feat(guard): harden workflow against unattributed root WIP and pytest-disabled production guards (Closes #683)
Add shared workflow_scope_guard with typed blockers (blocker_kind +
exact_next_action) and force-on production enforcement under pytest.
Wire root/branches/scope checks through verify_preflight_purity and
mutation entrypoints (create_issue, comment_issue) without adopting the
rejected 300a4ca patterns (test-mode early-return, porcelain *.py filter).
Regression suite covers out-of-scope issue ownership, root diagnostic
edits, worktree bind success path, force-on under pytest, porcelain
integrity, monkeypatch resistance, real entrypoint fail-closed proof,
and durable failure recording.
This commit is contained in:
+297
-87
@@ -623,101 +623,280 @@ def verify_preflight_purity(
|
||||
remote: str | None = None,
|
||||
worktree_path: str | None = None,
|
||||
task: str | None = None,
|
||||
*,
|
||||
target_issue_number: int | None = None,
|
||||
require_author_lock: bool = False,
|
||||
):
|
||||
"""Verify that identity and capability were verified prior to session edits."""
|
||||
"""Verify identity/capability order, then production workspace guards.
|
||||
|
||||
#683: pytest/unittest must not skip production root/branches/scope
|
||||
enforcement when force-on signals request production behavior. The
|
||||
early return below only skips *preflight-order* purity checks under
|
||||
pure unit-test isolation — never when production guards are active.
|
||||
"""
|
||||
global _preflight_reviewer_violation_files
|
||||
|
||||
in_test = _preflight_in_test_mode()
|
||||
if in_test and not (
|
||||
os.environ.get("GITEA_TEST_FORCE_DIRTY")
|
||||
or os.environ.get("GITEA_TEST_PORCELAIN") is not None
|
||||
):
|
||||
return
|
||||
production_active = workflow_scope_guard.production_guards_active(
|
||||
in_test_mode=in_test
|
||||
)
|
||||
# Pure unit-test isolation: skip purity-order unless legacy dirty/porcelain
|
||||
# force flags request the dirtiness path. #683 FORCE_PRODUCTION_GUARDS alone
|
||||
# runs production root/branches/scope without requiring whoami/capability.
|
||||
skip_purity_order = in_test and not workflow_scope_guard.purity_order_forced()
|
||||
|
||||
if not _preflight_whoami_called:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Identity (gitea_whoami) has not been verified (fail closed)"
|
||||
)
|
||||
if not _preflight_capability_called:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Task capability (gitea_resolve_task_capability) has not been resolved (fail closed)"
|
||||
)
|
||||
if (
|
||||
task is not None
|
||||
and _preflight_resolved_task is not None
|
||||
and task != _preflight_resolved_task
|
||||
):
|
||||
raise RuntimeError(
|
||||
"Pre-flight task mismatch: "
|
||||
f"resolved '{_preflight_resolved_task}' but mutation requires "
|
||||
f"'{task}' (fail closed)"
|
||||
)
|
||||
|
||||
# #671: block review/merge/close/completion mutations while the session is
|
||||
# contaminated by a direct stable-branch push attempt (reconciler-exempt).
|
||||
_enforce_stable_branch_contamination_gate(task, remote)
|
||||
|
||||
ctx = _resolve_namespace_mutation_context(worktree_path)
|
||||
workspace = ctx["workspace_path"]
|
||||
canonical_root = ctx["canonical_repo_root"]
|
||||
process_root = ctx["process_project_root"]
|
||||
real_workspace = os.path.realpath(workspace)
|
||||
role = ctx.get("workspace_role_kind") or _effective_workspace_role()
|
||||
|
||||
if real_workspace != process_root:
|
||||
if not _preflight_in_test_mode():
|
||||
membership = author_mutation_worktree.assess_workspace_repo_membership(
|
||||
workspace_path=workspace,
|
||||
canonical_repo_root=canonical_root,
|
||||
if not skip_purity_order:
|
||||
if not _preflight_whoami_called:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Identity (gitea_whoami) has not been verified (fail closed)"
|
||||
)
|
||||
if membership["block"]:
|
||||
if not _preflight_capability_called:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Task capability (gitea_resolve_task_capability) has not been resolved (fail closed)"
|
||||
)
|
||||
if (
|
||||
task is not None
|
||||
and _preflight_resolved_task is not None
|
||||
and task != _preflight_resolved_task
|
||||
):
|
||||
raise RuntimeError(
|
||||
"Pre-flight task mismatch: "
|
||||
f"resolved '{_preflight_resolved_task}' but mutation requires "
|
||||
f"'{task}' (fail closed)"
|
||||
)
