Reviewer final reports must not claim proof-sensitive workflow steps
unless each claim carries explicit command/tool evidence or structured
MCP result metadata:
- New reviewer_proof_backed_claims.py verifier covering the five claim
families from the issue: inventory completeness (explicit pagination
metadata required; page-size assumptions rejected), earlier-PR skips
(per-PR command/tool or structured mergeability/blocker evidence),
baseline validation (worktree path, target SHA, dirty-before, exact
command, exact result, dirty-after), master integration (exact
merge/rebase/simulation command), and cleanup (final git worktree
list proof).
- PROOF_PROVENANCE_CLASSES constant distinguishes command actually run,
MCP metadata, inherited from previous blocker state, and not checked.
- Re-export from review_proofs and wire into build_final_report as a
downgrade check with proof_backed_claims_proven/violations fields.
- New workflow section 30A documents the rule; contract test locks the
marker and an export test locks the re-export.
- 13 tests in tests/test_reviewer_proof_backed_claims.py covering the
required scenarios: baseline claim without command, skipped-PR claim
without evidence, inventory-complete from page-size assumption only,
cleanup without final worktree proof, and a fully proof-backed report
passing.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Superset of the initial test slice: adds capability-map and router
routing cases (reviewer-role enforcement, author wrong_role_stop), the
full terminal-chain matrix (comment/skip stop, gates-failed stop, merge
completed/blocker stop, unknown-decision fail-closed), and report
verifier cases for two terminal mutations, missing next-suggested-PR,
branch mutations, and missing workflow citation.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Adds canonical pr-queue-cleanup workflow, report verifier, reviewer-only task
routing, and runbook guidance so operators can drain open PRs one canonical
review at a time with fail-closed boundaries on batching and unauthorized merges.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
The canonical PR review/merge workflow already lives in
skills/llm-project-workflow/workflows/review-merge-pr.md and is exposed
through mcp_list_project_skills / mcp_get_skill_guide (#333-#335), and
its final-report schema already demands a workflow version. What was
missing is enforcement: add compute_workflow_hash (short sha256
version hash of workflow text) and assess_review_workflow_source to
review_proofs. Review reports must cite the canonical workflow file
and carry a populated Workflow version field; when the current
canonical hash is supplied, a mismatched citation fails as a stale
workflow copy, directing the agent to reload via mcp_get_skill_guide.
Fails closed. Tests cover hash determinism and content sensitivity,
matching-hash pass, missing citation, missing version field, stale
hash, version none, and offline validation without a canonical hash.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>