Remote post-merge branch deletion was blocked because the capability
resolver classified delete_branch as an author-role task while
gitea.branch.delete is granted only to prgs-reconciler. No configured
profile could satisfy both the permission gate and the role gate, so
every deletion failed closed with performed=false.
Re-home delete_branch from the author role to the reconciler role in
both single-source-of-truth maps:
- task_capability_map.TASK_CAPABILITY_MAP["delete_branch"].role
- role_session_router: TASK_REQUIRED_ROLE + AUTHOR_TASKS/RECONCILER_TASKS
resolve_task_capability("delete_branch") now resolves to prgs-reconciler.
In gitea_delete_branch, the reconciler is now the delete-capable role and
performs raw deletion through the existing reconciliation-cleanup-phase
authorization gate (operator approval + safe_to_delete proof) plus the
preservation/protected guards; the prior reconciler->cleanup redirect is
removed as it would orphan that guarded flow. Author, reviewer, and
merger stay denied by the permission gate and the required-role gate.
gitea_cleanup_merged_pr_branch remains a separate reconciler-owned path
with independent merged/ancestry/ownership verification.
Tests: reconciler resolves + performs eligible deletion; author/reviewer/
merger denied even when holding the permission; protected/preservation
branches remain fail-closed; both role maps asserted in agreement.
Updated pre-existing tests that encoded the superseded author-delete /
#687 reconciler-redirect contract. Full suite: 3190 passed, 6 skipped,
1 pre-existing unrelated failure (test_issue_702 create_pr stale-binding).
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Claude-Session: https://claude.ai/code/session_01UracxyRHQw49rZBaexHdft
Adds canonical pr-queue-cleanup workflow, report verifier, reviewer-only task
routing, and runbook guidance so operators can drain open PRs one canonical
review at a time with fail-closed boundaries on batching and unauthorized merges.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Expose read-only assess/scan tools and capability planning so already-landed
open PRs can be reconciled without review or merge. Register the
gitea-reconcile-landed-pr skill and workflow-source verification.
Introduce a dedicated reconciler role with gitea_reconcile_already_landed_pr,
which closes open PRs only after live fetch and ancestor proof against a fresh
target branch. Document the gitea-reconciler namespace and extend task routing.
Already-landed open PRs block the review queue: the already-landed gate
correctly stops approval/merge, but no task path could close the
redundant PR. Add the reconciler close path:
- task_capability_map: new reconcile_close_landed_pr (gitea.pr.close)
and reconcile_close_landed_issue (gitea.issue.close) tasks under a
dedicated "reconciler" role. Exact close capabilities only — the
role grants no review, approve, request-changes, or merge authority,
and normal reviewer profiles keep no broad PR-close authority.
- role_session_router: reconciler tasks route wrong_role_stop in
author/reviewer sessions with a dedicated recovery message; matching
reconciler sessions route allowed_current_session.
- review_proofs.assess_reconciler_close_gate: PR close allowed only
when every proof passes — PR live-verified open, candidate head SHA
pinned and matching the live head, target branch freshly fetched
with a full SHA, head an ancestor of the target, exact
gitea.pr.close proven. Non-landed PRs return
NOT_LANDED_CLOSE_BLOCKED; missing close capability returns
RECOVERY_HANDOFF_REQUIRED; incomplete proof fails closed as
GATE_NOT_PROVEN. Linked-issue close is skipped when the issue is
already closed and allowed only for an open issue resolved by the
landed commits with exact gitea.issue.close capability. The gate
also returns the required final-report field list.
17 new tests cover the capability map, wrong-role routing, and every
gate path (landed close, non-landed block, stale target, changed head,
missing capabilities, linked-issue variants, review-mutation denial).
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Add assess_infra_stop() to scan git state and conflict markers on each
reviewer capability check, return the exact conflict path in responses,
and clear stale capability-stop terminal state once the worktree is clean.
Closes#285
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Match git conflict markers on whole lines only so decorative equals
borders in mcp_discoverability.py no longer false-positive. Scan
session worktrees under branches/ without skipping the entire tree
when the worktree path contains "branches".
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Add gitea_route_task_session and role_session_router to fail closed when
reviewer tasks start under author-bound MCP sessions. Block author-side
issue creation fallback after wrong_role_stop. Add handoff proof helper and
tests.
Closes#206
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>