|
||||
|
||||
# #671: block review/merge/close/completion mutations while the session is
|
||||
# contaminated by a direct stable-branch push attempt (reconciler-exempt).
|
||||
_enforce_stable_branch_contamination_gate(task, remote)
|
||||
|
||||
ctx = _resolve_namespace_mutation_context(worktree_path)
|
||||
workspace = ctx["workspace_path"]
|
||||
canonical_root = ctx["canonical_repo_root"]
|
||||
process_root = ctx["process_project_root"]
|
||||
real_workspace = os.path.realpath(workspace)
|
||||
role = ctx.get("workspace_role_kind") or _effective_workspace_role()
|
||||
|
||||
if real_workspace != process_root:
|
||||
if not _preflight_in_test_mode():
|
||||
membership = author_mutation_worktree.assess_workspace_repo_membership(
|
||||
workspace_path=workspace,
|
||||
canonical_repo_root=canonical_root,
|
||||
)
|
||||
if membership["block"]:
|
||||
raise RuntimeError(
|
||||
author_mutation_worktree.format_workspace_repo_membership_error(
|
||||
membership
|
||||
)
|
||||
)
|
||||
|
||||
dirty_files = sorted(
|
||||
_parse_porcelain_entries(_get_workspace_porcelain(workspace))
|
||||
)
|
||||
if dirty_files:
|
||||
raise RuntimeError(
|
||||
author_mutation_worktree.format_workspace_repo_membership_error(
|
||||
membership
|
||||
nwb.format_namespace_workspace_binding_error(
|
||||
role_kind=role,
|
||||
workspace_path=workspace,
|
||||
binding_source=ctx.get("workspace_binding_source")
|
||||
or "unknown binding source",
|
||||
dirty_files=dirty_files,
|
||||
ignored_bindings=ctx.get("ignored_bindings"),
|
||||
)
|
||||
)
|
||||
|
||||
dirty_files = sorted(_parse_porcelain_entries(_get_workspace_porcelain(workspace)))
|
||||
if dirty_files:
|
||||
raise RuntimeError(
|
||||
nwb.format_namespace_workspace_binding_error(
|
||||
role_kind=role,
|
||||
workspace_path=workspace,
|
||||
binding_source=ctx.get("workspace_binding_source")
|
||||
or "unknown binding source",
|
||||
dirty_files=dirty_files,
|
||||
ignored_bindings=ctx.get("ignored_bindings"),
|
||||
)
|
||||
)
|
||||
else:
|
||||
if _preflight_whoami_violation:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Workspace file edits occurred before "
|
||||
f"gitea_whoami verification (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(_preflight_whoami_violation_files)}"
|
||||
)
|
||||
if _preflight_capability_violation:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Workspace file edits occurred before "
|
||||
f"gitea_resolve_task_capability verification (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(_preflight_capability_violation_files)}"
|
||||
)
|
||||
|
||||
if role in {"reviewer", "merger"}:
|
||||
current = _get_workspace_porcelain()
|
||||
baseline = _preflight_capability_baseline_porcelain or ""
|
||||
reviewer_delta = _new_tracked_changes_since(baseline, current)
|
||||
_preflight_reviewer_violation_files = reviewer_delta
|
||||
if reviewer_delta:
|
||||
else:
|
||||
if _preflight_whoami_violation:
|
||||
raise RuntimeError(
|
||||
f"{role.title()} role violation: profile is forbidden from modifying "
|
||||
"tracked workspace files (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(reviewer_delta)}"
|
||||
"Pre-flight order violation: Workspace file edits occurred before "
|
||||
f"gitea_whoami verification (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(_preflight_whoami_violation_files)}"
|
||||
)
|
||||
if _preflight_capability_violation:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Workspace file edits occurred before "
|
||||
f"gitea_resolve_task_capability verification (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(_preflight_capability_violation_files)}"
|
||||
)
|
||||
|
||||
_enforce_root_checkout_guard(worktree_path)
|
||||
_enforce_branches_only_author_mutation(worktree_path)
|
||||
_clear_preflight_capability_state()
|
||||
if role in {"reviewer", "merger"}:
|
||||
current = _get_workspace_porcelain()
|
||||
baseline = _preflight_capability_baseline_porcelain or ""
|
||||
reviewer_delta = _new_tracked_changes_since(baseline, current)
|
||||
_preflight_reviewer_violation_files = reviewer_delta
|
||||
if reviewer_delta:
|
||||
raise RuntimeError(
|
||||
f"{role.title()} role violation: profile is forbidden from modifying "
|
||||
"tracked workspace files (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(reviewer_delta)}"
|
||||
)
