Commit Graph
94 Commits
Author SHA1 Message Date
sysadminandClaude Opus 4.8 7fb813446f feat: require true pre-merge baseline proof for non-zero validation exits (Closes #533)
Add premerge_baseline_proof.py distinguishing four validation outcomes
(clean pass / current-master failure reproduced / pre-merge baseline-proven
failure / unresolved regression risk). A non-zero exit may only be labeled
"baseline"/"pre-existing" with pre-merge proof: the failure reproduced on the
PR's pre-merge base commit, or a documented known-failure record predating the
PR. Current-master (post-merge) reproduction is explicitly rejected as
sufficient baseline proof.

- premerge_baseline_proof.py: assess_premerge_baseline_proof + labels
- final_report_validator.py: reviewer.premerge_baseline_proof rule on
  review_pr and reconcile_already_landed tasks
- skills/llm-project-workflow/templates/review-pr.md: baseline proof section
  requiring base commit, tested commit, command, exit status, failure signature
- tests/test_premerge_baseline_proof.py: reject current-master-only proof,
  accept pre-merge base proof and documented known-failure records

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 23:04:44 -04:00
sysadmin 565363d5f4 docs: define bootstrap review path for self-hosted MCP fixes (Closes #557)
Document the narrow controller-authorized path for landing MCP workflow
fixes when live daemons cannot canonically review themselves, with
required audits, allowed/forbidden actions, and post-land restart steps.
2026-07-08 22:36:10 -04:00
sysadmin 9a2e585a9e Merge pull request 'feat: enforce reconciler PR-close proof fields in final reports (Closes #306)' (#423) from feat/issue-306-reconciler-close-proof into master 2026-07-08 21:32:32 -05:00
sysadmin 81822da04d Merge pull request 'feat: add controller issue-acceptance gate (Closes #500)' (#504) from feat/issue-500-controller-issue-acceptance-gate into master 2026-07-08 21:29:05 -05:00
sysadmin 826d632173 Merge pull request 'feat: require exact per-mutation capability proof in reviewer reports (Closes #405)' (#418) from feat/issue-405-mutation-capability-proof into master 2026-07-08 21:13:08 -05:00
sysadmin 08bcc03f17 fix: return structured conflict-fix push assessment errors (Closes #519)
Resolve PR via pulls API before fetching lease comments so
gitea_assess_conflict_fix_push fails closed with actionable reasons
instead of surfacing HTTP 500 when Gitea returns not-found errors.

Add regression tests and document assessment-failure handoff in work-issue.
2026-07-08 22:07:59 -04:00
sysadminandClaude Opus 4.8 fd2bc018ff fix: guard remote/repo mismatch vs local git remote (Closes #530)
Bare remote=prgs resolved to the hardcoded REMOTES default
Scaled-Tech-Consulting/Timesheet instead of the Gitea-Tools repository
the local git remote points at, causing false 404s and risking mutation
of a different repository.

Add remote_repo_guard.assess_remote_repo_match (pure) + formatter, wired
into gitea_mcp_server._resolve so every read/lookup/mutation tool fails
closed when the MCP-resolved org/repo disagrees with the local git remote
URL and the caller did not pass explicit org/repo. The guard is
best-effort: it skips when both org and repo are explicit, when the local
remote URL is unavailable, and is bypassed under pytest unless
GITEA_FORCE_REMOTE_REPO_CHECK is set.

Add tests/test_remote_repo_guard.py (pure-function cases + server wiring
proving a lookup tool cannot silently query a different repository), and
update author/reviewer/merger handoff templates to require explicit
remote/org/repo.

Closes #530

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 15:49:31 -04:00
sysadminandClaude Opus 4.8 ea51b0196a feat: require MCP-native post-merge cleanup proof (Closes #517)
Add mcp_native_cleanup_proof verifier that blocks raw git branch deletion and
raw API comment deletion scripts as cleanup proof, requires authorized
reconciler MCP tools in cleanup mutation ledgers, and separates merge from
cleanup mutations in controller handoffs.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 12:54:37 -04:00
sysadmin cc63ab74e6 Merge pull request 'feat: add worktree cleanup audit integrity (Closes #404)' (#417) from feat/issue-404-worktree-cleanup-audit into master 2026-07-08 11:51:06 -05:00
sysadmin cfce823dd7 Merge pull request 'feat: guarded merger lease adoption flow (#536)' (#538) from feat/issue-536-merger-lease-adoption into master 2026-07-08 10:47:51 -05:00
sysadmin e27b6ddefb feat: add worktree cleanup audit integrity (Closes #404)
Reconcile before/after branches/ snapshots so preserved worktrees cannot
disappear without removal logs or explained state transitions.

