Compare commits
57
Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
5933d87647 | ||
|
|
bee24e2b10 | ||
|
|
a7aac0df1d | ||
|
|
ec903b0d61 | ||
|
|
f34319852e | ||
|
|
2fa97c26fb | ||
|
|
5ab5fe8583 | ||
|
|
f32aaaa3b5 | ||
|
|
5347b313ea | ||
|
|
1be4600261 | ||
|
|
780ef0b1be | ||
|
|
a654cda058 | ||
|
|
ab1c2d7973 | ||
|
|
6a179aeb85 | ||
|
|
f20c8436aa | ||
|
|
db5d14184f | ||
|
|
10228e1c06 | ||
|
|
d8b2b8f1a7 | ||
|
|
9e1d5c5649 | ||
|
|
2429d9d2e8 | ||
|
|
16cd871fbd | ||
|
|
783ea88a01 | ||
|
|
036b78e31e | ||
|
|
08c3488d7c | ||
|
|
4f2fd9a8b1 | ||
|
|
4185ee1417 | ||
|
|
ae6a3ae00c | ||
|
|
2fde92ad25 | ||
|
|
ebd06b73c9 | ||
|
|
af9f1c5944 | ||
|
|
f83d2c2027 | ||
|
|
93781af7e9 | ||
|
|
314615ec2c | ||
|
|
52013791d4 | ||
|
|
2ac7519792 | ||
|
|
a32c68e24b | ||
|
|
7186718cfd | ||
|
|
964505654f | ||
|
|
008cd3fd74 | ||
|
|
11ffe0f9dd | ||
|
|
683649424b | ||
|
|
ac531dda05 | ||
|
|
36781ebef7 | ||
|
|
2941ec529c | ||
|
|
eddb68818e | ||
|
|
b98e8dfa1a | ||
|
|
86651a3d05 | ||
|
|
3f3f880147 | ||
|
|
6094069ef6 | ||
|
|
6913ac98f1 | ||
|
|
faf36b5bdf | ||
|
|
05b4f13e96 | ||
|
|
57b2023611 | ||
|
|
5debfcf178 | ||
|
|
27d75facd4 | ||
|
|
2b4c291f12 | ||
|
|
b0ae1605c3 |
@@ -0,0 +1,610 @@
|
||||
"""Controller-owned work allocator policy (#600).
|
||||
|
||||
Builds on the #613 control-plane DB substrate (``ControlPlaneDB.assign_and_lease``).
|
||||
|
||||
Workers must not self-select exclusive work under the standard multi-LLM
|
||||
workflow. They call ``gitea_allocate_next_work`` which:
|
||||
|
||||
1. Inspects candidate Gitea issues/PRs (never raw monitoring incidents).
|
||||
2. Applies ADR routing policy (role, terminal path, leases, blocked, deps).
|
||||
3. Atomically assigns + leases the selected item in one DB transaction.
|
||||
|
||||
This module is pure selection + substrate orchestration. Gitea I/O for live
|
||||
inventory lives in the MCP tool wrapper so tests can inject candidates.
|
||||
|
||||
#612 remains downstream: bridge-created Gitea issues become candidates only
|
||||
after they exist as normal issues; this module never assigns incidents.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import uuid
|
||||
from dataclasses import dataclass, field
|
||||
from typing import Any, Sequence
|
||||
|
||||
from control_plane_db import (
|
||||
ControlPlaneDB,
|
||||
ControlPlaneError,
|
||||
InvalidWorkKindError,
|
||||
LeaseRequiredError,
|
||||
WORK_KINDS,
|
||||
)
|
||||
|
||||
# Outcomes required by #600 / ADR §5.
|
||||
OUTCOME_ASSIGNED = "assigned_work"
|
||||
OUTCOME_WAIT = "wait"
|
||||
OUTCOME_BLOCKED_TERMINAL = "blocked_by_terminal_path"
|
||||
OUTCOME_BLOCKED_LEASE = "blocked_by_active_lease"
|
||||
OUTCOME_NEEDS_CONTROLLER = "needs_controller"
|
||||
OUTCOME_NO_SAFE = "no_safe_work"
|
||||
OUTCOME_ROLE_INELIGIBLE = "role_ineligible"
|
||||
OUTCOME_PREVIEW = "preview" # dry-run only (apply=false)
|
||||
|
||||
ROLE_AUTHOR = "author"
|
||||
ROLE_REVIEWER = "reviewer"
|
||||
ROLE_MERGER = "merger"
|
||||
ROLE_RECONCILER = "reconciler"
|
||||
ROLE_CONTROLLER = "controller"
|
||||
|
||||
VALID_ROLES = frozenset(
|
||||
{ROLE_AUTHOR, ROLE_REVIEWER, ROLE_MERGER, ROLE_RECONCILER, ROLE_CONTROLLER}
|
||||
)
|
||||
|
||||
# Default action matrices by role (mutation gate will re-check).
|
||||
ROLE_ACTIONS: dict[str, tuple[tuple[str, ...], tuple[str, ...]]] = {
|
||||
ROLE_AUTHOR: (
|
||||
("implement", "comment", "push", "create_pr"),
|
||||
("approve", "merge", "request_changes", "self_select_without_assignment"),
|
||||
),
|
||||
ROLE_REVIEWER: (
|
||||
("review", "comment", "approve", "request_changes"),
|
||||
("merge", "push", "create_pr", "self_select_without_assignment"),
|
||||
),
|
||||
ROLE_MERGER: (
|
||||
("merge", "comment"),
|
||||
("approve", "request_changes", "push", "create_pr", "self_select_without_assignment"),
|
||||
),
|
||||
ROLE_RECONCILER: (
|
||||
("comment", "diagnose", "cleanup"),
|
||||
("approve", "merge", "push", "create_pr", "self_select_without_assignment"),
|
||||
),
|
||||
ROLE_CONTROLLER: (
|
||||
("comment", "diagnose", "allocate"),
|
||||
("approve", "merge", "push", "create_pr"),
|
||||
),
|
||||
}
|
||||
|
||||
|
||||
@dataclass
|
||||
class WorkCandidate:
|
||||
"""One assignable Gitea issue or PR presented to the allocator."""
|
||||
|
||||
kind: str # issue | pr
|
||||
number: int
|
||||
state: str = "open"
|
||||
labels: tuple[str, ...] = ()
|
||||
title: str = ""
|
||||
priority: int = 0
|
||||
head_sha: str | None = None
|
||||
# Routing signals (callers derive from Gitea / review feedback).
|
||||
request_changes_current_head: bool = False
|
||||
approval_on_current_head: bool = False
|
||||
approval_stale: bool = False
|
||||
approval_contaminated: bool = False
|
||||
mergeable: bool = False
|
||||
blocked: bool = False
|
||||
dependency_unmet: bool = False
|
||||
dependency_reason: str | None = None
|
||||
already_claimed_elsewhere: bool = False
|
||||
|
||||
def __post_init__(self) -> None:
|
||||
self.kind = (self.kind or "").strip().lower()
|
||||
self.state = (self.state or "open").strip().lower()
|
||||
self.labels = tuple(
|
||||
str(x).strip().lower() for x in (self.labels or ()) if str(x).strip()
|
||||
)
|
||||
if self.kind not in WORK_KINDS:
|
||||
raise InvalidWorkKindError(
|
||||
f"candidate kind '{self.kind}' is not assignable; only "
|
||||
f"{sorted(WORK_KINDS)} (never raw incidents)"
|
||||
)
|
||||
|
||||
def as_dict(self) -> dict[str, Any]:
|
||||
return {
|
||||
"kind": self.kind,
|
||||
"number": self.number,
|
||||
"state": self.state,
|
||||
"labels": list(self.labels),
|
||||
"title": self.title,
|
||||
"priority": self.priority,
|
||||
"head_sha": self.head_sha,
|
||||
"request_changes_current_head": self.request_changes_current_head,
|
||||
"approval_on_current_head": self.approval_on_current_head,
|
||||
"approval_stale": self.approval_stale,
|
||||
"approval_contaminated": self.approval_contaminated,
|
||||
"mergeable": self.mergeable,
|
||||
"blocked": self.blocked,
|
||||
"dependency_unmet": self.dependency_unmet,
|
||||
"dependency_reason": self.dependency_reason,
|
||||
}
|
||||
|
||||
|
||||
@dataclass
|
||||
class SkipRecord:
|
||||
kind: str
|
||||
number: int
|
||||
reason: str
|
||||
|
||||
def as_dict(self) -> dict[str, Any]:
|
||||
return {"kind": self.kind, "number": self.number, "reason": self.reason}
|
||||
|
||||
|
||||
def normalize_role(role: str | None, *, profile_name: str | None = None) -> str:
|
||||
"""Map profile/role strings to a canonical allocator role."""
|
||||
raw = (role or "").strip().lower()
|
||||
if raw in VALID_ROLES:
|
||||
return raw
|
||||
prof = (profile_name or "").strip().lower()
|
||||
for token in VALID_ROLES:
|
||||
if token in prof or prof.endswith(f"-{token}"):
|
||||
return token
|
||||
if "author" in raw:
|
||||
return ROLE_AUTHOR
|
||||
if "review" in raw:
|
||||
return ROLE_REVIEWER
|
||||
if "merg" in raw:
|
||||
return ROLE_MERGER
|
||||
if "reconcil" in raw:
|
||||
return ROLE_RECONCILER
|
||||
if "control" in raw:
|
||||
return ROLE_CONTROLLER
|
||||
raise ControlPlaneError(
|
||||
f"unknown allocator role '{role}' (profile={profile_name!r}); "
|
||||
f"expected one of {sorted(VALID_ROLES)}"
|
||||
)
|
||||
|
||||
|
||||
def expected_role_for_candidate(c: WorkCandidate) -> str:
|
||||
"""ADR §5.3 routing: which role should take this work next."""
|
||||
if c.kind == "pr":
|
||||
if c.approval_contaminated:
|
||||
return ROLE_RECONCILER
|
||||
if c.request_changes_current_head:
|
||||
return ROLE_AUTHOR
|
||||
if c.approval_stale:
|
||||
return ROLE_REVIEWER
|
||||
if c.approval_on_current_head and c.mergeable:
|
||||
return ROLE_MERGER
|
||||
# Open PR without terminal verdict → reviewer
|
||||
return ROLE_REVIEWER
|
||||
# Issues: ready work → author by default; blocked stays controller/none
|
||||
labels = set(c.labels)
|
||||
if "status:blocked" in labels or c.blocked:
|
||||
return ROLE_CONTROLLER
|
||||
return ROLE_AUTHOR
|
||||
|
||||
|
||||
def role_actions(role: str) -> tuple[tuple[str, ...], tuple[str, ...]]:
|
||||
return ROLE_ACTIONS.get(role, ROLE_ACTIONS[ROLE_AUTHOR])
|
||||
|
||||
|
||||
def classify_skip(
|
||||
c: WorkCandidate,
|
||||
*,
|
||||
role: str,
|
||||
terminal_pr: int | None,
|
||||
) -> str | None:
|
||||
"""Return skip reason, or None if candidate is selectable for *role*."""
|
||||
if c.state in ("merged", "closed"):
|
||||
return f"{c.kind}#{c.number} is {c.state}; never assign"
|
||||
if c.blocked or "status:blocked" in c.labels:
|
||||
return f"{c.kind}#{c.number} is blocked"
|
||||
if c.dependency_unmet:
|
||||
return (
|
||||
c.dependency_reason
|
||||
or f"{c.kind}#{c.number} has unmet dependencies"
|
||||
)
|
||||
if c.already_claimed_elsewhere:
|
||||
return f"{c.kind}#{c.number} already claimed elsewhere"
|
||||
if c.kind == "pr" and not (c.head_sha or "").strip():
|
||||
return f"pr#{c.number} missing head_sha pin"
|
||||
|
||||
# Terminal path first: when an active terminal PR exists, only that PR
|
||||
# (or controller diagnosis) is assignable for review-path roles.
|
||||
if terminal_pr is not None and c.kind == "pr" and c.number != terminal_pr:
|
||||
if role in (ROLE_REVIEWER, ROLE_MERGER):
|
||||
return (
|
||||
f"pr#{c.number} skipped: active terminal-review lock on "
|
||||
f"PR #{terminal_pr} must be resolved first"
|
||||
)
|
||||
|
||||
expected = expected_role_for_candidate(c)
|
||||
if role == ROLE_CONTROLLER:
|
||||
# Controller may inspect anything but only assigns diagnosis targets
|
||||
# when contaminated / blocked.
|
||||
if expected == ROLE_RECONCILER or c.blocked:
|
||||
return None
|
||||
return f"{c.kind}#{c.number} does not require controller (expected {expected})"
|
||||
|
||||
if role != expected:
|
||||
return (
|
||||
f"{c.kind}#{c.number} expects role '{expected}', active role is '{role}'"
|
||||
)
|
||||
|
||||
# Ready-gate for issues: prefer status:ready when labels present.
|
||||
if c.kind == "issue" and c.labels:
|
||||
if "status:ready" not in c.labels and "status:in-progress" not in c.labels:
|
||||
# Allow unlabeled open issues; only skip explicit non-ready states.
|
||||
if any(l.startswith("status:") for l in c.labels):
|
||||
return f"issue#{c.number} not status:ready ({','.join(c.labels)})"
|
||||
return None
|
||||
|
||||
|
||||
def sort_candidates(candidates: Sequence[WorkCandidate]) -> list[WorkCandidate]:
|
||||
"""Higher priority first; then lower number (older issues) for stability."""
|
||||
return sorted(
|
||||
candidates,
|
||||
key=lambda c: (-int(c.priority), c.kind != "pr", int(c.number)),
|
||||
)
|
||||
|
||||
|
||||
def allocate_next_work(
|
||||
db: ControlPlaneDB,
|
||||
*,
|
||||
session_id: str,
|
||||
role: str,
|
||||
remote: str,
|
||||
org: str,
|
||||
repo: str,
|
||||
candidates: Sequence[WorkCandidate],
|
||||
apply: bool = False,
|
||||
profile_name: str | None = None,
|
||||
username: str | None = None,
|
||||
lease_ttl_seconds: int | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Select and optionally reserve the next work unit via control-plane DB.
|
||||
|
||||
*apply=False* (default): dry-run selection only — no lease/assignment.
|
||||
*apply=True*: atomic ``assign_and_lease`` for the selected candidate.
|
||||
|
||||
Never uses file locks or comment-only leases as the assignment source.
|
||||
"""
|
||||
if db is None:
|
||||
return {
|
||||
"success": False,
|
||||
"outcome": OUTCOME_NO_SAFE,
|
||||
"reasons": [
|
||||
"control-plane DB substrate unavailable (fail closed, #600/#613)"
|
||||
],
|
||||
"skipped": [],
|
||||
"assignment": None,
|
||||
"substrate": "control_plane_db",
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
try:
|
||||
role_norm = normalize_role(role, profile_name=profile_name)
|
||||
except ControlPlaneError as exc:
|
||||
return {
|
||||
"success": False,
|
||||
"outcome": OUTCOME_ROLE_INELIGIBLE,
|
||||
"reasons": [str(exc)],
|
||||
"skipped": [],
|
||||
"assignment": None,
|
||||
"substrate": "control_plane_db",
|
||||
}
|
||||
|
||||
session_id = (session_id or "").strip() or f"alloc-{uuid.uuid4().hex[:12]}"
|
||||
try:
|
||||
db.upsert_session(
|
||||
session_id=session_id,
|
||||
role=role_norm,
|
||||
profile=profile_name,
|
||||
pid=os.getpid(),
|
||||
)
|
||||
except Exception as exc: # noqa: BLE001 — surface structured
|
||||
return {
|
||||
"success": False,
|
||||
"outcome": OUTCOME_NO_SAFE,
|
||||
"reasons": [
|
||||
f"failed to register session in control-plane DB: {exc} "
|
||||
"(fail closed, #613)"
|
||||
],
|
||||
"skipped": [],
|
||||
"assignment": None,
|
||||
"substrate": "control_plane_db",
|
||||
}
|
||||
|
||||
# Expire stale leases globally before selection.
|
||||
try:
|
||||
db.expire_stale_leases()
|
||||
except Exception as exc: # noqa: BLE001
|
||||
return {
|
||||
"success": False,
|
||||
"outcome": OUTCOME_NO_SAFE,
|
||||
"reasons": [f"lease expiry failed: {exc} (fail closed)"],
|
||||
"skipped": [],
|
||||
"assignment": None,
|
||||
"substrate": "control_plane_db",
|
||||
}
|
||||
|
||||
terminal = None
|
||||
try:
|
||||
terminal = db.get_active_terminal_lock(remote=remote, org=org, repo=repo)
|
||||
except Exception as exc: # noqa: BLE001
|
||||
return {
|
||||
"success": False,
|
||||
"outcome": OUTCOME_NO_SAFE,
|
||||
"reasons": [f"terminal lock lookup failed: {exc} (fail closed)"],
|
||||
"skipped": [],
|
||||
"assignment": None,
|
||||
"substrate": "control_plane_db",
|
||||
}
|
||||
terminal_pr = int(terminal["terminal_pr"]) if terminal else None
|
||||
|
||||
skipped: list[SkipRecord] = []
|
||||
ordered = sort_candidates(list(candidates))
|
||||
selected: WorkCandidate | None = None
|
||||
for c in ordered:
|
||||
reason = classify_skip(c, role=role_norm, terminal_pr=terminal_pr)
|
||||
if reason:
|
||||
skipped.append(SkipRecord(c.kind, c.number, reason))
|
||||
continue
|
||||
selected = c
|
||||
break
|
||||
|
||||
if selected is None:
|
||||
# If terminal lock blocks all review work, surface that explicitly.
|
||||
if terminal_pr is not None and role_norm in (ROLE_REVIEWER, ROLE_MERGER):
|
||||
outcome = OUTCOME_BLOCKED_TERMINAL
|
||||
reasons = [
|
||||
f"no safe work for role '{role_norm}': active terminal-review "
|
||||
f"lock on PR #{terminal_pr} (resolve terminal path first, #332/#600)"
|
||||
]
|
||||
else:
|
||||
outcome = OUTCOME_NO_SAFE
|
||||
reasons = [
|
||||
f"no safe assignable work for role '{role_norm}' "
|
||||
f"among {len(ordered)} candidates"
|
||||
]
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": outcome,
|
||||
"apply": bool(apply),
|
||||
"role": role_norm,
|
||||
"profile_name": profile_name,
|
||||
"username": username,
|
||||
"session_id": session_id,
|
||||
"remote": remote,
|
||||
"org": org,
|
||||
"repo": repo,
|
||||
"selected": None,
|
||||
"expected_role_next": None,
|
||||
"reasons": reasons,
|
||||
"skipped": [s.as_dict() for s in skipped],
|
||||
"terminal_pr": terminal_pr,
|
||||
"assignment": None,
|
||||
"substrate": "control_plane_db",
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
"downstream_note": (
|
||||
"#612 incident bridge remains downstream of #600; "
|
||||
"allocator never assigns raw monitoring incidents"
|
||||
),
|
||||
}
|
||||
|
||||
expected_role = expected_role_for_candidate(selected)
|
||||
allowed, forbidden = role_actions(role_norm)
|
||||
selection = {
|
||||
"kind": selected.kind,
|
||||
"number": selected.number,
|
||||
"title": selected.title,
|
||||
"labels": list(selected.labels),
|
||||
"head_sha": selected.head_sha,
|
||||
"priority": selected.priority,
|
||||
"expected_role_next": expected_role,
|
||||
"reason_selected": (
|
||||
f"highest-priority candidate for role '{role_norm}' "
|
||||
f"(expected_role={expected_role})"
|
||||
),
|
||||
}
|
||||
|
||||
if not apply:
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": OUTCOME_PREVIEW,
|
||||
"apply": False,
|
||||
"role": role_norm,
|
||||
"profile_name": profile_name,
|
||||
"username": username,
|
||||
"session_id": session_id,
|
||||
"remote": remote,
|
||||
"org": org,
|
||||
"repo": repo,
|
||||
"selected": selection,
|
||||
"expected_role_next": expected_role,
|
||||
"reasons": [
|
||||
"dry-run only (apply=false); no assignment/lease created — "
|
||||
"call again with apply=true to reserve via control-plane DB"
|
||||
],
|
||||
"skipped": [s.as_dict() for s in skipped],
|
||||
"terminal_pr": terminal_pr,
|
||||
"assignment": None,
|
||||
"substrate": "control_plane_db",
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
"downstream_note": (
|
||||
"#612 incident bridge remains downstream of #600; "
|
||||
"allocator never assigns raw monitoring incidents"
|
||||
),
|
||||
}
|
||||
|
||||
# Atomic reserve via #613 substrate.
|
||||
ttl = lease_ttl_seconds if lease_ttl_seconds is not None else None
|
||||
try:
|
||||
kwargs: dict[str, Any] = {
|
||||
"session_id": session_id,
|
||||
"role": role_norm,
|
||||
"remote": remote,
|
||||
"org": org,
|
||||
"repo": repo,
|
||||
"kind": selected.kind,
|
||||
"number": selected.number,
|
||||
"expected_head_sha": selected.head_sha,
|
||||
"allowed_actions": allowed,
|
||||
"forbidden_actions": forbidden,
|
||||
"phase": "allocated",
|
||||
}
|
||||
if ttl is not None:
|
||||
kwargs["lease_ttl_seconds"] = int(ttl)
|
||||
result = db.assign_and_lease(**kwargs)
|
||||
except (InvalidWorkKindError, LeaseRequiredError, ControlPlaneError) as exc:
|
||||
return {
|
||||
"success": False,
|
||||
"outcome": OUTCOME_NO_SAFE,
|
||||
"apply": True,
|
||||
"role": role_norm,
|
||||
"session_id": session_id,
|
||||
"remote": remote,
|
||||
"org": org,
|
||||
"repo": repo,
|
||||
"selected": selection,
|
||||
"expected_role_next": expected_role,
|
||||
"reasons": [f"atomic assign+lease failed: {exc} (fail closed, #613)"],
|
||||
"skipped": [s.as_dict() for s in skipped],
|
||||
"terminal_pr": terminal_pr,
|
||||
"assignment": None,
|
||||
"substrate": "control_plane_db",
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
if result.outcome == "wait":
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": OUTCOME_WAIT,
|
||||
"apply": True,
|
||||
"role": role_norm,
|
||||
"session_id": session_id,
|
||||
"remote": remote,
|
||||
"org": org,
|
||||
"repo": repo,
|
||||
"selected": selection,
|
||||
"expected_role_next": expected_role,
|
||||
"reasons": [result.reason or "foreign active lease"],
|
||||
"skipped": [s.as_dict() for s in skipped],
|
||||
"terminal_pr": terminal_pr,
|
||||
"assignment": result.as_dict(),
|
||||
"owner_session_id": result.owner_session_id,
|
||||
"substrate": "control_plane_db",
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
if result.outcome == "no_safe_work":
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": OUTCOME_NO_SAFE,
|
||||
"apply": True,
|
||||
"role": role_norm,
|
||||
"session_id": session_id,
|
||||
"remote": remote,
|
||||
"org": org,
|
||||
"repo": repo,
|
||||
"selected": selection,
|
||||
"expected_role_next": expected_role,
|
||||
"reasons": [result.reason or "no_safe_work"],
|
||||
"skipped": [s.as_dict() for s in skipped],
|
||||
"terminal_pr": terminal_pr,
|
||||
"assignment": result.as_dict(),
|
||||
"substrate": "control_plane_db",
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
# assigned
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": OUTCOME_ASSIGNED,
|
||||
"apply": True,
|
||||
"role": role_norm,
|
||||
"profile_name": profile_name,
|
||||
"username": username,
|
||||
"session_id": session_id,
|
||||
"remote": remote,
|
||||
"org": org,
|
||||
"repo": repo,
|
||||
"selected": selection,
|
||||
"expected_role_next": expected_role,
|
||||
"reasons": [
|
||||
selection["reason_selected"],
|
||||
result.reason or "atomic assign+lease created",
|
||||
],
|
||||
"skipped": [s.as_dict() for s in skipped],
|
||||
"terminal_pr": terminal_pr,
|
||||
"assignment": result.as_dict(),
|
||||
"lease_proof": {
|
||||
"assignment_id": result.assignment_id,
|
||||
"lease_id": result.lease_id,
|
||||
"expires_at": result.expires_at,
|
||||
"expected_head_sha": result.expected_head_sha,
|
||||
"allowed_actions": list(result.allowed_actions),
|
||||
"forbidden_actions": list(result.forbidden_actions),
|
||||
"source": "control_plane_db.assign_and_lease",
|
||||
},
|
||||
"next_valid_command": _next_command(role_norm, selected),
|
||||
"substrate": "control_plane_db",
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
"downstream_note": (
|
||||
"#612 incident bridge remains downstream of #600; "
|
||||
"allocator never assigns raw monitoring incidents"
|
||||
),
|
||||
}
|
||||
|
||||
|
||||
def _next_command(role: str, c: WorkCandidate) -> str:
|
||||
if role == ROLE_AUTHOR and c.kind == "issue":
|
||||
return f"implement issue #{c.number} under a branches/ worktree; open PR when ready"
|
||||
if role == ROLE_AUTHOR and c.kind == "pr":
|
||||
return (
|
||||
f"address REQUEST_CHANGES on PR #{c.number} at head "
|
||||
f"{(c.head_sha or '')[:12]} and push fixes"
|
||||
)
|
||||
if role == ROLE_REVIEWER:
|
||||
return (
|
||||
f"review PR #{c.number} pinned at head {(c.head_sha or '')[:12]} "
|
||||
"via full reviewer workflow"
|
||||
)
|
||||
if role == ROLE_MERGER:
|
||||
return (
|
||||
f"merge PR #{c.number} only with explicit operator MERGE "
|
||||
f"authorization at head {(c.head_sha or '')[:12]}"
|
||||
)
|
||||
if role == ROLE_RECONCILER:
|
||||
return f"diagnose contested state for {c.kind}#{c.number}"
|
||||
return f"proceed on {c.kind}#{c.number} under role {role}"
|
||||
|
||||
|
||||
def candidate_from_dict(data: dict[str, Any]) -> WorkCandidate:
|
||||
"""Build a WorkCandidate from a plain dict (tests / MCP inventory)."""
|
||||
return WorkCandidate(
|
||||
kind=str(data.get("kind") or "issue"),
|
||||
number=int(data["number"]),
|
||||
state=str(data.get("state") or "open"),
|
||||
labels=tuple(data.get("labels") or ()),
|
||||
title=str(data.get("title") or ""),
|
||||
priority=int(data.get("priority") or 0),
|
||||
head_sha=data.get("head_sha"),
|
||||
request_changes_current_head=bool(data.get("request_changes_current_head")),
|
||||
approval_on_current_head=bool(data.get("approval_on_current_head")),
|
||||
approval_stale=bool(data.get("approval_stale")),
|
||||
approval_contaminated=bool(data.get("approval_contaminated")),
|
||||
mergeable=bool(data.get("mergeable")),
|
||||
blocked=bool(data.get("blocked")),
|
||||
dependency_unmet=bool(data.get("dependency_unmet")),
|
||||
dependency_reason=data.get("dependency_reason"),
|
||||
already_claimed_elsewhere=bool(data.get("already_claimed_elsewhere")),
|
||||
)
|
||||
+1751
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,63 @@
|
||||
"""Controller-closure baseline-proof gate (#529, criterion 6).
|
||||
|
||||
A controller (or any session) may close a tracking issue with a closure
|
||||
report that summarizes validation. When that report calls a non-zero
|
||||
test-suite exit an "expected pre-existing failure" (or baseline / known
|
||||
failure) it must carry pre-merge proof; otherwise the closure buries an
|
||||
unproven regression as an accepted baseline and weakens controller
|
||||
confidence in the durable state.
|
||||
|
||||
This module fails closed on exactly that case by reusing the pre-merge
|
||||
baseline proof verifier (#533). A closure report is allowed when it is
|
||||
empty (no validation claim), a clean pass, or a baseline failure proven on
|
||||
the PR pre-merge base commit (or a documented known-failure record that
|
||||
predates the PR).
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from typing import Any
|
||||
|
||||
from premerge_baseline_proof import CLEAN_PASS, assess_premerge_baseline_proof
|
||||
|
||||
|
||||
def assess_controller_closure_baseline_proof(
|
||||
closure_report: str | None,
|
||||
) -> dict[str, Any]:
|
||||
"""Assess whether an issue-closure report may proceed.
|
||||
|
||||
Returns a dict with ``block``, ``proven``, ``label``, ``reasons``,
|
||||
``skipped`` and ``safe_next_action``. Only blocks when the closure
|
||||
report claims a non-zero validation exit is an expected
|
||||
pre-existing/baseline failure without valid pre-merge proof.
|
||||
"""
|
||||
text = (closure_report or "").strip()
|
||||
if not text:
|
||||
return {
|
||||
"block": False,
|
||||
"proven": True,
|
||||
"label": CLEAN_PASS,
|
||||
"reasons": [],
|
||||
"skipped": True,
|
||||
"safe_next_action": "",
|
||||
}
|
||||
|
||||
result = assess_premerge_baseline_proof(text)
|
||||
block = bool(result.get("block"))
|
||||
return {
|
||||
"block": block,
|
||||
"proven": not block,
|
||||
"label": result.get("label"),
|
||||
"reasons": list(result.get("reasons") or []),
|
||||
"skipped": bool(result.get("skipped", False)),
|
||||
"safe_next_action": (
|
||||
result.get("safe_next_action")
|
||||
or (
|
||||
"provide pre-merge baseline proof (base commit, tested commit, "
|
||||
"command, exit status, failure signature) before closing on an "
|
||||
"expected pre-existing failure"
|
||||
)
|
||||
)
|
||||
if block
|
||||
else "",
|
||||
}
|
||||
@@ -0,0 +1,105 @@
|
||||
# Control-plane DB substrate (#613)
|
||||
|
||||
**Status:** Implemented (SQLite single-writer MVP)
|
||||
|
||||
**ADR:** [`mcp-allocator-control-plane-observability-adr.md`](mcp-allocator-control-plane-observability-adr.md)
|
||||
|
||||
**Module:** `control_plane_db.py`
|
||||
|
||||
## Architecture statement
|
||||
|
||||
> **DB coordinates, Gitea records, Sentry/GlitchTip observe; the bridge is the only path that turns observations into Gitea work.**
|
||||
|
||||
## What this ships
|
||||
|
||||
| Capability | Notes |
|
||||
|------------|--------|
|
||||
| Schema | `sessions`, `work_items`, `leases`, `assignments`, `terminal_locks`, `events`, `incident_links` |
|
||||
| Atomic assign+lease | `ControlPlaneDB.assign_and_lease` — one `BEGIN IMMEDIATE` transaction |
|
||||
| Mutation gate | `require_valid_assignment` — live lease + allowed action + non-terminal work + non-stale head |
|
||||
| Heartbeat / release / expire | Lease lifecycle helpers |
|
||||
| Terminal-lock index | Routing signal for #600 (terminal path first) |
|
||||
| `incident_links` | Provider-neutral link model for #612 — **not** assignable work; scope keys NULL-safe |
|
||||
|
||||
## Hard rules (enforced in code)
|
||||
|
||||
1. Assignable `work_items.kind` ∈ {`issue`, `pr`} only — **never** raw Sentry/GlitchTip incidents.
|
||||
2. Two concurrent sessions cannot both receive an active assignment on the same open work item (second gets `wait`).
|
||||
3. Merged/closed work items return `no_safe_work` at assign time, and `require_valid_assignment` fails closed if the work item becomes terminal later.
|
||||
4. Assignments pin `expected_head_sha`; mutations fail closed if the work item head drifts.
|
||||
5. SQLite path is the **single-writer MVP** (`GITEA_CONTROL_PLANE_DB`, default under `~/.cache/gitea-tools/control-plane/`). Multi-session multi-host production requires **Postgres** or a **single allocator daemon** (ADR §6).
|
||||
6. `incident_links` optional scope fields are stored as empty strings (never NULL) so UNIQUE is canonical across minimal upserts.
|
||||
7. Legacy `incident_links` migration collapses NULL-scope duplicates **only** when Gitea targets **and** all meaningful observation metadata agree (fingerprint, status, event_count, permalink, timestamps, linked PRs, etc.). Conflicting metadata fails closed — no silent discard.
|
||||
|
||||
## Dependency chain
|
||||
|
||||
```text
|
||||
#613 control-plane DB (this) → #600 allocator API → #612 incident bridge
|
||||
```
|
||||
|
||||
- **#600** must call this substrate (not file locks / comment-only leases alone) for completion.
|
||||
- **#612** must write `incident_links` here and create **Gitea issues**; the allocator assigns those issues, not raw incidents.
|
||||
|
||||
## Allocator API (#600)
|
||||
|
||||
Module: `allocator_service.py` · MCP tool: `gitea_allocate_next_work`
|
||||
|
||||
- Workers call `gitea_allocate_next_work(apply=false|true)` instead of self-selecting work.
|
||||
- `apply=false` returns a dry-run selection (`outcome=preview`) with skip reasons.
|
||||
- `apply=true` reserves via `ControlPlaneDB.assign_and_lease` (atomic assignment+lease).
|
||||
- Coordination source is **always** the control-plane DB — not file locks or comment-only leases.
|
||||
- Routing follows ADR §5.3 (REQUEST_CHANGES → author, terminal path first, foreign lease → wait).
|
||||
- Raw monitoring incidents are never candidates.
|
||||
|
||||
|
||||
## Lease lifecycle API (#601)
|
||||
|
||||
Module: `lease_lifecycle.py` · MCP tools: `gitea_*_workflow_lease(s)`
|
||||
|
||||
Active control-plane leases are **first-class workflow state**:
|
||||
|
||||
| Tool | Purpose |
|
||||
|------|---------|
|
||||
| `gitea_list_workflow_leases` | List active (or all) leases for a repo |
|
||||
| `gitea_inspect_workflow_lease` | Freshness + `safe_next_action` for one lease id |
|
||||
| `gitea_adopt_workflow_lease` | Owner-resume or sanctioned reclaim with provenance |
|
||||
| `gitea_release_workflow_lease` | Explicit owner release (audited) |
|
||||
| `gitea_expire_workflow_leases` | Deterministic expire of past-`expires_at` leases |
|
||||
| `gitea_abandon_workflow_lease` | Abandon with required proof |
|
||||
| `gitea_reclaim_expired_workflow_lease` | Expire + re-assign with provenance |
|
||||
|
||||
### Hard rules
|
||||
|
||||
1. Control-plane DB is the coordination authority — file locks / comment-only leases are not authoritative alone.
|
||||
2. Active foreign leases cannot be stolen; inspect returns `wait_foreign_active`.
|
||||
3. Abandon requires `(dead_process OR missing_worktree)` and `no_live_mutation_risk`; foreign abandon also needs `operator_authorized` or full dead+missing+no_open_pr proof.
|
||||
4. Adopt provenance always records `adopted_from_session_id`, `adopted_by_session_id`, work identity, optional head SHA, and worktree path.
|
||||
5. Reviewer→merger comment handoff (`gitea_adopt_merger_pr_lease`) is unchanged and remains the Gitea-thread durability path.
|
||||
|
||||
```bash
|
||||
python3 -m pytest tests/test_lease_lifecycle.py tests/test_control_plane_db.py tests/test_allocator_service.py tests/test_merger_lease_adoption.py -q
|
||||
```
|
||||
|
||||
## Incident bridge (#612)
|
||||
|
||||
Module: `incident_bridge.py` · MCP tools: `gitea_observability_*`
|
||||
|
||||
- Bridge converts Sentry/GlitchTip observations → **normal Gitea issues** + `incident_links`.
|
||||
- Phase-1: `gitea_observability_reconcile_incident(apply=false|true)` with JSON observation.
|
||||
- Dry-run performs **no** Gitea mutation and **no** DB write.
|
||||
- Apply reuses existing links or creates one Gitea issue; never invents `work_items.kind=incident`.
|
||||
- Config: `GITEA_OBSERVABILITY_PROJECTS_JSON` or `GITEA_OBSERVABILITY_PROJECTS_FILE`.
|
||||
- Provider tokens never appear in issue bodies, links, or tool results.
|
||||
- Allocator sees bridge work only after a Gitea issue exists.
|
||||
|
||||
## Non-goals (intentionally deferred)
|
||||
|
||||
- Full unsupervised watchdog auto-filing (prefer explicit reconcile first)
|
||||
- Assuming GlitchTip writeback API equals Sentry without verification
|
||||
- Gitea comment/label mirror writers for every assignment (optional later)
|
||||
|
||||
## Tests
|
||||
|
||||
```bash
|
||||
python3 -m pytest tests/test_control_plane_db.py -q
|
||||
```
|
||||
@@ -0,0 +1,301 @@
|
||||
# ADR: MCP allocator, control-plane DB, and Sentry/GlitchTip incident bridge architecture
|
||||
|
||||
- **Status:** Accepted (implementation pending; blocks code for #600 / #612 / #613)
|
||||
- **Date:** 2026-07-09
|
||||
- **Tracking issues:**
|
||||
- [#613](https://gitea.prgs.cc/Scaled-Tech-Consulting/Gitea-Tools/issues/613) — control-plane DB (first)
|
||||
- [#600](https://gitea.prgs.cc/Scaled-Tech-Consulting/Gitea-Tools/issues/600) — allocator API (second)
|
||||
- [#612](https://gitea.prgs.cc/Scaled-Tech-Consulting/Gitea-Tools/issues/612) — Sentry/GlitchTip incident bridge (third)
|
||||
- **Related:** existing GlitchTip contracts (`glitchtip-to-gitea-workflow-design.md`, `glitchtip-gitea-deduplication-linking-design.md`), trust boundaries (`tool-boundaries.md`, `safety-model.md`), current leases (`pr_work_lease.py`, `issue_lock_store.py`)
|
||||
|
||||
## 1. Context
|
||||
|
||||
Multiple LLM sessions can independently inspect the Gitea queue and start the same issue or PR. Existing coordination (Gitea comment leases, local issue-lock files, labels) often detects collisions **after** work has started. Parallel issues #600, #612, and #613 each describe part of a fix; without one ADR they risk overlapping stores, wrong dependency order, and trust-boundary violations.
|
||||
|
||||
This ADR is the canonical architecture decision **before** implementing those issues.
|
||||
|
||||
## 2. Decision summary (core)
|
||||
|
||||
| Layer | Owns | Must not |
|
||||
|-------|------|----------|
|
||||
| **Control-plane DB** | Sessions, atomic assignment, leases, heartbeats, terminal-lock index, events, incident links | Bypass Gitea workflow gates or replace issue/PR history |
|
||||
| **Gitea** | Durable work record: issues, PRs, comments, labels, reviews, merges | Be the only concurrency lock under multi-session load |
|
||||
| **Sentry / GlitchTip** | Incidents, events, provider UI | Assign work, approve/merge/close, or mutate Gitea outside the bridge |
|
||||
| **Incident bridge** | Provider adapters, reconcile/create Gitea issues, link storage upsert, optional provider writeback | Hand raw provider incidents to the allocator as work items |
|
||||
|
||||
**One-liner:** **DB coordinates. Gitea records. Sentry/GlitchTip observe. The bridge is the only path that turns observations into Gitea work. The allocator assigns only Gitea issues/PRs, never raw monitoring incidents.**
|
||||
|
||||
## 3. Dependency order
|
||||
|
||||
Implementation **must** follow:
|
||||
|
||||
```text
|
||||
#613 control-plane DB → #600 allocator API → #612 incident bridge
|
||||
(atomic substrate) (routing policy) (feeds Gitea work)
|
||||
```
|
||||
|
||||
| Issue | Role | Depends on |
|
||||
|-------|------|------------|
|
||||
| **#613** | Durable coordination DB + lease/assignment transactions | — |
|
||||
| **#600** | `gitea_allocate_next_work` policy and tool surface | **#613** (hard) |
|
||||
| **#612** | Multi-project Sentry/GlitchTip → Gitea bridge | **#613** for `incident_links` index; **#600** before treating bridge-created issues as allocator feed in multi-worker prod |
|
||||
|
||||
**Hard rules:**
|
||||
|
||||
1. Do **not** implement #600 on file locks / comment-only leases and call it done.
|
||||
2. Do **not** ship #612 as a second assignment system for raw incidents.
|
||||
3. Partial previews (read-only list tools, schema stubs) may land earlier if they do not claim “allocator complete” or “bridge complete.”
|
||||
|
||||
## 4. Authority boundaries
|
||||
|
||||
### 4.1 Gitea (durable source of truth for work)
|
||||
|
||||
Gitea remains authoritative for:
|
||||
|
||||
- Issue and PR identity, titles, bodies, state (open/closed/merged)
|
||||
- Comments, reviews, approvals, REQUEST_CHANGES
|
||||
- Labels and workflow status labels (`status:ready`, `status:in-progress`, …)
|
||||
- Merges, closes, branch refs as recorded by Gitea/git hosting
|
||||
|
||||
Operators and auditors read **history** from Gitea.
|
||||
|
||||
### 4.2 Control-plane DB (coordination / index)
|
||||
|
||||
The control-plane DB is authoritative for **live multi-session coordination**:
|
||||
|
||||
- Which session holds which assignment/lease
|
||||
- Heartbeat freshness and expiry
|
||||
- Terminal-lock index for routing
|
||||
- Event log of allocation/lease transitions
|
||||
- `incident_links` index (see §8)
|
||||
|
||||
It is **not** a substitute for Gitea history. When DB and Gitea disagree on durable work state (e.g. PR already merged), **Gitea wins**; the DB is reconciled.
|
||||
|
||||
### 4.3 Sentry / GlitchTip (observe)
|
||||
|
||||
Providers own incident lifecycle and raw event data. They:
|
||||
|
||||
- Must **not** bypass Gitea gates
|
||||
- Must **not** assign LLM work
|
||||
- May receive **writeback** of resolution status only through the bridge, when configured and supported
|
||||
|
||||
### 4.4 Trust boundaries for credentials
|
||||
|
||||
Aligned with `docs/tool-boundaries.md` and `docs/safety-model.md`:
|
||||
|
||||
- **One MCP server process per trust boundary** remains the default.
|
||||
- Monitor API tokens (Sentry/GlitchTip) live in the **bridge/orchestrator boundary** (or a dedicated observability write/read profile), **not** blindly inside every Gitea MCP author/reviewer/merger process.
|
||||
- Gitea tokens stay on Gitea MCP profiles only.
|
||||
- Orchestrators compose services; they must not become a single credential pool that silently mixes Gitea write + monitor tokens into every worker.
|
||||
|
||||
Tool names such as `gitea_observability_*` may exist as a **namespace façade** only if the runtime still enforces separate credential scopes (e.g. bridge process vs pure Gitea mutation process).
|
||||
|
||||
## 5. Allocator rules (#600 on top of #613)
|
||||
|
||||
### 5.1 Worker contract
|
||||
|
||||
- Workers **do not self-select** work under the standard multi-LLM workflow.
|
||||
- Workers call **`gitea_allocate_next_work`** (with `apply=true` only when taking work).
|
||||
- Mutations that claim exclusive work require a **valid assignment and lease** from the control-plane DB.
|
||||
- Return values include at least: role, issue/PR number, expected head SHA (when applicable), lease ID, expiry, allowed actions, forbidden actions — or a non-assignment outcome (`WAIT`, terminal-path block, no safe work, needs controller, etc.).
|
||||
|
||||
### 5.2 Atomic reserve
|
||||
|
||||
- **Assignment creation and lease creation happen in one DB transaction.**
|
||||
- Two concurrent sessions **must not** receive the same issue/PR as assigned work.
|
||||
- On contention: second session gets **WAIT** or **owner-resume**, never a duplicate lease.
|
||||
|
||||
### 5.3 Routing policy
|
||||
|
||||
| Condition | Route |
|
||||
|-----------|--------|
|
||||
| Current-head **REQUEST_CHANGES** | **Author** (not reviewer/merger) |
|
||||
| **Stale** approval (approval not on current head) | **Reviewer** |
|
||||
| **Clean** approval on current head, mergeable | **Merger** |
|
||||
| Contested / contaminated approval | **Diagnosis / reconciler** (controller path) |
|
||||
| Active **foreign** lease | **WAIT** or **owner-resume** |
|
||||
| **Terminal-review** lock present | **Terminal-path resolution first** before downstream review work |
|
||||
| Merged / closed PR | **Never assign** |
|
||||
| Issue locked by sanctioned lease | **Never assign** to another worker unless lease cleanup/adoption is sanctioned |
|
||||
|
||||
### 5.4 Relationship to Gitea mirrors
|
||||
|
||||
After a successful assignment, the allocator (or sanctioned tooling) may update Gitea comments/labels so humans and audits see state. Those mirrors **are not** the sole lock source.
|
||||
|
||||
## 6. Control-plane DB topology (#613)
|
||||
|
||||
### 6.1 Preferred architecture (multi-daemon / Proxmox)
|
||||
|
||||
For true multi-session concurrency (multiple MCP daemons, multiple hosts, or Proxmox VMs):
|
||||
|
||||
**Prefer either:**
|
||||
|
||||
1. **Shared Postgres** used by all Gitea MCP profiles / allocator callers, **or**
|
||||
2. A **single allocator daemon** (sole writer to the coordination store) that all workers call over MCP/RPC.
|
||||
|
||||
Both satisfy: one transactional authority for “who has this work item.”
|
||||
|
||||
### 6.2 SQLite MVP
|
||||
|
||||
SQLite is acceptable **only** for a **single-writer MVP**:
|
||||
|
||||
- One process owns writes (allocator daemon or single co-located MCP server), **or**
|
||||
- Documented single-host single-daemon experiments with file locking and no multi-host claims.
|
||||
|
||||
SQLite is **not** sufficient to declare multi-session production readiness when four independent LLM sessions talk to four MCP processes without a shared writer.
|
||||
|
||||
### 6.3 Suggested entities (normative shape)
|
||||
|
||||
Minimum logical entities (names may vary; semantics must not):
|
||||
|
||||
1. **sessions** — session_id, role/profile, namespace, pid, started_at, last_heartbeat_at, status
|
||||
2. **work_items** — remote/org/repo, kind ∈ {`issue`, `pr`}, number, state, priority, current_head_sha, updated_at
|
||||
3. **leases** — lease_id, work_item_id, session_id, role, phase, expires_at, heartbeat_at, status
|
||||
4. **assignments** — assignment_id, work_item_id, session_id, allowed_action(s), expected_head_sha, status
|
||||
5. **terminal_locks** — repo/org, terminal_pr, review_id, decision, status, cleanup_state
|
||||
6. **events** — event_id, work_item_id, type, message, created_at
|
||||
7. **incident_links** — provider-neutral link model (see §8)
|
||||
|
||||
**Explicit non-kind:** do **not** use `work_items.kind = sentry_incident` (or glitchtip_incident) as an assignable work unit. Incidents become work only after the bridge creates/links a **Gitea issue**.
|
||||
|
||||
## 7. Lease migration (avoid split-brain)
|
||||
|
||||
### 7.1 Target state
|
||||
|
||||
- **Primary** for live coordination: **control-plane DB** leases and assignments.
|
||||
- **Gitea comment leases** (e.g. `<!-- mcp-review-lease:v1 -->`) and **local issue-lock files** become:
|
||||
- **mirrors** of DB state for human visibility / recovery, and/or
|
||||
- written **only** through the allocator (or sanctioned lease tools that update DB + mirror in one workflow).
|
||||
|
||||
### 7.2 Migration rules
|
||||
|
||||
1. New exclusive claims go through DB assignment+lease first.
|
||||
2. Comment lease / file lock writers that skip the DB are **deprecated** once #613+#600 land.
|
||||
3. Reconciler tooling heals: expired DB lease, orphan Gitea comment, orphan local file — fail closed when ambiguous.
|
||||
4. **Split-brain is a defect:** “DB free + Gitea comment leased” or “DB leased + Gitea free” must be detectable and reconcilable; production paths must not rely on two independent writers.
|
||||
|
||||
### 7.3 Heartbeats
|
||||
|
||||
- Heartbeats update the **DB**.
|
||||
- Optional Gitea summaries must avoid comment spam (periodic summary or edit-in-place policy).
|
||||
|
||||
## 8. Observability bridge (#612)
|
||||
|
||||
### 8.1 Role
|
||||
|
||||
The bridge:
|
||||
|
||||
1. Scans configured Sentry and/or GlitchTip projects (multi-project mappings).
|
||||
2. Deduplicates against existing links / Gitea issues.
|
||||
3. Creates or updates **normal Gitea issues** (labels, sanitized body, provider URL).
|
||||
4. Upserts **one** canonical `incident_links` row.
|
||||
5. Optionally writes resolution status back to the provider when supported.
|
||||
6. Never approves, merges, closes, or otherwise bypasses Gitea workflow gates.
|
||||
|
||||
### 8.2 Allocator interaction
|
||||
|
||||
- The allocator sees observability work **only after** a Gitea issue exists (typically `status:ready` + observability labels).
|
||||
- **Do not assign raw Sentry/GlitchTip incidents** as work items.
|
||||
- Bridge AC “allocator can see linked issues” means: **as ordinary Gitea issues**, not a special incident queue.
|
||||
|
||||
### 8.3 Provider adapters and trust
|
||||
|
||||
- Separate **Sentry** and **GlitchTip** adapters; document API differences; do not assume writeback parity.
|
||||
- Self-hosted base URLs supported (e.g. `https://sentry.prgs.cc`).
|
||||
- Tokens from environment / secret store only.
|
||||
- Prefer phase-1 **explicit reconcile / dry-run** before unsupervised watchdog auto-filing, consistent with existing GlitchTip filing safety contracts.
|
||||
|
||||
### 8.4 Home of implementation
|
||||
|
||||
Filing/orchestration may live in:
|
||||
|
||||
- a control-plane / bridge package or profile, and/or
|
||||
- Gitea-Tools as operator-facing tools that **delegate** to that boundary,
|
||||
|
||||
but must not violate §4.4 credential isolation.
|
||||
|
||||
## 9. Incident link storage (single source of truth)
|
||||
|
||||
### 9.1 Canonical model: `incident_links` (provider-neutral)
|
||||
|
||||
Prefer a **provider-neutral** model over Sentry-only `sentry_links`:
|
||||
|
||||
| Field (logical) | Purpose |
|
||||
|-----------------|---------|
|
||||
| provider | `sentry` \| `glitchtip` \| … |
|
||||
| provider_base_url | Self-hosted base |
|
||||
| provider_org / provider_project | Mapping key |
|
||||
| provider_issue_id / provider_short_id | Provider identity |
|
||||
| provider_permalink | Human URL |
|
||||
| fingerprint | Stable dedupe key when available |
|
||||
| gitea_org / gitea_repo / gitea_issue_number | Linked work |
|
||||
| linked_pr_numbers | Optional PR association |
|
||||
| first_seen / last_seen / event_count | Summary metrics (safe) |
|
||||
| status | link lifecycle |
|
||||
| release_resolved_at / last_sync_at | Sync bookkeeping |
|
||||
|
||||
### 9.2 Gitea as human mirror
|
||||
|
||||
- Issue body markers / structured comments (e.g. HTML comment metadata) remain the **human- and audit-visible mirror**.
|
||||
- They must stay consistent with `incident_links` but are **not** a second independent write path for inventing links without the bridge.
|
||||
|
||||
### 9.3 One truth
|
||||
|
||||
- **Do not** maintain two independent systems of record (e.g. full mapping only in #612 storage **and** a separate #613 `sentry_links` with different semantics).
|
||||
- #612 implementation **must** use the same `incident_links` model introduced under #613 (or a single agreed store both reference).
|
||||
|
||||
## 10. Security and redaction
|
||||
|
||||
Mandatory for bridge payloads, Gitea issue bodies/comments, DB-stored event summaries, and logs:
|
||||
|
||||
- No API tokens, DSNs, passwords, cookies, auth headers
|
||||
- No keychain IDs, private config contents, raw session-state files, full prompt bodies
|
||||
- Sanitize stack locals and request data; store only safe tags/context
|
||||
- Logs must never print provider tokens or DSNs
|
||||
- Redaction tests are required for #612
|
||||
|
||||
## 11. Non-goals
|
||||
|
||||
- Replace Gitea as the durable workflow record
|
||||
- Let Sentry/GlitchTip assign work or mutate Gitea workflow state outside sanctioned tools
|
||||
- Let the bridge approve, merge, close, release, or bypass Gitea gates
|
||||
- Implement #600 on file locks / comments alone and call allocator complete
|
||||
- Treat raw monitoring incidents as `work_items` for the allocator
|
||||
- Put monitor tokens into every Gitea MCP worker process by default
|
||||
|
||||
## 12. Consequences
|
||||
|
||||
### Positive
|
||||
|
||||
- Clear implementation order and ownership
|
||||
- Multi-session safety becomes testable at the DB layer
|
||||
- Observability becomes assignable work without special-casing the allocator
|
||||
- Trust boundaries stay compatible with existing control-plane docs
|
||||
|
||||
### Costs / risks
|
||||
|
||||
- Migration from comment/file leases requires reconciler work
|
||||
- Shared Postgres or single allocator daemon is operational cost
|
||||
- Bridge must be careful not to spam Gitea issues (dedupe, caps, policy modes)
|
||||
|
||||
### Follow-ups (documentation only until implemented)
|
||||
|
||||
1. Update #600, #612, and #613 bodies to **link this ADR** and restate hard dependencies.
|
||||
2. Implement #613 schema + atomic assign/lease.
|
||||
3. Implement #600 against the DB.
|
||||
4. Implement #612 against `incident_links` + Gitea create/update.
|
||||
5. Deprecate dual writers for leases.
|
||||
|
||||
## 13. Acceptance criteria for *this* ADR
|
||||
|
||||
This document is accepted when:
|
||||
|
||||
1. It is merged into `docs/architecture/` on the default branch.
|
||||
2. #600 / #612 / #613 (or their PRs) reference this path as the architecture source of truth.
|
||||
3. No implementation PR for those issues claims completion without conforming to §§2–11.
|
||||
|
||||
## 14. Document history
|
||||
|
||||
| Date | Change |
|
||||
|------|--------|
|
||||
| 2026-07-09 | Initial ADR: dependency order, authority model, topology, lease migration, bridge, `incident_links`, security, non-goals |
|
||||
@@ -39,6 +39,7 @@ one.
|
||||
| `status:blocked` | Issue is blocked |
|
||||
| `status:needs-review` | Issue work needs review |
|
||||
| `status:pr-open` | A linked PR is open |
|
||||
| `status:changes-requested` | Reviewer requested changes on the linked PR |
|
||||
| `status:approved` | Linked PR is approved |
|
||||
| `status:merged` | Linked PR is merged |
|
||||
| `status:reconcile` | Issue needs reconciliation |
|
||||
@@ -46,6 +47,72 @@ one.
|
||||
| `status:duplicate` | Issue is a duplicate |
|
||||
| `status:wontfix` | Issue will not be fixed |
|
||||
|
||||
## Role Ownership Labels (#603)
|
||||
|
||||
A single `role:*` label shows which workflow role currently owns the item. It is
|
||||
advisory visibility only — the control-plane lease (#601) is the source of truth
|
||||
for mutation authority. Only one `role:*` label is active at a time; tooling
|
||||
replaces it on handoff via `transition_role_labels`.
|
||||
|
||||
| Label | Use |
|
||||
| --- | --- |
|
||||
| `role:author` | Author currently owns the item |
|
||||
| `role:reviewer` | Reviewer currently owns the item |
|
||||
| `role:merger` | Merger currently owns the item |
|
||||
|
||||
## Hazard Labels (#603)
|
||||
|
||||
Hazard labels are orthogonal warning flags. Unlike `status:*` and `role:*`,
|
||||
**more than one hazard may be active at once**, and a hazard never substitutes
|
||||
for a live lease / PR-state check. Add/remove with `add_hazard_label` /
|
||||
`clear_hazard_label`.
|
||||
|
||||
| Label | Use |
|
||||
| --- | --- |
|
||||
| `hazard:stale-lease` | A stale or expired lease references this item |
|
||||
| `hazard:workflow-contaminated` | Session/workflow state is contaminated; do not mutate |
|
||||
| `hazard:conflicted` | Linked PR has merge conflicts |
|
||||
| `hazard:root-mutation` | Work was mutated in the project root checkout |
|
||||
| `hazard:manual-state` | Session or lease state was edited manually |
|
||||
| `hazard:terminal-blocker` | A terminal review/merge lock blocks progress (#332/#602) |
|
||||
|
||||
Any item that carries `status:blocked` or any `hazard:*` flag must also have a
|
||||
blocking-reason / next-action comment (`requires_blocking_reason`).
|
||||
|
||||
## `state:*` → canonical mapping (#603 migration)
|
||||
|
||||
Issue #603 proposed a parallel `state:*` vocabulary. To avoid a conflicting
|
||||
second lifecycle prefix, those requested states are folded into the existing
|
||||
canonical labels rather than introduced as `state:*`. `state:*` is **not** a
|
||||
supported prefix; use the canonical label on the right.
|
||||
|
||||
| Requested `state:*` | Canonical label |
|
||||
| --- | --- |
|
||||
| `state:needs-triage` | `status:triage` |
|
||||
| `state:claimed` | `status:claimed` |
|
||||
| `state:authoring` | `status:in-progress` |
|
||||
| `state:needs-review` | `status:needs-review` |
|
||||
| `state:reviewing` | `status:needs-review` |
|
||||
| `state:changes-requested` | `status:changes-requested` |
|
||||
| `state:approved` | `status:approved` |
|
||||
| `state:merge-ready` | `status:approved` |
|
||||
| `state:merged` | `status:merged` |
|
||||
| `state:blocked` | `status:blocked` |
|
||||
| `state:terminal-blocker` | `hazard:terminal-blocker` |
|
||||
| `state:abandoned` | `status:wontfix` |
|
||||
|
||||
The transition helpers accept these names as synonyms (e.g.
|
||||
`canonical_status_label("authoring")` → `status:in-progress`), so callers may use
|
||||
the #603 wording while a single canonical status stays active.
|
||||
|
||||
## Allocator Cross-Check (#603)
|
||||
|
||||
Labels are advisory queue hints. The work allocator (#600/#613) uses labels as
|
||||
one signal but **cross-checks live leases and PR state** and never trusts labels
|
||||
alone. Discussion issues (`type:discussion`) are excluded from implementation
|
||||
queues (`is_implementation_candidate`) unless a controller explicitly selects
|
||||
them.
|
||||
|
||||
## Transition Rules
|
||||
|
||||
Suggested lifecycle:
|
||||
|
||||
@@ -811,6 +811,32 @@ author work. Do not switch from `prgs-reconciler` to `prgs-author` only to run
|
||||
- **Reports:** label cleanup actions as reconciler cleanup (not author mutation).
|
||||
- **Prompt:** `As prgs-reconciler, dry-run then execute gitea_reconcile_merged_cleanups for recently merged PRs without switching to prgs-author.`
|
||||
|
||||
### Superseded PR / satisfied issue reconciliation (#525)
|
||||
|
||||
Closing duplicate or superseded PRs after a canonical PR has merged is
|
||||
**reconciler** work. Do not switch to `prgs-author` only to close the duplicate
|
||||
PR, close the satisfied issue, or file a narrow follow-up discovered during
|
||||
reconciliation.
|
||||
|
||||
- **Profile:** `prgs-reconciler`.
|
||||
- **Tasks:** `reconcile_close_superseded_pr`,
|
||||
`reconcile_close_satisfied_issue`, and
|
||||
`reconcile_create_followup_issue`.
|
||||
- **Tool:** `gitea_reconcile_superseded_by_merged_pr`.
|
||||
- **Required proof:**
|
||||
1. Live target PR state is open, but it is not independently required and no
|
||||
mergeable work remains.
|
||||
2. Live superseding PR state is closed and merged.
|
||||
3. Superseding PR head is an ancestor of freshly fetched `master`.
|
||||
4. Merge commit SHA is recorded.
|
||||
5. Canonical close comment cites the superseding PR and merge commit.
|
||||
6. Linked issue closure is attempted only when the issue is open and
|
||||
explicitly satisfied by the superseding PR.
|
||||
- **Fail closed:** missing ancestry proof, missing canonical comment,
|
||||
mergeable target PR, same target/superseding PR, or missing
|
||||
`gitea.pr.close` / `gitea.issue.close` capability.
|
||||
- **Prompt:** `As prgs-reconciler, reconcile PR #N as superseded by merged PR #M; post the canonical close comment, close the superseded PR, and close issue #K only if the merged PR fully satisfies it.`
|
||||
|
||||
### Stop on blocker
|
||||
|
||||
- **Any profile.** If a required gate cannot be satisfied — identity
|
||||
@@ -1023,6 +1049,72 @@ Special states:
|
||||
Final reports must not claim a comment was posted when
|
||||
`canonical_comment_validation.allowed` is false (#496 AC14).
|
||||
|
||||
## Stale #332 review-decision lock cleanup (#594)
|
||||
|
||||
#332 hard-stops a reviewer session after a terminal live review mutation
|
||||
(`approve` / `request_changes`). After #559 those locks are **durable** under
|
||||
`~/.cache/gitea-tools/session-state/review_decision_lock-<profile>.json`, so they
|
||||
can outlive the PR they protected.
|
||||
|
||||
### When cleanup is **allowed**
|
||||
|
||||
Use `gitea_cleanup_stale_review_decision_lock` from a **reviewer** profile when:
|
||||
|
||||
1. A durable review-decision lock has a terminal live mutation, **and**
|
||||
2. Live Gitea state shows that terminal PR is already **merged** or **closed**
|
||||
(so no same-PR merge sequence remains), **and**
|
||||
3. The active profile identity matches the lock, **and**
|
||||
4. Authenticated identity can be verified.
|
||||
|
||||
Workflow:
|
||||
|
||||
```text
|
||||
# 1) Assess only (default)
|
||||
gitea_cleanup_stale_review_decision_lock(apply=false, remote=prgs, ...)
|
||||
|
||||
# 2) Apply after is_moot=true and cleanup_allowed=true
|
||||
gitea_cleanup_stale_review_decision_lock(
|
||||
apply=true,
|
||||
expected_terminal_pr=<merged-or-closed-pr>,
|
||||
remote=prgs,
|
||||
...
|
||||
)
|
||||
```
|
||||
|
||||
Successful apply:
|
||||
|
||||
* clears in-memory + durable decision lock for that profile
|
||||
* returns a structured `audit` payload
|
||||
* posts an audit comment on the mooted PR when `gitea.pr.comment` is allowed
|
||||
(`post_audit_comment=true` default)
|
||||
|
||||
Same-profile auto-expire: if `gitea_merge_pr` succeeds on a PR that this same
|
||||
profile just approved, the decision lock is cleared after merge. Cross-profile
|
||||
locks (reviewer vs merger) still require the cleanup tool.
|
||||
|
||||
### When cleanup is **forbidden**
|
||||
|
||||
Do **not** clear when:
|
||||
|
||||
* the last terminal PR is still **open** (active #332 hard-stop — continue merge
|
||||
for that approve, or stop after request_changes)
|
||||
* live PR state cannot be fetched (fail closed)
|
||||
* profile identity does not match the lock
|
||||
* identity cannot be verified
|
||||
* `expected_terminal_pr` does not match the last terminal PR
|
||||
|
||||
**Never** use manual deletion of session-state files as the normal workflow.
|
||||
**Never** use cleanup to skip review of an open PR or to bypass eligibility /
|
||||
mark-ready / submit gates on active work.
|
||||
|
||||
### Related tools
|
||||
|
||||
| Tool | Purpose |
|
||||
|------|---------|
|
||||
| `gitea_cleanup_stale_review_decision_lock` | Moot decision-lock cleanup (#594) |
|
||||
| `gitea_authorize_review_correction` | Operator-approved correction after a **mistaken** live review on still-active work (#211) |
|
||||
| `gitea_cleanup_post_merge_moot_lease` | Moot **lease** cleanup after merge (#515) — different object |
|
||||
|
||||
## Fail-closed behavior
|
||||
|
||||
Before any mutating action the workflow verifies identity, active profile,
|
||||
|
||||
@@ -0,0 +1,118 @@
|
||||
# Recovering from `client is closing: EOF` on a Gitea MCP namespace (#543)
|
||||
|
||||
## Symptom
|
||||
|
||||
A tool call through a Gitea MCP namespace — `gitea-author`, `gitea-reviewer`,
|
||||
`gitea-merger`, or the shared `gitea-tools` namespace — fails immediately with:
|
||||
|
||||
```
|
||||
client is closing: EOF
|
||||
```
|
||||
|
||||
Every subsequent call to that same namespace returns the same error, including
|
||||
cheap read tools such as `gitea_whoami` and `gitea_list_profiles`. Other MCP
|
||||
servers registered with the same client (for example `context7`) keep working,
|
||||
so this is **not** a global MCP-client outage.
|
||||
|
||||
## Why this is not a code defect
|
||||
|
||||
This failure is a **transport-level** condition in the IDE / MCP client manager,
|
||||
not a missing or broken tool:
|
||||
|
||||
- The tool can be present and registered in the Python `FastMCP` tool manager.
|
||||
- Direct Python inspection of the server confirms the tool exists.
|
||||
- Running the server manually and sending JSON-RPC over stdio works fine
|
||||
(offline spawn) — that path does **not** prove the IDE namespace is healthy.
|
||||
|
||||
The client manager entered a closed state after the backing subprocess for that
|
||||
namespace terminated (or was killed) behind its back. Once closed, the client
|
||||
does **not** re-spawn the child on the next tool call — it just replays
|
||||
`client is closing: EOF`. The OS process may even still be alive if a parent
|
||||
language-server process is holding the stdio pipes open.
|
||||
|
||||
This is the canonical "registered in FastMCP ≠ callable through the namespace"
|
||||
false-ready state. It is distinct from the **stale-runtime** family in #531 /
|
||||
#544, where the process is reachable but running behind `master`; that case is
|
||||
detected by the `ps`-based `_check_mcp_runtimes_diagnostics` in
|
||||
`gitea_mcp_server.py`. The EOF case is a dead/closed transport, not a stale one,
|
||||
so the `ps` check alone will not surface it.
|
||||
|
||||
## Recovery path (canonical — client reconnect only)
|
||||
|
||||
Do the steps in order. Stop as soon as a live **client-namespace** call succeeds.
|
||||
|
||||
1. **Confirm the blast radius.** Call a cheap read tool on the failing namespace
|
||||
(`gitea_whoami` or `gitea_list_profiles`). Then call the same tool on a
|
||||
different MCP server (e.g. `context7`).
|
||||
- Only the Gitea namespace fails → single-namespace transport close. Continue.
|
||||
- Every server fails → restart the whole MCP client, not just one namespace.
|
||||
|
||||
2. **Reconnect the namespace through the client, not the shell.** Use the IDE /
|
||||
client MCP-reconnect action for that server entry (in Claude Code:
|
||||
`/mcp` → reconnect the affected `gitea-*` server). Reconnecting forces the
|
||||
client to spawn a fresh subprocess and re-open the pipe. This clears the
|
||||
closed-client state that a bare `kill`/respawn from a terminal does **not**.
|
||||
|
||||
3. **Do not "fix" it by importing the server or poking the process.** Reaching
|
||||
for `python -c 'import gitea_mcp_server ...'`, raw JSON-RPC from a shell,
|
||||
killing PIDs to force a respawn, or touching MCP config mtimes does **not**
|
||||
restore the *client's* view of the namespace and violates the daemon-import
|
||||
guard (#558, `docs/mcp-daemon-import-guard.md`). The only sanctioned repair
|
||||
is a **client reconnect / relaunch**.
|
||||
|
||||
4. **Verify through the same path the workflow will use.** After reconnect, call
|
||||
the specific tool the blocked workflow needs — not just any tool — through
|
||||
the target namespace. For a merge that means calling the merger-authorized
|
||||
adoption/merge tool through `gitea-merger`. A green `gitea_whoami` on one
|
||||
namespace does **not** prove another namespace or another tool is callable.
|
||||
Record success with:
|
||||
|
||||
```text
|
||||
gitea_assess_mcp_namespace_health(..., probe_source="client_namespace")
|
||||
```
|
||||
|
||||
5. **If reconnect does not clear it,** relaunch the client entirely, then repeat
|
||||
step 4. If EOF persists after a full relaunch, the backing subprocess is
|
||||
failing to start — inspect its stderr / launch config (command path, venv,
|
||||
`*_MCP_CONFIG`, `*_MCP_PROFILE` env) rather than retrying the call. Still
|
||||
do not use PID kill or config-touch as the primary recovery.
|
||||
|
||||
## Diagnostics to capture when reporting EOF
|
||||
|
||||
Include all of these so the failure is actionable and reproducible:
|
||||
|
||||
- **Namespace name** that returned EOF (`gitea-author` / `gitea-reviewer` /
|
||||
`gitea-merger` / `gitea-tools`).
|
||||
- **Tool** that was called and the **exact** error string.
|
||||
- **PID** of the backing process (if any) and whether it was still alive
|
||||
(informational only — not a recovery action).
|
||||
- **Profile / env** for that namespace (execution profile, `*_MCP_PROFILE`,
|
||||
worktree binding such as `GITEA_AUTHOR_WORKTREE`).
