Commit Graph
72 Commits
Author SHA1 Message Date
sysadminandClaude Opus 4.8 6946534f3e feat: verify canonical workflow citation and version in review reports (Closes #296)
The canonical PR review/merge workflow already lives in
skills/llm-project-workflow/workflows/review-merge-pr.md and is exposed
through mcp_list_project_skills / mcp_get_skill_guide (#333-#335), and
its final-report schema already demands a workflow version. What was
missing is enforcement: add compute_workflow_hash (short sha256
version hash of workflow text) and assess_review_workflow_source to
review_proofs. Review reports must cite the canonical workflow file
and carry a populated Workflow version field; when the current
canonical hash is supplied, a mismatched citation fails as a stale
workflow copy, directing the agent to reload via mcp_get_skill_guide.
Fails closed. Tests cover hash determinism and content sensitivity,
matching-hash pass, missing citation, missing version field, stale
hash, version none, and offline validation without a canonical hash.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 09:19:33 -04:00
sysadmin c21e756a30 Merge pull request 'feat: prove reviewer worktree ownership before reset (Closes #312)' (#362) from feat/issue-312-worktree-ownership into master 2026-07-07 08:12:56 -05:00
sysadmin c20a93602d Merge pull request 'feat: block approval on full-suite failure without baseline proof (Closes #323)' (#361) from feat/issue-323-full-suite-approval-gate into master 2026-07-07 08:09:13 -05:00
sysadmin 5e023dcc97 Merge pull request 'feat: verify linked-issue consistency for the selected PR (Closes #314)' (#360) from feat/issue-314-linked-issue-consistency into master 2026-07-07 04:45:10 -05:00
sysadmin f87101ccaa Merge pull request 'feat: require live blocker proof before skipping earlier PRs (Closes #318)' (#355) from feat/issue-318-prior-blocker-skip-proof into master 2026-07-07 04:41:56 -05:00
sysadmin fa0cb12464 Merge pull request 'feat: block reviewer local Gitea fallbacks during normal review (Closes #324)' (#350) from feat/issue-324-reviewer-no-fallback into master 2026-07-07 04:37:12 -05:00
sysadmin f1c7054871 fix: resolve conflicts for PR #360 2026-07-07 05:35:13 -04:00
sysadmin 4204503b41 fix: resolve conflicts for PR #355 2026-07-07 05:35:13 -04:00
sysadmin 77b29fe417 fix: resolve conflicts for PR #362 2026-07-07 05:33:47 -04:00
sysadmin a0d68ef66e fix: resolve conflicts for PR #361 2026-07-07 05:33:47 -04:00
sysadmin f2d82a93ed fix: resolve conflicts for PR #350 2026-07-07 05:33:47 -04:00
sysadmin e1dabd1b0f Merge pull request 'feat: reject legacy Workspace mutations field in reviewer handoffs (Closes #320)' (#357) from feat/issue-320-remove-workspace-mutations into master 2026-07-07 04:33:31 -05:00
sysadmin 4d3e90e7c5 Merge pull request 'feat: enforce queue ordering proof in reviewer reports (Closes #321)' (#351) from feat/issue-321-queue-ordering-proof into master 2026-07-07 04:31:14 -05:00
sysadmin bc227a9a6d feat: block reviewer local Gitea fallbacks during normal review (Closes #324) 2026-07-07 05:27:24 -04:00
sysadmin 2cf0ad5908 feat: add composable final-report validator for reviewer and reconciliation handoffs (Closes #327) 2026-07-07 05:27:24 -04:00
sysadmin 077cedc0c9 feat: enforce queue ordering proof in reviewer reports (Closes #321) 2026-07-07 05:27:18 -04:00
sysadmin c83c18e52a Merge pull request 'feat: enforce proof wording for pagination and live claims (Closes #330)' (#346) from feat/issue-330-proof-wording-enforcement into master 2026-07-07 04:26:44 -05:00
sysadminandClaude Opus 4.8 ce3bd784c0 Add worktree ownership verifier for reviewer reset safety (#312)
Require session-owned review worktrees or documented safe-reuse proof
before destructive reset/validation. Block contradictory workspace-none
claims when git reset --hard occurred.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 05:26:37 -04:00
sysadminandClaude Opus 4.8 5fa5760dd0 feat: block approval on full-suite failure without baseline proof (Closes #323)
Approving a PR whose full test suite fails is now gated behind complete
baseline proof. New assess_full_suite_failure_approval_gate:

