||||
every gitea-tools call (e.g. `remote=prgs org=Scaled-Tech-Consulting
|
||||
repo=Gitea-Tools`). A bare `remote=prgs` can resolve to the wrong default repo
|
||||
and is blocked when it disagrees with the local git remote URL.
|
||||
|
||||
Steps:
|
||||
0. Work Selection Rule — before any claim, branch, or file edits, acquire or
|
||||
|
||||
@@ -26,3 +26,43 @@ Steps:
|
||||
|
||||
Handoff: merge confirmed, issue closed, branch+worktree removed, checkout clean.
|
||||
```
|
||||
|
||||
## Branches cleanup audit integrity (#404)
|
||||
|
||||
Any bulk or multi-path cleanup under `branches/` must capture auditable before/after
|
||||
identity for every initial directory and registered worktree. Use
|
||||
`worktree_cleanup_audit.capture_cleanup_snapshot` before and after cleanup, record
|
||||
every intentional removal in a removal log (path, method, order, timestamp,
|
||||
pre-removal proof), then run `reconcile_cleanup_audit` and
|
||||
`assess_cleanup_audit_integrity`.
|
||||
|
||||
The cleanup report must include a reconciliation table:
|
||||
|
||||
* initial count
|
||||
* removed count
|
||||
* preserved count
|
||||
* missing-unexplained count
|
||||
* final count
|
||||
|
||||
Fail closed when:
|
||||
|
||||
* a preserved (active PR, dirty, claim/lease, or unsafe) worktree disappears without
|
||||
a removal log entry or explicit explanation
|
||||
* the removal log omits a removed clean-stale path
|
||||
* final counts do not reconcile with initial minus removed
|
||||
|
||||
If another session removes or mutates a worktree during cleanup, record the path
|
||||
under explained missing entries — never treat silent disappearance as success.
|
||||
|
||||
## Bulk `branches/` cleanup audit (#404)
|
||||
|
||||
Before removing multiple session-owned worktrees:
|
||||
|
||||
1. Call `gitea_capture_branches_worktree_snapshot` and record the before snapshot.
|
||||
2. Remove only paths classified as `clean_stale_removable` with explicit per-path proof.
|
||||
3. Log every removal with path, method, and timestamp/order.
|
||||
4. Capture an after snapshot with the same tool.
|
||||
5. Call `gitea_assess_worktree_cleanup_integrity` with before, after, and the removal log.
|
||||
6. Fail closed when any protected path (active PR, dirty, claim/lease) disappears
|
||||
without an explained state transition.
|
||||
7. Final report must include the reconciliation table and `git worktree list` proof.
|
||||
|
||||
@@ -36,6 +36,44 @@ If available, load it first and report:
|
||||
|
||||
If the canonical workflow cannot be loaded and the project requires it, stop and produce a recovery handoff only.
|
||||
|
||||
## 0A. Workflow-load and session boundary anchor (#403)
|
||||
|
||||
The MCP gate is the authority — not local file viewing.
|
||||
|
||||
Before any reviewer mutation:
|
||||
|
||||
1. Record pre-review commands with `gitea_record_pre_review_command` when they
|
||||
are not automatically classified (inventory/diagnostic commands may be
|
||||
recorded explicitly for proof).
|
||||
2. Call `gitea_load_review_workflow` to establish workflow hash proof **and**
|
||||
session boundary state in the same in-process session proof.
|
||||
3. Do not claim the workflow was loaded by reading
|
||||
`skills/llm-project-workflow/workflows/review-merge-pr.md` as a local file;
|
||||
that narrative does not satisfy the validator.
|
||||
|
||||
Allowed before workflow load (classify as `read_only_inventory` or
|
||||
`diagnostic`):
|
||||
|
||||
* `gitea_whoami`, `gitea_resolve_task_capability`, `gitea_list_prs`,
|
||||
`gitea_view_pr`, `gitea_get_runtime_context`
|
||||
* `git fetch` / `git remote update` for inventory
|
||||
* `git status`, `git worktree list` (read-only)
|
||||
|
||||
Boundary violations (block downstream reviewer mutations even after load):
|
||||
|
||||
* validation commands (`pytest`, `python -m unittest`) in the main checkout
|
||||
* local profile/credential/config inspection (`profiles.json`, `gitea-mcp.json`,
|
||||
`.env`, keychain dumps)
|
||||
* MCP repair (`pkill`, MCP config edits)
|
||||
* git mutations before workflow load
|
||||
|
||||
Final reports must include a structured **Workflow-load helper result** block
|
||||
copied from `gitea_load_review_workflow`, including at minimum:
|
||||
|
||||
* `workflow_hash`
|
||||
* `final_report_schema_hash`
|
||||
* `boundary_status` (`clean` or `violation`)
|
||||
|
||||
## 1. Start with live identity, profile, runtime, and capability checks
|
||||
|
||||
Prove:
|
||||
@@ -796,6 +834,21 @@ inventory before continuing.