|
||||
- **Config path** the client launched the server from.
|
||||
- Result of the **cross-server control** call (did `context7` succeed?).
|
||||
|
||||
## Offline spawn probe (non-authoritative)
|
||||
|
||||
`test_mcp_conn.py` performs a full JSON-RPC handshake against a **fresh
|
||||
subprocess** (`initialize` → `initialized` → `tools/list` → `tools/call`) and
|
||||
classifies with `probe_source=offline_spawn`. That is useful for offline
|
||||
launch/registration debugging. It is **not** proof the IDE-managed namespace is
|
||||
healthy. See `docs/mcp-namespace-health.md`.
|
||||
|
||||
## Do-not list during EOF recovery
|
||||
|
||||
- Do **not** retry a blocked merge/adoption until the required tool is confirmed
|
||||
callable through the merger-authorized **client** namespace (see #543).
|
||||
- Do **not** clean, reset, or rebind a **foreign** worktree to work around the
|
||||
error.
|
||||
- Do **not** bypass the namespace with direct imports, raw API/curl, or
|
||||
in-memory state restoration.
|
||||
- Do **not** kill MCP PIDs or touch config mtimes as a substitute for client
|
||||
reconnect.
|
||||
|
||||
## Related
|
||||
|
||||
- #531 / #544 — stale-runtime detection (`ps`-based); sibling failure mode.
|
||||
- #558 / `docs/mcp-daemon-import-guard.md` — why shell imports are not a repair.
|
||||
- `docs/mcp-client-registration.md` — per-server registration contract.
|
||||
- `docs/mcp-namespace-health.md` — probe sources and mutation enforcement.
|
||||
@@ -0,0 +1,88 @@
|
||||
# MCP namespace health diagnostics (#543)
|
||||
|
||||
Gitea MCP tools can be registered in the Python FastMCP server while the IDE's
|
||||
live MCP namespace is still unusable. The failure usually appears as
|
||||
`client is closing: EOF`, `transport closed`, or an empty response when calling
|
||||
a tool such as `gitea_whoami`.
|
||||
|
||||
Do not treat static tool registration as proof that review or merge workflows
|
||||
can proceed. A reviewer or merger flow must have **client-namespace** evidence
|
||||
that the required tool is callable through the configured IDE MCP namespace.
|
||||
|
||||
## Probe sources (do not confuse them)
|
||||
|
||||
| Source | How obtained | Proves IDE namespace? |
|
||||
| --- | --- | --- |
|
||||
| `client_namespace` | Tool call through the IDE-managed MCP client | **Yes** |
|
||||
| `offline_spawn` | `test_mcp_conn.py` subprocess JSON-RPC handshake | **No** (offline only) |
|
||||
|
||||
`gitea_assess_mcp_namespace_health` accepts `probe_source` and only sets
|
||||
`ide_namespace_proven=true` for `client_namespace` success. Offline spawn
|
||||
success never clears review/merge mutation gates.
|
||||
|
||||
## Client-namespace health check (canonical)
|
||||
|
||||
1. Through the IDE client, call a cheap tool on the target namespace
|
||||
(`gitea_whoami` or `gitea_list_profiles`).
|
||||
2. Feed the live result into:
|
||||
|
||||
```text
|
||||
gitea_assess_mcp_namespace_health(
|
||||
namespace="gitea-merger", # or reviewer / author / tools
|
||||
registered_tools=[...], # optional static list
|
||||
probe_result={"success": true, "result": {...}},
|
||||
probe_source="client_namespace",
|
||||
)
|
||||
```
|
||||
|
||||
3. A healthy client-namespace assessment is recorded in the MCP session and
|
||||
consulted by **live** `gitea_submit_pr_review` / `gitea_merge_pr` gates.
|
||||
4. If the probe fails with EOF, recover via **client reconnect only** — see
|
||||
`docs/mcp-namespace-eof-recovery.md`. Do **not** kill PIDs or touch MCP
|
||||
config mtimes as a recovery procedure.
|
||||
|
||||
## Offline spawn probe (non-authoritative)
|
||||
|
||||
```bash
|
||||
python3 test_mcp_conn.py --config ~/.gemini/config/mcp_config.json
|
||||
```
|
||||
|
||||
This script spawns a **separate** server process from config, performs
|
||||
JSON-RPC `initialize` → `tools/list` → `tools/call`, and classifies the
|
||||
result with `probe_source=offline_spawn`. Use it for offline debugging of
|
||||
launch command / registration. It does **not** prove the IDE-managed
|
||||
namespace is healthy.
|
||||
|
||||
By default the script checks:
|
||||
|
||||
| Namespace | Required tool |
|
||||
| --- | --- |
|
||||
| `gitea-author` | `gitea_whoami` |
|
||||
| `gitea-reviewer` | `gitea_whoami` |
|
||||
| `gitea-merger` | `gitea_whoami` |
|
||||
| `gitea-tools` | `gitea_list_profiles` |
|
||||
|
||||
## Recovery (canonical)
|
||||
|
||||
When a namespace returns EOF, follow
|
||||
`docs/mcp-namespace-eof-recovery.md` in order:
|
||||
|
||||
1. Confirm blast radius (Gitea namespace vs all MCP servers).
|
||||
2. **Reconnect the namespace through the client** (IDE reconnect / relaunch).
|
||||
3. Do not repair via shell imports, raw JSON-RPC, PID kills, or config mtime
|
||||
touches — those do not restore the client's closed transport.
|
||||
4. Re-verify the **specific** required tool through the target namespace.
|
||||
5. Resume review/merge only after a successful `client_namespace` assessment.
|
||||
|
||||
## Enforcement
|
||||
|
||||
1. **State machine (read-only):** feed `blocks_merge_workflow` from a
|
||||
`client_namespace` assessment into
|
||||
`gitea_assess_review_merge_state_machine(live_namespace_broken=...)`.
|
||||
2. **Live mutations:** `gitea_submit_pr_review` and `gitea_merge_pr` call
|
||||
`_live_namespace_health_gate` and fail closed when the session has a
|
||||
recorded unhealthy or non-client probe for the required namespace
|
||||
(`gitea-reviewer` for review, `gitea-merger` for merge).
|
||||
|
||||
When blocked, repair the IDE namespace and re-record a healthy
|
||||
`client_namespace` assessment before retrying the mutation.
|
||||
@@ -15,5 +15,7 @@
|
||||
5. **Explicit merge confirmation** — `gitea_merge_pr` requires `confirmation="MERGE PR <n>"`.
|
||||
6. **No self-review / self-merge** — Authenticated user must differ from PR author for approve/merge.
|
||||
7. **Review decision lock** — Live review mutations require validation-phase dry-run and `gitea_mark_final_review_decision`.
|
||||
8. **Redaction** — Tokens, passwords, and keychain material never appear in tool output.
|
||||
9. **Wiki publication (#224)** — `docs/wiki/` and the sync helper are prerequisites only. Closing a wiki issue requires live Gitea Wiki proof on the repo Wiki tab. See [Runbooks](Runbooks.md#wiki-publication-readiness-gate-224).
|
||||
8. **Terminal review hard-stop (#332)** — After a terminal live review mutation, only same-PR merge after `approve` may continue. Durable locks (#559) must not be deleted by hand.
|
||||
9. **Stale decision-lock cleanup (#594)** — `gitea_cleanup_stale_review_decision_lock` may clear a durable #332 lock **only** when the last terminal mutation's PR is live-state **merged or closed**, identity/profile gates pass, and apply uses a reviewer-capable profile. Open/ambiguous locks stay fail-closed. Successful cleanup records a durable audit trail.
|
||||
10. **Redaction** — Tokens, passwords, and keychain material never appear in tool output.
|
||||
11. **Wiki publication (#224)** — `docs/wiki/` and the sync helper are prerequisites only. Closing a wiki issue requires live Gitea Wiki proof on the repo Wiki tab. See [Runbooks](Runbooks.md#wiki-publication-readiness-gate-224).
|
||||
@@ -14,6 +14,7 @@ from typing import Any, Callable
|
||||
import branch_cleanup_guard
|
||||
import issue_acceptance_gate
|
||||
import issue_lock_provenance
|
||||
import merger_lease_adoption
|
||||
import reviewer_handoff_consistency
|
||||
import thread_state_ledger_validator
|
||||
from mcp_native_cleanup_proof import assess_mcp_native_cleanup_proof
|
||||
@@ -39,6 +40,7 @@ FINAL_REPORT_TASK_KINDS = frozenset({
|
||||
"issue_filing",
|
||||
"issue_selection",
|
||||
"inventory",
|
||||
"controller_close",
|
||||
})
|
||||
|
||||
_TASK_KIND_ALIASES = {
|
||||
@@ -50,6 +52,9 @@ _TASK_KIND_ALIASES = {
|
||||
"reconcile_already_landed": "reconcile_already_landed",
|
||||
"work-issue": "work_issue",
|
||||
"create_issue": "issue_filing",
|
||||
"close_issue": "controller_close",
|
||||
"close-issue": "controller_close",
|
||||
"controller-close": "controller_close",
|
||||
}
|
||||
|
||||
_HANDOFF_ROLE_BY_TASK = {
|
||||
@@ -61,6 +66,7 @@ _HANDOFF_ROLE_BY_TASK = {
|
||||
"issue_filing": "issue_filing",
|
||||
"issue_selection": None,
|
||||
"inventory": "inventory",
|
||||
"controller_close": None,
|
||||
}
|
||||
|
||||
_LEGACY_WORKSPACE_MUTATIONS_RE = re.compile(
|
||||
@@ -849,6 +855,27 @@ def _rule_reviewer_premerge_baseline_proof(report_text: str) -> list[dict[str, s
|
||||
)
|
||||
|
||||
|
||||
def _rule_reviewer_post_merge_validation(report_text: str) -> list[dict[str, str]]:
|
||||
"""Block active approval on an already-merged/closed PR, and post-merge moot
|
||||
validation claimed without merged-state + merge-commit proof (#529)."""
|
||||
from post_merge_validation import assess_post_merge_validation
|
||||
|
||||
result = assess_post_merge_validation(report_text)
|
||||
if not result.get("block"):
|
||||
return []
|
||||
return _findings_from_reasons(
|
||||
"reviewer.post_merge_validation",
|
||||
result.get("reasons") or [],
|
||||
field="Validation status",
|
||||
severity="block",
|
||||
safe_next_action=result.get("safe_next_action")
|
||||
or (
|
||||
"record post-merge moot validation instead of an active approval; "
|
||||
"cite PR state merged/closed and the merge commit SHA"
|
||||
),
|
||||
)
|
||||
|
||||
|
||||
def _rule_reviewer_validation_status_vocabulary(
|
||||
report_text: str,
|
||||
*,
|
||||
@@ -1263,6 +1290,24 @@ def _rule_shared_manual_lock_pr_override(report_text: str) -> list[dict[str, str
|
||||
)
|
||||
|
||||
|
||||
def _rule_shared_manual_lease_proof_handoff(report_text: str) -> list[dict[str, str]]:
|
||||
"""Block merge/review handoffs that claim unsafe lease seeding (#535)."""
|
||||
result = merger_lease_adoption.assess_manual_lease_proof_handoff(report_text)
|
||||
if result.get("proven"):
|
||||
return []
|
||||
return _findings_from_reasons(
|
||||
"shared.manual_lease_proof_handoff",
|
||||
result.get("reasons") or [],
|
||||
field="Merge mutations",
|
||||
severity="block",
|
||||
safe_next_action=(
|
||||
"use gitea_adopt_merger_pr_lease or gitea_acquire_reviewer_pr_lease; "
|
||||
"cite lease_proof_source / adoption_comment_id; never claim manual "
|
||||
"seeded/injected lease proof"
|
||||
),
|
||||
)
|
||||
|
||||
|
||||
def _rule_shared_issue_acceptance_gate(report_text: str) -> list[dict[str, str]]:
|
||||
result = issue_acceptance_gate.validate_final_report_issue_acceptance(report_text)
|
||||
if not result.get("applicable") or result.get("valid"):
|
||||
@@ -1459,6 +1504,7 @@ def _rule_shared_mcp_native_cleanup_proof(report_text: str) -> list[dict[str, st
|
||||
_SHARED_ISSUE_LOCK_RULES = (
|
||||
_rule_shared_issue_lock_external_state,
|
||||
_rule_shared_manual_lock_pr_override,
|
||||
_rule_shared_manual_lease_proof_handoff,
|
||||
_rule_shared_author_reviewer_same_run,
|
||||
_rule_shared_raw_branch_delete_bypass,
|
||||
_rule_shared_canonical_state_update,
|
||||
@@ -1494,6 +1540,7 @@ _RULES_BY_TASK: dict[str, list[Callable[..., list[dict[str, str]]]]] = {
|
||||
_rule_reviewer_linked_issue,
|
||||
_rule_reviewer_baseline_on_failure,
|
||||
_rule_reviewer_premerge_baseline_proof,
|
||||
_rule_reviewer_post_merge_validation,
|
||||
_rule_reviewer_validation_status_vocabulary,
|
||||
_rule_reviewer_main_checkout_baseline,
|
||||
_rule_reviewer_main_checkout_path,
|
||||
@@ -1586,6 +1633,13 @@ _RULES_BY_TASK: dict[str, list[Callable[..., list[dict[str, str]]]]] = {
|
||||
*_SHARED_CANONICAL_COMMENT_RULES,
|
||||
*_SHARED_ISSUE_LOCK_RULES,
|
||||
],
|
||||
# Controller issue closure (#529): a closure report must not bury an
|
||||
# unproven non-zero suite exit as an "expected pre-existing failure".
|
||||
# Kept intentionally narrow so a closure pre-check does not demand the
|
||||
# full reviewer/author handoff schema.
|
||||
"controller_close": [
|
||||
_rule_reviewer_premerge_baseline_proof,
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
|
||||
+3
-2
@@ -20,14 +20,15 @@ from dotenv import dotenv_values, load_dotenv
|
||||
|
||||
import gitea_config
|
||||
|
||||
PROJECT_ROOT = os.path.dirname(os.path.abspath(__file__))
|
||||
|
||||
# Load standard .env if present
|
||||
load_dotenv()
|
||||
load_dotenv(os.path.join(PROJECT_ROOT, ".env"))
|
||||
|
||||
# Dictionary to store configurations parsed dynamically from .env.* files
|
||||
DYNAMIC_CONFIGS = {}
|
||||
|
||||
# Scan all files starting with .env in the project root to load multiple configurations
|
||||
PROJECT_ROOT = os.path.dirname(os.path.abspath(__file__))
|
||||
for env_path in glob.glob(os.path.join(PROJECT_ROOT, ".env*")):
|
||||
# Skip directories and the example template
|
||||
if os.path.basename(env_path) == ".env.example":
|
||||
|
||||
+2447
-107
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,788 @@
|
||||
"""Observability incident bridge (#612).
|
||||
|
||||
Converts Sentry/GlitchTip **observations** into durable **Gitea issues** and
|
||||
``incident_links`` rows on the #613 control-plane DB.
|
||||
|
||||
Hard rules (ADR):
|
||||
* Gitea owns work; providers own incidents; the bridge only links them.
|
||||
* Raw monitoring incidents are **never** assignable ``work_items``.
|
||||
* The #600 allocator sees bridge work only as normal Gitea issues.
|
||||
* Phase-1 prefers dry-run / explicit reconcile; apply creates/links issues.
|
||||
* No tokens, DSNs, cookies, or other secrets in bodies, DB, or logs.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import json
|
||||
import os
|
||||
import re
|
||||
from dataclasses import dataclass, field
|
||||
from typing import Any, Callable, Sequence
|
||||
|
||||
from control_plane_db import ControlPlaneDB, ControlPlaneError, WORK_KINDS, _norm_scope
|
||||
|
||||
PROVIDERS = frozenset({"sentry", "glitchtip"})
|
||||
|
||||
OUTCOME_PREVIEW = "preview"
|
||||
OUTCOME_LINKED = "linked_existing"
|
||||
OUTCOME_CREATED = "created_issue"
|
||||
OUTCOME_UPDATED = "updated_link"
|
||||
OUTCOME_BLOCKED = "blocked"
|
||||
OUTCOME_NO_ACTION = "no_safe_action"
|
||||
|
||||
# Patterns scrubbed from any bridge-facing text (bodies, titles, tags, logs).
|
||||
_SECRET_PATTERNS: tuple[re.Pattern[str], ...] = (
|
||||
re.compile(
|
||||
r"(?i)\b(api[_-]?token|token|secret|password|passwd)\s*[:=]\s*\S+"
|
||||
),
|
||||
re.compile(
|
||||
r"(?i)\bAuthorization\s*[:=]\s*(?:Bearer\s+)?[A-Za-z0-9._\-+=/]{8,}"
|
||||
),
|
||||
re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._\-]{8,}"),
|
||||
re.compile(r"(?i)\bBasic\s+[A-Za-z0-9+/=]{8,}"),
|
||||
re.compile(r"(?i)\b(dsn|sentry_dsn|glitchtip_dsn)\s*[:=]\s*\S+"),
|
||||
re.compile(r"https?://[^/\s]+:[^@/\s]+@"), # user:pass@host
|
||||
re.compile(r"(?i)\b(keychain[_-]?id|private[_-]?key)\s*[:=]\s*\S+"),
|
||||
re.compile(r"(?i)cookie\s*[:=]\s*[^\s;]+"),
|
||||
re.compile(r"(?i)\bsession[_-]?id\s*[:=]\s*\S+"),
|
||||
)
|
||||
|
||||
_SENSITIVE_TAG_KEYS = frozenset(
|
||||
{
|
||||
"authorization",
|
||||
"cookie",
|
||||
"set-cookie",
|
||||
"password",
|
||||
"passwd",
|
||||
"secret",
|
||||
"token",
|
||||
"api_key",
|
||||
"apikey",
|
||||
"dsn",
|
||||
"sentry_dsn",
|
||||
"access_token",
|
||||
"refresh_token",
|
||||
}
|
||||
)
|
||||
|
||||
DEFAULT_LABELS = (
|
||||
"type:bug",
|
||||
"observability",
|
||||
"status:ready",
|
||||
)
|
||||
|
||||
|
||||
@dataclass(frozen=True)
|
||||
class ProjectMapping:
|
||||
"""Maps a monitoring project to a Gitea repository."""
|
||||
|
||||
name: str
|
||||
provider: str
|
||||
monitor_base_url: str
|
||||
monitor_org: str
|
||||
monitor_project: str
|
||||
gitea_org: str
|
||||
gitea_repo: str
|
||||
default_labels: tuple[str, ...] = DEFAULT_LABELS
|
||||
environment_filters: tuple[str, ...] = ()
|
||||
severity_threshold: str | None = None
|
||||
|
||||
def __post_init__(self) -> None:
|
||||
prov = (self.provider or "").strip().lower()
|
||||
if prov not in PROVIDERS:
|
||||
raise ControlPlaneError(
|
||||
f"unknown provider '{self.provider}'; expected one of {sorted(PROVIDERS)}"
|
||||
)
|
||||
object.__setattr__(self, "provider", prov)
|
||||
object.__setattr__(self, "monitor_base_url", (self.monitor_base_url or "").rstrip("/"))
|
||||
object.__setattr__(self, "monitor_org", (self.monitor_org or "").strip())
|
||||
object.__setattr__(self, "monitor_project", (self.monitor_project or "").strip())
|
||||
object.__setattr__(self, "gitea_org", (self.gitea_org or "").strip())
|
||||
object.__setattr__(self, "gitea_repo", (self.gitea_repo or "").strip())
|
||||
object.__setattr__(
|
||||
self,
|
||||
"default_labels",
|
||||
tuple(str(x).strip() for x in (self.default_labels or DEFAULT_LABELS) if str(x).strip()),
|
||||
)
|
||||
|
||||
def as_dict(self) -> dict[str, Any]:
|
||||
return {
|
||||
"name": self.name,
|
||||
"provider": self.provider,
|
||||
"monitor_base_url": self.monitor_base_url,
|
||||
"monitor_org": self.monitor_org,
|
||||
"monitor_project": self.monitor_project,
|
||||
"gitea_org": self.gitea_org,
|
||||
"gitea_repo": self.gitea_repo,
|
||||
"default_labels": list(self.default_labels),
|
||||
"environment_filters": list(self.environment_filters),
|
||||
"severity_threshold": self.severity_threshold,
|
||||
}
|
||||
|
||||
def matches_observation(self, obs: dict[str, Any]) -> bool:
|
||||
if (obs.get("provider") or "").strip().lower() != self.provider:
|
||||
return False
|
||||
base = (obs.get("provider_base_url") or obs.get("monitor_base_url") or "").rstrip("/")
|
||||
if base and self.monitor_base_url and base != self.monitor_base_url:
|
||||
return False
|
||||
org = (obs.get("provider_org") or obs.get("monitor_org") or "").strip()
|
||||
if org and self.monitor_org and org != self.monitor_org:
|
||||
return False
|
||||
project = (obs.get("provider_project") or obs.get("monitor_project") or "").strip()
|
||||
if project and self.monitor_project and project != self.monitor_project:
|
||||
return False
|
||||
return True
|
||||
|
||||
|
||||
@dataclass
|
||||
class NormalizedIncident:
|
||||
provider: str
|
||||
provider_base_url: str
|
||||
provider_org: str
|
||||
provider_project: str
|
||||
provider_issue_id: str
|
||||
provider_short_id: str | None = None
|
||||
provider_permalink: str | None = None
|
||||
fingerprint: str | None = None
|
||||
first_seen: str | None = None
|
||||
last_seen: str | None = None
|
||||
event_count: int | None = None
|
||||
status: str = "open"
|
||||
environment: str | None = None
|
||||
severity: str | None = None
|
||||
culprit: str | None = None
|
||||
title: str = ""
|
||||
summary: str = ""
|
||||
tags: dict[str, str] = field(default_factory=dict)
|
||||
gitea_org: str = ""
|
||||
gitea_repo: str = ""
|
||||
default_labels: tuple[str, ...] = DEFAULT_LABELS
|
||||
|
||||
def provider_key(self) -> tuple[str, str, str, str, str]:
|
||||
return (
|
||||
self.provider,
|
||||
_norm_scope(self.provider_base_url),
|
||||
_norm_scope(self.provider_org),
|
||||
_norm_scope(self.provider_project),
|
||||
str(self.provider_issue_id),
|
||||
)
|
||||
|
||||
def as_dict(self) -> dict[str, Any]:
|
||||
return {
|
||||
"provider": self.provider,
|
||||
"provider_base_url": self.provider_base_url,
|
||||
"provider_org": self.provider_org,
|
||||
"provider_project": self.provider_project,
|
||||
"provider_issue_id": self.provider_issue_id,
|
||||
"provider_short_id": self.provider_short_id,
|
||||
"provider_permalink": self.provider_permalink,
|
||||
"fingerprint": self.fingerprint,
|
||||
"first_seen": self.first_seen,
|
||||
"last_seen": self.last_seen,
|
||||
"event_count": self.event_count,
|
||||
"status": self.status,
|
||||
"environment": self.environment,
|
||||
"severity": self.severity,
|
||||
"culprit": self.culprit,
|
||||
"title": self.title,
|
||||
"summary": self.summary,
|
||||
"tags": dict(self.tags),
|
||||
"gitea_org": self.gitea_org,
|
||||
"gitea_repo": self.gitea_repo,
|
||||
"default_labels": list(self.default_labels),
|
||||
}
|
||||
|
||||
|
||||
def redact_text(value: Any) -> str:
|
||||
"""Redact secret-like material from a string (fail closed to empty)."""
|
||||
if value is None:
|
||||
return ""
|
||||
text = str(value)
|
||||
for pat in _SECRET_PATTERNS:
|
||||
text = pat.sub("[REDACTED]", text)
|
||||
return text
|
||||
|
||||
|
||||
def sanitize_tags(tags: Any) -> dict[str, str]:
|
||||
if not isinstance(tags, dict):
|
||||
return {}
|
||||
out: dict[str, str] = {}
|
||||
for k, v in tags.items():
|
||||
key = str(k).strip().lower()
|
||||
if not key or key in _SENSITIVE_TAG_KEYS:
|
||||
continue
|
||||
if any(s in key for s in ("token", "secret", "password", "cookie", "auth", "dsn")):
|
||||
continue
|
||||
val = redact_text(v)
|
||||
if "[REDACTED]" in val:
|
||||
continue
|
||||
if len(val) > 200:
|
||||
val = val[:200] + "…"
|
||||
out[key] = val
|
||||
return out
|
||||
|
||||
|
||||
def project_mapping_from_dict(data: dict[str, Any]) -> ProjectMapping:
|
||||
labels = data.get("default_labels") or DEFAULT_LABELS
|
||||
envs = data.get("environment_filters") or ()
|
||||
return ProjectMapping(
|
||||
name=str(data.get("name") or data.get("monitor_project") or "unnamed"),
|
||||
provider=str(data.get("provider") or ""),
|
||||
monitor_base_url=str(data.get("monitor_base_url") or data.get("provider_base_url") or ""),
|
||||
monitor_org=str(data.get("monitor_org") or data.get("provider_org") or ""),
|
||||
monitor_project=str(data.get("monitor_project") or data.get("provider_project") or ""),
|
||||
gitea_org=str(data.get("gitea_org") or ""),
|
||||
gitea_repo=str(data.get("gitea_repo") or ""),
|
||||
default_labels=tuple(labels),
|
||||
environment_filters=tuple(envs),
|
||||
severity_threshold=data.get("severity_threshold"),
|
||||
)
|
||||
|
||||
|
||||
def load_project_mappings(
|
||||
*,
|
||||
config_path: str | None = None,
|
||||
mappings_json: str | None = None,
|
||||
) -> list[ProjectMapping]:
|
||||
"""Load project mappings from JSON env, file, or explicit JSON string.
|
||||
|
||||
Env: ``GITEA_OBSERVABILITY_PROJECTS_JSON`` or path
|
||||
``GITEA_OBSERVABILITY_PROJECTS_FILE``.
|
||||
"""
|
||||
raw: Any = None
|
||||
if mappings_json:
|
||||
raw = json.loads(mappings_json)
|
||||
else:
|
||||
env_json = (os.environ.get("GITEA_OBSERVABILITY_PROJECTS_JSON") or "").strip()
|
||||
path = (
|
||||
(config_path or "").strip()
|
||||
or (os.environ.get("GITEA_OBSERVABILITY_PROJECTS_FILE") or "").strip()
|
||||
)
|
||||
if env_json:
|
||||
raw = json.loads(env_json)
|
||||
elif path and os.path.isfile(path):
|
||||
with open(path, encoding="utf-8") as fh:
|
||||
raw = json.load(fh)
|
||||
if raw is None:
|
||||
return []
|
||||
if isinstance(raw, dict) and "projects" in raw:
|
||||
raw = raw["projects"]
|
||||
if not isinstance(raw, list):
|
||||
raise ControlPlaneError("observability project mappings must be a list")
|
||||
return [project_mapping_from_dict(item) for item in raw if isinstance(item, dict)]
|
||||
|
||||
|
||||
def resolve_mapping(
|
||||
observation: dict[str, Any],
|
||||
mappings: Sequence[ProjectMapping],
|
||||
*,
|
||||
explicit: ProjectMapping | None = None,
|
||||
) -> ProjectMapping | None:
|
||||
if explicit is not None:
|
||||
return explicit
|
||||
matches = [m for m in mappings if m.matches_observation(observation)]
|
||||
if len(matches) == 1:
|
||||
return matches[0]
|
||||
if len(matches) > 1:
|
||||
raise ControlPlaneError(
|
||||
"ambiguous project mapping for observation: "
|
||||
+ ", ".join(m.name for m in matches)
|
||||
+ " (fail closed, #612)"
|
||||
)
|
||||
# Fallback: observation itself may carry gitea targets
|
||||
g_org = (observation.get("gitea_org") or "").strip()
|
||||
g_repo = (observation.get("gitea_repo") or "").strip()
|
||||
provider = (observation.get("provider") or "").strip().lower()
|
||||
if g_org and g_repo and provider in PROVIDERS:
|
||||
return ProjectMapping(
|
||||
name=f"inline-{provider}",
|
||||
provider=provider,
|
||||
monitor_base_url=str(
|
||||
observation.get("provider_base_url")
|
||||
or observation.get("monitor_base_url")
|
||||
or ""
|
||||
),
|
||||
monitor_org=str(
|
||||
observation.get("provider_org") or observation.get("monitor_org") or ""
|
||||
),
|
||||
monitor_project=str(
|
||||
observation.get("provider_project")
|
||||
or observation.get("monitor_project")
|
||||
or ""
|
||||
),
|
||||
gitea_org=g_org,
|
||||
gitea_repo=g_repo,
|
||||
default_labels=tuple(observation.get("default_labels") or DEFAULT_LABELS),
|
||||
)
|
||||
return None
|
||||
|
||||
|
||||
def normalize_incident(
|
||||
observation: dict[str, Any],
|
||||
mapping: ProjectMapping,
|
||||
) -> NormalizedIncident:
|
||||
"""Normalize + sanitize a raw provider observation (fail closed)."""
|
||||
if not isinstance(observation, dict):
|
||||
raise ControlPlaneError("observation must be a dict (fail closed, #612)")
|
||||
|
||||
provider = (observation.get("provider") or mapping.provider or "").strip().lower()
|
||||
if provider not in PROVIDERS:
|
||||
raise ControlPlaneError(
|
||||
f"unknown provider '{provider}'; expected {sorted(PROVIDERS)} (fail closed)"
|
||||
)
|
||||
if provider != mapping.provider:
|
||||
raise ControlPlaneError(
|
||||
f"observation provider '{provider}' does not match mapping "
|
||||
f"'{mapping.provider}' (fail closed, #612)"
|
||||
)
|
||||
|
||||
issue_id = observation.get("provider_issue_id") or observation.get("id")
|
||||
if issue_id is None or str(issue_id).strip() == "":
|
||||
raise ControlPlaneError(
|
||||
"observation missing provider_issue_id (fail closed, #612)"
|
||||
)
|
||||
|
||||
base = (
|
||||
observation.get("provider_base_url")
|
||||
or observation.get("monitor_base_url")
|
||||
or mapping.monitor_base_url
|
||||
or ""
|
||||
)
|
||||
org = (
|
||||
observation.get("provider_org")
|
||||
or observation.get("monitor_org")
|
||||
or mapping.monitor_org
|
||||
or ""
|
||||
)
|
||||
project = (
|
||||
observation.get("provider_project")
|
||||
or observation.get("monitor_project")
|
||||
or mapping.monitor_project
|
||||
or ""
|
||||
)
|
||||
|
||||
title = redact_text(
|
||||
observation.get("title")
|
||||
or observation.get("culprit")
|
||||
or f"{provider} incident {issue_id}"
|
||||
)
|
||||
meta = observation.get("metadata")
|
||||
meta_value = meta.get("value") if isinstance(meta, dict) else None
|
||||
raw_sum = (
|
||||
observation.get("summary")
|
||||
or observation.get("message")
|
||||
or meta_value
|
||||
or title
|
||||
)
|
||||
summary = redact_text(raw_sum)
|
||||
|
||||
permalink = observation.get("provider_permalink") or observation.get("permalink")
|
||||
if permalink:
|
||||
permalink = redact_text(permalink)
|
||||
if "[REDACTED]" in permalink:
|
||||
permalink = None
|
||||
|
||||
tags = sanitize_tags(observation.get("tags") or {})
|
||||
event_count = observation.get("event_count") or observation.get("count")
|
||||
try:
|
||||
event_count_i = int(event_count) if event_count is not None else None
|
||||
except (TypeError, ValueError):
|
||||
event_count_i = None
|
||||
|
||||
return NormalizedIncident(
|
||||
provider=provider,
|
||||
provider_base_url=str(base).rstrip("/"),
|
||||
provider_org=str(org).strip(),
|
||||
provider_project=str(project).strip(),
|
||||
provider_issue_id=str(issue_id).strip(),
|
||||
provider_short_id=redact_text(observation.get("provider_short_id") or observation.get("shortId") or "")
|
||||
or None,
|
||||
provider_permalink=permalink,
|
||||
fingerprint=redact_text(observation.get("fingerprint") or "") or None,
|
||||
first_seen=str(observation.get("first_seen") or observation.get("firstSeen") or "")
|
||||
or None,
|
||||
last_seen=str(observation.get("last_seen") or observation.get("lastSeen") or "")
|
||||
or None,
|
||||
event_count=event_count_i,
|
||||
status=str(observation.get("status") or "open").strip().lower() or "open",
|
||||
environment=redact_text(observation.get("environment") or "") or None,
|
||||
severity=redact_text(observation.get("severity") or observation.get("level") or "")
|
||||
or None,
|
||||
culprit=redact_text(observation.get("culprit") or "") or None,
|
||||
title=title[:200],
|
||||
summary=summary[:2000],
|
||||
tags=tags,
|
||||
gitea_org=mapping.gitea_org,
|
||||
gitea_repo=mapping.gitea_repo,
|
||||
default_labels=mapping.default_labels,
|
||||
)
|
||||
|
||||
|
||||
def build_gitea_issue_title(inc: NormalizedIncident) -> str:
|
||||
env = f" [{inc.environment}]" if inc.environment else ""
|
||||
sev = f" ({inc.severity})" if inc.severity else ""
|
||||
return redact_text(f"[obs:{inc.provider}]{env}{sev} {inc.title}")[:180]
|
||||
|
||||
|
||||
def build_gitea_issue_body(inc: NormalizedIncident) -> str:
|
||||
"""Sanitized durable issue body (no secrets)."""
|
||||
lines = [
|
||||
"## Observability incident (bridge #612)",
|
||||
"",
|
||||
"<!-- mcp-incident-bridge:v1 -->",
|
||||
f"<!-- provider={inc.provider} issue_id={inc.provider_issue_id} -->",
|
||||
"",
|
||||
f"- **provider:** `{inc.provider}`",
|
||||
f"- **provider_issue_id:** `{inc.provider_issue_id}`",
|
||||
]
|
||||
if inc.provider_short_id:
|
||||
lines.append(f"- **provider_short_id:** `{inc.provider_short_id}`")
|
||||
if inc.provider_permalink:
|
||||
lines.append(f"- **provider_url:** {inc.provider_permalink}")
|
||||
lines.extend(
|
||||
[
|
||||
f"- **provider_org/project:** `{inc.provider_org}` / `{inc.provider_project}`",
|
||||
f"- **base_url:** `{inc.provider_base_url}`",
|
||||
f"- **fingerprint:** `{inc.fingerprint or ''}`",
|
||||
f"- **first_seen:** `{inc.first_seen or ''}`",
|
||||
f"- **last_seen:** `{inc.last_seen or ''}`",
|
||||
f"- **event_count:** `{inc.event_count if inc.event_count is not None else ''}`",
|
||||
f"- **environment:** `{inc.environment or ''}`",
|
||||
f"- **severity:** `{inc.severity or ''}`",
|
||||
f"- **culprit:** `{inc.culprit or ''}`",
|
||||
f"- **status:** `{inc.status}`",
|
||||
"",
|
||||
"### Summary",
|
||||
"",
|
||||
redact_text(inc.summary) or "(no summary)",
|
||||
"",
|
||||
"### Safe tags",
|
||||
"",
|
||||
]
|
||||
)
|
||||
if inc.tags:
|
||||
for k, v in sorted(inc.tags.items()):
|
||||
lines.append(f"- `{k}`: `{v}`")
|
||||
else:
|
||||
lines.append("- (none)")
|
||||
lines.extend(
|
||||
[
|
||||
"",
|
||||
"### Canonical next action",
|
||||
"",
|
||||
"Author: investigate and fix under normal Gitea workflow. "
|
||||
"Allocator may select this issue as ordinary Gitea work "
|
||||
"(never as a raw provider incident).",
|
||||
"",
|
||||
"### Bridge notes",
|
||||
"",
|
||||
"- Raw Sentry/GlitchTip incidents are **not** assignable work items.",
|
||||
"- Gitea remains the durable work record; DB stores `incident_links` only.",
|
||||
"- Provider tokens must never appear in this issue.",
|
||||
]
|
||||
)
|
||||
return "\n".join(lines)
|
||||
|
||||
|
||||
def _link_conflict(existing: dict[str, Any], inc: NormalizedIncident) -> str | None:
|
||||
"""Fail closed if existing link targets a different Gitea issue/repo."""
|
||||
eg_org = str(existing.get("gitea_org") or "")
|
||||
eg_repo = str(existing.get("gitea_repo") or "")
|
||||
eg_num = existing.get("gitea_issue_number")
|
||||
if eg_org and eg_org != inc.gitea_org:
|
||||
return (
|
||||
f"existing link points to org '{eg_org}', mapping wants "
|
||||
f"'{inc.gitea_org}' (fail closed, #612)"
|
||||
)
|
||||
if eg_repo and eg_repo != inc.gitea_repo:
|
||||
return (
|
||||
f"existing link points to repo '{eg_repo}', mapping wants "
|
||||
f"'{inc.gitea_repo}' (fail closed, #612)"
|
||||
)
|
||||
# fingerprint conflict when both present and disagree
|
||||
ef = (existing.get("fingerprint") or "").strip()
|
||||
nf = (inc.fingerprint or "").strip()
|
||||
if ef and nf and ef != nf:
|
||||
# Same provider issue id with different fingerprints is ambiguous.
|
||||
return (
|
||||
f"fingerprint conflict for provider issue {inc.provider_issue_id}: "
|
||||
f"link has '{ef}', observation has '{nf}' (fail closed, #612)"
|
||||
)
|
||||
return None
|
||||
|
||||
|
||||
CreateIssueFn = Callable[[str, str, list[str], str, str], dict[str, Any]]
|
||||
# create_issue_fn(title, body, labels, gitea_org, gitea_repo) -> {"number": int, ...}
|
||||
|
||||
|
||||
def reconcile_incident(
|
||||
db: ControlPlaneDB | None,
|
||||
*,
|
||||
observation: dict[str, Any],
|
||||
mappings: Sequence[ProjectMapping] | None = None,
|
||||
mapping: ProjectMapping | None = None,
|
||||
apply: bool = False,
|
||||
create_issue_fn: CreateIssueFn | None = None,
|
||||
force_gitea_issue_number: int | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Reconcile one observation into incident_links + optional Gitea issue.
|
||||
|
||||
*apply=False* (default): preview only — no DB mutation, no Gitea mutation.
|
||||
*apply=True*: upsert link; create Gitea issue when none linked (requires
|
||||
``create_issue_fn``) or use ``force_gitea_issue_number`` for explicit link.
|
||||
|
||||
Never creates control-plane ``work_items`` for raw incidents.
|
||||
"""
|
||||
base: dict[str, Any] = {
|
||||
"success": False,
|
||||
"apply": bool(apply),
|
||||
"outcome": OUTCOME_NO_ACTION,
|
||||
"performed": False,
|
||||
"gitea_mutated": False,
|
||||
"db_mutated": False,
|
||||
"raw_incident_assignable": False,
|
||||
"work_item_kind_would_be": None,
|
||||
"reasons": [],
|
||||
"skipped": None,
|
||||
"incident": None,
|
||||
"existing_link": None,
|
||||
"gitea_issue": None,
|
||||
"action": None,
|
||||
"mapping": None,
|
||||
"substrate": "control_plane_db.incident_links",
|
||||
"durable_work_system": "gitea_issues",
|
||||
}
|
||||
|
||||
if db is None:
|
||||
base["reasons"] = [
|
||||
"control-plane DB substrate unavailable (fail closed, #613/#612)"
|
||||
]
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
return base
|
||||
|
||||
try:
|
||||
maps = list(mappings or [])
|
||||
resolved = resolve_mapping(observation, maps, explicit=mapping)
|
||||
if resolved is None:
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [
|
||||
"no project mapping for observation (fail closed, #612); "
|
||||
"configure GITEA_OBSERVABILITY_PROJECTS_JSON or pass mapping"
|
||||
]
|
||||
return base
|
||||
base["mapping"] = resolved.as_dict()
|
||||
inc = normalize_incident(observation, resolved)
|
||||
base["incident"] = inc.as_dict()
|
||||
except (ControlPlaneError, json.JSONDecodeError, TypeError, ValueError) as exc:
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [str(exc)]
|
||||
return base
|
||||
|
||||
# Environment filter (optional)
|
||||
if resolved.environment_filters and inc.environment:
|
||||
allowed = {e.lower() for e in resolved.environment_filters}
|
||||
if inc.environment.lower() not in allowed:
|
||||
base["outcome"] = OUTCOME_NO_ACTION
|
||||
base["reasons"] = [
|
||||
f"environment '{inc.environment}' not in filters "
|
||||
f"{sorted(allowed)}; skip (policy)"
|
||||
]
|
||||
base["success"] = True
|
||||
base["action"] = "skip_environment_filter"
|
||||
return base
|
||||
|
||||
existing = db.get_incident_link_by_provider(
|
||||
provider=inc.provider,
|
||||
provider_issue_id=inc.provider_issue_id,
|
||||
provider_base_url=inc.provider_base_url,
|
||||
provider_org=inc.provider_org,
|
||||
provider_project=inc.provider_project,
|
||||
)
|
||||
base["existing_link"] = existing
|
||||
|
||||
if existing:
|
||||
conflict = _link_conflict(existing, inc)
|
||||
if conflict:
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [conflict]
|
||||
return base
|
||||
|
||||
title = build_gitea_issue_title(inc)
|
||||
body = build_gitea_issue_body(inc)
|
||||
labels = list(inc.default_labels)
|
||||
if inc.provider and f"{inc.provider}" not in labels:
|
||||
labels.append(inc.provider)
|
||||
if "observability" not in labels:
|
||||
labels.append("observability")
|
||||
|
||||
preview_issue = {
|
||||
"title": title,
|
||||
"body_preview": body[:500] + ("…" if len(body) > 500 else ""),
|
||||
"labels": labels,
|
||||
"gitea_org": inc.gitea_org,
|
||||
"gitea_repo": inc.gitea_repo,
|
||||
"would_create": existing is None and force_gitea_issue_number is None,
|
||||
"would_reuse_issue": int(existing["gitea_issue_number"])
|
||||
if existing
|
||||
else force_gitea_issue_number,
|
||||
}
|
||||
base["gitea_issue_preview"] = preview_issue
|
||||
|
||||
if not apply:
|
||||
base["success"] = True
|
||||
base["outcome"] = OUTCOME_PREVIEW
|
||||
base["action"] = (
|
||||
"preview_reuse_link" if existing else "preview_create_issue"
|
||||
)
|
||||
base["reasons"] = [
|
||||
"dry-run only (apply=false); no Gitea mutation and no DB write — "
|
||||
"call again with apply=true to create/link"
|
||||
]
|
||||
if existing:
|
||||
base["gitea_issue"] = {
|
||||
"number": existing.get("gitea_issue_number"),
|
||||
"org": existing.get("gitea_org"),
|
||||
"repo": existing.get("gitea_repo"),
|
||||
}
|
||||
# Prove we never treat this as work_item kind incident
|
||||
base["raw_incident_assignable"] = False
|
||||
base["work_item_kind_would_be"] = "issue" # only after Gitea issue exists
|
||||
return base
|
||||
|
||||
# --- apply path ---
|
||||
issue_number: int | None = None
|
||||
created = False
|
||||
if existing:
|
||||
issue_number = int(existing["gitea_issue_number"])
|
||||
action = "updated_existing_link"
|
||||
outcome = OUTCOME_UPDATED
|
||||
elif force_gitea_issue_number is not None:
|
||||
issue_number = int(force_gitea_issue_number)
|
||||
action = "link_explicit_issue"
|
||||
outcome = OUTCOME_LINKED
|
||||
else:
|
||||
if create_issue_fn is None:
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [
|
||||
"apply=true requires create_issue_fn when no existing link "
|
||||
"(fail closed, #612)"
|
||||
]
|
||||
return base
|
||||
try:
|
||||
created_res = create_issue_fn(
|
||||
title, body, labels, inc.gitea_org, inc.gitea_repo
|
||||
)
|
||||
except Exception as exc: # noqa: BLE001
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [
|
||||
f"Gitea issue creation failed: {redact_text(exc)} (fail closed)"
|
||||
]
|
||||
return base
|
||||
number = created_res.get("number") if isinstance(created_res, dict) else None
|
||||
if number is None:
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [
|
||||
"Gitea issue creation returned no issue number (fail closed, #612)"
|
||||
]
|
||||
base["create_result"] = created_res
|
||||
return base
|
||||
issue_number = int(number)
|
||||
created = True
|
||||
action = "created_gitea_issue"
|
||||
outcome = OUTCOME_CREATED
|
||||
base["gitea_mutated"] = True
|
||||
base["create_result"] = {
|
||||
k: created_res.get(k)
|
||||
for k in ("number", "success", "performed", "reasons")
|
||||
if isinstance(created_res, dict)
|
||||
}
|
||||
|
||||
assert issue_number is not None
|
||||
try:
|
||||
link = db.upsert_incident_link(
|
||||
provider=inc.provider,
|
||||
provider_issue_id=inc.provider_issue_id,
|
||||
gitea_org=inc.gitea_org,
|
||||
gitea_repo=inc.gitea_repo,
|
||||
gitea_issue_number=issue_number,
|
||||
provider_base_url=inc.provider_base_url,
|
||||
provider_org=inc.provider_org,
|
||||
provider_project=inc.provider_project,
|
||||
provider_short_id=inc.provider_short_id,
|
||||
provider_permalink=inc.provider_permalink,
|
||||
fingerprint=inc.fingerprint,
|
||||
first_seen=inc.first_seen,
|
||||
last_seen=inc.last_seen,
|
||||
event_count=inc.event_count,
|
||||
status=inc.status if not created else "open",
|
||||
)
|
||||
except Exception as exc: # noqa: BLE001
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [
|
||||
f"incident_links upsert failed: {redact_text(exc)} (fail closed, #613)"
|
||||
]
|
||||
base["gitea_issue"] = {
|
||||
"number": issue_number,
|
||||
"org": inc.gitea_org,
|
||||
"repo": inc.gitea_repo,
|
||||
"created": created,
|
||||
}
|
||||
return base
|
||||
|
||||
base["success"] = True
|
||||
base["performed"] = True
|
||||
base["db_mutated"] = True
|
||||
base["outcome"] = outcome
|
||||
base["action"] = action
|
||||
base["gitea_issue"] = {
|
||||
"number": issue_number,
|
||||
"org": inc.gitea_org,
|
||||
"repo": inc.gitea_repo,
|
||||
"created": created,
|
||||
}
|
||||
base["link"] = {
|
||||
k: link.get(k)
|
||||
for k in (
|
||||
"link_id",
|
||||
"provider",
|
||||
"provider_issue_id",
|
||||
"gitea_org",
|
||||
"gitea_repo",
|
||||
"gitea_issue_number",
|
||||
"fingerprint",
|
||||
"event_count",
|
||||
"status",
|
||||
"last_sync_at",
|
||||
)
|
||||
}
|
||||
base["reasons"] = [
|
||||
(
|
||||
f"reused Gitea issue #{issue_number} for provider "
|
||||
f"{inc.provider}:{inc.provider_issue_id}"
|
||||
if not created
|
||||
else f"created Gitea issue #{issue_number} and stored incident_links row"
|
||||
),
|
||||
"raw provider incident is not an assignable work_item "
|
||||
f"(WORK_KINDS={sorted(WORK_KINDS)})",
|
||||
]
|
||||
base["raw_incident_assignable"] = False
|
||||
base["work_item_kind_would_be"] = "issue"
|
||||
base["allocator_visible_as"] = {
|
||||
"kind": "issue",
|
||||
"number": issue_number,
|
||||
"org": inc.gitea_org,
|
||||
"repo": inc.gitea_repo,
|
||||
"note": "allocator selects normal Gitea issues only (#600/#612)",
|
||||
}
|
||||
return base
|
||||
|
||||
|
||||
def assert_not_raw_incident_work_item(kind: str) -> None:
|
||||
"""Guard used by tests / callers: incidents must not enter WORK_KINDS."""
|
||||
k = (kind or "").strip().lower()
|
||||
if k not in WORK_KINDS:
|
||||
if k in ("sentry_incident", "glitchtip_incident", "incident", "observation"):
|
||||
raise ControlPlaneError(
|
||||
f"kind '{k}' is not assignable; bridge must create Gitea issues first (#612)"
|
||||
)
|
||||
raise ControlPlaneError(f"kind '{k}' is not assignable")
|
||||
@@ -0,0 +1,180 @@
|
||||
"""Pre-create issue content gate (#582).
|
||||
|
||||
Blocks issue creation when the title/body is a *vague reference* to
|
||||
out-of-band content the LLM cannot prove it has ("the drafted issue",
|
||||
"the prepared issue", "the issue we discussed", "the previous draft")
|
||||
with no durable source pointer.
|
||||
|
||||
The rule from #582: an LLM must not fabricate an issue from stale chat
|
||||
memory. When the requested issue content is a vague reference and no
|
||||
durable source pointer (existing issue/PR/comment, checked-in file, URL,
|
||||
or scratchpad path) is present, the gate fails closed and the caller must
|
||||
return BLOCKED + DIAGNOSE naming the exact vague/missing fields.
|
||||
|
||||
This gate intentionally does NOT require a non-empty body: title-only
|
||||
issue creation remains allowed for callers that explicitly want it. It
|
||||
only blocks content that is a placeholder reference to something the
|
||||
current context does not contain.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import re
|
||||
import unicodedata
|
||||
|
||||
# Vague reference phrases that point at out-of-band draft content. Stored
|
||||
# normalized (lowercase, punctuation-stripped, whitespace-collapsed) so they
|
||||
# can be matched against normalized field text.
|
||||
VAGUE_REFERENCE_PHRASES: tuple[str, ...] = (
|
||||
"the drafted issue",
|
||||
"drafted issue",
|
||||
"the prepared issue",
|
||||
"prepared issue",
|
||||
"the issue we discussed",
|
||||
"the issue we talked about",
|
||||
"the one we discussed",
|
||||
"the previous draft",
|
||||
"previous draft",
|
||||
"the draft above",
|
||||
"the issue above",
|
||||
"as discussed",
|
||||
"as we discussed",
|
||||
"as previously discussed",
|
||||
"per our discussion",
|
||||
"per our conversation",
|
||||
"per our chat",
|
||||
"see above",
|
||||
"same as before",
|
||||
"the issue from earlier",
|
||||
"the issue i drafted",
|
||||
"the issue you drafted",
|
||||
)
|
||||
|
||||
# A field that only restates a vague phrase (optionally with a leading verb
|
||||
# such as "create"/"add"/"open"/"file") is still a vague reference.
|
||||
_LEADING_VERBS = ("create", "add", "open", "file", "make", "please", "the")
|
||||
|
||||
# Durable source pointers: if any of these appears, the content points at a
|
||||
# retrievable source of truth and is NOT treated as a fabricated reference.
|
||||
_DURABLE_SOURCE_REGEXES: tuple[re.Pattern[str], ...] = (
|
||||
re.compile(r"#\d+"), # #402
|
||||
re.compile(r"\b(?:issue|pull|pr)\s+#?\d+", re.I), # issue 402 / PR #17
|
||||
re.compile(r"\bcomment\s+#?\d+", re.I), # comment 8155
|
||||
re.compile(r"https?://\S+", re.I), # URL
|
||||
re.compile( # checked-in file
|
||||
r"[\w./-]+\.(?:py|md|json|txt|sh|ya?ml|toml|cfg|ini|rst)\b", re.I
|
||||
),
|
||||
re.compile(r"\bscratchpad\b", re.I), # scratchpad path
|
||||
re.compile(r"(?:^|\s)/[\w./-]+"), # absolute path
|
||||
)
|
||||
|
||||
|
||||
def normalize_text(text: str) -> str:
|
||||
"""Lowercase, punctuation-stripped, whitespace-collapsed text."""
|
||||
norm = unicodedata.normalize("NFKC", (text or "").strip().lower())
|
||||
norm = re.sub(r"[^\w\s]", " ", norm)
|
||||
norm = re.sub(r"\s+", " ", norm).strip()
|
||||
return norm
|
||||
|
||||
|
||||
def has_durable_source_pointer(text: str) -> bool:
|
||||
"""True when the raw text references a durable, retrievable source."""
|
||||
raw = text or ""
|
||||
return any(rx.search(raw) for rx in _DURABLE_SOURCE_REGEXES)
|
||||
|
||||
|
||||
def find_vague_reference(text: str) -> str | None:
|
||||
"""Return the vague phrase a field is dominated by, else ``None``.
|
||||
|
||||
A field is a vague reference only when it contains a known vague phrase,
|
||||
carries no durable source pointer, and the phrase dominates the field
|
||||
(the field is essentially just the phrase). Long, specific bodies that
|
||||
merely contain "as discussed" in passing are not blocked.
|
||||
"""
|
||||
if has_durable_source_pointer(text):
|
||||
return None
|
||||
norm = normalize_text(text)
|
||||
if not norm:
|
||||
return None
|
||||
stripped = norm
|
||||
for verb in _LEADING_VERBS:
|
||||
if stripped.startswith(verb + " "):
|
||||
stripped = stripped[len(verb) + 1:]
|
||||
for phrase in VAGUE_REFERENCE_PHRASES:
|
||||
if phrase in norm and len(stripped) <= len(phrase) + 12:
|
||||
return phrase
|
||||
return None
|
||||
|
||||
|
||||
def assess_issue_content(
|
||||
title: str,
|
||||
body: str = "",
|
||||
*,
|
||||
allow_incomplete: bool = False,
|
||||
) -> dict:
|
||||
"""Evaluate whether proposed issue content is durable enough to create.
|
||||
|
||||
Returns a dict with ``complete`` (bool), ``missing_fields``,
|
||||
``vague_fields``, ``reasons``, ``diagnose`` (joined reasons), and
|
||||
``has_durable_source_pointer``. ``allow_incomplete`` is an explicit
|
||||
operator override that forces ``complete`` True.
|
||||
"""
|
||||
t = (title or "").strip()
|
||||
b = (body or "").strip()
|
||||
missing_fields: list[str] = []
|
||||
vague_fields: list[str] = []
|
||||
reasons: list[str] = []
|
||||
|
||||
if not t:
|
||||
missing_fields.append("title")
|
||||
reasons.append("issue title is required")
|
||||
else:
|
||||
phrase = find_vague_reference(t)
|
||||
if phrase:
|
||||
vague_fields.append("title")
|
||||
reasons.append(
|
||||
f"title is a vague reference ('{phrase}') with no durable "
|
||||
"content or source pointer"
|
||||
)
|
||||
|
||||
if b:
|
||||
phrase = find_vague_reference(b)
|
||||
if phrase:
|
||||
vague_fields.append("body")
|
||||
reasons.append(
|
||||
f"body is a vague reference ('{phrase}') with no durable "
|
||||
"content or source pointer"
|
||||
)
|
||||
|
||||
complete = allow_incomplete or (not missing_fields and not vague_fields)
|
||||
return {
|
||||
"complete": complete,
|
||||
"missing_fields": missing_fields,
|
||||
"vague_fields": vague_fields,
|
||||
"reasons": reasons,
|
||||
"diagnose": "; ".join(reasons),
|
||||
"has_durable_source_pointer": has_durable_source_pointer(b)
|
||||
or has_durable_source_pointer(t),
|
||||
"override_applied": bool(
|
||||
allow_incomplete and (missing_fields or vague_fields)
|
||||
),
|
||||
}
|
||||
|
||||
|
||||
def pre_create_issue_content_gate(
|
||||
title: str,
|
||||
body: str = "",
|
||||
*,
|
||||
allow_incomplete: bool = False,
|
||||
) -> dict:
|
||||
"""Content gate wrapper mirroring the duplicate gate shape.
|
||||
|
||||
``performed`` is True when the content is durable enough to create (or an
|
||||
explicit override was supplied). When False, the caller must return
|
||||
BLOCKED + DIAGNOSE and must not create the issue.
|
||||
"""
|
||||
assessment = assess_issue_content(
|
||||
title, body, allow_incomplete=allow_incomplete
|
||||
)
|
||||
assessment["performed"] = assessment["complete"]
|
||||
return assessment
|
||||
@@ -375,6 +375,64 @@ def _same_realpath(left: str | None, right: str | None) -> bool:
|
||||
return left == right
|
||||
|
||||
|
||||
|
||||
def assess_expired_lock_reclaim(
|
||||
existing_lock: dict[str, Any] | None,
|
||||
*,
|
||||
now: datetime | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Decide whether an expired/stale author issue lock may be reclaimed (#601).
|
||||
|
||||
Required proof (any reclaim of non-live lock):
|
||||
* lease not live (expired or dead pid)
|
||||
* owner process dead OR worktree missing
|
||||
* no force-delete of live foreign ownership
|
||||
"""
|
||||
if not existing_lock:
|
||||
return {
|
||||
"reclaim_allowed": True,
|
||||
"reasons": ["no existing lock"],
|
||||
"freshness": assess_lock_freshness(None, now=now),
|
||||
}
|
||||
freshness = assess_lock_freshness(existing_lock, now=now)
|
||||
if freshness.get("live"):
|
||||
return {
|
||||
"reclaim_allowed": False,
|
||||
"reasons": ["lock is still live; cannot reclaim (fail closed)"],
|
||||
"freshness": freshness,
|
||||
}
|
||||
pid = existing_lock.get("session_pid")
|
||||
if pid is None:
|
||||
pid = existing_lock.get("pid")
|
||||
dead = not is_process_alive(pid) if pid is not None else True
|
||||
wt = str(existing_lock.get("worktree_path") or "")
|
||||
missing_wt = (not wt) or (not os.path.isdir(os.path.realpath(wt)))
|
||||
if not (dead or missing_wt):
|
||||
return {
|
||||
"reclaim_allowed": False,
|
||||
"reasons": [
|
||||
"expired/stale lock still has live owner pid and present worktree; "
|
||||
"recovery review required (fail closed)"
|
||||
],
|
||||
"freshness": freshness,
|
||||
"owner_pid_dead": dead,
|
||||
"worktree_missing": missing_wt,
|
||||
}
|
||||
return {
|
||||
"reclaim_allowed": True,
|
||||
"reasons": [
|
||||
"non-live lock with dead process and/or missing worktree; "
|
||||
"sanctioned reclaim allowed"
|
||||
],
|
||||
"freshness": freshness,
|
||||
"owner_pid_dead": dead,
|
||||
"worktree_missing": missing_wt,
|
||||
"prior_branch": existing_lock.get("branch_name"),
|
||||
"prior_worktree": existing_lock.get("worktree_path"),
|
||||
"prior_pid": pid,
|
||||
}
|
||||
|
||||
|
||||
def assess_same_issue_lease_conflict(
|
||||
existing_lock: dict[str, Any] | None,
|
||||
*,
|
||||
@@ -405,6 +463,11 @@ def assess_same_issue_lease_conflict(
|
||||
and _same_realpath(str(existing_worktree or ""), worktree_path)
|
||||
)
|
||||
if is_lease_expired(existing_lock, now=now):
|
||||
reclaim = assess_expired_lock_reclaim(existing_lock, now=now)
|
||||
if reclaim.get("reclaim_allowed"):
|
||||
# #601: expired + dead pid / missing worktree may be reclaimed
|
||||
# through the normal lock path (sanctioned overwrite).
|
||||
return None
|
||||
return (
|
||||
f"Issue #{issue_number} has an expired {operation_type} lease on "
|
||||
f"branch '{existing_branch}' from worktree '{existing_worktree}'. "
|
||||
|
||||
+213
-1
@@ -34,6 +34,11 @@ STATUS_LABEL_SPECS: tuple[LabelSpec, ...] = (
|
||||
LabelSpec("status:blocked", "b60205", "Issue is blocked"),
|
||||
LabelSpec("status:needs-review", "0052cc", "Issue work needs review"),
|
||||
LabelSpec("status:pr-open", "1d76db", "A linked PR is open"),
|
||||
LabelSpec(
|
||||
"status:changes-requested",
|
||||
"e11d21",
|
||||
"Reviewer requested changes on the linked PR",
|
||||
),
|
||||
LabelSpec("status:approved", "0e8a16", "Linked PR is approved"),
|
||||
LabelSpec("status:merged", "5319e7", "Linked PR is merged"),
|
||||
LabelSpec("status:reconcile", "d93f0b", "Issue needs reconciliation"),
|
||||
@@ -42,12 +47,74 @@ STATUS_LABEL_SPECS: tuple[LabelSpec, ...] = (
|
||||
LabelSpec("status:wontfix", "000000", "Issue will not be fixed"),
|
||||
)
|
||||
|
||||
# Durable validation-outcome labels (#529): the four canonical distinctions a
|
||||
# reviewer report can carry. These are orthogonal to the single active status:*
|
||||
# label, so they use their own prefix and are not subject to the one-status
|
||||
# invariant.
|
||||
VALIDATION_LABEL_SPECS: tuple[LabelSpec, ...] = (
|
||||
LabelSpec("validation:clean-pass", "0e8a16", "Validation was a clean pass"),
|
||||
LabelSpec(
|
||||
"validation:baseline-accepted",
|
||||
"fbca04",
|
||||
"Validation passed with a baseline-proven unrelated failure",
|
||||
),
|
||||
LabelSpec(
|
||||
"validation:blocked",
|
||||
"b60205",
|
||||
"Validation blocked by an unresolved failure",
|
||||
),
|
||||
LabelSpec(
|
||||
"validation:post-merge-moot",
|
||||
"5319e7",
|
||||
"Validation is post-merge moot (PR already merged/closed before review)",
|
||||
),
|
||||
)
|
||||
|
||||
# Lifecycle role-ownership labels (#603): which workflow role currently owns the
|
||||
# item. Advisory visibility only — the control-plane lease (#601) remains the
|
||||
# source of truth for mutation authority. Only one role:* label is active at a
|
||||
# time, mirroring the single-active-status invariant.
|
||||
ROLE_LABEL_SPECS: tuple[LabelSpec, ...] = (
|
||||
LabelSpec("role:author", "1d76db", "Author currently owns the item"),
|
||||
LabelSpec("role:reviewer", "5319e7", "Reviewer currently owns the item"),
|
||||
LabelSpec("role:merger", "0e8a16", "Merger currently owns the item"),
|
||||
)
|
||||
|
||||
# Lifecycle hazard labels (#603): orthogonal warning flags surfacing dangerous
|
||||
# coordination conditions. Unlike status/role, multiple hazard:* labels may be
|
||||
# active at once, and they never substitute for live lease / PR state checks.
|
||||
HAZARD_LABEL_SPECS: tuple[LabelSpec, ...] = (
|
||||
LabelSpec("hazard:stale-lease", "d93f0b", "A stale or expired lease references this item"),
|
||||
LabelSpec(
|
||||
"hazard:workflow-contaminated",
|
||||
"b60205",
|
||||
"Session/workflow state is contaminated and must not mutate",
|
||||
),
|
||||
LabelSpec("hazard:conflicted", "e11d21", "Linked PR has merge conflicts"),
|
||||
LabelSpec("hazard:root-mutation", "b60205", "Work was mutated in the project root checkout"),
|
||||
LabelSpec("hazard:manual-state", "d93f0b", "Session or lease state was edited manually"),
|
||||
LabelSpec(
|
||||
"hazard:terminal-blocker",
|
||||
"000000",
|
||||
"A terminal review/merge lock blocks progress (#332/#602)",
|
||||
),
|
||||
)
|
||||
|
||||
CANONICAL_LABEL_SPECS: tuple[LabelSpec, ...] = (
|
||||
TYPE_LABEL_SPECS + STATUS_LABEL_SPECS
|
||||
TYPE_LABEL_SPECS
|
||||
+ STATUS_LABEL_SPECS
|
||||
+ VALIDATION_LABEL_SPECS
|
||||
+ ROLE_LABEL_SPECS
|
||||
+ HAZARD_LABEL_SPECS
|
||||
)
|
||||
|
||||
TYPE_LABELS: frozenset[str] = frozenset(spec.name for spec in TYPE_LABEL_SPECS)
|
||||
STATUS_LABELS: frozenset[str] = frozenset(spec.name for spec in STATUS_LABEL_SPECS)
|
||||
VALIDATION_LABELS: frozenset[str] = frozenset(
|
||||
spec.name for spec in VALIDATION_LABEL_SPECS
|
||||
)
|
||||
ROLE_LABELS: frozenset[str] = frozenset(spec.name for spec in ROLE_LABEL_SPECS)
|
||||
HAZARD_LABELS: frozenset[str] = frozenset(spec.name for spec in HAZARD_LABEL_SPECS)
|
||||
CANONICAL_LABELS: frozenset[str] = frozenset(
|
||||
spec.name for spec in CANONICAL_LABEL_SPECS
|
||||
)
|
||||
@@ -65,9 +132,15 @@ STATUS_TRANSITIONS: dict[str, str] = {
|
||||
"blocked": "status:blocked",
|
||||
"needs_review": "status:needs-review",
|
||||
"needs-review": "status:needs-review",
|
||||
"reviewing": "status:needs-review",
|
||||
"pr_open": "status:pr-open",
|
||||
"pr-open": "status:pr-open",
|
||||
"changes_requested": "status:changes-requested",
|
||||
"changes-requested": "status:changes-requested",
|
||||
"changes": "status:changes-requested",
|
||||
"approved": "status:approved",
|
||||
"merge_ready": "status:approved",
|
||||
"merge-ready": "status:approved",
|
||||
"merge": "status:reconcile",
|
||||
"merged": "status:reconcile",
|
||||
"reconcile": "status:reconcile",
|
||||
@@ -75,6 +148,37 @@ STATUS_TRANSITIONS: dict[str, str] = {
|
||||
"complete": "status:done",
|
||||
"duplicate": "status:duplicate",
|
||||
"wontfix": "status:wontfix",
|
||||
"abandoned": "status:wontfix",
|
||||
# #603 requested state:* synonyms folded into the canonical status vocabulary
|
||||
"needs_triage": "status:triage",
|
||||
"needs-triage": "status:triage",
|
||||
"authoring": "status:in-progress",
|
||||
}
|
||||
|
||||
# #603: single-active role ownership. Maps role kinds / role:* labels to the
|
||||
# canonical role label. Mirrors STATUS_TRANSITIONS for the role dimension.
|
||||
ROLE_TRANSITIONS: dict[str, str] = {
|
||||
"author": "role:author",
|
||||
"reviewer": "role:reviewer",
|
||||
"merger": "role:merger",
|
||||
}
|
||||
|
||||
# #603: hazard flag synonyms. Hazards are additive (not single-active), so this
|
||||
# only normalizes names; it does not drive replacement.
|
||||
HAZARD_TRANSITIONS: dict[str, str] = {
|
||||
"stale_lease": "hazard:stale-lease",
|
||||
"stale-lease": "hazard:stale-lease",
|
||||
"workflow_contaminated": "hazard:workflow-contaminated",
|
||||
"workflow-contaminated": "hazard:workflow-contaminated",
|
||||
"contaminated": "hazard:workflow-contaminated",
|
||||
"conflicted": "hazard:conflicted",
|
||||
"conflict": "hazard:conflicted",
|
||||
"root_mutation": "hazard:root-mutation",
|
||||
"root-mutation": "hazard:root-mutation",
|
||||
"manual_state": "hazard:manual-state",
|
||||
"manual-state": "hazard:manual-state",
|
||||
"terminal_blocker": "hazard:terminal-blocker",
|
||||
"terminal-blocker": "hazard:terminal-blocker",
|
||||
}
|
||||
|
||||
|
||||
@@ -129,6 +233,100 @@ def transition_status_labels(
|
||||
return kept
|
||||
|
||||
|
||||
def role_labels(labels: Iterable[str | Mapping[str, object]] | Mapping[str, object]) -> list[str]:
|
||||
return [name for name in label_names(labels) if name.startswith("role:")]
|
||||
|
||||
|
||||
def hazard_labels(labels: Iterable[str | Mapping[str, object]] | Mapping[str, object]) -> list[str]:
|
||||
return [name for name in label_names(labels) if name.startswith("hazard:")]
|
||||
|
||||
|
||||
def canonical_role_label(role_or_transition: str) -> str:
|
||||
role = role_or_transition.strip()
|
||||
if role in ROLE_LABELS:
|
||||
return role
|
||||
normalized = role.lower().replace(" ", "-")
|
||||
try:
|
||||
return ROLE_TRANSITIONS[normalized]
|
||||
except KeyError as exc:
|
||||
raise ValueError(
|
||||
f"unknown workflow role or transition '{role_or_transition}'"
|
||||
) from exc
|
||||
|
||||
|
||||
def transition_role_labels(
|
||||
existing_labels: Iterable[str | Mapping[str, object]] | Mapping[str, object],
|
||||
role_or_transition: str,
|
||||
) -> list[str]:
|
||||
"""Replace all active role labels with the requested canonical role."""
