Commit Graph
100 Commits
Author SHA1 Message Date
sysadmin f6b2adac4d Merge pull request 'feat: discover non-canonical worktrees by branch matching (Closes #528)' (#568) from feat/issue-528-reconcile-worktree-naming into master 2026-07-08 22:03:44 -05:00
sysadmin 719de6fb7a Merge pull request 'fix: resolve broken ISSUE_LOCK_FILE import in webui/lease_loader.py (Closes #569)' (#570) from feat/issue-569-fix-webui-import into master 2026-07-08 21:59:03 -05:00
sysadmin 0ee89fe347 fix: resolve broken ISSUE_LOCK_FILE import in webui/lease_loader.py (Closes #569) 2026-07-08 22:56:55 -04:00
sysadmin 7a0de4a8e9 feat: discover non-canonical worktrees by branch matching (Closes #528) 2026-07-08 22:53:34 -04:00
sysadmin 4bcdd350f6 Merge pull request 'docs: define bootstrap review path for self-hosted MCP fixes (Closes #557)' (#564) from docs/issue-557-bootstrap-review-path into master 2026-07-08 21:52:43 -05:00
sysadmin 565363d5f4 docs: define bootstrap review path for self-hosted MCP fixes (Closes #557)
Document the narrow controller-authorized path for landing MCP workflow
fixes when live daemons cannot canonically review themselves, with
required audits, allowed/forbidden actions, and post-land restart steps.
2026-07-08 22:36:10 -04:00
sysadmin 9a2e585a9e Merge pull request 'feat: enforce reconciler PR-close proof fields in final reports (Closes #306)' (#423) from feat/issue-306-reconciler-close-proof into master 2026-07-08 21:32:32 -05:00
sysadmin 81822da04d Merge pull request 'feat: add controller issue-acceptance gate (Closes #500)' (#504) from feat/issue-500-controller-issue-acceptance-gate into master 2026-07-08 21:29:05 -05:00
sysadmin b7e0c537f3 Merge pull request 'feat: persist MCP workflow proof and decision lock across daemons (Closes #559)' (#562) from feat/issue-559-durable-session-state into master 2026-07-08 21:26:57 -05:00
sysadmin 2a3d30fb3a feat: persist MCP workflow proof and decision lock across daemons (Closes #559)
Share review-workflow-load and review-decision-lock state across MCP
daemon process pools via a user-private durable store keyed by profile
identity (not host-global /tmp), with TTL and fail-closed profile checks.
2026-07-08 22:22:34 -04:00
sysadmin 1ffa911dbc Merge pull request 'feat: add lease and collision visibility to web UI (Closes #433)' (#454) from feat/issue-433-lease-visibility into master 2026-07-08 21:22:21 -05:00
sysadmin 5ad764b359 Merge pull request 'Detect stale MCP runtime before mutation tools execute' (#545) from fix/issue-531-mcp-eof-defect into master 2026-07-08 21:20:16 -05:00
sysadmin 0e791325f8 feat: add canonical run-tests runner (Closes #473)
Merge PR #476 — root-level run-tests.sh full-validation runner (Closes #473).
2026-07-08 21:16:06 -05:00
sysadmin 826d632173 Merge pull request 'feat: require exact per-mutation capability proof in reviewer reports (Closes #405)' (#418) from feat/issue-405-mutation-capability-proof into master 2026-07-08 21:13:08 -05:00
sysadmin 9d86fc44e4 fix: return structured conflict-fix push assessment errors (Closes #519)
Merge PR #520 — structured conflict-fix push assessment errors (Closes #519).
2026-07-08 21:11:29 -05:00
sysadmin 8db26c9a15 fix: preserve actual reconciler role for comment_issue preflight (Closes #540)
Merge PR #541 — preserve actual reconciler role for #274/#475 exemptions during comment_issue preflight (Closes #540).
2026-07-08 21:09:33 -05:00
sysadmin ae9ed8a908 fix: bind issue comments to explicit worktree path (Closes #560)
Merge PR #561 — bind issue comments to explicit worktree path (Closes #560).
2026-07-08 21:09:01 -05:00
sysadmin f1449ff5c8 fix: isolate #519 PR lookup from shared lease comment listing
Keep _fetch_pr_lease_comments_safe for gitea_assess_conflict_fix_push
only. Restore _list_pr_lease_comments to a single comments GET so merge
approval feedback and #485 non-list handling keep stable API call order.