|
||||
|
||||
# Historical path: root + branches after purity-order when dirty paths live.
|
||||
_enforce_root_checkout_guard(worktree_path)
|
||||
_enforce_branches_only_author_mutation(worktree_path)
|
||||
_enforce_issue_scope_guard(
|
||||
worktree_path,
|
||||
task=task,
|
||||
target_issue_number=target_issue_number,
|
||||
require_author_lock=require_author_lock,
|
||||
)
|
||||
_clear_preflight_capability_state()
|
||||
return
|
||||
|
||||
# #683: under pytest unit isolation, FORCE_PRODUCTION_GUARDS still runs
|
||||
# production root + branches + issue scope (no silent no-op of guards).
|
||||
if production_active:
|
||||
_enforce_root_checkout_guard(worktree_path)
|
||||
_enforce_branches_only_author_mutation(worktree_path)
|
||||
_enforce_issue_scope_guard(
|
||||
worktree_path,
|
||||
task=task,
|
||||
target_issue_number=target_issue_number,
|
||||
require_author_lock=require_author_lock,
|
||||
)
|
||||
|
||||
|
||||
def _session_issue_lock_snapshot(
|
||||
workspace_path: str | None = None,
|
||||
) -> dict:
|
||||
"""Return session lock fields relevant to #683 scope enforcement.
|
||||
|
||||
Branch-vs-lock comparison uses the live workspace branch only when the
|
||||
lock's worktree matches the mutation workspace. That prevents a foreign
|
||||
or leftover session lock from poisoning unrelated test worktrees while
|
||||
still fail-closing when the bound worktree drifts to another issue.
|
||||
"""
|
||||
lock = issue_lock_store.read_session_issue_lock() or {}
|
||||
raw = lock.get("issue_number")
|
||||
locked: int | None
|
||||
try:
|
||||
locked = int(raw) if raw is not None else None
|
||||
except (TypeError, ValueError):
|
||||
locked = None
|
||||
lock_wt = (lock.get("worktree_path") or "").strip()
|
||||
workspace = (workspace_path or "").strip()
|
||||
worktrees_match = False
|
||||
if lock_wt and workspace:
|
||||
try:
|
||||
worktrees_match = os.path.realpath(lock_wt) == os.path.realpath(workspace)
|
||||
except OSError:
|
||||
worktrees_match = False
|
||||
return {
|
||||
"locked_issue_number": locked,
|
||||
"lock_branch_name": (lock.get("branch_name") or "").strip() or None,
|
||||
"lock_worktree_path": lock_wt or None,
|
||||
"worktrees_match": worktrees_match,
|
||||
}
|
||||
|
||||
|
||||
def _session_locked_issue_number() -> int | None:
|
||||
"""Return the active session issue lock number when present (#683)."""
|
||||
return _session_issue_lock_snapshot().get("locked_issue_number")
|
||||
|
||||
|
||||
def _enforce_issue_scope_guard(
|
||||
worktree_path: str | None = None,
|
||||
*,
|
||||
task: str | None = None,
|
||||
target_issue_number: int | None = None,
|
||||
require_author_lock: bool = False,
|
||||
) -> None:
|
||||
"""#683: fail closed on missing/out-of-scope issue ownership for mutations."""