|
||||
new_role = canonical_role_label(role_or_transition)
|
||||
kept = [name for name in label_names(existing_labels) if not name.startswith("role:")]
|
||||
if new_role not in kept:
|
||||
kept.append(new_role)
|
||||
return kept
|
||||
|
||||
|
||||
def canonical_hazard_label(hazard: str) -> str:
|
||||
name = hazard.strip()
|
||||
if name in HAZARD_LABELS:
|
||||
return name
|
||||
normalized = name.lower().replace(" ", "-")
|
||||
try:
|
||||
return HAZARD_TRANSITIONS[normalized]
|
||||
except KeyError as exc:
|
||||
raise ValueError(f"unknown workflow hazard '{hazard}'") from exc
|
||||
|
||||
|
||||
def add_hazard_label(
|
||||
existing_labels: Iterable[str | Mapping[str, object]] | Mapping[str, object],
|
||||
hazard: str,
|
||||
) -> list[str]:
|
||||
"""Add a hazard flag without disturbing status/role/type labels (additive)."""
|
||||
new_hazard = canonical_hazard_label(hazard)
|
||||
kept = label_names(existing_labels)
|
||||
if new_hazard not in kept:
|
||||
kept.append(new_hazard)
|
||||
return kept
|
||||
|
||||
|
||||
def clear_hazard_label(
|
||||
existing_labels: Iterable[str | Mapping[str, object]] | Mapping[str, object],
|
||||
hazard: str,
|
||||
) -> list[str]:
|
||||
"""Remove a single hazard flag, leaving all other labels intact."""
|
||||
target = canonical_hazard_label(hazard)
|
||||
return [name for name in label_names(existing_labels) if name != target]
|
||||
|
||||
|
||||
def is_discussion(labels: Iterable[str | Mapping[str, object]] | Mapping[str, object]) -> bool:
|
||||
return "type:discussion" in type_labels(labels)
|
||||
|
||||
|
||||
def is_implementation_candidate(
|
||||
labels: Iterable[str | Mapping[str, object]] | Mapping[str, object],
|
||||
) -> bool:
|
||||
"""Whether an item may enter an implementation queue on labels alone.
|
||||
|
||||
Discussion issues are excluded (#603 AC3) unless a controller explicitly
|
||||
selects them; the allocator still cross-checks live lease/PR state and never
|
||||
trusts labels alone (#603 AC2).
|
||||
"""
|
||||
return not is_discussion(labels)
|
||||
|
||||
|
||||
def requires_blocking_reason(
|
||||
labels: Iterable[str | Mapping[str, object]] | Mapping[str, object],
|
||||
) -> bool:
|
||||
"""Whether the item must carry a blocking-reason / next-action comment (AC4).
|
||||
|
||||
True when blocked or when any hazard flag is present.
|
||||
"""
|
||||
names = label_names(labels)
|
||||
if "status:blocked" in names:
|
||||
return True
|
||||
return any(name.startswith("hazard:") for name in names)
|
||||
|
||||
|
||||
def labels_for_new_issue(
|
||||
issue_type: str | None = None,
|
||||
initial_status: str | None = None,
|
||||
@@ -162,6 +360,8 @@ def assess_issue_labels(
|
||||
names = label_names(labels)
|
||||
found_types = type_labels(names)
|
||||
found_statuses = status_labels(names)
|
||||
found_roles = role_labels(names)
|
||||
found_hazards = hazard_labels(names)
|
||||
errors: list[str] = []
|
||||
warnings: list[str] = []
|
||||
|
||||
@@ -176,6 +376,10 @@ def assess_issue_labels(
|
||||
"issue has multiple active status:* labels: "
|
||||
+ ", ".join(found_statuses)
|
||||
)
|
||||
if len(found_roles) > 1:
|
||||
errors.append(
|
||||
"issue has multiple active role:* labels: " + ", ".join(found_roles)
|
||||
)
|
||||
|
||||
for name in found_types:
|
||||
if name not in TYPE_LABELS:
|
||||
@@ -183,12 +387,20 @@ def assess_issue_labels(
|
||||
for name in found_statuses:
|
||||
if name not in STATUS_LABELS:
|
||||
warnings.append(f"unknown status label '{name}'")
|
||||
for name in found_roles:
|
||||
if name not in ROLE_LABELS:
|
||||
warnings.append(f"unknown role label '{name}'")
|
||||
for name in found_hazards:
|
||||
if name not in HAZARD_LABELS:
|
||||
warnings.append(f"unknown hazard label '{name}'")
|
||||
|
||||
return {
|
||||
"valid": not errors,
|
||||
"labels": names,
|
||||
"type_labels": found_types,
|
||||
"status_labels": found_statuses,
|
||||
"role_labels": found_roles,
|
||||
"hazard_labels": found_hazards,
|
||||
"errors": errors,
|
||||
"warnings": warnings,
|
||||
}
|
||||
|
||||
@@ -0,0 +1,723 @@
|
||||
"""First-class control-plane lease lifecycle (#601).
|
||||
|
||||
Active leases are queryable workflow state. Canonical operations:
|
||||
|
||||
* list / inspect
|
||||
* adopt (with provenance)
|
||||
* release (explicit, recorded)
|
||||
* expire / reclaim
|
||||
* abandon (requires proof: dead process and/or missing worktree, etc.)
|
||||
|
||||
Authority model:
|
||||
|
||||
* Control-plane DB is the coordination source for assignment/lease.
|
||||
* File locks and comment-only leases are **not** authoritative alone.
|
||||
* Reviewer/merger comment leases (``reviewer_pr_lease`` / merger adoption)
|
||||
remain for Gitea-thread durability; they must not bypass DB assignment when
|
||||
the control-plane path is in use.
|
||||
|
||||
Fail closed on ambiguous ownership, active foreign leases, mismatched
|
||||
worktree, stale head, missing capability, and unsafe cleanup.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import json
|
||||
import os
|
||||
from dataclasses import dataclass, field
|
||||
from datetime import datetime, timezone
|
||||
from typing import Any, Callable, Mapping
|
||||
|
||||
import control_plane_db as cpd
|
||||
|
||||
# Outcomes / safe next actions (stable vocabulary for tools + tests).
|
||||
SAFE_OWNER_RESUME = "owner_resume"
|
||||
SAFE_WAIT_FOREIGN = "wait_foreign_active"
|
||||
SAFE_RECLAIM_EXPIRED = "reclaim_expired"
|
||||
SAFE_ABANDON_ALLOWED = "abandon_allowed"
|
||||
SAFE_RELEASE_OWNED = "release_owned"
|
||||
SAFE_STALE_PROMPT = "stale_prompt_lease"
|
||||
SAFE_UNKNOWN = "inspect_only"
|
||||
SAFE_NO_AUTHORITY = "file_or_comment_not_authoritative"
|
||||
|
||||
LEASE_STATUS_ACTIVE = "active"
|
||||
LEASE_STATUS_RELEASED = "released"
|
||||
LEASE_STATUS_EXPIRED = "expired"
|
||||
LEASE_STATUS_ABANDONED = "abandoned"
|
||||
|
||||
AUTHORITATIVE_SOURCE = "control_plane_db"
|
||||
|
||||
|
||||
class LeaseLifecycleError(RuntimeError):
|
||||
"""Fail-closed lifecycle policy error."""
|
||||
|
||||
|
||||
@dataclass(frozen=True)
|
||||
class AbandonProof:
|
||||
"""Required evidence to abandon a non-owned or expired lease safely."""
|
||||
|
||||
dead_process: bool = False
|
||||
missing_worktree: bool = False
|
||||
same_owner: bool = False
|
||||
no_open_pr: bool = False
|
||||
no_live_mutation_risk: bool = False
|
||||
operator_authorized: bool = False
|
||||
worktree_path: str | None = None
|
||||
owner_pid: int | None = None
|
||||
notes: str = ""
|
||||
|
||||
def as_dict(self) -> dict[str, Any]:
|
||||
return {
|
||||
"dead_process": self.dead_process,
|
||||
"missing_worktree": self.missing_worktree,
|
||||
"same_owner": self.same_owner,
|
||||
"no_open_pr": self.no_open_pr,
|
||||
"no_live_mutation_risk": self.no_live_mutation_risk,
|
||||
"operator_authorized": self.operator_authorized,
|
||||
"worktree_path": self.worktree_path,
|
||||
"owner_pid": self.owner_pid,
|
||||
"notes": self.notes,
|
||||
}
|
||||
|
||||
def is_sufficient(self) -> bool:
|
||||
"""Abandon requires process death or missing worktree + no mutation risk.
|
||||
|
||||
Foreign active leases additionally need operator_authorized unless the
|
||||
owner process is dead and the worktree is missing.
|
||||
"""
|
||||
if not self.no_live_mutation_risk:
|
||||
return False
|
||||
if not (self.dead_process or self.missing_worktree):
|
||||
return False
|
||||
if self.same_owner:
|
||||
return True
|
||||
# Foreign abandon: operator flag OR (dead + missing worktree + no risk)
|
||||
if self.operator_authorized:
|
||||
return True
|
||||
return bool(self.dead_process and self.missing_worktree and self.no_open_pr)
|
||||
|
||||
|
||||
def is_process_alive(pid: int | None) -> bool:
|
||||
if pid is None:
|
||||
return False
|
||||
try:
|
||||
pid_i = int(pid)
|
||||
except (TypeError, ValueError):
|
||||
return False
|
||||
if pid_i <= 0:
|
||||
return False
|
||||
try:
|
||||
os.kill(pid_i, 0)
|
||||
return True
|
||||
except ProcessLookupError:
|
||||
return False
|
||||
except PermissionError:
|
||||
# Exists but not owned by us — treat as alive (fail closed).
|
||||
return True
|
||||
except OSError:
|
||||
return False
|
||||
|
||||
|
||||
def worktree_exists(path: str | None) -> bool:
|
||||
if not path:
|
||||
return False
|
||||
try:
|
||||
return os.path.isdir(os.path.realpath(path))
|
||||
except OSError:
|
||||
return False
|
||||
|
||||
|
||||
def _utc_now() -> datetime:
|
||||
return datetime.now(timezone.utc)
|
||||
|
||||
|
||||
def _parse_ts(value: str | None) -> datetime | None:
|
||||
return cpd._parse_ts(value)
|
||||
|
||||
|
||||
def classify_lease_freshness(
|
||||
lease: Mapping[str, Any],
|
||||
*,
|
||||
now: datetime | None = None,
|
||||
pid_checker: Callable[[int | None], bool] = is_process_alive,
|
||||
worktree_checker: Callable[[str | None], bool] = worktree_exists,
|
||||
) -> dict[str, Any]:
|
||||
"""Classify a control-plane lease row for workflow tooling."""
|
||||
moment = now or _utc_now()
|
||||
status = (lease.get("status") or "").strip().lower()
|
||||
expires = _parse_ts(lease.get("expires_at"))
|
||||
owner_pid = lease.get("owner_pid")
|
||||
if owner_pid is None:
|
||||
owner_pid = lease.get("session_pid")
|
||||
wt = lease.get("worktree_path")
|
||||
pid_alive = pid_checker(owner_pid) if owner_pid is not None else None
|
||||
wt_present = worktree_checker(wt) if wt else None
|
||||
expired_by_time = bool(expires and expires <= moment)
|
||||
|
||||
if status == LEASE_STATUS_ABANDONED:
|
||||
freshness = "abandoned"
|
||||
elif status == LEASE_STATUS_RELEASED:
|
||||
freshness = "released"
|
||||
elif status == LEASE_STATUS_EXPIRED or expired_by_time:
|
||||
freshness = "expired"
|
||||
elif status != LEASE_STATUS_ACTIVE:
|
||||
freshness = status or "unknown"
|
||||
elif pid_alive is False:
|
||||
freshness = "stale_dead_process"
|
||||
elif wt is not None and wt_present is False:
|
||||
freshness = "stale_missing_worktree"
|
||||
else:
|
||||
freshness = "active"
|
||||
|
||||
return {
|
||||
"freshness": freshness,
|
||||
"status": status,
|
||||
"expired_by_time": expired_by_time,
|
||||
"owner_pid": owner_pid,
|
||||
"owner_pid_alive": pid_alive,
|
||||
"worktree_path": wt,
|
||||
"worktree_present": wt_present,
|
||||
"expires_at": lease.get("expires_at"),
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
|
||||
def decide_safe_next_action(
|
||||
*,
|
||||
lease: Mapping[str, Any] | None,
|
||||
caller_session_id: str,
|
||||
freshness: Mapping[str, Any] | None = None,
|
||||
caller_worktree: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Return safe_next_action + reasons for a caller inspecting a lease."""
|
||||
if not lease:
|
||||
return {
|
||||
"safe_next_action": SAFE_STALE_PROMPT,
|
||||
"reasons": ["lease not found in control-plane DB (stale prompt id?)"],
|
||||
"block": True,
|
||||
}
|
||||
fr = freshness or classify_lease_freshness(lease)
|
||||
owner = str(lease.get("session_id") or "")
|
||||
same_owner = owner == str(caller_session_id)
|
||||
status = fr.get("freshness")
|
||||
reasons: list[str] = []
|
||||
|
||||
# Worktree mismatch for owner resume
|
||||
lease_wt = lease.get("worktree_path")
|
||||
if (
|
||||
same_owner
|
||||
and lease_wt
|
||||
and caller_worktree
|
||||
and os.path.realpath(str(lease_wt)) != os.path.realpath(str(caller_worktree))
|
||||
):
|
||||
return {
|
||||
"safe_next_action": SAFE_UNKNOWN,
|
||||
"reasons": [
|
||||
f"worktree mismatch: lease has {lease_wt!r}, caller has "
|
||||
f"{caller_worktree!r} (fail closed)"
|
||||
],
|
||||
"block": True,
|
||||
"same_owner": True,
|
||||
}
|
||||
|
||||
if status in ("abandoned", "released"):
|
||||
return {
|
||||
"safe_next_action": SAFE_STALE_PROMPT,
|
||||
"reasons": [f"lease status is {status}; do not adopt blindly"],
|
||||
"block": True,
|
||||
"same_owner": same_owner,
|
||||
}
|
||||
|
||||
if status == "expired" or fr.get("expired_by_time"):
|
||||
return {
|
||||
"safe_next_action": SAFE_RECLAIM_EXPIRED,
|
||||
"reasons": ["lease expired; reclaim via expire+assign or adopt reclaim path"],
|
||||
"block": False,
|
||||
"same_owner": same_owner,
|
||||
}
|
||||
|
||||
if status in ("stale_dead_process", "stale_missing_worktree"):
|
||||
if same_owner:
|
||||
return {
|
||||
"safe_next_action": SAFE_OWNER_RESUME,
|
||||
"reasons": [
|
||||
f"caller owns lease with freshness={status}; rebind via "
|
||||
"adopt/owner-resume or abandon with proof"
|
||||
],
|
||||
"block": False,
|
||||
"same_owner": True,
|
||||
"also_allowed": [SAFE_ABANDON_ALLOWED, SAFE_RELEASE_OWNED],
|
||||
}
|
||||
return {
|
||||
"safe_next_action": SAFE_ABANDON_ALLOWED,
|
||||
"reasons": [
|
||||
f"lease freshness={status}; abandon with required proof then reassign"
|
||||
],
|
||||
"block": False,
|
||||
"same_owner": False,
|
||||
}
|
||||
|
||||
if same_owner and status == "active":
|
||||
return {
|
||||
"safe_next_action": SAFE_OWNER_RESUME,
|
||||
"reasons": [
|
||||
"caller owns active lease; resume via heartbeat/assign owner-resume "
|
||||
"or release explicitly"
|
||||
],
|
||||
"block": False,
|
||||
"same_owner": True,
|
||||
"also_allowed": [SAFE_RELEASE_OWNED],
|
||||
}
|
||||
|
||||
if not same_owner and status == "active":
|
||||
return {
|
||||
"safe_next_action": SAFE_WAIT_FOREIGN,
|
||||
"reasons": [
|
||||
f"foreign active lease held by session {owner}; "
|
||||
"do not steal (fail closed)"
|
||||
],
|
||||
"block": True,
|
||||
"same_owner": False,
|
||||
"owner_session_id": owner,
|
||||
}
|
||||
|
||||
return {
|
||||
"safe_next_action": SAFE_UNKNOWN,
|
||||
"reasons": [f"unclassified freshness={status}"],
|
||||
"block": True,
|
||||
"same_owner": same_owner,
|
||||
}
|
||||
|
||||
|
||||
def non_db_lease_authority_report(
|
||||
*,
|
||||
file_lock_present: bool = False,
|
||||
comment_lease_present: bool = False,
|
||||
db_lease_present: bool = False,
|
||||
) -> dict[str, Any]:
|
||||
"""File/comment leases alone are not coordination authority (#601 / #600)."""
|
||||
authoritative = bool(db_lease_present)
|
||||
reasons: list[str] = []
|
||||
if file_lock_present and not db_lease_present:
|
||||
reasons.append(
|
||||
"file lock present but control-plane DB lease absent — "
|
||||
"file lock is not authoritative alone"
|
||||
)
|
||||
if comment_lease_present and not db_lease_present:
|
||||
reasons.append(
|
||||
"comment-only lease present but control-plane DB lease absent — "
|
||||
"comment lease is not authoritative alone"
|
||||
)
|
||||
if authoritative:
|
||||
reasons.append("control-plane DB lease is the coordination authority")
|
||||
return {
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE if authoritative else None,
|
||||
"db_lease_present": db_lease_present,
|
||||
"file_lock_present": file_lock_present,
|
||||
"comment_lease_present": comment_lease_present,
|
||||
"safe_next_action": (
|
||||
SAFE_UNKNOWN if authoritative else SAFE_NO_AUTHORITY
|
||||
),
|
||||
"reasons": reasons,
|
||||
"file_lock_only": bool(file_lock_present and not db_lease_present),
|
||||
"comment_lease_only": bool(comment_lease_present and not db_lease_present),
|
||||
}
|
||||
|
||||
|
||||
def build_adopt_provenance(
|
||||
*,
|
||||
adopted_from_session_id: str,
|
||||
adopted_by_session_id: str,
|
||||
work_kind: str,
|
||||
work_number: int,
|
||||
remote: str,
|
||||
org: str,
|
||||
repo: str,
|
||||
worktree_path: str | None,
|
||||
expected_head_sha: str | None,
|
||||
prior_lease_id: str | None,
|
||||
reason: str,
|
||||
) -> dict[str, Any]:
|
||||
return {
|
||||
"adopted_from_session_id": adopted_from_session_id,
|
||||
"adopted_by_session_id": adopted_by_session_id,
|
||||
"work_kind": work_kind,
|
||||
"work_number": int(work_number),
|
||||
"remote": remote,
|
||||
"org": org,
|
||||
"repo": repo,
|
||||
"worktree_path": worktree_path,
|
||||
"expected_head_sha": expected_head_sha,
|
||||
"prior_lease_id": prior_lease_id,
|
||||
"reason": reason,
|
||||
"recorded_at": cpd._ts(),
|
||||
"source": "lease_lifecycle.adopt",
|
||||
}
|
||||
|
||||
|
||||
def inspect_lease(
|
||||
db: cpd.ControlPlaneDB,
|
||||
lease_id: str,
|
||||
*,
|
||||
caller_session_id: str,
|
||||
caller_worktree: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Full first-class lease workflow state for one lease id."""
|
||||
state = db.get_lease_workflow_state(lease_id)
|
||||
if not state:
|
||||
decision = decide_safe_next_action(
|
||||
lease=None, caller_session_id=caller_session_id
|
||||
)
|
||||
return {
|
||||
"success": True,
|
||||
"found": False,
|
||||
"lease_id": lease_id,
|
||||
"lease": None,
|
||||
"freshness": None,
|
||||
**decision,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
lease = state["lease"]
|
||||
freshness = classify_lease_freshness(lease)
|
||||
decision = decide_safe_next_action(
|
||||
lease=lease,
|
||||
caller_session_id=caller_session_id,
|
||||
freshness=freshness,
|
||||
caller_worktree=caller_worktree,
|
||||
)
|
||||
return {
|
||||
"success": True,
|
||||
"found": True,
|
||||
"lease_id": lease_id,
|
||||
"lease": lease,
|
||||
"assignment": state.get("assignment"),
|
||||
"work_item": state.get("work_item"),
|
||||
"session": state.get("session"),
|
||||
"freshness": freshness,
|
||||
"provenance": state.get("provenance"),
|
||||
**decision,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
|
||||
def list_active_leases(
|
||||
db: cpd.ControlPlaneDB,
|
||||
*,
|
||||
remote: str | None = None,
|
||||
org: str | None = None,
|
||||
repo: str | None = None,
|
||||
role: str | None = None,
|
||||
include_non_active: bool = False,
|
||||
limit: int = 100,
|
||||
) -> dict[str, Any]:
|
||||
statuses = None if include_non_active else (LEASE_STATUS_ACTIVE,)
|
||||
rows = db.list_leases(
|
||||
remote=remote,
|
||||
org=org,
|
||||
repo=repo,
|
||||
role=role,
|
||||
statuses=statuses,
|
||||
limit=limit,
|
||||
)
|
||||
enriched = []
|
||||
for row in rows:
|
||||
fr = classify_lease_freshness(row)
|
||||
enriched.append({**row, "freshness": fr})
|
||||
return {
|
||||
"success": True,
|
||||
"count": len(enriched),
|
||||
"leases": enriched,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
"include_non_active": include_non_active,
|
||||
}
|
||||
|
||||
|
||||
def adopt_lease(
|
||||
db: cpd.ControlPlaneDB,
|
||||
*,
|
||||
lease_id: str,
|
||||
adopter_session_id: str,
|
||||
role: str,
|
||||
worktree_path: str | None = None,
|
||||
expected_head_sha: str | None = None,
|
||||
owner_pid: int | None = None,
|
||||
operator_authorized: bool = False,
|
||||
) -> dict[str, Any]:
|
||||
"""Sanctioned adopt path with provenance; never silent foreign steal."""
|
||||
state = db.get_lease_workflow_state(lease_id)
|
||||
if not state:
|
||||
raise LeaseLifecycleError(
|
||||
f"unknown lease_id {lease_id}; stale prompt id (fail closed)"
|
||||
)
|
||||
lease = state["lease"]
|
||||
work = state["work_item"]
|
||||
freshness = classify_lease_freshness(lease)
|
||||
owner = str(lease.get("session_id") or "")
|
||||
same_owner = owner == str(adopter_session_id)
|
||||
|
||||
if freshness["freshness"] == "active" and not same_owner:
|
||||
raise LeaseLifecycleError(
|
||||
f"refusing to steal active foreign lease {lease_id} owned by "
|
||||
f"{owner} (fail closed)"
|
||||
)
|
||||
|
||||
if freshness["freshness"] in ("abandoned", "released"):
|
||||
raise LeaseLifecycleError(
|
||||
f"lease {lease_id} is {freshness['freshness']}; cannot adopt "
|
||||
"(fail closed)"
|
||||
)
|
||||
|
||||
# Expired or stale: require abandon-style safety before ownership transfer
|
||||
# when not same owner; same owner may reclaim.
|
||||
if not same_owner and freshness["freshness"] in (
|
||||
"expired",
|
||||
"stale_dead_process",
|
||||
"stale_missing_worktree",
|
||||
):
|
||||
if not operator_authorized and freshness["freshness"] == "expired":
|
||||
# Deterministic reclaim of expired foreign lease is allowed
|
||||
# without operator flag (sanctioned expire reclaim).
|
||||
pass
|
||||
elif freshness["freshness"] != "expired" and not operator_authorized:
|
||||
# stale active-looking requires abandon proof path
|
||||
raise LeaseLifecycleError(
|
||||
f"lease {lease_id} freshness={freshness['freshness']}; "
|
||||
"use abandon with proof before foreign adopt (fail closed)"
|
||||
)
|
||||
|
||||
provenance = build_adopt_provenance(
|
||||
adopted_from_session_id=owner,
|
||||
adopted_by_session_id=adopter_session_id,
|
||||
work_kind=str(work.get("kind")),
|
||||
work_number=int(work.get("number")),
|
||||
remote=str(work.get("remote")),
|
||||
org=str(work.get("org")),
|
||||
repo=str(work.get("repo")),
|
||||
worktree_path=worktree_path,
|
||||
expected_head_sha=expected_head_sha or lease.get("expected_head_sha"),
|
||||
prior_lease_id=lease_id,
|
||||
reason=(
|
||||
"owner-resume-adopt" if same_owner else "sanctioned-reclaim-adopt"
|
||||
),
|
||||
)
|
||||
|
||||
result = db.adopt_lease(
|
||||
lease_id=lease_id,
|
||||
adopter_session_id=adopter_session_id,
|
||||
role=role,
|
||||
worktree_path=worktree_path,
|
||||
expected_head_sha=expected_head_sha,
|
||||
owner_pid=owner_pid if owner_pid is not None else os.getpid(),
|
||||
provenance=provenance,
|
||||
)
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": result.get("outcome"),
|
||||
"same_owner": same_owner,
|
||||
"prior_lease_id": lease_id,
|
||||
"lease": result.get("lease"),
|
||||
"assignment": result.get("assignment"),
|
||||
"provenance": provenance,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
"reasons": result.get("reasons") or [],
|
||||
}
|
||||
|
||||
|
||||
def release_lease(
|
||||
db: cpd.ControlPlaneDB,
|
||||
*,
|
||||
lease_id: str,
|
||||
session_id: str,
|
||||
) -> dict[str, Any]:
|
||||
proof = db.release_lease_recorded(lease_id=lease_id, session_id=session_id)
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": "released",
|
||||
"lease_id": lease_id,
|
||||
"session_id": session_id,
|
||||
"release_proof": proof,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
|
||||
def expire_leases(db: cpd.ControlPlaneDB) -> dict[str, Any]:
|
||||
n = db.expire_stale_leases()
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": "expired",
|
||||
"expired_count": int(n),
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
|
||||
def reclaim_expired_lease(
|
||||
db: cpd.ControlPlaneDB,
|
||||
*,
|
||||
lease_id: str,
|
||||
session_id: str,
|
||||
role: str,
|
||||
worktree_path: str | None = None,
|
||||
expected_head_sha: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Expire-if-needed then assign to *session_id* for the same work item."""
|
||||
state = db.get_lease_workflow_state(lease_id)
|
||||
if not state:
|
||||
raise LeaseLifecycleError(f"unknown lease_id {lease_id}")
|
||||
lease = state["lease"]
|
||||
work = state["work_item"]
|
||||
freshness = classify_lease_freshness(lease)
|
||||
if freshness["freshness"] == "active":
|
||||
if lease.get("session_id") != session_id:
|
||||
raise LeaseLifecycleError(
|
||||
f"cannot reclaim active foreign lease {lease_id} (fail closed)"
|
||||
)
|
||||
# owner resume
|
||||
return adopt_lease(
|
||||
db,
|
||||
lease_id=lease_id,
|
||||
adopter_session_id=session_id,
|
||||
role=role,
|
||||
worktree_path=worktree_path,
|
||||
expected_head_sha=expected_head_sha,
|
||||
)
|
||||
if freshness["freshness"] not in (
|
||||
"expired",
|
||||
"stale_dead_process",
|
||||
"stale_missing_worktree",
|
||||
"abandoned",
|
||||
"released",
|
||||
):
|
||||
raise LeaseLifecycleError(
|
||||
f"lease {lease_id} freshness={freshness['freshness']} not reclaimable"
|
||||
)
|
||||
|
||||
# Ensure expired marker is applied
|
||||
db.expire_stale_leases()
|
||||
# If still active due to clock skew / non-time stale, force expire this lease
|
||||
refreshed = db.get_lease_workflow_state(lease_id)
|
||||
if refreshed and refreshed["lease"].get("status") == "active":
|
||||
db.force_expire_lease(lease_id, reason="reclaim_expired_lease")
|
||||
|
||||
head = expected_head_sha or work.get("current_head_sha")
|
||||
assigned = db.assign_and_lease(
|
||||
session_id=session_id,
|
||||
role=role,
|
||||
remote=str(work["remote"]),
|
||||
org=str(work["org"]),
|
||||
repo=str(work["repo"]),
|
||||
kind=str(work["kind"]),
|
||||
number=int(work["number"]),
|
||||
expected_head_sha=head,
|
||||
phase="reclaimed",
|
||||
worktree_path=worktree_path,
|
||||
owner_pid=os.getpid(),
|
||||
)
|
||||
if assigned.outcome != "assigned":
|
||||
raise LeaseLifecycleError(
|
||||
f"reclaim assign failed: {assigned.outcome} — {assigned.reason}"
|
||||
)
|
||||
provenance = build_adopt_provenance(
|
||||
adopted_from_session_id=str(lease.get("session_id")),
|
||||
adopted_by_session_id=session_id,
|
||||
work_kind=str(work["kind"]),
|
||||
work_number=int(work["number"]),
|
||||
remote=str(work["remote"]),
|
||||
org=str(work["org"]),
|
||||
repo=str(work["repo"]),
|
||||
worktree_path=worktree_path,
|
||||
expected_head_sha=head,
|
||||
prior_lease_id=lease_id,
|
||||
reason="reclaim_expired",
|
||||
)
|
||||
db.attach_lease_provenance(assigned.lease_id, provenance)
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": "reclaimed",
|
||||
"prior_lease_id": lease_id,
|
||||
"assignment": assigned.as_dict(),
|
||||
"provenance": provenance,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
|
||||
def abandon_lease(
|
||||
db: cpd.ControlPlaneDB,
|
||||
*,
|
||||
lease_id: str,
|
||||
requester_session_id: str,
|
||||
proof: AbandonProof,
|
||||
) -> dict[str, Any]:
|
||||
state = db.get_lease_workflow_state(lease_id)
|
||||
if not state:
|
||||
raise LeaseLifecycleError(f"unknown lease_id {lease_id}")
|
||||
lease = state["lease"]
|
||||
owner = str(lease.get("session_id") or "")
|
||||
same_owner = owner == str(requester_session_id)
|
||||
|
||||
# Enrich proof with live checks when not provided
|
||||
owner_pid = proof.owner_pid
|
||||
if owner_pid is None:
|
||||
owner_pid = lease.get("owner_pid")
|
||||
wt = proof.worktree_path if proof.worktree_path is not None else lease.get(
|
||||
"worktree_path"
|
||||
)
|
||||
dead = proof.dead_process or (
|
||||
owner_pid is not None and not is_process_alive(owner_pid)
|
||||
)
|
||||
missing_wt = proof.missing_worktree or (
|
||||
bool(wt) and not worktree_exists(str(wt))
|
||||
)
|
||||
enriched = AbandonProof(
|
||||
dead_process=bool(dead),
|
||||
missing_worktree=bool(missing_wt),
|
||||
same_owner=same_owner or proof.same_owner,
|
||||
no_open_pr=proof.no_open_pr,
|
||||
no_live_mutation_risk=proof.no_live_mutation_risk,
|
||||
operator_authorized=proof.operator_authorized,
|
||||
worktree_path=str(wt) if wt else None,
|
||||
owner_pid=int(owner_pid) if owner_pid is not None else None,
|
||||
notes=proof.notes,
|
||||
)
|
||||
if not enriched.is_sufficient():
|
||||
raise LeaseLifecycleError(
|
||||
"abandon proof insufficient: need (dead_process or missing_worktree) "
|
||||
"and no_live_mutation_risk; foreign abandon also needs "
|
||||
"operator_authorized or (dead+missing_worktree+no_open_pr). "
|
||||
f"proof={enriched.as_dict()}"
|
||||
)
|
||||
|
||||
# Active foreign with live process + present worktree: never abandon without
|
||||
# operator (already covered by is_sufficient).
|
||||
result = db.abandon_lease(
|
||||
lease_id=lease_id,
|
||||
requester_session_id=requester_session_id,
|
||||
proof=enriched.as_dict(),
|
||||
)
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": "abandoned",
|
||||
"lease_id": lease_id,
|
||||
"requester_session_id": requester_session_id,
|
||||
"prior_owner_session_id": owner,
|
||||
"abandon_proof": enriched.as_dict(),
|
||||
"audit": result,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
+12
-4
@@ -22,7 +22,7 @@ venv_python = os.path.join(PROJECT_ROOT, "venv", "bin", "python3")
|
||||
if os.path.exists(venv_python) and sys.executable != venv_python:
|
||||
os.execv(venv_python, [venv_python] + sys.argv)
|
||||
|
||||
from gitea_auth import get_auth_header, api_request, repo_api_url
|
||||
from gitea_auth import get_auth_header, api_request, api_get_all, repo_api_url
|
||||
import issue_workflow_labels
|
||||
|
||||
HOST = "gitea.dadeschools.net"
|
||||
@@ -82,9 +82,17 @@ def api(method, path, auth, payload=None):
|
||||
|
||||
|
||||
def _labels_by_name(auth):
|
||||
"""Return {label name: id} for the repo's existing labels."""
|
||||
existing = api("GET", "/labels?limit=100", auth) or []
|
||||
return {lb["name"]: lb["id"] for lb in existing}
|
||||
"""Return {label name: id} for the repo's existing labels (all pages, #627)."""
|
||||
existing = api_get_all(f"{BASE_URL}/labels", auth) or []
|
||||
name_to_id = {}
|
||||
for lb in existing:
|
||||
if not isinstance(lb, dict):
|
||||
continue
|
||||
name = lb.get("name")
|
||||
lid = lb.get("id")
|
||||
if name and lid is not None and name not in name_to_id:
|
||||
name_to_id[name] = lid
|
||||
return name_to_id
|
||||
|
||||
|
||||
def create_labels(auth, dry=False):
|
||||
|
||||
+5
-5
@@ -17,7 +17,7 @@ if os.path.exists(venv_python) and sys.executable != venv_python:
|
||||
|
||||
from gitea_auth import (
|
||||
get_auth_header, resolve_remote, add_remote_args,
|
||||
api_request, repo_api_url,
|
||||
api_request, api_get_all, repo_api_url,
|
||||
)
|
||||
|
||||
LABEL_NAME = "status:in-progress"
|
||||
@@ -45,12 +45,12 @@ def main(argv=None):
|
||||
base = repo_api_url(host, org, repo)
|
||||
|
||||
try:
|
||||
# Find the label ID
|
||||
labels = api_request("GET", f"{base}/labels?limit=100", auth)
|
||||
# Paginated inventory (#627): Gitea caps single pages at 50.
|
||||
labels = api_get_all(f"{base}/labels", auth) or []
|
||||
label_id = None
|
||||
for lb in labels:
|
||||
if lb["name"] == LABEL_NAME:
|
||||
label_id = lb["id"]
|
||||
if lb.get("name") == LABEL_NAME:
|
||||
label_id = lb.get("id")
|
||||
break
|
||||
|
||||
if label_id is None:
|
||||
|
||||
@@ -29,6 +29,11 @@ class UnsanctionedRuntimeError(RuntimeError):
|
||||
|
||||
|
||||
def is_pytest_runtime() -> bool:
|
||||
if os.environ.get("GITEA_TEST_FORCE_UNSANCTIONED") == "1":
|
||||
return False
|
||||
import sys
|
||||
if "pytest" in sys.modules:
|
||||
return True
|
||||
return bool((os.environ.get("PYTEST_CURRENT_TEST") or "").strip())
|
||||
|
||||
|
||||
|
||||
@@ -0,0 +1,306 @@
|
||||
"""Assess live MCP namespace health without trusting static registration.
|
||||
|
||||
The IDE/client namespace can fail with EOF even when this Python process still
|
||||
registers the Gitea tools with FastMCP. These helpers keep that distinction
|
||||
explicit so reviewer/merger flows can fail closed on the live path.
|
||||
|
||||
Probe sources
|
||||
-------------
|
||||
* ``client_namespace`` — evidence from the IDE-managed MCP client path (the
|
||||
only source that can prove the workflow namespace is healthy).
|
||||
* ``offline_spawn`` — a separate ``subprocess.Popen`` JSON-RPC handshake
|
||||
(e.g. ``test_mcp_conn.py``). Useful offline, but **never** proves the
|
||||
IDE-managed namespace is callable.
|
||||
* ``unknown`` — legacy/unspecified; treated as not IDE-proven.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from typing import Any
|
||||
|
||||
|
||||
REQUIRED_NAMESPACE_TOOLS = {
|
||||
"gitea-author": "gitea_whoami",
|
||||
"gitea-reviewer": "gitea_whoami",
|
||||
"gitea-merger": "gitea_whoami",
|
||||
"gitea-tools": "gitea_list_profiles",
|
||||
}
|
||||
|
||||
DEFAULT_NAMESPACES = tuple(REQUIRED_NAMESPACE_TOOLS)
|
||||
|
||||
# Namespaces that must be healthy for a given mutation task.
|
||||
TASK_REQUIRED_NAMESPACES = {
|
||||
"review_pr": "gitea-reviewer",
|
||||
"submit_review": "gitea-reviewer",
|
||||
"merge_pr": "gitea-merger",
|
||||
}
|
||||
|
||||
PROBE_SOURCE_CLIENT = "client_namespace"
|
||||
PROBE_SOURCE_OFFLINE = "offline_spawn"
|
||||
PROBE_SOURCE_UNKNOWN = "unknown"
|
||||
VALID_PROBE_SOURCES = frozenset(
|
||||
{PROBE_SOURCE_CLIENT, PROBE_SOURCE_OFFLINE, PROBE_SOURCE_UNKNOWN}
|
||||
)
|
||||
|
||||
EOF_PATTERNS = (
|
||||
"client is closing: eof",
|
||||
"transport closed",
|
||||
"connection closed",
|
||||
"broken pipe",
|
||||
"end of file",
|
||||
"eof",
|
||||
)
|
||||
|
||||
SAFE_ENV_KEYS = (
|
||||
"GITEA_MCP_PROFILE",
|
||||
"GITEA_PROFILE_NAME",
|
||||
"GITEA_SERVICE",
|
||||
"GITEA_EXECUTION_ROLE",
|
||||
"GITEA_MCP_CONFIG",
|
||||
)
|
||||
|
||||
|
||||
def _as_list(value: Any) -> list[str] | None:
|
||||
if value is None:
|
||||
return None
|
||||
if isinstance(value, (list, tuple, set)):
|
||||
return [str(v) for v in value]
|
||||
return [str(value)]
|
||||
|
||||
|
||||
def _contains_eof(text: str | None) -> bool:
|
||||
lowered = (text or "").lower()
|
||||
return any(pattern in lowered for pattern in EOF_PATTERNS)
|
||||
|
||||
|
||||
def _normalize_probe_source(probe_source: str | None) -> str:
|
||||
raw = (probe_source or PROBE_SOURCE_UNKNOWN).strip().lower()
|
||||
if raw in VALID_PROBE_SOURCES:
|
||||
return raw
|
||||
return PROBE_SOURCE_UNKNOWN
|
||||
|
||||
|
||||
def _safe_env_summary(process: dict[str, Any] | None) -> dict[str, str]:
|
||||
if not process:
|
||||
return {}
|
||||
env = process.get("env") or process.get("environment") or {}
|
||||
if not isinstance(env, dict):
|
||||
return {}
|
||||
return {
|
||||
key: str(env[key])
|
||||
for key in SAFE_ENV_KEYS
|
||||
if key in env and env[key] not in (None, "")
|
||||
}
|
||||
|
||||
|
||||
def classify_namespace_probe(
|
||||
namespace: str,
|
||||
*,
|
||||
required_tool: str | None = None,
|
||||
registered_tools: list[str] | tuple[str, ...] | set[str] | None = None,
|
||||
probe_result: dict[str, Any] | None = None,
|
||||
process: dict[str, Any] | None = None,
|
||||
config_path: str | None = None,
|
||||
profile: str | None = None,
|
||||
configured: bool = True,
|
||||
probe_source: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Classify whether a required tool is callable through a live namespace.
|
||||
|
||||
``registered_tools`` is static/server-side evidence. ``probe_result`` is
|
||||
live invocation evidence. Only ``probe_source=client_namespace`` proves the
|
||||
IDE-managed path; ``offline_spawn`` is an offline subprocess check only.
|
||||
"""
|
||||
ns = (namespace or "").strip()
|
||||
tool = required_tool or REQUIRED_NAMESPACE_TOOLS.get(ns) or "gitea_whoami"
|
||||
source = _normalize_probe_source(probe_source)
|
||||
registered_list = _as_list(registered_tools)
|
||||
registered = None if registered_list is None else tool in registered_list
|
||||
|
||||
probe = probe_result or {}
|
||||
probe_success = bool(probe.get("success"))
|
||||
error_message = str(
|
||||
probe.get("error")
|
||||
or probe.get("message")
|
||||
or probe.get("stderr")
|
||||
or probe.get("exception")
|
||||
or ""
|
||||
)
|
||||
error_type = str(probe.get("error_type") or "").strip()
|
||||
if not error_type and error_message:
|
||||
if _contains_eof(error_message):
|
||||
error_type = "namespace_eof"
|
||||
elif "timeout" in error_message.lower():
|
||||
error_type = "namespace_timeout"
|
||||
else:
|
||||
error_type = "namespace_call_failed"
|
||||
|
||||
if not configured:
|
||||
error_type = "namespace_not_configured"
|
||||
elif registered is False:
|
||||
error_type = "tool_missing"
|
||||
elif not probe_result:
|
||||
error_type = "live_probe_missing"
|
||||
elif not probe_success and not error_type:
|
||||
error_type = "namespace_call_failed"
|
||||
|
||||
callable_live = bool(configured and probe_result and probe_success)
|
||||
# Probe-path health (spawn or client). IDE-proven only for client path.
|
||||
healthy = bool(configured and registered is not False and callable_live)
|
||||
ide_namespace_proven = bool(healthy and source == PROBE_SOURCE_CLIENT)
|
||||
process_pid = process.get("pid") if isinstance(process, dict) else None
|
||||
profile_name = profile or (
|
||||
process.get("profile") if isinstance(process, dict) else None
|
||||
)
|
||||
env_summary = _safe_env_summary(process)
|
||||
|
||||
reasons: list[str] = []
|
||||
if not configured:
|
||||
reasons.append(f"MCP namespace '{ns}' is not configured.")
|
||||
if registered is False:
|
||||
reasons.append(
|
||||
f"Required tool '{tool}' is not registered in namespace '{ns}'."
|
||||
)
|
||||
if error_type == "live_probe_missing":
|
||||
reasons.append(
|
||||
f"No live client invocation proof was supplied for '{ns}.{tool}'."
|
||||
)
|
||||
elif error_type == "namespace_eof":
|
||||
reasons.append(
|
||||
f"Live MCP namespace '{ns}' returned EOF while invoking '{tool}'."
|
||||
)
|
||||
elif error_type == "namespace_timeout":
|
||||
reasons.append(
|
||||
f"Live MCP namespace '{ns}' timed out while invoking '{tool}'."
|
||||
)
|
||||
elif error_type == "namespace_call_failed":
|
||||
reasons.append(
|
||||
f"Live MCP namespace '{ns}' failed while invoking '{tool}'."
|
||||
)
|
||||
if source == PROBE_SOURCE_OFFLINE:
|
||||
reasons.append(
|
||||
"Probe source is offline_spawn (subprocess JSON-RPC); this does "
|
||||
"not prove the IDE-managed MCP namespace is healthy."
|
||||
)
|
||||
elif source == PROBE_SOURCE_UNKNOWN and probe_result:
|
||||
reasons.append(
|
||||
"Probe source unspecified; treat as not IDE-namespace proof unless "
|
||||
"re-supplied with probe_source='client_namespace'."
|
||||
)
|
||||
|
||||
remediation = []
|
||||
if not healthy or not ide_namespace_proven:
|
||||
remediation.append(
|
||||
"Reconnect the IDE MCP client namespace (client reconnect / "
|
||||
f"relaunch), then invoke '{tool}' through namespace '{ns}' and "
|
||||
"record the result with probe_source='client_namespace'."
|
||||
)
|
||||
remediation.append(
|
||||
"Do not treat offline subprocess probes (test_mcp_conn.py) or "
|
||||
"shell kill/PID respawn as proof the IDE namespace is repaired."
|
||||
)
|
||||
if process_pid and source != PROBE_SOURCE_OFFLINE:
|
||||
remediation.append(
|
||||
f"Diagnostics may include PID {process_pid}; process details "
|
||||
"are informational only — recovery is client-layer reconnect."
|
||||
)
|
||||
else:
|
||||
remediation.append(
|
||||
f"IDE-managed namespace '{ns}' can invoke '{tool}' "
|
||||
f"(probe_source={source})."
|
||||
)
|
||||
|
||||
# Client-namespace broken health blocks review/merge. Offline probes never
|
||||
# authorize mutations and only block when they report unhealthy (still
|
||||
# fail-closed for known bad spawn evidence).
|
||||
blocks = False
|
||||
if source == PROBE_SOURCE_CLIENT:
|
||||
blocks = namespace_health_blocks_task("merge_pr", healthy)
|
||||
elif source == PROBE_SOURCE_OFFLINE:
|
||||
# Offline never proves IDE health; never unblock. Unhealthy offline
|
||||
# still surfaces as a soft diagnostic, not a mutation-ledger block.
|
||||
blocks = False
|
||||
else:
|
||||
# Unknown source: only block when evidence is unhealthy (fail closed
|
||||
# on bad data without treating success as IDE proof).
|
||||
blocks = namespace_health_blocks_task("merge_pr", healthy)
|
||||
|
||||
return {
|
||||
"success": healthy,
|
||||
"healthy": healthy,
|
||||
"namespace": ns,
|
||||
"required_tool": tool,
|
||||
"configured": configured,
|
||||
"registered_tools_checked": registered_list is not None,
|
||||
"required_tool_registered": registered,
|
||||
"required_tool_callable": callable_live,
|
||||
"probe_source": source,
|
||||
"ide_namespace_proven": ide_namespace_proven,
|
||||
"error_type": None if healthy else error_type,
|
||||
"error_message": error_message or None,
|
||||
"reasons": reasons,
|
||||
"remediation": remediation,
|
||||
"diagnostics": {
|
||||
"namespace": ns,
|
||||
"required_tool": tool,
|
||||
"process_pid": process_pid,
|
||||
"profile": profile_name,
|
||||
"env": env_summary,
|
||||
"config_path": config_path,
|
||||
"probe_source": source,
|
||||
},
|
||||
"blocks_merge_workflow": blocks,
|
||||
}
|
||||
|
||||
|
||||
def namespace_health_blocks_task(task: str, healthy: bool) -> bool:
|
||||
"""Return whether a broken namespace must block a workflow task."""
|
||||
if healthy:
|
||||
return False
|
||||
return (task or "").strip() in {"merge_pr", "review_pr", "submit_review"}
|
||||
|
||||
|
||||
def required_namespace_for_task(task: str) -> str | None:
|
||||
"""Map a mutation task to the MCP namespace that must be healthy."""
|
||||
return TASK_REQUIRED_NAMESPACES.get((task or "").strip())
|
||||
|
||||
|
||||
def mutation_gate_from_session(
|
||||
task: str,
|
||||
session_health: dict[str, dict[str, Any]] | None,
|
||||
) -> list[str]:
|
||||
"""Fail-closed gate using recorded client-namespace health assessments.
|
||||
|
||||
* Missing session entry → no gate (caller has not assessed yet).
|
||||
* Client-namespace unhealthy / not IDE-proven → block mutation.
|
||||
* Offline-only session entries never authorize mutations.
|
||||
"""
|
||||
ns = required_namespace_for_task(task)
|
||||
if not ns:
|
||||
return []
|
||||
store = session_health or {}
|
||||
entry = store.get(ns)
|
||||
if not entry:
|
||||
return []
|
||||
source = _normalize_probe_source(entry.get("probe_source"))
|
||||
if source != PROBE_SOURCE_CLIENT:
|
||||
return [
|
||||
f"recorded namespace health for '{ns}' is probe_source={source}, "
|
||||
"not client_namespace; re-probe through the IDE-managed path "
|
||||
f"before {(task or 'mutation')}"
|
||||
]
|
||||
if entry.get("ide_namespace_proven") and entry.get("healthy"):
|
||||
return []
|
||||
if entry.get("blocks_merge_workflow") or not entry.get("healthy"):
|
||||
detail = entry.get("error_type") or "unhealthy"
|
||||
return [
|
||||
f"live MCP namespace '{ns}' is recorded {detail} "
|
||||
f"(probe_source={source}); repair the IDE namespace before "
|
||||
f"{(task or 'mutation')} (fail closed, #543)"
|
||||
]
|
||||
if not entry.get("ide_namespace_proven"):
|
||||
return [
|
||||
f"live MCP namespace '{ns}' is not IDE-proven; supply a "
|
||||
"client_namespace probe before mutation (fail closed, #543)"
|
||||
]
|
||||
return []
|
||||
@@ -6,6 +6,10 @@ Runs over stdio. All tools authenticate via macOS keychain (git credential fill)
|
||||
import os
|
||||
import sys
|
||||
|
||||
if "PYTEST_CURRENT_TEST" not in os.environ:
|
||||
sys.stderr = open("/tmp/mcp_server_stderr.log", "a", buffering=1)
|
||||
sys.stderr.write(f"\n--- MCP SERVER STARTUP (PID {os.getpid()}) ---\n")
|
||||
|
||||
from role_session_router import (
|
||||
python_bytes_have_conflict_markers,
|
||||
skip_python_scan_walk_root,
|
||||
|
||||
@@ -30,6 +30,14 @@ DEFAULT_TTL_HOURS = 4.0
|
||||
|
||||
KIND_WORKFLOW_LOAD = "review_workflow_load"
|
||||
KIND_DECISION_LOCK = "review_decision_lock"
|
||||
KIND_REVIEW_DRAFT = "review_draft"
|
||||
# Durable marker set when a worker session attempts a direct stable-branch push
|
||||
# or a root-checkout local commit (#671). Keyed per profile identity like the
|
||||
# other session proofs; a contaminated session fails closed on gated mutations
|
||||
# until a reconciler audits and clears it.
|
||||
KIND_STABLE_BRANCH_CONTAMINATION = "stable_branch_contamination"
|
||||
|
||||
|
||||
|
||||
_SAFE_SEGMENT_RE = re.compile(r"[^A-Za-z0-9._+-]+")
|
||||
SESSION_PROFILE_LOCK_ENV = "GITEA_SESSION_PROFILE_LOCK"
|
||||
|
||||
@@ -7,6 +7,7 @@ after formal approval at the current PR head.
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import re
|
||||
from datetime import datetime, timezone
|
||||
from typing import Any
|
||||
|
||||
@@ -133,6 +134,115 @@ def is_sanctioned_session_lease(session: dict[str, Any] | None) -> bool:
|
||||
return False
|
||||
|
||||
|
||||
def describe_session_lease_proof(
|
||||
session: dict[str, Any] | None,
|
||||
) -> dict[str, Any]:
|
||||
"""Canonical merge-report lease proof fields (#535).
|
||||
|
||||
Surfaces how the in-session lease was established so merge handoffs can
|
||||
distinguish sanctioned MCP acquire/adopt paths from bare manual seeding.
|
||||
"""
|
||||
if not session:
|
||||
return {
|
||||
"lease_proof_source": None,
|
||||
"lease_recovery_reason": None,
|
||||
"lease_proof_kind": "none",
|
||||
"lease_proof_sanctioned": False,
|
||||
"lease_proof_comment_id": None,
|
||||
"lease_adopted_from_session_id": None,
|
||||
}
|
||||
|
||||
provenance = session.get("lease_provenance") or {}
|
||||
if not isinstance(provenance, dict):
|
||||
provenance = {}
|
||||
source = (provenance.get("source") or "").strip() or None
|
||||
sanctioned = is_sanctioned_session_lease(session)
|
||||
reason = provenance.get("adoption_reason")
|
||||
if isinstance(reason, str):
|
||||
reason = reason.strip() or None
|
||||
else:
|
||||
reason = None
|
||||
|
||||
if source == SOURCE_ADOPT and sanctioned:
|
||||
kind = "sanctioned_adoption"
|
||||
reason = reason or DEFAULT_ADOPTION_REASON
|
||||
elif source == SOURCE_ACQUIRE and sanctioned:
|
||||
kind = "sanctioned_acquire"
|
||||
elif source == SOURCE_HEARTBEAT and sanctioned:
|
||||
kind = "sanctioned_heartbeat"
|
||||
elif source:
|
||||
kind = "unsanctioned"
|
||||
else:
|
||||
# Session present without provenance = classic manual _SESSION_LEASE seed.
|
||||
kind = "unsanctioned_manual_seed"
|
||||
|
||||
comment_id = provenance.get("comment_id")
|
||||
if comment_id is None:
|
||||
comment_id = session.get("comment_id")
|
||||
|
||||
return {
|
||||
"lease_proof_source": source,
|
||||
"lease_recovery_reason": reason,
|
||||
"lease_proof_kind": kind,
|
||||
"lease_proof_sanctioned": sanctioned,
|
||||
"lease_proof_comment_id": comment_id,
|
||||
"lease_adopted_from_session_id": provenance.get("adopted_from_session_id"),
|
||||
}
|
||||
|
||||
|
||||
# Phrases that claim non-MCP / fabricated lease proof in handoffs (#535).
|
||||
_UNSAFE_LEASE_PROOF_CLAIM_RE = re.compile(
|
||||
r"(?is)\b("
|
||||
r"manually\s+seeded\s+lease|"
|
||||
r"manual(?:ly)?\s+seed(?:ed)?\s+(?:lease|proof)|"
|
||||
r"seeded\s+lease\s+proof|"
|
||||
r"injected\s+lease|"
|
||||
r"lease\s+proof\s+injected|"
|
||||
r"manual\s+_?SESSION_LEASE|"
|
||||
r"_SESSION_LEASE\s+seed|"
|
||||
r"unsanctioned\s+lease\s+proof"
|
||||
r")\b"
|
||||
)
|
||||
|
||||
# Evidence that the report used the sanctioned MCP adoption/acquire path.
|
||||
_SANCTIONED_LEASE_EVIDENCE_RE = re.compile(
|
||||
r"(?is)\b("
|
||||
r"gitea_adopt_merger_pr_lease|"
|
||||
r"gitea_acquire_reviewer_pr_lease|"
|
||||
r"lease_proof_source\s*[:=]\s*gitea_adopt_merger_pr_lease|"
|
||||
r"lease_proof_source\s*[:=]\s*gitea_acquire_reviewer_pr_lease|"
|
||||
r"lease_proof_kind\s*[:=]\s*sanctioned_adoption|"
|
||||
r"lease_proof_kind\s*[:=]\s*sanctioned_acquire|"
|
||||
r"adoption_comment_id\s*[:=]|"
|
||||
r"sanctioned_adoption|"
|
||||
r"mcp-review-lease-adoption"
|
||||
r")\b"
|
||||
)
|
||||
|
||||
|
||||
def assess_manual_lease_proof_handoff(report_text: str) -> dict[str, Any]:
|
||||
"""Controller audit: block handoffs that claim unsafe lease seeding (#535).
|
||||
|
||||
Reports may discuss manual seeding as a blocked/historical anti-pattern only
|
||||
when they also cite sanctioned MCP adoption/acquire evidence. Bare claims of
|
||||
manual/seeded/injected lease proof without that evidence fail closed.
|
||||
"""
|
||||
text = report_text or ""
|
||||
if not _UNSAFE_LEASE_PROOF_CLAIM_RE.search(text):
|
||||
return {"proven": True, "block": False, "reasons": []}
|
||||
if _SANCTIONED_LEASE_EVIDENCE_RE.search(text):
|
||||
return {"proven": True, "block": False, "reasons": []}
|
||||
return {
|
||||
"proven": False,
|
||||
"block": True,
|
||||
"reasons": [
|
||||
"report claims manual/seeded/injected/unsanctioned lease proof without "
|
||||
"sanctioned MCP adoption evidence (use gitea_adopt_merger_pr_lease / "
|
||||
"gitea_acquire_reviewer_pr_lease and cite lease_proof_source; #535)"
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
def assess_adopt_merger_lease(
|
||||
comments: list[dict],
|
||||
*,
|
||||
|
||||
@@ -0,0 +1,222 @@
|
||||
"""Canonical post-merge (moot) validation outcome and wording gate (#529).
|
||||
|
||||
When a PR is already merged or closed *before* a reviewer submits their
|
||||
verdict, an ordinary "approve" is misleading: the review never gated the
|
||||
merge, so a normal active approval overstates controller confidence. The
|
||||
sanctioned outcome for that case is a **post-merge moot validation** — the
|
||||
reviewer records what validation found, but classifies it as moot rather than
|
||||
an active approval.
|
||||
|
||||
This module defines the four canonical validation distinctions #529 requires
|
||||
and enforces the post-merge case:
|
||||
|
||||
- ``CLEAN_PASS_OUTCOME`` — clean validation pass on an open, reviewable PR.
|
||||
- ``BASELINE_ACCEPTED_OUTCOME`` — validation pass with a baseline-proven
|
||||
unrelated failure (proof handled by :mod:`premerge_baseline_proof`).
|
||||
- ``BLOCKED_OUTCOME`` — validation blocked by an unresolved failure.
|
||||
- ``POST_MERGE_MOOT_OUTCOME`` — the PR was already merged/closed before review
|
||||
submission; validation is recorded as post-merge moot, not an active
|
||||
approval.
|
||||
|
||||
The gate blocks two mistakes:
|
||||
|
||||
1. Claiming an *active approval* on a PR that was already merged/closed before
|
||||
review submission (must be recorded as post-merge moot validation instead).
|
||||
2. Claiming post-merge moot validation without proof the PR is actually
|
||||
merged/closed (a merged-state field plus a merge commit SHA).
|
||||
|
||||
Each outcome maps to a durable ``validation:*`` process-state label so PRs and
|
||||
issues carry the distinction (#529 acceptance criterion).
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import re
|
||||
from typing import Any
|
||||
|
||||
CLEAN_PASS_OUTCOME = "clean validation pass"
|
||||
BASELINE_ACCEPTED_OUTCOME = "validation pass with baseline-proven unrelated failure"
|
||||
BLOCKED_OUTCOME = "validation blocked by unresolved failure"
|
||||
POST_MERGE_MOOT_OUTCOME = "post-merge moot validation"
|
||||
|
||||
# Canonical validation status label a reviewer writes in the report body for the
|
||||
# post-merge case; kept in sync with validation_status_vocabulary.
|
||||
POST_MERGE_MOOT_STATUS = "post-merge moot validation"
|
||||
|
||||
# Durable process-state labels (registered in issue_workflow_labels).
|
||||
LABEL_CLEAN_PASS = "validation:clean-pass"
|
||||
LABEL_BASELINE_ACCEPTED = "validation:baseline-accepted"
|
||||
LABEL_BLOCKED = "validation:blocked"
|
||||
LABEL_POST_MERGE_MOOT = "validation:post-merge-moot"
|
||||
|
||||
_OUTCOME_TO_LABEL: dict[str, str] = {
|
||||
CLEAN_PASS_OUTCOME: LABEL_CLEAN_PASS,
|
||||
BASELINE_ACCEPTED_OUTCOME: LABEL_BASELINE_ACCEPTED,
|
||||
BLOCKED_OUTCOME: LABEL_BLOCKED,
|
||||
POST_MERGE_MOOT_OUTCOME: LABEL_POST_MERGE_MOOT,
|
||||
}
|
||||
|
||||
# The PR was already merged/closed before the review was submitted.
|
||||
_MERGED_BEFORE_REVIEW_RE = re.compile(
|
||||
r"(?:already[- ]merged"
|
||||
r"|merged\s+before\s+review"
|
||||
r"|closed\s+before\s+review"
|
||||
r"|pr\s+(?:is|was)\s+(?:already\s+)?(?:merged|closed)"
|
||||
r"|pr\s+state\s*[:=]\s*(?:merged|closed)"
|
||||
r"|merged\s*/\s*closed)",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
# An active approval verdict is being claimed.
|
||||
_ACTIVE_APPROVAL_RE = re.compile(
|
||||
r"(?:review\s+decision\s*[:=]\s*approve"
|
||||
r"|submitted\s+['\"]?approve['\"]?"
|
||||
r"|active\s+approval"
|
||||
r"|approving\s+the\s+pr"
|
||||
r"|posting\s+an?\s+approval)",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
# The sanctioned post-merge moot validation wording.
|
||||
_POST_MERGE_MOOT_RE = re.compile(
|
||||
r"post[- ]merge\s+(?:moot\s+)?validation"
|
||||
r"|post[- ]merge\s+moot"
|
||||
r"|moot\s+validation",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
# Proof the PR is genuinely merged/closed.
|
||||
_MERGED_STATE_PROOF_RE = re.compile(
|
||||
r"(?:pr\s+state\s*[:=]\s*(?:merged|closed)"
|
||||
r"|merged_at\s*[:=]\s*\S"
|
||||
r"|closed_at\s*[:=]\s*\S"
|
||||
r"|state\s*[:=]\s*(?:merged|closed))",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
_MERGE_COMMIT_SHA_RE = re.compile(
|
||||
r"merge\s+commit(?:\s+sha)?\s*[:=]\s*[0-9a-f]{7,40}",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
|
||||
|
||||
POST_MERGE_VALIDATION_TEMPLATE = (
|
||||
"Validation status: post-merge moot validation\n"
|
||||
"PR state: merged\n"
|
||||
"Merge commit sha: <40-hex merge commit>\n"
|
||||
"Validation finding: <what the validation run showed, for the record>\n"
|
||||
"Note: PR merged/closed before review submission; recorded as post-merge "
|
||||
"moot validation, not an active approval."
|
||||
)
|
||||
|
||||
|
||||
def process_state_label(outcome: str) -> str | None:
|
||||
"""Return the durable ``validation:*`` label for a canonical outcome."""
|
||||
return _OUTCOME_TO_LABEL.get(outcome)
|
||||
|
||||
|
||||
def assess_post_merge_validation(
|
||||
report_text: str,
|
||||
*,
|
||||
pr_merged_or_closed: bool | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Assess post-merge moot validation wording and proof (#529).
|
||||
|
||||
Args:
|
||||
report_text: The reviewer final report text.
|
||||
pr_merged_or_closed: Optional structured signal that the PR is already
|
||||
merged/closed. When ``True`` it forces the merged-before-review
|
||||
path even if the report text omits the phrasing; proof fields are
|
||||
still required in the report body for durability.
|
||||
|
||||
Returns a dict with ``proven``, ``block``, ``outcome``,
|
||||
``process_state_label``, ``reasons``, ``skipped`` and ``safe_next_action``.
|
||||
Only blocks when the report either claims an active approval on a
|
||||
merged/closed PR, or claims post-merge moot validation without proof.
|
||||
"""
|
||||
text = report_text or ""
|
||||
|
||||
merged_signal = bool(_MERGED_BEFORE_REVIEW_RE.search(text)) or bool(
|
||||
pr_merged_or_closed
|
||||
)
|
||||
active_approval = bool(_ACTIVE_APPROVAL_RE.search(text))
|
||||
moot_wording = bool(_POST_MERGE_MOOT_RE.search(text))
|
||||
|
||||
# Nothing about merged-state or moot validation — not applicable here.
|
||||
if not merged_signal and not moot_wording:
|
||||
return {
|
||||
"proven": True,
|
||||
"block": False,
|
||||
"outcome": None,
|
||||
"process_state_label": None,
|
||||
"reasons": [],
|
||||
"skipped": True,
|
||||
"safe_next_action": "",
|
||||
}
|
||||
|
||||
# An active approval on a PR already merged/closed before review, without
|
||||
# the sanctioned moot wording, overstates confidence.
|
||||
if merged_signal and active_approval and not moot_wording:
|
||||
return {
|
||||
"proven": False,
|
||||
"block": True,
|
||||
"outcome": POST_MERGE_MOOT_OUTCOME,
|
||||
"process_state_label": LABEL_POST_MERGE_MOOT,
|
||||
"reasons": [
|
||||
"PR was already merged/closed before review submission; an "
|
||||
"active approval overstates confidence — record 'post-merge "
|
||||
"moot validation' instead of a normal approval"
|
||||
],
|
||||
"skipped": False,
|
||||
"safe_next_action": (
|
||||
"classify the outcome as post-merge moot validation (not an "
|
||||
"active approval); cite PR state merged/closed and the merge "
|
||||
"commit SHA. Template:\n" + POST_MERGE_VALIDATION_TEMPLATE
|
||||
),
|
||||
}
|
||||
|
||||
# Post-merge moot validation claimed — require merged-state + commit proof.
|
||||
if moot_wording:
|
||||
reasons: list[str] = []
|
||||
if not _MERGED_STATE_PROOF_RE.search(text):
|
||||
reasons.append(
|
||||
"post-merge moot validation claimed without merged/closed state "
|
||||
"proof (state: merged/closed, or merged_at/closed_at)"
|
||||
)
|
||||
if not _MERGE_COMMIT_SHA_RE.search(text):
|
||||
reasons.append(
|
||||
"post-merge moot validation claimed without a merge commit SHA"
|
||||
)
|
||||
if reasons:
|
||||
return {
|
||||
"proven": False,
|
||||
"block": True,
|
||||
"outcome": POST_MERGE_MOOT_OUTCOME,
|
||||
"process_state_label": LABEL_POST_MERGE_MOOT,
|
||||
"reasons": reasons,
|
||||
"skipped": False,
|
||||
"safe_next_action": (
|
||||
"prove the PR is merged/closed: cite PR state and the merge "
|
||||
"commit SHA. Template:\n" + POST_MERGE_VALIDATION_TEMPLATE
|
||||
),
|
||||
}
|
||||
return {
|
||||
"proven": True,
|
||||
"block": False,
|
||||
"outcome": POST_MERGE_MOOT_OUTCOME,
|
||||
"process_state_label": LABEL_POST_MERGE_MOOT,
|
||||
"reasons": [],
|
||||
"skipped": False,
|
||||
"safe_next_action": "",
|
||||
}
|
||||
|
||||
# Merged signal present but no approval claim and no moot wording yet —
|
||||
# guide toward the moot outcome without blocking.
|
||||
return {
|
||||
"proven": True,
|
||||
"block": False,
|
||||
"outcome": POST_MERGE_MOOT_OUTCOME,
|
||||
"process_state_label": LABEL_POST_MERGE_MOOT,
|
||||
"reasons": [],
|
||||
"skipped": False,
|
||||
"safe_next_action": (
|
||||
"PR appears merged/closed; if submitting a verdict, record "
|
||||
"post-merge moot validation rather than an active approval"
|
||||
),
|
||||
}
|
||||
+26
-2
@@ -16,11 +16,35 @@ or the local remote URL is unavailable (best-effort corroboration only).