- Full-suite pass: approval allowed, no baseline required.
- Full-suite failure: default action is REQUEST_CHANGES; approval is
  blocked unless the #325 baseline validation proof passes (branches/
  worktree, pinned baseline/PR SHAs, matching failure signatures,
  clean before/after) and the proof also carries the PR and baseline
  full-suite commands, evidence that new/changed tests passed, and a
  non-empty explanation of why the failures are unrelated to the PR.
- Unknown/unproven full-suite result blocks approval.
- Main-checkout baseline comparison is rejected.
- Vague "same as master" claims without proof are rejected via the
  existing pre-existing-failure claim detection.
- Non-approve decisions are never blocked; the gate only reports the
  request-changes default.

Tests cover matching baseline failures, mismatched signatures,
incomplete proof (missing commands, new-test evidence, explanation),
main-checkout baseline, unknown suite result, vague claims, and
full-suite pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 05:24:07 -04:00
sysadmin 1666e55e60 Merge pull request 'feat: reject workspace-none claims after worktree mutations (Closes #313)' (#354) from feat/issue-313-worktree-mutation-consistency into master 2026-07-07 04:23:54 -05:00
sysadminandClaude Opus 4.8 1e6bd34d6f feat: verify linked-issue consistency for the selected PR (Closes #314)
Add assess_linked_issue_consistency to review_proofs: reviewer final
reports must report a "Linked issue status" that matches the issue(s)
the selected PR was live-verified to link this session. Without live
proof the field may only say "not verified in this session"; with
proof, every linked issue must be named, and any other "Issue #N"
mention anywhere in the report fails as stale leakage from a previous
PR (the PR #280 / Issue #260-vs-#275 incident). Missing field fails
closed. Tests cover correct linked issue, stale previous issue in both
the status field and diagnostics, missing proof, unverified wording,
multiple linked issues, and PR-number mentions not being mistaken for
issue mentions.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 05:22:08 -04:00
sysadmin e9fdb356dd fix: resolve conflicts for issue 330 (master refresh) 2026-07-07 05:21:43 -04:00
sysadmin 897d256f98 Merge pull request 'feat: add queue-status report verifier for reviewer handoffs (Closes #339)' (#347) from feat/issue-339-queue-status-report-verifier into master 2026-07-07 04:20:09 -05:00
sysadmin 240e7adf46 fix: resolve conflicts for issue 339 2026-07-07 05:18:29 -04:00
sysadmin deb228d629 Merge pull request 'feat: require conflict proof for skipped non-mergeable PRs (Closes #322)' (#353) from feat/issue-322-mergeability-skip-proof into master 2026-07-07 04:17:09 -05:00
sysadminandClaude Opus 4.8 94b022b24d fix: resolve conflicts for issue 330
Merge prgs/master into feat/issue-330-proof-wording-enforcement and keep
both assess_proof_wording (#330) and git ref mutation reporting (#297).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 05:16:57 -04:00
sysadmin 6bf0210128 Merge pull request 'feat: enforce branches-only baseline validation in reviewer reports (Closes #325)' (#349) from feat/issue-325-baseline-worktree-validation into master 2026-07-07 04:13:22 -05:00
sysadminandClaude Opus 4.8 56661cd0a7 feat: require live blocker proof before skipping earlier PRs (Closes #318)
Add assess_prior_blocker_skip_proof to validate reviewer reports document
live REQUEST_CHANGES blocker proof for skipped earlier open PRs, reject
stale-memory skips when head changed after blocker, and require
BLOCKER_STATUS_UNVERIFIED when review feedback cannot be fetched.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 05:12:01 -04:00
sysadminandClaude Opus 4.8 c2bba27b86 feat: reject legacy Workspace mutations field in reviewer handoffs (Closes #320)
Reviewer controller handoffs must now report the precise mutation
categories (File edits by reviewer, Worktree/index mutations, Git ref
mutations, MCP/Gitea mutations, Review mutations, Merge mutations,
Cleanup mutations, External-state mutations, Read-only diagnostics)
instead of the ambiguous legacy "Workspace mutations" field.