|
||||
ctx = _resolve_namespace_mutation_context(worktree_path)
|
||||
workspace = ctx["workspace_path"]
|
||||
git_state = issue_lock_worktree.read_worktree_git_state(workspace)
|
||||
# Honour actual profile role as well as poisoned task role (#540 / #683):
|
||||
# comment_issue preflight stamps required_role_kind=author, which must not
|
||||
# strip a genuine reconciler of control-checkout exemptions.
|
||||
role = ctx.get("workspace_role_kind") or _effective_workspace_role()
|
||||
actual = _actual_profile_role()
|
||||
if actual in nwb.NON_AUTHOR_ROLES:
|
||||
role = actual
|
||||
snap = _session_issue_lock_snapshot(workspace)
|
||||
# Scope uses the lock's recorded branch for issue-number matching.
|
||||
# Live workspace branch can inherit the parent control checkout's branch
|
||||
# name when a temp branches/ dir is not its own worktree tip — that must
|
||||
# not invent a false out-of-scope failure. Live branch drift is enforced
|
||||
# by issue_lock_store.verify_lock_for_mutation elsewhere.
|
||||
branch_for_scope = snap.get("lock_branch_name")
|
||||
if (
|
||||
snap.get("worktrees_match")
|
||||
and workflow_scope_guard.production_guards_forced()
|
||||
):
|
||||
live_branch = git_state.get("current_branch")
|
||||
live_issue = workflow_scope_guard.extract_issue_number_from_branch(
|
||||
live_branch
|
||||
)
|
||||
locked = snap.get("locked_issue_number")
|
||||
if (
|
||||
live_issue is not None
|
||||
and locked is not None
|
||||
and live_issue != locked
|
||||
):
|
||||
branch_for_scope = live_branch
|
||||
# Author implementation / source-adjacent mutations need ownership when forced.
|
||||
authorish = role == "author" or (
|
||||
task
|
||||
in {
|
||||
"create_issue",
|
||||
"comment_issue",
|
||||
"lock_issue",
|
||||
"create_pr",
|
||||
"commit_files",
|
||||
"gitea_commit_files",
|
||||
"mark_issue",
|
||||
}
|
||||
)
|
||||
require_lock = bool(require_author_lock) or (
|
||||
authorish
|
||||
and workflow_scope_guard.production_guards_forced()
|
||||
and role == "author"
|
||||
)
|
||||
assessment = workflow_scope_guard.assess_production_mutation_guards(
|
||||
workspace_path=workspace,
|
||||
canonical_repo_root=ctx["canonical_repo_root"],
|
||||
porcelain_status=git_state.get("porcelain_status") or "",
|
||||
current_branch=branch_for_scope,
|
||||
locked_issue_number=snap.get("locked_issue_number"),
|
||||
target_issue_number=target_issue_number,
|
||||
role_kind=role,
|
||||
require_author_lock=require_lock,
|
||||
in_test_mode=_preflight_in_test_mode(),
|
||||
)
|
||||
workflow_scope_guard.raise_if_blocked(assessment)
|
||||
|
||||
|
||||
def _production_guard_block_from_exc(exc: BaseException, **extra) -> dict | None:
|
||||
"""Map production-guard exceptions to typed tool block responses (#683)."""
|
||||
if isinstance(exc, workflow_scope_guard.ProductionGuardError):
|
||||
return workflow_scope_guard.block_response(exc, **extra)
|
||||
text = str(exc)
|
||||
if "Workflow scope guard (#683)" in text or "Root checkout guard (#475)" in text:
|
||||
kind = workflow_scope_guard.BLOCKER_PRODUCTION_GUARD
|
||||
if "root_diagnostic_edit" in text or "tracked source or test edits" in text:
|
||||
kind = workflow_scope_guard.BLOCKER_ROOT_DIAGNOSTIC_EDIT
|
||||
elif "Branches-only mutation guard" in text or "stable control checkout" in text:
|
||||
kind = workflow_scope_guard.BLOCKER_MISSING_WORKTREE
|
||||
elif "out-of-scope" in text or "locked to issue" in text:
|
||||
kind = workflow_scope_guard.BLOCKER_OUT_OF_SCOPE_ISSUE
|
||||
elif "no owning issue" in text:
|
||||
kind = workflow_scope_guard.BLOCKER_MISSING_ISSUE_SCOPE
|
||||
return workflow_scope_guard.block_response(
|
||||
blocker_kind=kind,
|
||||
reasons=[text],
|
||||
**extra,
|
||||
)
|
||||
if "Branches-only mutation guard" in text:
|
||||
return workflow_scope_guard.block_response(
|
||||
blocker_kind=workflow_scope_guard.BLOCKER_MISSING_WORKTREE,
|
||||
reasons=[text],
|
||||
**extra,
|
||||
)
|
||||
if "Root checkout guard" in text:
|
||||
return workflow_scope_guard.block_response(
|
||||
blocker_kind=workflow_scope_guard.BLOCKER_ROOT_DIAGNOSTIC_EDIT,
|
||||
reasons=[text],
|
||||
**extra,
|
||||
)
|
||||
return None
|
||||
|
||||
|
||||
def _verify_role_mutation_workspace(
|
||||
@@ -727,7 +906,12 @@ def _verify_role_mutation_workspace(
|
||||
worktree: str | None = None,
|
||||
task: str | None = None,
|
||||
) -> str:
|
||||
"""Bind reviewer/merger mutations to the active namespace workspace (#510)."""