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import re
|
||||
|
||||
REMEDIATION = (
|
||||
"Pass explicit org= and repo= matching the local git remote, "
|
||||
"e.g. org=Scaled-Tech-Consulting repo=Gitea-Tools."
|
||||
"Pass explicit org= and repo= matching the local git remote on tools that "
|
||||
"accept those parameters (including mcp_get_control_plane_guide), "
|
||||
"e.g. org=Scaled-Tech-Consulting repo=Gitea-Tools. "
|
||||
"Do not pass org/repo to tools whose schema does not list them."
|
||||
)
|
||||
|
||||
# https://host/org/repo.git or git@host:org/repo.git
|
||||
_REMOTE_URL_SLUG_RE = re.compile(
|
||||
r"(?:[:/])(?P<org>[^/]+)/(?P<repo>[^/]+?)(?:\.git)?/*$"
|
||||
)
|
||||
|
||||
|
||||
def parse_org_repo_from_remote_url(remote_url: str | None) -> tuple[str, str] | None:
|
||||
"""Best-effort parse of org/repo from a git remote URL."""
|
||||
url = (remote_url or "").strip()
|
||||
if not url:
|
||||
return None
|
||||
match = _REMOTE_URL_SLUG_RE.search(url)
|
||||
if not match:
|
||||
return None
|
||||
org = (match.group("org") or "").strip()
|
||||
repo = (match.group("repo") or "").strip()
|
||||
if not org or not repo:
|
||||
return None
|
||||
return org, repo
|
||||
|
||||
|
||||
def assess_remote_repo_match(
|
||||
*,
|
||||
|
||||
@@ -93,8 +93,16 @@ def assess_workflow_blockers(
|
||||
capability_blocked: bool = False,
|
||||
mcp_reconnect_failed: bool = False,
|
||||
stale_capability_state: bool = False,
|
||||
live_namespace_broken: bool = False,
|
||||
) -> dict[str, Any]:
|
||||
"""Return hard blockers that forbid all PR queue work (#290 AC3)."""
|
||||
"""Return hard blockers that forbid all PR queue work (#290 AC3).
|
||||
|
||||
``live_namespace_broken`` fails the merge/review path closed when the live
|
||||
MCP namespace call path is unusable (e.g. ``client is closing: EOF``) even
|
||||
though the tool is registered in FastMCP (#543 AC5). Feed it the
|
||||
``blocks_merge_workflow`` verdict from
|
||||
``mcp_namespace_health.classify_namespace_probe``.
|
||||
"""
|
||||
reasons: list[str] = []
|
||||
if infra_stop:
|
||||
reasons.append("infra_stop is active; PR selection/review/merge is forbidden")
|
||||
@@ -104,6 +112,12 @@ def assess_workflow_blockers(
|
||||
reasons.append("MCP reconnect failed; stale session state cannot be reused")
|
||||
if stale_capability_state:
|
||||
reasons.append("stale MCP capability state detected after reconnect failure")
|
||||
if live_namespace_broken:
|
||||
reasons.append(
|
||||
"live MCP namespace call path is broken (registered in FastMCP but "
|
||||
"not callable through the namespace); repair the namespace before "
|
||||
"review/merge"
|
||||
)
|
||||
return {
|
||||
"block": bool(reasons),
|
||||
"reasons": reasons,
|
||||
@@ -118,16 +132,19 @@ def assess_state_advancement(
|
||||
state_completion: dict[str, bool] | None,
|
||||
*,
|
||||
target_state: str,
|
||||
infra_stop: bool = False,
|
||||
capability_blocked: bool = False,
|
||||
**blocker_kwargs,
|
||||
) -> dict[str, Any]:
|
||||
"""Fail closed when *target_state* is requested before upstream gates pass."""
|
||||
"""Fail closed when *target_state* is requested before upstream gates pass.
|
||||
|
||||
Forwards every blocker flag (``infra_stop``, ``capability_blocked``,
|
||||
``mcp_reconnect_failed``, ``stale_capability_state``,
|
||||
``live_namespace_broken``) to :func:`assess_workflow_blockers` so
|
||||
``can_approve``/``can_merge`` honor the full blocker set, not just
|
||||
infra_stop/capability_blocked (#543 AC5).
|
||||
"""
|
||||
completion = dict(state_completion or {})
|
||||
target = _clean(target_state).upper()
|
||||
blockers = assess_workflow_blockers(
|
||||
infra_stop=infra_stop,
|
||||
capability_blocked=capability_blocked,
|
||||
)
|
||||
blockers = assess_workflow_blockers(**blocker_kwargs)
|
||||
reasons = list(blockers["reasons"])
|
||||
|
||||
try:
|
||||
|
||||
@@ -4842,6 +4842,22 @@ RECONCILER_CLOSE_REPORT_FIELDS = (
|
||||
"no review/merge confirmation",
|
||||
)
|
||||
|
||||
RECONCILER_SUPERSESSION_REPORT_FIELDS = (
|
||||
"identity/profile",
|
||||
"supersession close capability proof",
|
||||
"target PR live state",
|
||||
"target PR independent-work proof",
|
||||
"superseding PR merged state",
|
||||
"superseding merge commit SHA",
|
||||
"target branch SHA",
|
||||
"superseding ancestry proof",
|
||||
"canonical close comment",
|
||||
"linked issue status",
|
||||
"PR close result",
|
||||
"issue close result",
|
||||
"no review/merge confirmation",
|
||||
)
|
||||
|
||||
|
||||
def assess_reconciler_close_gate(
|
||||
*,
|
||||
@@ -4988,6 +5004,157 @@ def assess_reconciler_close_gate(
|
||||
}
|
||||
|
||||
|
||||
def assess_reconciler_supersession_close_gate(
|
||||
*,
|
||||
target_pr_number: int | None,
|
||||
target_pr_state: str | None,
|
||||
target_pr_mergeable: bool | None,
|
||||
target_independently_required: bool | None,
|
||||
superseding_pr_number: int | None,
|
||||
superseding_pr_state: str | None,
|
||||
superseding_pr_merged: bool,
|
||||
superseding_merge_commit_sha: str | None,
|
||||
superseding_head_sha: str | None,
|
||||
target_branch: str | None,
|
||||
target_branch_sha: str | None,
|
||||
superseding_head_is_ancestor_of_target: bool | None,
|
||||
canonical_comment_valid: bool,
|
||||
canonical_comment_mentions_superseding_pr: bool,
|
||||
canonical_comment_mentions_merge_commit: bool,
|
||||
close_pr_capability: bool,
|
||||
close_issue_capability: bool = False,
|
||||
target_issue_state: str | None = None,
|
||||
issue_satisfied_by_superseding: bool = False,
|
||||
) -> dict:
|
||||
"""Gate reconciler closure of PRs/issues superseded by a merged PR.
|
||||
|
||||
This is stricter than already-landed cleanup: the target PR may be closed
|
||||
only after a named superseding PR is live-verified merged, its head is on a
|
||||
freshly fetched target branch, the target PR is proven not independently
|
||||
required, and a canonical close comment cites the superseding PR and merge
|
||||
commit.
|
||||
"""
|
||||
reasons: list[str] = []
|
||||
if not isinstance(target_pr_number, int) or target_pr_number <= 0:
|
||||
reasons.append("target PR number missing or invalid (#525)")
|
||||
if not isinstance(superseding_pr_number, int) or superseding_pr_number <= 0:
|
||||
reasons.append("superseding PR number missing or invalid (#525)")
|
||||
if target_pr_number and superseding_pr_number and (
|
||||
target_pr_number == superseding_pr_number
|
||||
):
|
||||
reasons.append("target PR and superseding PR must differ (#525)")
|
||||
if (target_pr_state or "").strip().lower() != "open":
|
||||
reasons.append("target PR must be live-verified open before close (#525)")
|
||||
if target_pr_mergeable is True:
|
||||
reasons.append(
|
||||
"target PR is still mergeable; prove it is superseded before close (#525)"
|
||||
)
|
||||
if target_independently_required is not False:
|
||||
reasons.append(
|
||||
"target PR independent-work proof missing; close requires explicit "
|
||||
"proof that no required work remains (#525)"
|
||||
)
|
||||
if (superseding_pr_state or "").strip().lower() != "closed":
|
||||
reasons.append("superseding PR must be live-verified closed (#525)")
|
||||
if superseding_pr_merged is not True:
|
||||
reasons.append("superseding PR must be live-verified merged (#525)")
|
||||
if not _FULL_SHA.match((superseding_merge_commit_sha or "").strip()):
|
||||
reasons.append("superseding merge commit SHA missing or invalid (#525)")
|
||||
if not _FULL_SHA.match((superseding_head_sha or "").strip()):
|
||||
reasons.append("superseding head SHA missing or invalid (#525)")
|
||||
if not (target_branch or "").strip():
|
||||
reasons.append("target branch missing (#525)")
|
||||
if not _FULL_SHA.match((target_branch_sha or "").strip()):
|
||||
reasons.append("target branch SHA missing or invalid (#525)")
|
||||
if superseding_head_is_ancestor_of_target is None:
|
||||
reasons.append("superseding ancestry proof not checked (#525)")
|
||||
if not canonical_comment_valid:
|
||||
reasons.append("canonical close comment failed validation (#525)")
|
||||
if not canonical_comment_mentions_superseding_pr:
|
||||
reasons.append("canonical comment must cite superseding PR (#525)")
|
||||
if not canonical_comment_mentions_merge_commit:
|
||||
reasons.append("canonical comment must cite merge commit SHA (#525)")
|
||||
|
||||
never_allowed = {
|
||||
"review_allowed": False,
|
||||
"approve_allowed": False,
|
||||
"request_changes_allowed": False,
|
||||
"merge_allowed": False,
|
||||
}
|
||||
|
||||
if reasons:
|
||||
return {
|
||||
"outcome": "GATE_NOT_PROVEN",
|
||||
"pr_close_allowed": False,
|
||||
"issue_close_allowed": False,
|
||||
"reasons": reasons,
|
||||
"required_report_fields": RECONCILER_SUPERSESSION_REPORT_FIELDS,
|
||||
"safe_next_action": (
|
||||
"prove superseding PR state, target branch ancestry, target "
|
||||
"supersession, and canonical comment before closing"
|
||||
),
|
||||
**never_allowed,
|
||||
}
|
||||
|
||||
if superseding_head_is_ancestor_of_target is False:
|
||||
return {
|
||||
"outcome": "SUPERSEDING_PR_NOT_ON_TARGET",
|
||||
"pr_close_allowed": False,
|
||||
"issue_close_allowed": False,
|
||||
"reasons": [
|
||||
f"superseding PR #{superseding_pr_number} head is not an "
|
||||
f"ancestor of {target_branch}; supersession close denied (#525)"
|
||||
],
|
||||
"required_report_fields": RECONCILER_SUPERSESSION_REPORT_FIELDS,
|
||||
"safe_next_action": "re-fetch target branch and re-check ancestry",
|
||||
**never_allowed,
|
||||
}
|
||||
|
||||
if close_pr_capability is not True:
|
||||
return {
|
||||
"outcome": "RECOVERY_HANDOFF_REQUIRED",
|
||||
"pr_close_allowed": False,
|
||||
"issue_close_allowed": False,
|
||||
"reasons": [
|
||||
"exact gitea.pr.close capability not proven; produce a "
|
||||
"recovery handoff instead of closing (#525)"
|
||||
],
|
||||
"required_report_fields": RECONCILER_SUPERSESSION_REPORT_FIELDS,
|
||||
"safe_next_action": (
|
||||
"launch a reconciler profile with gitea.pr.close and replay "
|
||||
"the live-state proof"
|
||||
),
|
||||
**never_allowed,
|
||||
}
|
||||
|
||||
issue_close_allowed = (
|
||||
(target_issue_state or "").strip().lower() == "open"
|
||||
and issue_satisfied_by_superseding is True
|
||||
and close_issue_capability is True
|
||||
)
|
||||
issue_reasons = []
|
||||
if (target_issue_state or "").strip().lower() == "closed":
|
||||
issue_reasons.append("linked issue already closed; no issue close attempted (#525)")
|
||||
elif target_issue_state and not issue_close_allowed:
|
||||
issue_reasons.append(
|
||||
"issue close requires an open issue satisfied by the superseding "
|
||||
"merged PR and exact gitea.issue.close capability (#525)"
|
||||
)
|
||||
|
||||
return {
|
||||
"outcome": "SUPERSESSION_CLOSE_ALLOWED",
|
||||
"pr_close_allowed": True,
|
||||
"issue_close_allowed": issue_close_allowed,
|
||||
"reasons": issue_reasons,
|
||||
"required_report_fields": RECONCILER_SUPERSESSION_REPORT_FIELDS,
|
||||
"safe_next_action": (
|
||||
"post the canonical comment, close the superseded PR, and close "
|
||||
"the linked issue only when issue_close_allowed is true"
|
||||
),
|
||||
**never_allowed,
|
||||
}
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Identity disclosure (#305)
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
+238
-1
@@ -522,4 +522,241 @@ def assess_lease_inventory(
|
||||
"active_review_leases": active,
|
||||
"stale_review_leases": stale,
|
||||
"reclaimable_review_leases": reclaimable,
|
||||
}
|
||||
}
|
||||
|
||||
# Canonical next-action vocabulary for reviewer lease handoff (#599).
|
||||
NEXT_ACTION_ACQUIRE = "acquire"
|
||||
NEXT_ACTION_WAIT = "wait"
|
||||
NEXT_ACTION_RESUME_EXACT_OWNER_SESSION = "resume_exact_owner_session"
|
||||
NEXT_ACTION_RELEASE_EXPIRED_LEASE = "release_expired_lease"
|
||||
NEXT_ACTION_OPERATOR_AUTHORIZED_CLEANUP = "operator_authorized_cleanup"
|
||||
NEXT_ACTION_REPAIR_WORKTREE_BINDING = "repair_worktree_binding"
|
||||
|
||||
_HANDOFF_CLASSIFICATIONS = frozenset({
|
||||
"no_lease",
|
||||
"own_active",
|
||||
"own_expired",
|
||||
"foreign_active",
|
||||
"foreign_reclaimable",
|
||||
"foreign_expired",
|
||||
"instructed_lease_missing_with_replacement",
|
||||
"worktree_binding_mismatch",
|
||||
})
|
||||
|
||||
|
||||
def _norm_path(value: str | None) -> str:
|
||||
text = (value or "").strip()
|
||||
if not text:
|
||||
return ""
|
||||
return os.path.normpath(text.rstrip("/"))
|
||||
|
||||
|
||||
def diagnose_reviewer_pr_lease_handoff(
|
||||
comments: list[dict],
|
||||
*,
|
||||
pr_number: int,
|
||||
current_session_id: str | None,
|
||||
current_reviewer_identity: str | None,
|
||||
proposed_worktree: str | None = None,
|
||||
env_bound_worktree: str | None = None,
|
||||
instructed_session_id: str | None = None,
|
||||
instructed_comment_id: int | None = None,
|
||||
now: datetime | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Classify open-PR reviewer lease handoff and emit a canonical next action (#599).
|
||||
|
||||
Read-only diagnosis. Never steals, releases, or adopts a foreign lease.
|
||||
Fail-closed acquisition rules for active foreign leases remain intact.
|
||||
|
||||
Returns a structured diagnosis with:
|
||||
- classification
|
||||
- next_action (one of wait / resume_exact_owner_session /
|
||||
release_expired_lease / operator_authorized_cleanup /
|
||||
repair_worktree_binding / acquire)
|
||||
- active_lease identity fields when present
|
||||
- worktree_binding match result
|
||||
- instructed-lease mismatch flags
|
||||
"""
|
||||
now = now or datetime.now(timezone.utc)
|
||||
session_id = (current_session_id or "").strip()
|
||||
identity = (current_reviewer_identity or "").strip()
|
||||
instructed_sid = (instructed_session_id or "").strip()
|
||||
reasons: list[str] = []
|
||||
|
||||
active = find_active_reviewer_lease(comments, pr_number=pr_number, now=now)
|
||||
session_lease = get_session_lease()
|
||||
|
||||
# Worktree binding: env-bound vs proposed vs active lease worktree.
|
||||
env_wt = _norm_path(env_bound_worktree)
|
||||
prop_wt = _norm_path(proposed_worktree)
|
||||
lease_wt = _norm_path((active or {}).get("worktree") if active else None)
|
||||
binding_mismatch = False
|
||||
binding_details: dict[str, Any] = {
|
||||
"env_bound_worktree": env_bound_worktree or None,
|
||||
"proposed_worktree": proposed_worktree or None,
|
||||
"lease_worktree": (active or {}).get("worktree") if active else None,
|
||||
"match": True,
|
||||
}
|
||||
paths = [p for p in (env_wt, prop_wt, lease_wt) if p]
|
||||
if len(paths) >= 2 and len(set(paths)) > 1:
|
||||
binding_mismatch = True
|
||||
binding_details["match"] = False
|
||||
reasons.append(
|
||||
"worktree binding mismatch: env/proposed/lease worktree paths disagree"
|
||||
)
|
||||
|
||||
# Instructed lease gone while a different lease is active (PR #592-style).
|
||||
instructed_missing_with_replacement = False
|
||||
if instructed_sid or instructed_comment_id is not None:
|
||||
if not active:
|
||||
reasons.append(
|
||||
"instructed lease is gone and no active replacement lease remains"
|
||||
)
|
||||
else:
|
||||
owner = (active.get("session_id") or "").strip()
|
||||
cid = active.get("comment_id")
|
||||
sid_mismatch = bool(instructed_sid and owner and owner != instructed_sid)
|
||||
cid_mismatch = (
|
||||
instructed_comment_id is not None
|
||||
and cid is not None
|
||||
and int(cid) != int(instructed_comment_id)
|
||||
)
|
||||
if sid_mismatch or cid_mismatch:
|
||||
instructed_missing_with_replacement = True
|
||||
reasons.append(
|
||||
"instructed lease is gone; a different active lease replaced it "
|
||||
f"(active session_id={owner}, comment_id={cid})"
|
||||
)
|
||||
|
||||
# Classification + next_action.
|
||||
classification = "no_lease"
|
||||
next_action = NEXT_ACTION_ACQUIRE
|
||||
|
||||
if active:
|
||||
owner = (active.get("session_id") or "").strip()
|
||||
freshness = active.get("freshness") or classify_lease_freshness(
|
||||
active, now=now
|
||||
)
|
||||
owner_identity = (active.get("reviewer_identity") or "").strip()
|
||||
is_own = bool(session_id and owner and owner == session_id)
|
||||
# Same identity alone is NOT ownership for resume; session_id must match.
|
||||
same_identity = bool(
|
||||
identity and owner_identity and identity == owner_identity
|
||||
)
|
||||
|
||||
if is_own and freshness in {"active", "stale_warning"}:
|
||||
classification = "own_active"
|
||||
next_action = NEXT_ACTION_RESUME_EXACT_OWNER_SESSION
|
||||
elif is_own and freshness in {"reclaimable", "expired"}:
|
||||
classification = "own_expired"
|
||||
next_action = NEXT_ACTION_RELEASE_EXPIRED_LEASE
|
||||
reasons.append(
|
||||
f"own lease freshness is '{freshness}'; release via "
|
||||
"gitea_release_reviewer_pr_lease then re-acquire"
|
||||
)
|
||||
elif not is_own and freshness in {"active", "stale_warning"}:
|
||||
classification = "foreign_active"
|
||||
next_action = NEXT_ACTION_WAIT
|
||||
reasons.append(
|
||||
f"foreign active reviewer lease (session_id={owner}, "
|
||||
f"phase={active.get('phase')}, freshness={freshness}); "
|
||||
"do not submit; do not steal"
|
||||
)
|
||||
if same_identity:
|
||||
reasons.append(
|
||||
"lease identity matches current reviewer but session_id differs; "
|
||||
"resume only from the exact owner session_id or wait"
|
||||
)
|
||||
elif not is_own and freshness == "reclaimable":
|
||||
classification = "foreign_reclaimable"
|
||||
next_action = NEXT_ACTION_RELEASE_EXPIRED_LEASE
|
||||
reasons.append(
|
||||
f"foreign reclaimable lease (session_id={owner}); clear only via "
|
||||
"sanctioned gitea_release_reviewer_pr_lease when reclaimable"
|
||||
)
|
||||
elif not is_own and freshness == "expired":
|
||||
classification = "foreign_expired"
|
||||
next_action = NEXT_ACTION_RELEASE_EXPIRED_LEASE
|
||||
reasons.append(
|
||||
f"foreign expired lease (session_id={owner}); use sanctioned release"
|
||||
)
|
||||
else:
|
||||
classification = "foreign_active"
|
||||
next_action = NEXT_ACTION_WAIT
|
||||
reasons.append(
|
||||
f"unclassified active lease state (session_id={owner}, "
|
||||
f"freshness={freshness}); wait fail-closed"
|
||||
)
|
||||
|
||||
if instructed_missing_with_replacement and classification.startswith(
|
||||
"foreign"
|
||||
):
|
||||
classification = "instructed_lease_missing_with_replacement"
|
||||
# Foreign active still means wait; reclaimable still release.
|
||||
if next_action == NEXT_ACTION_WAIT:
|
||||
reasons.append(
|
||||
"replacement foreign lease is active — wait; "
|
||||
"operator_authorized_cleanup only with explicit operator authority"
|
||||
)
|
||||
else:
|
||||
classification = "no_lease"
|
||||
next_action = NEXT_ACTION_ACQUIRE
|
||||
reasons.append("no active reviewer lease; acquire via gitea_acquire_reviewer_pr_lease")
|
||||
|
||||
# Binding mismatch is a first-class blocker before submit, but does not
|
||||
# erase foreign-lease wait/release guidance. Override next_action only when
|
||||
# the session would otherwise be free to acquire or resume (submit path).
|
||||
if binding_mismatch:
|
||||
if next_action in {
|
||||
NEXT_ACTION_ACQUIRE,
|
||||
NEXT_ACTION_RESUME_EXACT_OWNER_SESSION,
|
||||
}:
|
||||
classification = "worktree_binding_mismatch"
|
||||
next_action = NEXT_ACTION_REPAIR_WORKTREE_BINDING
|
||||
else:
|
||||
reasons.append(
|
||||
"also repair worktree binding before submit "
|
||||
f"(next_action remains {next_action})"
|
||||
)
|
||||
|
||||
lease_summary = None
|
||||
if active:
|
||||
lease_summary = {
|
||||
"comment_id": active.get("comment_id"),
|
||||
"session_id": active.get("session_id"),
|
||||
"phase": active.get("phase"),
|
||||
"candidate_head": active.get("candidate_head"),
|
||||
"expires_at": active.get("expires_at"),
|
||||
"last_activity": active.get("last_activity"),
|
||||
"freshness": active.get("freshness")
|
||||
or classify_lease_freshness(active, now=now),
|
||||
"reviewer_identity": active.get("reviewer_identity"),
|
||||
"profile": active.get("profile"),
|
||||
"worktree": active.get("worktree"),
|
||||
"blocker": active.get("blocker"),
|
||||
}
|
||||
|
||||
return {
|
||||
"pr_number": pr_number,
|
||||
"classification": classification,
|
||||
"next_action": next_action,
|
||||
"active_lease": lease_summary,
|
||||
"session_lease": session_lease,
|
||||
"worktree_binding": binding_details,
|
||||
"instructed_session_id": instructed_session_id,
|
||||
"instructed_comment_id": instructed_comment_id,
|
||||
"instructed_lease_missing_with_replacement": instructed_missing_with_replacement,
|
||||
"mutation_allowed": (
|
||||
next_action == NEXT_ACTION_RESUME_EXACT_OWNER_SESSION
|
||||
and not binding_mismatch
|
||||
and bool(session_lease)
|
||||
),
|
||||
"reasons": reasons,
|
||||
"forbidden": [
|
||||
"manual lock deletion",
|
||||
"raw API bypass",
|
||||
"mtime manipulation",
|
||||
"direct _SESSION_LEASE seeding",
|
||||
"silent foreign lease steal",
|
||||
],
|
||||
}
|
||||
|
||||
+31
-2
@@ -55,7 +55,6 @@ def skip_python_scan_walk_root(project_root: str, walk_root: str) -> bool:
|
||||
|
||||
REVIEWER_TASKS = frozenset({
|
||||
"review_pr",
|
||||
"merge_pr",
|
||||
"blind_pr_queue_review",
|
||||
"pr_queue_cleanup",
|
||||
"pr-queue-cleanup",
|
||||
@@ -63,6 +62,10 @@ REVIEWER_TASKS = frozenset({
|
||||
"approve_pr",
|
||||
})
|
||||
|
||||
MERGER_TASKS = frozenset({
|
||||
"merge_pr",
|
||||
})
|
||||
|
||||
AUTHOR_TASKS = frozenset({
|
||||
"create_issue",
|
||||
"comment_issue",
|
||||
@@ -98,7 +101,7 @@ TASK_REQUIRED_ROLE = {
|
||||
"address_pr_change_requests": "author",
|
||||
"delete_branch": "author",
|
||||
"review_pr": "reviewer",
|
||||
"merge_pr": "reviewer",
|
||||
"merge_pr": "merger",
|
||||
"blind_pr_queue_review": "reviewer",
|
||||
"pr_queue_cleanup": "reviewer",
|
||||
"pr-queue-cleanup": "reviewer",
|
||||
@@ -114,6 +117,9 @@ TASK_REQUIRED_ROLE = {
|
||||
# #309: reconciler tasks close already-landed PRs/issues only.
|
||||
"reconcile_close_landed_pr": "reconciler",
|
||||
"reconcile_close_landed_issue": "reconciler",
|
||||
"reconcile_close_superseded_pr": "reconciler",
|
||||
"reconcile_close_satisfied_issue": "reconciler",
|
||||
"reconcile_create_followup_issue": "reconciler",
|
||||
}
|
||||
|
||||
WRONG_ROLE_REVIEWER_MSG = (
|
||||
@@ -125,6 +131,10 @@ WRONG_ROLE_RECONCILER_MSG = (
|
||||
"MCP namespace/profile with exact close capability."
|
||||
)
|
||||
|
||||
WRONG_ROLE_MERGER_MSG = (
|
||||
"Wrong role/session for merger task. Launch merger MCP namespace."
|
||||
)
|
||||
|
||||
_session_last_route: dict | None = None
|
||||
|
||||
|
||||
@@ -240,6 +250,25 @@ def route_task_session(
|
||||
_record_route(result)
|
||||
return result
|
||||
|
||||
if required_role == "merger":
|
||||
result = {
|
||||
"task_type": task_type,
|
||||
"required_role": required_role,
|
||||
"active_role": active_role_kind,
|
||||
"active_profile": active_profile,
|
||||
"route_result": ROUTE_WRONG_ROLE,
|
||||
"downstream_allowed": False,
|
||||
"reasons": [
|
||||
WRONG_ROLE_MERGER_MSG,
|
||||
"Merger tasks cannot run in author or reviewer sessions.",
|
||||
],
|
||||
"message": WRONG_ROLE_MERGER_MSG,
|
||||
"runtime_switching_supported": runtime_switching_supported,
|
||||
"profile_switch_blocked": not runtime_switching_supported,
|
||||
}
|
||||
_record_route(result)
|
||||
return result
|
||||
|
||||
if required_role == "author":
|
||||
route = ROUTE_TO_AUTHOR
|
||||
message = (
|
||||
|
||||
@@ -32,6 +32,15 @@ workflow file.
|
||||
mutation.
|
||||
- A nearby capability does not count.
|
||||
- Do not self-review or self-merge.
|
||||
- **Never push a stable branch directly.** Worker sessions (author/reviewer/merger)
|
||||
must never run `git push <remote> master` — or `main`/`dev`/other stable refs,
|
||||
including refspecs (`HEAD:master`), `--force`, `--delete`, or `--dry-run` no-op
|
||||
probes — and must never commit on the root/control checkout outside an issue
|
||||
feature branch. Stable-branch updates land ONLY through sanctioned Gitea merge
|
||||
tooling (`gitea_merge_pr`) or an explicitly authorized reconciler path. A
|
||||
detected attempt marks the session workflow-contaminated (#671) and fails
|
||||
closed on review/merge/close/completion until a reconciler audits and clears
|
||||
it. `git fetch` / `git pull --ff-only` and feature-branch pushes stay allowed.
|
||||
- Do not mix modes in one run.
|
||||
- **BLOCKED + DIAGNOSE default rule (required):** If any required workflow step, skill, tool, capability, preflight, instruction, profile, worktree binding, or terminal/MCP operation cannot be performed or loaded (including the canonical ones listed in this skill and its loaded workflow), immediately enter `BLOCKED + DIAGNOSE`. Stop before any git or Gitea mutation. Diagnose using the standard template in [`templates/blocked-diagnose-report.md`](templates/blocked-diagnose-report.md). Attempt *only* safe non-mutating recovery. Report using the template. Do not continue, use fallbacks, or treat the missing requirement as harmless.
|
||||
- If the required workflow cannot be loaded, stop and produce a recovery handoff
|
||||
@@ -48,6 +57,11 @@ workflow file.
|
||||
- wrong profile or role for the requested operation
|
||||
- dirty or misbound worktree (root checkout or non-branches/ path)
|
||||
- root checkout mutation risk
|
||||
- stable-branch push contamination (#671): a direct `git push <remote> master`
|
||||
(or `main`/`dev`) equivalent, or a root/control-checkout commit not on an issue
|
||||
feature branch, marks the session workflow-contaminated; review/merge/close/
|
||||
completion mutations then fail closed until a reconciler audits and clears it
|
||||
(`gitea_audit_stable_branch_contamination action=clear`, reconciler-only)
|
||||
- mutation guard failure (e.g. branches-only guard)
|
||||
- missing required MCP tool/schema or operation
|
||||
- stale or inconsistent runtime state (e.g. lease vs actual, dirty state disagreement)
|
||||
@@ -118,6 +132,42 @@ The main project checkout is a stable control checkout on `master`, `main`, or
|
||||
If `cwd` is not inside `branches/`, stop before any file edit, test write,
|
||||
commit, merge, rebase, or cleanup. The main checkout is orchestration-only.
|
||||
|
||||
## Stable Branch Push Protection (#671)
|
||||
|
||||
Worker sessions must **never** publish a stable branch directly. This is the
|
||||
prevention hardening for the #670 incident (a bare direct-to-master commit
|
||||
`2fa97c26` and a PR #654 merger `git push prgs master` attempt).
|
||||
|
||||
**Forbidden for author/reviewer/merger sessions:**
|
||||
|
||||
- `git push <remote> master` (and `main`, `dev`, `develop`, `development`),
|
||||
including refspecs (`HEAD:master`, `+refs/heads/x:refs/heads/master`),
|
||||
`--force`, `--delete` / `:master`, and `--dry-run`/`-n` no-op probes (a
|
||||
dry-run still proves intent and contaminates the session).
|
||||
- Local commits on the root/control checkout that are not carried by an issue
|
||||
feature branch under `branches/`.
|
||||
|
||||
**Allowed (never blocked):**
|
||||
|
||||
- `git fetch` and `git pull --ff-only` of master into the control checkout when
|
||||
authorized for sync.
|
||||
- Feature-branch pushes to non-stable refs (`git push <remote> fix/issue-N-...`).
|
||||
- Sanctioned merges via `gitea_merge_pr` / the Gitea API merge endpoint — the
|
||||
**only** way stable branches advance.
|
||||
|
||||
**What happens on a detected attempt:** the session is marked
|
||||
workflow-contaminated (durable `stable_branch_contamination` marker, redacted
|
||||
command summary + session id + remote + ref). While contaminated, all
|
||||
review / merge / close / issue-completion mutations fail closed. `comment_issue`
|
||||
and `lock_issue` remain allowed so the contaminated worker can post the durable
|
||||
audit comment and hand off. Contamination **cannot be self-cleared** — only a
|
||||
reconciler audit (`gitea_audit_stable_branch_contamination action=clear`) may
|
||||
clear it.
|
||||
|
||||
Tooling: call `gitea_record_stable_branch_push_attempt` to classify/record a
|
||||
proposed push before running it; `gitea_audit_stable_branch_contamination` to
|
||||
inspect or (reconciler-only) clear the marker.
|
||||
|
||||
## Shell Spawn Hard-Stop Rule
|
||||
|
||||
`exit_code: -1` with empty stdout/stderr means the shell failed to spawn — not a
|
||||
|
||||
@@ -344,6 +344,41 @@ If edits are needed, make the smallest correction necessary and report the corre
|
||||
|
||||
Do not silently change requested meaning.
|
||||
|
||||
## 14a. Enforced content preflight (#582)
|
||||
|
||||
`gitea_create_issue` runs a **content preflight gate** before duplicate
|
||||
search or creation. It fails closed (returns `BLOCKED + DIAGNOSE`, no issue
|
||||
created) when the title/body is a *vague reference* to out-of-band draft
|
||||
content the session cannot prove it holds, and no durable source pointer is
|
||||
present.
|
||||
|
||||
An LLM must never fabricate issue content from stale chat memory. If asked to
|
||||
create "the drafted issue" / "the prepared issue" / "the issue we discussed"
|
||||
/ "the previous draft" without the full content in the current context or a
|
||||
durable source pointer, stop and return `BLOCKED + DIAGNOSE` naming the exact
|
||||
vague/missing fields.
|
||||
|
||||
A **durable source pointer** is one of: an existing issue/PR reference
|
||||
(`#582`), a comment id (`comment 8155`), a checked-in file path
|
||||
(`task_capability_map.py`), a URL, or a scratchpad path. When a pointer is
|
||||
present, retrieve the real content from it before creating.
|
||||
|
||||
The gate does **not** require a non-empty body; explicit title-only creation
|
||||
stays allowed. It only blocks placeholder references. An operator may bypass
|
||||
it with `allow_incomplete_content=True` (report the override).
|
||||
|
||||
**Invalid prompts (must block):**
|
||||
|
||||
* "Create the drafted issue."
|
||||
* "File the prepared issue we discussed."
|
||||
* "Open the previous draft."
|
||||
|
||||
**Valid prompts (proceed):**
|
||||
|
||||
* Full title + body + acceptance criteria supplied inline.
|
||||
* "Create the issue drafted in `#582`." (durable pointer → fetch and use it)
|
||||
* "Create the issue from `scratchpad/issue-draft.md`." (durable file pointer)
|
||||
|
||||
## 15. Labels, assignees, and metadata
|
||||
|
||||
Apply labels, assignees, milestones, or project fields only if:
|
||||
|
||||
@@ -826,6 +826,75 @@ The final report must identify:
|
||||
* whether same-PR merge continuation was allowed
|
||||
* whether the run stopped as required
|
||||
|
||||
## 26A-1. Stale durable review-decision lock cleanup (#594)
|
||||
|
||||
After #559, the review-decision lock is durable under
|
||||
`~/.cache/gitea-tools/session-state/` (for example
|
||||
`review_decision_lock-prgs-reviewer.json`). That durability can outlive the work
|
||||
it protects: a terminal `approve` / `request_changes` on a PR that is already
|
||||
**merged or closed** still hard-stops later unrelated reviews under #332.
|
||||
|
||||
**Do not** delete session-state files by hand. Use the canonical MCP path.
|
||||
|
||||
### When cleanup is allowed
|
||||
|
||||
Use `gitea_cleanup_stale_review_decision_lock` when:
|
||||
|
||||
1. `gitea_mark_final_review_decision` / live review is blocked by
|
||||
`terminal review mutation already consumed ... (#332)`.
|
||||
2. Live Gitea state for the **last terminal mutation's PR** is **merged** or
|
||||
**closed** (no same-PR merge sequence remains).
|
||||
3. Active profile identity matches the durable lock (reviewer profile with
|
||||
`gitea.pr.review` for `apply=true`).
|
||||
4. Optional pin: pass `expected_terminal_pr` to the prior terminal PR number
|
||||
(for example `586` when resuming after a merged #586 lock).
|
||||
|
||||
Recommended sequence:
|
||||
|
||||
```text
|
||||
gitea_whoami
|
||||
gitea_resolve_task_capability(task="cleanup_stale_review_decision_lock")
|
||||
gitea_cleanup_stale_review_decision_lock(apply=false, remote=..., org=..., repo=...)
|
||||
# inspect is_moot / cleanup_allowed / last_terminal_pr
|
||||
gitea_cleanup_stale_review_decision_lock(
|
||||
apply=true,
|
||||
expected_terminal_pr=<last_terminal_pr>,
|
||||
remote=..., org=..., repo=...,
|
||||
)
|
||||
gitea_resolve_task_capability(task="review_pr")
|
||||
gitea_load_review_workflow()
|
||||
# continue formal mark + submit for the *new* PR
|
||||
```
|
||||
|
||||
Successful `apply=true` clears memory + durable store and returns an audit
|
||||
record (and posts a durable PR comment on the terminal PR when
|
||||
`post_audit_comment` is true and comment permission allows).
|
||||
|
||||
Same-profile auto-expire: after `gitea_merge_pr` succeeds for the PR that this
|
||||
profile just approved, the decision lock for that profile is cleared
|
||||
automatically. Cross-profile locks (for example reviewer approve, merger merge)
|
||||
still require `gitea_cleanup_stale_review_decision_lock`.
|
||||
|
||||
### When cleanup is forbidden
|
||||
|
||||
Refuse / fail-closed — keep #332 hard-stop — when:
|
||||
|
||||
* the last terminal PR is still **open** (active review or merge sequence may
|
||||
still apply)
|
||||
* live PR state cannot be fetched (ambiguous)
|
||||
* no lock or no terminal live mutation exists
|
||||
* profile identity does not match the lock
|
||||
* apply requested without authenticated identity or `gitea.pr.review`
|
||||
* `expected_terminal_pr` does not match the last terminal PR
|
||||
|
||||
Do **not** use cleanup to:
|
||||
|
||||
* bypass #332 on an open PR
|
||||
* replace `gitea_authorize_review_correction` for a mistaken review on a still
|
||||
active PR (#211)
|
||||
* auto-approve or auto-merge any PR
|
||||
* justify `rm` of session-state files
|
||||
|
||||
## 26B. Per-PR reviewer lease (#407)
|
||||
|
||||
Parallel reviewer sessions are allowed only when each session holds a distinct,
|
||||
@@ -1043,6 +1112,8 @@ Blocked handoffs must say to rerun the full workflow after the blocker clears.
|
||||
|
||||
If the blocker is a terminal review mutation already consumed in the current run, the handoff must say that the next run must start from the beginning and must not reuse stale ready/approved state.
|
||||
|
||||
If the referenced terminal PR is already **merged or closed** on live Gitea, the durable #332 decision lock is **moot**. Do **not** delete session-state files by hand. Use `gitea_cleanup_stale_review_decision_lock` (assess with `apply=false`, then `apply=true` with `expected_terminal_pr` set) from the reviewer profile after identity/profile checks (#594). Cleanup is **forbidden** while that PR is still open.
|
||||
|
||||
## 30. Final report must be precise
|
||||
|
||||
Include:
|
||||
|
||||
@@ -0,0 +1,478 @@
|
||||
"""Fail-closed guard against direct pushes to stable branches (#671).
|
||||
|
||||
MCP workflow sessions must never publish to a stable branch (``master``,
|
||||
``main``, ``dev``, ...) directly. Stable-branch updates land only through
|
||||
sanctioned Gitea merge tooling or an explicitly authorized reconciler path.
|
||||
|
||||
Incident origin (#670): a bare direct-to-master commit ``2fa97c26`` landed on
|
||||
``prgs/master`` without PR/review provenance, and a PR #654 merger run
|
||||
attempted ``git push prgs master`` (audited as a no-op, but the *intent* is the
|
||||
hazard). Partial protections already existed (``author_proofs.PROTECTED_BRANCHES``,
|
||||
``root_checkout_guard``, branch-push proofs) but did not detect shell push
|
||||
equivalents, mark the session contaminated after such an attempt, or fail
|
||||
closed on subsequent review/merge/close/completion mutations.
|
||||
|
||||
This module is the detection + contamination-policy core. Like
|
||||
``author_proofs`` and ``root_checkout_guard`` it is **pure**: callers gather
|
||||
the raw facts (the proposed command line, git state, the durable contamination
|
||||
marker) and pass them in, so the same logic serves prompts, MCP gates, and
|
||||
tests. Nothing here performs git or network calls or reads durable state; the
|
||||
server wires these helpers to ``mcp_session_state`` and ``verify_preflight_purity``.
|
||||
|
||||
Design rules honoured (from the #671 acceptance criteria):
|
||||
|
||||
* Detect ``git push <remote> master`` shell equivalents, including refspecs
|
||||
(``HEAD:master``, ``+refs/heads/x:refs/heads/master``), ``--force``,
|
||||
``--dry-run``/no-op intent, and delete refspecs (``:master``).
|
||||
* Never false-block a feature-branch push (``git push prgs fix/issue-671-...``).
|
||||
* Never treat ``git fetch`` / ``git pull --ff-only`` as a push.
|
||||
* Never treat sanctioned ``gitea_merge_pr`` / Gitea API merge as a push.
|
||||
* Fail closed on ambiguous targets that *may* resolve to a stable branch, but
|
||||
surface ambiguity as its own signal rather than silently blocking feature work.
|
||||
* Contamination must not be clearable by the same worker session — only a
|
||||
reconciler (audit) role may clear or bypass the gate.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import re
|
||||
from typing import Any, Iterable
|
||||
|
||||
from author_proofs import PROTECTED_BRANCHES
|
||||
|
||||
# Single source of truth for the stable branch set: the same protected set the
|
||||
# author branch-identity proofs already enforce (#177), so the two guards can
|
||||
# never drift apart.
|
||||
STABLE_BRANCHES = PROTECTED_BRANCHES
|
||||
|
||||
# Mutations that must fail closed once the session is contaminated by a direct
|
||||
# stable-branch push attempt (#671 AC4: review, merge, close, completion).
|
||||
# ``comment_issue`` / ``lock_issue`` / ``create_issue`` are deliberately NOT
|
||||
# gated so a contaminated worker can still post the durable audit comment and
|
||||
# hand off. Only a reconciler (audit) role bypasses this set.
|
||||
CONTAMINATION_GATED_TASKS = frozenset({
|
||||
"create_pr",
|
||||
"commit_files",
|
||||
"gitea_commit_files",
|
||||
"close_pr",
|
||||
"close_issue",
|
||||
"review_pr",
|
||||
"approve_pr",
|
||||
"request_changes_pr",
|
||||
"submit_pr_review",
|
||||
"merge_pr",
|
||||
"delete_branch",
|
||||
"complete_issue",
|
||||
})
|
||||
|
||||
CONTAMINATION_KIND = "stable_branch_push"
|
||||
|
||||
REMEDIATION = (
|
||||
"Direct stable-branch publication is forbidden for worker sessions. Stop, "
|
||||
"leave the stable branch untouched, and route the change through sanctioned "
|
||||
"Gitea merge tooling (gitea_merge_pr) or an explicitly authorized reconciler "
|
||||
"audit. This session is workflow-contaminated until a reconciler audits it."
|
||||
)
|
||||
|
||||
# ── command tokenising ────────────────────────────────────────────────────────
|
||||
|
||||
# Split a compound command line into individual simple commands on shell
|
||||
# separators so ``a && git push prgs master`` is analysed segment by segment.
|
||||
_SEGMENT_SPLIT_RE = re.compile(r"(?:\|\||&&|\||;|\n)")
|
||||
|
||||
_GIT_PUSH_RE = re.compile(r"\bgit\b[\w\s\-]*?\bpush\b", re.IGNORECASE)
|
||||
_GIT_FETCH_RE = re.compile(r"\bgit\b[\w\s\-]*?\b(?:fetch|pull)\b", re.IGNORECASE)
|
||||
|
||||
# Flags that take a value argument in ``git push`` (so the following token is
|
||||
# consumed as the flag's value, not a refspec).
|
||||
_VALUE_FLAGS = frozenset({
|
||||
"--repo",
|
||||
"-o",
|
||||
"--push-option",
|
||||
"--receive-pack",
|
||||
"--exec",
|
||||
})
|
||||
|
||||
_FORCE_FLAGS = frozenset({"-f", "--force"})
|
||||
_DRY_RUN_FLAGS = frozenset({"-n", "--dry-run"})
|
||||
_DELETE_FLAGS = frozenset({"-d", "--delete"})
|
||||
|
||||
|
||||
def _clean(value: str | None) -> str:
|
||||
return (value or "").strip()
|
||||
|
||||
|
||||
def _strip_ref_prefix(ref: str) -> str:
|
||||
ref = ref.strip()
|
||||
for prefix in ("refs/heads/", "heads/"):
|
||||
if ref.startswith(prefix):
|
||||
return ref[len(prefix):]
|
||||
return ref
|
||||
|
||||
|
||||
def is_stable_ref(ref: str | None) -> bool:
|
||||
"""True when ``ref`` names a configured stable branch."""
|
||||
name = _strip_ref_prefix(_clean(ref))
|
||||
return bool(name) and name in STABLE_BRANCHES
|
||||
|
||||
|
||||
# ── redaction ─────────────────────────────────────────────────────────────────
|
||||
|
||||
_URL_USERINFO_RE = re.compile(r"(https?://)[^/\s:@]+(?::[^/\s@]+)?@", re.IGNORECASE)
|
||||
_SECRET_ASSIGN_RE = re.compile(
|
||||
r"\b((?:GITEA_)?(?:TOKEN|PASSWORD|PASS|PAT|SECRET|API_KEY|AUTH))\s*=\s*\S+",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
_BEARER_RE = re.compile(r"\b(Bearer|token)\s+[A-Za-z0-9._\-]{8,}", re.IGNORECASE)
|
||||
|
||||
|
||||
def redact_command(command: str | None) -> str:
|
||||
"""Strip credentials/URLs from a command line before logging it (#671).
|
||||
|
||||
Redacts URL userinfo (``https://user:tok@host`` → ``https://***@host``),
|
||||
``TOKEN=...`` style assignments, and bearer/token headers. Leaves the
|
||||
structural parts (``git push <remote> master``) intact for audit value.
|
||||
"""
|
||||
text = _clean(command)
|
||||
if not text:
|
||||
return ""
|
||||
text = _URL_USERINFO_RE.sub(r"\1***@", text)
|
||||
text = _SECRET_ASSIGN_RE.sub(lambda m: f"{m.group(1)}=***", text)
|
||||
text = _BEARER_RE.sub(lambda m: f"{m.group(1)} ***", text)
|
||||
return text
|
||||
|
||||
|
||||
# ── push classification ───────────────────────────────────────────────────────
|
||||
|
||||
def _analyse_push_segment(segment: str) -> dict[str, Any]:
|
||||
"""Classify one ``git push ...`` command segment."""
|
||||
tokens = segment.split()
|
||||
# Drop everything up to and including the ``push`` verb.
|
||||
try:
|
||||
push_idx = next(
|
||||
i for i, tok in enumerate(tokens)
|
||||
if tok.lower() == "push"
|
||||
)
|
||||
except StopIteration:
|
||||
push_idx = -1
|
||||
args = tokens[push_idx + 1:] if push_idx >= 0 else []
|
||||
|
||||
is_force = False
|
||||
is_dry_run = False
|
||||
is_delete = False
|
||||
positionals: list[str] = []
|
||||
|
||||
skip_next = False
|
||||
for tok in args:
|
||||
if skip_next:
|
||||
skip_next = False
|
||||
continue
|
||||
if tok in _FORCE_FLAGS or tok.startswith("--force-with-lease") or tok.startswith("--force-if-includes"):
|
||||
is_force = True
|
||||
continue
|
||||
if tok in _DRY_RUN_FLAGS:
|
||||
is_dry_run = True
|
||||
continue
|
||||
if tok in _DELETE_FLAGS:
|
||||
is_delete = True
|
||||
continue
|
||||
if tok in _VALUE_FLAGS:
|
||||
skip_next = True
|
||||
continue
|
||||
if tok.startswith("--") and "=" in tok:
|
||||
# e.g. --repo=... : self-contained, not a refspec.
|
||||
continue
|
||||
if tok.startswith("-"):
|
||||
# Unknown/combined short flag; ignore for ref detection.
|
||||
continue
|
||||
positionals.append(tok)
|
||||
|
||||
# First positional after push is the remote (when any positional exists);
|
||||
# the rest are refspecs / branch names.
|
||||
remote = positionals[0] if positionals else None
|
||||
refspecs = positionals[1:]
|
||||
|
||||
stable_refs: list[str] = []
|
||||
force_to_stable = False
|
||||
delete_stable = False
|
||||
for spec in refspecs:
|
||||
force_spec = spec.startswith("+")
|
||||
body = spec[1:] if force_spec else spec
|
||||
if ":" in body:
|
||||
src, _, dst = body.partition(":")
|
||||
dest = dst
|
||||
if src == "" and dst:
|
||||
# ``:master`` — delete refspec.
|
||||
is_delete = True
|
||||
else:
|
||||
dest = body
|
||||
if is_stable_ref(dest):
|
||||
stable_refs.append(_strip_ref_prefix(dest))
|
||||
if force_spec or is_force:
|
||||
force_to_stable = True
|
||||
if is_delete:
|
||||
delete_stable = True
|
||||
|
||||
targets_stable = bool(stable_refs)
|
||||
# Ambiguous: ``git push <remote>`` (or bare ``git push``) with no refspec —
|
||||
# resolves to the current branch's upstream, which we cannot see from the
|
||||
# command alone. Flag it, but do not assert stable (would false-block
|
||||
# feature-branch pushes).
|
||||
ambiguous = not refspecs
|
||||
|
||||
return {
|
||||
"is_git_push": True,
|
||||
"remote": remote,
|
||||
"refspecs": refspecs,
|
||||
"targets_stable": targets_stable,
|
||||
"stable_refs": stable_refs,
|
||||
"is_force": is_force or force_to_stable,
|
||||
"is_dry_run": is_dry_run,
|
||||
"is_delete": is_delete or delete_stable,
|
||||
"ambiguous_target": ambiguous,
|
||||
}
|
||||
|
||||
|
||||
def classify_push_command(command: str | None) -> dict[str, Any]:
|
||||
"""Classify a shell command line for direct stable-branch push intent (#671).
|
||||
|
||||
Returns a dict describing whether the command is a ``git push`` targeting a
|
||||
stable branch. Fetch/pull are never pushes. A sanctioned Gitea merge (which
|
||||
is not a ``git push`` at all) classifies as non-push. Dry-run and no-op
|
||||
pushes still count as *intent* and are reported as contamination
|
||||
(``proves_intent``) so a ``--dry-run`` cannot be used to probe the gate.
|
||||
"""
|
||||
text = _clean(command)
|
||||
result: dict[str, Any] = {
|
||||
"command": text,
|
||||
"redacted_command": redact_command(text),
|
||||
"is_git_push": False,
|
||||
"is_fetch_or_pull": False,
|
||||
"targets_stable": False,
|
||||
"stable_refs": [],
|
||||
"is_force": False,
|
||||
"is_dry_run": False,
|
||||
"is_delete": False,
|
||||
"ambiguous_target": False,
|
||||
"contamination": False,
|
||||
"proves_intent": False,
|
||||
"reasons": [],
|
||||
}
|
||||
if not text:
|
||||
return result
|
||||
|
||||
stable_refs: list[str] = []
|
||||
saw_push = False
|
||||
for segment in _SEGMENT_SPLIT_RE.split(text):
|
||||
seg = segment.strip()
|
||||
if not seg:
|
||||
continue
|
||||
if _GIT_FETCH_RE.search(seg) and not _GIT_PUSH_RE.search(seg):
|
||||
result["is_fetch_or_pull"] = True
|
||||
continue
|
||||
if not _GIT_PUSH_RE.search(seg):
|
||||
continue
|
||||
saw_push = True
|
||||
analysis = _analyse_push_segment(seg)
|
||||
result["is_git_push"] = True
|
||||
result["is_force"] = result["is_force"] or analysis["is_force"]
|
||||
result["is_dry_run"] = result["is_dry_run"] or analysis["is_dry_run"]
|
||||
result["is_delete"] = result["is_delete"] or analysis["is_delete"]
|
||||
result["ambiguous_target"] = result["ambiguous_target"] or analysis["ambiguous_target"]
|
||||
stable_refs.extend(analysis["stable_refs"])
|
||||
|
||||
result["stable_refs"] = sorted(set(stable_refs))
|
||||
result["targets_stable"] = bool(stable_refs)
|
||||
|
||||
reasons: list[str] = []
|
||||
if result["targets_stable"]:
|
||||
refs = ", ".join(result["stable_refs"])
|
||||
verb = "delete" if result["is_delete"] else ("force-push" if result["is_force"] else "push")
|
||||
qualifier = " (dry-run/no-op still proves intent)" if result["is_dry_run"] else ""
|
||||
reasons.append(
|
||||
f"direct stable-branch {verb} detected targeting: {refs}{qualifier}; "
|
||||
"worker sessions must never publish stable branches directly"
|
||||
)
|
||||
result["contamination"] = True
|
||||
result["proves_intent"] = True
|
||||
elif saw_push and result["ambiguous_target"]:
|
||||
# Bare ``git push`` with no refspec: ambiguous. Report, but do not
|
||||
# contaminate on the command alone — the root-checkout / branch-state
|
||||
# detector resolves whether the current branch is stable.
|
||||
reasons.append(
|
||||
"ambiguous 'git push' with no refspec: resolve the current branch "
|
||||
"before pushing; if it is a stable branch this is forbidden"
|
||||
)
|
||||
|
||||
result["reasons"] = reasons
|
||||
return result
|
||||
|
||||
|
||||
def detect_stable_push(commands: str | Iterable[str] | None) -> dict[str, Any]:
|
||||
"""Classify one command or an iterable of commands; contamination if any hit."""
|
||||
if commands is None:
|
||||
return classify_push_command(None)
|
||||
if isinstance(commands, str):
|
||||
return classify_push_command(commands)
|
||||
worst: dict[str, Any] | None = None
|
||||
for cmd in commands:
|
||||
res = classify_push_command(cmd)
|
||||
if res["contamination"]:
|
||||
return res
|
||||
if worst is None or (res["is_git_push"] and not worst["is_git_push"]):
|
||||
worst = res
|
||||
return worst or classify_push_command(None)
|
||||
|
||||
|
||||
# ── root/control checkout local-commit detection ──────────────────────────────
|
||||
|
||||
def assess_root_checkout_local_commit(
|
||||
*,
|
||||
current_branch: str | None,
|
||||
head_sha: str | None,
|
||||
remote_master_sha: str | None,
|
||||
is_under_branches: bool,
|
||||
ahead_count: int | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Detect a local commit on the root/control checkout not on a feature branch.
|
||||
|
||||
#671 AC2. An isolated ``branches/...`` worktree is exempt (that is where
|
||||
feature work belongs). On the control checkout, a commit is illegitimate
|
||||
when the checkout sits on a stable branch (or detached) and its HEAD has
|
||||
advanced past the tracking ``prgs/master`` — i.e. a commit was made that is
|
||||
not carried by an issue feature branch/PR.
|
||||
|
||||
Positive evidence only: missing state reports ``unknown`` rather than
|
||||
asserting contamination, but an unreadable *branch* on the control checkout
|
||||
(detached HEAD) with an advanced HEAD is still flagged.
|
||||
"""
|
||||
branch = _clean(current_branch)
|
||||
head = _clean(head_sha).lower()
|
||||
master = _clean(remote_master_sha).lower()
|
||||
|
||||
if is_under_branches:
|
||||
return {
|
||||
"contamination": False,
|
||||
"unknown": False,
|
||||
"reasons": [],
|
||||
"detail": "isolated branches/ worktree — feature commits are expected here",
|
||||
}
|
||||
|
||||
reasons: list[str] = []
|
||||
unknown = False
|
||||
|
||||
on_stable = (not branch) or (branch in STABLE_BRANCHES)
|
||||
if not on_stable:
|
||||
# Control checkout is on some non-stable branch: out of scope for this
|
||||
# detector (root_checkout_guard #475 handles that contamination class).
|
||||
return {
|
||||
"contamination": False,
|
||||
"unknown": False,
|
||||
"reasons": [],
|
||||
"detail": f"control checkout on non-stable branch '{branch}' — not this detector's class",
|
||||
}
|
||||
|
||||
advanced = False
|
||||
if ahead_count is not None and ahead_count > 0:
|
||||
advanced = True
|
||||
if head and master and head != master:
|
||||
advanced = True
|
||||
if (not head or not master) and ahead_count is None:
|
||||
unknown = True
|
||||
|
||||
if advanced:
|
||||
where = f"branch '{branch}'" if branch else "detached HEAD"
|
||||
reasons.append(
|
||||
f"control checkout ({where}) has local commits not on an issue "
|
||||
"feature branch (HEAD advanced past prgs/master); worker sessions "
|
||||
"must commit only on issue branches under branches/"
|
||||
)
|
||||
|
||||
return {
|
||||
"contamination": bool(reasons),
|
||||
"unknown": unknown and not reasons,
|
||||
"reasons": reasons,
|
||||
"current_branch": branch or None,
|
||||
"head_sha": head or None,
|
||||
"remote_master_sha": master or None,
|
||||
}
|
||||
|
||||
|
||||
# ── contamination record + gate ───────────────────────────────────────────────
|
||||
|
||||
def build_contamination_record(
|
||||
*,
|
||||
reason_class: str,
|
||||
command_redacted: str | None = None,
|
||||
session_id: str | None = None,
|
||||
remote: str | None = None,
|
||||
ref: str | None = None,
|
||||
role: str | None = None,
|
||||
detail: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Build the durable contamination marker payload (redacted, audit-safe).
|
||||
|
||||
``reason_class`` is one of ``stable_branch_push`` / ``root_checkout_commit``.
|
||||
The command is stored already-redacted; callers pass the raw line through
|
||||
:func:`redact_command` (or this builder redacts a raw ``command`` for them).
|
||||
"""
|
||||
return {
|
||||
"kind": CONTAMINATION_KIND,
|
||||
"reason_class": _clean(reason_class) or "stable_branch_push",
|
||||
"command_summary": redact_command(command_redacted),
|
||||
"session_id": _clean(session_id) or None,
|
||||
"remote": _clean(remote) or None,
|
||||
"ref": _clean(ref) or None,
|
||||
"role": _clean(role) or None,
|
||||
"detail": _clean(detail) or None,
|
||||
"cleared_by_reconciler": False,
|
||||
}
|
||||
|
||||
|
||||
def assess_contamination_gate(
|
||||
marker: dict[str, Any] | None,
|
||||
*,
|
||||
task: str | None,
|
||||
actual_role: str | None,
|
||||
) -> dict[str, Any]:
|
||||
"""Fail closed on gated mutations while a contamination marker is live (#671 AC4).
|
||||
|
||||
* No marker → allowed.
|
||||
* Reconciler (audit) role → allowed (the sanctioned path to inspect/clear).
|
||||
* Marker present + ``task`` in :data:`CONTAMINATION_GATED_TASKS` → blocked.
|
||||
* Marker present + non-gated task (e.g. ``comment_issue``) → allowed, so the
|
||||
worker can still post the durable audit/handoff comment.
|
||||
"""
|
||||
if not marker or marker.get("cleared_by_reconciler"):
|
||||
return {"block": False, "reasons": [], "task": task}
|
||||
|
||||
role = _clean(actual_role).lower()
|
||||
if role == "reconciler":
|
||||
return {
|
||||
"block": False,
|
||||
"reasons": [],
|
||||
"task": task,
|
||||
"detail": "reconciler audit path is exempt from the contamination gate",
|
||||
}
|
||||
|
||||
task_name = _clean(task)
|
||||
if task_name and task_name in CONTAMINATION_GATED_TASKS:
|
||||
summary = marker.get("command_summary") or marker.get("detail") or "(no summary)"
|
||||
reason_class = marker.get("reason_class") or "stable_branch_push"
|
||||
return {
|
||||
"block": True,
|
||||
"reasons": [
|
||||
f"session is workflow-contaminated ({reason_class}): {summary}. "
|
||||
f"'{task_name}' is blocked until a reconciler audits and clears "
|
||||
"the contamination. " + REMEDIATION
|
||||
],
|
||||
"task": task_name,
|
||||
}
|
||||
|
||||
return {"block": False, "reasons": [], "task": task_name or None}
|
||||
|
||||
|
||||
def format_contamination_gate_error(gate: dict[str, Any]) -> str:
|
||||
"""Single RuntimeError message for MCP mutation gates."""
|
||||
reasons = "; ".join(gate.get("reasons") or ["session workflow-contaminated"])
|
||||
return f"Stable-branch contamination gate (#671): {reasons}"
|
||||
@@ -0,0 +1,440 @@
|
||||
"""Stale / moot #332 review-decision lock detection and cleanup policy (#594/#620).
|
||||
|
||||
#332 correctly hard-stops a reviewer session after a terminal live review
|
||||
mutation. After #559 those locks are durable on disk, so they can outlive the
|
||||
work they protect: when the referenced PR is already merged or closed, no
|
||||
same-PR merge sequence remains, yet the durable ledger still blocks unrelated
|
||||
new terminal reviews.
|
||||
|
||||
#620 scopes the terminal boundary by **reviewed head SHA**: a prior
|
||||
REQUEST_CHANGES (or APPROVE) on head A must not block a fresh formal decision
|
||||
on head B of the **same open PR**. Same-head duplicates remain fail-closed.
|
||||
Open-PR lock *cleanup* remains forbidden unless the PR is truly merged/closed
|
||||
(#594); new-head re-review is allowed without deleting the durable lock.
|
||||
|
||||
This module is pure policy (no Gitea I/O). The MCP tool
|
||||
``gitea_cleanup_stale_review_decision_lock`` fetches live PR state, calls these
|
||||
helpers, and only then clears durable state when cleanup is allowed.
|
||||
|
||||
Manual deletion of ``~/.cache/gitea-tools/session-state/*`` is never the
|
||||
canonical path.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from datetime import datetime, timezone
|
||||
from typing import Any
|
||||
|
||||
# Keep in sync with gitea_mcp_server._TERMINAL_REVIEW_ACTIONS.
|
||||
TERMINAL_REVIEW_ACTIONS = frozenset({"approve", "request_changes"})
|
||||
|
||||
|
||||
def normalize_head_sha(value: Any) -> str | None:
|
||||
"""Normalize a git SHA for equality comparison; None if empty/invalid."""
|
||||
if value is None:
|
||||
return None
|
||||
text = str(value).strip().lower()
|
||||
if not text:
|
||||
return None
|
||||
return text
|
||||
|
||||
|
||||
def heads_equal(a: Any, b: Any) -> bool:
|
||||
na = normalize_head_sha(a)
|
||||
nb = normalize_head_sha(b)
|
||||
if not na or not nb:
|
||||
return False
|
||||
return na == nb
|
||||
|
||||
|
||||
def mutation_head_sha(mutation: dict | None, lock: dict | None = None) -> str | None:
|
||||
"""Head SHA that bounds a live mutation (#620).
|
||||
|
||||
Prefers fields recorded on the mutation itself. For *legacy* mutations
|
||||
that predate head-scoping, falls back to the lock's
|
||||
``ready_expected_head_sha`` only when that ready binding is for the same
|
||||
PR number (the frozen durable PR #619-style ledger).
|
||||
"""
|
||||
if not isinstance(mutation, dict):
|
||||
return None
|
||||
for key in ("head_sha", "expected_head_sha", "reviewed_head_sha"):
|
||||
head = normalize_head_sha(mutation.get(key))
|
||||
if head:
|
||||
return head
|
||||
if not isinstance(lock, dict):
|
||||
return None
|
||||
if lock.get("ready_pr_number") != mutation.get("pr_number"):
|
||||
return None
|
||||
return normalize_head_sha(lock.get("ready_expected_head_sha"))
|
||||
|
||||
|
||||
def last_terminal_mutation(lock: dict | None) -> dict | None:
|
||||
"""Return the last terminal live mutation on *lock*, or None."""
|
||||
if not lock:
|
||||
return None
|
||||
terminals = [
|
||||
m
|
||||
for m in (lock.get("live_mutations") or [])
|
||||
if isinstance(m, dict) and m.get("action") in TERMINAL_REVIEW_ACTIONS
|
||||
]
|
||||
return terminals[-1] if terminals else None
|
||||
|
||||
|
||||
def prior_live_mutations_block_boundary(
|
||||
lock: dict | None,
|
||||
*,
|
||||
pr_number: int,
|
||||
expected_head_sha: str | None,
|
||||
) -> bool:
|
||||
"""True when prior live mutations block a new decision for PR+head (#620).
|
||||
|
||||
Historical terminals on a **different head of the same PR** do not block.
|
||||
Any prior mutation on another PR, the same head, or without a comparable
|
||||
head SHA fails closed (blocks).
|
||||
|
||||
Head resolution uses ``mutation_head_sha(m, lock)`` so pre-#620 ledgers
|
||||
that only stored ``ready_expected_head_sha`` still compare correctly
|
||||
(PR #619-style).
|
||||
"""
|
||||
if not lock:
|
||||
return False
|
||||
if lock.get("correction_authorized"):
|
||||
return False
|
||||
prior = list(lock.get("live_mutations") or [])
|
||||
if not prior:
|
||||
return False
|
||||
target = normalize_head_sha(expected_head_sha)
|
||||
for m in prior:
|
||||
if not isinstance(m, dict):
|
||||
return True
|
||||
m_pr = m.get("pr_number")
|
||||
m_head = mutation_head_sha(m, lock)
|
||||
if (
|
||||
m_pr == pr_number
|
||||
and target
|
||||
and m_head
|
||||
and not heads_equal(m_head, target)
|
||||
):
|
||||
# Same open PR, different reviewed head — historical boundary only.
|
||||
continue
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def terminal_boundary_allows_fresh_decision(
|
||||
lock: dict | None,
|
||||
*,
|
||||
pr_number: int,
|
||||
expected_head_sha: str | None,
|
||||
operation: str,
|
||||
) -> bool:
|
||||
"""Whether #332 hard-stop should yield for a new PR+head boundary (#620).
|
||||
|
||||
Only for ``mark_ready`` / ``review`` / ``resume`` on the **same PR** when
|
||||
the requested head differs from the last terminal's head. Merge is never
|
||||
reopened by head change (approved head merge path is separate).
|
||||
"""
|
||||
if operation not in ("mark_ready", "review", "resume"):
|
||||
return False
|
||||
if not lock:
|
||||
return False
|
||||
if lock.get("correction_authorized"):
|
||||
return True
|
||||
last = last_terminal_mutation(lock)
|
||||
if last is None:
|
||||
return True
|
||||
if last.get("pr_number") != pr_number:
|
||||
return False
|
||||
locked_head = mutation_head_sha(last, lock)
|
||||
target = normalize_head_sha(expected_head_sha)
|
||||
if not locked_head or not target:
|
||||
return False
|
||||
return not heads_equal(locked_head, target)
|
||||
|
||||
|
||||
def backfill_terminal_heads_from_ready(lock: dict) -> dict:
|
||||
"""Stamp head_sha onto legacy terminal mutations before overwriting ready_*.
|
||||
|
||||
Called when marking a fresh decision on a new head so historical rows keep
|
||||
their original boundary after ``ready_expected_head_sha`` advances (#620).
|
||||
"""
|
||||
if not isinstance(lock, dict):
|
||||
return lock
|
||||
ready_pr = lock.get("ready_pr_number")
|
||||
ready_head = normalize_head_sha(lock.get("ready_expected_head_sha"))
|
||||
if ready_pr is None or not ready_head:
|
||||
return lock
|
||||
mutations = list(lock.get("live_mutations") or [])
|
||||
changed = False
|
||||
for m in mutations:
|
||||
if not isinstance(m, dict):
|
||||
continue
|
||||
if m.get("action") not in TERMINAL_REVIEW_ACTIONS:
|
||||
continue
|
||||
if m.get("pr_number") != ready_pr:
|
||||
continue
|
||||
if mutation_head_sha(m):
|
||||
continue
|
||||
m["head_sha"] = ready_head
|
||||
changed = True
|
||||
if changed:
|
||||
lock["live_mutations"] = mutations
|
||||
return lock
|
||||
|
||||
|
||||
def classify_pr_live_state(pr_live: dict | None) -> dict[str, Any]:
|
||||
"""Normalize a Gitea PR payload into merge/closed flags."""
|
||||
pr = pr_live or {}
|
||||
merged = bool(pr.get("merged") or pr.get("merged_at"))
|
||||
state = (pr.get("state") or "").strip().lower() or None
|
||||
closed = state == "closed"
|
||||
head = pr.get("head") if isinstance(pr.get("head"), dict) else {}
|
||||
head_sha = normalize_head_sha(
|
||||
pr.get("head_sha") or pr.get("head_commit_sha") or head.get("sha")
|
||||
)
|
||||
return {
|
||||
"pr_state": state,
|
||||
"pr_merged": merged,
|
||||
"pr_merged_or_closed": merged or closed,
|
||||
"merge_commit_sha": pr.get("merge_commit_sha")
|
||||
or pr.get("merged_commit_sha"),
|
||||
"current_pr_head_sha": head_sha,
|
||||
}
|
||||
|
||||
|
||||
def lock_summary(lock: dict | None) -> dict[str, Any] | None:
|
||||
"""LLM-safe summary of a decision lock (no secrets)."""
|
||||
if lock is None:
|
||||
return None
|
||||
last = last_terminal_mutation(lock)
|
||||
mutations = list(lock.get("live_mutations") or [])
|
||||
last_head = mutation_head_sha(last, lock) if last else None
|
||||
return {
|
||||
"task": lock.get("task"),
|
||||
"remote": lock.get("remote"),
|
||||
"org": lock.get("org") or lock.get("ready_org"),
|
||||
"repo": lock.get("repo") or lock.get("ready_repo"),
|
||||
"profile_identity": lock.get("profile_identity")
|
||||
or lock.get("session_profile_lock")
|
||||
or lock.get("session_profile"),
|
||||
"session_profile": lock.get("session_profile"),
|
||||
"ready_pr_number": lock.get("ready_pr_number"),
|
||||
"ready_action": lock.get("ready_action"),
|
||||
"ready_expected_head_sha": normalize_head_sha(
|
||||
lock.get("ready_expected_head_sha")
|
||||
),
|
||||
"live_mutations_count": len(mutations),
|
||||
"last_terminal": (
|
||||
{
|
||||
"pr_number": last.get("pr_number"),
|
||||
"action": last.get("action"),
|
||||
"review_id": last.get("review_id"),
|
||||
"head_sha": last_head,
|
||||
}
|
||||
if last
|
||||
else None
|
||||
),
|
||||
"locked_head_sha": last_head,
|
||||
"correction_authorized": bool(lock.get("correction_authorized")),
|
||||
"updated_at": lock.get("updated_at") or lock.get("recorded_at"),
|
||||
}
|
||||
|
||||
|
||||
def assess_stale_review_decision_lock(
|
||||
lock: dict | None,
|
||||
*,
|
||||
pr_live: dict | None = None,
|
||||
pr_lookup_error: str | None = None,
|
||||
active_profile_identity: str | None = None,
|
||||
current_pr_head_sha: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Assess whether a durable review-decision lock is stale/moot (#594/#620).
|
||||
|
||||
*pr_live* must be the live Gitea payload for the **last terminal
|
||||
mutation's PR**. When no lock / no terminal mutation exists, cleanup is
|
||||
not applicable. When the PR is still open (or lookup fails), cleanup is
|
||||
forbidden (#594). Open PR + different live head reports
|
||||
``stale_by_head`` / ``fresh_review_on_current_head_allowed`` (#620)
|
||||
without enabling cleanup.
