Commit Graph
638 Commits
Author SHA1 Message Date
sysadmin 535da1bc5a chore: remove trailing extra blank line at EOF in test_mcp_server.py 2026-07-08 15:40:12 -04:00
sysadmin dfbee45309 fix: resolve reviewer preflight capability/lease deadlock and add gitea_release_reviewer_pr_lease tool (closes #546) 2026-07-08 15:29:18 -04:00
sysadmin a4e014e62b fix: remove duplicate verify_preflight_purity in gitea_adopt_merger_pr_lease (#548)
The second direct call after _verify_role_mutation_workspace caused
_clear_preflight_capability_state() to run twice (or between checks),
clearing valid capability/preflight state. This forced temp local
patches during #542/#517 merge/reconcile.

- Remove the redundant verify call (the _verify already performs
  purity verification with correct worktree_path).
- Update test to reflect single invocation path and add explicit
  test proving state preservation, single call, no dupe clear,
  and no need for raw/temp fallbacks.
- Reconciler/controller flows stay fully MCP-native.

Fixes #548
2026-07-08 15:01:48 -04:00
sysadmin c64809134f Detect stale MCP runtime before mutation tools execute 2026-07-08 13:43:50 -04:00
sysadminandClaude Opus 4.8 749ca04388 fix: scope MCP cleanup proof to mutation ledgers (#517)
Raw branch/comment delete detection now scans only Cleanup mutations,
Git ref mutations, and Worktree mutations ledger fields so narrative
§28B citations and validation notes no longer false-positive.

Authorized cleanup tool proof also applies when cleanup is claimed under
Git ref or Worktree mutation ledgers while Cleanup mutations is none.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 13:43:39 -04:00
sysadminandClaude Opus 4.8 ea51b0196a feat: require MCP-native post-merge cleanup proof (Closes #517)
Add mcp_native_cleanup_proof verifier that blocks raw git branch deletion and
raw API comment deletion scripts as cleanup proof, requires authorized
reconciler MCP tools in cleanup mutation ledgers, and separates merge from
cleanup mutations in controller handoffs.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 12:54:37 -04:00
sysadmin cc63ab74e6 Merge pull request 'feat: add worktree cleanup audit integrity (Closes #404)' (#417) from feat/issue-404-worktree-cleanup-audit into master 2026-07-08 11:51:06 -05:00
sysadminandClaude Opus 4.8 9438855fdd fix: preserve actual reconciler role for #274/#475 role exemptions during comment_issue preflight (Closes #540)
resolve_task_capability("comment_issue") stamps _preflight_resolved_role
= "author" because comment_issue.required_role_kind = author.
_effective_workspace_role() prefers that stamp, so a genuine
prgs-reconciler session was classified as an author inside the #274
branch-only mutation guard and the #475 root checkout guard, blocking
gitea_create_issue_comment from the control checkout.

Fix keys the role exemptions off the actual active profile role as well
as the effective workspace role:

- Add _actual_profile_role(): derives the workspace role from the active
  profile alone, never from _preflight_resolved_role.
- _enforce_branches_only_author_mutation: exempt when EITHER the
  effective role OR the actual profile role is a non-author role.
- _enforce_root_checkout_guard: pass actual_role; assess_root_checkout_guard
  now exempts a reconciler by resolved OR actual role.

Author blocking is preserved: an actual author profile classifies as
author in both signals, so it stays blocked on a contaminated control
checkout. Merger strictness stays keyed on the resolved task role so a
merger operating from its clean branches/ workspace under a non-merge
task is not over-tightened.

Regression tests (tests/test_issue_540_comment_role_poison.py) cover the
reconciler comment path, author-blocking path, reviewer/merger/reconciler
role classification under a poisoned author stamp, and the root guard
actual_role exemption.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 12:03:14 -04:00
sysadmin cfce823dd7 Merge pull request 'feat: guarded merger lease adoption flow (#536)' (#538) from feat/issue-536-merger-lease-adoption into master 2026-07-08 10:47:51 -05:00
sysadmin e27b6ddefb feat: add worktree cleanup audit integrity (Closes #404)
Reconcile before/after branches/ snapshots so preserved worktrees cannot
disappear without removal logs or explained state transitions.