Closes #519
2026-07-08 22:07:59 -04:00
sysadmin 08bcc03f17 fix: return structured conflict-fix push assessment errors (Closes #519)
Resolve PR via pulls API before fetching lease comments so
gitea_assess_conflict_fix_push fails closed with actionable reasons
instead of surfacing HTTP 500 when Gitea returns not-found errors.

Add regression tests and document assessment-failure handoff in work-issue.
2026-07-08 22:07:59 -04:00
sysadmin 6e589e73ea fix: guard remote/repo mismatch vs local git remote (Closes #530)
Merge PR #555 — remote/repo mismatch guard vs local git remote (Closes #530).
2026-07-08 21:07:02 -05:00
sysadmin 8c171fb47b Merge pull request 'feat: add root MCP operator shell menu (#478)' (#479) from feat/issue-478-mcp-menu-shell into master 2026-07-08 21:04:35 -05:00
sysadmin 18e7d7b6e1 Merge pull request 'fix: remove duplicate verify_preflight_purity in gitea_adopt_merger_pr_lease (closes #548)' (#550) from issue-548-fix-duplicate-preflight into master 2026-07-08 20:54:40 -05:00
sysadmin bd22135906 fix: bind issue comments to explicit worktree path (Closes #560) 2026-07-08 16:13:34 -04:00
sysadmin 78fce0dbb6 Merge branch 'fix/issue-546-reviewer-deadlock' into master (bootstrap deadlock bypass) 2026-07-08 16:12:32 -04:00
sysadminandClaude Opus 4.8 fd2bc018ff fix: guard remote/repo mismatch vs local git remote (Closes #530)
Bare remote=prgs resolved to the hardcoded REMOTES default
Scaled-Tech-Consulting/Timesheet instead of the Gitea-Tools repository
the local git remote points at, causing false 404s and risking mutation
of a different repository.

Add remote_repo_guard.assess_remote_repo_match (pure) + formatter, wired
into gitea_mcp_server._resolve so every read/lookup/mutation tool fails
closed when the MCP-resolved org/repo disagrees with the local git remote
URL and the caller did not pass explicit org/repo. The guard is
best-effort: it skips when both org and repo are explicit, when the local
remote URL is unavailable, and is bypassed under pytest unless
GITEA_FORCE_REMOTE_REPO_CHECK is set.

Add tests/test_remote_repo_guard.py (pure-function cases + server wiring
proving a lookup tool cannot silently query a different repository), and
update author/reviewer/merger handoff templates to require explicit
remote/org/repo.

Closes #530

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 15:49:31 -04:00
sysadmin 535da1bc5a chore: remove trailing extra blank line at EOF in test_mcp_server.py 2026-07-08 15:40:12 -04:00
sysadmin dfbee45309 fix: resolve reviewer preflight capability/lease deadlock and add gitea_release_reviewer_pr_lease tool (closes #546) 2026-07-08 15:29:18 -04:00
sysadmin a4e014e62b fix: remove duplicate verify_preflight_purity in gitea_adopt_merger_pr_lease (#548)
The second direct call after _verify_role_mutation_workspace caused
_clear_preflight_capability_state() to run twice (or between checks),
clearing valid capability/preflight state. This forced temp local
patches during #542/#517 merge/reconcile.

- Remove the redundant verify call (the _verify already performs
  purity verification with correct worktree_path).
- Update test to reflect single invocation path and add explicit
  test proving state preservation, single call, no dupe clear,
  and no need for raw/temp fallbacks.
- Reconciler/controller flows stay fully MCP-native.

Fixes #548
2026-07-08 15:01:48 -04:00
sysadmin eeadb1bbea Merge pull request 'feat: require MCP-native post-merge cleanup proof (Closes #517)' (#542) from feat/issue-517-mcp-native-cleanup into master 2026-07-08 13:08:51 -05:00
sysadmin c64809134f Detect stale MCP runtime before mutation tools execute 2026-07-08 13:43:50 -04:00
sysadminandClaude Opus 4.8 749ca04388 fix: scope MCP cleanup proof to mutation ledgers (#517)
Raw branch/comment delete detection now scans only Cleanup mutations,
Git ref mutations, and Worktree mutations ledger fields so narrative
§28B citations and validation notes no longer false-positive.