|
||||
Final reports must include lease session id, acquisition proof, heartbeat
|
||||
status, and release/blocked status.
|
||||
|
||||
## 26B-1. Merger lease adoption (#536)
|
||||
|
||||
When review and merge are **different sessions**, the merger must adopt the
|
||||
reviewer's lease — never manually seed `reviewer_pr_lease._SESSION_LEASE`.
|
||||
|
||||
Before merge in a merger-only session:
|
||||
|
||||
1. Confirm `approval_at_current_head` via `gitea_get_pr_review_feedback`.
|
||||
2. Call `gitea_adopt_merger_pr_lease` from a clean merger worktree under
|
||||
`branches/`, passing `expected_head_sha` pinned to the approved head.
|
||||
3. Quote the adoption comment id and `adopted_from_session_id` in the handoff.
|
||||
4. Proceed to `gitea_merge_pr` only after adoption succeeds.
|
||||
|
||||
Manual in-process lease seeding is rejected by mutation gates (fail closed).
|
||||
|
||||
## 26C. Conflict-fix lease and stale-head protection (#399)
|
||||
|
||||
Before validating, approving, or merging a PR:
|
||||
@@ -871,6 +924,16 @@ Confirm:
|
||||
|
||||
Clean only the session-owned `branches/` review worktree if the project workflow explicitly allows cleanup.
|
||||
|
||||
Review, baseline, and merge-simulation worktrees created during this run are
|
||||
transient and are removed automatically at successful completion once they are
|
||||
clean, carry no open PR, and hold no active lease (#401). Use
|
||||
`gitea_audit_worktree_cleanup` (read-only) to classify `branches/` entries; only
|
||||
`clean_stale_removable` and `detached_review_leftover` may be removed, one-by-one,
|
||||
after `git worktree list` proof plus per-worktree proof of path, branch/HEAD,
|
||||
clean/dirty status, no active PR/lease, and the removal result. Dirty,
|
||||
active-PR, active-issue, and leased worktrees are never deleted automatically; a
|
||||
failed removal must be reported with the leftover path and reason.
|
||||
|
||||
Do not delete or mutate unrelated branches/worktrees.
|
||||
|
||||
Do not touch the main checkout except to update the stable branch after merge if explicitly allowed by the workflow.
|
||||
@@ -915,6 +978,27 @@ If any gate fails, report:
|
||||
|
||||
Skipped cleanup with an exact blocker passes validation. Performed-cleanup claims without the checklist fail validation.
|
||||
|
||||
## 28B. MCP-native cleanup only (#517)
|
||||
|
||||
Post-merge cleanup of leases, comments, branches, and worktrees must go through
|
||||
explicit MCP tools — never raw git, curl/API scripts, or ad hoc helper scripts.
|
||||
|
||||
Merger and reviewer sessions must **not** perform cleanup inline. Record:
|
||||
|
||||
* **Merge mutations** — only `gitea_merge_pr` (or review mutations for review-only runs)
|
||||
* **Cleanup mutations** — only authorized reconciler MCP tools, cited by exact tool name
|
||||
|
||||
Authorized cleanup tools include `gitea_reconcile_merged_cleanups`,
|
||||
`gitea_cleanup_post_merge_moot_lease`, `gitea_delete_branch`, and
|
||||
`gitea_cleanup_merged_pr_branch` (when available). Lease cleanup uses
|
||||
append-only release comments — never delete another session's lease comment.
|
||||
|
||||
Hand cleanup to a `prgs-reconciler` session with `gitea.branch.delete` capability
|
||||
proof. Raw `git branch -d`, `git push --delete`, and comment-deletion API calls
|
||||
are blocked in final-report validation.
|
||||
|
||||
Template: `templates/post-merge-cleanup-handoff.md`.
|
||||
|
||||
## 29. Recovery handoff rules
|
||||
|
||||
If blocked, produce a recovery handoff with:
|
||||
@@ -1013,6 +1097,26 @@ Use precise wording:
|
||||
|
||||
Do not collapse review, merge, cleanup, or external-state mutations into vague wording.