- worktree_cleanup_audit.py: snapshot capture, disposition reconciliation
- gitea_capture_branches_worktree_snapshot, gitea_assess_worktree_cleanup_integrity
- Final-report rule author.worktree_cleanup_audit_proof
- worktree-cleanup.md bulk audit section
- tests/test_worktree_cleanup_audit.py (11 cases)
2026-07-08 11:15:55 -04:00
sysadmin cefebd7643 test: seed review workflow load and pass expected_head_sha in legacy test fixtures 2026-07-08 11:14:06 -04:00
sysadminandClaude Opus 4.8 3d540f6fba feat: add workflow-load session boundary proof (Closes #403)
Extend the review workflow load gate with pre-review command classification,
boundary violation tracking, and structured helper-result requirements in
final reports. Adds gitea_record_pre_review_command MCP tool.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 11:13:43 -04:00
sysadmin 2bb45c0f80 Merge pull request 'feat: add root checkout guard for contaminated control checkout (Closes #475)' (#488) from feat/issue-475-root-checkout-guard into master 2026-07-08 10:12:52 -05:00
sysadmin 0b62d4e06a Merge pull request 'feat: add session-owned worktree cleanup audit and TTL enforcement (Closes #401)' (#492) from feat/issue-401-worktree-cleanup-ttl into master 2026-07-08 10:11:15 -05:00
sysadmin 3550262613 fix: resolve conflicts for PR #516
Merge prgs/master into feat/issue-514-branch-delete-guard and preserve PR intent
alongside compatible master guardrails.
2026-07-08 11:10:21 -04:00
sysadmin 59f2de9711 fix: resolve conflicts for PR #511
Merge prgs/master into feat/issue-507-controller-thread-ledger and preserve PR intent
alongside compatible master guardrails.
2026-07-08 11:10:19 -04:00
sysadmin c0b1f562a9 fix: resolve conflicts for PR #506
Merge prgs/master into feat/issue-501-reviewer-handoff-consistency and preserve PR intent
alongside compatible master guardrails.
2026-07-08 11:10:18 -04:00
sysadmin 560cfa8f47 fix: resolve conflicts for PR #499
Merge prgs/master into feat/issue-495-canonical-next-action-comments and preserve PR intent
alongside compatible master guardrails.
2026-07-08 11:10:16 -04:00
sysadmin 3b4f222a7d fix: resolve conflicts for PR #486
Merge prgs/master into feat/issue-483-role-boundaries and preserve PR intent
alongside compatible master guardrails.
2026-07-08 11:10:15 -04:00
sysadmin a2aea5357d fix: resolve conflicts for PR #444
Merge prgs/master into feat/issue-420-server-code-parity and preserve PR intent
alongside compatible master guardrails.
2026-07-08 11:10:13 -04:00
sysadminandClaude Opus 4.8 7d5c7df82f fix: resolve conflicts for PR #418
Merge prgs/master into feat/issue-405-mutation-capability-proof and keep
both reviewer mutation-capability proof and post-merge cleanup proof rules.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 11:06:03 -04:00
sysadmin 08ea214526 feat: guarded merger lease adoption flow (#536)
Replace manual in-process _SESSION_LEASE seeding with an auditable
gitea_adopt_merger_pr_lease tool that posts durable adoption proof and
records sanctioned session provenance. Mutation gates now reject bare
record_session_lease calls without provenance from acquire/adopt/heartbeat.

Closes #536
2026-07-08 11:03:56 -04:00
sysadmin 6b45212659 Merge pull request 'feat: keep reconciliation audits read-only unless cleanup authorized (Closes #419)' (#421) from feat/issue-419-audit-readonly-mode into master 2026-07-08 04:16:45 -05:00
sysadmin ccdff1df27 Merge pull request 'Require canonical workflow load proof for reviewer mutations' (#493) from feat/issue-389-review-workflow-load-proof into master 2026-07-08 04:16:19 -05:00
sysadminandClaude Opus 4.8 2faf18a802 feat: add safe post-merge moot lease cleanup for already-merged PRs (Closes #515)
Refuse merge-oriented reviewer-lease acquisition/adoption on an already
merged/closed PR, and add a read-first cleanup path for a lingering moot lease.

