feat(review-workflow): add fail-closed proofs for blind PR queue review (#173)
Adds review_proofs.py with pure, fail-closed helpers for the reviewer-side blind queue workflow: - verify_pinned_head_checkout: proves HEAD == pinned PR head (full 40-hex, no prefix matches) and diff base == PR base; any mismatch blocks review/merge. - assess_inventory_completeness: exhaustive "only PRs found" claims require every configured repo listed with stated filters, proven pagination, and reported open-PR totals. - assess_validation_report: validation results are unclaimable unless the exact command was stated and its output read; missing pass/fail/skip counts, unjustified ignored paths, or unexplained deviation from the canonical command downgrade the report to weak. - assess_self_review_contamination: contamination must be evidence-backed; bare same-session claims (either way) yield "unknown" with a choose-another-PR-or-stop action, never an assumed verdict. - build_final_report: distinguishes identity eligibility, author/reviewer distinctness, session contamination, validation-on-pinned-head, merge, and issue verification; grades "A" only when every proof is present, downgrades otherwise, and marks a merge without allowing proofs as a blocked violation. tests/test_review_proofs.py covers all seven harness assertions from the issue (unchecked-out pinned head blocks merge; multi-repo inventory; pagination; missing counts flagged weak; evidence-required contamination; unread output cannot claim validation passed; ignored paths need justification). SKILL.md section F and templates/review-pr.md now require the checkout, inventory, validation-evidence, and contamination proofs and the distinguished final report. No review/merge safety gate is weakened. Closes #173 Co-Authored-By: Claude Fable 5 <[email protected]>
This commit is contained in:
@@ -167,11 +167,38 @@ Worktree folder = branch with `/` replaced by `-`
|
||||
|
||||
1. Use a separate review worktree (`scripts/worktree-review <branch>`), detached.
|
||||
2. Verify your authenticated identity.
|
||||
3. Verify the PR author — **you must not be the author.**
|
||||
3. Verify the PR author — **you must not be the author.** Self-review
|
||||
contamination must be *evidence-backed* (#173): state the authenticated
|
||||
reviewer identity, the PR author identity, whether this session
|
||||
authored/touched the PR branch, and the evidence source for any
|
||||
"same-session author" claim. If the evidence is missing, report the
|
||||
status as **unknown** — never declare contamination by assumption — and
|
||||
choose another PR or stop (`review_proofs.assess_self_review_contamination`).
|
||||
4. Verify the worktree is clean.
|
||||
5. Inspect the full diff; confirm scope matches the linked issue; flag unrelated files.
|
||||
6. Run the tests.
|
||||
7. **Do not merge if checks fail. Do not merge if the reviewer is the author.**
|
||||
5. **Checkout proof (#173):** before reviewing or validating, prove and
|
||||
state: the selected PR head SHA from Gitea (pinned), the local checkout
|
||||
SHA (`git rev-parse HEAD`), that `HEAD ==` the pinned PR head SHA, and
|
||||
that the diff base is the PR base branch. If `HEAD` does not match the
|
||||
pinned head, **stop before review/merge**
|
||||
(`review_proofs.verify_pinned_head_checkout`).
|
||||
6. **Inventory proof (#173):** a blind queue review must prove listing
|
||||
completeness before claiming "only PRs found": both configured
|
||||
repositories checked, open-PR filters stated, pagination handled or
|
||||
explicitly not needed, and the total open PR count per repo reported
|
||||
(`review_proofs.assess_inventory_completeness`).
|
||||
7. Inspect the full diff; confirm scope matches the linked issue; flag unrelated files.
|
||||
8. Run the tests. Validation reporting must include the exact command and
|
||||
exact results: pass/fail, counts of tests passed/skipped/failed, any
|
||||
ignored paths and why they are safe to ignore, and whether the command
|
||||
differs from the repository's canonical validation command. Only claim a
|
||||
validation result after the command has completed and its output has
|
||||
been read (`review_proofs.assess_validation_report`).
|
||||
9. **Do not merge if checks fail. Do not merge if the reviewer is the author.**
|
||||
10. The final report must distinguish (`review_proofs.build_final_report`):
|
||||
identity eligible; PR author different from reviewer; session
|
||||
contamination absent (with evidence); validation performed on the pinned
|
||||
head; merge performed; issue status verified. If any proof is missing,
|
||||
stop or downgrade the result instead of merging confidently.
|
||||
|
||||
## G. Merge / cleanup workflow
|
||||
|
||||
|
||||
Reference in New Issue
Block a user