- worktree_cleanup_audit.py: snapshot capture, disposition reconciliation
- gitea_capture_branches_worktree_snapshot, gitea_assess_worktree_cleanup_integrity
- Final-report rule author.worktree_cleanup_audit_proof
- worktree-cleanup.md bulk audit section
- tests/test_worktree_cleanup_audit.py (11 cases)
2026-07-08 11:15:55 -04:00
sysadminandClaude Opus 4.8 3d540f6fba feat: add workflow-load session boundary proof (Closes #403)
Extend the review workflow load gate with pre-review command classification,
boundary violation tracking, and structured helper-result requirements in
final reports. Adds gitea_record_pre_review_command MCP tool.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 11:13:43 -04:00
sysadmin 0b62d4e06a Merge pull request 'feat: add session-owned worktree cleanup audit and TTL enforcement (Closes #401)' (#492) from feat/issue-401-worktree-cleanup-ttl into master 2026-07-08 10:11:15 -05:00
sysadminandClaude Opus 4.8 7d5c7df82f fix: resolve conflicts for PR #418
Merge prgs/master into feat/issue-405-mutation-capability-proof and keep
both reviewer mutation-capability proof and post-merge cleanup proof rules.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 11:06:03 -04:00
sysadmin 08ea214526 feat: guarded merger lease adoption flow (#536)
Replace manual in-process _SESSION_LEASE seeding with an auditable
gitea_adopt_merger_pr_lease tool that posts durable adoption proof and
records sanctioned session provenance. Mutation gates now reject bare
record_session_lease calls without provenance from acquire/adopt/heartbeat.

Closes #536
2026-07-08 11:03:56 -04:00
sysadmin 6b45212659 Merge pull request 'feat: keep reconciliation audits read-only unless cleanup authorized (Closes #419)' (#421) from feat/issue-419-audit-readonly-mode into master 2026-07-08 04:16:45 -05:00
sysadmin 4d24c34548 Merge pull request 'feat: require post-merge cleanup safety-gate proof in reviewer reports (Closes #402)' (#415) from feat/issue-402-post-merge-cleanup-proof into master 2026-07-08 03:13:43 -05:00
sysadminandClaude Opus 4.8 182fcbf598 fix: resolve conflicts for PR #421
Merge prgs/master; keep audit-readonly gate (#419) and explicit delete_branch
preflight task binding from master.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 04:08:07 -04:00
sysadminandClaude Opus 4.8 33d01ba65e feat: add controller issue-acceptance gate (Closes #500)
Add issue_acceptance_gate validation for Controller Issue Acceptance
comments, final-report rules blocking merge-only issue completion claims,
documentation/templates, and regression tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:27:37 -04:00
sysadmin 48cf3a334b Merge pull request 'feat: require validation cwd and HEAD proof in reviewer reports (Closes #398)' (#411) from feat/issue-398-validation-cwd-proof into master 2026-07-08 02:09:11 -05:00
sysadminandClaude Opus 4.8 cedf451a2b feat: add session-owned worktree cleanup audit and TTL enforcement (Closes #401)
Stale worktrees accumulate under branches/ when runs stop early, race a
sibling session, hit a validation failure, or lose cwd state, making later
workflow decisions harder and riskier.

Changes:
- worktree_cleanup_audit.py — ownership metadata, safety-first classifier
  (active_open_pr, active_issue_work, dirty_local_worktree,
  clean_stale_removable, detached_review_leftover, unsafe_unknown), TTL
  expiry, per-worktree removal proof, and success-completion cleanup plan.
  Only clean_stale_removable and detached_review_leftover are removable;
  dirty/PR/leased/protected/unknown worktrees are never auto-deleted.
- gitea_audit_worktree_cleanup — read-only MCP tool that classifies every
  branches/ entry, fetches live open-PR heads (fails closed if unavailable),
  and returns counts, removable candidates, and git worktree list proof.
- work-issue.md 22A + review-merge-pr.md 28 — cleanup/TTL workflow rules.
- tests/test_worktree_cleanup_audit.py — 30 cases covering all nine
  acceptance scenarios plus inference, metadata, TTL, and report accuracy.