- reviewer_pr_lease.assess_acquire_lease: new pr_merged_or_closed flag; fail
  closed with a post_merge_moot reason and no lease body when the PR already
  merged/closed.
- reviewer_pr_lease.assess_post_merge_moot_lease: pure assessment. Only treats a
  lease as moot when the PR is merged/closed; never proposes touching an active
  lease on an open PR; provides a terminal phase:released (blocker:
  post-merge-moot) body to neutralise the moot lease append-only; idempotent
  once the released marker is the newest entry.
- gitea_acquire_reviewer_pr_lease: fetch live PR state, pass the flag, surface
  post_merge_moot on refusal (no comment posted).
- gitea_cleanup_post_merge_moot_lease: new read-first tool. Reports merged
  state, merge_commit_sha, linked-issue closure, lease-moot, cleanup
  performed/skipped, and no_merge_or_adoption. apply=True posts the released
  marker only when merged/closed with an active lease; refuses on open PRs.
- tests/test_post_merge_moot_lease.py: 10 tests covering acquire refusal on
  merged PR (no post), safe/idempotent cleanup, and open-PR foreign-lease
  protection.

No relaxation of #407 reviewer-lease or #16 gated-merge gates for open PRs.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 04:51:10 -04:00
sysadmin 564fee9639 Merge branch 'prgs/master' into feat/issue-389-review-workflow-load-proof 2026-07-08 04:44:58 -04:00
sysadmin d56baa635e fix: register gitea_lock_issue as MCP tool (Closes #521)
Move @mcp.tool() from internal _list_open_pulls helper onto
gitea_lock_issue so author sessions can discover and call the
issue lock required by gitea_create_pr.

Add regression tests for MCP registration and create_pr lock flow.
2026-07-08 04:42:35 -04:00
sysadmin c54ac0d4de Merge pull request 'feat: isolate MCP workspace binding across role namespaces (Closes #510)' (#512) from feat/issue-510-workspace-binding-isolation into master 2026-07-08 03:37:17 -05:00
sysadmin b7755f26e3 feat: require workflow labels for issues (Closes #513) 2026-07-08 04:20:24 -04:00
sysadmin 3cb05284b3 feat: guard merged branch cleanup path
Closes #514
2026-07-08 04:18:09 -04:00
sysadmin 4d24c34548 Merge pull request 'feat: require post-merge cleanup safety-gate proof in reviewer reports (Closes #402)' (#415) from feat/issue-402-post-merge-cleanup-proof into master 2026-07-08 03:13:43 -05:00
sysadminandClaude Opus 4.8 4561d7ad12 fix: resolve conflicts for PR #493
Merge prgs/master; keep review workflow load gate (#389) with explicit
merge_pr preflight task binding.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 04:09:31 -04:00
sysadminandClaude Opus 4.8 9e29d00292 fix: resolve conflicts for PR #486
Merge prgs/master; preserve reviewer-merge block (#483) with explicit
merge_pr preflight task binding.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 04:08:51 -04:00
sysadmin 3d11e1f12b feat: isolate MCP workspace binding across role namespaces (Closes #510)
Namespace-scoped workspace resolution prevents GITEA_AUTHOR_WORKTREE from
poisoning reviewer, merger, and reconciler purity checks. Each role uses
its own worktree env var with actionable binding-source errors and safe
reconnect guidance. Preserves #274/#475 author and control-checkout guards.
2026-07-08 04:08:08 -04:00
sysadminandClaude Opus 4.8 182fcbf598 fix: resolve conflicts for PR #421
Merge prgs/master; keep audit-readonly gate (#419) and explicit delete_branch
preflight task binding from master.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 04:08:07 -04:00
sysadmin ce61e424f6 Merge pull request 'fix: preserve capability preflight across safe reads (Closes #469)' (#502) from fix/issue-469-preflight-read-survival into master 2026-07-08 03:01:48 -05:00
sysadminandClaude Opus 4.8 96fe077292 fix: resolve conflicts for PR #486
Merge prgs/master and preserve reviewer/reconciler/merger branches-only
exemption (#483) with reconciler close_pr guard context from #468.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:59:16 -04:00
sysadmin f89949cea9 Merge pull request 'fix: exempt reconciler close_pr from branches-only worktree guard (Closes #468)' (#472) from feat/issue-468-reconciler-close-guard into master 2026-07-08 02:48:57 -05:00
sysadminandClaude Opus 4.8 eff4572a91 feat: add Controller Handoff + Thread State Ledger validation (#507)
Introduce thread_state_ledger_validator for the mandatory two-comment
workflow: tagged [CONTROLLER HANDOFF] paired with [THREAD STATE LEDGER].
Wire validation into final_report_validator and gitea_create_issue_comment,
add runbook docs, worked examples, and tests.