|
||||
"""
|
||||
summary = lock_summary(lock)
|
||||
result: dict[str, Any] = {
|
||||
"has_lock": lock is not None,
|
||||
"lock_summary": summary,
|
||||
"last_terminal_pr": None,
|
||||
"last_terminal_action": None,
|
||||
"locked_head_sha": None,
|
||||
"current_pr_head_sha": normalize_head_sha(current_pr_head_sha),
|
||||
"stale_by_head": False,
|
||||
"fresh_review_on_current_head_allowed": False,
|
||||
"is_moot": False,
|
||||
"cleanup_allowed": False,
|
||||
"profile_match": True,
|
||||
"pr_state": None,
|
||||
"pr_merged": False,
|
||||
"pr_merged_or_closed": False,
|
||||
"merge_commit_sha": None,
|
||||
"reasons": [],
|
||||
"recovery_tool": "gitea_cleanup_stale_review_decision_lock",
|
||||
}
|
||||
|
||||
if lock is None:
|
||||
result["reasons"].append("no review decision lock present")
|
||||
return result
|
||||
|
||||
# Profile identity gate (caller may re-check with env; pure assess still
|
||||
# reports mismatch when active identity is supplied).
|
||||
stored = (
|
||||
(lock.get("profile_identity") or lock.get("session_profile_lock") or "")
|
||||
.strip()
|
||||
)
|
||||
active = (active_profile_identity or "").strip()
|
||||
if active and stored and active != stored:
|
||||
result["profile_match"] = False
|
||||
result["reasons"].append(
|
||||
"review decision lock profile identity does not match active "
|
||||
f"profile '{active}' (fail closed, #594)"
|
||||
)
|
||||
return result
|
||||
|
||||
last = last_terminal_mutation(lock)
|
||||
if last is None:
|
||||
result["reasons"].append(
|
||||
"review decision lock has no terminal live mutations; nothing to clear"
|
||||
)
|
||||
return result
|
||||
|
||||
pr_number = last.get("pr_number")
|
||||
action = last.get("action")
|
||||
locked_head = mutation_head_sha(last, lock)
|
||||
result["last_terminal_pr"] = pr_number
|
||||
result["last_terminal_action"] = action
|
||||
result["locked_head_sha"] = locked_head
|
||||
|
||||
if pr_number is None:
|
||||
result["reasons"].append(
|
||||
"last terminal mutation missing pr_number; refuse cleanup (fail closed)"
|
||||
)
|
||||
return result
|
||||
|
||||
if pr_lookup_error:
|
||||
result["reasons"].append(
|
||||
f"could not load live state for PR #{pr_number}: {pr_lookup_error} "
|
||||
"(fail closed, #594)"
|
||||
)
|
||||
return result
|
||||
|
||||
if pr_live is None:
|
||||
result["reasons"].append(
|
||||
f"live PR state required for terminal PR #{pr_number} before cleanup "
|
||||
"(fail closed, #594)"
|
||||
)
|
||||
return result
|
||||
|
||||
live = classify_pr_live_state(pr_live)
|
||||
current_head = normalize_head_sha(
|
||||
current_pr_head_sha or live.get("current_pr_head_sha")
|
||||
)
|
||||
result.update(
|
||||
{
|
||||
"pr_state": live["pr_state"],
|
||||
"pr_merged": live["pr_merged"],
|
||||
"pr_merged_or_closed": live["pr_merged_or_closed"],
|
||||
"merge_commit_sha": live["merge_commit_sha"],
|
||||
"current_pr_head_sha": current_head,
|
||||
}
|
||||
)
|
||||
|
||||
if not live["pr_merged_or_closed"]:
|
||||
stale_by_head = bool(
|
||||
locked_head and current_head and not heads_equal(locked_head, current_head)
|
||||
)
|
||||
result["stale_by_head"] = stale_by_head
|
||||
# Fresh formal decision is allowed on the new head without cleanup (#620).
|
||||
result["fresh_review_on_current_head_allowed"] = stale_by_head
|
||||
if stale_by_head:
|
||||
result["reasons"].append(
|
||||
f"terminal {action} on PR #{pr_number} is bound to head "
|
||||
f"{locked_head[:12]}…; live head is {current_head[:12]}… — "
|
||||
"fresh formal review on current head is allowed without "
|
||||
"cleanup (fail closed for cleanup, #620); #332 same-head "
|
||||
"duplicate protection remains"
|
||||
)
|
||||
else:
|
||||
result["reasons"].append(
|
||||
f"terminal review mutation on open PR #{pr_number} is still active "
|
||||
f"({action}); #332 hard-stop remains — cleanup forbidden (#594)"
|
||||
)
|
||||
return result
|
||||
|
||||
# Merged or closed: lock is moot. Same-PR merge continuation is impossible.
|
||||
result["is_moot"] = True
|
||||
result["cleanup_allowed"] = True
|
||||
result["stale_by_head"] = False
|
||||
result["fresh_review_on_current_head_allowed"] = False
|
||||
result["reasons"].append(
|
||||
f"terminal mutation ({action} on PR #{pr_number}) is moot: PR is "
|
||||
f"{'merged' if live['pr_merged'] else 'closed'}; canonical cleanup allowed (#594)"
|
||||
)
|
||||
return result
|
||||
|
||||
|
||||
def build_cleanup_audit_record(
|
||||
*,
|
||||
assessment: dict[str, Any],
|
||||
actor_username: str | None,
|
||||
profile_name: str | None,
|
||||
applied: bool,
|
||||
) -> dict[str, Any]:
|
||||
"""Structured durable audit payload for a cleanup attempt."""
|
||||
last = (assessment.get("lock_summary") or {}).get("last_terminal") or {}
|
||||
return {
|
||||
"event": "stale_review_decision_lock_cleanup",
|
||||
"issue_ref": "#594",
|
||||
"applied": bool(applied),
|
||||
"timestamp": datetime.now(timezone.utc).isoformat(),
|
||||
"actor_username": actor_username,
|
||||
"profile_name": profile_name,
|
||||
"last_terminal_pr": assessment.get("last_terminal_pr") or last.get("pr_number"),
|
||||
"last_terminal_action": assessment.get("last_terminal_action")
|
||||
or last.get("action"),
|
||||
"pr_state": assessment.get("pr_state"),
|
||||
"pr_merged": assessment.get("pr_merged"),
|
||||
"pr_merged_or_closed": assessment.get("pr_merged_or_closed"),
|
||||
"merge_commit_sha": assessment.get("merge_commit_sha"),
|
||||
"prior_live_mutations_count": (
|
||||
(assessment.get("lock_summary") or {}).get("live_mutations_count")
|
||||
),
|
||||
"prior_profile_identity": (
|
||||
(assessment.get("lock_summary") or {}).get("profile_identity")
|
||||
),
|
||||
"cleanup_allowed": assessment.get("cleanup_allowed"),
|
||||
"is_moot": assessment.get("is_moot"),
|
||||
"reasons": list(assessment.get("reasons") or []),
|
||||
}
|
||||
|
||||
|
||||
def format_cleanup_audit_comment(audit: dict[str, Any]) -> str:
|
||||
"""Markdown body for a durable Gitea audit comment after cleanup."""
|
||||
status = "APPLIED" if audit.get("applied") else "ASSESSED (not applied)"
|
||||
lines = [
|
||||
"## Stale #332 review-decision lock cleanup (#594)",
|
||||
"",
|
||||
f"Status: **{status}**",
|
||||
"",
|
||||
f"- actor: `{audit.get('actor_username')}`",
|
||||
f"- profile: `{audit.get('profile_name')}`",
|
||||
f"- timestamp: `{audit.get('timestamp')}`",
|
||||
f"- last terminal: `{audit.get('last_terminal_action')}` on "
|
||||
f"PR #{audit.get('last_terminal_pr')}",
|
||||
f"- PR state: `{audit.get('pr_state')}` "
|
||||
f"(merged={audit.get('pr_merged')})",
|
||||
f"- merge_commit_sha: `{audit.get('merge_commit_sha')}`",
|
||||
f"- prior live_mutations_count: "
|
||||
f"`{audit.get('prior_live_mutations_count')}`",
|
||||
f"- prior profile_identity: `{audit.get('prior_profile_identity')}`",
|
||||
"",
|
||||
"Manual deletion of session-state files is **not** the workflow.",
|
||||
"This path only clears a lock when the referenced PR is merged/closed.",
|
||||
]
|
||||
return "\n".join(lines)
|
||||
@@ -96,6 +96,17 @@ TASK_CAPABILITY_MAP: dict[str, dict[str, str]] = {
|
||||
"permission": "gitea.pr.approve",
|
||||
"role": "reviewer",
|
||||
},
|
||||
# #594: clear durable #332 decision lock only when last terminal PR is
|
||||
# already merged/closed (moot). Apply path requires reviewer review
|
||||
# permission; assessment itself uses gitea.read inside the tool.
|
||||
"cleanup_stale_review_decision_lock": {
|
||||
"permission": "gitea.pr.review",
|
||||
"role": "reviewer",
|
||||
},
|
||||
"gitea_cleanup_stale_review_decision_lock": {
|
||||
"permission": "gitea.pr.review",
|
||||
"role": "reviewer",
|
||||
},
|
||||
"delete_branch": {
|
||||
"permission": "gitea.branch.delete",
|
||||
"role": "author",
|
||||
@@ -128,6 +139,103 @@ TASK_CAPABILITY_MAP: dict[str, dict[str, str]] = {
|
||||
"permission": "gitea.pr.create",
|
||||
"role": "author",
|
||||
},
|
||||
# #600: controller-owned allocator — any authenticated profile may call;
|
||||
# routing enforces role match to selected work. Uses control-plane DB (#613).
|
||||
"allocate_next_work": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_allocate_next_work": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
|
||||
# #601 first-class lease lifecycle — inspect/list need read; mutations gate on
|
||||
# ownership in the control-plane DB (not a separate Gitea write permission).
|
||||
"list_workflow_leases": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_list_workflow_leases": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"inspect_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_inspect_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"adopt_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_adopt_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"release_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_release_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"expire_workflow_leases": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_expire_workflow_leases": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"abandon_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_abandon_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"reclaim_expired_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_reclaim_expired_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
# #612 incident bridge — reconcile uses create_issue for apply;
|
||||
# dry-run needs read only. Tools gate apply paths themselves.
|
||||
"observability_reconcile_incident": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_observability_reconcile_incident": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"observability_list_projects": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_observability_list_projects": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"observability_link_issue": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_observability_link_issue": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
|
||||
|
||||
"reconcile_landed_pr": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
@@ -150,6 +258,18 @@ TASK_CAPABILITY_MAP: dict[str, dict[str, str]] = {
|
||||
"permission": "gitea.issue.close",
|
||||
"role": "reconciler",
|
||||
},
|
||||
"reconcile_close_superseded_pr": {
|
||||
"permission": "gitea.pr.close",
|
||||
"role": "reconciler",
|
||||
},
|
||||
"reconcile_close_satisfied_issue": {
|
||||
"permission": "gitea.issue.close",
|
||||
"role": "reconciler",
|
||||
},
|
||||
"reconcile_create_followup_issue": {
|
||||
"permission": "gitea.issue.create",
|
||||
"role": "reconciler",
|
||||
},
|
||||
"post_heartbeat": {
|
||||
"permission": "gitea.issue.comment",
|
||||
"role": "author",
|
||||
|
||||
+185
-25
@@ -1,20 +1,45 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Live health-check script to verify Gitea MCP namespace connections.
|
||||
"""Offline-only MCP namespace spawn probe (NOT IDE-namespace proof).
|
||||
|
||||
Spawns the MCP server processes as defined in the IDE's global config,
|
||||
performs the JSON-RPC handshake, and queries the tools list to verify
|
||||
that the connection is fully operational and doesn't return EOF.
|
||||
Spawns a *separate* MCP server process from config via subprocess.Popen,
|
||||
performs the JSON-RPC handshake, verifies the required tool is registered,
|
||||
and invokes that tool. Results are classified with
|
||||
``probe_source=offline_spawn``.
|
||||
|
||||
This path is useful for offline launch/registration debugging. It does
|
||||
**not** prove the IDE-managed MCP client namespace is healthy (#543). For
|
||||
workflow gates, pass live IDE call evidence with
|
||||
``probe_source=client_namespace`` to ``gitea_assess_mcp_namespace_health``.
|
||||
"""
|
||||
|
||||
import argparse
|
||||
import json
|
||||
import os
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
def run_connection_test(name, config):
|
||||
from mcp_namespace_health import REQUIRED_NAMESPACE_TOOLS, classify_namespace_probe
|
||||
|
||||
|
||||
def _read_json_line(proc):
|
||||
line = proc.stdout.readline()
|
||||
if not line:
|
||||
stderr_content = proc.stderr.read()
|
||||
return None, stderr_content
|
||||
return json.loads(line), None
|
||||
|
||||
|
||||
def _write_message(proc, payload):
|
||||
proc.stdin.write(json.dumps(payload) + "\n")
|
||||
proc.stdin.flush()
|
||||
|
||||
|
||||
def run_connection_test(name, config, *, required_tool=None, config_path=None):
|
||||
print(f"Testing MCP connection for '{name}'...")
|
||||
command = config.get("command")
|
||||
args = config.get("args", [])
|
||||
env = config.get("env", {})
|
||||
tool_name = required_tool or REQUIRED_NAMESPACE_TOOLS.get(name) or "gitea_whoami"
|
||||
|
||||
# Merge current environment
|
||||
run_env = os.environ.copy()
|
||||
@@ -31,8 +56,17 @@ def run_connection_test(name, config):
|
||||
bufsize=1,
|
||||
env=run_env
|
||||
)
|
||||
except Exception as e:
|
||||
print(f" [FAIL] Failed to spawn process: {e}")
|
||||
except Exception as exc:
|
||||
print(f" [FAIL] Failed to spawn process: {exc}")
|
||||
assessment = classify_namespace_probe(
|
||||
name,
|
||||
required_tool=tool_name,
|
||||
probe_result={"success": False, "error": str(exc)},
|
||||
process={"profile": env.get("GITEA_MCP_PROFILE"), "env": env},
|
||||
config_path=config_path,
|
||||
probe_source="offline_spawn",
|
||||
)
|
||||
print(f" diagnostics: {json.dumps(assessment['diagnostics'], sort_keys=True)}")
|
||||
return False
|
||||
|
||||
# Send initialize request
|
||||
@@ -48,26 +82,36 @@ def run_connection_test(name, config):
|
||||
}
|
||||
|
||||
try:
|
||||
proc.stdin.write(json.dumps(init_req) + "\n")
|
||||
proc.stdin.flush()
|
||||
_write_message(proc, init_req)
|
||||
|
||||
# Read response
|
||||
line = proc.stdout.readline()
|
||||
if not line:
|
||||
stderr_content = proc.stderr.read()
|
||||
res, stderr_content = _read_json_line(proc)
|
||||
if res is None:
|
||||
print(f" [FAIL] Received EOF from process. Stderr:\n{stderr_content}")
|
||||
assessment = classify_namespace_probe(
|
||||
name,
|
||||
required_tool=tool_name,
|
||||
probe_result={"success": False, "error": stderr_content or "EOF"},
|
||||
process={
|
||||
"pid": proc.pid,
|
||||
"profile": env.get("GITEA_MCP_PROFILE"),
|
||||
"env": env,
|
||||
},
|
||||
config_path=config_path,
|
||||
probe_source="offline_spawn",
|
||||
)
|
||||
print(f" remediation: {' '.join(assessment['remediation'])}")
|
||||
proc.terminate()
|
||||
return False
|
||||
|
||||
print(f" [OK] Received initialize response: {line.strip()[:150]}...")
|
||||
print(f" [OK] Received initialize response: {str(res)[:150]}...")
|
||||
|
||||
# Send initialized notification
|
||||
init_notif = {
|
||||
"jsonrpc": "2.0",
|
||||
"method": "notifications/initialized"
|
||||
}
|
||||
proc.stdin.write(json.dumps(init_notif) + "\n")
|
||||
proc.stdin.flush()
|
||||
_write_message(proc, init_notif)
|
||||
|
||||
# Send tools/list request
|
||||
list_req = {
|
||||
@@ -76,16 +120,27 @@ def run_connection_test(name, config):
|
||||
"params": {},
|
||||
"id": 2
|
||||
}
|
||||
proc.stdin.write(json.dumps(list_req) + "\n")
|
||||
proc.stdin.flush()
|
||||
_write_message(proc, list_req)
|
||||
|
||||
line = proc.stdout.readline()
|
||||
if not line:
|
||||
res, stderr_content = _read_json_line(proc)
|
||||
if res is None:
|
||||
print(" [FAIL] Received EOF on tools/list request.")
|
||||
assessment = classify_namespace_probe(
|
||||
name,
|
||||
required_tool=tool_name,
|
||||
probe_result={"success": False, "error": stderr_content or "EOF"},
|
||||
process={
|
||||
"pid": proc.pid,
|
||||
"profile": env.get("GITEA_MCP_PROFILE"),
|
||||
"env": env,
|
||||
},
|
||||
config_path=config_path,
|
||||
probe_source="offline_spawn",
|
||||
)
|
||||
print(f" remediation: {' '.join(assessment['remediation'])}")
|
||||
proc.terminate()
|
||||
return False
|
||||
|
||||
res = json.loads(line)
|
||||
if "error" in res:
|
||||
print(f" [FAIL] Server returned error: {res['error']}")
|
||||
proc.terminate()
|
||||
@@ -94,16 +149,115 @@ def run_connection_test(name, config):
|
||||
tools = res.get("result", {}).get("tools", [])
|
||||
tool_names = [t.get("name") for t in tools]
|
||||
print(f" [OK] Successfully retrieved {len(tool_names)} tools: {tool_names[:5]}...")
|
||||
if tool_name not in tool_names:
|
||||
assessment = classify_namespace_probe(
|
||||
name,
|
||||
required_tool=tool_name,
|
||||
registered_tools=tool_names,
|
||||
probe_result={"success": False, "error": "required tool missing"},
|
||||
process={
|
||||
"pid": proc.pid,
|
||||
"profile": env.get("GITEA_MCP_PROFILE"),
|
||||
"env": env,
|
||||
},
|
||||
config_path=config_path,
|
||||
probe_source="offline_spawn",
|
||||
)
|
||||
print(f" [FAIL] Required tool '{tool_name}' is not registered.")
|
||||
print(f" remediation: {' '.join(assessment['remediation'])}")
|
||||
proc.terminate()
|
||||
return False
|
||||
|
||||
call_req = {
|
||||
"jsonrpc": "2.0",
|
||||
"method": "tools/call",
|
||||
"params": {"name": tool_name, "arguments": {}},
|
||||
"id": 3,
|
||||
}
|
||||
_write_message(proc, call_req)
|
||||
|
||||
call_res, stderr_content = _read_json_line(proc)
|
||||
if call_res is None:
|
||||
assessment = classify_namespace_probe(
|
||||
name,
|
||||
required_tool=tool_name,
|
||||
registered_tools=tool_names,
|
||||
probe_result={"success": False, "error": stderr_content or "EOF"},
|
||||
process={
|
||||
"pid": proc.pid,
|
||||
"profile": env.get("GITEA_MCP_PROFILE"),
|
||||
"env": env,
|
||||
},
|
||||
config_path=config_path,
|
||||
probe_source="offline_spawn",
|
||||
)
|
||||
print(f" [FAIL] Received EOF on {tool_name} invocation.")
|
||||
print(f" diagnostics: {json.dumps(assessment['diagnostics'], sort_keys=True)}")
|
||||
print(f" remediation: {' '.join(assessment['remediation'])}")
|
||||
proc.terminate()
|
||||
return False
|
||||
if "error" in call_res:
|
||||
assessment = classify_namespace_probe(
|
||||
name,
|
||||
required_tool=tool_name,
|
||||
registered_tools=tool_names,
|
||||
probe_result={"success": False, "error": call_res["error"]},
|
||||
process={
|
||||
"pid": proc.pid,
|
||||
"profile": env.get("GITEA_MCP_PROFILE"),
|
||||
"env": env,
|
||||
},
|
||||
config_path=config_path,
|
||||
probe_source="offline_spawn",
|
||||
)
|
||||
print(f" [FAIL] {tool_name} invocation returned error: {call_res['error']}")
|
||||
print(f" remediation: {' '.join(assessment['remediation'])}")
|
||||
proc.terminate()
|
||||
return False
|
||||
|
||||
assessment = classify_namespace_probe(
|
||||
name,
|
||||
required_tool=tool_name,
|
||||
registered_tools=tool_names,
|
||||
probe_result={"success": True, "result": call_res.get("result")},
|
||||
process={
|
||||
"pid": proc.pid,
|
||||
"profile": env.get("GITEA_MCP_PROFILE"),
|
||||
"env": env,
|
||||
},
|
||||
config_path=config_path,
|
||||
probe_source="offline_spawn",
|
||||
)
|
||||
print(f" [OK] Successfully invoked required tool '{tool_name}'.")
|
||||
print(f" diagnostics: {json.dumps(assessment['diagnostics'], sort_keys=True)}")
|
||||
|
||||
proc.terminate()
|
||||
return True
|
||||
except Exception as e:
|
||||
print(f" [FAIL] Error during handshake: {e}")
|
||||
except Exception as exc:
|
||||
print(f" [FAIL] Error during handshake: {exc}")
|
||||
proc.terminate()
|
||||
return False
|
||||
|
||||
|
||||
def main():
|
||||
config_path = "/Users/jasonwalker/.gemini/config/mcp_config.json"
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument(
|
||||
"--config",
|
||||
default=os.environ.get(
|
||||
"MCP_CONFIG_PATH",
|
||||
os.path.expanduser("~/.gemini/config/mcp_config.json"),
|
||||
),
|
||||
help="Path to MCP config JSON.",
|
||||
)
|
||||
parser.add_argument(
|
||||
"--namespace",
|
||||
action="append",
|
||||
dest="namespaces",
|
||||
help="Namespace to test. May be repeated.",
|
||||
)
|
||||
args = parser.parse_args()
|
||||
|
||||
config_path = args.config
|
||||
try:
|
||||
with open(config_path) as f:
|
||||
mcp_config = json.load(f)
|
||||
@@ -112,10 +266,16 @@ def main():
|
||||
sys.exit(1)
|
||||
|
||||
servers = mcp_config.get("mcpServers", {})
|
||||
namespaces = args.namespaces or list(REQUIRED_NAMESPACE_TOOLS)
|
||||
failed = False
|
||||
for name in ["gitea-author", "gitea-reviewer"]:
|
||||
for name in namespaces:
|
||||
if name in servers:
|
||||
if not run_connection_test(name, servers[name]):
|
||||
if not run_connection_test(
|
||||
name,
|
||||
servers[name],
|
||||
required_tool=REQUIRED_NAMESPACE_TOOLS.get(name),
|
||||
config_path=config_path,
|
||||
):
|
||||
failed = True
|
||||
else:
|
||||
print(f"Server '{name}' not found in mcp_config.json")
|
||||
|
||||
+44
-1
@@ -1,4 +1,5 @@
|
||||
"""Shared pytest fixtures for the Gitea-Tools test suite."""
|
||||
import os
|
||||
import sys
|
||||
|
||||
import pytest
|
||||
@@ -16,13 +17,46 @@ def _reset_mutation_authority(monkeypatch):
|
||||
the next test. It must never replace verify_mutation_authority with a
|
||||
no-op: individual tests that need a specific authority state set it up
|
||||
explicitly.
|
||||
|
||||
Session-state isolation (#559 / #590 / #594): many tests use
|
||||
``patch.dict(os.environ, ..., clear=True)``, which drops
|
||||
``GITEA_MCP_SESSION_STATE_DIR``. Relying only on the env var therefore
|
||||
re-exposes the operator host cache
|
||||
(``~/.cache/gitea-tools/session-state``) and its review-mutation ledger.
|
||||
Pin ``default_state_dir`` / ``DEFAULT_STATE_DIR`` to a per-test temp dir
|
||||
so durable load/save never touches host state even after env clears.
|
||||
"""
|
||||
monkeypatch.delenv("GITEA_SESSION_PROFILE_LOCK", raising=False)
|
||||
# Isolate durable session-state files so tests never share host cache (#559).
|
||||
import tempfile
|
||||
|
||||
_state_tmp = tempfile.TemporaryDirectory(prefix="gitea-session-state-")
|
||||
monkeypatch.setenv("GITEA_MCP_SESSION_STATE_DIR", _state_tmp.name)
|
||||
state_dir = _state_tmp.name
|
||||
monkeypatch.setenv("GITEA_MCP_SESSION_STATE_DIR", state_dir)
|
||||
try:
|
||||
import mcp_session_state
|
||||
except Exception:
|
||||
mcp_session_state = None
|
||||
if mcp_session_state is not None:
|
||||
# Survive patch.dict(..., clear=True) that drops the env var (#590).
|
||||
# Still honor an explicit GITEA_MCP_SESSION_STATE_DIR when tests set
|
||||
# their own temp dir (see tests/test_mcp_session_state.py).
|
||||
monkeypatch.setattr(
|
||||
mcp_session_state, "DEFAULT_STATE_DIR", state_dir, raising=False
|
||||
)
|
||||
|
||||
def _isolated_default_state_dir(
|
||||
_fallback: str = state_dir,
|
||||
_env_key: str = mcp_session_state.STATE_DIR_ENV,
|
||||
) -> str:
|
||||
raw = (os.environ.get(_env_key) or "").strip()
|
||||
return raw or _fallback
|
||||
|
||||
monkeypatch.setattr(
|
||||
mcp_session_state,
|
||||
"default_state_dir",
|
||||
_isolated_default_state_dir,
|
||||
)
|
||||
try:
|
||||
import mcp_server
|
||||
except Exception:
|
||||
@@ -32,6 +66,7 @@ def _reset_mutation_authority(monkeypatch):
|
||||
monkeypatch.setattr(mcp_server, "_MUTATION_AUTHORITY", None)
|
||||
monkeypatch.setattr(mcp_server, "_IDENTITY_CACHE", {})
|
||||
monkeypatch.setattr(mcp_server, "_REVIEW_DECISION_LOCK", None)
|
||||
monkeypatch.setattr(mcp_server, "_LIVE_NAMESPACE_HEALTH", {})
|
||||
monkeypatch.setattr(mcp_server, "_preflight_whoami_called", False)
|
||||
monkeypatch.setattr(mcp_server, "_preflight_capability_called", False)
|
||||
monkeypatch.setattr(mcp_server, "_preflight_resolved_role", None)
|
||||
@@ -40,6 +75,14 @@ def _reset_mutation_authority(monkeypatch):
|
||||
monkeypatch.setattr(mcp_server, "_preflight_capability_baseline_porcelain", None)
|
||||
monkeypatch.setattr(mcp_server, "_preflight_resolved_task", None)
|
||||
monkeypatch.setattr(mcp_server, "_preflight_reviewer_violation_files", [])
|
||||
# Unit tests must not depend on live host MCP process health. Tests that
|
||||
# use patch.dict(..., clear=True) drop PYTEST_CURRENT_TEST, which would
|
||||
# otherwise re-enable the stale-runtime probe against operator daemons.
|
||||
monkeypatch.setattr(
|
||||
mcp_server,
|
||||
"_check_mcp_runtimes_diagnostics",
|
||||
lambda *args, **kwargs: [],
|
||||
)
|
||||
try:
|
||||
import review_workflow_load
|
||||
review_workflow_load._REVIEW_WORKFLOW_LOAD = None
|
||||
|
||||
@@ -0,0 +1,366 @@
|
||||
"""Tests for controller-owned allocator (#600) on control-plane DB (#613)."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import tempfile
|
||||
import threading
|
||||
import unittest
|
||||
from concurrent.futures import ThreadPoolExecutor, as_completed
|
||||
|
||||
from allocator_service import (
|
||||
OUTCOME_ASSIGNED,
|
||||
OUTCOME_BLOCKED_TERMINAL,
|
||||
OUTCOME_NO_SAFE,
|
||||
OUTCOME_PREVIEW,
|
||||
OUTCOME_WAIT,
|
||||
WorkCandidate,
|
||||
allocate_next_work,
|
||||
candidate_from_dict,
|
||||
classify_skip,
|
||||
expected_role_for_candidate,
|
||||
)
|
||||
from control_plane_db import ControlPlaneDB, InvalidWorkKindError
|
||||
|
||||
|
||||
class AllocatorServiceTest(unittest.TestCase):
|
||||
def setUp(self) -> None:
|
||||
self._tmp = tempfile.TemporaryDirectory()
|
||||
self.db_path = os.path.join(self._tmp.name, "cp.sqlite3")
|
||||
self.db = ControlPlaneDB(self.db_path)
|
||||
|
||||
def tearDown(self) -> None:
|
||||
self._tmp.cleanup()
|
||||
|
||||
def _alloc(self, **kwargs):
|
||||
defaults = dict(
|
||||
db=self.db,
|
||||
session_id="s-test",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="org",
|
||||
repo="repo",
|
||||
candidates=[],
|
||||
apply=False,
|
||||
profile_name="prgs-author",
|
||||
username="jcwalker3",
|
||||
)
|
||||
defaults.update(kwargs)
|
||||
return allocate_next_work(**defaults)
|
||||
|
||||
def test_selects_ready_issue_for_author(self) -> None:
|
||||
cands = [
|
||||
WorkCandidate(
|
||||
kind="issue",
|
||||
number=612,
|
||||
labels=("status:ready",),
|
||||
title="bridge",
|
||||
dependency_unmet=True,
|
||||
dependency_reason="downstream of #600",
|
||||
),
|
||||
WorkCandidate(
|
||||
kind="issue",
|
||||
number=600,
|
||||
labels=("status:ready", "type:feature"),
|
||||
title="allocator",
|
||||
priority=50,
|
||||
),
|
||||
WorkCandidate(
|
||||
kind="issue",
|
||||
number=601,
|
||||
labels=("status:blocked",),
|
||||
title="blocked",
|
||||
blocked=True,
|
||||
),
|
||||
]
|
||||
res = self._alloc(candidates=cands, apply=False)
|
||||
self.assertTrue(res["success"])
|
||||
self.assertEqual(res["outcome"], OUTCOME_PREVIEW)
|
||||
self.assertEqual(res["selected"]["number"], 600)
|
||||
self.assertEqual(res["selected"]["kind"], "issue")
|
||||
# When 600 is highest priority valid work, lower-priority blocked/dep
|
||||
# candidates are not visited. Prove they are skipped when they sort first.
|
||||
res2 = self._alloc(
|
||||
candidates=[
|
||||
WorkCandidate(
|
||||
kind="issue",
|
||||
number=612,
|
||||
labels=("status:ready",),
|
||||
priority=99,
|
||||
dependency_unmet=True,
|
||||
dependency_reason="downstream of #600",
|
||||
),
|
||||
WorkCandidate(
|
||||
kind="issue",
|
||||
number=601,
|
||||
labels=("status:blocked",),
|
||||
priority=98,
|
||||
blocked=True,
|
||||
),
|
||||
WorkCandidate(
|
||||
kind="issue",
|
||||
number=600,
|
||||
labels=("status:ready",),
|
||||
priority=1,
|
||||
),
|
||||
],
|
||||
apply=False,
|
||||
)
|
||||
skipped_nums = {s["number"] for s in res2["skipped"]}
|
||||
self.assertIn(612, skipped_nums)
|
||||
self.assertIn(601, skipped_nums)
|
||||
self.assertEqual(res2["selected"]["number"], 600)
|
||||
self.assertIsNone(res["assignment"])
|
||||
self.assertFalse(res["file_lock_only"])
|
||||
self.assertFalse(res["comment_lease_only"])
|
||||
|
||||
def test_atomic_assign_and_lease_on_apply(self) -> None:
|
||||
cands = [
|
||||
WorkCandidate(
|
||||
kind="issue",
|
||||
number=600,
|
||||
labels=("status:ready",),
|
||||
priority=10,
|
||||
)
|
||||
]
|
||||
res = self._alloc(candidates=cands, apply=True, session_id="s-a")
|
||||
self.assertEqual(res["outcome"], OUTCOME_ASSIGNED)
|
||||
asn = res["assignment"]
|
||||
self.assertEqual(asn["outcome"], "assigned")
|
||||
self.assertIsNotNone(asn["assignment_id"])
|
||||
self.assertIsNotNone(asn["lease_id"])
|
||||
self.assertEqual(asn["work_number"], 600)
|
||||
self.assertIn("implement", asn["allowed_actions"])
|
||||
self.assertIn("merge", asn["forbidden_actions"])
|
||||
proof = res["lease_proof"]
|
||||
self.assertEqual(proof["source"], "control_plane_db.assign_and_lease")
|
||||
|
||||
def test_concurrent_allocators_no_double_assign(self) -> None:
|
||||
cand = WorkCandidate(
|
||||
kind="pr",
|
||||
number=100,
|
||||
head_sha="a" * 40,
|
||||
priority=10,
|
||||
)
|
||||
# Seed work item so both race the same target
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="org",
|
||||
repo="repo",
|
||||
kind="pr",
|
||||
number=100,
|
||||
current_head_sha="a" * 40,
|
||||
)
|
||||
results = []
|
||||
lock = threading.Lock()
|
||||
|
||||
def worker(sid: str):
|
||||
r = allocate_next_work(
|
||||
self.db,
|
||||
session_id=sid,
|
||||
role="reviewer",
|
||||
remote="prgs",
|
||||
org="org",
|
||||
repo="repo",
|
||||
candidates=[cand],
|
||||
apply=True,
|
||||
profile_name="prgs-reviewer",
|
||||
)
|
||||
with lock:
|
||||
results.append(r)
|
||||
|
||||
with ThreadPoolExecutor(max_workers=2) as pool:
|
||||
futs = [pool.submit(worker, f"s-{i}") for i in range(2)]
|
||||
for f in as_completed(futs):
|
||||
f.result()
|
||||
|
||||
outcomes = [r["outcome"] for r in results]
|
||||
self.assertEqual(outcomes.count(OUTCOME_ASSIGNED), 1, outcomes)
|
||||
self.assertEqual(outcomes.count(OUTCOME_WAIT), 1, outcomes)
|
||||
|
||||
def test_blocked_and_dependency_skipped(self) -> None:
|
||||
cands = [
|
||||
WorkCandidate(kind="issue", number=1, blocked=True, labels=("status:blocked",)),
|
||||
WorkCandidate(
|
||||
kind="issue",
|
||||
number=612,
|
||||
labels=("status:ready",),
|
||||
dependency_unmet=True,
|
||||
dependency_reason="downstream of #600",
|
||||
),
|
||||
]
|
||||
res = self._alloc(candidates=cands, apply=True, role="author")
|
||||
self.assertEqual(res["outcome"], OUTCOME_NO_SAFE)
|
||||
self.assertIsNone(res["selected"])
|
||||
reasons = " ".join(s["reason"] for s in res["skipped"])
|
||||
self.assertIn("blocked", reasons.lower())
|
||||
self.assertIn("600", reasons)
|
||||
|
||||
def test_already_leased_returns_wait(self) -> None:
|
||||
self.db.upsert_session(session_id="owner", role="author")
|
||||
self.db.assign_and_lease(
|
||||
session_id="owner",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="org",
|
||||
repo="repo",
|
||||
kind="issue",
|
||||
number=50,
|
||||
)
|
||||
res = self._alloc(
|
||||
session_id="other",
|
||||
candidates=[
|
||||
WorkCandidate(kind="issue", number=50, labels=("status:ready",))
|
||||
],
|
||||
apply=True,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_WAIT)
|
||||
self.assertEqual(res["owner_session_id"], "owner")
|
||||
|
||||
def test_role_ineligible_skipped(self) -> None:
|
||||
# PR with current-head REQUEST_CHANGES expects author, not reviewer.
|
||||
cand = WorkCandidate(
|
||||
kind="pr",
|
||||
number=9,
|
||||
head_sha="b" * 40,
|
||||
request_changes_current_head=True,
|
||||
)
|
||||
self.assertEqual(expected_role_for_candidate(cand), "author")
|
||||
res = self._alloc(
|
||||
role="reviewer",
|
||||
profile_name="prgs-reviewer",
|
||||
candidates=[cand],
|
||||
apply=False,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_NO_SAFE)
|
||||
self.assertTrue(any("expects role" in s["reason"] for s in res["skipped"]))
|
||||
|
||||
def test_terminal_lock_blocks_downstream_reviewer_prs(self) -> None:
|
||||
self.db.set_terminal_lock(
|
||||
remote="prgs",
|
||||
org="org",
|
||||
repo="repo",
|
||||
terminal_pr=10,
|
||||
decision="request_changes",
|
||||
status="active",
|
||||
)
|
||||
cands = [
|
||||
WorkCandidate(kind="pr", number=11, head_sha="c" * 40, priority=5),
|
||||
WorkCandidate(kind="pr", number=10, head_sha="d" * 40, priority=1),
|
||||
]
|
||||
res = self._alloc(
|
||||
role="reviewer",
|
||||
profile_name="prgs-reviewer",
|
||||
candidates=cands,
|
||||
apply=False,
|
||||
)
|
||||
# Terminal PR #10 is selectable; #11 skipped for terminal path.
|
||||
self.assertEqual(res["selected"]["number"], 10)
|
||||
self.assertTrue(
|
||||
any(
|
||||
s["number"] == 11 and "terminal-review lock" in s["reason"]
|
||||
for s in res["skipped"]
|
||||
)
|
||||
)
|
||||
|
||||
def test_terminal_lock_blocks_all_when_only_downstream(self) -> None:
|
||||
self.db.set_terminal_lock(
|
||||
remote="prgs",
|
||||
org="org",
|
||||
repo="repo",
|
||||
terminal_pr=10,
|
||||
decision="request_changes",
|
||||
status="active",
|
||||
)
|
||||
res = self._alloc(
|
||||
role="reviewer",
|
||||
profile_name="prgs-reviewer",
|
||||
candidates=[
|
||||
WorkCandidate(kind="pr", number=99, head_sha="e" * 40),
|
||||
],
|
||||
apply=False,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_BLOCKED_TERMINAL)
|
||||
|
||||
def test_no_work_structured(self) -> None:
|
||||
res = self._alloc(candidates=[], apply=True)
|
||||
self.assertEqual(res["outcome"], OUTCOME_NO_SAFE)
|
||||
self.assertIsNone(res["selected"])
|
||||
self.assertTrue(res["reasons"])
|
||||
|
||||
def test_rejects_incident_kind(self) -> None:
|
||||
with self.assertRaises(InvalidWorkKindError):
|
||||
WorkCandidate(kind="sentry_incident", number=1)
|
||||
|
||||
def test_612_downstream_marker_in_result(self) -> None:
|
||||
res = self._alloc(
|
||||
candidates=[
|
||||
WorkCandidate(kind="issue", number=600, labels=("status:ready",))
|
||||
],
|
||||
apply=True,
|
||||
)
|
||||
self.assertIn("612", res.get("downstream_note", ""))
|
||||
|
||||
def test_substrate_not_file_or_comment_lease(self) -> None:
|
||||
res = self._alloc(
|
||||
candidates=[
|
||||
WorkCandidate(kind="issue", number=1, labels=("status:ready",))
|
||||
],
|
||||
apply=True,
|
||||
)
|
||||
self.assertEqual(res["substrate"], "control_plane_db")
|
||||
self.assertFalse(res["file_lock_only"])
|
||||
self.assertFalse(res["comment_lease_only"])
|
||||
self.assertEqual(
|
||||
res["lease_proof"]["source"], "control_plane_db.assign_and_lease"
|
||||
)
|
||||
|
||||
def test_candidate_from_dict(self) -> None:
|
||||
c = candidate_from_dict(
|
||||
{
|
||||
"kind": "pr",
|
||||
"number": 7,
|
||||
"head_sha": "f" * 40,
|
||||
"approval_on_current_head": True,
|
||||
"mergeable": True,
|
||||
}
|
||||
)
|
||||
self.assertEqual(expected_role_for_candidate(c), "merger")
|
||||
|
||||
def test_merger_gets_clean_approval(self) -> None:
|
||||
c = WorkCandidate(
|
||||
kind="pr",
|
||||
number=3,
|
||||
head_sha="1" * 40,
|
||||
approval_on_current_head=True,
|
||||
mergeable=True,
|
||||
priority=100,
|
||||
)
|
||||
res = self._alloc(
|
||||
role="merger",
|
||||
profile_name="prgs-merger",
|
||||
candidates=[c],
|
||||
apply=True,
|
||||
session_id="merger-1",
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_ASSIGNED)
|
||||
self.assertEqual(res["assignment"]["work_number"], 3)
|
||||
self.assertIn("merge", res["assignment"]["allowed_actions"])
|
||||
|
||||
def test_db_unavailable_fails_closed(self) -> None:
|
||||
res = allocate_next_work(
|
||||
None, # type: ignore[arg-type]
|
||||
session_id="x",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
candidates=[],
|
||||
apply=True,
|
||||
)
|
||||
self.assertFalse(res["success"])
|
||||
self.assertIn("unavailable", res["reasons"][0].lower())
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -82,13 +82,14 @@ class TestPreflightIntegration(unittest.TestCase):
|
||||
control_root = "/repo/Gitea-Tools"
|
||||
with mock.patch.object(mcp_server, "PROJECT_ROOT", control_root):
|
||||
with mock.patch.object(mcp_server, "_enforce_root_checkout_guard"):
|
||||
with mock.patch.dict(
|
||||
"os.environ",
|
||||
{"GITEA_TEST_PORCELAIN": ""},
|
||||
clear=False,
|
||||
):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.verify_preflight_purity()
|
||||
with mock.patch("gitea_auth.get_profile", return_value={"profile_name": "gitea-author"}):
|
||||
with mock.patch.dict(
|
||||
"os.environ",
|
||||
{"GITEA_TEST_PORCELAIN": ""},
|
||||
clear=False,
|
||||
):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.verify_preflight_purity()
|
||||
self.assertIn("Branches-only mutation guard", str(ctx.exception))
|
||||
|
||||
def test_verify_preflight_allows_branches_worktree(self):
|
||||
|
||||
@@ -0,0 +1,824 @@
|
||||
"""Tests for control-plane DB substrate (#613)."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import tempfile
|
||||
import threading
|
||||
import unittest
|
||||
from concurrent.futures import ThreadPoolExecutor, as_completed
|
||||
from datetime import timedelta
|
||||
|
||||
from control_plane_db import (
|
||||
ControlPlaneDB,
|
||||
InvalidWorkKindError,
|
||||
LeaseRequiredError,
|
||||
WORK_KINDS,
|
||||
_ts,
|
||||
_utc_now,
|
||||
)
|
||||
|
||||
|
||||
class ControlPlaneDBTest(unittest.TestCase):
|
||||
def setUp(self) -> None:
|
||||
self._tmp = tempfile.TemporaryDirectory()
|
||||
self.db_path = os.path.join(self._tmp.name, "cp.sqlite3")
|
||||
self.db = ControlPlaneDB(self.db_path)
|
||||
|
||||
def tearDown(self) -> None:
|
||||
self._tmp.cleanup()
|
||||
|
||||
def test_schema_and_architecture_meta(self) -> None:
|
||||
import sqlite3
|
||||
|
||||
conn = sqlite3.connect(self.db_path)
|
||||
try:
|
||||
rows = dict(conn.execute("SELECT key, value FROM schema_meta").fetchall())
|
||||
finally:
|
||||
conn.close()
|
||||
self.assertEqual(rows["schema_version"], "3")
|
||||
self.assertIn("DB coordinates", rows["architecture"])
|
||||
self.assertIn("bridge", rows["architecture"].lower())
|
||||
|
||||
def test_rejects_raw_incident_as_work_kind(self) -> None:
|
||||
with self.assertRaises(InvalidWorkKindError):
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="org",
|
||||
repo="repo",
|
||||
kind="sentry_incident",
|
||||
number=1,
|
||||
)
|
||||
with self.assertRaises(InvalidWorkKindError):
|
||||
self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="org",
|
||||
repo="repo",
|
||||
kind="glitchtip_incident",
|
||||
number=9,
|
||||
)
|
||||
self.assertEqual(WORK_KINDS, frozenset({"issue", "pr"}))
|
||||
|
||||
def test_atomic_assign_and_lease_fields(self) -> None:
|
||||
self.db.upsert_session(session_id="s-a", role="author", profile="prgs-author")
|
||||
result = self.db.assign_and_lease(
|
||||
session_id="s-a",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
kind="issue",
|
||||
number=613,
|
||||
expected_head_sha="abc123",
|
||||
allowed_actions=("implement", "comment"),
|
||||
forbidden_actions=("approve", "merge"),
|
||||
)
|
||||
self.assertEqual(result.outcome, "assigned")
|
||||
self.assertIsNotNone(result.assignment_id)
|
||||
self.assertIsNotNone(result.lease_id)
|
||||
self.assertEqual(result.role, "author")
|
||||
self.assertEqual(result.work_kind, "issue")
|
||||
self.assertEqual(result.work_number, 613)
|
||||
self.assertEqual(result.expected_head_sha, "abc123")
|
||||
self.assertIn("implement", result.allowed_actions)
|
||||
self.assertIn("merge", result.forbidden_actions)
|
||||
self.assertIsNotNone(result.expires_at)
|
||||
|
||||
def test_second_session_waits_on_foreign_lease(self) -> None:
|
||||
self.db.upsert_session(session_id="s1", role="author")
|
||||
self.db.upsert_session(session_id="s2", role="author")
|
||||
first = self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=100,
|
||||
expected_head_sha="deadbeef",
|
||||
)
|
||||
self.assertEqual(first.outcome, "assigned")
|
||||
second = self.db.assign_and_lease(
|
||||
session_id="s2",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=100,
|
||||
expected_head_sha="deadbeef",
|
||||
)
|
||||
self.assertEqual(second.outcome, "wait")
|
||||
self.assertEqual(second.owner_session_id, "s1")
|
||||
|
||||
def test_owner_resume_refreshes_lease(self) -> None:
|
||||
self.db.upsert_session(session_id="s1", role="reviewer")
|
||||
a = self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="reviewer",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=50,
|
||||
expected_head_sha="head-50",
|
||||
)
|
||||
b = self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="reviewer",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=50,
|
||||
expected_head_sha="head-50",
|
||||
)
|
||||
self.assertEqual(b.outcome, "assigned")
|
||||
self.assertEqual(b.lease_id, a.lease_id)
|
||||
self.assertIn("owner-resume", b.reason)
|
||||
|
||||
def test_require_valid_assignment_gates_mutations(self) -> None:
|
||||
self.db.upsert_session(session_id="s1", role="author")
|
||||
self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=7,
|
||||
allowed_actions=("implement",),
|
||||
forbidden_actions=("merge",),
|
||||
)
|
||||
proof = self.db.require_valid_assignment(
|
||||
session_id="s1",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=7,
|
||||
action="implement",
|
||||
)
|
||||
self.assertEqual(proof["session_id"], "s1")
|
||||
with self.assertRaises(LeaseRequiredError):
|
||||
self.db.require_valid_assignment(
|
||||
session_id="s1",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=7,
|
||||
action="merge",
|
||||
)
|
||||
with self.assertRaises(LeaseRequiredError):
|
||||
self.db.require_valid_assignment(
|
||||
session_id="s-other",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=7,
|
||||
action="implement",
|
||||
)
|
||||
|
||||
def test_expired_lease_allows_reassign(self) -> None:
|
||||
self.db.upsert_session(session_id="s1", role="author")
|
||||
self.db.upsert_session(session_id="s2", role="author")
|
||||
past = _utc_now() - timedelta(hours=1)
|
||||
# Create lease already expired by using negative TTL edge via direct assign then expire
|
||||
assigned = self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=3,
|
||||
lease_ttl_seconds=1,
|
||||
)
|
||||
self.assertEqual(assigned.outcome, "assigned")
|
||||
# Force expiry in DB
|
||||
import sqlite3
|
||||
|
||||
conn = sqlite3.connect(self.db_path)
|
||||
try:
|
||||
conn.execute(
|
||||
"UPDATE leases SET expires_at = ? WHERE lease_id = ?",
|
||||
(_ts(past), assigned.lease_id),
|
||||
)
|
||||
conn.commit()
|
||||
finally:
|
||||
conn.close()
|
||||
n = self.db.expire_stale_leases()
|
||||
self.assertGreaterEqual(n, 1)
|
||||
second = self.db.assign_and_lease(
|
||||
session_id="s2",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=3,
|
||||
)
|
||||
self.assertEqual(second.outcome, "assigned")
|
||||
self.assertEqual(second.session_id, "s2")
|
||||
|
||||
def test_merged_work_never_assigned(self) -> None:
|
||||
self.db.upsert_session(session_id="s1", role="merger")
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=99,
|
||||
state="merged",
|
||||
)
|
||||
result = self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="merger",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=99,
|
||||
expected_head_sha="merged-head",
|
||||
)
|
||||
self.assertEqual(result.outcome, "no_safe_work")
|
||||
|
||||
def test_four_concurrent_sessions_unique_assignments(self) -> None:
|
||||
"""Four concurrent assigners on four different issues — all succeed uniquely.
|
||||
|
||||
Also two concurrent assigners on the *same* issue: at most one assigned.
|
||||
"""
|
||||
for i in range(4):
|
||||
self.db.upsert_session(session_id=f"sess-{i}", role="author")
|
||||
|
||||
def claim_unique(i: int):
|
||||
return self.db.assign_and_lease(
|
||||
session_id=f"sess-{i}",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=1000 + i,
|
||||
)
|
||||
|
||||
with ThreadPoolExecutor(max_workers=4) as pool:
|
||||
results = [f.result() for f in as_completed([pool.submit(claim_unique, i) for i in range(4)])]
|
||||
self.assertEqual({r.outcome for r in results}, {"assigned"})
|
||||
numbers = sorted(r.work_number for r in results)
|
||||
self.assertEqual(numbers, [1000, 1001, 1002, 1003])
|
||||
|
||||
# Contention on one item
|
||||
self.db.upsert_session(session_id="c1", role="author")
|
||||
self.db.upsert_session(session_id="c2", role="author")
|
||||
self.db.upsert_session(session_id="c3", role="author")
|
||||
self.db.upsert_session(session_id="c4", role="author")
|
||||
barrier = threading.Barrier(4)
|
||||
outcomes: list[str] = []
|
||||
lock = threading.Lock()
|
||||
|
||||
def contend(sid: str) -> None:
|
||||
barrier.wait()
|
||||
res = self.db.assign_and_lease(
|
||||
session_id=sid,
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=7777,
|
||||
)
|
||||
with lock:
|
||||
outcomes.append(res.outcome)
|
||||
|
||||
threads = [threading.Thread(target=contend, args=(f"c{i}",)) for i in range(1, 5)]
|
||||
for t in threads:
|
||||
t.start()
|
||||
for t in threads:
|
||||
t.join()
|
||||
self.assertEqual(outcomes.count("assigned"), 1)
|
||||
self.assertEqual(outcomes.count("wait"), 3)
|
||||
|
||||
def test_terminal_lock_index(self) -> None:
|
||||
self.db.set_terminal_lock(
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
terminal_pr=332,
|
||||
review_id="rev-1",
|
||||
decision="approve",
|
||||
)
|
||||
row = self.db.get_active_terminal_lock(remote="prgs", org="o", repo="r")
|
||||
self.assertIsNotNone(row)
|
||||
assert row is not None
|
||||
self.assertEqual(row["terminal_pr"], 332)
|
||||
self.assertEqual(row["status"], "active")
|
||||
|
||||
def test_incident_links_not_work_items(self) -> None:
|
||||
link = self.db.upsert_incident_link(
|
||||
provider="sentry",
|
||||
provider_base_url="https://sentry.prgs.cc",
|
||||
provider_org="prgs",
|
||||
provider_project="gitea-tools-mcp",
|
||||
provider_issue_id="12345",
|
||||
gitea_org="Scaled-Tech-Consulting",
|
||||
gitea_repo="Gitea-Tools",
|
||||
gitea_issue_number=9001,
|
||||
fingerprint="fp-1",
|
||||
)
|
||||
self.assertEqual(link["gitea_issue_number"], 9001)
|
||||
found = self.db.get_incident_link_for_gitea_issue(
|
||||
gitea_org="Scaled-Tech-Consulting",
|
||||
gitea_repo="Gitea-Tools",
|
||||
gitea_issue_number=9001,
|
||||
)
|
||||
self.assertIsNotNone(found)
|
||||
# Linking does not create a work_item of incident kind
|
||||
with self.assertRaises(InvalidWorkKindError):
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
kind="sentry",
|
||||
number=12345,
|
||||
)
|
||||
|
||||
def test_heartbeat_and_release(self) -> None:
|
||||
self.db.upsert_session(session_id="s1", role="author")
|
||||
a = self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=1,
|
||||
)
|
||||
hb = self.db.heartbeat_lease(a.lease_id, session_id="s1")
|
||||
self.assertEqual(hb["lease_id"], a.lease_id)
|
||||
self.db.release_lease(a.lease_id, session_id="s1")
|
||||
# After release another session can claim
|
||||
self.db.upsert_session(session_id="s2", role="author")
|
||||
b = self.db.assign_and_lease(
|
||||
session_id="s2",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=1,
|
||||
)
|
||||
self.assertEqual(b.outcome, "assigned")
|
||||
self.assertEqual(b.session_id, "s2")
|
||||
|
||||
def test_require_valid_assignment_rejects_stale_head(self) -> None:
|
||||
"""Assignment must not authorize mutations after work-item head drifts."""
|
||||
self.db.upsert_session(session_id="s1", role="author")
|
||||
self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=42,
|
||||
expected_head_sha="head-v1",
|
||||
allowed_actions=("implement",),
|
||||
)
|
||||
# Head drifts after assignment
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=42,
|
||||
current_head_sha="head-v2",
|
||||
)
|
||||
with self.assertRaises(LeaseRequiredError) as ctx:
|
||||
self.db.require_valid_assignment(
|
||||
session_id="s1",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=42,
|
||||
action="implement",
|
||||
)
|
||||
self.assertIn("stale head", str(ctx.exception).lower())
|
||||
|
||||
def test_require_valid_assignment_rejects_terminal_state(self) -> None:
|
||||
"""Assignment must not authorize mutations after work item is merged/closed."""
|
||||
self.db.upsert_session(session_id="s1", role="author")
|
||||
self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=55,
|
||||
expected_head_sha="abc",
|
||||
allowed_actions=("implement",),
|
||||
)
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=55,
|
||||
state="merged",
|
||||
current_head_sha="abc",
|
||||
)
|
||||
with self.assertRaises(LeaseRequiredError) as ctx:
|
||||
self.db.require_valid_assignment(
|
||||
session_id="s1",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=55,
|
||||
action="implement",
|
||||
)
|
||||
self.assertIn("terminal", str(ctx.exception).lower())
|
||||
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=56,
|
||||
state="open",
|
||||
)
|
||||
self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=56,
|
||||
allowed_actions=("implement",),
|
||||
)
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=56,
|
||||
state="closed",
|
||||
)
|
||||
with self.assertRaises(LeaseRequiredError):
|
||||
self.db.require_valid_assignment(
|
||||
session_id="s1",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="issue",
|
||||
number=56,
|
||||
action="implement",
|
||||
)
|
||||
|
||||
def test_pr_assignment_requires_expected_head_sha(self) -> None:
|
||||
"""PR assign and mutation must fail closed without a head pin."""
|
||||
self.db.upsert_session(session_id="s1", role="author")
|
||||
with self.assertRaises(LeaseRequiredError) as ctx:
|
||||
self.db.assign_and_lease(
|
||||
session_id="s1",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=88,
|
||||
expected_head_sha=None,
|
||||
allowed_actions=("implement",),
|
||||
)
|
||||
self.assertIn("expected_head_sha", str(ctx.exception))
|
||||
|
||||
# Legacy path: force an unpinned PR assignment into the DB, then
|
||||
# populate head and prove mutation is still rejected.
|
||||
import sqlite3
|
||||
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=89,
|
||||
current_head_sha=None,
|
||||
)
|
||||
conn = sqlite3.connect(self.db_path)
|
||||
try:
|
||||
wid = conn.execute(
|
||||
"SELECT work_item_id FROM work_items WHERE kind='pr' AND number=89"
|
||||
).fetchone()[0]
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO sessions(session_id, role, started_at, last_heartbeat_at, status)
|
||||
VALUES ('legacy', 'author', '2020-01-01T00:00:00Z', '2020-01-01T00:00:00Z', 'active')
|
||||
"""
|
||||
)
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO leases(
|
||||
lease_id, work_item_id, session_id, role, phase,
|
||||
expires_at, heartbeat_at, status
|
||||
) VALUES (
|
||||
'lease-legacy', ?, 'legacy', 'author', 'claimed',
|
||||
'2099-01-01T00:00:00Z', '2020-01-01T00:00:00Z', 'active'
|
||||
)
|
||||
""",
|
||||
(wid,),
|
||||
)
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO assignments(
|
||||
assignment_id, work_item_id, session_id, lease_id,
|
||||
allowed_actions, forbidden_actions, expected_head_sha,
|
||||
role, status, created_at
|
||||
) VALUES (
|
||||
'asn-legacy', ?, 'legacy', 'lease-legacy',
|
||||
'["implement"]', '["merge"]', NULL,
|
||||
'author', 'active', '2020-01-01T00:00:00Z'
|
||||
)
|
||||
""",
|
||||
(wid,),
|
||||
)
|
||||
conn.commit()
|
||||
finally:
|
||||
conn.close()
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=89,
|
||||
current_head_sha="populated-head",
|
||||
)
|
||||
with self.assertRaises(LeaseRequiredError) as ctx2:
|
||||
self.db.require_valid_assignment(
|
||||
session_id="legacy",
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="pr",
|
||||
number=89,
|
||||
action="implement",
|
||||
)
|
||||
self.assertIn("expected_head_sha pin", str(ctx2.exception))
|
||||
|
||||
def test_migrate_duplicate_null_scope_incident_links(self) -> None:
|
||||
"""Legacy NULL-scope duplicates must migrate without UNIQUE crash."""
|
||||
import sqlite3
|
||||
|
||||
from control_plane_db import ControlPlaneDB, ControlPlaneError
|
||||
|
||||
# Build a v1-like table with nullable scope columns and insert dups
|
||||
# that collapse under normalization, then open ControlPlaneDB on it.
|
||||
path = os.path.join(self._tmp.name, "legacy_dups.sqlite3")
|
||||
conn = sqlite3.connect(path)
|
||||
try:
|
||||
conn.executescript(
|
||||
"""
|
||||
CREATE TABLE schema_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL);
|
||||
CREATE TABLE incident_links (
|
||||
link_id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
provider TEXT NOT NULL,
|
||||
provider_base_url TEXT,
|
||||
provider_org TEXT,
|
||||
provider_project TEXT,
|
||||
provider_issue_id TEXT NOT NULL,
|
||||
provider_short_id TEXT,
|
||||
provider_permalink TEXT,
|
||||
fingerprint TEXT,
|
||||
gitea_org TEXT NOT NULL,
|
||||
gitea_repo TEXT NOT NULL,
|
||||
gitea_issue_number INTEGER NOT NULL,
|
||||
linked_pr_numbers TEXT,
|
||||
first_seen TEXT,
|
||||
last_seen TEXT,
|
||||
event_count INTEGER,
|
||||
status TEXT NOT NULL DEFAULT 'open',
|
||||
release_resolved_at TEXT,
|
||||
last_sync_at TEXT,
|
||||
UNIQUE (
|
||||
provider, provider_base_url, provider_org,
|
||||
provider_project, provider_issue_id
|
||||
)
|
||||
);
|
||||
INSERT INTO incident_links(
|
||||
provider, provider_base_url, provider_org, provider_project,
|
||||
provider_issue_id, gitea_org, gitea_repo, gitea_issue_number, status
|
||||
) VALUES
|
||||
('sentry', NULL, NULL, NULL, 'dup-1', 'org', 'repo', 10, 'open'),
|
||||
('sentry', NULL, NULL, NULL, 'dup-1', 'org', 'repo', 10, 'open');
|
||||
"""
|
||||
)
|
||||
# SQLite allows two NULL-scope rows with same provider/issue under UNIQUE.
|
||||
n = conn.execute("SELECT COUNT(*) FROM incident_links").fetchone()[0]
|
||||
self.assertEqual(n, 2)
|
||||
conn.commit()
|
||||
finally:
|
||||
conn.close()
|
||||
|
||||
db = ControlPlaneDB(path)
|
||||
conn2 = sqlite3.connect(path)
|
||||
try:
|
||||
n2 = conn2.execute("SELECT COUNT(*) FROM incident_links").fetchone()[0]
|
||||
rows = conn2.execute(
|
||||
"SELECT provider_base_url, provider_org, provider_project, gitea_issue_number "
|
||||
"FROM incident_links"
|
||||
).fetchall()
|
||||
finally:
|
||||
conn2.close()
|
||||
self.assertEqual(n2, 1)
|
||||
self.assertEqual(rows[0][0], "")
|
||||
self.assertEqual(rows[0][1], "")
|
||||
self.assertEqual(rows[0][2], "")
|
||||
self.assertEqual(rows[0][3], 10)
|
||||
# Touch to silence unused import in type checkers if needed
|
||||
self.assertTrue(issubclass(ControlPlaneError, Exception))
|
||||
del db
|
||||
|
||||
def test_migrate_conflicting_duplicate_incident_links_fails_closed(self) -> None:
|
||||
"""Conflicting Gitea targets for the same provider key must fail closed."""
|
||||
import sqlite3
|
||||
from control_plane_db import ControlPlaneDB, ControlPlaneError
|
||||
|
||||
path = os.path.join(self._tmp.name, "legacy_conflict.sqlite3")
|
||||
conn = sqlite3.connect(path)
|
||||
try:
|
||||
conn.executescript(
|
||||
"""
|
||||
CREATE TABLE incident_links (
|
||||
link_id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
provider TEXT NOT NULL,
|
||||
provider_base_url TEXT,
|
||||
provider_org TEXT,
|
||||
provider_project TEXT,
|
||||
provider_issue_id TEXT NOT NULL,
|
||||
gitea_org TEXT NOT NULL,
|
||||
gitea_repo TEXT NOT NULL,
|
||||
gitea_issue_number INTEGER NOT NULL,
|
||||
status TEXT NOT NULL DEFAULT 'open',
|
||||
UNIQUE (
|
||||
provider, provider_base_url, provider_org,
|
||||
provider_project, provider_issue_id
|
||||
)
|
||||
);
|
||||
INSERT INTO incident_links(
|
||||
provider, provider_base_url, provider_org, provider_project,
|
||||
provider_issue_id, gitea_org, gitea_repo, gitea_issue_number
|
||||
) VALUES
|
||||
('sentry', NULL, NULL, NULL, 'dup-c', 'org', 'repo', 1),
|
||||
('sentry', NULL, NULL, NULL, 'dup-c', 'org', 'repo', 2);
|
||||
"""
|
||||
)
|
||||
conn.commit()
|
||||
finally:
|
||||
conn.close()
|
||||
|
||||
with self.assertRaises(ControlPlaneError) as ctx:
|
||||
ControlPlaneDB(path)
|
||||
self.assertIn("conflicting", str(ctx.exception).lower())
|
||||
|
||||
def test_migrate_conflicting_observation_metadata_fails_closed(self) -> None:
|
||||
"""Same provider key + same Gitea target but differing obs metadata must fail closed.
|
||||
|
||||
Regression for silent data loss: migration used to keep lowest link_id and
|
||||
delete peers after comparing only Gitea targets (#619 RC3).
|
||||
"""
|
||||
import sqlite3
|
||||
from control_plane_db import ControlPlaneDB, ControlPlaneError
|
||||
|
||||
path = os.path.join(self._tmp.name, "legacy_meta_conflict.sqlite3")
|
||||
conn = sqlite3.connect(path)
|
||||
try:
|
||||
conn.executescript(
|
||||
"""
|
||||
CREATE TABLE schema_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL);
|
||||
CREATE TABLE incident_links (
|
||||
link_id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
provider TEXT NOT NULL,
|
||||
provider_base_url TEXT,
|
||||
provider_org TEXT,
|
||||
provider_project TEXT,
|
||||
provider_issue_id TEXT NOT NULL,
|
||||
provider_short_id TEXT,
|
||||
provider_permalink TEXT,
|
||||
fingerprint TEXT,
|
||||
gitea_org TEXT NOT NULL,
|
||||
gitea_repo TEXT NOT NULL,
|
||||
gitea_issue_number INTEGER NOT NULL,
|
||||
linked_pr_numbers TEXT,
|
||||
first_seen TEXT,
|
||||
last_seen TEXT,
|
||||
event_count INTEGER,
|
||||
status TEXT NOT NULL DEFAULT 'open',
|
||||
release_resolved_at TEXT,
|
||||
last_sync_at TEXT,
|
||||
UNIQUE (
|
||||
provider, provider_base_url, provider_org,
|
||||
provider_project, provider_issue_id
|
||||
)
|
||||
);
|
||||
INSERT INTO incident_links(
|
||||
provider, provider_base_url, provider_org, provider_project,
|
||||
provider_issue_id, provider_permalink, fingerprint,
|
||||
gitea_org, gitea_repo, gitea_issue_number,
|
||||
event_count, status, first_seen, last_seen
|
||||
) VALUES
|
||||
(
|
||||
'sentry', NULL, NULL, NULL, 'dup-meta',
|
||||
'https://sentry.example/issues/1', 'fingerprint-A',
|
||||
'org', 'repo', 42,
|
||||
1, 'open', '2026-01-01T00:00:00Z', '2026-01-01T01:00:00Z'
|
||||
),
|
||||
(
|
||||
'sentry', NULL, NULL, NULL, 'dup-meta',
|
||||
'https://sentry.example/issues/1', 'fingerprint-B',
|
||||
'org', 'repo', 42,
|
||||
99, 'resolved', '2026-01-01T00:00:00Z', '2026-01-02T00:00:00Z'
|
||||
);
|
||||
"""
|
||||
)
|
||||
n = conn.execute("SELECT COUNT(*) FROM incident_links").fetchone()[0]
|
||||
self.assertEqual(n, 2)
|
||||
conn.commit()
|
||||
finally:
|
||||
conn.close()
|
||||
|
||||
with self.assertRaises(ControlPlaneError) as ctx:
|
||||
ControlPlaneDB(path)
|
||||
msg = str(ctx.exception).lower()
|
||||
self.assertIn("conflicting", msg)
|
||||
self.assertIn("observation metadata", msg)
|
||||
|
||||
# Rows must still be present — migration must not delete before failing.
|
||||
conn2 = sqlite3.connect(path)
|
||||
try:
|
||||
remaining = conn2.execute("SELECT COUNT(*) FROM incident_links").fetchone()[0]
|
||||
fps = {
|
||||
r[0]
|
||||
for r in conn2.execute(
|
||||
"SELECT fingerprint FROM incident_links ORDER BY link_id"
|
||||
).fetchall()
|
||||
}
|
||||
finally:
|
||||
conn2.close()
|
||||
self.assertEqual(remaining, 2)
|
||||
self.assertEqual(fps, {"fingerprint-A", "fingerprint-B"})
|
||||
|
||||
def test_incident_links_minimal_upsert_is_canonical(self) -> None:
|
||||
"""Repeated minimal upserts must update one row (NULL-safe uniqueness)."""
|
||||
a = self.db.upsert_incident_link(
|
||||
provider="sentry",
|
||||
provider_issue_id="inc-1",
|
||||
gitea_org="org",
|
||||
gitea_repo="repo",
|
||||
gitea_issue_number=1,
|
||||
)
|
||||
b = self.db.upsert_incident_link(
|
||||
provider="sentry",
|
||||
provider_issue_id="inc-1",
|
||||
gitea_org="org",
|
||||
gitea_repo="repo",
|
||||
gitea_issue_number=2,
|
||||
# omit optional scope fields again
|
||||
)
|
||||
c = self.db.upsert_incident_link(
|
||||
provider="sentry",
|
||||
provider_issue_id="inc-1",
|
||||
gitea_org="org",
|
||||
gitea_repo="repo",
|
||||
gitea_issue_number=3,
|
||||
provider_base_url=None,
|
||||
provider_org="",
|
||||
provider_project=" ",
|
||||
)
|
||||
self.assertEqual(a["link_id"], b["link_id"])
|
||||
self.assertEqual(b["link_id"], c["link_id"])
|
||||
self.assertEqual(c["gitea_issue_number"], 3)
|
||||
self.assertEqual(c["provider_base_url"], "")
|
||||
self.assertEqual(c["provider_org"], "")
|
||||
self.assertEqual(c["provider_project"], "")
|
||||
|
||||
import sqlite3
|
||||
|
||||
conn = sqlite3.connect(self.db_path)
|
||||
try:
|
||||
n = conn.execute(
|
||||
"SELECT COUNT(*) FROM incident_links WHERE provider_issue_id = ?",
|
||||
("inc-1",),
|
||||
).fetchone()[0]
|
||||
finally:
|
||||
conn.close()
|
||||
self.assertEqual(n, 1)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -0,0 +1,113 @@
|
||||
"""Controller-closure baseline-proof gate tests (#529, criterion 6)."""