Authorized cleanup tool proof also applies when cleanup is claimed under
Git ref or Worktree mutation ledgers while Cleanup mutations is none.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 13:43:39 -04:00
sysadminandClaude Opus 4.8 ea51b0196a feat: require MCP-native post-merge cleanup proof (Closes #517)
Add mcp_native_cleanup_proof verifier that blocks raw git branch deletion and
raw API comment deletion scripts as cleanup proof, requires authorized
reconciler MCP tools in cleanup mutation ledgers, and separates merge from
cleanup mutations in controller handoffs.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 12:54:37 -04:00
sysadmin cc63ab74e6 Merge pull request 'feat: add worktree cleanup audit integrity (Closes #404)' (#417) from feat/issue-404-worktree-cleanup-audit into master 2026-07-08 11:51:06 -05:00
sysadminandClaude Opus 4.8 9438855fdd fix: preserve actual reconciler role for #274/#475 role exemptions during comment_issue preflight (Closes #540)
resolve_task_capability("comment_issue") stamps _preflight_resolved_role
= "author" because comment_issue.required_role_kind = author.
_effective_workspace_role() prefers that stamp, so a genuine
prgs-reconciler session was classified as an author inside the #274
branch-only mutation guard and the #475 root checkout guard, blocking
gitea_create_issue_comment from the control checkout.

Fix keys the role exemptions off the actual active profile role as well
as the effective workspace role:

- Add _actual_profile_role(): derives the workspace role from the active
  profile alone, never from _preflight_resolved_role.
- _enforce_branches_only_author_mutation: exempt when EITHER the
  effective role OR the actual profile role is a non-author role.
- _enforce_root_checkout_guard: pass actual_role; assess_root_checkout_guard
  now exempts a reconciler by resolved OR actual role.

Author blocking is preserved: an actual author profile classifies as
author in both signals, so it stays blocked on a contaminated control
checkout. Merger strictness stays keyed on the resolved task role so a
merger operating from its clean branches/ workspace under a non-merge
task is not over-tightened.

Regression tests (tests/test_issue_540_comment_role_poison.py) cover the
reconciler comment path, author-blocking path, reviewer/merger/reconciler
role classification under a poisoned author stamp, and the root guard
actual_role exemption.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 12:03:14 -04:00
sysadmin cfce823dd7 Merge pull request 'feat: guarded merger lease adoption flow (#536)' (#538) from feat/issue-536-merger-lease-adoption into master 2026-07-08 10:47:51 -05:00
sysadmin 7231f27c1c Merge pull request 'feat: add workflow-load session boundary proof (Closes #403)' (#422) from feat/issue-403-workflow-load-boundaries into master 2026-07-08 10:42:49 -05:00
sysadmin e27b6ddefb feat: add worktree cleanup audit integrity (Closes #404)
Reconcile before/after branches/ snapshots so preserved worktrees cannot
disappear without removal logs or explained state transitions.

- worktree_cleanup_audit.py: snapshot capture, disposition reconciliation
- gitea_capture_branches_worktree_snapshot, gitea_assess_worktree_cleanup_integrity
- Final-report rule author.worktree_cleanup_audit_proof
- worktree-cleanup.md bulk audit section
- tests/test_worktree_cleanup_audit.py (11 cases)
2026-07-08 11:15:55 -04:00
sysadmin cefebd7643 test: seed review workflow load and pass expected_head_sha in legacy test fixtures 2026-07-08 11:14:06 -04:00
sysadminandClaude Opus 4.8 3d540f6fba feat: add workflow-load session boundary proof (Closes #403)
Extend the review workflow load gate with pre-review command classification,
boundary violation tracking, and structured helper-result requirements in
final reports. Adds gitea_record_pre_review_command MCP tool.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 11:13:43 -04:00
sysadmin 2bb45c0f80 Merge pull request 'feat: add root checkout guard for contaminated control checkout (Closes #475)' (#488) from feat/issue-475-root-checkout-guard into master 2026-07-08 10:12:52 -05:00
sysadmin 0b62d4e06a Merge pull request 'feat: add session-owned worktree cleanup audit and TTL enforcement (Closes #401)' (#492) from feat/issue-401-worktree-cleanup-ttl into master 2026-07-08 10:11:15 -05:00
sysadminandClaude Opus 4.8 7d5c7df82f fix: resolve conflicts for PR #418
Merge prgs/master into feat/issue-405-mutation-capability-proof and keep
both reviewer mutation-capability proof and post-merge cleanup proof rules.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 11:06:03 -04:00
sysadmin 08ea214526 feat: guarded merger lease adoption flow (#536)
Replace manual in-process _SESSION_LEASE seeding with an auditable
gitea_adopt_merger_pr_lease tool that posts durable adoption proof and
records sanctioned session provenance. Mutation gates now reject bare
record_session_lease calls without provenance from acquire/adopt/heartbeat.