Closes #507

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:46:25 -04:00
sysadmin b3edd53185 Merge pull request 'fix: guard PR/issue comment listing against non-list API payloads (Closes #485)' (#487) from feat/issue-485-lease-comments-non-list-guard into master 2026-07-08 02:46:03 -05:00
sysadminandClaude Opus 4.8 25cf323d14 feat: add Canonical Thread Handoff protocol (Closes #505)
Define CTH comment types, base template, parser/validator helpers, protocol
documentation with examples, and workflow/runbook/prompt updates so agents
discover and post authoritative thread handoffs before acting.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:44:58 -04:00
sysadminandClaude Opus 4.8 429faccd08 feat: reject contradictory reviewer handoff ledgers (Closes #501)
Add reviewer_handoff_consistency validation for narrative vs mutation
ledger contradictions, wire it into review_pr final-report rules, and
document the blocked-review handoff template.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:33:31 -04:00
sysadmin 9ada4762c5 Merge pull request 'feat: expose explicit adoption proof in gitea_lock_issue response (Closes #477)' (#481) from feat/issue-477-lock-adoption-proof into master 2026-07-08 02:31:47 -05:00
sysadminandClaude Opus 4.8 33d01ba65e feat: add controller issue-acceptance gate (Closes #500)
Add issue_acceptance_gate validation for Controller Issue Acceptance
comments, final-report rules blocking merge-only issue completion claims,
documentation/templates, and regression tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:27:37 -04:00
sysadminandClaude Opus 4.8 3bce0a55fb test: reset preflight globals in read-survival setUp (#469)
Prevents cross-test leakage that masked the missing-capability fail-closed case.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:23:12 -04:00
sysadminandClaude Opus 4.8 afb4ba563c fix: preserve capability preflight across interleaved read-only whoami (#469)
Read-only gitea_whoami calls no longer clear a valid capability proof when
whoami was already verified clean. Capability is consumed on mutation (one
resolve per mutation), and verify_preflight_purity rejects task mismatches.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:23:12 -04:00
sysadminandClaude Opus 4.8 9235f3a23c feat: require canonical next-action state comments (#495)
Add canonical issue/PR/discussion state comment templates and validators,
final-report rules for STATE/WHO_IS_NEXT/NEXT_ACTION/NEXT_PROMPT, and
queue-controller guidance. Posting enforcement remains in #496.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:17:38 -04:00
sysadminandClaude Opus 4.8 d50328aea4 feat: add canonical state handoff ledger (#494)
Add templates, validators, and documentation for discussion/issue/PR state
comments and final-report next-action handoff fields. Wire enforcement into
assess_final_report_validator across all workflow task kinds.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:14:32 -04:00
sysadmin 48cf3a334b Merge pull request 'feat: require validation cwd and HEAD proof in reviewer reports (Closes #398)' (#411) from feat/issue-398-validation-cwd-proof into master 2026-07-08 02:09:11 -05:00
sysadminandClaude Opus 4.8 cedf451a2b feat: add session-owned worktree cleanup audit and TTL enforcement (Closes #401)
Stale worktrees accumulate under branches/ when runs stop early, race a
sibling session, hit a validation failure, or lose cwd state, making later
workflow decisions harder and riskier.

Changes:
- worktree_cleanup_audit.py — ownership metadata, safety-first classifier
  (active_open_pr, active_issue_work, dirty_local_worktree,
  clean_stale_removable, detached_review_leftover, unsafe_unknown), TTL
  expiry, per-worktree removal proof, and success-completion cleanup plan.
  Only clean_stale_removable and detached_review_leftover are removable;
  dirty/PR/leased/protected/unknown worktrees are never auto-deleted.
- gitea_audit_worktree_cleanup — read-only MCP tool that classifies every
  branches/ entry, fetches live open-PR heads (fails closed if unavailable),
  and returns counts, removable candidates, and git worktree list proof.
- work-issue.md 22A + review-merge-pr.md 28 — cleanup/TTL workflow rules.
- tests/test_worktree_cleanup_audit.py — 30 cases covering all nine
  acceptance scenarios plus inference, metadata, TTL, and report accuracy.

Validation:
  /Users/jasonwalker/Development/Gitea-Tools/venv/bin/python \
    -m unittest tests.test_worktree_cleanup_audit tests.test_merged_cleanup_reconcile -q
  38 passed.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 02:40:15 -04:00