Validation:
  /Users/jasonwalker/Development/Gitea-Tools/venv/bin/python \
    -m unittest tests.test_worktree_cleanup_audit tests.test_merged_cleanup_reconcile -q
  38 passed.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 02:40:15 -04:00
sysadminandClaude Opus 4.8 0cbd1fc801 feat: add first-class stacked PR support to author workflow (#484)
Normal author work is unchanged: gitea_lock_issue still requires the worktree
to be base-equivalent to master/main/dev, and gitea_create_pr still targets a
normal base branch. A *stacked* PR (based on another unmerged PR's branch) is a
new explicit, proof-backed path — it never bypasses the issue lock.

- stacked_pr_support.py: pure policy. Approve a non-master base only when it is
  declared AND owned by a live OPEN PR whose number matches; reject arbitrary,
  mismatched, or stale (merged/closed) branches; require the PR body to document
  the stack (base branch, stacked-on PR, merge ordering).
- issue_lock_worktree.py: read_worktree_git_state / _find_matching_base_ref gain
  an opt-in extra_bases arg so an approved stacked base can anchor
  base-equivalence in addition to master/main/dev (empty by default = unchanged).
- gitea_mcp_server.py:
  - gitea_lock_issue gains stacked_base_branch + stacked_base_pr. When declared,
    it verifies the open PR owns the branch, anchors base-equivalence to it, and
    records approved_stacked_base = {branch, pr_number, verified_open} on the lock.
  - gitea_create_pr validates a non-master base against the lock's approved
    stacked base, re-checks the dependency PR is still open, and enforces the
    stacked-PR body fields. Master-based path untouched.
- Docs: llm-workflow-runbooks.md and work-issue.md document when stacked PRs are
  allowed and the required PR-body wording.

Tests: test_stacked_pr_support.py (18 policy cases), stacked base-equivalence in
test_issue_lock_worktree.py, approved_stacked_base persistence round-trip in
test_issue_lock_store.py. Existing lock/create_pr regressions still pass.

The #482 -> #479/#478 case motivates this: create_pr previously could not open a
stacked PR because the lock required a master-equivalent worktree.

Closes #484.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 02:22:54 -04:00
sysadmin 673cb77004 fix: resolve conflicts for PR #418 2026-07-08 02:20:04 -04:00
sysadmin d6b1e4be3c fix: resolve conflicts for PR #415 2026-07-08 02:20:04 -04:00
sysadmin 28f0f84de8 fix: resolve conflicts for PR #411 2026-07-08 02:20:04 -04:00
sysadmin 7af73e1539 Merge pull request 'feat: add precise validation status vocabulary for reviewer reports (Closes #406)' (#412) from feat/issue-406-validation-status-vocabulary into master 2026-07-08 00:48:04 -05:00
sysadmin ae0478bf54 Merge pull request 'feat: add conflict-fix leases and stale-head protection (Closes #399)' (#416) from feat/issue-399-conflict-fix-leases into master 2026-07-08 00:34:20 -05:00
sysadminandClaude Opus 4.8 89582a0f2a feat: require approval at current PR head for merge (#471)
Add merge_approval_gate assessment so gitea_merge_pr fails closed when
visible APPROVED reviews do not pin the live head SHA. Expose
approval_at_current_head and stale_approval_block_reason in review
feedback. Document re-review requirement in canonical merge workflow.