Closes #536
2026-07-08 11:03:56 -04:00
sysadmin 6b45212659 Merge pull request 'feat: keep reconciliation audits read-only unless cleanup authorized (Closes #419)' (#421) from feat/issue-419-audit-readonly-mode into master 2026-07-08 04:16:45 -05:00
sysadmin ccdff1df27 Merge pull request 'Require canonical workflow load proof for reviewer mutations' (#493) from feat/issue-389-review-workflow-load-proof into master 2026-07-08 04:16:19 -05:00
sysadmin af938064cd Merge pull request 'feat: add safe post-merge moot lease cleanup for already-merged PRs (Closes #515)' (#527) from feat/issue-515-post-merge-moot-lease into master 2026-07-08 04:02:23 -05:00
sysadminandClaude Opus 4.8 2faf18a802 feat: add safe post-merge moot lease cleanup for already-merged PRs (Closes #515)
Refuse merge-oriented reviewer-lease acquisition/adoption on an already
merged/closed PR, and add a read-first cleanup path for a lingering moot lease.

- reviewer_pr_lease.assess_acquire_lease: new pr_merged_or_closed flag; fail
  closed with a post_merge_moot reason and no lease body when the PR already
  merged/closed.
- reviewer_pr_lease.assess_post_merge_moot_lease: pure assessment. Only treats a
  lease as moot when the PR is merged/closed; never proposes touching an active
  lease on an open PR; provides a terminal phase:released (blocker:
  post-merge-moot) body to neutralise the moot lease append-only; idempotent
  once the released marker is the newest entry.
- gitea_acquire_reviewer_pr_lease: fetch live PR state, pass the flag, surface
  post_merge_moot on refusal (no comment posted).
- gitea_cleanup_post_merge_moot_lease: new read-first tool. Reports merged
  state, merge_commit_sha, linked-issue closure, lease-moot, cleanup
  performed/skipped, and no_merge_or_adoption. apply=True posts the released
  marker only when merged/closed with an active lease; refuses on open PRs.
- tests/test_post_merge_moot_lease.py: 10 tests covering acquire refusal on
  merged PR (no post), safe/idempotent cleanup, and open-PR foreign-lease
  protection.

No relaxation of #407 reviewer-lease or #16 gated-merge gates for open PRs.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 04:51:10 -04:00
sysadmin 236c8b779f Merge pull request 'fix: register gitea_lock_issue as MCP tool (Closes #521)' (#526) from feat/issue-521-lock-issue-registration into master 2026-07-08 03:50:24 -05:00
sysadmin 564fee9639 Merge branch 'prgs/master' into feat/issue-389-review-workflow-load-proof 2026-07-08 04:44:58 -04:00
sysadmin d56baa635e fix: register gitea_lock_issue as MCP tool (Closes #521)
Move @mcp.tool() from internal _list_open_pulls helper onto
gitea_lock_issue so author sessions can discover and call the
issue lock required by gitea_create_pr.