- assess_controller_handoff(role="review") no longer requires
  "Workspace mutations" and fails closed when any legacy
  "Workspace mutations:" line is present, regardless of value.
- New HANDOFF_REVIEW_MUTATION_FIELDS makes the nine precise categories
  required fields for review-role handoffs, matching the canonical
  schemas/review-merge-final-report.md field set.
- Tests cover approval, request-changes, merge, worktree cleanup,
  fetch-only, and blocked handoffs, plus rejection of
  "Workspace mutations: none" and non-none values.
- Author/create-issue/inventory roles keep their existing contracts.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 05:11:05 -04:00
sysadminandClaude Opus 4.8 9fbe556466 feat: reject workspace-none claims after worktree mutations (Closes #313)
Add assess_workspace_mutation_consistency to review_proofs: final
reports fail validation when they claim "Workspace mutations: none"
while worktree mutations (reset --hard, checkout, clean, worktree
add/remove, stash, merge, rebase, ...) occurred — either observed in
the workflow command log or self-reported in the report's own
"Worktree mutations" field. Observed worktree and git ref mutations
must be reported under their precise category fields; reports pass
when they say "File edits by reviewer: none" alongside a non-none
"Worktree mutations" entry. Tests cover reset, checkout, worktree add,
clean, fetch-only, and no-op cases.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 05:09:44 -04:00
sysadminandClaude Opus 4.8 cf1cedf5e3 feat: require conflict proof for skipped non-mergeable PRs (Closes #322)
Add assess_non_mergeable_skip_proof to validate reviewer reports document
head SHA, mergeability result, conflict proof command, conflicting files,
and head-change status for each skipped non-mergeable PR, or classify
MERGEABILITY_UNVERIFIED when proof cannot be retrieved.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 05:08:53 -04:00
sysadmin d7d2f92286 Merge pull request 'feat(reports): classify git fetch as a git ref mutation (closes #297)' (#344) from feat/issue-297-fetch-ref-mutation into master 2026-07-07 04:07:11 -05:00
sysadmin f92d1a29c2 Merge pull request 'Add pagination metadata to gitea_list_prs' (#342) from feat/issue-340-list-prs-pagination-metadata into master 2026-07-07 04:03:30 -05:00
sysadminandClaude Opus 4.8 a47083b9b8 feat: enforce branches-only baseline validation in reviewer reports (Closes #325)
Add assess_reviewer_baseline_validation_proof to block test-suite runs in
the main checkout and require complete baseline worktree proof when reports
claim pre-existing master failures.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 05:02:07 -04:00
sysadmin 6c653ce32a feat: add queue-status report verifier for reviewer handoffs (#339)
Add assess_queue_status_report and assess_proof_wording to reject
contradictory queue-status-only reports: passed gates without a selected
PR, prior diagnostic conflict proof, pagination assumptions, and
blocker contradictions. Wire into build_final_report and document the
queue-status-only schema path.

Closes #339
2026-07-07 04:57:50 -04:00
sysadmin 46703eac3f feat: enforce proof wording for pagination and live claims (#330)
Add assess_proof_wording to reject unsupported phrases such as
inventory complete, live proof, same as master, and file edits none
unless matching evidence is present. Wire into build_final_report and
add doc-contract tests.

Closes #330
2026-07-07 04:46:48 -04:00
sysadminandClaude Opus 4.8 c41a698a08 feat(reports): classify git fetch as a git ref mutation (closes #297)
Reviewer reports treated 'git fetch prgs master' as read-only
diagnostics while claiming 'Git/worktree mutations: None'. Fetch edits
no files but updates remote-tracking refs, so hiding it under
diagnostics understates what the run mutated.

Add git_ref_mutating_commands() classifying fetch, pull, push, merge,
update-ref, remote update, branch -d/-D, and reset --hard as git ref
mutations, and assess_git_ref_mutation_report() which fails a report
when ref-updating commands ran but the report lacks a non-none 'Git ref
mutations' entry, omits 'fetched <remote>/<branch>' for a targeted
fetch, still claims 'Git/worktree mutations: None', or lists the
command under read-only diagnostics.

Tests cover fetch-only review, missing ledger entry, missing fetch
target, contradictory none-claim, read-only misclassification, worktree
creation (not a ref mutation), merge, cleanup branch deletion,
no-mutation blocked handoff, and dict command-log entries.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 04:26:58 -04:00
sysadmin 8929286276 feat: add pagination metadata to gitea_list_prs (#340)
Return wrapped {prs, pagination} from gitea_list_prs with has_more,
inventory_complete, and page traversal via api_fetch_page. Route
gitea_review_pr inventory through gitea_list_prs so trust gates can
prove pagination finality. Add assess_list_prs_pagination_proof verifier.