|
||||
|
||||
import unittest
|
||||
|
||||
from controller_closure_baseline_proof import (
|
||||
assess_controller_closure_baseline_proof,
|
||||
)
|
||||
from premerge_baseline_proof import (
|
||||
CLEAN_PASS,
|
||||
PREMERGE_BASELINE_PROVEN_FAILURE,
|
||||
UNRESOLVED_REGRESSION_RISK,
|
||||
)
|
||||
from final_report_validator import assess_final_report_validator
|
||||
|
||||
# Complete pre-merge proof fields for a baseline claim (see #533).
|
||||
_PROOF_FIELDS = (
|
||||
"Pre-merge base commit: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b\n"
|
||||
"Tested commit: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b\n"
|
||||
"Command: venv/bin/python -m pytest tests/test_foo.py -q\n"
|
||||
"Exit status: 1\n"
|
||||
"Failure signature: AssertionError: None is not true\n"
|
||||
)
|
||||
|
||||
|
||||
class TestControllerClosureBaselineProof(unittest.TestCase):
|
||||
def test_empty_report_skipped_and_allowed(self):
|
||||
result = assess_controller_closure_baseline_proof("")
|
||||
self.assertFalse(result["block"])
|
||||
self.assertTrue(result["skipped"])
|
||||
self.assertEqual(result["label"], CLEAN_PASS)
|
||||
|
||||
def test_none_report_allowed(self):
|
||||
result = assess_controller_closure_baseline_proof(None)
|
||||
self.assertFalse(result["block"])
|
||||
self.assertTrue(result["skipped"])
|
||||
|
||||
def test_clean_pass_closure_allowed(self):
|
||||
result = assess_controller_closure_baseline_proof(
|
||||
"Closing #529. Validation: full suite passed, exit status 0. Clean pass."
|
||||
)
|
||||
self.assertFalse(result["block"])
|
||||
self.assertEqual(result["label"], CLEAN_PASS)
|
||||
|
||||
def test_expected_preexisting_failure_without_proof_blocked(self):
|
||||
report = (
|
||||
"Closing #529. Full suite: 1 failed. This is an expected "
|
||||
"pre-existing failure, safe to close."
|
||||
)
|
||||
result = assess_controller_closure_baseline_proof(report)
|
||||
self.assertTrue(result["block"])
|
||||
self.assertFalse(result["proven"])
|
||||
self.assertEqual(result["label"], UNRESOLVED_REGRESSION_RISK)
|
||||
self.assertTrue(result["reasons"])
|
||||
self.assertTrue(result["safe_next_action"])
|
||||
|
||||
def test_current_master_reproduction_only_blocked(self):
|
||||
report = (
|
||||
"Closing #529. Full suite: 1 failed. Pre-existing baseline failure — "
|
||||
"reproduced on current master after merge.\n"
|
||||
"Command: venv/bin/python -m pytest tests/test_foo.py -q\n"
|
||||
"Exit status: 1\n"
|
||||
"Failure signature: AssertionError: None is not true\n"
|
||||
)
|
||||
result = assess_controller_closure_baseline_proof(report)
|
||||
self.assertTrue(result["block"])
|
||||
|
||||
def test_proven_baseline_closure_allowed(self):
|
||||
report = (
|
||||
"Closing #529. Full suite: 1 failed, an expected pre-existing "
|
||||
"baseline failure proven on the PR pre-merge base commit.\n"
|
||||
+ _PROOF_FIELDS
|
||||
)
|
||||
result = assess_controller_closure_baseline_proof(report)
|
||||
self.assertFalse(result["block"])
|
||||
self.assertEqual(result["label"], PREMERGE_BASELINE_PROVEN_FAILURE)
|
||||
|
||||
|
||||
class TestControllerCloseTaskKind(unittest.TestCase):
|
||||
"""The composable validator must cover the controller_close task kind."""
|
||||
|
||||
def test_controller_close_blocks_unproven_baseline(self):
|
||||
report = (
|
||||
"Full suite: 1 failed. Expected pre-existing failure, closing the "
|
||||
"tracking issue."
|
||||
)
|
||||
result = assess_final_report_validator(report, "controller_close")
|
||||
self.assertTrue(result["blocked"])
|
||||
self.assertTrue(
|
||||
any(
|
||||
"premerge_baseline_proof" in f["rule_id"]
|
||||
for f in result["findings"]
|
||||
)
|
||||
)
|
||||
|
||||
def test_controller_close_alias_close_issue(self):
|
||||
report = (
|
||||
"Full suite: 1 failed. Expected pre-existing failure, closing the "
|
||||
"tracking issue."
|
||||
)
|
||||
result = assess_final_report_validator(report, "close_issue")
|
||||
self.assertTrue(result["blocked"])
|
||||
|
||||
def test_controller_close_allows_proven_baseline(self):
|
||||
report = (
|
||||
"Full suite: 1 failed, expected pre-existing baseline failure proven "
|
||||
"on the PR pre-merge base commit.\n" + _PROOF_FIELDS
|
||||
)
|
||||
result = assess_final_report_validator(report, "controller_close")
|
||||
self.assertFalse(result["blocked"])
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -11,7 +11,11 @@ import gitea_mcp_server as srv
|
||||
|
||||
FAKE_AUTH = {"Authorization": "token test-token"}
|
||||
# Stable control checkout (parent of branches/), not the MCP server worktree root.
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
PROJECT_ROOT = srv.PROJECT_ROOT
|
||||
|
||||
|
||||
|
||||
@@ -781,6 +781,103 @@ class TestMergePrRules(unittest.TestCase):
|
||||
self.assertEqual(result["grade"], "A")
|
||||
self.assertFalse(result["blocked"])
|
||||
|
||||
def test_manual_seeded_lease_claim_blocks_without_mcp_evidence(self):
|
||||
lines = [
|
||||
"## Controller Handoff",
|
||||
"",
|
||||
"- Task: merge PR #203",
|
||||
"- Repo: Scaled-Tech-Consulting/Gitea-Tools",
|
||||
"- Role: merger",
|
||||
"- Identity: sysadmin / prgs-merger",
|
||||
"- Issue/PR: #182 / PR #203",
|
||||
"- Branch/SHA: feat/x @ 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Files changed: review_proofs.py",
|
||||
"- Validation: pytest in branches/review-203",
|
||||
"- Mutations: merge completed",
|
||||
"- File edits by reviewer: none",
|
||||
"- Worktree/index mutations: none",
|
||||
"- Git ref mutations: git fetch prgs master",
|
||||
"- MCP/Gitea mutations: merge completed",
|
||||
"- Review mutations: none",
|
||||
"- Merge mutations: merged using manually seeded lease proof",
|
||||
"- Cleanup mutations: none",
|
||||
"- External-state mutations: none",
|
||||
"- Read-only diagnostics: metadata check",
|
||||
"- Current status: PR merged",
|
||||
"- Blockers: none",
|
||||
"- Next: none",
|
||||
"- Safety: review and merge are separate roles",
|
||||
"- Selected PR: #203",
|
||||
"- Pinned reviewed head: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Reviewed head SHA: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Final live head SHA before approval: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Final live head SHA before merge: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Push occurred during validation: no",
|
||||
"- Active profile: prgs-merger",
|
||||
"- Role kind: merger",
|
||||
"- Merge capability source: profile",
|
||||
"- Explicit operator authorization: MERGE PR 203",
|
||||
"- Expected head SHA: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Approval at current head: yes",
|
||||
"- Merge result: PR merged successfully",
|
||||
"- Cleanup status: complete",
|
||||
]
|
||||
report = "\n".join(lines)
|
||||
result = assess_final_report_validator(report, "merge_pr")
|
||||
self.assertTrue(result["blocked"])
|
||||
codes = {f.get("rule_id") for f in result.get("findings") or []}
|
||||
self.assertIn("shared.manual_lease_proof_handoff", codes)
|
||||
|
||||
def test_manual_seeded_claim_allowed_when_adoption_cited(self):
|
||||
lines = [
|
||||
"## Controller Handoff",
|
||||
"",
|
||||
"- Task: merge PR #203",
|
||||
"- Repo: Scaled-Tech-Consulting/Gitea-Tools",
|
||||
"- Role: merger",
|
||||
"- Identity: sysadmin / prgs-merger",
|
||||
"- Issue/PR: #182 / PR #203",
|
||||
"- Branch/SHA: feat/x @ 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Files changed: review_proofs.py",
|
||||
"- Validation: pytest in branches/review-203",
|
||||
"- Mutations: merge completed",
|
||||
"- File edits by reviewer: none",
|
||||
"- Worktree/index mutations: none",
|
||||
"- Git ref mutations: git fetch prgs master",
|
||||
"- MCP/Gitea mutations: gitea_adopt_merger_pr_lease then merge",
|
||||
"- Review mutations: none",
|
||||
"- Merge mutations: historical manual seed replaced by sanctioned adoption",
|
||||
"- Cleanup mutations: none",
|
||||
"- External-state mutations: none",
|
||||
"- Read-only diagnostics: metadata check",
|
||||
"- Current status: PR merged",
|
||||
"- Blockers: none",
|
||||
"- Next: none",
|
||||
"- Safety: review and merge are separate roles",
|
||||
"- Selected PR: #203",
|
||||
"- Pinned reviewed head: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Reviewed head SHA: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Final live head SHA before approval: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Final live head SHA before merge: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Push occurred during validation: no",
|
||||
"- Active profile: prgs-merger",
|
||||
"- Role kind: merger",
|
||||
"- Merge capability source: profile",
|
||||
"- Explicit operator authorization: MERGE PR 203",
|
||||
"- Expected head SHA: 0fdc8f582026b72a229d59a172c0a63ac4aaeaf9",
|
||||
"- Approval at current head: yes",
|
||||
"- lease_proof_source: gitea_adopt_merger_pr_lease",
|
||||
"- lease_proof_kind: sanctioned_adoption",
|
||||
"- adoption_comment_id: 8288",
|
||||
"- Merge result: PR merged successfully",
|
||||
"- Cleanup status: complete",
|
||||
]
|
||||
report = "\n".join(lines)
|
||||
result = assess_final_report_validator(report, "merge_pr")
|
||||
self.assertFalse(result["blocked"])
|
||||
codes = {f.get("rule_id") for f in result.get("findings") or []}
|
||||
self.assertNotIn("shared.manual_lease_proof_handoff", codes)
|
||||
|
||||
def test_missing_merger_fields_blocks(self):
|
||||
lines = [
|
||||
"## Controller Handoff",
|
||||
|
||||
@@ -0,0 +1,397 @@
|
||||
"""Head-scoped #332 review-decision locks (#620).
|
||||
|
||||
Proves:
|
||||
* REQUEST_CHANGES on head A does not block mark_ready/submit on head B
|
||||
* APPROVE on head B is allowed after RC on head A (same open PR)
|
||||
* same-head duplicate terminal remains blocked
|
||||
* open-PR cleanup remains forbidden; assessment reports stale_by_head
|
||||
* historical mutations keep their head_sha (preserved ledger)
|
||||
* PR #619-style: old RC at 036b78e…, current head 2429d9d…, approve allowed
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import unittest
|
||||
from unittest.mock import patch
|
||||
|
||||
import mcp_server
|
||||
import stale_review_decision_lock as srdl
|
||||
|
||||
HEAD_A = "036b78e31ea5d036452b3a52e0e086b01e0c763f"
|
||||
HEAD_B = "2429d9d2e826e519eb8eb4ade45987c00838aefb"
|
||||
HEAD_C = "c" * 40
|
||||
|
||||
|
||||
def _lock(mutations=None, correction=False, ready_pr=None, ready_head=None, ready_action=None):
|
||||
return {
|
||||
"task": "review_pr",
|
||||
"remote": "prgs",
|
||||
"org": "Scaled-Tech-Consulting",
|
||||
"repo": "Gitea-Tools",
|
||||
"session_pid": os.getpid(),
|
||||
"session_profile": "prgs-reviewer",
|
||||
"session_profile_lock": "prgs-reviewer",
|
||||
"profile_identity": "prgs-reviewer",
|
||||
"final_review_decision_ready": False,
|
||||
"ready_pr_number": ready_pr,
|
||||
"ready_action": ready_action,
|
||||
"ready_expected_head_sha": ready_head,
|
||||
"ready_remote": "prgs" if ready_pr else None,
|
||||
"ready_org": "Scaled-Tech-Consulting" if ready_pr else None,
|
||||
"ready_repo": "Gitea-Tools" if ready_pr else None,
|
||||
"live_mutations": list(mutations or []),
|
||||
"correction_authorized": correction,
|
||||
"correction_reason": None,
|
||||
}
|
||||
|
||||
|
||||
RC_619_LEGACY = {
|
||||
"pr_number": 619,
|
||||
"action": "request_changes",
|
||||
"review_id": 410,
|
||||
"review_state": "request_changes",
|
||||
# no head_sha — pre-#620 durable ledger shape
|
||||
}
|
||||
RC_619_HEAD_A = {
|
||||
"pr_number": 619,
|
||||
"action": "request_changes",
|
||||
"review_id": 410,
|
||||
"review_state": "request_changes",
|
||||
"head_sha": HEAD_A,
|
||||
}
|
||||
APPROVE_619_HEAD_B = {
|
||||
"pr_number": 619,
|
||||
"action": "approve",
|
||||
"review_id": 411,
|
||||
"review_state": "approve",
|
||||
"head_sha": HEAD_B,
|
||||
}
|
||||
|
||||
|
||||
def _seed(mutations=None, **kwargs):
|
||||
import review_workflow_load
|
||||
|
||||
review_workflow_load.record_review_workflow_load(mcp_server.PROJECT_ROOT)
|
||||
mcp_server._save_review_decision_lock(_lock(mutations, **kwargs))
|
||||
mcp_server.gitea_load_review_workflow()
|
||||
|
||||
|
||||
def _open_pr(pr_number=619, head=HEAD_B):
|
||||
return {
|
||||
"number": pr_number,
|
||||
"state": "open",
|
||||
"merged": False,
|
||||
"merged_at": None,
|
||||
"head": {"sha": head},
|
||||
}
|
||||
|
||||
|
||||
def _no_lease():
|
||||
return {"block": False, "reasons": [], "mutation_allowed": True}
|
||||
|
||||
|
||||
def _feedback(blocking=False, stale=False, success=True):
|
||||
return {
|
||||
"success": success,
|
||||
"has_blocking_change_requests": blocking,
|
||||
"review_feedback_stale": stale,
|
||||
"current_head_sha": HEAD_B,
|
||||
}
|
||||
|
||||
|
||||
class TestPureHeadScopeHelpers(unittest.TestCase):
|
||||
def test_mutation_head_prefers_recorded_sha(self):
|
||||
m = {"pr_number": 1, "head_sha": HEAD_A}
|
||||
self.assertEqual(srdl.mutation_head_sha(m), HEAD_A)
|
||||
|
||||
def test_legacy_mutation_uses_ready_expected_for_same_pr(self):
|
||||
lock = _lock(
|
||||
[RC_619_LEGACY],
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_A,
|
||||
ready_action="request_changes",
|
||||
)
|
||||
self.assertEqual(srdl.mutation_head_sha(RC_619_LEGACY, lock), HEAD_A)
|
||||
|
||||
def test_legacy_mutation_ignores_ready_for_other_pr(self):
|
||||
lock = _lock([RC_619_LEGACY], ready_pr=1, ready_head=HEAD_A)
|
||||
self.assertIsNone(srdl.mutation_head_sha(RC_619_LEGACY, lock))
|
||||
|
||||
def test_prior_blocks_same_head_not_other_head(self):
|
||||
lock = _lock([RC_619_HEAD_A])
|
||||
self.assertTrue(
|
||||
srdl.prior_live_mutations_block_boundary(
|
||||
lock, pr_number=619, expected_head_sha=HEAD_A
|
||||
)
|
||||
)
|
||||
self.assertFalse(
|
||||
srdl.prior_live_mutations_block_boundary(
|
||||
lock, pr_number=619, expected_head_sha=HEAD_B
|
||||
)
|
||||
)
|
||||
|
||||
def test_backfill_stamps_legacy_terminals(self):
|
||||
lock = _lock(
|
||||
[dict(RC_619_LEGACY)],
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_A,
|
||||
ready_action="request_changes",
|
||||
)
|
||||
srdl.backfill_terminal_heads_from_ready(lock)
|
||||
self.assertEqual(lock["live_mutations"][0]["head_sha"], HEAD_A)
|
||||
|
||||
|
||||
class TestHardStopHeadScope(unittest.TestCase):
|
||||
def tearDown(self):
|
||||
mcp_server._save_review_decision_lock(None)
|
||||
mcp_server.review_workflow_load.clear_review_workflow_load()
|
||||
|
||||
def test_rc_head_a_allows_mark_ready_head_b(self):
|
||||
_seed(
|
||||
[RC_619_HEAD_A],
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_A,
|
||||
ready_action="request_changes",
|
||||
)
|
||||
self.assertEqual(
|
||||
mcp_server.terminal_review_hard_stop_reasons(
|
||||
619, "mark_ready", expected_head_sha=HEAD_B
|
||||
),
|
||||
[],
|
||||
)
|
||||
|
||||
def test_rc_head_a_blocks_mark_ready_same_head(self):
|
||||
_seed(
|
||||
[RC_619_HEAD_A],
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_A,
|
||||
ready_action="request_changes",
|
||||
)
|
||||
reasons = mcp_server.terminal_review_hard_stop_reasons(
|
||||
619, "mark_ready", expected_head_sha=HEAD_A
|
||||
)
|
||||
self.assertTrue(reasons)
|
||||
self.assertIn("#332", reasons[0])
|
||||
|
||||
def test_rc_head_a_blocks_other_pr(self):
|
||||
_seed([RC_619_HEAD_A], ready_pr=619, ready_head=HEAD_A)
|
||||
reasons = mcp_server.terminal_review_hard_stop_reasons(
|
||||
700, "mark_ready", expected_head_sha=HEAD_B
|
||||
)
|
||||
self.assertTrue(reasons)
|
||||
|
||||
def test_legacy_619_ledger_allows_new_head(self):
|
||||
"""PR #619-style durable lock without mutation head_sha."""
|
||||
_seed(
|
||||
[RC_619_LEGACY],
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_A,
|
||||
ready_action="request_changes",
|
||||
)
|
||||
self.assertEqual(
|
||||
mcp_server.terminal_review_hard_stop_reasons(
|
||||
619, "mark_ready", expected_head_sha=HEAD_B
|
||||
),
|
||||
[],
|
||||
)
|
||||
|
||||
|
||||
class TestMarkFinalAndRecord(unittest.TestCase):
|
||||
def tearDown(self):
|
||||
mcp_server._save_review_decision_lock(None)
|
||||
mcp_server.review_workflow_load.clear_review_workflow_load()
|
||||
|
||||
def _mark(self, pr, action, head, feedback=None):
|
||||
with patch("mcp_server._list_pr_lease_comments", return_value=[]), patch(
|
||||
"mcp_server._pr_work_lease_reviewer_block", return_value=_no_lease()
|
||||
), patch.object(
|
||||
mcp_server,
|
||||
"gitea_get_pr_review_feedback",
|
||||
return_value=feedback or _feedback(blocking=False, stale=True),
|
||||
), patch.object(
|
||||
mcp_server,
|
||||
"gitea_check_pr_eligibility",
|
||||
return_value={"eligible": True, "head_sha": head},
|
||||
):
|
||||
return mcp_server.gitea_mark_final_review_decision(
|
||||
pr_number=pr,
|
||||
action=action,
|
||||
expected_head_sha=head,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
)
|
||||
|
||||
def test_rc_then_rc_on_new_head(self):
|
||||
_seed(
|
||||
[RC_619_HEAD_A],
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_A,
|
||||
ready_action="request_changes",
|
||||
)
|
||||
# Prior RC at head A is unresolved but head moved → feedback stale.
|
||||
res = self._mark(
|
||||
619,
|
||||
"request_changes",
|
||||
HEAD_B,
|
||||
feedback=_feedback(blocking=True, stale=True),
|
||||
)
|
||||
self.assertTrue(res.get("marked_ready"), res)
|
||||
lock = mcp_server._load_review_decision_lock()
|
||||
# Historical head A preserved on mutation after backfill.
|
||||
heads = {
|
||||
m.get("head_sha")
|
||||
for m in lock["live_mutations"]
|
||||
if m.get("action") == "request_changes"
|
||||
}
|
||||
self.assertIn(HEAD_A, heads)
|
||||
self.assertEqual(lock["ready_expected_head_sha"], HEAD_B)
|
||||
|
||||
def test_rc_then_approve_on_new_head(self):
|
||||
_seed(
|
||||
[RC_619_HEAD_A],
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_A,
|
||||
ready_action="request_changes",
|
||||
)
|
||||
res = self._mark(619, "approve", HEAD_B)
|
||||
self.assertTrue(res.get("marked_ready"), res)
|
||||
self.assertTrue(res.get("head_scoped"))
|
||||
|
||||
def test_same_head_rc_still_blocked_by_hard_stop(self):
|
||||
_seed(
|
||||
[RC_619_HEAD_A],
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_A,
|
||||
ready_action="request_changes",
|
||||
)
|
||||
res = self._mark(619, "approve", HEAD_A)
|
||||
self.assertFalse(res.get("marked_ready"))
|
||||
self.assertTrue(any("#332" in r for r in res.get("reasons") or []))
|
||||
|
||||
def test_pr619_style_legacy_lock_approve_on_current_head(self):
|
||||
_seed(
|
||||
[RC_619_LEGACY],
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_A,
|
||||
ready_action="request_changes",
|
||||
)
|
||||
res = self._mark(619, "approve", HEAD_B)
|
||||
self.assertTrue(res.get("marked_ready"), res)
|
||||
lock = mcp_server._load_review_decision_lock()
|
||||
# Backfill should have stamped HEAD_A onto the legacy mutation.
|
||||
self.assertEqual(lock["live_mutations"][0].get("head_sha"), HEAD_A)
|
||||
self.assertEqual(lock["ready_expected_head_sha"], HEAD_B)
|
||||
|
||||
def test_record_live_mutation_stores_head(self):
|
||||
_seed(ready_pr=619, ready_head=HEAD_B, ready_action="approve")
|
||||
lock = mcp_server._load_review_decision_lock()
|
||||
lock["final_review_decision_ready"] = True
|
||||
lock["ready_pr_number"] = 619
|
||||
lock["ready_expected_head_sha"] = HEAD_B
|
||||
mcp_server._save_review_decision_lock(lock)
|
||||
mcp_server.record_live_review_mutation(619, "approve", review_id=99)
|
||||
stored = mcp_server._load_review_decision_lock()["live_mutations"][-1]
|
||||
self.assertEqual(stored["head_sha"], HEAD_B)
|
||||
self.assertEqual(stored["pr_number"], 619)
|
||||
|
||||
def test_submit_gate_allows_new_head_after_prior_terminal(self):
|
||||
"""check_review_decision_gate must not block different-head submit."""
|
||||
mutations = [RC_619_HEAD_A]
|
||||
_seed(
|
||||
mutations,
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_B,
|
||||
ready_action="approve",
|
||||
)
|
||||
lock = mcp_server._load_review_decision_lock()
|
||||
lock["final_review_decision_ready"] = True
|
||||
lock["ready_pr_number"] = 619
|
||||
lock["ready_action"] = "approve"
|
||||
lock["ready_expected_head_sha"] = HEAD_B
|
||||
lock["ready_remote"] = "prgs"
|
||||
lock["ready_org"] = "Scaled-Tech-Consulting"
|
||||
lock["ready_repo"] = "Gitea-Tools"
|
||||
mcp_server._save_review_decision_lock(lock)
|
||||
reasons = mcp_server.check_review_decision_gate(
|
||||
619,
|
||||
"approve",
|
||||
final_review_decision_ready=True,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
)
|
||||
self.assertEqual(reasons, [], reasons)
|
||||
|
||||
def test_submit_gate_blocks_same_head_duplicate(self):
|
||||
mutations = [RC_619_HEAD_A]
|
||||
_seed(
|
||||
mutations,
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_A,
|
||||
ready_action="request_changes",
|
||||
)
|
||||
lock = mcp_server._load_review_decision_lock()
|
||||
lock["final_review_decision_ready"] = True
|
||||
lock["ready_pr_number"] = 619
|
||||
lock["ready_action"] = "request_changes"
|
||||
lock["ready_expected_head_sha"] = HEAD_A
|
||||
lock["ready_remote"] = "prgs"
|
||||
lock["ready_org"] = "Scaled-Tech-Consulting"
|
||||
lock["ready_repo"] = "Gitea-Tools"
|
||||
mcp_server._save_review_decision_lock(lock)
|
||||
reasons = mcp_server.check_review_decision_gate(
|
||||
619,
|
||||
"request_changes",
|
||||
final_review_decision_ready=True,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
)
|
||||
self.assertTrue(reasons)
|
||||
|
||||
|
||||
class TestAssessmentOpenPrHead(unittest.TestCase):
|
||||
def test_open_pr_stale_by_head_no_cleanup(self):
|
||||
lock = _lock(
|
||||
[RC_619_HEAD_A],
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_A,
|
||||
ready_action="request_changes",
|
||||
)
|
||||
a = srdl.assess_stale_review_decision_lock(
|
||||
lock, pr_live=_open_pr(619, HEAD_B)
|
||||
)
|
||||
self.assertTrue(a["has_lock"])
|
||||
self.assertFalse(a["is_moot"])
|
||||
self.assertFalse(a["cleanup_allowed"])
|
||||
self.assertTrue(a["stale_by_head"])
|
||||
self.assertTrue(a["fresh_review_on_current_head_allowed"])
|
||||
self.assertEqual(a["locked_head_sha"], HEAD_A)
|
||||
self.assertEqual(a["current_pr_head_sha"], HEAD_B)
|
||||
|
||||
def test_open_pr_same_head_no_fresh(self):
|
||||
lock = _lock([RC_619_HEAD_A], ready_pr=619, ready_head=HEAD_A)
|
||||
a = srdl.assess_stale_review_decision_lock(
|
||||
lock, pr_live=_open_pr(619, HEAD_A)
|
||||
)
|
||||
self.assertFalse(a["stale_by_head"])
|
||||
self.assertFalse(a["fresh_review_on_current_head_allowed"])
|
||||
self.assertFalse(a["cleanup_allowed"])
|
||||
|
||||
def test_historical_mutation_preserved_in_summary(self):
|
||||
lock = _lock(
|
||||
[RC_619_HEAD_A, APPROVE_619_HEAD_B],
|
||||
ready_pr=619,
|
||||
ready_head=HEAD_B,
|
||||
ready_action="approve",
|
||||
)
|
||||
summary = srdl.lock_summary(lock)
|
||||
self.assertEqual(summary["live_mutations_count"], 2)
|
||||
self.assertEqual(summary["last_terminal"]["head_sha"], HEAD_B)
|
||||
self.assertEqual(summary["locked_head_sha"], HEAD_B)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -0,0 +1,345 @@
|
||||
"""Tests for observability incident bridge (#612) on #613 substrate."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import json
|
||||
import os
|
||||
import tempfile
|
||||
import unittest
|
||||
|
||||
from control_plane_db import ControlPlaneDB, InvalidWorkKindError, WORK_KINDS
|
||||
from incident_bridge import (
|
||||
OUTCOME_BLOCKED,
|
||||
OUTCOME_CREATED,
|
||||
OUTCOME_LINKED,
|
||||
OUTCOME_PREVIEW,
|
||||
OUTCOME_UPDATED,
|
||||
ProjectMapping,
|
||||
assert_not_raw_incident_work_item,
|
||||
build_gitea_issue_body,
|
||||
load_project_mappings,
|
||||
normalize_incident,
|
||||
project_mapping_from_dict,
|
||||
reconcile_incident,
|
||||
redact_text,
|
||||
sanitize_tags,
|
||||
)
|
||||
|
||||
|
||||
def _mapping(**kwargs) -> ProjectMapping:
|
||||
base = dict(
|
||||
name="gitea-tools-mcp",
|
||||
provider="sentry",
|
||||
monitor_base_url="https://sentry.prgs.cc",
|
||||
monitor_org="prgs",
|
||||
monitor_project="gitea-tools-mcp",
|
||||
gitea_org="Scaled-Tech-Consulting",
|
||||
gitea_repo="Gitea-Tools",
|
||||
default_labels=("type:bug", "observability", "sentry", "status:ready"),
|
||||
)
|
||||
base.update(kwargs)
|
||||
return ProjectMapping(**base)
|
||||
|
||||
|
||||
def _obs(**kwargs) -> dict:
|
||||
base = dict(
|
||||
provider="sentry",
|
||||
provider_base_url="https://sentry.prgs.cc",
|
||||
provider_org="prgs",
|
||||
provider_project="gitea-tools-mcp",
|
||||
provider_issue_id="ISSUE-100",
|
||||
provider_short_id="GITEA-TOOLS-1A",
|
||||
provider_permalink="https://sentry.prgs.cc/organizations/prgs/issues/100/",
|
||||
fingerprint="fp-abc",
|
||||
title="TypeError: boom",
|
||||
summary="TypeError: boom in handle_request",
|
||||
first_seen="2026-07-01T00:00:00Z",
|
||||
last_seen="2026-07-10T00:00:00Z",
|
||||
event_count=3,
|
||||
environment="production",
|
||||
severity="error",
|
||||
culprit="handle_request",
|
||||
tags={"runtime": "python", "release": "1.2.3"},
|
||||
)
|
||||
base.update(kwargs)
|
||||
return base
|
||||
|
||||
|
||||
class IncidentBridgeTest(unittest.TestCase):
|
||||
def setUp(self) -> None:
|
||||
self._tmp = tempfile.TemporaryDirectory()
|
||||
self.db = ControlPlaneDB(os.path.join(self._tmp.name, "cp.sqlite3"))
|
||||
self.mapping = _mapping()
|
||||
self.created: list[dict] = []
|
||||
|
||||
def tearDown(self) -> None:
|
||||
self._tmp.cleanup()
|
||||
|
||||
def _create_issue(self, title, body, labels, g_org, g_repo):
|
||||
n = 9000 + len(self.created)
|
||||
rec = {
|
||||
"number": n,
|
||||
"success": True,
|
||||
"performed": True,
|
||||
"title": title,
|
||||
"body": body,
|
||||
"labels": labels,
|
||||
"org": g_org,
|
||||
"repo": g_repo,
|
||||
}
|
||||
self.created.append(rec)
|
||||
return rec
|
||||
|
||||
def test_redact_secrets(self) -> None:
|
||||
dirty = "token=supersecret123 Authorization: Bearer abcdefghijklmnop"
|
||||
clean = redact_text(dirty)
|
||||
self.assertNotIn("supersecret", clean)
|
||||
self.assertNotIn("abcdefghijklmnop", clean)
|
||||
self.assertIn("[REDACTED]", clean)
|
||||
tags = sanitize_tags(
|
||||
{"token": "x", "runtime": "py", "password": "nope", "release": "1.0"}
|
||||
)
|
||||
self.assertEqual(tags, {"runtime": "py", "release": "1.0"})
|
||||
|
||||
def test_body_contains_no_secrets(self) -> None:
|
||||
inc = normalize_incident(
|
||||
_obs(
|
||||
summary="fail password=hunter2 token: abc",
|
||||
tags={"cookie": "sid=1", "runtime": "py"},
|
||||
),
|
||||
self.mapping,
|
||||
)
|
||||
body = build_gitea_issue_body(inc)
|
||||
self.assertNotIn("hunter2", body)
|
||||
self.assertNotIn("sid=1", body)
|
||||
self.assertIn("provider_issue_id", body)
|
||||
self.assertIn("not** assignable", body.lower())
|
||||
|
||||
def test_preview_no_mutation(self) -> None:
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(),
|
||||
mapping=self.mapping,
|
||||
apply=False,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertTrue(res["success"])
|
||||
self.assertEqual(res["outcome"], OUTCOME_PREVIEW)
|
||||
self.assertFalse(res["gitea_mutated"])
|
||||
self.assertFalse(res["db_mutated"])
|
||||
self.assertFalse(res["raw_incident_assignable"])
|
||||
self.assertEqual(len(self.created), 0)
|
||||
self.assertIsNone(
|
||||
self.db.get_incident_link_by_provider(
|
||||
provider="sentry",
|
||||
provider_issue_id="ISSUE-100",
|
||||
provider_base_url="https://sentry.prgs.cc",
|
||||
provider_org="prgs",
|
||||
provider_project="gitea-tools-mcp",
|
||||
)
|
||||
)
|
||||
|
||||
def test_apply_creates_issue_and_link(self) -> None:
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertTrue(res["success"])
|
||||
self.assertEqual(res["outcome"], OUTCOME_CREATED)
|
||||
self.assertTrue(res["gitea_mutated"])
|
||||
self.assertTrue(res["db_mutated"])
|
||||
self.assertEqual(len(self.created), 1)
|
||||
self.assertEqual(res["gitea_issue"]["number"], self.created[0]["number"])
|
||||
link = self.db.get_incident_link_by_provider(
|
||||
provider="sentry",
|
||||
provider_issue_id="ISSUE-100",
|
||||
provider_base_url="https://sentry.prgs.cc",
|
||||
provider_org="prgs",
|
||||
provider_project="gitea-tools-mcp",
|
||||
)
|
||||
self.assertIsNotNone(link)
|
||||
self.assertEqual(int(link["gitea_issue_number"]), self.created[0]["number"])
|
||||
self.assertEqual(res["allocator_visible_as"]["kind"], "issue")
|
||||
|
||||
def test_duplicate_observation_reuses_issue(self) -> None:
|
||||
first = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
second = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(event_count=9, last_seen="2026-07-11T00:00:00Z"),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertEqual(first["outcome"], OUTCOME_CREATED)
|
||||
self.assertEqual(second["outcome"], OUTCOME_UPDATED)
|
||||
self.assertEqual(len(self.created), 1)
|
||||
self.assertEqual(
|
||||
second["gitea_issue"]["number"], first["gitea_issue"]["number"]
|
||||
)
|
||||
link = self.db.get_incident_link_by_provider(
|
||||
provider="sentry",
|
||||
provider_issue_id="ISSUE-100",
|
||||
provider_base_url="https://sentry.prgs.cc",
|
||||
provider_org="prgs",
|
||||
provider_project="gitea-tools-mcp",
|
||||
)
|
||||
self.assertEqual(int(link["event_count"]), 9)
|
||||
|
||||
def test_explicit_link_existing_issue(self) -> None:
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(provider_issue_id="ISSUE-200"),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
force_gitea_issue_number=555,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_LINKED)
|
||||
self.assertEqual(len(self.created), 0)
|
||||
self.assertEqual(res["gitea_issue"]["number"], 555)
|
||||
link = self.db.get_incident_link_for_gitea_issue(
|
||||
gitea_org="Scaled-Tech-Consulting",
|
||||
gitea_repo="Gitea-Tools",
|
||||
gitea_issue_number=555,
|
||||
)
|
||||
self.assertIsNotNone(link)
|
||||
|
||||
def test_fingerprint_conflict_fails_closed(self) -> None:
|
||||
reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(fingerprint="fp-a"),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(fingerprint="fp-b"),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_BLOCKED)
|
||||
self.assertIn("fingerprint conflict", res["reasons"][0].lower())
|
||||
self.assertEqual(len(self.created), 1)
|
||||
|
||||
def test_ambiguous_mapping_fails_closed(self) -> None:
|
||||
maps = [
|
||||
_mapping(name="a", monitor_project="gitea-tools-mcp"),
|
||||
_mapping(name="b", monitor_project="gitea-tools-mcp"),
|
||||
]
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(),
|
||||
mappings=maps,
|
||||
apply=False,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_BLOCKED)
|
||||
self.assertIn("ambiguous", res["reasons"][0].lower())
|
||||
|
||||
def test_missing_provider_issue_id_fails_closed(self) -> None:
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(provider_issue_id=""),
|
||||
mapping=self.mapping,
|
||||
apply=False,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_BLOCKED)
|
||||
|
||||
def test_raw_incident_not_work_kind(self) -> None:
|
||||
self.assertNotIn("sentry_incident", WORK_KINDS)
|
||||
with self.assertRaises(InvalidWorkKindError):
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="sentry_incident",
|
||||
number=1,
|
||||
)
|
||||
with self.assertRaises(Exception):
|
||||
assert_not_raw_incident_work_item("glitchtip_incident")
|
||||
|
||||
def test_db_unavailable(self) -> None:
|
||||
res = reconcile_incident(
|
||||
None,
|
||||
observation=_obs(),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertFalse(res["success"])
|
||||
self.assertEqual(res["outcome"], OUTCOME_BLOCKED)
|
||||
|
||||
def test_structured_skip_reason_environment(self) -> None:
|
||||
m = _mapping(environment_filters=("staging",))
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(environment="production"),
|
||||
mapping=m,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertTrue(res["success"])
|
||||
self.assertEqual(res["action"], "skip_environment_filter")
|
||||
self.assertEqual(len(self.created), 0)
|
||||
|
||||
def test_load_mappings_json(self) -> None:
|
||||
payload = json.dumps(
|
||||
{
|
||||
"projects": [
|
||||
{
|
||||
"name": "gt",
|
||||
"provider": "glitchtip",
|
||||
"monitor_base_url": "https://glitchtip.example",
|
||||
"monitor_org": "org",
|
||||
"monitor_project": "proj",
|
||||
"gitea_org": "Scaled-Tech-Consulting",
|
||||
"gitea_repo": "Gitea-Tools",
|
||||
}
|
||||
]
|
||||
}
|
||||
)
|
||||
maps = load_project_mappings(mappings_json=payload)
|
||||
self.assertEqual(len(maps), 1)
|
||||
self.assertEqual(maps[0].provider, "glitchtip")
|
||||
|
||||
def test_glitchtip_provider_accepted(self) -> None:
|
||||
m = _mapping(provider="glitchtip", monitor_base_url="https://glitchtip.example")
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(
|
||||
provider="glitchtip",
|
||||
provider_base_url="https://glitchtip.example",
|
||||
),
|
||||
mapping=m,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_CREATED)
|
||||
self.assertEqual(res["incident"]["provider"], "glitchtip")
|
||||
|
||||
def test_allocator_only_sees_issue_kind(self) -> None:
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
vis = res["allocator_visible_as"]
|
||||
self.assertEqual(vis["kind"], "issue")
|
||||
self.assertIn(vis["kind"], WORK_KINDS)
|
||||
self.assertFalse(res["raw_incident_assignable"])
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -25,7 +25,11 @@ import gitea_mcp_server as srv # noqa: E402
|
||||
import root_checkout_guard as rcg # noqa: E402
|
||||
|
||||
FAKE_AUTH = "token test"
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
MASTER_SHA = "a" * 40
|
||||
OTHER_SHA = "b" * 40
|
||||
|
||||
|
||||
@@ -10,7 +10,11 @@ import gitea_mcp_server as srv
|
||||
|
||||
|
||||
FAKE_AUTH = {"Authorization": "token test-token"}
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
|
||||
|
||||
class TestIssueCommentWorkspaceGuard(unittest.TestCase):
|
||||
|
||||
@@ -0,0 +1,195 @@
|
||||
"""Tests for the pre-create issue content gate (Issue #582)."""
|
||||
import sys
|
||||
import unittest
|
||||
from unittest.mock import patch
|
||||
|
||||
sys.path.insert(0, str(__import__("pathlib").Path(__file__).resolve().parent.parent))
|
||||
|
||||
from issue_content_gate import ( # noqa: E402
|
||||
assess_issue_content,
|
||||
find_vague_reference,
|
||||
has_durable_source_pointer,
|
||||
normalize_text,
|
||||
pre_create_issue_content_gate,
|
||||
)
|
||||
from mcp_server import gitea_create_issue # noqa: E402
|
||||
|
||||
FAKE_AUTH = "Basic dGVzdDp0ZXN0"
|
||||
ISSUE_WRITE_ENV = {
|
||||
"GITEA_ALLOWED_OPERATIONS": "gitea.issue.create",
|
||||
}
|
||||
|
||||
|
||||
class TestNormalizeAndPointers(unittest.TestCase):
|
||||
|
||||
def test_normalize_strips_punctuation_and_case(self):
|
||||
self.assertEqual(normalize_text(" The Drafted-Issue! "), "the drafted issue")
|
||||
|
||||
def test_issue_ref_is_durable_pointer(self):
|
||||
self.assertTrue(has_durable_source_pointer("See #402 for the spec"))
|
||||
|
||||
def test_file_path_is_durable_pointer(self):
|
||||
self.assertTrue(has_durable_source_pointer("Draft in task_capability_map.py"))
|
||||
|
||||
def test_scratchpad_is_durable_pointer(self):
|
||||
self.assertTrue(has_durable_source_pointer("Full text in scratchpad/draft.md"))
|
||||
|
||||
def test_url_is_durable_pointer(self):
|
||||
self.assertTrue(
|
||||
has_durable_source_pointer("https://gitea.prgs.cc/issues/1 has it")
|
||||
)
|
||||
|
||||
def test_plain_text_has_no_durable_pointer(self):
|
||||
self.assertFalse(has_durable_source_pointer("just some words here"))
|
||||
|
||||
|
||||
class TestFindVagueReference(unittest.TestCase):
|
||||
|
||||
def test_bare_vague_phrases_are_flagged(self):
|
||||
for text in (
|
||||
"the drafted issue",
|
||||
"The prepared issue",
|
||||
"the issue we discussed",
|
||||
"the previous draft",
|
||||
"Create the drafted issue",
|
||||
"please file the prepared issue",
|
||||
):
|
||||
with self.subTest(text=text):
|
||||
self.assertIsNotNone(find_vague_reference(text))
|
||||
|
||||
def test_durable_pointer_defeats_vague_reference(self):
|
||||
# Same vague phrase but with a durable pointer -> not vague.
|
||||
self.assertIsNone(find_vague_reference("the drafted issue in #402"))
|
||||
self.assertIsNone(
|
||||
find_vague_reference("the prepared issue: see scratchpad/draft.md")
|
||||
)
|
||||
|
||||
def test_long_specific_body_with_incidental_phrase_is_not_vague(self):
|
||||
body = (
|
||||
"As discussed, the create_issue tool must reject vague references. "
|
||||
"Add a preflight check that lists the exact missing fields and "
|
||||
"returns BLOCKED + DIAGNOSE with concrete acceptance criteria."
|
||||
)
|
||||
self.assertIsNone(find_vague_reference(body))
|
||||
|
||||
def test_concrete_short_body_is_not_vague(self):
|
||||
self.assertIsNone(find_vague_reference("Fix null deref in auth handler"))
|
||||
|
||||
def test_empty_is_not_vague(self):
|
||||
self.assertIsNone(find_vague_reference(""))
|
||||
|
||||
|
||||
class TestAssessIssueContent(unittest.TestCase):
|
||||
|
||||
def test_missing_title_is_incomplete(self):
|
||||
result = assess_issue_content("", "some body")
|
||||
self.assertFalse(result["complete"])
|
||||
self.assertIn("title", result["missing_fields"])
|
||||
|
||||
def test_vague_body_is_incomplete_and_diagnosed(self):
|
||||
result = assess_issue_content("Add the thing", "the drafted issue")
|
||||
self.assertFalse(result["complete"])
|
||||
self.assertIn("body", result["vague_fields"])
|
||||
self.assertIn("vague reference", result["diagnose"])
|
||||
|
||||
def test_vague_title_is_incomplete(self):
|
||||
result = assess_issue_content("the prepared issue", "")
|
||||
self.assertFalse(result["complete"])
|
||||
self.assertIn("title", result["vague_fields"])
|
||||
|
||||
def test_complete_content_passes(self):
|
||||
result = assess_issue_content(
|
||||
"Block vague issue creation",
|
||||
"Add a preflight gate that rejects placeholder references.",
|
||||
)
|
||||
self.assertTrue(result["complete"])
|
||||
self.assertEqual(result["missing_fields"], [])
|
||||
self.assertEqual(result["vague_fields"], [])
|
||||
|
||||
def test_title_only_is_allowed(self):
|
||||
# Empty body must NOT block: title-only creation stays allowed.
|
||||
result = assess_issue_content("A concrete specific title", "")
|
||||
self.assertTrue(result["complete"])
|
||||
|
||||
def test_durable_pointer_body_passes(self):
|
||||
result = assess_issue_content(
|
||||
"Implement the drafted change",
|
||||
"the drafted issue is fully specified in #582",
|
||||
)
|
||||
self.assertTrue(result["complete"])
|
||||
|
||||
def test_allow_incomplete_override(self):
|
||||
result = assess_issue_content(
|
||||
"the drafted issue", "the drafted issue", allow_incomplete=True
|
||||
)
|
||||
self.assertTrue(result["complete"])
|
||||
self.assertTrue(result["override_applied"])
|
||||
|
||||
def test_gate_wrapper_sets_performed(self):
|
||||
blocked = pre_create_issue_content_gate("Add x", "the drafted issue")
|
||||
self.assertFalse(blocked["performed"])
|
||||
ok = pre_create_issue_content_gate("Add x", "concrete actionable body")
|
||||
self.assertTrue(ok["performed"])
|
||||
|
||||
|
||||
class TestCreateIssueContentMCPGate(unittest.TestCase):
|
||||
|
||||
@patch("mcp_server.role_session_router.check_author_mutation_after_reviewer_stop")
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_blocks_vague_reference_without_creating(
|
||||
self, _auth, mock_get_all, mock_api, mock_role_check
|
||||
):
|
||||
mock_role_check.return_value = (True, [])
|
||||
with patch.dict(__import__("os").environ, ISSUE_WRITE_ENV, clear=True):
|
||||
result = gitea_create_issue(
|
||||
title="Create the drafted issue",
|
||||
body="the drafted issue",
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertFalse(result["performed"])
|
||||
self.assertIn("content_gate", result)
|
||||
self.assertIn("body", result["content_gate"]["vague_fields"])
|
||||
self.assertTrue(any("BLOCKED + DIAGNOSE" in r for r in result["reasons"]))
|
||||
mock_api.assert_not_called()
|
||||
mock_get_all.assert_not_called()
|
||||
|
||||
@patch("mcp_server.role_session_router.check_author_mutation_after_reviewer_stop")
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all", return_value=[])
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_creates_when_content_is_concrete(
|
||||
self, _auth, _get_all, mock_api, mock_role_check
|
||||
):
|
||||
mock_role_check.return_value = (True, [])
|
||||
mock_api.return_value = {"number": 7, "html_url": "https://x/issues/7"}
|
||||
with patch.dict(__import__("os").environ, ISSUE_WRITE_ENV, clear=True):
|
||||
result = gitea_create_issue(
|
||||
title="Block vague issue creation",
|
||||
body="Add a preflight gate rejecting placeholder references.",
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertEqual(result["number"], 7)
|
||||
|
||||
@patch("mcp_server.role_session_router.check_author_mutation_after_reviewer_stop")
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all", return_value=[])
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_override_creates_despite_vague_content(
|
||||
self, _auth, _get_all, mock_api, mock_role_check
|
||||
):
|
||||
mock_role_check.return_value = (True, [])
|
||||
mock_api.return_value = {"number": 8, "html_url": "https://x/issues/8"}
|
||||
with patch.dict(__import__("os").environ, ISSUE_WRITE_ENV, clear=True):
|
||||
result = gitea_create_issue(
|
||||
title="the drafted issue",
|
||||
body="the drafted issue",
|
||||
remote="prgs",
|
||||
allow_incomplete_content=True,
|
||||
)
|
||||
self.assertEqual(result["number"], 8)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -103,20 +103,40 @@ class TestIssueLockStore(unittest.TestCase):
|
||||
self.assertIn("live foreign issue lock", block or "")
|
||||
|
||||
def test_expired_lease_allows_takeover_with_conflict_check(self):
|
||||
# #601: expired + dead pid / missing worktree → sanctioned reclaim (no block).
|
||||
existing = _lock_record(
|
||||
branch_name="feat/issue-420-other",
|
||||
worktree_path="/tmp/other",
|
||||
worktree_path="/tmp/other-does-not-exist-420",
|
||||
session_pid=1,
|
||||
work_lease=_lease("2000-01-01T00:00:00Z"),
|
||||
)
|
||||
incoming = _lock_record(worktree_path="/tmp/mine")
|
||||
self.assertIsNone(ils.assess_foreign_lock_overwrite(existing, incoming))
|
||||
block = ils.assess_same_issue_lease_conflict(
|
||||
existing,
|
||||
issue_number=420,
|
||||
branch_name="feat/issue-420-server-code-parity",
|
||||
worktree_path="/tmp/mine",
|
||||
with mock.patch.object(ils, "is_process_alive", return_value=False):
|
||||
block = ils.assess_same_issue_lease_conflict(
|
||||
existing,
|
||||
issue_number=420,
|
||||
branch_name="feat/issue-420-server-code-parity",
|
||||
worktree_path="/tmp/mine",
|
||||
)
|
||||
self.assertIsNone(block)
|
||||
|
||||
# Expired but still-live owner pid AND present worktree → fail closed.
|
||||
present_wt = self.lock_dir # exists
|
||||
sticky = _lock_record(
|
||||
branch_name="feat/issue-420-other",
|
||||
worktree_path=present_wt,
|
||||
session_pid=os.getpid(),
|
||||
work_lease=_lease("2000-01-01T00:00:00Z"),
|
||||
)
|
||||
self.assertIn("Recovery review is required", block or "")
|
||||
with mock.patch.object(ils, "is_process_alive", return_value=True):
|
||||
blocked = ils.assess_same_issue_lease_conflict(
|
||||
sticky,
|
||||
issue_number=420,
|
||||
branch_name="feat/issue-420-server-code-parity",
|
||||
worktree_path="/tmp/mine",
|
||||
)
|
||||
self.assertIn("Recovery review is required", blocked or "")
|
||||
|
||||
def test_same_owner_lease_conflict_allows_refresh(self):
|
||||
worktree = "/tmp/wt-420"
|
||||
|
||||
@@ -69,5 +69,139 @@ class TestIssueWorkflowStatusTransitions(unittest.TestCase):
|
||||
self.assertEqual(result, ["type:process", "status:duplicate"])
|
||||
|
||||
|
||||
class TestLifecycleRoleLabels(unittest.TestCase):
|
||||
def test_role_transition_author_to_reviewer_to_merger_single_active(self):
|
||||
after_author = labels.transition_role_labels(
|
||||
["type:feature", "status:pr-open"], "author"
|
||||
)
|
||||
self.assertEqual(after_author, ["type:feature", "status:pr-open", "role:author"])
|
||||
|
||||
after_reviewer = labels.transition_role_labels(after_author, "reviewer")
|
||||
self.assertEqual(
|
||||
after_reviewer, ["type:feature", "status:pr-open", "role:reviewer"]
|
||||
)
|
||||
self.assertNotIn("role:author", after_reviewer)
|
||||
|
||||
after_merger = labels.transition_role_labels(after_reviewer, "merger")
|
||||
self.assertEqual(labels.role_labels(after_merger), ["role:merger"])
|
||||
|
||||
def test_role_transition_accepts_canonical_label(self):
|
||||
result = labels.transition_role_labels(["type:bug"], "role:reviewer")
|
||||
self.assertEqual(result, ["type:bug", "role:reviewer"])
|
||||
|
||||
def test_unknown_role_raises(self):
|
||||
with self.assertRaises(ValueError):
|
||||
labels.canonical_role_label("wizard")
|
||||
|
||||
def test_assess_reports_multiple_active_role_labels(self):
|
||||
result = labels.assess_issue_labels(
|
||||
["type:feature", "status:pr-open", "role:author", "role:reviewer"]
|
||||
)
|
||||
self.assertFalse(result["valid"])
|
||||
self.assertTrue(
|
||||
any("multiple active role:* labels" in err for err in result["errors"])
|
||||
)
|
||||
self.assertEqual(
|
||||
sorted(result["role_labels"]), ["role:author", "role:reviewer"]
|
||||
)
|
||||
|
||||
|
||||
class TestLifecycleHazardLabels(unittest.TestCase):
|
||||
def test_hazards_are_additive_and_multiple(self):
|
||||
one = labels.add_hazard_label(["type:bug", "status:blocked"], "conflicted")
|
||||
two = labels.add_hazard_label(one, "stale-lease")
|
||||
self.assertIn("hazard:conflicted", two)
|
||||
self.assertIn("hazard:stale-lease", two)
|
||||
# status/type untouched
|
||||
self.assertIn("status:blocked", two)
|
||||
self.assertIn("type:bug", two)
|
||||
self.assertEqual(len(labels.hazard_labels(two)), 2)
|
||||
|
||||
def test_add_hazard_is_idempotent(self):
|
||||
once = labels.add_hazard_label(["type:bug", "status:ready"], "root-mutation")
|
||||
twice = labels.add_hazard_label(once, "root_mutation")
|
||||
self.assertEqual(twice.count("hazard:root-mutation"), 1)
|
||||
|
||||
def test_clear_hazard_leaves_others_intact(self):
|
||||
start = ["type:bug", "status:blocked", "hazard:conflicted", "hazard:stale-lease"]
|
||||
cleared = labels.clear_hazard_label(start, "conflicted")
|
||||
self.assertNotIn("hazard:conflicted", cleared)
|
||||
self.assertIn("hazard:stale-lease", cleared)
|
||||
self.assertIn("status:blocked", cleared)
|
||||
|
||||
def test_terminal_blocker_hazard_normalizes(self):
|
||||
self.assertEqual(
|
||||
labels.canonical_hazard_label("terminal-blocker"),
|
||||
"hazard:terminal-blocker",
|
||||
)
|
||||
|
||||
def test_assess_surfaces_hazard_labels(self):
|
||||
result = labels.assess_issue_labels(
|
||||
["type:bug", "status:blocked", "hazard:conflicted"]
|
||||
)
|
||||
self.assertEqual(result["hazard_labels"], ["hazard:conflicted"])
|
||||
|
||||
|
||||
class TestDiscussionExclusion(unittest.TestCase):
|
||||
def test_discussion_issue_excluded_from_implementation_queue(self):
|
||||
self.assertTrue(labels.is_discussion(["type:discussion", "status:ready"]))
|
||||
self.assertFalse(
|
||||
labels.is_implementation_candidate(["type:discussion", "status:ready"])
|
||||
)
|
||||
|
||||
def test_non_discussion_issue_is_candidate(self):
|
||||
self.assertTrue(
|
||||
labels.is_implementation_candidate(["type:feature", "status:ready"])
|
||||
)
|
||||
|
||||
|
||||
class TestBlockingReasonRequirement(unittest.TestCase):
|
||||
def test_blocked_requires_reason(self):
|
||||
self.assertTrue(
|
||||
labels.requires_blocking_reason(["type:bug", "status:blocked"])
|
||||
)
|
||||
|
||||
def test_hazard_requires_reason(self):
|
||||
self.assertTrue(
|
||||
labels.requires_blocking_reason(
|
||||
["type:bug", "status:ready", "hazard:stale-lease"]
|
||||
)
|
||||
)
|
||||
|
||||
def test_clean_ready_issue_needs_no_reason(self):
|
||||
self.assertFalse(
|
||||
labels.requires_blocking_reason(["type:feature", "status:ready"])
|
||||
)
|
||||
|
||||
|
||||
class TestState603SynonymTransitions(unittest.TestCase):
|
||||
def test_authoring_maps_to_in_progress(self):
|
||||
self.assertEqual(
|
||||
labels.canonical_status_label("authoring"), "status:in-progress"
|
||||
)
|
||||
|
||||
def test_changes_requested_transition(self):
|
||||
result = labels.transition_status_labels(
|
||||
["type:feature", "status:needs-review"], "changes-requested"
|
||||
)
|
||||
self.assertEqual(result, ["type:feature", "status:changes-requested"])
|
||||
|
||||
def test_merge_ready_maps_to_approved(self):
|
||||
self.assertEqual(labels.canonical_status_label("merge-ready"), "status:approved")
|
||||
|
||||
def test_abandoned_maps_to_wontfix(self):
|
||||
self.assertEqual(labels.canonical_status_label("abandoned"), "status:wontfix")
|
||||
|
||||
def test_blocked_and_merged_transitions(self):
|
||||
blocked = labels.transition_status_labels(
|
||||
["type:bug", "status:in-progress"], "blocked"
|
||||
)
|
||||
self.assertEqual(blocked, ["type:bug", "status:blocked"])
|
||||
merged = labels.transition_status_labels(
|
||||
["type:feature", "status:approved"], "merged"
|
||||
)
|
||||
self.assertEqual(merged, ["type:feature", "status:reconcile"])
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
|
||||
@@ -0,0 +1,392 @@
|
||||
"""Tests for first-class control-plane lease lifecycle (#601)."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import tempfile
|
||||
import unittest
|
||||
from datetime import timedelta
|
||||
from unittest import mock
|
||||
|
||||
from allocator_service import allocate_next_work, WorkCandidate
|
||||
from control_plane_db import ControlPlaneDB, ForeignLeaseError, _ts, _utc_now
|
||||
import lease_lifecycle as ll
|
||||
import merger_lease_adoption as mla
|
||||
import reviewer_pr_lease as rpl
|
||||
from datetime import datetime, timezone
|
||||
|
||||
|
||||
class LeaseLifecycleTest(unittest.TestCase):
|
||||
def setUp(self) -> None:
|
||||
self._tmp = tempfile.TemporaryDirectory()
|
||||
self.db_path = os.path.join(self._tmp.name, "cp.sqlite3")
|
||||
self.db = ControlPlaneDB(self.db_path)
|
||||
self.db.upsert_session(session_id="owner", role="author", profile="prgs-author", pid=111)
|
||||
self.db.upsert_session(session_id="other", role="author", profile="prgs-author", pid=222)
|
||||
|
||||
def tearDown(self) -> None:
|
||||
self._tmp.cleanup()
|
||||
|
||||
def _assign(self, session_id="owner", number=601, **kwargs):
|
||||
return self.db.assign_and_lease(
|
||||
session_id=session_id,
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
kind="issue",
|
||||
number=number,
|
||||
allowed_actions=("implement", "comment", "push", "create_pr"),
|
||||
forbidden_actions=("approve", "merge", "self_select_without_assignment"),
|
||||
worktree_path=kwargs.pop("worktree_path", self._tmp.name),
|
||||
owner_pid=kwargs.pop("owner_pid", os.getpid()),
|
||||
**kwargs,
|
||||
)
|
||||
|
||||
def test_list_active_leases_as_workflow_state(self) -> None:
|
||||
a = self._assign(number=601)
|
||||
self._assign(session_id="other", number=602)
|
||||
listed = ll.list_active_leases(
|
||||
self.db, remote="prgs", org="Scaled-Tech-Consulting", repo="Gitea-Tools"
|
||||
)
|
||||
self.assertTrue(listed["success"])
|
||||
self.assertEqual(listed["count"], 2)
|
||||
self.assertEqual(listed["authoritative_source"], "control_plane_db")
|
||||
self.assertFalse(listed["file_lock_only"])
|
||||
self.assertFalse(listed["comment_lease_only"])
|
||||
numbers = sorted(x["work_number"] for x in listed["leases"])
|
||||
self.assertEqual(numbers, [601, 602])
|
||||
self.assertIsNotNone(a.lease_id)
|
||||
|
||||
def test_adopt_lease_owner_resume_preserves_provenance(self) -> None:
|
||||
a = self._assign()
|
||||
res = ll.adopt_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
adopter_session_id="owner",
|
||||
role="author",
|
||||
worktree_path=self._tmp.name,
|
||||
)
|
||||
self.assertTrue(res["success"])
|
||||
self.assertTrue(res["same_owner"])
|
||||
prov = res["provenance"]
|
||||
self.assertEqual(prov["adopted_from_session_id"], "owner")
|
||||
self.assertEqual(prov["adopted_by_session_id"], "owner")
|
||||
self.assertEqual(prov["work_number"], 601)
|
||||
self.assertEqual(prov["worktree_path"], self._tmp.name)
|
||||
state = self.db.get_lease_workflow_state(a.lease_id)
|
||||
self.assertIsNotNone(state)
|
||||
self.assertEqual(state["lease"]["status"], "active")
|
||||
|
||||
def test_release_lease_explicit_recorded(self) -> None:
|
||||
a = self._assign()
|
||||
res = ll.release_lease(self.db, lease_id=a.lease_id, session_id="owner")
|
||||
self.assertEqual(res["outcome"], "released")
|
||||
self.assertIn("release_proof", res)
|
||||
self.assertEqual(res["release_proof"]["status"], "released")
|
||||
state = self.db.get_lease_workflow_state(a.lease_id)
|
||||
self.assertEqual(state["lease"]["status"], "released")
|
||||
|
||||
def test_expire_and_reclaim_expired_lease(self) -> None:
|
||||
a = self._assign(lease_ttl_seconds=1)
|
||||
past = _utc_now() - timedelta(hours=2)
|
||||
import sqlite3
|
||||
|
||||
conn = sqlite3.connect(self.db_path)
|
||||
try:
|
||||
conn.execute(
|
||||
"UPDATE leases SET expires_at = ? WHERE lease_id = ?",
|
||||
(_ts(past), a.lease_id),
|
||||
)
|
||||
conn.commit()
|
||||
finally:
|
||||
conn.close()
|
||||
exp = ll.expire_leases(self.db)
|
||||
self.assertGreaterEqual(exp["expired_count"], 1)
|
||||
reclaimed = ll.reclaim_expired_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
session_id="other",
|
||||
role="author",
|
||||
worktree_path=self._tmp.name,
|
||||
)
|
||||
self.assertEqual(reclaimed["outcome"], "reclaimed")
|
||||
self.assertEqual(reclaimed["assignment"]["session_id"], "other")
|
||||
self.assertEqual(
|
||||
reclaimed["provenance"]["adopted_from_session_id"], "owner"
|
||||
)
|
||||
self.assertEqual(
|
||||
reclaimed["provenance"]["adopted_by_session_id"], "other"
|
||||
)
|
||||
|
||||
def test_abandon_stale_lease_with_required_proof(self) -> None:
|
||||
a = self._assign(owner_pid=99999999, worktree_path="/nonexistent/path/for-601")
|
||||
# Force active but dead pid + missing worktree
|
||||
proof = ll.AbandonProof(
|
||||
dead_process=True,
|
||||
missing_worktree=True,
|
||||
no_open_pr=True,
|
||||
no_live_mutation_risk=True,
|
||||
owner_pid=99999999,
|
||||
worktree_path="/nonexistent/path/for-601",
|
||||
)
|
||||
res = ll.abandon_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
requester_session_id="other",
|
||||
proof=proof,
|
||||
)
|
||||
self.assertEqual(res["outcome"], "abandoned")
|
||||
self.assertEqual(res["prior_owner_session_id"], "owner")
|
||||
self.assertTrue(res["abandon_proof"]["dead_process"])
|
||||
state = self.db.get_lease_workflow_state(a.lease_id)
|
||||
self.assertEqual(state["lease"]["status"], "abandoned")
|
||||
|
||||
def test_refuse_steal_active_foreign_lease(self) -> None:
|
||||
a = self._assign()
|
||||
with self.assertRaises(ll.LeaseLifecycleError) as ctx:
|
||||
ll.adopt_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
adopter_session_id="other",
|
||||
role="author",
|
||||
)
|
||||
self.assertIn("steal", str(ctx.exception).lower())
|
||||
decision = ll.inspect_lease(
|
||||
self.db, a.lease_id, caller_session_id="other"
|
||||
)
|
||||
self.assertEqual(decision["safe_next_action"], ll.SAFE_WAIT_FOREIGN)
|
||||
self.assertTrue(decision["block"])
|
||||
|
||||
def test_refuse_ambiguous_lease_ownership_stale_id(self) -> None:
|
||||
decision = ll.inspect_lease(
|
||||
self.db, "lease-does-not-exist", caller_session_id="owner"
|
||||
)
|
||||
self.assertFalse(decision["found"])
|
||||
self.assertEqual(decision["safe_next_action"], ll.SAFE_STALE_PROMPT)
|
||||
with self.assertRaises(ll.LeaseLifecycleError):
|
||||
ll.adopt_lease(
|
||||
self.db,
|
||||
lease_id="lease-does-not-exist",
|
||||
adopter_session_id="owner",
|
||||
role="author",
|
||||
)
|
||||
|
||||
def test_provenance_on_adopt_release_abandon(self) -> None:
|
||||
a = self._assign()
|
||||
adopted = ll.adopt_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
adopter_session_id="owner",
|
||||
role="author",
|
||||
worktree_path=self._tmp.name,
|
||||
expected_head_sha="abc",
|
||||
)
|
||||
self.assertIn("adopted_from_session_id", adopted["provenance"])
|
||||
self.assertIn("adopted_by_session_id", adopted["provenance"])
|
||||
released = ll.release_lease(
|
||||
self.db, lease_id=a.lease_id, session_id="owner"
|
||||
)
|
||||
self.assertEqual(released["release_proof"]["session_id"], "owner")
|
||||
|
||||
b = self._assign(number=700, owner_pid=1, worktree_path="/no/such/wt")
|
||||
abandoned = ll.abandon_lease(
|
||||
self.db,
|
||||
lease_id=b.lease_id,
|
||||
requester_session_id="owner",
|
||||
proof=ll.AbandonProof(
|
||||
dead_process=True,
|
||||
missing_worktree=True,
|
||||
no_live_mutation_risk=True,
|
||||
no_open_pr=True,
|
||||
),
|
||||
)
|
||||
self.assertIn("abandon_proof", abandoned)
|
||||
self.assertEqual(abandoned["abandon_proof"]["dead_process"], True)
|
||||
|
||||
def test_allocator_assignment_lease_compatible(self) -> None:
|
||||
"""Allocator assign+lease still works and is listable/inspectable."""
|
||||
cands = [
|
||||
WorkCandidate(
|
||||
kind="issue",
|
||||
number=601,
|
||||
labels=("status:ready",),
|
||||
title="leases",
|
||||
priority=20,
|
||||
)
|
||||
]
|
||||
res = allocate_next_work(
|
||||
self.db,
|
||||
session_id="alloc-s",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
candidates=cands,
|
||||
apply=True,
|
||||
profile_name="prgs-author",
|
||||
username="jcwalker3",
|
||||
)
|
||||
self.assertEqual(res["outcome"], "assigned_work")
|
||||
lid = res["assignment"]["lease_id"]
|
||||
listed = ll.list_active_leases(self.db, remote="prgs")
|
||||
ids = [x["lease_id"] for x in listed["leases"]]
|
||||
self.assertIn(lid, ids)
|
||||
insp = ll.inspect_lease(self.db, lid, caller_session_id="alloc-s")
|
||||
self.assertTrue(insp["found"])
|
||||
self.assertIn(
|
||||
insp["safe_next_action"],
|
||||
(ll.SAFE_OWNER_RESUME, ll.SAFE_ABANDON_ALLOWED),
|
||||
)
|
||||
|
||||
def test_reviewer_merger_lease_handoff_still_works(self) -> None:
|
||||
"""#536 merger adoption path is independent and must not regress."""
|
||||
rpl.clear_session_lease()
|
||||
body = mla.format_adoption_body(
|
||||
repo="Scaled-Tech-Consulting/Gitea-Tools",
|
||||
pr_number=999,
|
||||
issue_number=601,
|
||||
adopter_identity="sysadmin",
|
||||
adopter_profile="prgs-merger",
|
||||
adopter_session_id="merger-1",
|
||||
worktree="branches/merge-pr999",
|
||||
candidate_head="a" * 40,
|
||||
target_branch="master",
|
||||
target_branch_sha="b" * 40,
|
||||
adopted_from_session_id="reviewer-1",
|
||||
adopted_from_profile="prgs-reviewer",
|
||||
adopted_from_reviewer_identity="sysadmin",
|
||||
adopted_from_comment_id=42,
|
||||
)
|
||||
self.assertIn(mla.ADOPTION_MARKER, body)
|
||||
self.assertIn("adopted_from_session_id: reviewer-1", body)
|
||||
self.assertIn("adopted_by_profile: prgs-merger", body)
|
||||
prov = mla.build_lease_provenance(
|
||||
source=mla.SOURCE_ADOPT,
|
||||
comment_id=42,
|
||||
adopted_from_session_id="reviewer-1",
|
||||
adoption_reason=mla.DEFAULT_ADOPTION_REASON,
|
||||
)
|
||||
rpl.record_session_lease(
|
||||
{
|
||||
"pr_number": 999,
|
||||
"session_id": "merger-1",
|
||||
"comment_id": 42,
|
||||
},
|
||||
lease_provenance=prov,
|
||||
)
|
||||
proof = mla.describe_session_lease_proof(rpl.get_session_lease())
|
||||
self.assertTrue(proof["lease_proof_sanctioned"])
|
||||
self.assertEqual(proof["lease_proof_source"], mla.SOURCE_ADOPT)
|
||||
rpl.clear_session_lease()
|
||||
|
||||
def test_missing_worktree_and_dead_pid_handled_safely(self) -> None:
|
||||
a = self._assign(owner_pid=1, worktree_path="/definitely/missing/wt-601")
|
||||
with mock.patch.object(ll, "is_process_alive", return_value=False):
|
||||
fr = ll.classify_lease_freshness(
|
||||
self.db.get_lease_workflow_state(a.lease_id)["lease"]
|
||||
)
|
||||
self.assertIn(fr["freshness"], ("stale_dead_process", "stale_missing_worktree"))
|
||||
# Insufficient abandon proof fails closed
|
||||
with self.assertRaises(ll.LeaseLifecycleError):
|
||||
ll.abandon_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
requester_session_id="other",
|
||||
proof=ll.AbandonProof(dead_process=True), # missing no_live_mutation_risk
|
||||
)
|
||||
|
||||
def test_file_lock_or_comment_not_authoritative_alone(self) -> None:
|
||||
report = ll.non_db_lease_authority_report(
|
||||
file_lock_present=True,
|
||||
comment_lease_present=False,
|
||||
db_lease_present=False,
|
||||
)
|
||||
self.assertEqual(report["safe_next_action"], ll.SAFE_NO_AUTHORITY)
|
||||
self.assertTrue(report["file_lock_only"])
|
||||
self.assertIsNone(report["authoritative_source"])
|
||||
report2 = ll.non_db_lease_authority_report(
|
||||
file_lock_present=True,
|
||||
comment_lease_present=True,
|
||||
db_lease_present=True,
|
||||
)
|
||||
self.assertEqual(report2["authoritative_source"], "control_plane_db")
|
||||
self.assertFalse(report2["file_lock_only"])
|
||||
self.assertFalse(report2["comment_lease_only"])
|
||||
|
||||
def test_abandon_proof_is_sufficient_rules(self) -> None:
|
||||
self.assertFalse(ll.AbandonProof(dead_process=True).is_sufficient())
|
||||
self.assertTrue(
|
||||
ll.AbandonProof(
|
||||
dead_process=True,
|
||||
missing_worktree=True,
|
||||
no_live_mutation_risk=True,
|
||||
no_open_pr=True,
|
||||
).is_sufficient()
|
||||
)
|
||||
self.assertTrue(
|
||||
ll.AbandonProof(
|
||||
dead_process=True,
|
||||
no_live_mutation_risk=True,
|
||||
same_owner=True,
|
||||
).is_sufficient()
|
||||
)
|
||||
self.assertTrue(
|
||||
ll.AbandonProof(
|
||||
missing_worktree=True,
|
||||
no_live_mutation_risk=True,
|
||||
operator_authorized=True,
|
||||
).is_sufficient()
|
||||
)
|
||||
|
||||
|
||||
class IssueLockExpiredReclaimTest(unittest.TestCase):
|
||||
def test_expired_lock_reclaim_allowed_when_dead_and_missing_wt(self) -> None:
|
||||
import issue_lock_store as ils
|
||||
|
||||
lock = {
|
||||
"issue_number": 601,
|
||||
"branch_name": "feat/issue-601-x",
|
||||
"worktree_path": "/no/such/worktree-601",
|
||||
"session_pid": 1,
|
||||
"work_lease": {
|
||||
"operation_type": "author_issue_work",
|
||||
"expires_at": "2000-01-01T00:00:00Z",
|
||||
},
|
||||
}
|
||||
with mock.patch.object(ils, "is_process_alive", return_value=False):
|
||||
res = ils.assess_expired_lock_reclaim(lock)
|
||||
self.assertTrue(res["reclaim_allowed"])
|
||||
# Conflict assessor allows takeover
|
||||
block = ils.assess_same_issue_lease_conflict(
|
||||
lock,
|
||||
issue_number=601,
|
||||
branch_name="feat/issue-601-first-class-leases",
|
||||
worktree_path="/tmp/new",
|
||||
)
|
||||
self.assertIsNone(block)
|
||||
|
||||
def test_live_lock_reclaim_refused(self) -> None:
|
||||
import issue_lock_store as ils
|
||||
from datetime import datetime, timedelta, timezone
|
||||
|
||||
future = (datetime.now(timezone.utc) + timedelta(hours=2)).strftime(
|
||||
"%Y-%m-%dT%H:%M:%SZ"
|
||||
)
|
||||
lock = {
|
||||
"issue_number": 601,
|
||||
"branch_name": "feat/issue-601-x",
|
||||
"worktree_path": tempfile.gettempdir(),
|
||||
"session_pid": os.getpid(),
|
||||
"work_lease": {
|
||||
"operation_type": "author_issue_work",
|
||||
"expires_at": future,
|
||||
"last_heartbeat_at": future,
|
||||
},
|
||||
}
|
||||
res = ils.assess_expired_lock_reclaim(lock)
|
||||
self.assertFalse(res["reclaim_allowed"])
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
+29
-34
@@ -28,33 +28,31 @@ class TestLabelCreation(unittest.TestCase):
|
||||
"""Verify create-or-skip logic for the label set."""