Add regression tests for MCP registration and create_pr lock flow.
2026-07-08 04:42:35 -04:00
sysadmin c54ac0d4de Merge pull request 'feat: isolate MCP workspace binding across role namespaces (Closes #510)' (#512) from feat/issue-510-workspace-binding-isolation into master 2026-07-08 03:37:17 -05:00
sysadmin 4d24c34548 Merge pull request 'feat: require post-merge cleanup safety-gate proof in reviewer reports (Closes #402)' (#415) from feat/issue-402-post-merge-cleanup-proof into master 2026-07-08 03:13:43 -05:00
sysadminandClaude Opus 4.8 4561d7ad12 fix: resolve conflicts for PR #493
Merge prgs/master; keep review workflow load gate (#389) with explicit
merge_pr preflight task binding.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 04:09:31 -04:00
sysadmin 3d11e1f12b feat: isolate MCP workspace binding across role namespaces (Closes #510)
Namespace-scoped workspace resolution prevents GITEA_AUTHOR_WORKTREE from
poisoning reviewer, merger, and reconciler purity checks. Each role uses
its own worktree env var with actionable binding-source errors and safe
reconnect guidance. Preserves #274/#475 author and control-checkout guards.
2026-07-08 04:08:08 -04:00
sysadminandClaude Opus 4.8 182fcbf598 fix: resolve conflicts for PR #421
Merge prgs/master; keep audit-readonly gate (#419) and explicit delete_branch
preflight task binding from master.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 04:08:07 -04:00
sysadmin ce61e424f6 Merge pull request 'fix: preserve capability preflight across safe reads (Closes #469)' (#502) from fix/issue-469-preflight-read-survival into master 2026-07-08 03:01:48 -05:00
sysadmin f89949cea9 Merge pull request 'fix: exempt reconciler close_pr from branches-only worktree guard (Closes #468)' (#472) from feat/issue-468-reconciler-close-guard into master 2026-07-08 02:48:57 -05:00
sysadmin b3edd53185 Merge pull request 'fix: guard PR/issue comment listing against non-list API payloads (Closes #485)' (#487) from feat/issue-485-lease-comments-non-list-guard into master 2026-07-08 02:46:03 -05:00
sysadmin 9ada4762c5 Merge pull request 'feat: expose explicit adoption proof in gitea_lock_issue response (Closes #477)' (#481) from feat/issue-477-lock-adoption-proof into master 2026-07-08 02:31:47 -05:00
sysadminandClaude Opus 4.8 33d01ba65e feat: add controller issue-acceptance gate (Closes #500)
Add issue_acceptance_gate validation for Controller Issue Acceptance
comments, final-report rules blocking merge-only issue completion claims,
documentation/templates, and regression tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:27:37 -04:00
sysadminandClaude Opus 4.8 3bce0a55fb test: reset preflight globals in read-survival setUp (#469)
Prevents cross-test leakage that masked the missing-capability fail-closed case.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:23:12 -04:00
sysadminandClaude Opus 4.8 afb4ba563c fix: preserve capability preflight across interleaved read-only whoami (#469)
Read-only gitea_whoami calls no longer clear a valid capability proof when
whoami was already verified clean. Capability is consumed on mutation (one
resolve per mutation), and verify_preflight_purity rejects task mismatches.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 03:23:12 -04:00
sysadmin 48cf3a334b Merge pull request 'feat: require validation cwd and HEAD proof in reviewer reports (Closes #398)' (#411) from feat/issue-398-validation-cwd-proof into master 2026-07-08 02:09:11 -05:00
sysadmin 974463163d Merge pull request 'feat: add first-class stacked PR support to author workflow (Closes #484)' (#489) from feat/issue-484-stacked-pr-support into master 2026-07-08 01:41:19 -05:00
sysadminandClaude Opus 4.8 cedf451a2b feat: add session-owned worktree cleanup audit and TTL enforcement (Closes #401)
Stale worktrees accumulate under branches/ when runs stop early, race a
sibling session, hit a validation failure, or lose cwd state, making later
workflow decisions harder and riskier.

Changes:
- worktree_cleanup_audit.py — ownership metadata, safety-first classifier
  (active_open_pr, active_issue_work, dirty_local_worktree,
  clean_stale_removable, detached_review_leftover, unsafe_unknown), TTL
  expiry, per-worktree removal proof, and success-completion cleanup plan.
  Only clean_stale_removable and detached_review_leftover are removable;
  dirty/PR/leased/protected/unknown worktrees are never auto-deleted.
- gitea_audit_worktree_cleanup — read-only MCP tool that classifies every
  branches/ entry, fetches live open-PR heads (fails closed if unavailable),
  and returns counts, removable candidates, and git worktree list proof.
- work-issue.md 22A + review-merge-pr.md 28 — cleanup/TTL workflow rules.
- tests/test_worktree_cleanup_audit.py — 30 cases covering all nine
  acceptance scenarios plus inference, metadata, TTL, and report accuracy.

