Make the preflight bypass test actually exercise purity (not test short-circuit),
cover unmerged/open-head fail-closed cleanup, and document post-merge cleanup
ownership for prgs-reconciler so authors are not required for that path.
The conflict-resolution rebase incorrectly kept ISSUE_LOCK_FILE in the
merged_cleanup_reconcile import, but that symbol was moved to
issue_lock_provenance on master. This broke webui import collection.
Fixes the reviewer-reported regression on PR #448.
Adds read-only /runtime and /api/runtime routes showing active profile,
identity, config model, git sync vs remote master, shell health,
workflow/schema hashes, and stale-runtime warnings with #420 guidance.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Discover branches/review-pr<N>[-submit] worktrees separately from author
cleanup, fail closed on dirty trees / open PRs / active reviewer leases,
and remove only assessed-safe scratch paths via reconcile.
Add premerge_baseline_proof.py distinguishing four validation outcomes
(clean pass / current-master failure reproduced / pre-merge baseline-proven
failure / unresolved regression risk). A non-zero exit may only be labeled
"baseline"/"pre-existing" with pre-merge proof: the failure reproduced on the
PR's pre-merge base commit, or a documented known-failure record predating the
PR. Current-master (post-merge) reproduction is explicitly rejected as
sufficient baseline proof.
- premerge_baseline_proof.py: assess_premerge_baseline_proof + labels
- final_report_validator.py: reviewer.premerge_baseline_proof rule on
review_pr and reconcile_already_landed tasks
- skills/llm-project-workflow/templates/review-pr.md: baseline proof section
requiring base commit, tested commit, command, exit status, failure signature
- tests/test_premerge_baseline_proof.py: reject current-master-only proof,
accept pre-merge base proof and documented known-failure records
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Document the narrow controller-authorized path for landing MCP workflow
fixes when live daemons cannot canonically review themselves, with
required audits, allowed/forbidden actions, and post-land restart steps.
Share review-workflow-load and review-decision-lock state across MCP
daemon process pools via a user-private durable store keyed by profile
identity (not host-global /tmp), with TTL and fail-closed profile checks.
Keep _fetch_pr_lease_comments_safe for gitea_assess_conflict_fix_push
only. Restore _list_pr_lease_comments to a single comments GET so merge
approval feedback and #485 non-list handling keep stable API call order.
Closes#519
Resolve PR via pulls API before fetching lease comments so
gitea_assess_conflict_fix_push fails closed with actionable reasons
instead of surfacing HTTP 500 when Gitea returns not-found errors.
Add regression tests and document assessment-failure handoff in work-issue.
Bare remote=prgs resolved to the hardcoded REMOTES default
Scaled-Tech-Consulting/Timesheet instead of the Gitea-Tools repository
the local git remote points at, causing false 404s and risking mutation
of a different repository.
Add remote_repo_guard.assess_remote_repo_match (pure) + formatter, wired
into gitea_mcp_server._resolve so every read/lookup/mutation tool fails
closed when the MCP-resolved org/repo disagrees with the local git remote
URL and the caller did not pass explicit org/repo. The guard is
best-effort: it skips when both org and repo are explicit, when the local
remote URL is unavailable, and is bypassed under pytest unless
GITEA_FORCE_REMOTE_REPO_CHECK is set.
Add tests/test_remote_repo_guard.py (pure-function cases + server wiring
proving a lookup tool cannot silently query a different repository), and
update author/reviewer/merger handoff templates to require explicit
remote/org/repo.
Closes#530
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>