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all")
|
||||
@patch("manage_labels.api")
|
||||
def test_skips_existing_labels(self, mock_api, _auth):
|
||||
# Simulate all labels already exist
|
||||
def test_skips_existing_labels(self, mock_api, mock_get_all, _auth):
|
||||
# Simulate all labels already exist (paginated inventory #627)
|
||||
existing = [_make_label(l["name"], i) for i, l in enumerate(manage_labels.LABELS)]
|
||||
mock_api.return_value = existing # first call is GET /labels
|
||||
mock_get_all.return_value = existing
|
||||
|
||||
# Patch sys.argv to avoid --dry
|
||||
with patch.object(sys, "argv", ["manage_labels.py"]):
|
||||
with contextlib.redirect_stdout(io.StringIO()), contextlib.redirect_stderr(io.StringIO()):
|
||||
manage_labels.main()
|
||||
|
||||
# The GET call happens, but no POST calls for label creation
|
||||
get_calls = [c for c in mock_api.call_args_list if c[0][0] == "GET"]
|
||||
mock_get_all.assert_called()
|
||||
post_label_calls = [
|
||||
c for c in mock_api.call_args_list
|
||||
if c[0][0] == "POST" and c[0][1] == "/labels"
|
||||
]
|
||||
self.assertGreaterEqual(len(get_calls), 1)
|
||||
self.assertEqual(len(post_label_calls), 0)
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[])
|
||||
@patch("manage_labels.api")
|
||||
def test_creates_missing_labels(self, mock_api, _auth):
|
||||
def test_creates_missing_labels(self, mock_api, _get_all, _auth):
|
||||
# Simulate no existing labels
|
||||
def side_effect(method, path, auth, payload=None):
|
||||
if method == "GET" and "/labels" in path:
|
||||
return [] # no existing labels
|
||||
if method == "POST" and path == "/labels":
|
||||
return {"id": 999, "name": payload["name"]}
|
||||
if method == "PUT":
|
||||
@@ -79,15 +77,14 @@ class TestLabelCreation(unittest.TestCase):
|
||||
class TestDryRun(unittest.TestCase):
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[])
|
||||
@patch("manage_labels.api")
|
||||
def test_dry_run_makes_no_writes(self, mock_api, _auth):
|
||||
mock_api.return_value = [] # no existing labels
|
||||
|
||||
def test_dry_run_makes_no_writes(self, mock_api, _get_all, _auth):
|
||||
with patch.object(sys, "argv", ["manage_labels.py", "--dry"]):
|
||||
with contextlib.redirect_stdout(io.StringIO()), contextlib.redirect_stderr(io.StringIO()):
|
||||
manage_labels.main()
|
||||
|
||||
# Only the GET call should be made, no POST or PUT
|
||||
# Dry run should not call write methods via api()
|
||||
for c in mock_api.call_args_list:
|
||||
method = c[0][0]
|
||||
self.assertEqual(method, "GET",
|
||||
@@ -100,13 +97,13 @@ class TestDryRun(unittest.TestCase):
|
||||
class TestLabelMapping(unittest.TestCase):
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all")
|
||||
@patch("manage_labels.api")
|
||||
def test_applies_mapping_to_issues(self, mock_api, _auth):
|
||||
def test_applies_mapping_to_issues(self, mock_api, mock_get_all, _auth):
|
||||
existing = [_make_label(l["name"], i + 1) for i, l in enumerate(manage_labels.LABELS)]
|
||||
mock_get_all.return_value = existing
|
||||
|
||||
def side_effect(method, path, auth, payload=None):
|
||||
if method == "GET":
|
||||
return existing
|
||||
if method == "PUT":
|
||||
return [{"name": "applied"}]
|
||||
return None
|
||||
@@ -158,11 +155,10 @@ class TestModes(unittest.TestCase):
|
||||
return [(c[0][0], c[0][1]) for c in mock_api.call_args_list]
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[])
|
||||
@patch("manage_labels.api")
|
||||
def test_create_labels_only_no_mapping(self, mock_api, _auth):
|
||||
def test_create_labels_only_no_mapping(self, mock_api, _get_all, _auth):
|
||||
def se(method, path, auth, payload=None):
|
||||
if method == "GET":
|
||||
return [] # no existing labels
|
||||
if method == "POST" and path == "/labels":
|
||||
return {"id": 1, "name": payload["name"]}
|
||||
return None
|
||||
@@ -173,14 +169,14 @@ class TestModes(unittest.TestCase):
|
||||
self.assertFalse(any(m[0] == "PUT" for m in methods)) # no mapping applied
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all")
|
||||
@patch("manage_labels.api")
|
||||
def test_apply_mapping_only_no_label_creation(self, mock_api, _auth):
|
||||
def test_apply_mapping_only_no_label_creation(self, mock_api, mock_get_all, _auth):
|
||||
existing = [_make_label(l["name"], i + 1)
|
||||
for i, l in enumerate(manage_labels.LABELS)]
|
||||
mock_get_all.return_value = existing
|
||||
|
||||
def se(method, path, auth, payload=None):
|
||||
if method == "GET":
|
||||
return existing
|
||||
if method == "PUT":
|
||||
return [{"name": "applied"}]
|
||||
return None
|
||||
@@ -192,13 +188,10 @@ class TestModes(unittest.TestCase):
|
||||
self.assertEqual(len(put_calls), len(manage_labels.MAPPING))
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[_make_label("chore", 5)])
|
||||
@patch("manage_labels.api")
|
||||
def test_add_label_appends_to_issue(self, mock_api, _auth):
|
||||
existing = [_make_label("chore", 5)]
|
||||
|
||||
def test_add_label_appends_to_issue(self, mock_api, _get_all, _auth):
|
||||
def se(method, path, auth, payload=None):
|
||||
if method == "GET":
|
||||
return existing
|
||||
if method == "POST":
|
||||
return [{"name": "chore"}]
|
||||
return None
|
||||
@@ -212,19 +205,21 @@ class TestModes(unittest.TestCase):
|
||||
self.assertFalse(any(c[0][0] == "PUT" for c in mock_api.call_args_list))
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[])
|
||||
@patch("manage_labels.api")
|
||||
def test_add_label_unknown_makes_no_write(self, mock_api, _auth):
|
||||
mock_api.side_effect = lambda *a, **k: [] if a[0] == "GET" else None
|
||||
def test_add_label_unknown_makes_no_write(self, mock_api, _get_all, _auth):
|
||||
manage_labels.main(["--add-label", "42", "ghost"])
|
||||
# Only the GET label lookup; no POST/PUT for an undefined label.
|
||||
self.assertTrue(all(c[0][0] == "GET" for c in mock_api.call_args_list))
|
||||
# No write via api() for an undefined label.
|
||||
self.assertTrue(all(c[0][0] == "GET" for c in mock_api.call_args_list)
|
||||
or len(mock_api.call_args_list) == 0)
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[_make_label("chore", 5)])
|
||||
@patch("manage_labels.api")
|
||||
def test_add_label_dry_makes_no_write(self, mock_api, _auth):
|
||||
mock_api.side_effect = lambda *a, **k: [_make_label("chore", 5)] if a[0] == "GET" else None
|
||||
def test_add_label_dry_makes_no_write(self, mock_api, _get_all, _auth):
|
||||
manage_labels.main(["--dry", "--add-label", "42", "chore"])
|
||||
self.assertTrue(all(c[0][0] == "GET" for c in mock_api.call_args_list))
|
||||
self.assertTrue(all(c[0][0] == "GET" for c in mock_api.call_args_list)
|
||||
or len(mock_api.call_args_list) == 0)
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api")
|
||||
|
||||
@@ -17,6 +17,7 @@ class TestMcpDaemonGuard(unittest.TestCase):
|
||||
mcp_daemon_guard.ALLOW_DIRECT_IMPORT_ENV,
|
||||
"PYTEST_CURRENT_TEST",
|
||||
}}
|
||||
env["GITEA_TEST_FORCE_UNSANCTIONED"] = "1"
|
||||
with patch.dict(os.environ, env, clear=True):
|
||||
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
|
||||
mcp_daemon_guard.assert_sanctioned_mutation_runtime("test")
|
||||
@@ -43,6 +44,7 @@ class TestMcpDaemonGuard(unittest.TestCase):
|
||||
"PYTEST_CURRENT_TEST",
|
||||
}
|
||||
}
|
||||
env["GITEA_TEST_FORCE_UNSANCTIONED"] = "1"
|
||||
with patch.dict(os.environ, env, clear=True):
|
||||
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
|
||||
mcp_daemon_guard.assert_keychain_access_allowed()
|
||||
@@ -58,6 +60,7 @@ class TestMcpDaemonGuard(unittest.TestCase):
|
||||
"PYTEST_CURRENT_TEST",
|
||||
}
|
||||
}
|
||||
env["GITEA_TEST_FORCE_UNSANCTIONED"] = "1"
|
||||
with patch.dict(os.environ, env, clear=True):
|
||||
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
|
||||
gitea_auth.get_auth_header("gitea.prgs.cc")
|
||||
|
||||
@@ -0,0 +1,208 @@
|
||||
import unittest
|
||||
|
||||
import gitea_mcp_server
|
||||
import mcp_namespace_health
|
||||
import review_merge_state_machine as rmsm
|
||||
|
||||
|
||||
class TestMcpNamespaceHealth(unittest.TestCase):
|
||||
def setUp(self):
|
||||
gitea_mcp_server._LIVE_NAMESPACE_HEALTH.clear()
|
||||
|
||||
def test_registered_tool_but_live_eof_blocks_merge(self):
|
||||
result = mcp_namespace_health.classify_namespace_probe(
|
||||
"gitea-reviewer",
|
||||
required_tool="gitea_whoami",
|
||||
registered_tools=["gitea_whoami", "gitea_list_profiles"],
|
||||
probe_result={
|
||||
"success": False,
|
||||
"error": "client is closing: EOF",
|
||||
},
|
||||
process={
|
||||
"pid": 4321,
|
||||
"profile": "prgs-reviewer",
|
||||
"env": {
|
||||
"GITEA_MCP_PROFILE": "prgs-reviewer",
|
||||
"GITEA_TOKEN": "must-not-leak",
|
||||
},
|
||||
},
|
||||
config_path="/Users/jasonwalker/.gemini/config/mcp_config.json",
|
||||
probe_source="client_namespace",
|
||||
)
|
||||
|
||||
self.assertFalse(result["healthy"])
|
||||
self.assertEqual(result["error_type"], "namespace_eof")
|
||||
self.assertTrue(result["required_tool_registered"])
|
||||
self.assertFalse(result["required_tool_callable"])
|
||||
self.assertTrue(result["blocks_merge_workflow"])
|
||||
self.assertFalse(result["ide_namespace_proven"])
|
||||
self.assertEqual(result["probe_source"], "client_namespace")
|
||||
self.assertEqual(result["diagnostics"]["process_pid"], 4321)
|
||||
self.assertEqual(result["diagnostics"]["profile"], "prgs-reviewer")
|
||||
self.assertEqual(
|
||||
result["diagnostics"]["env"]["GITEA_MCP_PROFILE"],
|
||||
"prgs-reviewer",
|
||||
)
|
||||
self.assertNotIn("GITEA_TOKEN", result["diagnostics"]["env"])
|
||||
self.assertIn("gitea-reviewer", result["reasons"][0])
|
||||
self.assertIn("gitea_whoami", result["reasons"][0])
|
||||
|
||||
def test_successful_client_namespace_invocation_is_ide_proven(self):
|
||||
result = mcp_namespace_health.classify_namespace_probe(
|
||||
"gitea-author",
|
||||
registered_tools=["gitea_whoami"],
|
||||
probe_result={"success": True, "result": {"authenticated": True}},
|
||||
process={"pid": 1234, "profile": "prgs-author"},
|
||||
config_path="/tmp/mcp_config.json",
|
||||
probe_source="client_namespace",
|
||||
)
|
||||
|
||||
self.assertTrue(result["healthy"])
|
||||
self.assertTrue(result["required_tool_registered"])
|
||||
self.assertTrue(result["required_tool_callable"])
|
||||
self.assertTrue(result["ide_namespace_proven"])
|
||||
self.assertFalse(result["blocks_merge_workflow"])
|
||||
self.assertIsNone(result["error_type"])
|
||||
|
||||
def test_offline_spawn_success_is_not_ide_proof(self):
|
||||
result = mcp_namespace_health.classify_namespace_probe(
|
||||
"gitea-merger",
|
||||
registered_tools=["gitea_whoami"],
|
||||
probe_result={"success": True, "result": {}},
|
||||
process={"pid": 99, "profile": "prgs-merger"},
|
||||
probe_source="offline_spawn",
|
||||
)
|
||||
self.assertTrue(result["healthy"])
|
||||
self.assertFalse(result["ide_namespace_proven"])
|
||||
self.assertFalse(result["blocks_merge_workflow"])
|
||||
self.assertTrue(
|
||||
any("offline_spawn" in r for r in result["reasons"])
|
||||
)
|
||||
|
||||
def test_registered_missing_required_tool_fails_before_probe_success(self):
|
||||
result = mcp_namespace_health.classify_namespace_probe(
|
||||
"gitea-tools",
|
||||
registered_tools=["gitea_whoami"],
|
||||
probe_result={"success": True, "result": {}},
|
||||
probe_source="client_namespace",
|
||||
)
|
||||
|
||||
self.assertFalse(result["healthy"])
|
||||
self.assertEqual(result["required_tool"], "gitea_list_profiles")
|
||||
self.assertFalse(result["required_tool_registered"])
|
||||
self.assertEqual(result["error_type"], "tool_missing")
|
||||
|
||||
def test_server_tool_exposes_same_assessment_and_records_session(self):
|
||||
result = gitea_mcp_server.gitea_assess_mcp_namespace_health(
|
||||
"gitea-merger",
|
||||
registered_tools=["gitea_whoami"],
|
||||
probe_result={"success": False, "error": "transport closed"},
|
||||
process={"pid": 9876, "profile": "prgs-merger"},
|
||||
probe_source="client_namespace",
|
||||
)
|
||||
|
||||
self.assertFalse(result["success"])
|
||||
self.assertEqual(result["error_type"], "namespace_eof")
|
||||
self.assertEqual(result["namespace"], "gitea-merger")
|
||||
self.assertEqual(result["diagnostics"]["process_pid"], 9876)
|
||||
self.assertIn("gitea-merger", gitea_mcp_server._LIVE_NAMESPACE_HEALTH)
|
||||
gate = gitea_mcp_server._live_namespace_health_gate("merge_pr")
|
||||
self.assertTrue(gate)
|
||||
self.assertTrue(any("gitea-merger" in r for r in gate))
|
||||
|
||||
|
||||
class TestLiveNamespaceBlocksMerge(unittest.TestCase):
|
||||
"""AC5: a broken live namespace must hard-block the review/merge state machine."""
|
||||
|
||||
def setUp(self):
|
||||
gitea_mcp_server._LIVE_NAMESPACE_HEALTH.clear()
|
||||
|
||||
def _merge_ready_completion(self):
|
||||
# Completion through PRE_MERGE_RECHECK is the state where a clean merge
|
||||
# is otherwise allowed (see test_merge_allowed_with_pre_merge_gates).
|
||||
idx = rmsm.REVIEW_MERGE_STATES.index("PRE_MERGE_RECHECK")
|
||||
return {state: True for state in rmsm.REVIEW_MERGE_STATES[: idx + 1]}
|
||||
|
||||
def _all_gates(self):
|
||||
return {gate: True for gate in rmsm._PRE_MERGE_REQUIRED_GATES}
|
||||
|
||||
def test_assess_workflow_blockers_flags_live_namespace_broken(self):
|
||||
clean = rmsm.assess_workflow_blockers()
|
||||
self.assertFalse(clean["block"])
|
||||
|
||||
broken = rmsm.assess_workflow_blockers(live_namespace_broken=True)
|
||||
self.assertTrue(broken["block"])
|
||||
self.assertTrue(any("namespace" in r.lower() for r in broken["reasons"]))
|
||||
|
||||
def test_can_merge_blocks_even_when_all_gates_pass(self):
|
||||
# Without the namespace blocker a fully-complete workflow can merge...
|
||||
allowed = rmsm.can_merge(
|
||||
self._merge_ready_completion(), pre_merge_gates=self._all_gates()
|
||||
)
|
||||
self.assertTrue(allowed["allowed"])
|
||||
|
||||
# ...but a broken live namespace overrides every satisfied gate.
|
||||
blocked = rmsm.can_merge(
|
||||
self._merge_ready_completion(),
|
||||
pre_merge_gates=self._all_gates(),
|
||||
live_namespace_broken=True,
|
||||
)
|
||||
self.assertTrue(blocked["block"])
|
||||
self.assertFalse(blocked["allowed"])
|
||||
|
||||
def test_workflow_status_forwards_namespace_blocker(self):
|
||||
status = rmsm.workflow_status(
|
||||
self._merge_ready_completion(), live_namespace_broken=True
|
||||
)
|
||||
self.assertFalse(status["merge_allowed"])
|
||||
self.assertFalse(status["approve_allowed"])
|
||||
|
||||
def test_server_tool_blocks_merge_on_live_namespace_broken(self):
|
||||
result = gitea_mcp_server.gitea_assess_review_merge_state_machine(
|
||||
state_completion=self._merge_ready_completion(),
|
||||
pre_merge_gates=self._all_gates(),
|
||||
live_namespace_broken=True,
|
||||
)
|
||||
self.assertTrue(result["blockers"]["block"])
|
||||
self.assertFalse(result["merge"]["allowed"])
|
||||
|
||||
def test_classify_verdict_bridges_into_merge_block(self):
|
||||
# The classify verdict is the intended feed for live_namespace_broken.
|
||||
verdict = mcp_namespace_health.classify_namespace_probe(
|
||||
"gitea-merger",
|
||||
registered_tools=["gitea_whoami", "gitea_adopt_merger_pr_lease"],
|
||||
probe_result={"success": False, "error": "client is closing: EOF"},
|
||||
process={"pid": 555, "profile": "prgs-merger"},
|
||||
probe_source="client_namespace",
|
||||
)
|
||||
self.assertTrue(verdict["blocks_merge_workflow"])
|
||||
blocked = rmsm.can_merge(
|
||||
self._merge_ready_completion(),
|
||||
pre_merge_gates=self._all_gates(),
|
||||
live_namespace_broken=verdict["blocks_merge_workflow"],
|
||||
)
|
||||
self.assertFalse(blocked["allowed"])
|
||||
|
||||
def test_offline_spawn_does_not_authorize_mutation_gate(self):
|
||||
gitea_mcp_server.gitea_assess_mcp_namespace_health(
|
||||
"gitea-merger",
|
||||
registered_tools=["gitea_whoami"],
|
||||
probe_result={"success": True, "result": {}},
|
||||
probe_source="offline_spawn",
|
||||
)
|
||||
gate = gitea_mcp_server._live_namespace_health_gate("merge_pr")
|
||||
self.assertTrue(gate)
|
||||
self.assertTrue(any("offline_spawn" in r or "client_namespace" in r for r in gate))
|
||||
|
||||
def test_client_namespace_healthy_clears_mutation_gate(self):
|
||||
gitea_mcp_server.gitea_assess_mcp_namespace_health(
|
||||
"gitea-merger",
|
||||
registered_tools=["gitea_whoami"],
|
||||
probe_result={"success": True, "result": {}},
|
||||
probe_source="client_namespace",
|
||||
)
|
||||
self.assertEqual(gitea_mcp_server._live_namespace_health_gate("merge_pr"), [])
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
+152
-6
@@ -5,6 +5,7 @@ the MCP protocol) with mocked API responses.
|
||||
"""
|
||||
import json
|
||||
import os
|
||||
import shutil
|
||||
import sys
|
||||
import tempfile
|
||||
import unittest
|
||||
@@ -47,6 +48,22 @@ import gitea_config # noqa: E402
|
||||
|
||||
import mcp_server
|
||||
import issue_lock_store
|
||||
import gitea_auth
|
||||
|
||||
_orig_api_request = gitea_auth.api_request
|
||||
def mockable_api_request(*args, **kwargs):
|
||||
import mcp_server
|
||||
return mcp_server.api_request(*args, **kwargs)
|
||||
|
||||
def setUpModule():
|
||||
gitea_auth.api_request = mockable_api_request
|
||||
patch("mcp_server._enforce_root_checkout_guard").start()
|
||||
patch("mcp_server._enforce_branches_only_author_mutation").start()
|
||||
|
||||
def tearDownModule():
|
||||
gitea_auth.api_request = _orig_api_request
|
||||
patch.stopall()
|
||||
|
||||
|
||||
FAKE_AUTH = "Basic dGVzdDp0ZXN0"
|
||||
FULL_HEAD_SHA = "a" * 40
|
||||
@@ -774,6 +791,9 @@ class TestMergePR(unittest.TestCase):
|
||||
def setUp(self):
|
||||
import reviewer_pr_lease
|
||||
|
||||
# Clean ledger each merge test so residual/host durable #332 state
|
||||
# cannot short-circuit eligibility gates (#590 / #594).
|
||||
mcp_server._save_review_decision_lock(None)
|
||||
mcp_server.gitea_load_review_workflow()
|
||||
self._lease_patch = _install_owned_reviewer_lease(8)
|
||||
self._lease_patch.start()
|
||||
@@ -1003,6 +1023,64 @@ class TestMergePR(unittest.TestCase):
|
||||
r["reasons"])
|
||||
self._assert_no_merge_call(mock_api)
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_env_clear_does_not_adopt_host_review_mutation_ledger(
|
||||
self, _auth, mock_api
|
||||
):
|
||||
"""#590: patch.dict(clear=True) must not load host terminal mutations.
|
||||
|
||||
Simulates a dirty host session-state file for profile gitea-default
|
||||
(the profile active when env is fully cleared). Isolation must keep
|
||||
the #332 hard-stop ledger clean so the empty-profile gate fires.
|
||||
"""
|
||||
import tempfile
|
||||
|
||||
import mcp_session_state
|
||||
|
||||
poison_dir = tempfile.mkdtemp(prefix="gitea-host-poison-")
|
||||
mcp_session_state.save_state(
|
||||
kind=mcp_session_state.KIND_DECISION_LOCK,
|
||||
profile_identity="gitea-default",
|
||||
state_dir=poison_dir,
|
||||
payload={
|
||||
"task": "review_pr",
|
||||
"remote": "prgs",
|
||||
"final_review_decision_ready": True,
|
||||
"ready_pr_number": 8,
|
||||
"ready_action": "request_changes",
|
||||
"live_mutations": [
|
||||
{
|
||||
"pr_number": 8,
|
||||
"action": "request_changes",
|
||||
"review_id": 99,
|
||||
"review_state": "request_changes",
|
||||
}
|
||||
],
|
||||
},
|
||||
)
|
||||
# If isolation only used the env var, clear=True would fall back to
|
||||
# DEFAULT_STATE_DIR and adopt this poison ledger.
|
||||
mcp_server._REVIEW_DECISION_LOCK = None
|
||||
mock_api.side_effect = [{"login": "merger-bot"}, self._pr("author-bot")]
|
||||
with patch.object(mcp_session_state, "DEFAULT_STATE_DIR", poison_dir):
|
||||
with patch.dict(os.environ, {}, clear=True):
|
||||
r = gitea_merge_pr(
|
||||
pr_number=8,
|
||||
confirmation=self._confirm(8),
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertFalse(r["performed"])
|
||||
self.assertIn(
|
||||
"profile has no configured allowed operations (fail closed)",
|
||||
r["reasons"],
|
||||
)
|
||||
self.assertFalse(
|
||||
any("terminal review mutation already consumed" in x for x in r["reasons"]),
|
||||
msg=f"host ledger leaked into reasons: {r['reasons']}",
|
||||
)
|
||||
self._assert_no_merge_call(mock_api)
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_profile_without_merge_permission_blocks(self, _auth, mock_api):
|
||||
@@ -1302,11 +1380,11 @@ class TestReviewPR(unittest.TestCase):
|
||||
self.assertIn("Review/Merge Blocked", result["message"])
|
||||
self.assertIn("Author profile", result["message"])
|
||||
|
||||
@patch("mcp_server.api_get_all")
|
||||
@patch("mcp_server.api_fetch_page")
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("mcp_server.get_profile")
|
||||
def test_legacy_review_pr_self_approval_blocked(self, mock_get_profile, _auth, mock_api, mock_get_all):
|
||||
def test_legacy_review_pr_self_approval_blocked(self, mock_get_profile, _auth, mock_api, mock_fetch):
|
||||
mock_get_profile.return_value = {
|
||||
"profile_name": "gitea-reviewer",
|
||||
"allowed_operations": ["read", "approve"],
|
||||
@@ -1314,7 +1392,10 @@ class TestReviewPR(unittest.TestCase):
|
||||
"base_url": None,
|
||||
}
|
||||
head_sha = FULL_HEAD_SHA
|
||||
mock_get_all.return_value = [{"number": 1, "title": "PR 1", "state": "open", "head": {"ref": "branch1", "sha": head_sha}, "base": {"ref": "master"}, "mergeable": True, "user": {"login": "jcwalker3"}}]
|
||||
mock_fetch.return_value = (
|
||||
[{"number": 1, "title": "PR 1", "state": "open", "head": {"ref": "branch1", "sha": head_sha}, "base": {"ref": "master"}, "mergeable": True, "user": {"login": "jcwalker3"}}],
|
||||
{"page": 1, "per_page": 50, "returned_count": 1, "has_more": False, "next_page": None, "is_final_page": True}
|
||||
)
|
||||
# mock_api responses: 1) /user (inventory), 2) /user (eligibility), 3) /pulls/1 (eligibility)
|
||||
mock_api.side_effect = [
|
||||
{"login": "jcwalker3"}, # /api/v1/user (inventory)
|
||||
@@ -2672,6 +2753,56 @@ class TestTrackerHygieneCleanup(unittest.TestCase):
|
||||
self.assertTrue(res["success"])
|
||||
self.assertEqual(res["cleanup_status"].get(1), "not present")
|
||||
|
||||
def test_close_issue_blocks_unproven_expected_preexisting_failure(self):
|
||||
# #529: a closure report calling a non-zero suite exit an "expected
|
||||
# pre-existing failure" without pre-merge proof must fail closed and
|
||||
# never PATCH the issue state.
|
||||
patched = []
|
||||
|
||||
def api_side_effect(method, url, auth, payload=None):
|
||||
if method == "PATCH":
|
||||
patched.append(url)
|
||||
return {}
|
||||
self.mock_api.side_effect = api_side_effect
|
||||
|
||||
res = gitea_close_issue(
|
||||
issue_number=1,
|
||||
closure_report=(
|
||||
"Full suite: 1 failed. Expected pre-existing failure, safe to close."
|
||||
),
|
||||
)
|
||||
self.assertFalse(res["success"])
|
||||
self.assertTrue(res.get("blocked"))
|
||||
self.assertTrue(res.get("reasons"))
|
||||
self.assertFalse(
|
||||
patched, "must not PATCH issue state when the closure gate blocks"
|
||||
)
|
||||
|
||||
def test_close_issue_allows_proven_baseline_closure(self):
|
||||
def api_side_effect(method, url, auth, payload=None):
|
||||
if method == "PATCH" and "issues/1" in url:
|
||||
return {"state": "closed"}
|
||||
if method == "GET" and "labels" in url and "issues" not in url:
|
||||
return [{"name": "bug", "id": 2}]
|
||||
if method == "GET" and "issues/1" in url:
|
||||
return {"labels": [{"name": "bug"}]}
|
||||
return {}
|
||||
self.mock_api.side_effect = api_side_effect
|
||||
|
||||
res = gitea_close_issue(
|
||||
issue_number=1,
|
||||
closure_report=(
|
||||
"Full suite: 1 failed, expected pre-existing baseline failure "
|
||||
"proven on the PR pre-merge base commit.\n"
|
||||
"Pre-merge base commit: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b\n"
|
||||
"Tested commit: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b\n"
|
||||
"Command: venv/bin/python -m pytest -q\n"
|
||||
"Exit status: 1\n"
|
||||
"Failure signature: AssertionError: None is not true\n"
|
||||
),
|
||||
)
|
||||
self.assertTrue(res["success"])
|
||||
|
||||
def test_merge_pr_with_closes_removes_label(self):
|
||||
import reviewer_pr_lease
|
||||
|
||||
@@ -3700,7 +3831,15 @@ class TestIssueLocking(unittest.TestCase):
|
||||
@patch("mcp_server.api_get_all", return_value=[])
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_lock_issue_blocks_expired_same_operation_lease_for_recovery(self, _auth, _api, _git_state):
|
||||
"""#601: expired lease still blocks takeover when owner pid is live AND worktree exists.
|
||||
|
||||
Dead-pid / missing-worktree reclaim is covered by issue_lock_store unit tests.
|
||||
This MCP path must remain fail-closed for sticky expired foreign ownership.
|
||||
"""
|
||||
prgs_repo = mcp_server.REMOTES["prgs"]["repo"]
|
||||
# Present worktree + live pid => reclaim_allowed=False even though expires_at is past.
|
||||
sticky_worktree = tempfile.mkdtemp(prefix="gitea-sticky-lease-")
|
||||
self.addCleanup(lambda: shutil.rmtree(sticky_worktree, ignore_errors=True))
|
||||
issue_lock_store.save_lock_file(
|
||||
issue_lock_store.lock_file_path(
|
||||
remote="prgs",
|
||||
@@ -3714,15 +3853,22 @@ class TestIssueLocking(unittest.TestCase):
|
||||
"remote": "prgs",
|
||||
"org": "Scaled-Tech-Consulting",
|
||||
"repo": prgs_repo,
|
||||
"worktree_path": "/tmp/other-worktree",
|
||||
"worktree_path": sticky_worktree,
|
||||
"session_pid": os.getpid(),
|
||||
"pid": os.getpid(),
|
||||
"work_lease": {
|
||||
"operation_type": "author_issue_work",
|
||||
"expires_at": "2000-01-01T00:00:00Z",
|
||||
},
|
||||
},
|
||||
)
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
gitea_lock_issue(issue_number=196, branch_name="feat/issue-196-mutations", remote="prgs")
|
||||
with patch.object(issue_lock_store, "is_process_alive", return_value=True):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
gitea_lock_issue(
|
||||
issue_number=196,
|
||||
branch_name="feat/issue-196-mutations",
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertIn("Recovery review is required before takeover", str(ctx.exception))
|
||||
|
||||
@patch("mcp_server.api_get_all", return_value=[])
|
||||
|
||||
@@ -67,5 +67,66 @@ class TestMcpStaleRuntime(unittest.TestCase):
|
||||
# But does NOT contain missing author profile error
|
||||
self.assertFalse(any("None of the matching profiles for task" in r for r in reasons_author))
|
||||
|
||||
@patch("subprocess.run")
|
||||
@patch("os.path.getmtime")
|
||||
@patch("os.path.exists")
|
||||
@patch("os.getpid")
|
||||
@patch.dict("os.environ", {"GITEA_FORCE_MCP_RUNTIME_CHECK": "1"})
|
||||
def test_git_head_change_triggers_staleness(self, mock_getpid, mock_exists, mock_getmtime, mock_run):
|
||||
# Set boot SHA to FAKE1 and current to FAKE2
|
||||
gitea_mcp_server._process_boot_head_sha = "FAKE1"
|
||||
mock_getpid.return_value = 12345
|
||||
mock_exists.return_value = True
|
||||
|
||||
# Code time is in the past (fresh process chronologically)
|
||||
code_time = datetime(2026, 7, 8, 11, 0, 0)
|
||||
mock_getmtime.return_value = code_time.timestamp()
|
||||
|
||||
ps_output = (
|
||||
" PID LSTART COMMAND\n"
|
||||
"12345 Wed Jul 8 12:00:00 2026 /path/to/python mcp_server.py\n"
|
||||
)
|
||||
|
||||
mock_run_ps = MagicMock()
|
||||
mock_run_ps.stdout = ps_output
|
||||
|
||||
mock_run_env = MagicMock()
|
||||
mock_run_env.stdout = "GITEA_MCP_PROFILE=prgs-author"
|
||||
|
||||
mock_run_git = MagicMock()
|
||||
mock_run_git.stdout = "FAKE2" # different SHA
|
||||
|
||||
def side_effect(args, **kwargs):
|
||||
if args[0] == "ps" and "eww" in args:
|
||||
return mock_run_env
|
||||
elif args[0] == "ps":
|
||||
return mock_run_ps
|
||||
elif args[0] == "git" and "rev-parse" in args:
|
||||
return mock_run_git
|
||||
raise ValueError(f"Unexpected: {args}")
|
||||
|
||||
mock_run.side_effect = side_effect
|
||||
|
||||
# Stale even though process started AFTER code mtime, because git HEAD changed
|
||||
reasons = gitea_mcp_server._check_mcp_runtimes_diagnostics("create_issue", ["prgs-author"])
|
||||
self.assertTrue(any("stale-runtime: The active Gitea MCP server process is stale" in r for r in reasons))
|
||||
|
||||
@patch("threading.Thread")
|
||||
@patch("os.utime")
|
||||
@patch("os.path.exists")
|
||||
@patch.dict("os.environ", {"MCP_CONFIG_PATH": "/tmp/mcp_config.json"})
|
||||
def test_auto_restart_trigger_touches_and_spawns(self, mock_exists, mock_utime, mock_thread):
|
||||
mock_exists.return_value = True
|
||||
gitea_mcp_server._restart_triggered = False
|
||||
|
||||
# Ensure we are not skipped in test mode for testing purposes
|
||||
with patch("gitea_mcp_server._preflight_in_test_mode", return_value=False):
|
||||
gitea_mcp_server._trigger_mcp_auto_restart()
|
||||
|
||||
mock_utime.assert_called_once_with("/tmp/mcp_config.json", None)
|
||||
mock_thread.assert_called_once()
|
||||
self.assertTrue(gitea_mcp_server._restart_triggered)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
|
||||
@@ -42,6 +42,96 @@ def _lease_comment(
|
||||
HEAD = "f" * 40
|
||||
|
||||
|
||||
class TestDescribeSessionLeaseProof(unittest.TestCase):
|
||||
def setUp(self):
|
||||
leases.clear_session_lease()
|
||||
|
||||
def test_empty_session_is_none_kind(self):
|
||||
proof = mla.describe_session_lease_proof(None)
|
||||
self.assertIsNone(proof["lease_proof_source"])
|
||||
self.assertEqual(proof["lease_proof_kind"], "none")
|
||||
self.assertFalse(proof["lease_proof_sanctioned"])
|
||||
|
||||
def test_manual_seed_without_provenance(self):
|
||||
leases.record_session_lease({
|
||||
"pr_number": 536,
|
||||
"session_id": "manual",
|
||||
"comment_id": 1,
|
||||
})
|
||||
proof = mla.describe_session_lease_proof(leases.get_session_lease())
|
||||
self.assertIsNone(proof["lease_proof_source"])
|
||||
self.assertEqual(proof["lease_proof_kind"], "unsanctioned_manual_seed")
|
||||
self.assertFalse(proof["lease_proof_sanctioned"])
|
||||
|
||||
def test_sanctioned_adopt_fields(self):
|
||||
leases.record_session_lease(
|
||||
{
|
||||
"pr_number": 536,
|
||||
"session_id": "merger-sess",
|
||||
"comment_id": 700,
|
||||
},
|
||||
lease_provenance=mla.build_lease_provenance(
|
||||
source=mla.SOURCE_ADOPT,
|
||||
comment_id=700,
|
||||
adopted_from_session_id="reviewer-sess",
|
||||
adoption_reason=mla.DEFAULT_ADOPTION_REASON,
|
||||
),
|
||||
)
|
||||
proof = mla.describe_session_lease_proof(leases.get_session_lease())
|
||||
self.assertEqual(proof["lease_proof_source"], mla.SOURCE_ADOPT)
|
||||
self.assertEqual(proof["lease_proof_kind"], "sanctioned_adoption")
|
||||
self.assertTrue(proof["lease_proof_sanctioned"])
|
||||
self.assertEqual(
|
||||
proof["lease_recovery_reason"], mla.DEFAULT_ADOPTION_REASON
|
||||
)
|
||||
self.assertEqual(proof["lease_proof_comment_id"], 700)
|
||||
self.assertEqual(proof["lease_adopted_from_session_id"], "reviewer-sess")
|
||||
|
||||
def test_sanctioned_acquire_fields(self):
|
||||
leases.record_session_lease(
|
||||
{
|
||||
"pr_number": 536,
|
||||
"session_id": "rev",
|
||||
"comment_id": 50,
|
||||
},
|
||||
lease_provenance=mla.build_lease_provenance(
|
||||
source=mla.SOURCE_ACQUIRE,
|
||||
comment_id=50,
|
||||
),
|
||||
)
|
||||
proof = mla.describe_session_lease_proof(leases.get_session_lease())
|
||||
self.assertEqual(proof["lease_proof_source"], mla.SOURCE_ACQUIRE)
|
||||
self.assertEqual(proof["lease_proof_kind"], "sanctioned_acquire")
|
||||
self.assertTrue(proof["lease_proof_sanctioned"])
|
||||
|
||||
|
||||
class TestManualLeaseProofHandoffAudit(unittest.TestCase):
|
||||
def test_clean_merge_report_passes(self):
|
||||
text = (
|
||||
"Merged via gitea_merge_pr after gitea_adopt_merger_pr_lease. "
|
||||
"lease_proof_source: gitea_adopt_merger_pr_lease"
|
||||
)
|
||||
result = mla.assess_manual_lease_proof_handoff(text)
|
||||
self.assertTrue(result["proven"])
|
||||
self.assertFalse(result["block"])
|
||||
|
||||
def test_manual_seeded_claim_without_mcp_evidence_blocks(self):
|
||||
text = "Merged using manually seeded lease proof from prior session."
|
||||
result = mla.assess_manual_lease_proof_handoff(text)
|
||||
self.assertFalse(result["proven"])
|
||||
self.assertTrue(result["block"])
|
||||
self.assertTrue(any("#535" in r for r in result["reasons"]))
|
||||
|
||||
def test_historical_manual_mention_allowed_with_adoption_evidence(self):
|
||||
text = (
|
||||
"Historical incident used manually seeded lease; this merge used "
|
||||
"gitea_adopt_merger_pr_lease with adoption_comment_id: 8288."
|
||||
)
|
||||
result = mla.assess_manual_lease_proof_handoff(text)
|
||||
self.assertTrue(result["proven"])
|
||||
self.assertFalse(result["block"])
|
||||
|
||||
|
||||
class TestSanctionedProvenance(unittest.TestCase):
|
||||
def setUp(self):
|
||||
leases.clear_session_lease()
|
||||
|
||||
@@ -88,6 +88,21 @@ class TestControlPlaneGuide(GuideTestBase):
|
||||
blob = " ".join(g["guidance"]).lower()
|
||||
self.assertIn("forbidden", blob)
|
||||
self.assertIn("review", blob)
|
||||
self.assertIn("resolved_repository", g)
|
||||
|
||||
@patch("mcp_server.api_request", return_value={"login": "author-bot"})
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_guide_explicit_org_repo_parameters(self, _auth, _api):
|
||||
with patch.dict(os.environ, AUTHOR_ENV, clear=True):
|
||||
g = mcp_get_control_plane_guide(
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
)
|
||||
self.assertEqual(
|
||||
g["resolved_repository"],
|
||||
{"org": "Scaled-Tech-Consulting", "repo": "Gitea-Tools"},
|
||||
)
|
||||
|
||||
@patch("mcp_server.api_request", return_value={"login": "reviewer-bot"})
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
|
||||
@@ -0,0 +1,119 @@
|
||||
"""Post-merge moot validation wording + label tests (#529, criteria 1/4/5)."""
|
||||
|
||||
import unittest
|
||||
|
||||
from post_merge_validation import (
|
||||
BASELINE_ACCEPTED_OUTCOME,
|
||||
BLOCKED_OUTCOME,
|
||||
CLEAN_PASS_OUTCOME,
|
||||
LABEL_BASELINE_ACCEPTED,
|
||||
LABEL_BLOCKED,
|
||||
LABEL_CLEAN_PASS,
|
||||
LABEL_POST_MERGE_MOOT,
|
||||
POST_MERGE_MOOT_OUTCOME,
|
||||
assess_post_merge_validation,
|
||||
process_state_label,
|
||||
)
|
||||
from final_report_validator import assess_final_report_validator
|
||||
from issue_workflow_labels import CANONICAL_LABELS, VALIDATION_LABELS
|
||||
|
||||
_MOOT_PROOF = (
|
||||
"Validation status: post-merge moot validation\n"
|
||||
"PR state: merged\n"
|
||||
"Merge commit sha: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b\n"
|
||||
"Validation finding: full suite passed, for the record.\n"
|
||||
)
|
||||
|
||||
|
||||
class TestPostMergeValidation(unittest.TestCase):
|
||||
def test_not_applicable_when_no_merged_or_moot_signal(self):
|
||||
result = assess_post_merge_validation(
|
||||
"Review decision: approve. Validation: full suite passed."
|
||||
)
|
||||
self.assertFalse(result["block"])
|
||||
self.assertTrue(result["skipped"])
|
||||
|
||||
def test_active_approval_on_merged_pr_blocked(self):
|
||||
report = (
|
||||
"PR is already merged. Review decision: approve. "
|
||||
"Validation: full suite passed."
|
||||
)
|
||||
result = assess_post_merge_validation(report)
|
||||
self.assertTrue(result["block"])
|
||||
self.assertEqual(result["outcome"], POST_MERGE_MOOT_OUTCOME)
|
||||
self.assertEqual(result["process_state_label"], LABEL_POST_MERGE_MOOT)
|
||||
|
||||
def test_active_approval_on_merged_pr_via_structured_signal_blocked(self):
|
||||
report = "Review decision: approve. Validation: full suite passed."
|
||||
result = assess_post_merge_validation(report, pr_merged_or_closed=True)
|
||||
self.assertTrue(result["block"])
|
||||
|
||||
def test_moot_wording_without_proof_blocked(self):
|
||||
report = "Recording post-merge moot validation for this PR."
|
||||
result = assess_post_merge_validation(report)
|
||||
self.assertTrue(result["block"])
|
||||
self.assertTrue(result["reasons"])
|
||||
|
||||
def test_moot_wording_with_full_proof_allowed(self):
|
||||
result = assess_post_merge_validation(_MOOT_PROOF)
|
||||
self.assertFalse(result["block"])
|
||||
self.assertEqual(result["outcome"], POST_MERGE_MOOT_OUTCOME)
|
||||
|
||||
def test_merged_signal_only_guides_without_blocking(self):
|
||||
result = assess_post_merge_validation(
|
||||
"PR was already merged before review; recording findings."
|
||||
)
|
||||
self.assertFalse(result["block"])
|
||||
self.assertTrue(result["safe_next_action"])
|
||||
|
||||
def test_process_state_label_mapping(self):
|
||||
self.assertEqual(process_state_label(CLEAN_PASS_OUTCOME), LABEL_CLEAN_PASS)
|
||||
self.assertEqual(
|
||||
process_state_label(BASELINE_ACCEPTED_OUTCOME), LABEL_BASELINE_ACCEPTED
|
||||
)
|
||||
self.assertEqual(process_state_label(BLOCKED_OUTCOME), LABEL_BLOCKED)
|
||||
self.assertEqual(
|
||||
process_state_label(POST_MERGE_MOOT_OUTCOME), LABEL_POST_MERGE_MOOT
|
||||
)
|
||||
self.assertIsNone(process_state_label("nonsense"))
|
||||
|
||||
|
||||
class TestValidationLabelsRegistered(unittest.TestCase):
|
||||
def test_validation_labels_are_canonical(self):
|
||||
for label in (
|
||||
LABEL_CLEAN_PASS,
|
||||
LABEL_BASELINE_ACCEPTED,
|
||||
LABEL_BLOCKED,
|
||||
LABEL_POST_MERGE_MOOT,
|
||||
):
|
||||
self.assertIn(label, VALIDATION_LABELS)
|
||||
self.assertIn(label, CANONICAL_LABELS)
|
||||
|
||||
|
||||
class TestPostMergeValidationWiredIntoReview(unittest.TestCase):
|
||||
def test_review_pr_blocks_active_approval_on_merged_pr(self):
|
||||
report = (
|
||||
"PR is already merged. Review decision: approve. "
|
||||
"Validation: full suite passed."
|
||||
)
|
||||
result = assess_final_report_validator(report, "review_pr")
|
||||
self.assertTrue(result["blocked"])
|
||||
self.assertTrue(
|
||||
any(
|
||||
f["rule_id"] == "reviewer.post_merge_validation"
|
||||
for f in result["findings"]
|
||||
)
|
||||
)
|
||||
|
||||
def test_review_pr_allows_proven_post_merge_moot(self):
|
||||
result = assess_final_report_validator(_MOOT_PROOF, "review_pr")
|
||||
self.assertFalse(
|
||||
any(
|
||||
f["rule_id"] == "reviewer.post_merge_validation"
|
||||
for f in result["findings"]
|
||||
)
|
||||
)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
+15
-24
@@ -64,54 +64,45 @@ class TestMarkIssueCLI(unittest.TestCase):
|
||||
with self.assertRaises(SystemExit):
|
||||
mark_issue.main(["10", "bogus_action"])
|
||||
|
||||
@patch("mark_issue.api_get_all", return_value=[{"id": 101, "name": "status:in-progress"}])
|
||||
@patch("mark_issue.api_request")
|
||||
@patch("mark_issue.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_successful_start(self, _auth, mock_api):
|
||||
# First call is GET labels, second is POST label
|
||||
mock_api.side_effect = [
|
||||
[{"id": 101, "name": "status:in-progress"}],
|
||||
[{"name": "status:in-progress"}],
|
||||
]
|
||||
def test_successful_start(self, _auth, mock_api, mock_get_all):
|
||||
mock_api.return_value = [{"name": "status:in-progress"}]
|
||||
with contextlib.redirect_stdout(io.StringIO()), contextlib.redirect_stderr(io.StringIO()):
|
||||
rc = mark_issue.main(["15", "start"])
|
||||
self.assertEqual(rc, 0)
|
||||
self.assertEqual(mock_api.call_count, 2)
|
||||
|
||||
# Verify GET labels call
|
||||
get_call = mock_api.call_args_list[0]
|
||||
self.assertEqual(get_call[0][0], "GET")
|
||||
self.assertIn("/labels?limit=100", get_call[0][1])
|
||||
mock_get_all.assert_called()
|
||||
self.assertIn("/labels", mock_get_all.call_args[0][0])
|
||||
|
||||
# Verify POST labels call
|
||||
post_call = mock_api.call_args_list[1]
|
||||
post_call = mock_api.call_args_list[0]
|
||||
self.assertEqual(post_call[0][0], "POST")
|
||||
self.assertIn("/issues/15/labels", post_call[0][1])
|
||||
self.assertEqual(post_call[0][3], {"labels": [101]})
|
||||
|
||||
@patch("mark_issue.api_get_all", return_value=[{"id": 101, "name": "status:in-progress"}])
|
||||
@patch("mark_issue.api_request")
|
||||
@patch("mark_issue.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_successful_done(self, _auth, mock_api):
|
||||
# First call is GET labels, second is DELETE label
|
||||
mock_api.side_effect = [
|
||||
[{"id": 101, "name": "status:in-progress"}],
|
||||
None,
|
||||
]
|
||||
def test_successful_done(self, _auth, mock_api, _get_all):
|
||||
mock_api.return_value = None
|
||||
rc = mark_issue.main(["15", "done"])
|
||||
self.assertEqual(rc, 0)
|
||||
self.assertEqual(mock_api.call_count, 2)
|
||||
self.assertEqual(mock_api.call_count, 1)
|
||||
|
||||
# Verify DELETE labels call
|
||||
delete_call = mock_api.call_args_list[1]
|
||||
delete_call = mock_api.call_args_list[0]
|
||||
self.assertEqual(delete_call[0][0], "DELETE")
|
||||
self.assertIn("/issues/15/labels/101", delete_call[0][1])
|
||||
|
||||
@patch("mark_issue.api_get_all", return_value=[{"id": 1, "name": "bug"}])
|
||||
@patch("mark_issue.api_request")
|
||||
@patch("mark_issue.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_label_not_found(self, _auth, mock_api):
|
||||
# GET labels returns no status:in-progress label
|
||||
mock_api.return_value = [{"id": 1, "name": "bug"}]
|
||||
def test_label_not_found(self, _auth, mock_api, _get_all):
|
||||
# Paginated inventory returns no status:in-progress label
|
||||
rc = mark_issue.main(["15", "start"])
|
||||
self.assertEqual(rc, 1)
|
||||
mock_api.assert_not_called()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
@@ -10,8 +10,11 @@ sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
|
||||
import gitea_mcp_server as srv
|
||||
|
||||
FAKE_AUTH = "token test"
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
RECONCILER_PROFILE = {
|
||||
"profile_name": "prgs-reconciler",
|
||||
"allowed_operations": ["gitea.read", "gitea.pr.close", "gitea.pr.comment"],
|
||||
|
||||
@@ -0,0 +1,245 @@
|
||||
"""Issue #525: reconciler supersession close path."""
|
||||
|
||||
import sys
|
||||
import unittest
|
||||
from unittest.mock import patch
|
||||
|
||||
sys.path.insert(0, str(__import__("pathlib").Path(__file__).resolve().parent.parent))
|
||||
|
||||
import mcp_server # noqa: E402
|
||||
import role_session_router # noqa: E402
|
||||
import task_capability_map # noqa: E402
|
||||
from review_proofs import assess_reconciler_supersession_close_gate # noqa: E402
|
||||
|
||||
|
||||
HEAD = "0fdc8f582026b72a229d59a172c0a63ac4aaeaf9"
|
||||
MERGE = "1111111111111111111111111111111111111111"
|
||||
TARGET = "2222222222222222222222222222222222222222"
|
||||
|
||||
|
||||
def _target_pr(mergeable=False):
|
||||
return {
|
||||
"number": 490,
|
||||
"state": "open",
|
||||
"mergeable": mergeable,
|
||||
"head": {"sha": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
|
||||
}
|
||||
|
||||
|
||||
def _superseding_pr():
|
||||
return {
|
||||
"number": 502,
|
||||
"state": "closed",
|
||||
"merged": True,
|
||||
"merge_commit_sha": MERGE,
|
||||
"head": {"sha": HEAD},
|
||||
}
|
||||
|
||||
|
||||
class TestReconcilerSupersessionCapabilityMap(unittest.TestCase):
|
||||
def test_supersession_tasks_route_to_reconciler(self):
|
||||
self.assertEqual(
|
||||
task_capability_map.required_permission(
|
||||
"reconcile_close_superseded_pr"),
|
||||
"gitea.pr.close",
|
||||
)
|
||||
self.assertEqual(
|
||||
task_capability_map.required_role("reconcile_close_superseded_pr"),
|
||||
"reconciler",
|
||||
)
|
||||
self.assertEqual(
|
||||
task_capability_map.required_permission(
|
||||
"reconcile_close_satisfied_issue"),
|
||||
"gitea.issue.close",
|
||||
)
|
||||
self.assertEqual(
|
||||
task_capability_map.required_role("reconcile_create_followup_issue"),
|
||||
"reconciler",
|
||||
)
|
||||
|
||||
def test_author_session_cannot_route_supersession_close(self):
|
||||
result = role_session_router.route_task_session(
|
||||
"reconcile_close_superseded_pr",
|
||||
active_profile="prgs-author",
|
||||
active_role_kind="author",
|
||||
allowed_in_current_session=False,
|
||||
)
|
||||
self.assertEqual(result["route_result"], "wrong_role_stop")
|
||||
self.assertFalse(result["downstream_allowed"])
|
||||
|
||||
|
||||
class TestReconcilerSupersessionCloseGate(unittest.TestCase):
|
||||
def _gate(self, **overrides):
|
||||
kwargs = {
|
||||
"target_pr_number": 490,
|
||||
"target_pr_state": "open",
|
||||
"target_pr_mergeable": False,
|
||||
"target_independently_required": False,
|
||||
"superseding_pr_number": 502,
|
||||
"superseding_pr_state": "closed",
|
||||
"superseding_pr_merged": True,
|
||||
"superseding_merge_commit_sha": MERGE,
|
||||
"superseding_head_sha": HEAD,
|
||||
"target_branch": "master",
|
||||
"target_branch_sha": TARGET,
|
||||
"superseding_head_is_ancestor_of_target": True,
|
||||
"canonical_comment_valid": True,
|
||||
"canonical_comment_mentions_superseding_pr": True,
|
||||
"canonical_comment_mentions_merge_commit": True,
|
||||
"close_pr_capability": True,
|
||||
"close_issue_capability": True,
|
||||
"target_issue_state": "open",
|
||||
"issue_satisfied_by_superseding": True,
|
||||
}
|
||||
kwargs.update(overrides)
|
||||
return assess_reconciler_supersession_close_gate(**kwargs)
|
||||
|
||||
def test_supersession_close_allowed_with_full_proof(self):
|
||||
result = self._gate()
|
||||
self.assertEqual(result["outcome"], "SUPERSESSION_CLOSE_ALLOWED")
|
||||
self.assertTrue(result["pr_close_allowed"])
|
||||
self.assertTrue(result["issue_close_allowed"])
|
||||
self.assertFalse(result["review_allowed"])
|
||||
self.assertFalse(result["merge_allowed"])
|
||||
|
||||
def test_mergeable_target_still_blocks(self):
|
||||
result = self._gate(target_pr_mergeable=True)
|
||||
self.assertEqual(result["outcome"], "GATE_NOT_PROVEN")
|
||||
self.assertFalse(result["pr_close_allowed"])
|
||||
self.assertTrue(any("mergeable" in r for r in result["reasons"]))
|
||||
|
||||
def test_requires_canonical_comment_with_merge_commit(self):
|
||||
result = self._gate(canonical_comment_mentions_merge_commit=False)
|
||||
self.assertEqual(result["outcome"], "GATE_NOT_PROVEN")
|
||||
self.assertFalse(result["pr_close_allowed"])
|
||||
self.assertTrue(any("merge commit" in r for r in result["reasons"]))
|
||||
|
||||
def test_superseding_head_must_be_on_target_branch(self):
|
||||
result = self._gate(superseding_head_is_ancestor_of_target=False)
|
||||
self.assertEqual(result["outcome"], "SUPERSEDING_PR_NOT_ON_TARGET")
|
||||
self.assertFalse(result["pr_close_allowed"])
|
||||
|
||||
def test_close_capability_required(self):
|
||||
result = self._gate(close_pr_capability=False)
|
||||
self.assertEqual(result["outcome"], "RECOVERY_HANDOFF_REQUIRED")
|
||||
self.assertFalse(result["pr_close_allowed"])
|
||||
|
||||
|
||||
class TestReconcilerSupersessionMcpTool(unittest.TestCase):
|
||||
def _comment(self):
|
||||
return f"""## Canonical PR State
|
||||
STATE: superseded
|
||||
NEXT_ACTION: Close superseded PR #490 and issue #470; PR #502 is canonical.
|
||||
NEXT_ACTOR: prgs-reconciler
|
||||
SUMMARY: PR #490 is superseded by merged PR #502 at merge commit {MERGE}.
|
||||
CANONICAL_ITEM: PR #502
|
||||
SUPERSEDED_ITEM: PR #490
|
||||
CLOSE_OR_KEEP_OPEN: close superseded PR #490 and satisfied issue #470
|
||||
"""
|
||||
|
||||
@patch("mcp_server.verify_preflight_purity")
|
||||
@patch("mcp_server._canonical_comment_gate")
|
||||
@patch("already_landed_reconcile.is_head_ancestor_of_ref", return_value=True)
|
||||
@patch("already_landed_reconcile.fetch_target_branch")
|
||||
@patch("mcp_server._profile_operation_gate", return_value=[])
|
||||
@patch("mcp_server._auth", return_value="token test")
|
||||
@patch("mcp_server.api_request")
|
||||
def test_tool_posts_comment_and_closes_superseded_pr_issue(
|
||||
self,
|
||||
api,
|
||||
_auth,
|
||||
_profile_gate,
|
||||
fetch_target,
|
||||
_ancestor,
|
||||
canonical_gate,
|
||||
verify_preflight,
|
||||
):
|
||||
fetch_target.return_value = {
|
||||
"success": True,
|
||||
"target_branch": "master",
|
||||
"target_ref": "prgs/master",
|
||||
"target_branch_sha": TARGET,
|
||||
}
|
||||
canonical_gate.return_value = {
|
||||
"blocked": False,
|
||||
"canonical_comment_validation": {"valid": True},
|
||||
}
|
||||
api.side_effect = [
|
||||
_target_pr(),
|
||||
_superseding_pr(),
|
||||
{"number": 470, "state": "open"},
|
||||
{"id": 123},
|
||||
{"state": "closed"},
|
||||
{"state": "closed"},
|
||||
]
|
||||
|
||||
result = mcp_server.gitea_reconcile_superseded_by_merged_pr(
|
||||
target_pr_number=490,
|
||||
superseding_pr_number=502,
|
||||
target_issue_number=470,
|
||||
target_independently_required=False,
|
||||
issue_satisfied_by_superseding=True,
|
||||
close_pr=True,
|
||||
close_issue=True,
|
||||
post_comment=True,
|
||||
comment_body=self._comment(),
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
)
|
||||
|
||||
self.assertTrue(result["success"])
|
||||
self.assertTrue(result["performed"])
|
||||
self.assertTrue(result["pr_comment_posted"])
|
||||
self.assertTrue(result["pr_closed"])
|
||||
self.assertTrue(result["issue_closed"])
|
||||
verify_preflight.assert_called_once_with(
|
||||
"prgs", task="reconcile_close_superseded_pr")
|
||||
|
||||
@patch("mcp_server.verify_preflight_purity")
|
||||
@patch("mcp_server._canonical_comment_gate")
|
||||
@patch("already_landed_reconcile.is_head_ancestor_of_ref", return_value=True)
|
||||
@patch("already_landed_reconcile.fetch_target_branch")
|
||||
@patch("mcp_server._profile_operation_gate", return_value=[])
|
||||
@patch("mcp_server._auth", return_value="token test")
|
||||
@patch("mcp_server.api_request")
|
||||
def test_tool_does_not_mutate_when_target_still_mergeable(
|
||||
self,
|
||||
api,
|
||||
_auth,
|
||||
_profile_gate,
|
||||
fetch_target,
|
||||
_ancestor,
|
||||
canonical_gate,
|
||||
verify_preflight,
|
||||
):
|
||||
fetch_target.return_value = {
|
||||
"success": True,
|
||||
"target_branch": "master",
|
||||
"target_ref": "prgs/master",
|
||||
"target_branch_sha": TARGET,
|
||||
}
|
||||
canonical_gate.return_value = {
|
||||
"blocked": False,
|
||||
"canonical_comment_validation": {"valid": True},
|
||||
}
|
||||
api.side_effect = [_target_pr(mergeable=True), _superseding_pr()]
|
||||
|
||||
result = mcp_server.gitea_reconcile_superseded_by_merged_pr(
|
||||
target_pr_number=490,
|
||||
superseding_pr_number=502,
|
||||
target_independently_required=False,
|
||||
close_pr=True,
|
||||
post_comment=True,
|
||||
comment_body=self._comment(),
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
)
|
||||
|
||||
self.assertFalse(result["success"])
|
||||
self.assertFalse(result["performed"])
|
||||
self.assertFalse(result["pr_closed"])
|
||||
self.assertFalse(result["pr_comment_posted"])
|
||||
verify_preflight.assert_not_called()
|
||||
self.assertEqual(api.call_count, 2)
|
||||
@@ -111,6 +111,23 @@ class TestAssessRemoteRepoMatch(unittest.TestCase):
|
||||
self.assertIn("Gitea-Tools", message)
|
||||
self.assertIn("org=", message)
|
||||
self.assertIn("repo=", message)
|
||||
# Recovery text must name a tool that actually accepts org/repo (#530 follow-up).
|
||||
self.assertIn("mcp_get_control_plane_guide", message)
|
||||
self.assertIn("schema does not list", message)
|
||||
|
||||
def test_parse_org_repo_from_https_url(self):
|
||||
parsed = remote_repo_guard.parse_org_repo_from_remote_url(LOCAL_GITEA_TOOLS_URL)
|
||||
self.assertEqual(parsed, ("Scaled-Tech-Consulting", "Gitea-Tools"))
|
||||
|
||||
def test_parse_org_repo_from_ssh_url(self):
|
||||
parsed = remote_repo_guard.parse_org_repo_from_remote_url(
|
||||
"[email protected]:Scaled-Tech-Consulting/Gitea-Tools.git"
|
||||
)
|
||||
self.assertEqual(parsed, ("Scaled-Tech-Consulting", "Gitea-Tools"))
|
||||
|
||||
def test_parse_org_repo_empty(self):
|
||||
self.assertIsNone(remote_repo_guard.parse_org_repo_from_remote_url(None))
|
||||
self.assertIsNone(remote_repo_guard.parse_org_repo_from_remote_url(""))
|
||||
|
||||
|
||||
class TestResolveServerWiring(unittest.TestCase):
|
||||
@@ -173,6 +190,82 @@ class TestResolveServerWiring(unittest.TestCase):
|
||||
with self.assertRaises(RuntimeError):
|
||||
self.server.gitea_view_issue(issue_number=1, remote="prgs")
|
||||
|
||||
def test_control_plane_guide_accepts_explicit_gitea_tools(self):
|
||||
"""Guide schema accepts org/repo and resolves Gitea-Tools, not Timesheet."""
|
||||
self._set_prgs_default_repo("Timesheet")
|
||||
with mock.patch.object(
|
||||
self.server, "api_request", return_value={"login": "guide-bot"}
|
||||
), mock.patch.object(
|
||||
self.server, "get_auth_header", return_value="Basic dGVzdA=="
|
||||
), mock.patch.dict(
|
||||
os.environ,
|
||||
{
|
||||
"GITEA_PROFILE_NAME": "author-test",
|
||||
"GITEA_ALLOWED_OPERATIONS": "gitea.read",
|
||||
"GITEA_FORBIDDEN_OPERATIONS": "gitea.pr.merge",
|
||||
},
|
||||
clear=False,
|
||||
):
|
||||
guide = self.server.mcp_get_control_plane_guide(
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
)
|
||||
self.assertTrue(guide["read_only"])
|
||||
self.assertEqual(
|
||||
guide["resolved_repository"],
|
||||
{"org": "Scaled-Tech-Consulting", "repo": "Gitea-Tools"},
|
||||
)
|
||||
self.assertNotEqual(guide["resolved_repository"]["repo"], "Timesheet")
|
||||
|
||||
def test_control_plane_guide_bare_remote_aligns_to_local_gitea_tools(self):
|
||||
"""Bare remote=prgs in a Gitea-Tools worktree must not stay on Timesheet."""
|
||||
self._set_prgs_default_repo("Timesheet")
|
||||
with mock.patch.object(
|
||||
self.server, "api_request", return_value={"login": "guide-bot"}
|
||||
), mock.patch.object(
|
||||
self.server, "get_auth_header", return_value="Basic dGVzdA=="
|
||||
), mock.patch.dict(
|
||||
os.environ,
|
||||
{
|
||||
"GITEA_PROFILE_NAME": "author-test",
|
||||
"GITEA_ALLOWED_OPERATIONS": "gitea.read",
|
||||
"GITEA_FORBIDDEN_OPERATIONS": "gitea.pr.merge",
|
||||
},
|
||||
clear=False,
|
||||
):
|
||||
guide = self.server.mcp_get_control_plane_guide(remote="prgs")
|
||||
self.assertEqual(guide["resolved_repository"]["repo"], "Gitea-Tools")
|
||||
self.assertEqual(
|
||||
guide["resolved_repository"]["org"], "Scaled-Tech-Consulting"
|
||||
)
|
||||
|
||||
def test_control_plane_guide_wrong_default_fails_closed_without_local(self):
|
||||
"""Without local remote context, mismatched defaults still fail closed."""
|
||||
self._set_prgs_default_repo("Timesheet")
|
||||
with mock.patch.object(
|
||||
self.server, "_local_git_remote_url", return_value=None
|
||||
):
|
||||
# No local URL → preference cannot recover; bare resolve uses Timesheet
|
||||
# and guard is skipped only because local URL is missing (best-effort).
|
||||
host, org, repo = self.server._resolve_control_plane_guide_target(
|
||||
"prgs", None, None, None
|
||||
)
|
||||
self.assertEqual(repo, "Timesheet")
|
||||
|
||||
def test_control_plane_guide_schema_recovery_matches_parameters(self):
|
||||
"""Remediation must only recommend parameters the guide actually accepts."""