Validation:
  /Users/jasonwalker/Development/Gitea-Tools/venv/bin/python \
    -m unittest tests.test_worktree_cleanup_audit tests.test_merged_cleanup_reconcile -q
  38 passed.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 02:40:15 -04:00
sysadminandClaude Opus 4.8 be592d6d4d feat: add root checkout guard for contaminated control checkout (Closes #475)
Introduce root_checkout_guard helper and enforce it in verify_preflight_purity
so author, reviewer, and merger mutations fail closed when the stable control
checkout is on the wrong branch, detached, dirty, or diverged from prgs/master.
Isolated branches/... worktrees and reconciler paths remain allowed.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 02:23:27 -04:00
sysadminandClaude Opus 4.8 0cbd1fc801 feat: add first-class stacked PR support to author workflow (#484)
Normal author work is unchanged: gitea_lock_issue still requires the worktree
to be base-equivalent to master/main/dev, and gitea_create_pr still targets a
normal base branch. A *stacked* PR (based on another unmerged PR's branch) is a
new explicit, proof-backed path — it never bypasses the issue lock.

- stacked_pr_support.py: pure policy. Approve a non-master base only when it is
  declared AND owned by a live OPEN PR whose number matches; reject arbitrary,
  mismatched, or stale (merged/closed) branches; require the PR body to document
  the stack (base branch, stacked-on PR, merge ordering).
- issue_lock_worktree.py: read_worktree_git_state / _find_matching_base_ref gain
  an opt-in extra_bases arg so an approved stacked base can anchor
  base-equivalence in addition to master/main/dev (empty by default = unchanged).
- gitea_mcp_server.py:
  - gitea_lock_issue gains stacked_base_branch + stacked_base_pr. When declared,
    it verifies the open PR owns the branch, anchors base-equivalence to it, and
    records approved_stacked_base = {branch, pr_number, verified_open} on the lock.
  - gitea_create_pr validates a non-master base against the lock's approved
    stacked base, re-checks the dependency PR is still open, and enforces the
    stacked-PR body fields. Master-based path untouched.
- Docs: llm-workflow-runbooks.md and work-issue.md document when stacked PRs are
  allowed and the required PR-body wording.

Tests: test_stacked_pr_support.py (18 policy cases), stacked base-equivalence in
test_issue_lock_worktree.py, approved_stacked_base persistence round-trip in
test_issue_lock_store.py. Existing lock/create_pr regressions still pass.

The #482 -> #479/#478 case motivates this: create_pr previously could not open a
stacked PR because the lock required a master-equivalent worktree.

Closes #484.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 02:22:54 -04:00
sysadmin 673cb77004 fix: resolve conflicts for PR #418 2026-07-08 02:20:04 -04:00
sysadmin d6b1e4be3c fix: resolve conflicts for PR #415 2026-07-08 02:20:04 -04:00
sysadmin 28f0f84de8 fix: resolve conflicts for PR #411 2026-07-08 02:20:04 -04:00
sysadmin 685e627984 fix: resolve conflicts for PR #392
Merge prgs/master into feat/issue-389-review-workflow-load-proof and
preserve workflow-load gates while adopting master test harness patterns
(_seed_ready_review_decision, reviewer leases, expected_head_sha).
2026-07-08 02:17:58 -04:00
sysadminandClaude Opus 4.8 08202f7eaa fix: guard PR/issue comment listing against non-list API payloads (Closes #485)
_list_pr_lease_comments and gitea_list_issue_comments now fail safe to an
empty list when the comments API returns a non-list payload (e.g. an error
object), preventing KeyError: slice on the lease and listing paths.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 02:17:37 -04:00
sysadmin 7af73e1539 Merge pull request 'feat: add precise validation status vocabulary for reviewer reports (Closes #406)' (#412) from feat/issue-406-validation-status-vocabulary into master 2026-07-08 00:48:04 -05:00
sysadmin ae0478bf54 Merge pull request 'feat: add conflict-fix leases and stale-head protection (Closes #399)' (#416) from feat/issue-399-conflict-fix-leases into master 2026-07-08 00:34:20 -05:00
sysadmin cc5686b896 Merge pull request 'feat: require approval at current PR head for merge (#471)' (#480) from feat/issue-471-merge-head-approval into master 2026-07-08 00:29:17 -05:00
sysadmin d4dc9aa854 fix: align test mocks with #399 lease gates and head SHA requirements
PR #416 introduced pr_work_lease reviewer blocks and mandatory full
40-hex expected_head_sha on mark/merge paths. Update audit, review,
permission-report, terminal hard-stop, inventory, and schema tests to
patch lease comment fetches, seed ready review decisions, and use
consistent HEAD_SHA constants so the full suite passes again.
2026-07-08 01:26:36 -04:00
sysadminandClaude Opus 4.8 89582a0f2a feat: require approval at current PR head for merge (#471)
Add merge_approval_gate assessment so gitea_merge_pr fails closed when
visible APPROVED reviews do not pin the live head SHA. Expose
approval_at_current_head and stale_approval_block_reason in review
feedback. Document re-review requirement in canonical merge workflow.