Closes #471.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 00:37:54 -04:00
sysadmin 55b3658d93 fix: resolve conflicts for PR #416
Merge current prgs/master into feat/issue-399-conflict-fix-leases.
Preserve reviewer PR lease gate (#407) before conflict-fix stale-head
gate (#399); document both as §26B and §26C. Align MCP and validator
tests with mandatory expected_head_sha and stale-head proof fields.
2026-07-07 17:38:45 -04:00
sysadmin ddaf380db2 feat: gate reconciliation audit mode from unauthorized cleanup (Closes #419)
Add audit vs cleanup phase tracking so reconciliation audits stay read-only
unless cleanup is explicitly authorized with delete capability proof, safety
proof, and before/after snapshots. Block gitea_delete_branch and merged-cleanup
execution during audit phase, validate final reports for false no-mutations
claims, and document the boundary in the reconcile-landed-pr workflow.
2026-07-07 17:20:36 -04:00
sysadminandClaude Opus 4.8 66d37dd3cb feat: require exact per-mutation capability proof in reviewer reports (Closes #405)
Adds mutation-capability table validation so review_pr cannot authorize
merge or delete mutations without their own exact capability rows.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 17:20:01 -04:00
sysadminandClaude Opus 4.8 d5dc9f2708 feat: require post-merge cleanup safety-gate proof in reviewer reports (Closes #402)
Adds post_merge_cleanup_proof validation so cleanup claims must carry the
branch deletion and worktree removal checklists, or report CLEANUP_SKIPPED
with an exact blocker.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 17:19:37 -04:00
sysadminandClaude Opus 4.8 06c2069234 feat: add per-PR reviewer leases for parallel review (Closes #407)
Structured PR-thread leases with acquire/heartbeat MCP tools and
mutation-time enforcement so reviewers cannot race the same PR queue.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 17:16:06 -04:00
sysadmin cc4741a4ce Merge pull request 'feat: block manual issue-lock seeding and require lock disclosure (Closes #447)' (#463) from feat/issue-447-lock-provenance into master 2026-07-07 15:46:09 -05:00
sysadminandClaude Opus 4.8 795f544047 feat: block manual issue-lock seeding and require lock disclosure (#447)
Add lock_provenance metadata on gitea_lock_issue writes and fail closed at
gitea_create_pr when provenance is missing. Final-report validation now
requires explicit External-state mutations disclosure for issue-lock
read/write/delete and blocks mixed author PR creation with reviewer approval.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 16:18:42 -04:00
sysadminandClaude Opus 4.8 1320a55a7e feat: require validation cwd and HEAD proof in reviewer reports (Closes #398)
Rebased onto current prgs/master; merged with #396 validation failure
history by keeping both validator rules and workflow handoff fields.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 13:09:58 -04:00
sysadminandClaude Opus 4.8 cf057d7829 feat: move duplicate-work detection before author mutations (Closes #400)
Extract issue_work_duplicate_gate for open PR, remote branch, and active
claim checks; wire it into lock_issue, commit_files recheck, and create_pr
recheck. Add gitea_assess_work_issue_duplicate read-only preflight, work-issue
report outcome validation, and workflow section 10A.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 13:08:21 -04:00
sysadmin 87beb44394 feat: add conflict-fix leases and stale-head protection (Closes #399)
Introduce structured PR work leases so author conflict-fix pushes cannot
race reviewer validation, approval, or merge on a moving head SHA.

- pr_work_lease.py: parse/acquire leases, push and reviewer mutation gates
- gitea_acquire_conflict_fix_lease, gitea_assess_conflict_fix_push MCP tools
- Enforce reviewed head SHA on mark_final_review_decision, submit_pr_review, merge_pr
- Final-report rules and workflow sections 20A / 26B
- tests/test_pr_work_lease.py (14 cases)
2026-07-07 13:06:07 -04:00
sysadminandClaude Opus 4.8 b9e5cd0f57 feat: enforce reconciler PR-close proof fields in final reports (Closes #306)
Closes #306.

The dedicated reconciler close path (profile, gated close tool, ancestor
proof, tests) already shipped across #301/#304/#309/#310, but the
final-report validator did not require a reconciler close to prove itself.
A handoff could report `PRs closed: #N` while omitting the close
capability, ancestor proof, or linked-issue result and still grade A.

This adds the missing report-time enforcement.

Changes:
- final_report_validator.py — new `reconcile.close_proof_fields` rule
  (`_rule_reconcile_close_proof`). Fires only when a PR close is reported
  (via the `PRs closed` field or a `reconciler_close_lock`), then blocks
  unless the handoff carries close capability proof (gitea.pr.close),
  ancestor proof, PR close result, and linked-issue result. Comment-only
  and blocked reconciliations are unaffected. New optional
  `reconciler_close_lock` kwarg on `assess_final_report_validator`.
- tests/test_final_report_validator.py — TestReconcilerCloseProof (6 cases):
  full-proof close passes; missing capability / ancestor / linked-issue
  result each block; session close lock requires proof; comment-only
  needs no close proof.
- reconcile-landed-pr.md — §18A documents the enforced gate.

Validation:

  venv/bin/python -m pytest tests/test_final_report_validator.py \
    tests/test_reconciler_close_gate.py tests/test_already_landed_reconcile.py \
    tests/test_reconcile_already_landed_pr_tool.py \
    tests/test_reconciliation_workflow.py tests/test_review_proofs.py -q

289 passed.

