fix(workflow): cross-profile decision-lock cleanup and irrecoverable provenance (#709)
Prevent merger-local empty decision locks from standing in for reviewer terminal cleanup, refuse silent re-init overwrite of unresolved terminal evidence, record post-merge recovery-required state when audit fails, and add a truthful irrecoverable-provenance path that never claims applied=true. Closes #709
This commit is contained in:
+143
-1
@@ -36,7 +36,21 @@ KIND_REVIEW_DRAFT = "review_draft"
|
||||
# other session proofs; a contaminated session fails closed on gated mutations
|
||||
# until a reconciler audits and clears it.
|
||||
KIND_STABLE_BRANCH_CONTAMINATION = "stable_branch_contamination"
|
||||
# #709: archive prior terminal decision ledgers instead of silent overwrite.
|
||||
KIND_DECISION_LOCK_ARCHIVE = "review_decision_lock_archive"
|
||||
# #709: post-merge cleanup/audit reconciliation-required durable record.
|
||||
KIND_POST_MERGE_DECISION_RECOVERY = "post_merge_decision_recovery"
|
||||
# #709: truthful record when historical terminal evidence is irrecoverably gone.
|
||||
KIND_IRRECOVERABLE_DECISION_PROVENANCE = "irrecoverable_decision_provenance"
|
||||
|
||||
# Kinds that must survive the default session-state TTL (forensic / recovery).
|
||||
RECOVERY_CRITICAL_KINDS = frozenset(
|
||||
{
|
||||
KIND_DECISION_LOCK_ARCHIVE,
|
||||
KIND_POST_MERGE_DECISION_RECOVERY,
|
||||
KIND_IRRECOVERABLE_DECISION_PROVENANCE,
|
||||
}
|
||||
)
|
||||
|
||||
|
||||
_SAFE_SEGMENT_RE = re.compile(r"[^A-Za-z0-9._+-]+")
|
||||
@@ -270,7 +284,11 @@ def identity_match_reasons(
|
||||
reasons.append("session state missing recorded_at timestamp (fail closed)")
|
||||
else:
|
||||
age = _now_utc() - recorded_at
|
||||
if age > timedelta(hours=ttl_hours()):
|
||||
kind = (record.get("kind") or "").strip()
|
||||
ttl_exempt = kind in RECOVERY_CRITICAL_KINDS or bool(
|
||||
record.get("recovery_critical")
|
||||
)
|
||||
if age > timedelta(hours=ttl_hours()) and not ttl_exempt:
|
||||
reasons.append(
|
||||
f"session state expired after {ttl_hours():g}h (fail closed)"
|
||||
)
|
||||
@@ -447,3 +465,127 @@ def clear_state(
|
||||
profile_identity=profile_identity,
|
||||
state_dir=state_dir,
|
||||
)
|
||||
|
||||
def list_decision_lock_profile_identities(
|
||||
state_dir: str | None = None,
|
||||
) -> list[str]:
|
||||
"""Return profile identities that have a durable review_decision_lock file (#709).
|
||||
|
||||
Filename form: ``review_decision_lock-<profile>.json`` (see ``state_key``).
|
||||
Does not validate TTL or identity — callers must load via ``load_state``.
|
||||
"""
|
||||
root = (state_dir or default_state_dir()).strip()
|
||||
if not root or not os.path.isdir(root):
|
||||
return []
|
||||
prefix = f"{_sanitize_segment(KIND_DECISION_LOCK)}-"
|
||||
suffix = ".json"
|
||||
found: list[str] = []
|
||||
try:
|
||||
names = os.listdir(root)
|
||||
except OSError:
|
||||
return []
|
||||
for name in names:
|
||||
if not name.startswith(prefix) or not name.endswith(suffix):
|
||||
continue
|
||||
if name.endswith(".lock"):
|
||||
continue
|
||||
mid = name[len(prefix) : -len(suffix)]
|
||||
if mid:
|
||||
found.append(mid)
|
||||
return sorted(set(found))
|
||||
|
||||
|
||||
def load_state_for_profile(
|
||||
*,
|
||||
kind: str,
|
||||
profile_identity: str,
|
||||
remote: str | None = None,
|
||||
org: str | None = None,
|
||||
repo: str | None = None,
|
||||
state_dir: str | None = None,
|
||||
skip_identity_match: bool = False,
|
||||
) -> dict[str, Any] | None:
|
||||
"""Load durable state for an explicit profile identity (#709 cross-profile).
|
||||
|
||||
When *skip_identity_match* is True, still requires the file's recorded
|
||||
profile_identity to equal the requested profile (anti-stomp), but does not
|
||||
require the *active* session identity to match — needed so a merger can
|
||||
inspect a reviewer lock after merge.
|
||||
"""
|
||||
profile = current_profile_identity(profile_identity=profile_identity)
|
||||
root = _ensure_state_dir(state_dir)
|
||||
path = state_file_path(
|
||||
kind=kind,
|
||||
remote=remote,
|
||||
org=org,
|
||||
repo=repo,
|
||||
profile_identity=profile,
|
||||
state_dir=root,
|
||||
)
|
||||
lock_path = f"{path}.lock"
|
||||
with _exclusive_file_lock(lock_path):
|
||||
envelope = _read_json(path)
|
||||
if not envelope:
|
||||
return None
|
||||
payload = envelope.get("payload")
|
||||
if not isinstance(payload, dict):
|
||||
return None
|
||||
merged = dict(payload)
|
||||
for key in (
|
||||
"kind",
|
||||
"remote",
|
||||
"org",
|
||||
"repo",
|
||||
"profile_identity",
|
||||
"session_profile_lock",
|
||||
"recorded_at",
|
||||
"updated_at",
|
||||
"writer_pid",
|
||||
):
|
||||
if key in envelope and key not in merged:
|
||||
merged[key] = envelope[key]
|
||||
stored = (merged.get("profile_identity") or "").strip()
|
||||
if stored and stored != profile:
|
||||
return None
|
||||
if skip_identity_match:
|
||||
# Still enforce TTL / future-dated so dead records do not authorize cleanup.
|
||||
reasons = identity_match_reasons(
|
||||
merged,
|
||||
remote=remote or merged.get("remote"),
|
||||
org=org or merged.get("org"),
|
||||
repo=repo or merged.get("repo"),
|
||||
profile_identity=stored or profile,
|
||||
)
|
||||
# Drop active-session-only mismatches; keep expiry / spoof reasons.
|
||||
filtered = [
|
||||
r
|
||||
for r in reasons
|
||||
if "profile identity mismatch" not in r
|
||||
or (stored and stored != profile)
|
||||
]
|
||||
# Re-run only expiry/future/missing checks via identity when profile matches
|
||||
expiry_reasons = [
|
||||
r
|
||||
for r in identity_match_reasons(
|
||||
merged,
|
||||
remote=None,
|
||||
org=None,
|
||||
repo=None,
|
||||
profile_identity=stored or profile,
|
||||
)
|
||||
if any(x in r for x in ("expired", "future", "missing recorded_at"))
|
||||
]
|
||||
if expiry_reasons:
|
||||
return None
|
||||
return merged
|
||||
reasons = identity_match_reasons(
|
||||
merged,
|
||||
remote=remote,
|
||||
org=org,
|
||||
repo=repo,
|
||||
profile_identity=profile,
|
||||
)
|
||||
if reasons:
|
||||
return None
|
||||
return merged
|
||||
|
||||
|
||||
Reference in New Issue
Block a user