Closes #471.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 00:37:54 -04:00
sysadminandClaude Opus 4.8 831183308d feat: add root MCP operator shell menu (#478)
Add ./mcp-menu.sh for safe, read-only onboarding and workflow prompt
discovery. Includes root checkout health, role prompts, onboarding
checklist, Proxmox placeholders, and run-tests fallback. Document in
docs/mcp-menu.md with hermetic tests.

Closes #478.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 00:23:29 -04:00
sysadmin a1de4ab8f9 Merge pull request 'feat: harden issue lock store against concurrent session clobbering (Closes #438)' (#464) from feat/issue-438-lock-hardening into master 2026-07-07 17:37:46 -05:00
sysadmin 3c41d2af5c Merge pull request 'feat: add own-branch lock adoption recovery to gitea_lock_issue (Closes #442)' (#461) from feat/issue-442-lock-adoption into master 2026-07-07 17:16:33 -05:00
sysadminandClaude Opus 4.8 d306c0a5ec feat: harden keyed issue lock store with flock serialization (#438)
Rebase onto master (#443 keyed store) and port #438 hardening: per-issue
fcntl.flock around bind_session_lock, assess_lock_freshness with dead-PID
detection, verify_lock_for_mutation before create_pr, and live lock
inventory for claim visibility.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 18:07:44 -04:00
sysadminandClaude Opus 4.8 85532059e2 fix: use exact issue-number boundary in own-branch adoption (#442)
Replace substring issue-marker matching with a numeric word-boundary
regex so issue-42 adoption is not false-blocked by unrelated issue-420
branches. Add regression tests for the #42 vs #420 collision.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 18:05:19 -04:00
sysadmin 54a75153a9 Merge pull request 'feat: keyed issue-lock store replaces global lock file (Closes #443)' (#465) from feat/issue-443-lock-store into master 2026-07-07 16:57:54 -05:00
sysadmin 5dfc00319f Merge pull request 'feat: align mutation guard with runtime_context workspace resolution (Closes #460)' (#462) from feat/issue-460-workspace-guard-alignment into master 2026-07-07 16:53:07 -05:00
sysadmin f51dc95153 Merge pull request 'feat: harden #274 branches-only guard for gitea_create_issue (Closes #274)' (#449) from feat/issue-274-branches-only-guard-hardening into master 2026-07-07 16:48:00 -05:00
sysadminandClaude Opus 4.8 b15494deb9 feat: add root-level run-tests.sh full-validation runner (Closes #473)
Adds a canonical, discoverable full-validation entry point so sessions stop
guessing between pytest invocations.

