sysadmin and Grok 4.5
2b359e0c26
fix(workflow): durable HMAC, dedicated mint capability, head-exact approve match ( #709 )
...
Address formal review 435 REQUEST_CHANGES on PR #710 :
- F4: require durable GITEA_IRRECOVERABLE_AUTH_HMAC_KEY (fail closed; no ephemeral
per-process secret); bind key_version into HMAC; cross-process verify works
- F5: dedicated gitea.decision_lock.irrecoverable_recovery only; reject reconciler
equivalence; authoritative incident body + author + content_digest; reject
self-authored incident evidence
- F3 residual: lock_targets_merged_pr_approval requires recorded-head match when
expected_head_sha is provided (legacy no-head approve no longer primary-clears)
Co-Authored-By: Grok 4.5 (xAI) <[email protected] >
2026-07-14 02:13:47 -04:00
sysadmin and Grok 4.5
9cb12ee0f4
fix(workflow): non-forgeable irrecoverable auth, merger consumer, exact-scope cleanup ( #709 )
...
Address formal review 434 REQUEST_CHANGES on PR #710 :
- F1: replace caller operator_authorized with server-side HMAC auth artifacts
- F2: implement fail-closed merger consumption for prior-provenance only
- F3: enforce remote/org/repo/head on cross-profile load and clear
Co-Authored-By: Grok 4.5 (xAI) <[email protected] >
2026-07-14 01:36:39 -04:00
sysadmin
ec5cf67771
fix(workflow): cross-profile decision-lock cleanup and irrecoverable provenance ( #709 )
...
Prevent merger-local empty decision locks from standing in for reviewer
terminal cleanup, refuse silent re-init overwrite of unresolved terminal
evidence, record post-merge recovery-required state when audit fails, and
add a truthful irrecoverable-provenance path that never claims applied=true.
Closes #709
2026-07-14 00:54:33 -04:00