Worktree: branches/issue-306-reconciler-close-proof

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 13:03:23 -04:00
sysadminandClaude Opus 4.8 db032ef93c feat: add precise validation status vocabulary for reviewer reports (Closes #406)
Introduce validation_status_vocabulary with proof-path binding for baseline-
equivalent, merge-simulation-resolved, and transient-pass labels. Wire the
assessor into final_report_validator and document the taxonomy in the
review-merge workflow.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 12:53:55 -04:00
sysadmin 9fde4f3e76 Merge pull request 'feat: require transient validation failure history in reviewer reports (Closes #396)' (#409) from feat/issue-396-transient-validation-failure-history into master 2026-07-07 10:42:56 -05:00
sysadmin 6b5d2ad080 Merge pull request 'feat: require proof-backed claims in reviewer handoff reports (Closes #395)' (#397) from feat/issue-395-proof-backed-review-handoff into master 2026-07-07 10:34:35 -05:00
sysadminandClaude Opus 4.8 71ccbca10f feat: require transient validation failure history in reviewer reports (Closes #396)
Add assess_validation_failure_history_report so reviewer final reports must
document every validation failure observed during a session, not only the
final passing result. Wire the verifier into final_report_validator,
gitea_validate_review_final_report, and the review-merge workflow template.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 11:22:00 -04:00
sysadmin 10e64f6683 fix: resolve conflicts for PR #385
Merge prgs/master; keep work-issue author routing (#139) alongside
reconciler task entries from master (#309/#310).
2026-07-07 10:34:23 -04:00
sysadmin c1d85b621a feat: require proof-backed claims in reviewer handoff reports (Closes #395) 2026-07-07 10:24:54 -04:00
sysadminandClaude Opus 4.8 91c67930ec feat: add PR-only queue cleanup mode with per-PR dispatch gates (Closes #390)
Adds canonical pr-queue-cleanup workflow, report verifier, reviewer-only task
routing, and runbook guidance so operators can drain open PRs one canonical
review at a time with fail-closed boundaries on batching and unauthorized merges.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 10:02:49 -04:00
sysadmin d66d465e31 fix: resolve conflicts for PR #385
Merge prgs/master and keep work-issue author routing (#139) alongside
reconciler close task routing (#309).
2026-07-07 09:58:45 -04:00
sysadminandClaude Opus 4.8 c260ef15fb feat: register work-issue task routing for role-aware MCP (#139)
- Map work_issue/work-issue to author role and gitea.pr.create in resolver
- Route work-issue sessions through role_session_router before mutations
- Expose work_issue in runtime context task capabilities
- Add work-issue workflow source verifier and canonical routing docs
- Tests for resolver, router, and final-report verifier

Closes #139

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 09:30:38 -04:00
sysadminandClaude Opus 4.8 852ac1f56b feat: comment-then-stop policy for partial PR reconciliation (Closes #302)
Already-landed PR reconciliation could prove a PR should be closed but
stop silently when gitea.pr.close was unavailable, even with comment
capability present. Adopt Option B (comment-then-stop) as the durable
policy and enforce it:

- resolve_partial_reconciliation_plan maps proven capabilities to one
  of four outcomes: FULL_RECONCILE_CLOSE_ALLOWED (close_pr proven),
  PARTIAL_RECONCILE_COMMENT_THEN_STOP (comment_pr proven, close_pr
  missing; one reconciliation comment with PR head SHA, target branch
  SHA, ancestor proof, linked issue status, and the missing capability,
  then stop), RECOVERY_HANDOFF_ONLY (no comment capability; no Gitea
  mutation), and GATE_NOT_PROVEN (no ancestry proof; no mutation
  regardless of capability). Missing capability dicts fail closed.
- assess_partial_reconciliation_report requires final reports to
  explain why the comment was or was not posted, name the missing
  capability, and state the close result or that no mutation ran.
- workflows/reconcile-landed-pr.md gains section 12A documenting the
  policy; the workflow contract test locks the new markers.

Tests cover close capability present, close missing with comment
allowed, comment capability missing, all capabilities missing,
unproven ancestry, fail-closed capability dict, and report checks for
each outcome.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 05:47:16 -04:00
sysadmin 6c653ce32a feat: add queue-status report verifier for reviewer handoffs (#339)
Add assess_queue_status_report and assess_proof_wording to reject
contradictory queue-status-only reports: passed gates without a selected
PR, prior diagnostic conflict proof, pagination assumptions, and
blocker contradictions. Wire into build_final_report and document the
queue-status-only schema path.

Closes #339
2026-07-07 04:57:50 -04:00