- run-tests.sh: executable root runner; runs `venv/bin/python -m pytest "$@"`;
  forwards args; fails closed with a clear setup message when the venv Python
  is missing (no silent wrong-interpreter fallback); set -euo pipefail; no
  network, no Gitea, no lock files.
- docs/developer-testing-guidelines.md: name ./run-tests.sh as the canonical
  full/focused validation command.
- tests/test_run_tests_script.py: contract checks (exists, executable, strict
  bash flags, venv pytest + arg forwarding, fail-closed guard, repo-local, and
  the guide naming the runner).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 17:44:22 -04:00
sysadmin 55b3658d93 fix: resolve conflicts for PR #416
Merge current prgs/master into feat/issue-399-conflict-fix-leases.
Preserve reviewer PR lease gate (#407) before conflict-fix stale-head
gate (#399); document both as §26B and §26C. Align MCP and validator
tests with mandatory expected_head_sha and stale-head proof fields.
2026-07-07 17:38:45 -04:00
sysadminandClaude Opus 4.8 c7b462a034 fix: exempt reconciler close_pr from branches-only worktree guard (#468)
Reconciler profiles perform Gitea metadata mutations (close_pr) and must
not be blocked when the MCP workspace resolves to the stable control
checkout without GITEA_AUTHOR_WORKTREE. Author file mutations remain
guarded. Add regression tests for reconciler close vs author create_issue.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 17:36:33 -04:00
sysadmin 2c47208b0d fix: resolve conflicts for PR #392
Merge current prgs/master into feat/issue-389-review-workflow-load-proof.
Combine workflow-load session proof (#389) with reviewer PR lease test
fixtures from #407 so reviewer mutation gates remain fully tested.
2026-07-07 17:34:41 -04:00
sysadminandClaude Opus 4.8 e956040b6b test: align duplicate-gate and artifact tests with keyed lock store (#443)
Update lock-issue and duplicate-recheck tests to mock branch listing,
use GITEA_ISSUE_LOCK_DIR session binding, and satisfy create_pr
provenance/worktree guards after the keyed persistent lock store landed.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 17:30:50 -04:00
sysadmin 43a17a7e8e resolve conflicts for PR #465 2026-07-07 17:30:35 -04:00
sysadminandClaude Opus 4.8 d042a9ca24 feat: replace global issue lock with keyed persistent store (Closes #443)
Store per remote/org/repo/issue locks under GITEA_ISSUE_LOCK_DIR with
atomic writes and per-session binding. Integrate own-branch adoption for
lock recovery, update worktree-start and cleanup reconcile, and add tests
documenting the ban on manual global lock seeding.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 17:30:35 -04:00
sysadmin f061fee18d Merge pull request 'feat: add per-PR reviewer leases for parallel review (Closes #407)' (#424) from feat/issue-407-reviewer-pr-leases into master 2026-07-07 16:27:19 -05:00
sysadmin 551ee7d70c fix: resolve conflicts for PR #421 2026-07-07 17:20:53 -04:00
sysadmin ddaf380db2 feat: gate reconciliation audit mode from unauthorized cleanup (Closes #419)
Add audit vs cleanup phase tracking so reconciliation audits stay read-only
unless cleanup is explicitly authorized with delete capability proof, safety
proof, and before/after snapshots. Block gitea_delete_branch and merged-cleanup
execution during audit phase, validate final reports for false no-mutations
claims, and document the boundary in the reconcile-landed-pr workflow.
2026-07-07 17:20:36 -04:00
sysadmin 8b551c565f fix: resolve conflicts for PR #418 2026-07-07 17:20:10 -04:00
sysadminandClaude Opus 4.8 66d37dd3cb feat: require exact per-mutation capability proof in reviewer reports (Closes #405)
Adds mutation-capability table validation so review_pr cannot authorize
merge or delete mutations without their own exact capability rows.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 17:20:01 -04:00
sysadminandClaude Opus 4.8 44a7c62dc3 fix: resolve conflicts for PR #415
Rebase onto current prgs/master and fix cleanup-mutations regex so
"Cleanup mutations: none" does not false-positive the proof checklist.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 17:19:37 -04:00
sysadminandClaude Opus 4.8 d5dc9f2708 feat: require post-merge cleanup safety-gate proof in reviewer reports (Closes #402)
Adds post_merge_cleanup_proof validation so cleanup claims must carry the
branch deletion and worktree removal checklists, or report CLEANUP_SKIPPED
with an exact blocker.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 17:19:37 -04:00
sysadminandClaude Opus 4.8 3e4b721d60 test: align duplicate gate lock fixtures with #447 provenance (#407)
Rebase onto master (#413/#463) requires sanctioned lock_provenance in
create_pr duplicate-recheck tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-07 17:18:00 -04:00