|
||||
|
||||
## 31B. Mutation-capability table (#405)
|
||||
|
||||
Every performed mutation requires exact capability proof resolved **before** that
|
||||
mutation executes. Nearby capabilities never authorize a different operation —
|
||||
`review_pr` does not authorize `merge_pr`, and `merge_pr` does not authorize
|
||||
`delete_branch` / `gitea.branch.delete`.
|
||||
|
||||
When any mutation beyond a bare review occurs (merge, branch delete, issue
|
||||
close/comment, etc.), the final report must include a **mutation-capability table**
|
||||
with one row per performed mutation:
|
||||
|
||||
* mutation (tool/action name)
|
||||
* exact task/capability resolved (for example `merge_pr` / `gitea.pr.merge`)
|
||||
* result
|
||||
* order/timestamp proof that capability was resolved before the mutation
|
||||
|
||||
If exact capability proof is missing, skip the mutation or stop the workflow —
|
||||
never claim a performed mutation without its row. Post-hoc capability proof after
|
||||
the mutation fails validation.
|
||||
|
||||
## 31A. Local artifact and report consistency rule
|
||||
|
||||
Do not create local walkthrough, notes, markdown, JSON, or report artifacts during reviewer runs unless the canonical workflow or operator explicitly requires it.
|
||||
|
||||
@@ -626,9 +626,14 @@ When pushing to an existing PR branch to resolve merge conflicts:
|
||||
* session worktree path
|
||||
* push cwd
|
||||
* whether the push is fast-forward
|
||||
3. Do not push when a reviewer holds an active lease on the same PR.
|
||||
4. Do not force-push.
|
||||
5. Do not push from the main checkout or wrong cwd.
|
||||
* explicit `remote`, `org`, and `repo` when not using defaults
|
||||
3. If assessment returns `assessment_failed: true` or `pr_lookup: failed`, stop
|
||||
and produce a recovery handoff with the structured `reasons` and
|
||||
`resolved_repo` fields — do not treat an MCP HTTP 500 as proof the push was
|
||||
unsafe or safe (#519).
|
||||
4. Do not push when a reviewer holds an active lease on the same PR.
|
||||
5. Do not force-push.
|
||||
6. Do not push from the main checkout or wrong cwd.
|
||||
|
||||
Conflict-fix final reports must state:
|
||||
|
||||
@@ -699,6 +704,39 @@ Do not update the main checkout unless the canonical workflow explicitly allows
|
||||
|
||||
Any cleanup is a mutation and must be reported.
|
||||
|
||||
### 22A. Session-owned worktree cleanup and TTL (#401)
|
||||
|
||||
Every session-owned worktree created under `branches/` has ownership metadata:
|
||||
path, workflow type, issue number, PR number, branch/head SHA, creator
|
||||
identity/profile, created timestamp, last-used timestamp, and cleanup
|
||||
eligibility.
|
||||
|
||||
Cleanup is classification-driven. `gitea_audit_worktree_cleanup` (read-only)
|
||||
classifies every `branches/` entry as exactly one of:
|
||||
|
||||
* `active_open_pr` — branch has an open PR; never auto-removed.
|
||||
* `active_issue_work` — active claim/lease or fresh issue worktree; never
|
||||
auto-removed.
|
||||
* `dirty_local_worktree` — uncommitted changes; never auto-removed.
|
||||
* `clean_stale_removable` — clean, no PR, no lease; removable.
|
||||
* `detached_review_leftover` — clean detached review/baseline/merge-simulation
|
||||
worktree; removable.
|
||||
* `unsafe_unknown` — protected base checkout or unknown workflow type; never
|
||||
auto-removed.
|
||||
|
||||
Only `clean_stale_removable` and `detached_review_leftover` may be removed, and
|
||||
only one-by-one after `git worktree list` proof plus per-worktree proof of:
|
||||
worktree path, branch/HEAD, clean/dirty status, no active PR/lease, and the
|
||||
removal result. Review, baseline, and merge-simulation worktrees are removed
|
||||
automatically at successful workflow completion; issue/conflict-fix worktrees
|
||||
are removed only after their TTL (`GITEA_WORKTREE_TTL_HOURS`, default 24h)
|
||||
expires and no lock/lease is held.
|
||||
|
||||
Dirty, active-PR, active-issue, and leased worktrees are never deleted
|
||||
automatically. If a removal fails, the final report must list the leftover
|
||||
worktree path and the reason. Include the `git worktree list` output as final
|
||||
cleanup verification.
|
||||
|
||||
## 23. Recovery handoff rules
|
||||
|
||||
If blocked, produce a recovery handoff with:
|
||||
|
||||
Reference in New Issue
Block a user