|
||||
"""Bind reviewer/merger mutations to the active namespace workspace (#510).
|
||||
|
||||
#683: must NOT early-return solely because pytest/unittest is loaded.
|
||||
Production workspace binding always runs; test isolation uses explicit
|
||||
env fixtures / force-on flags, never a production short-circuit here.
|
||||
"""
|
||||
|
||||
# Check running runtimes to prevent stale mutations
|
||||
try:
|
||||
@@ -928,6 +1112,7 @@ import merge_approval_gate # noqa: E402
|
||||
import already_landed_reconcile # noqa: E402
|
||||
import author_mutation_worktree # noqa: E402
|
||||
import root_checkout_guard # noqa: E402
|
||||
import workflow_scope_guard # noqa: E402 # #683 production scope / force-on guards
|
||||
import stable_branch_push_guard # noqa: E402
|
||||
import remote_repo_guard # noqa: E402
|
||||
import issue_claim_heartbeat # noqa: E402
|
||||
@@ -1896,7 +2081,15 @@ def gitea_create_issue(
|
||||
)
|
||||
if blocked:
|
||||
return blocked
|
||||
verify_preflight_purity(remote, worktree_path=worktree_path, task="create_issue")
|
||||
try:
|
||||
verify_preflight_purity(
|
||||
remote, worktree_path=worktree_path, task="create_issue"
|
||||
)
|
||||
except Exception as exc:
|
||||
typed = _production_guard_block_from_exc(exc, number=None)
|
||||
if typed is not None:
|
||||
return typed
|
||||
raise
|
||||
content_gate = issue_content_gate.pre_create_issue_content_gate(
|
||||
title,
|
||||
body,
|
||||
@@ -8167,9 +8360,26 @@ def gitea_create_issue_comment(
|
||||
with the reveal opt-in); on a permission block or empty body,
|
||||
'success'/'performed' False and 'reasons' with no API call made
|
||||
(permission blocks also carry a structured 'permission_report',
|
||||
#142).
|
||||
#142). On production-guard blocks (#683): 'blocker_kind' and
|
||||
'exact_next_action' with no API side effect.
|
||||
"""
|
||||
verify_preflight_purity(remote, worktree_path=worktree_path, task="comment_issue")
|
||||
try:
|
||||
# Do not pass target_issue_number: comments on other issues remain
|
||||
# allowed while an author holds a different implementation lock.
|
||||
# Scope ownership for source edits is enforced via branch/worktree
|
||||
# binding + root diagnostic checks (#683).
|
||||
verify_preflight_purity(
|
||||
remote,
|
||||
worktree_path=worktree_path,
|
||||
task="comment_issue",
|
||||
)
|
||||
except Exception as exc:
|
||||
typed = _production_guard_block_from_exc(
|
||||
exc, issue_number=issue_number
|
||||
)
|
||||
if typed is not None:
|
||||
return typed
|
||||
raise
|
||||
gate_reasons = _profile_operation_gate("gitea.issue.comment")
|
||||
reasons = list(gate_reasons)
|
||||
if not (body or "").strip():
|
||||
|
||||
Reference in New Issue
Block a user