Closes #340
2026-07-07 04:25:02 -04:00
sysadmin 14f5c865b3 feat: add create-issue final-report verifier (#337)
Extend review_proofs with assess_create_issue_final_report to enforce
workflow-source proof, create-issue handoff schema fields, and rejection
of work-issue/review-merge cross-mode handoff fields.

Closes #337
2026-07-07 04:23:45 -04:00
sysadminandClaude Opus 4.8 ae4dd0ff91 Add final-report mutation ledger verifier (#331)
Introduce assess_mutation_ledger_report so reviewer final reports cannot
claim no file edits when the action log records performed mutations.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 04:08:27 -04:00
sysadmin c73e68bd75 Merge pull request 'feat(reports): add no-email identity summary and disclosure validator (closes #305)' (#329) from feat/issue-305-report-email-redaction into master 2026-07-07 03:03:12 -05:00
sysadminandClaude Opus 4.8 a3b79736e0 feat(reports): add no-email identity summary and disclosure validator (closes #305)
Workflow reports included the authenticated user's personal email even
when username/profile identity was sufficient (observed: 'Identity:
jcwalker3 / [email protected]' in a reconciliation handoff).

Add format_identity_summary() producing the canonical no-email identity
line ('<username> / <profile>' with optional role/remote, reducing an
email passed in the username slot to its local part), and
assess_email_disclosure() flagging personal email addresses in report
text unless the report itself justifies the disclosure (tool proof,
explicit request, or identity disambiguation).

Tests cover no-email summaries for author and reviewer identities,
role/remote suffixes, email-in-username reduction, clean reports,
single and multiple unjustified disclosures, and justified
disambiguation.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 02:57:45 -04:00
sysadminandClaude Opus 4.8 efb0a2d076 Add REQUEST_CHANGES override proof helper before approval (#326)
Introduce assess_request_changes_approval_proof in review_proofs.py so
review workflows can fail closed when approving an unchanged head after a
prior REQUEST_CHANGES unless explicit override proof is provided.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 02:53:25 -04:00
sysadminandClaude Opus 4.8 24d8891424 fix(issue-filing): enforce mutation-scope denials in generic loop (#191)
The forbidden-mutation loop in assess_issue_filing_mutation_scope never
appended reasons; align aggregation with issue-selection handoff checks.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-06 14:36:18 -04:00
sysadminandClaude Opus 4.8 27922c67f8 feat(issue-filing): harden final report proofs for handoff and mutations (#191)
Add assess_issue_filing_final_report and supporting checks for Controller
Handoff (issue_filing role), exact issue number/title, full 40-char SHAs,
per-mutation capability proof, single-mutation scope statements, and
duplicate-search summaries. Workflow skill documents the issue-filing
handoff fields.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-06 14:32:48 -04:00
sysadminandClaude Opus 4.8 70c868962a feat(reviewer): add queue-target lock before PR inventory trust gate (#200)
Operators can supply an active PR backlog for one repo while agents
inventory another and falsely report trusted_empty. reconcile_queue_target
locks the target repo from operator context/backlog before list_prs runs;
pr_inventory_trust_gate blocks target_repo_mismatch and unresolved locks.
assess_reviewer_queue_inventory wires the lock into the canonical path.

Tests cover Gitea-Tools backlog vs mcp-control-plane inventory mismatch,
ambiguous dual-repo context, conflicting directive vs backlog, and final-
report field requirements.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-06 12:29:16 -04:00
sysadminandClaude Opus 4.8 dc41b685d0 feat(author): add continuation-mode selection wall for open-PR issues (#188)
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-06 11:40:35 -04:00
jcwalker3 056a232ef8 revert: remove #208 from master (land via PR #235) 2026-07-06 10:19:26 -05:00
sysadminandClaude Opus 4.8 ca3de3da53 feat(reviewer): require trust-gate proof in empty-queue reports (#198)
Add assess_empty_queue_report to block empty-queue claims without
pr_inventory_trust_gate.status == trusted_empty, reject weak merge-commit
corroboration, extend inventory handoff fields, and wire the gate into
build_final_report and capability-stop terminal validation.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-06 11:16:35 -04:00
sysadminandClaude Opus 4.8 1033a22407 feat(reviewer): wire PR inventory trust gate into live queue path (#196)
Run pr_inventory_trust_gate on empty gitea_review_pr inventory results,
add assess_reviewer_queue_inventory for multi-repo completeness checks,
and require trusted_empty before empty-queue claims in reports/templates.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-06 02:08:55 -04:00