|
||||
import inspect
|
||||
|
||||
sig = inspect.signature(self.server.mcp_get_control_plane_guide)
|
||||
self.assertIn("org", sig.parameters)
|
||||
self.assertIn("repo", sig.parameters)
|
||||
self.assertIn("remote", sig.parameters)
|
||||
remediation = remote_repo_guard.REMEDIATION
|
||||
self.assertIn("mcp_get_control_plane_guide", remediation)
|
||||
self.assertIn("org=", remediation)
|
||||
self.assertIn("repo=", remediation)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
|
||||
@@ -287,6 +287,49 @@ class TestResolveTaskCapability(unittest.TestCase):
|
||||
self.assertEqual(res["required_operation_permission"], "gitea.pr.merge")
|
||||
self.assertEqual(res["required_role_kind"], "merger")
|
||||
|
||||
@patch("mcp_server.api_request", return_value={"login": "reviewer-user"})
|
||||
@patch("mcp_server.get_auth_header", return_value="token reviewer-pass")
|
||||
def test_reviewer_role_with_merge_permission_still_cannot_merge(self, _auth, _api):
|
||||
# #539: exact permission alone is insufficient. The active profile
|
||||
# role must also be merger for merge_pr.
|
||||
config = json.loads(json.dumps(CONFIG_RESOLVER))
|
||||
config["profiles"]["reviewer-with-merge"] = {
|
||||
"enabled": True,
|
||||
"context": "ctx",
|
||||
"role": "reviewer",
|
||||
"username": "reviewer-user",
|
||||
"auth": {"type": "env", "name": "GITEA_TOKEN_REVIEWER"},
|
||||
"allowed_operations": [
|
||||
"gitea.read", "gitea.pr.review", "gitea.pr.approve",
|
||||
"gitea.pr.merge",
|
||||
],
|
||||
"forbidden_operations": ["gitea.pr.create", "gitea.branch.push"],
|
||||
"execution_profile": "reviewer-with-merge",
|
||||
}
|
||||
self._write_config(config)
|
||||
with patch.dict(os.environ, self._env("reviewer-with-merge")):
|
||||
res = mcp_server.gitea_resolve_task_capability(
|
||||
task="merge_pr", remote="prgs"
|
||||
)
|
||||
self.assertEqual(res["required_role_kind"], "merger")
|
||||
self.assertEqual(res["active_role_kind"], "reviewer")
|
||||
self.assertTrue(res["active_profile_permission_allowed"])
|
||||
self.assertFalse(res["allowed_in_current_session"])
|
||||
self.assertTrue(res["stop_required"])
|
||||
self.assertIn("cannot perform merger task", " ".join(res["task_role_guidance"]))
|
||||
|
||||
@patch("mcp_server.api_request", return_value={"login": "merger-user"})
|
||||
@patch("mcp_server.get_auth_header", return_value="token merger-pass")
|
||||
def test_merger_profile_can_resolve_merge_task(self, _auth, _api):
|
||||
with patch.dict(os.environ, self._env("merger-profile")):
|
||||
res = mcp_server.gitea_resolve_task_capability(
|
||||
task="merge_pr", remote="prgs"
|
||||
)
|
||||
self.assertEqual(res["required_role_kind"], "merger")
|
||||
self.assertEqual(res["active_role_kind"], "merger")
|
||||
self.assertTrue(res["allowed_in_current_session"])
|
||||
self.assertFalse(res["stop_required"])
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
def test_self_review_blocked_structured(self, mock_api):
|
||||
# Test that self-approve (self-review gate) is blocked and returns structured reasons
|
||||
|
||||
@@ -0,0 +1,287 @@
|
||||
"""Tests for preserving and resuming prepared Gitea review drafts (#609)."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import sys
|
||||
import tempfile
|
||||
import unittest
|
||||
from pathlib import Path
|
||||
from unittest.mock import patch, MagicMock
|
||||
|
||||
sys_path_root = str(Path(__file__).resolve().parent.parent)
|
||||
if sys_path_root not in sys.path:
|
||||
sys.path.insert(0, sys_path_root)
|
||||
|
||||
import mcp_session_state
|
||||
import gitea_mcp_server
|
||||
import reviewer_pr_lease
|
||||
|
||||
|
||||
class TestReviewDrafts(unittest.TestCase):
|
||||
def setUp(self):
|
||||
self._tmpdir = tempfile.TemporaryDirectory()
|
||||
self.state_dir = self._tmpdir.name
|
||||
self._env = patch.dict(
|
||||
os.environ,
|
||||
{
|
||||
mcp_session_state.STATE_DIR_ENV: self.state_dir,
|
||||
mcp_session_state.SESSION_PROFILE_LOCK_ENV: "prgs-reviewer",
|
||||
"GITEA_MCP_PROFILE": "prgs-reviewer",
|
||||
"GITEA_PROFILE_NAME": "prgs-reviewer",
|
||||
"PYTEST_CURRENT_TEST": "1", # skip runtime stale checks
|
||||
},
|
||||
clear=False,
|
||||
)
|
||||
self._env.start()
|
||||
|
||||
# Mock workspace binding to pass in test context
|
||||
self._nwb_patch = patch(
|
||||
"gitea_mcp_server.nwb.assess_namespace_mutation_workspace",
|
||||
return_value={"block": False, "mutation_workspace": "/tmp/test-worktree"},
|
||||
)
|
||||
self._nwb_patch.start()
|
||||
|
||||
# Mock authentication headers
|
||||
self._auth_patch = patch(
|
||||
"gitea_mcp_server.get_auth_header",
|
||||
return_value="Bearer mock-token",
|
||||
)
|
||||
self._auth_patch.start()
|
||||
|
||||
self._username_patch = patch(
|
||||
"gitea_mcp_server._authenticated_username",
|
||||
return_value="sysadmin",
|
||||
)
|
||||
self._username_patch.start()
|
||||
|
||||
# Clear/Mock local session lease in-memory state
|
||||
reviewer_pr_lease.clear_session_lease()
|
||||
|
||||
def tearDown(self):
|
||||
self._username_patch.stop()
|
||||
self._auth_patch.stop()
|
||||
self._nwb_patch.stop()
|
||||
self._env.stop()
|
||||
self._tmpdir.cleanup()
|
||||
reviewer_pr_lease.clear_session_lease()
|
||||
|
||||
@patch("gitea_mcp_server.api_request")
|
||||
def test_save_draft_success(self, mock_api):
|
||||
print("GITEA_MCP_SERVER FILE:", gitea_mcp_server.__file__)
|
||||
print("DIR OF GITEA_MCP_SERVER:", dir(gitea_mcp_server))
|
||||
mock_api.return_value = {
|
||||
"head": {"sha": "headsha1234567890"},
|
||||
"base": {"ref": "master", "sha": "basesha0987654321"},
|
||||
}
|
||||
res = gitea_mcp_server.gitea_save_review_draft(
|
||||
pr_number=587,
|
||||
action="approve",
|
||||
body="Good changes",
|
||||
expected_head_sha="headsha1234567890",
|
||||
validation_commands="pytest tests/",
|
||||
validation_results="all pass",
|
||||
blocker_reason="stale daemon",
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
worktree_path="/tmp/test-worktree",
|
||||
)
|
||||
self.assertTrue(res.get("success"))
|
||||
self.assertEqual(res.get("head_sha"), "headsha1234567890")
|
||||
|
||||
# Load draft and verify fields
|
||||
draft = mcp_session_state.load_state(
|
||||
kind=mcp_session_state.KIND_REVIEW_DRAFT,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
profile_identity="prgs-reviewer",
|
||||
)
|
||||
self.assertIsNotNone(draft)
|
||||
self.assertEqual(draft.get("pr_number"), 587)
|
||||
self.assertEqual(draft.get("action"), "approve")
|
||||
self.assertEqual(draft.get("body"), "Good changes")
|
||||
self.assertEqual(draft.get("validation_commands"), "pytest tests/")
|
||||
self.assertEqual(draft.get("validation_results"), "all pass")
|
||||
self.assertEqual(draft.get("blocker_reason"), "stale daemon")
|
||||
self.assertEqual(os.path.realpath(draft.get("worktree_path")), os.path.realpath("/tmp/test-worktree"))
|
||||
|
||||
@patch("gitea_mcp_server.api_request")
|
||||
@patch("gitea_mcp_server._fetch_pr_comments")
|
||||
@patch("gitea_mcp_server.gitea_submit_pr_review")
|
||||
def test_resume_draft_and_submit_success(self, mock_submit, mock_comments, mock_api):
|
||||
# 1. Save draft
|
||||
mock_api.return_value = {
|
||||
"state": "open",
|
||||
"head": {"sha": "headsha1234567890"},
|
||||
"base": {"ref": "master", "sha": "basesha0987654321"},
|
||||
}
|
||||
|
||||
gitea_mcp_server.gitea_save_review_draft(
|
||||
pr_number=587,
|
||||
action="approve",
|
||||
body="Good changes",
|
||||
expected_head_sha="headsha1234567890",
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
worktree_path="/tmp/test-worktree",
|
||||
)
|
||||
|
||||
# Seed local session lease
|
||||
reviewer_pr_lease.record_session_lease({
|
||||
"pr_number": 587,
|
||||
"session_id": "session-1234",
|
||||
})
|
||||
|
||||
# Mock Gitea comments to return active reviewer lease owned by us
|
||||
mock_comments.return_value = [
|
||||
{
|
||||
"id": 1,
|
||||
"user": {"username": "sysadmin"},
|
||||
"body": (
|
||||
"<!-- mcp-review-lease:v1 -->\n"
|
||||
"repo: Scaled-Tech-Consulting/Gitea-Tools\n"
|
||||
"pr: #587\n"
|
||||
"reviewer_identity: sysadmin\n"
|
||||
"profile: prgs-reviewer\n"
|
||||
"session_id: session-1234\n"
|
||||
"phase: claimed\n"
|
||||
),
|
||||
}
|
||||
]
|
||||
|
||||
mock_submit.return_value = {"performed": True, "success": True}
|
||||
|
||||
# 2. Resume draft
|
||||
res = gitea_mcp_server.gitea_resume_review_draft(
|
||||
pr_number=587,
|
||||
submit=True,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
worktree_path="/tmp/test-worktree",
|
||||
)
|
||||
|
||||
self.assertTrue(res.get("success"))
|
||||
self.assertTrue(res.get("marked_ready"))
|
||||
self.assertTrue(res.get("submitted"))
|
||||
mock_submit.assert_called_once()
|
||||
|
||||
# Verify draft was deleted after successful submit
|
||||
draft = mcp_session_state.load_state(
|
||||
kind=mcp_session_state.KIND_REVIEW_DRAFT,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
profile_identity="prgs-reviewer",
|
||||
)
|
||||
self.assertIsNone(draft)
|
||||
|
||||
@patch("gitea_mcp_server.api_request")
|
||||
@patch("gitea_mcp_server._fetch_pr_comments")
|
||||
def test_resume_draft_fails_checks(self, mock_comments, mock_api):
|
||||
# Save a draft
|
||||
mock_api.return_value = {
|
||||
"state": "open",
|
||||
"head": {"sha": "headsha1234567890"},
|
||||
"base": {"ref": "master", "sha": "basesha0987654321"},
|
||||
}
|
||||
gitea_mcp_server.gitea_save_review_draft(
|
||||
pr_number=587,
|
||||
action="approve",
|
||||
body="Good changes",
|
||||
expected_head_sha="headsha1234567890",
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
worktree_path="/tmp/test-worktree",
|
||||
)
|
||||
|
||||
# Seed local session lease
|
||||
reviewer_pr_lease.record_session_lease({
|
||||
"pr_number": 587,
|
||||
"session_id": "session-1234",
|
||||
})
|
||||
|
||||
# Mock Gitea comments to return active reviewer lease owned by us
|
||||
mock_comments.return_value = [
|
||||
{
|
||||
"id": 1,
|
||||
"user": {"username": "sysadmin"},
|
||||
"body": (
|
||||
"<!-- mcp-review-lease:v1 -->\n"
|
||||
"repo: Scaled-Tech-Consulting/Gitea-Tools\n"
|
||||
"pr: #587\n"
|
||||
"reviewer_identity: sysadmin\n"
|
||||
"profile: prgs-reviewer\n"
|
||||
"session_id: session-1234\n"
|
||||
"phase: claimed\n"
|
||||
),
|
||||
}
|
||||
]
|
||||
|
||||
# Case A: PR closed
|
||||
mock_api.return_value = {
|
||||
"state": "closed",
|
||||
"head": {"sha": "headsha1234567890"},
|
||||
"base": {"ref": "master", "sha": "basesha0987654321"},
|
||||
}
|
||||
res = gitea_mcp_server.gitea_resume_review_draft(
|
||||
pr_number=587,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
worktree_path="/tmp/test-worktree",
|
||||
)
|
||||
self.assertFalse(res.get("success"))
|
||||
self.assertIn("PR #587 is not open", res.get("reasons")[0])
|
||||
|
||||
# Case B: Head changed
|
||||
mock_api.return_value = {
|
||||
"state": "open",
|
||||
"head": {"sha": "headsha_NEW"},
|
||||
"base": {"ref": "master", "sha": "basesha0987654321"},
|
||||
}
|
||||
res = gitea_mcp_server.gitea_resume_review_draft(
|
||||
pr_number=587,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
worktree_path="/tmp/test-worktree",
|
||||
)
|
||||
self.assertFalse(res.get("success"))
|
||||
self.assertIn("PR head SHA changed", res.get("reasons")[0])
|
||||
|
||||
# Case C: Target branch changed
|
||||
mock_api.return_value = {
|
||||
"state": "open",
|
||||
"head": {"sha": "headsha1234567890"},
|
||||
"base": {"ref": "master", "sha": "basesha_NEW"},
|
||||
}
|
||||
res = gitea_mcp_server.gitea_resume_review_draft(
|
||||
pr_number=587,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
worktree_path="/tmp/test-worktree",
|
||||
)
|
||||
self.assertFalse(res.get("success"))
|
||||
self.assertIn("target branch SHA changed", res.get("reasons")[0])
|
||||
|
||||
# Case D: Worktree mismatch
|
||||
mock_api.return_value = {
|
||||
"state": "open",
|
||||
"head": {"sha": "headsha1234567890"},
|
||||
"base": {"ref": "master", "sha": "basesha0987654321"},
|
||||
}
|
||||
res = gitea_mcp_server.gitea_resume_review_draft(
|
||||
pr_number=587,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
worktree_path="/tmp/different-worktree",
|
||||
)
|
||||
self.assertFalse(res.get("success"))
|
||||
self.assertIn("worktree binding mismatch", res.get("reasons")[0])
|
||||
@@ -237,5 +237,113 @@ class TestReviewerLeaseMcpGate(unittest.TestCase):
|
||||
self.assertTrue(any("lease" in r.lower() for r in reasons))
|
||||
|
||||
|
||||
|
||||
class TestReviewerLeaseHandoffDiagnose(unittest.TestCase):
|
||||
"""#599: canonical next-action diagnosis for open-PR lease handoff."""
|
||||
|
||||
def setUp(self):
|
||||
leases.clear_session_lease()
|
||||
|
||||
def test_no_lease_next_action_acquire(self):
|
||||
result = leases.diagnose_reviewer_pr_lease_handoff(
|
||||
[],
|
||||
pr_number=592,
|
||||
current_session_id="me-1",
|
||||
current_reviewer_identity="sysadmin",
|
||||
proposed_worktree="branches/review-pr-592",
|
||||
)
|
||||
self.assertEqual(result["classification"], "no_lease")
|
||||
self.assertEqual(result["next_action"], leases.NEXT_ACTION_ACQUIRE)
|
||||
self.assertIsNone(result["active_lease"])
|
||||
|
||||
def test_foreign_active_wait_pr592_style(self):
|
||||
# Instructed lease gone; newer foreign claim is active.
|
||||
old = _lease_comment(592, "23139-da018dab43ba", phase="released")
|
||||
old["id"] = 8640
|
||||
active = _lease_comment(592, "51515-2bfb70f0685f", phase="claimed")
|
||||
active["id"] = 8647
|
||||
result = leases.diagnose_reviewer_pr_lease_handoff(
|
||||
[old, active],
|
||||
pr_number=592,
|
||||
current_session_id="fresh-session",
|
||||
current_reviewer_identity="sysadmin",
|
||||
proposed_worktree="branches/review-pr-592-issue-590",
|
||||
instructed_session_id="23139-da018dab43ba",
|
||||
instructed_comment_id=8640,
|
||||
)
|
||||
self.assertEqual(
|
||||
result["classification"],
|
||||
"instructed_lease_missing_with_replacement",
|
||||
)
|
||||
self.assertEqual(result["next_action"], leases.NEXT_ACTION_WAIT)
|
||||
self.assertTrue(result["instructed_lease_missing_with_replacement"])
|
||||
self.assertEqual(result["active_lease"]["session_id"], "51515-2bfb70f0685f")
|
||||
self.assertEqual(result["active_lease"]["comment_id"], 8647)
|
||||
self.assertFalse(result["mutation_allowed"])
|
||||
|
||||
def test_foreign_reclaimable_release_expired(self):
|
||||
reclaim = _lease_comment(
|
||||
592, "foreign-old", phase="claimed", minutes_ago=65
|
||||
)
|
||||
reclaim["id"] = 99
|
||||
result = leases.diagnose_reviewer_pr_lease_handoff(
|
||||
[reclaim],
|
||||
pr_number=592,
|
||||
current_session_id="me-1",
|
||||
current_reviewer_identity="sysadmin",
|
||||
proposed_worktree="branches/review-pr-592",
|
||||
)
|
||||
self.assertEqual(result["classification"], "foreign_reclaimable")
|
||||
self.assertEqual(
|
||||
result["next_action"], leases.NEXT_ACTION_RELEASE_EXPIRED_LEASE
|
||||
)
|
||||
|
||||
def test_own_active_resume(self):
|
||||
head = "a" * 40
|
||||
claim = _lease_comment(592, "me-1", phase="claimed", candidate_head=head)
|
||||
claim["id"] = 10
|
||||
leases.record_session_lease({
|
||||
"pr_number": 592,
|
||||
"session_id": "me-1",
|
||||
"candidate_head": head,
|
||||
"comment_id": 10,
|
||||
}, lease_provenance=mla.build_lease_provenance(
|
||||
source=mla.SOURCE_ACQUIRE,
|
||||
comment_id=10,
|
||||
))
|
||||
result = leases.diagnose_reviewer_pr_lease_handoff(
|
||||
[claim],
|
||||
pr_number=592,
|
||||
current_session_id="me-1",
|
||||
current_reviewer_identity="rev1",
|
||||
proposed_worktree="branches/review-pr382",
|
||||
)
|
||||
self.assertEqual(result["classification"], "own_active")
|
||||
self.assertEqual(
|
||||
result["next_action"], leases.NEXT_ACTION_RESUME_EXACT_OWNER_SESSION
|
||||
)
|
||||
self.assertTrue(result["mutation_allowed"])
|
||||
|
||||
def test_worktree_binding_mismatch(self):
|
||||
claim = _lease_comment(592, "me-1", phase="claimed")
|
||||
claim["id"] = 11
|
||||
# _lease_comment uses branches/review-pr382
|
||||
result = leases.diagnose_reviewer_pr_lease_handoff(
|
||||
[claim],
|
||||
pr_number=592,
|
||||
current_session_id="me-1",
|
||||
current_reviewer_identity="rev1",
|
||||
proposed_worktree="branches/review-pr-592-issue-590",
|
||||
env_bound_worktree="branches/review-pr-538",
|
||||
)
|
||||
self.assertEqual(result["classification"], "worktree_binding_mismatch")
|
||||
self.assertEqual(
|
||||
result["next_action"], leases.NEXT_ACTION_REPAIR_WORKTREE_BINDING
|
||||
)
|
||||
self.assertFalse(result["worktree_binding"]["match"])
|
||||
self.assertFalse(result["mutation_allowed"])
|
||||
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -52,6 +52,20 @@ CONFIG = {
|
||||
],
|
||||
"execution_profile": "prgs-reviewer",
|
||||
},
|
||||
"prgs-merger": {
|
||||
"enabled": True,
|
||||
"context": "ctx",
|
||||
"role": "merger",
|
||||
"username": "sysadmin",
|
||||
"auth": {"type": "env", "name": "GITEA_TOKEN_MERGER"},
|
||||
"allowed_operations": [
|
||||
"gitea.read", "gitea.pr.merge", "gitea.issue.comment",
|
||||
],
|
||||
"forbidden_operations": [
|
||||
"gitea.pr.create", "gitea.branch.push", "gitea.pr.approve",
|
||||
],
|
||||
"execution_profile": "prgs-merger",
|
||||
},
|
||||
"prgs-reconciler": {
|
||||
"enabled": True,
|
||||
"context": "ctx",
|
||||
@@ -104,6 +118,7 @@ class TestRoleSessionRouter(unittest.TestCase):
|
||||
"GITEA_MCP_PROFILE": profile,
|
||||
"GITEA_TOKEN_AUTHOR": "author-pass",
|
||||
"GITEA_TOKEN_REVIEWER": "reviewer-pass",
|
||||
"GITEA_TOKEN_MERGER": "merger-pass",
|
||||
"GITEA_TOKEN_RECONCILER": "reconciler-pass",
|
||||
}
|
||||
|
||||
@@ -227,6 +242,31 @@ class TestRoleSessionRouter(unittest.TestCase):
|
||||
self.assertEqual(route["route_result"], role_session_router.ROUTE_ALLOWED)
|
||||
self.assertTrue(route["downstream_allowed"])
|
||||
|
||||
@patch("mcp_server.api_request", return_value={"login": "sysadmin"})
|
||||
@patch("mcp_server.get_auth_header", return_value="token reviewer-pass")
|
||||
def test_merge_task_under_reviewer_profile_wrong_role_stop(self, _auth, _api):
|
||||
# #539: a reviewer session must not pass the pre-task merge route
|
||||
# even if its config accidentally includes gitea.pr.merge.
|
||||
with patch.dict(os.environ, self._env("prgs-reviewer")):
|
||||
route = mcp_server.gitea_route_task_session(
|
||||
task_type="merge_pr", remote="prgs"
|
||||
)
|
||||
self.assertEqual(route["required_role"], "merger")
|
||||
self.assertEqual(route["route_result"], role_session_router.ROUTE_WRONG_ROLE)
|
||||
self.assertFalse(route["downstream_allowed"])
|
||||
self.assertIn("merger", route["message"].lower())
|
||||
|
||||
@patch("mcp_server.api_request", return_value={"login": "sysadmin"})
|
||||
@patch("mcp_server.get_auth_header", return_value="token merger-pass")
|
||||
def test_merge_task_under_merger_profile_allowed(self, _auth, _api):
|
||||
with patch.dict(os.environ, self._env("prgs-merger")):
|
||||
route = mcp_server.gitea_route_task_session(
|
||||
task_type="merge_pr", remote="prgs"
|
||||
)
|
||||
self.assertEqual(route["required_role"], "merger")
|
||||
self.assertEqual(route["route_result"], role_session_router.ROUTE_ALLOWED)
|
||||
self.assertTrue(route["downstream_allowed"])
|
||||
|
||||
@patch("mcp_server.api_request", return_value={"login": "sysadmin"})
|
||||
@patch("mcp_server.get_auth_header", return_value="token reviewer-pass")
|
||||
def test_author_task_under_reviewer_profile_routes_to_author(self, _auth, _api):
|
||||
@@ -334,4 +374,4 @@ class TestCheckMidMerge(unittest.TestCase):
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
unittest.main()
|
||||
|
||||
@@ -13,8 +13,13 @@ sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
|
||||
import gitea_mcp_server as srv # noqa: E402
|
||||
import root_checkout_guard as rcg # noqa: E402
|
||||
|
||||
CONTROL_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
BRANCHES_WORKTREE = str(Path(__file__).resolve().parents[1])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_ROOT = str(current_file_path.parents[3])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1])
|
||||
else:
|
||||
CONTROL_ROOT = str(current_file_path.parents[1])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1] / "branches" / "mock-worktree")
|
||||
MASTER_SHA = "a" * 40
|
||||
OTHER_SHA = "b" * 40
|
||||
|
||||
|
||||
@@ -0,0 +1,62 @@
|
||||
"""Regression: durable session-state isolation survives env clears (#590)."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
from pathlib import Path
|
||||
from unittest.mock import patch
|
||||
|
||||
import mcp_session_state
|
||||
|
||||
|
||||
def test_default_state_dir_survives_env_clear():
|
||||
"""conftest pins default_state_dir so clear=True cannot hit host cache."""
|
||||
isolated = os.environ.get("GITEA_MCP_SESSION_STATE_DIR")
|
||||
assert isolated, "conftest must set GITEA_MCP_SESSION_STATE_DIR"
|
||||
host_cache = Path.home() / ".cache" / "gitea-tools" / "session-state"
|
||||
with patch.dict(os.environ, {}, clear=True):
|
||||
assert os.environ.get("GITEA_MCP_SESSION_STATE_DIR") is None
|
||||
resolved = mcp_session_state.default_state_dir()
|
||||
assert resolved == isolated
|
||||
assert Path(resolved).resolve() != host_cache.resolve()
|
||||
|
||||
|
||||
def test_decision_lock_save_load_stays_in_isolated_dir():
|
||||
"""Review-mutation ledger files land only under the per-test state dir."""
|
||||
isolated = os.environ.get("GITEA_MCP_SESSION_STATE_DIR")
|
||||
assert isolated
|
||||
with patch.dict(os.environ, {}, clear=True):
|
||||
saved = mcp_session_state.save_state(
|
||||
kind=mcp_session_state.KIND_DECISION_LOCK,
|
||||
profile_identity="gitea-default",
|
||||
payload={
|
||||
"live_mutations": [
|
||||
{"pr_number": 1, "action": "request_changes"}
|
||||
],
|
||||
},
|
||||
)
|
||||
assert saved is not None
|
||||
path = mcp_session_state.state_file_path(
|
||||
kind=mcp_session_state.KIND_DECISION_LOCK,
|
||||
profile_identity="gitea-default",
|
||||
)
|
||||
assert path.startswith(isolated + os.sep) or path.startswith(
|
||||
isolated + "/"
|
||||
)
|
||||
loaded = mcp_session_state.load_state(
|
||||
kind=mcp_session_state.KIND_DECISION_LOCK,
|
||||
profile_identity="gitea-default",
|
||||
)
|
||||
assert loaded is not None
|
||||
assert loaded.get("live_mutations")
|
||||
host_path = (
|
||||
Path.home()
|
||||
/ ".cache"
|
||||
/ "gitea-tools"
|
||||
/ "session-state"
|
||||
/ "review_decision_lock-gitea-default.json"
|
||||
)
|
||||
# Host file may exist from operator use; this write must not refresh it.
|
||||
# Prove our isolated file is distinct and present.
|
||||
assert Path(path).is_file()
|
||||
assert Path(path).resolve() != host_path.resolve()
|
||||
@@ -0,0 +1,318 @@
|
||||
"""#627: paginated repository-label resolution for gitea_set_issue_labels.
|
||||
|
||||
Reproduces the post-merge #601 reconciliation failure where later-page
|
||||
labels (e.g. type:feature, workflow-hardening) were falsely rejected as
|
||||
nonexistent because inventory used a single-page GET labels?limit=100.
|
||||
"""
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import sys
|
||||
import unittest
|
||||
from unittest.mock import patch, call
|
||||
|
||||
sys.path.insert(0, str(__import__("pathlib").Path(__file__).resolve().parent.parent))
|
||||
|
||||
import mcp_server
|
||||
import gitea_auth
|
||||
|
||||
|
||||
FAKE_AUTH = "token test-token"
|
||||
PAGE_SIZE = 50 # Gitea effective max; see gitea_auth.api_get_all
|
||||
|
||||
|
||||
def _lb(name: str, lid: int) -> dict:
|
||||
return {"id": lid, "name": name, "color": "000000"}
|
||||
|
||||
|
||||
def _pages(labels: list[dict], page_size: int = PAGE_SIZE) -> list[list[dict]]:
|
||||
if not labels:
|
||||
return [[]]
|
||||
pages = []
|
||||
for i in range(0, len(labels), page_size):
|
||||
pages.append(labels[i : i + page_size])
|
||||
return pages
|
||||
|
||||
|
||||
class TestRepoLabelIdMapPagination(unittest.TestCase):
|
||||
"""_repo_label_id_map must use api_get_all (all pages)."""
|
||||
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_fewer_than_one_page(self, mock_all):
|
||||
labels = [_lb(f"l{i}", i) for i in range(3)]
|
||||
mock_all.return_value = labels
|
||||
m = mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertEqual(m, {"l0": 0, "l1": 1, "l2": 2})
|
||||
mock_all.assert_called_once()
|
||||
self.assertIn("/labels", mock_all.call_args[0][0])
|
||||
self.assertNotIn("limit=100", mock_all.call_args[0][0])
|
||||
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_exactly_one_full_page(self, mock_all):
|
||||
labels = [_lb(f"l{i:03d}", i) for i in range(PAGE_SIZE)]
|
||||
mock_all.return_value = labels
|
||||
m = mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertEqual(len(m), PAGE_SIZE)
|
||||
self.assertEqual(m["l000"], 0)
|
||||
self.assertEqual(m[f"l{PAGE_SIZE - 1:03d}"], PAGE_SIZE - 1)
|
||||
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_more_than_one_page_includes_later_labels(self, mock_all):
|
||||
# Page 1: 50 early labels; page 2: type:feature + workflow-hardening (#601 style)
|
||||
early = [_lb(f"early-{i:02d}", i) for i in range(PAGE_SIZE)]
|
||||
late = [
|
||||
_lb("type:feature", 1001),
|
||||
_lb("workflow-hardening", 1002),
|
||||
]
|
||||
mock_all.return_value = early + late
|
||||
m = mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertEqual(len(m), PAGE_SIZE + 2)
|
||||
self.assertEqual(m["type:feature"], 1001)
|
||||
self.assertEqual(m["workflow-hardening"], 1002)
|
||||
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_duplicate_names_keep_first_seen_id(self, mock_all):
|
||||
mock_all.return_value = [
|
||||
_lb("type:feature", 103),
|
||||
_lb("type:feature", 130), # duplicate id later
|
||||
_lb("workflow-hardening", 105),
|
||||
_lb("workflow-hardening", 128),
|
||||
]
|
||||
m = mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertEqual(m["type:feature"], 103)
|
||||
self.assertEqual(m["workflow-hardening"], 105)
|
||||
|
||||
@patch("mcp_server.api_get_all", return_value={"not": "a list"})
|
||||
def test_non_list_inventory_fails_closed(self, _all):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertIn("expected a list", str(ctx.exception).lower())
|
||||
|
||||
@patch("mcp_server.api_get_all", side_effect=RuntimeError("page 2 failed: connection reset"))
|
||||
def test_later_page_failure_propagates(self, _all):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertIn("page 2 failed", str(ctx.exception))
|
||||
|
||||
|
||||
class TestSetIssueLabelsPagination(unittest.TestCase):
|
||||
"""gitea_set_issue_labels full-set replacement with multi-page inventory."""
|
||||
|
||||
def setUp(self):
|
||||
self._remotes = patch.dict(
|
||||
mcp_server.REMOTES,
|
||||
{"prgs": {"host": "gitea.example.com", "org": "Scaled-Tech-Consulting",
|
||||
"repo": "Gitea-Tools"}},
|
||||
)
|
||||
self._remotes.start()
|
||||
# Allow mutation path without full preflight stack when possible
|
||||
self._preflight = patch(
|
||||
"mcp_server.verify_preflight_purity", return_value=None
|
||||
)
|
||||
self._preflight.start()
|
||||
self._perm = patch(
|
||||
"mcp_server._profile_permission_block", return_value=None
|
||||
)
|
||||
self._perm.start()
|
||||
self._auth = patch(
|
||||
"mcp_server._auth", return_value=FAKE_AUTH
|
||||
)
|
||||
self._auth.start()
|
||||
self._audited = patch("mcp_server._audited")
|
||||
mock_aud = self._audited.start()
|
||||
mock_aud.return_value.__enter__ = lambda s: None
|
||||
mock_aud.return_value.__exit__ = lambda s, *a: None
|
||||
|
||||
def tearDown(self):
|
||||
self._remotes.stop()
|
||||
self._preflight.stop()
|
||||
self._perm.stop()
|
||||
self._auth.stop()
|
||||
self._audited.stop()
|
||||
|
||||
def _inventory_early_and_late(self) -> list[dict]:
|
||||
early = [_lb(f"alpha-{i:02d}", i + 1) for i in range(PAGE_SIZE)]
|
||||
late = [
|
||||
_lb("type:feature", 9001),
|
||||
_lb("workflow-hardening", 9002),
|
||||
_lb("status:ready", 9003),
|
||||
_lb("anti-stomp", 9004),
|
||||
_lb("leases", 9005),
|
||||
_lb("recovery", 9006),
|
||||
]
|
||||
return early + late
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_requested_labels_split_across_pages(self, mock_all, mock_req):
|
||||
inv = self._inventory_early_and_late()
|
||||
mock_all.return_value = inv
|
||||
requested = ["alpha-00", "type:feature", "workflow-hardening"]
|
||||
mock_req.return_value = [_lb(n, inv_i["id"]) for n in requested
|
||||
for inv_i in inv if inv_i["name"] == n]
|
||||
|
||||
res = mcp_server.gitea_set_issue_labels(
|
||||
issue_number=601,
|
||||
labels=requested,
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertEqual({lb["name"] for lb in res}, set(requested))
|
||||
# PUT must use ids from both pages
|
||||
put = mock_req.call_args
|
||||
self.assertEqual(put[0][0], "PUT")
|
||||
payload_ids = put[0][3]["labels"]
|
||||
self.assertEqual(payload_ids, [1, 9001, 9002])
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_missing_requested_label_rejected_before_put(self, mock_all, mock_req):
|
||||
mock_all.return_value = [_lb("bug", 1), _lb("status:ready", 2)]
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.gitea_set_issue_labels(
|
||||
issue_number=9,
|
||||
labels=["bug", "does-not-exist"],
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertIn("do not exist", str(ctx.exception))
|
||||
self.assertIn("does-not-exist", str(ctx.exception))
|
||||
mock_req.assert_not_called()
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_complete_set_preserves_later_page_labels(self, mock_all, mock_req):
|
||||
inv = self._inventory_early_and_late()
|
||||
mock_all.return_value = inv
|
||||
# Full-set replacement removing only status:pr-open style stale label:
|
||||
# keep later-page feature labels (the #601 reconciliation shape).
|
||||
requested = [
|
||||
"anti-stomp",
|
||||
"leases",
|
||||
"recovery",
|
||||
"type:feature",
|
||||
"workflow-hardening",
|
||||
]
|
||||
mock_req.return_value = [_lb(n, next(x["id"] for x in inv if x["name"] == n))
|
||||
for n in requested]
|
||||
res = mcp_server.gitea_set_issue_labels(
|
||||
issue_number=601, labels=requested, remote="prgs"
|
||||
)
|
||||
self.assertEqual([lb["name"] for lb in res], requested)
|
||||
payload_ids = mock_req.call_args[0][3]["labels"]
|
||||
self.assertEqual(payload_ids, [9004, 9005, 9006, 9001, 9002])
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_issue_601_regression_later_page_names_accepted(self, mock_all, mock_req):
|
||||
"""Regression: #601 reconciler rejected type:feature + workflow-hardening.
|
||||
|
||||
Single-page inventory would omit them; paginated inventory must accept.
|
||||
"""
|
||||
early = [_lb(f"page1-{i:02d}", i + 1) for i in range(PAGE_SIZE)]
|
||||
# Exactly the labels from the #601 residual set (minus status:pr-open)
|
||||
late = [
|
||||
_lb("type:feature", 103),
|
||||
_lb("workflow-hardening", 105),
|
||||
_lb("anti-stomp", 106),
|
||||
_lb("leases", 109),
|
||||
_lb("recovery", 110),
|
||||
]
|
||||
mock_all.return_value = early + late
|
||||
requested = [
|
||||
"anti-stomp",
|
||||
"leases",
|
||||
"recovery",
|
||||
"type:feature",
|
||||
"workflow-hardening",
|
||||
]
|
||||
mock_req.return_value = [
|
||||
_lb(n, next(x["id"] for x in late if x["name"] == n)) for n in requested
|
||||
]
|
||||
res = mcp_server.gitea_set_issue_labels(
|
||||
issue_number=601, labels=requested, remote="prgs"
|
||||
)
|
||||
names = {lb["name"] for lb in res}
|
||||
self.assertEqual(names, set(requested))
|
||||
self.assertNotIn("status:pr-open", names)
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_duplicate_label_ids_resolve_deterministically(self, mock_all, mock_req):
|
||||
mock_all.return_value = [
|
||||
_lb("type:feature", 103),
|
||||
_lb("type:feature", 130),
|
||||
_lb("workflow-hardening", 105),
|
||||
_lb("workflow-hardening", 128),
|
||||
]
|
||||
requested = ["type:feature", "workflow-hardening"]
|
||||
mock_req.return_value = [_lb("type:feature", 103), _lb("workflow-hardening", 105)]
|
||||
mcp_server.gitea_set_issue_labels(
|
||||
issue_number=1, labels=requested, remote="prgs"
|
||||
)
|
||||
self.assertEqual(mock_req.call_args[0][3]["labels"], [103, 105])
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_post_mutation_mismatch_fails_closed(self, mock_all, mock_req):
|
||||
mock_all.return_value = [_lb("bug", 1), _lb("status:ready", 2)]
|
||||
# Server returns incomplete set → verification must fail
|
||||
mock_req.return_value = [_lb("bug", 1)]
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.gitea_set_issue_labels(
|
||||
issue_number=9,
|
||||
labels=["bug", "status:ready"],
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertIn("Post-mutation label verification failed", str(ctx.exception))
|
||||
self.assertIn("status:ready", str(ctx.exception))
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all", side_effect=RuntimeError("Gitea 502 on page 2"))
|
||||
def test_pagination_failure_fails_closed_before_put(self, _all, mock_req):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.gitea_set_issue_labels(
|
||||
issue_number=9, labels=["bug"], remote="prgs"
|
||||
)
|
||||
self.assertIn("page 2", str(ctx.exception))
|
||||
mock_req.assert_not_called()
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_empty_label_set_clears_all(self, mock_all, mock_req):
|
||||
mock_all.return_value = [_lb("bug", 1)]
|
||||
mock_req.return_value = []
|
||||
res = mcp_server.gitea_set_issue_labels(
|
||||
issue_number=9, labels=[], remote="prgs"
|
||||
)
|
||||
self.assertEqual(res, [])
|
||||
self.assertEqual(mock_req.call_args[0][3]["labels"], [])
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_does_not_call_single_page_limit_100(self, mock_all, mock_req):
|
||||
mock_all.return_value = [_lb("bug", 1)]
|
||||
mock_req.return_value = [_lb("bug", 1)]
|
||||
mcp_server.gitea_set_issue_labels(
|
||||
issue_number=9, labels=["bug"], remote="prgs"
|
||||
)
|
||||
for c in mock_req.call_args_list:
|
||||
url = c[0][1] if len(c[0]) > 1 else ""
|
||||
self.assertNotIn("labels?limit=100", str(url))
|
||||
mock_all.assert_called()
|
||||
|
||||
|
||||
class TestApiGetAllPageCapDocumentsGiteaLimit(unittest.TestCase):
|
||||
"""Sanity: api_get_all clamps page_size to 50 (root cause of limit=100 trap)."""
|
||||
|
||||
@patch("gitea_auth.api_request")
|
||||
def test_page_size_clamped_to_fifty(self, mock_req):
|
||||
mock_req.return_value = []
|
||||
gitea_auth.api_get_all("https://gitea.example/api/v1/repos/o/r/labels",
|
||||
FAKE_AUTH, page_size=100)
|
||||
# First (only) call must use limit=50, not 100
|
||||
url = mock_req.call_args[0][1]
|
||||
self.assertIn("limit=50", url)
|
||||
self.assertNotIn("limit=100", url)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -0,0 +1,188 @@
|
||||
"""Server wiring for stable-branch push contamination (#671).
|
||||
|
||||
Exercises the MCP tools and the pre-flight enforcement gate against the durable
|
||||
contamination marker (isolated per-test state dir from conftest).
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
from unittest.mock import patch
|
||||
|
||||
import gitea_mcp_server as srv
|
||||
|
||||
|
||||
def _clear_marker(remote="prgs"):
|
||||
srv._clear_stable_contamination_marker(remote=remote)
|
||||
|
||||
|
||||
def teardown_function():
|
||||
_clear_marker()
|
||||
|
||||
|
||||
# ── record tool marks a real direct push ─────────────────────────────────────
|
||||
|
||||
def test_record_tool_marks_direct_master_push():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is True
|
||||
assert res["marker"] is not None
|
||||
assert res["marker"]["reason_class"] == "stable_branch_push"
|
||||
# loaded back through the durable store
|
||||
loaded = srv._load_stable_contamination_marker("prgs")
|
||||
assert loaded is not None
|
||||
assert loaded["ref"] == "master"
|
||||
|
||||
|
||||
def test_record_tool_dry_run_still_marks():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push --dry-run prgs master", remote="prgs"
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is True
|
||||
|
||||
|
||||
def test_record_tool_feature_branch_does_not_mark():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs fix/issue-671-block-stable-branch-push",
|
||||
remote="prgs",
|
||||
)
|
||||
assert res["contaminated"] is False
|
||||
assert res["marked"] is False
|
||||
assert srv._load_stable_contamination_marker("prgs") is None
|
||||
|
||||
|
||||
def test_record_tool_fetch_only_does_not_mark():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git fetch prgs", remote="prgs"
|
||||
)
|
||||
assert res["contaminated"] is False
|
||||
assert res["marked"] is False
|
||||
|
||||
|
||||
def test_record_tool_mark_false_is_readonly():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs", mark=False
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is False
|
||||
assert srv._load_stable_contamination_marker("prgs") is None
|
||||
|
||||
|
||||
def test_record_tool_redacts_secret_in_marker():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push https://u:supersecret@host/o/r.git master",
|
||||
remote="prgs",
|
||||
)
|
||||
assert res["marked"] is True
|
||||
assert "supersecret" not in res["marker"]["command_summary"]
|
||||
|
||||
|
||||
def test_record_tool_root_checkout_local_commit_marks():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command=None,
|
||||
remote="prgs",
|
||||
current_branch="master",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is True
|
||||
assert res["marker"]["reason_class"] == "root_checkout_commit"
|
||||
|
||||
|
||||
# ── audit tool: inspect + reconciler-only clear ──────────────────────────────
|
||||
|
||||
def test_audit_inspect_reports_marker():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
out = srv.gitea_audit_stable_branch_contamination(action="inspect", remote="prgs")
|
||||
assert out["contaminated"] is True
|
||||
assert out["read_only"] is True
|
||||
|
||||
|
||||
def test_audit_clear_refused_for_non_reconciler():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
out = srv.gitea_audit_stable_branch_contamination(action="clear", remote="prgs")
|
||||
assert out["success"] is False
|
||||
assert out["reasons"]
|
||||
# marker survives a refused clear
|
||||
assert srv._load_stable_contamination_marker("prgs") is not None
|
||||
|
||||
|
||||
def test_audit_clear_allowed_for_reconciler():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
identity = srv._stable_contamination_profile_identity()
|
||||
with patch.object(srv, "_actual_profile_role", return_value="reconciler"):
|
||||
out = srv.gitea_audit_stable_branch_contamination(
|
||||
action="clear", remote="prgs", profile_identity=identity
|
||||
)
|
||||
assert out["success"] is True
|
||||
assert srv._load_stable_contamination_marker("prgs") is None
|
||||
|
||||
|
||||
# ── pre-flight enforcement gate ──────────────────────────────────────────────
|
||||
|
||||
def _force_gate_env():
|
||||
return patch.dict(os.environ, {"GITEA_TEST_FORCE_STABLE_CONTAMINATION": "1"})
|
||||
|
||||
|
||||
def test_gate_blocks_gated_mutation_when_contaminated():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
for task in ("merge_pr", "review_pr", "close_issue", "create_pr"):
|
||||
try:
|
||||
srv._enforce_stable_branch_contamination_gate(task, "prgs")
|
||||
raised = False
|
||||
except RuntimeError as exc:
|
||||
raised = True
|
||||
assert "#671" in str(exc)
|
||||
assert raised, task
|
||||
|
||||
|
||||
def test_gate_allows_comment_for_handoff_when_contaminated():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
# must not raise — worker can still post the durable audit comment
|
||||
srv._enforce_stable_branch_contamination_gate("comment_issue", "prgs")
|
||||
srv._enforce_stable_branch_contamination_gate("lock_issue", "prgs")
|
||||
|
||||
|
||||
def test_gate_exempts_reconciler_when_contaminated():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="reconciler"):
|
||||
srv._enforce_stable_branch_contamination_gate("merge_pr", "prgs")
|
||||
|
||||
|
||||
def test_gate_noop_when_not_contaminated():
|
||||
_clear_marker()
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
srv._enforce_stable_branch_contamination_gate("merge_pr", "prgs")
|
||||
@@ -0,0 +1,341 @@
|
||||
"""Tests for the direct stable-branch push guard (#671).
|
||||
|
||||
Covers the acceptance criteria:
|
||||
1. detect shell ``git push <remote> master`` equivalents
|
||||
2. detect root/control-checkout local commits not on an issue branch
|
||||
3. contamination record shape
|
||||
4. fail-closed gate on review/merge/close/completion (reconciler-exempt)
|
||||
5. AC5 case matrix: no-op dry-run push, real direct push, sanctioned Gitea
|
||||
merge, fetch-only, root-checkout local commit; plus feature-branch push
|
||||
still allowed and sanctioned merge still allowed
|
||||
6. redaction of credentials in logged command summaries
|
||||
"""
|
||||
|
||||
import stable_branch_push_guard as guard
|
||||
|
||||
|
||||
# ── AC1: detect direct stable-branch push equivalents ────────────────────────
|
||||
|
||||
def test_plain_git_push_remote_master_is_contamination():
|
||||
res = guard.classify_push_command("git push prgs master")
|
||||
assert res["is_git_push"] is True
|
||||
assert res["targets_stable"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
assert res["contamination"] is True
|
||||
assert res["reasons"]
|
||||
|
||||
|
||||
def test_push_main_and_dev_detected():
|
||||
for ref in ("main", "dev", "develop", "development"):
|
||||
res = guard.classify_push_command(f"git push origin {ref}")
|
||||
assert res["contamination"] is True, ref
|
||||
assert res["stable_refs"] == [ref]
|
||||
|
||||
|
||||
def test_head_colon_master_refspec_detected():
|
||||
res = guard.classify_push_command("git push prgs HEAD:master")
|
||||
assert res["targets_stable"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
def test_full_refspec_force_plus_detected():
|
||||
res = guard.classify_push_command(
|
||||
"git push prgs +refs/heads/tmp:refs/heads/master"
|
||||
)
|
||||
assert res["contamination"] is True
|
||||
assert res["is_force"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
|
||||
|
||||
def test_force_flag_to_master_detected():
|
||||
res = guard.classify_push_command("git push --force prgs master")
|
||||
assert res["contamination"] is True
|
||||
assert res["is_force"] is True
|
||||
|
||||
|
||||
def test_delete_refspec_master_detected():
|
||||
res = guard.classify_push_command("git push prgs :master")
|
||||
assert res["contamination"] is True
|
||||
assert res["is_delete"] is True
|
||||
|
||||
|
||||
def test_delete_flag_master_detected():
|
||||
res = guard.classify_push_command("git push --delete prgs master")
|
||||
assert res["contamination"] is True
|
||||
assert res["is_delete"] is True
|
||||
|
||||
|
||||
def test_push_detected_inside_compound_command():
|
||||
res = guard.classify_push_command("cd repo && git push prgs master && echo ok")
|
||||
assert res["contamination"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
|
||||
|
||||
# ── AC5: no-op / dry-run push still proves intent ────────────────────────────
|
||||
|
||||
def test_dry_run_push_to_master_proves_intent():
|
||||
res = guard.classify_push_command("git push --dry-run prgs master")
|
||||
assert res["is_dry_run"] is True
|
||||
assert res["contamination"] is True
|
||||
assert res["proves_intent"] is True
|
||||
assert "intent" in " ".join(res["reasons"]).lower()
|
||||
|
||||
|
||||
def test_short_dry_run_flag_n_detected():
|
||||
res = guard.classify_push_command("git push -n prgs master")
|
||||
assert res["is_dry_run"] is True
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
# ── AC5 negative: feature-branch push still allowed ──────────────────────────
|
||||
|
||||
def test_feature_branch_push_not_flagged():
|
||||
res = guard.classify_push_command(
|
||||
"git push prgs fix/issue-671-block-stable-branch-push"
|
||||
)
|
||||
assert res["is_git_push"] is True
|
||||
assert res["targets_stable"] is False
|
||||
assert res["contamination"] is False
|
||||
assert res["reasons"] == []
|
||||
|
||||
|
||||
def test_feature_branch_head_refspec_not_flagged():
|
||||
res = guard.classify_push_command(
|
||||
"git push prgs HEAD:fix/issue-671-block-stable-branch-push"
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
assert res["targets_stable"] is False
|
||||
|
||||
|
||||
def test_branch_named_like_master_substring_not_flagged():
|
||||
# 'master-notes' is not the stable 'master'.
|
||||
res = guard.classify_push_command("git push prgs master-notes")
|
||||
assert res["contamination"] is False
|
||||
assert res["targets_stable"] is False
|
||||
|
||||
|
||||
# ── AC5 negative: fetch-only operations ──────────────────────────────────────
|
||||
|
||||
def test_git_fetch_not_a_push():
|
||||
res = guard.classify_push_command("git fetch prgs")
|
||||
assert res["is_git_push"] is False
|
||||
assert res["is_fetch_or_pull"] is True
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
def test_git_pull_ff_only_master_not_a_push():
|
||||
res = guard.classify_push_command("git pull --ff-only prgs master")
|
||||
assert res["is_git_push"] is False
|
||||
assert res["is_fetch_or_pull"] is True
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
# ── AC5 negative: sanctioned Gitea merge is not a push ───────────────────────
|
||||
|
||||
def test_gitea_merge_pr_tool_is_not_a_push():
|
||||
res = guard.classify_push_command("gitea_merge_pr(pr_number=671, remote='prgs')")
|
||||
assert res["is_git_push"] is False
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
def test_gitea_api_merge_is_not_a_push():
|
||||
res = guard.classify_push_command(
|
||||
"curl -X POST https://gitea.example/api/v1/repos/o/r/pulls/671/merge"
|
||||
)
|
||||
assert res["is_git_push"] is False
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
# ── ambiguous bare push: reported, not auto-contaminating ────────────────────
|
||||
|
||||
def test_bare_push_is_ambiguous_not_contaminating():
|
||||
res = guard.classify_push_command("git push prgs")
|
||||
assert res["is_git_push"] is True
|
||||
assert res["ambiguous_target"] is True
|
||||
assert res["contamination"] is False
|
||||
assert res["reasons"] # surfaced as a warning
|
||||
|
||||
|
||||
# ── AC2: root/control-checkout local commit detection ────────────────────────
|
||||
|
||||
def test_root_checkout_commit_ahead_of_master_flagged():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is True
|
||||
assert res["reasons"]
|
||||
|
||||
|
||||
def test_root_checkout_clean_at_master_not_flagged():
|
||||
sha = "c" * 40
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha=sha,
|
||||
remote_master_sha=sha,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
assert res["unknown"] is False
|
||||
|
||||
|
||||
def test_branches_worktree_commit_is_exempt():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="fix/issue-671-block-stable-branch-push",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=True,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
def test_root_checkout_ahead_count_flagged():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha="",
|
||||
remote_master_sha="",
|
||||
is_under_branches=False,
|
||||
ahead_count=2,
|
||||
)
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
def test_root_checkout_unknown_when_state_missing():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha="",
|
||||
remote_master_sha="",
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
assert res["unknown"] is True
|
||||
|
||||
|
||||
def test_root_checkout_non_stable_branch_out_of_scope():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="feature/x",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
# ── AC3: contamination record shape ──────────────────────────────────────────
|
||||
|
||||
def test_build_contamination_record_shape_and_redaction():
|
||||
rec = guard.build_contamination_record(
|
||||
reason_class="stable_branch_push",
|
||||
command_redacted="git push https://user:[email protected]/o/r.git master",
|
||||
session_id="prgs-author-123",
|
||||
remote="prgs",
|
||||
ref="master",
|
||||
role="author",
|
||||
)
|
||||
assert rec["kind"] == guard.CONTAMINATION_KIND
|
||||
assert rec["reason_class"] == "stable_branch_push"
|
||||
assert rec["remote"] == "prgs"
|
||||
assert rec["ref"] == "master"
|
||||
assert rec["cleared_by_reconciler"] is False
|
||||
# secret must never survive into the durable record
|
||||
assert "tok@" not in rec["command_summary"]
|
||||
assert "***@" in rec["command_summary"]
|
||||
|
||||
|
||||
# ── AC4: fail-closed gate on gated mutations ─────────────────────────────────
|
||||
|
||||
def _marker():
|
||||
return guard.build_contamination_record(
|
||||
reason_class="stable_branch_push",
|
||||
command_redacted="git push prgs master",
|
||||
remote="prgs",
|
||||
ref="master",
|
||||
role="author",
|
||||
)
|
||||
|
||||
|
||||
def test_gate_blocks_gated_mutations_for_author():
|
||||
marker = _marker()
|
||||
for task in ("create_pr", "merge_pr", "close_issue", "review_pr",
|
||||
"submit_pr_review", "commit_files", "close_pr"):
|
||||
gate = guard.assess_contamination_gate(marker, task=task, actual_role="author")
|
||||
assert gate["block"] is True, task
|
||||
assert gate["reasons"]
|
||||
|
||||
|
||||
def test_gate_allows_comment_and_lock_for_handoff():
|
||||
marker = _marker()
|
||||
for task in ("comment_issue", "lock_issue", "create_issue", "mark_issue"):
|
||||
gate = guard.assess_contamination_gate(marker, task=task, actual_role="author")
|
||||
assert gate["block"] is False, task
|
||||
|
||||
|
||||
def test_gate_exempts_reconciler_audit_path():
|
||||
marker = _marker()
|
||||
gate = guard.assess_contamination_gate(marker, task="close_pr", actual_role="reconciler")
|
||||
assert gate["block"] is False
|
||||
|
||||
|
||||
def test_gate_no_marker_allows_everything():
|
||||
gate = guard.assess_contamination_gate(None, task="merge_pr", actual_role="merger")
|
||||
assert gate["block"] is False
|
||||
|
||||
|
||||
def test_gate_cleared_marker_allows_everything():
|
||||
marker = _marker()
|
||||
marker["cleared_by_reconciler"] = True
|
||||
gate = guard.assess_contamination_gate(marker, task="merge_pr", actual_role="merger")
|
||||
assert gate["block"] is False
|
||||
|
||||
|
||||
def test_same_worker_cannot_self_clear_by_role():
|
||||
# A merger/reviewer/author role is still gated — only reconciler is exempt.
|
||||
marker = _marker()
|
||||
for role in ("author", "reviewer", "merger"):
|
||||
gate = guard.assess_contamination_gate(marker, task="merge_pr", actual_role=role)
|
||||
assert gate["block"] is True, role
|
||||
|
||||
|
||||
def test_format_gate_error_mentions_issue():
|
||||
marker = _marker()
|
||||
gate = guard.assess_contamination_gate(marker, task="merge_pr", actual_role="merger")
|
||||
msg = guard.format_contamination_gate_error(gate)
|
||||
assert "#671" in msg
|
||||
assert "contaminat" in msg.lower()
|
||||
|
||||
|
||||
# ── redaction unit coverage ──────────────────────────────────────────────────
|
||||
|
||||
def test_redact_url_userinfo():
|
||||
out = guard.redact_command("git push https://bob:secretpat@host/o/r.git master")
|
||||
assert "secretpat" not in out
|
||||
assert "***@" in out
|
||||
assert "master" in out # structure preserved for audit
|
||||
|
||||
|
||||
def test_redact_token_assignment():
|
||||
out = guard.redact_command("GITEA_TOKEN=abcdef123456 git push prgs master")
|
||||
assert "abcdef123456" not in out
|
||||
assert "GITEA_TOKEN=***" in out
|
||||
|
||||
|
||||
def test_redact_empty():
|
||||
assert guard.redact_command(None) == ""
|
||||
assert guard.redact_command("") == ""
|
||||
|
||||
|
||||
# ── detect_stable_push over iterables ────────────────────────────────────────
|
||||
|
||||
def test_detect_stable_push_iterable_finds_first_contamination():
|
||||
cmds = ["git status", "git push prgs master", "echo done"]
|
||||
res = guard.detect_stable_push(cmds)
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
def test_detect_stable_push_iterable_all_safe():
|
||||
cmds = ["git status", "git push prgs feature/x", "git fetch prgs"]
|
||||
res = guard.detect_stable_push(cmds)
|
||||
assert res["contamination"] is False
|
||||
@@ -0,0 +1,378 @@
|
||||
"""Stale #332 review-decision lock cleanup (#594).
|
||||
|
||||
Proves:
|
||||
a. active terminal locks still block unrelated terminal reviews
|
||||
b. merged/closed PR locks can be cleared canonically
|
||||
c. cleanup cannot bypass review gates on open PRs
|
||||
d. after moot cleanup, mark_ready for a different PR can proceed
|
||||
(PR #592-style after PR #586-style stale approve)
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import unittest
|
||||
from unittest.mock import patch
|
||||
|
||||
import mcp_server
|
||||
import stale_review_decision_lock as srdl
|
||||
from mcp_server import (
|
||||
gitea_cleanup_stale_review_decision_lock,
|
||||
gitea_mark_final_review_decision,
|
||||
)
|
||||
|
||||
HEAD = "a" * 40
|
||||
FAKE_AUTH = "Basic dGVzdDp0ZXN0"
|
||||
|
||||
REVIEWER_ENV = {
|
||||
"GITEA_PROFILE_NAME": "prgs-reviewer",
|
||||
"GITEA_ALLOWED_OPERATIONS": (
|
||||
"gitea.read,gitea.pr.review,gitea.pr.approve,"
|
||||
"gitea.pr.request_changes,gitea.pr.comment"
|
||||
),
|
||||
"GITEA_SESSION_PROFILE_LOCK": "prgs-reviewer",
|
||||
}
|
||||
|
||||
REVIEWER_PROFILE = {
|
||||
"profile_name": "prgs-reviewer",
|
||||
"allowed_operations": [
|
||||
"gitea.read",
|
||||
"gitea.pr.review",
|
||||
"gitea.pr.approve",
|
||||
"gitea.pr.request_changes",
|
||||
"gitea.pr.comment",
|
||||
],
|
||||
"forbidden_operations": [
|
||||
"gitea.pr.merge",
|
||||
"gitea.pr.create",
|
||||
"gitea.branch.push",
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
def _reviewer_profile_patch():
|
||||
return patch.object(mcp_server, "get_profile", return_value=REVIEWER_PROFILE)
|
||||
|
||||
|
||||
def _lock(mutations=None, correction=False):
|
||||
return {
|
||||
"task": "review_pr",
|
||||
"remote": "prgs",
|
||||
"org": "Scaled-Tech-Consulting",
|
||||
"repo": "Gitea-Tools",
|
||||
"session_pid": os.getpid(),
|
||||
"session_profile": "prgs-reviewer",
|
||||
"session_profile_lock": "prgs-reviewer",
|
||||
"profile_identity": "prgs-reviewer",
|
||||
"final_review_decision_ready": False,
|
||||
"ready_pr_number": None,
|
||||
"ready_action": None,
|
||||
"ready_expected_head_sha": None,
|
||||
"ready_remote": None,
|
||||
"ready_org": None,
|
||||
"ready_repo": None,
|
||||
"live_mutations": list(mutations or []),
|
||||
"correction_authorized": correction,
|
||||
"correction_reason": None,
|
||||
}
|
||||
|
||||
|
||||
APPROVED_586 = {
|
||||
"pr_number": 586,
|
||||
"action": "approve",
|
||||
"review_id": 395,
|
||||
"review_state": "approve",
|
||||
}
|
||||
APPROVED_OPEN = {
|
||||
"pr_number": 700,
|
||||
"action": "approve",
|
||||
"review_id": 1,
|
||||
"review_state": "approve",
|
||||
}
|
||||
RC_OPEN = {
|
||||
"pr_number": 701,
|
||||
"action": "request_changes",
|
||||
"review_id": 2,
|
||||
"review_state": "request_changes",
|
||||
}
|
||||
|
||||
|
||||
def _seed(mutations=None, correction=False):
|
||||
import review_workflow_load
|
||||
|
||||
review_workflow_load.record_review_workflow_load(mcp_server.PROJECT_ROOT)
|
||||
mcp_server._save_review_decision_lock(_lock(mutations, correction))
|
||||
mcp_server.gitea_load_review_workflow()
|
||||
|
||||
|
||||
def _merged_pr(pr_number=586, sha="6913ac9" + "0" * 33):
|
||||
return {
|
||||
"number": pr_number,
|
||||
"state": "closed",
|
||||
"merged": True,
|
||||
"merged_at": "2026-07-09T18:20:03Z",
|
||||
"merge_commit_sha": sha,
|
||||
}
|
||||
|
||||
|
||||
def _open_pr(pr_number=700):
|
||||
return {
|
||||
"number": pr_number,
|
||||
"state": "open",
|
||||
"merged": False,
|
||||
"merged_at": None,
|
||||
"merge_commit_sha": None,
|
||||
}
|
||||
|
||||
|
||||
# --------------------------------------------------------------------------- #
|
||||
# Pure assessment
|
||||
# --------------------------------------------------------------------------- #
|
||||
class TestAssessStaleLock(unittest.TestCase):
|
||||
def test_no_lock(self):
|
||||
a = srdl.assess_stale_review_decision_lock(None)
|
||||
self.assertFalse(a["cleanup_allowed"])
|
||||
self.assertFalse(a["is_moot"])
|
||||
|
||||
def test_no_terminal_mutations(self):
|
||||
a = srdl.assess_stale_review_decision_lock(_lock([]))
|
||||
self.assertFalse(a["cleanup_allowed"])
|
||||
|
||||
def test_open_pr_not_cleanable(self):
|
||||
a = srdl.assess_stale_review_decision_lock(
|
||||
_lock([APPROVED_OPEN]), pr_live=_open_pr(700)
|
||||
)
|
||||
self.assertFalse(a["is_moot"])
|
||||
self.assertFalse(a["cleanup_allowed"])
|
||||
self.assertTrue(any("open PR" in r for r in a["reasons"]))
|
||||
|
||||
def test_merged_pr_is_moot_and_cleanable(self):
|
||||
a = srdl.assess_stale_review_decision_lock(
|
||||
_lock([APPROVED_586]), pr_live=_merged_pr(586)
|
||||
)
|
||||
self.assertTrue(a["is_moot"])
|
||||
self.assertTrue(a["cleanup_allowed"])
|
||||
self.assertEqual(a["last_terminal_pr"], 586)
|
||||
|
||||
def test_closed_unmerged_is_moot(self):
|
||||
a = srdl.assess_stale_review_decision_lock(
|
||||
_lock([RC_OPEN]),
|
||||
pr_live={"number": 701, "state": "closed", "merged": False},
|
||||
)
|
||||
self.assertTrue(a["is_moot"])
|
||||
self.assertTrue(a["cleanup_allowed"])
|
||||
|
||||
def test_profile_mismatch_blocks(self):
|
||||
a = srdl.assess_stale_review_decision_lock(
|
||||
_lock([APPROVED_586]),
|
||||
pr_live=_merged_pr(586),
|
||||
active_profile_identity="other-profile",
|
||||
)
|
||||
self.assertFalse(a["cleanup_allowed"])
|
||||
self.assertFalse(a["profile_match"])
|
||||
|
||||
def test_lookup_error_fail_closed(self):
|
||||
a = srdl.assess_stale_review_decision_lock(
|
||||
_lock([APPROVED_586]),
|
||||
pr_lookup_error="timeout",
|
||||
)
|
||||
self.assertFalse(a["cleanup_allowed"])
|
||||
self.assertTrue(any("timeout" in r for r in a["reasons"]))
|
||||
|
||||
|
||||
# --------------------------------------------------------------------------- #
|
||||
# Hard-stop still blocks active locks
|
||||
# --------------------------------------------------------------------------- #
|
||||
class TestActiveHardStopPreserved(unittest.TestCase):
|
||||
def tearDown(self):
|
||||
mcp_server._save_review_decision_lock(None)
|
||||
mcp_server.review_workflow_load.clear_review_workflow_load()
|
||||
|
||||
def test_open_approve_still_blocks_other_pr_mark_ready(self):
|
||||
_seed([APPROVED_OPEN])
|
||||
reasons = mcp_server.terminal_review_hard_stop_reasons(592, "mark_ready")
|
||||
self.assertTrue(reasons)
|
||||
self.assertIn("#332", reasons[0])
|
||||
self.assertIn("gitea_cleanup_stale_review_decision_lock", reasons[0])
|
||||
|
||||
def test_request_changes_still_blocks_everything(self):
|
||||
_seed([RC_OPEN])
|
||||
for op in ("merge", "mark_ready", "review"):
|
||||
self.assertTrue(
|
||||
mcp_server.terminal_review_hard_stop_reasons(592, op),
|
||||
msg=op,
|
||||
)
|
||||
|
||||
|
||||
# --------------------------------------------------------------------------- #
|
||||
# MCP cleanup tool
|
||||
# --------------------------------------------------------------------------- #
|
||||
class TestCleanupTool(unittest.TestCase):
|
||||
def setUp(self):
|
||||
self._env = patch.dict(os.environ, REVIEWER_ENV, clear=False)
|
||||
self._env.start()
|
||||
|
||||
def tearDown(self):
|
||||
self._env.stop()
|
||||
mcp_server._save_review_decision_lock(None)
|
||||
mcp_server.review_workflow_load.clear_review_workflow_load()
|
||||
|
||||
def test_read_only_reports_moot_without_clearing(self):
|
||||
_seed([APPROVED_586])
|
||||
with patch.object(mcp_server, "api_request", return_value=_merged_pr()), \
|
||||
patch.object(mcp_server, "_auth", return_value=FAKE_AUTH), \
|
||||
patch.object(
|
||||
mcp_server, "_authenticated_username", return_value="sysadmin"
|
||||
), \
|
||||
_reviewer_profile_patch(), \
|
||||
patch.object(mcp_server, "_profile_operation_gate", return_value=[]):
|
||||
r = gitea_cleanup_stale_review_decision_lock(
|
||||
apply=False, remote="prgs",
|
||||
org="Scaled-Tech-Consulting", repo="Gitea-Tools",
|
||||
)
|
||||
self.assertTrue(r["success"])
|
||||
self.assertTrue(r["is_moot"])
|
||||
self.assertTrue(r["cleanup_allowed"])
|
||||
self.assertFalse(r["cleanup_performed"])
|
||||
self.assertIsNotNone(mcp_server._load_review_decision_lock())
|
||||
|
||||
def test_apply_clears_moot_lock(self):
|
||||
_seed([APPROVED_586])
|
||||
posts = []
|
||||
|
||||
def _api(method, url, auth, payload=None):
|
||||
if method == "GET" and "/pulls/586" in url:
|
||||
return _merged_pr()
|
||||
if method == "POST" and "/comments" in url:
|
||||
posts.append(payload)
|
||||
return {"id": 9999}
|
||||
return {}
|
||||
|
||||
with patch.object(mcp_server, "api_request", side_effect=_api), \
|
||||
patch.object(mcp_server, "_auth", return_value=FAKE_AUTH), \
|
||||
patch.object(
|
||||
mcp_server, "_authenticated_username", return_value="sysadmin"
|
||||
), \
|
||||
_reviewer_profile_patch(), \
|
||||
patch.object(mcp_server, "_profile_operation_gate", return_value=[]), \
|
||||
patch.object(
|
||||
mcp_server, "_audited",
|
||||
side_effect=lambda *a, **k: __import__(
|
||||
"contextlib"
|
||||
).nullcontext(),
|
||||
):
|
||||
r = gitea_cleanup_stale_review_decision_lock(
|
||||
apply=True,
|
||||
expected_terminal_pr=586,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
)
|
||||
self.assertTrue(r["cleanup_performed"], r)
|
||||
self.assertTrue(r["audit"]["applied"])
|
||||
self.assertIsNone(mcp_server._load_review_decision_lock())
|
||||
self.assertEqual(r.get("audit_comment_id"), 9999)
|
||||
self.assertTrue(posts)
|
||||
|
||||
def test_apply_refuses_open_pr(self):
|
||||
_seed([APPROVED_OPEN])
|
||||
with patch.object(mcp_server, "api_request", return_value=_open_pr(700)), \
|
||||
patch.object(mcp_server, "_auth", return_value=FAKE_AUTH), \
|
||||
patch.object(
|
||||
mcp_server, "_authenticated_username", return_value="sysadmin"
|
||||
), \
|
||||
_reviewer_profile_patch(), \
|
||||
patch.object(mcp_server, "_profile_operation_gate", return_value=[]):
|
||||
r = gitea_cleanup_stale_review_decision_lock(
|
||||
apply=True, remote="prgs",
|
||||
org="Scaled-Tech-Consulting", repo="Gitea-Tools",
|
||||
)
|
||||
self.assertFalse(r["cleanup_performed"])
|
||||
self.assertFalse(r["cleanup_allowed"])
|
||||
self.assertIsNotNone(mcp_server._load_review_decision_lock())
|
||||
|
||||
def test_expected_terminal_pr_pin(self):
|
||||
_seed([APPROVED_586])
|
||||
with patch.object(mcp_server, "api_request", return_value=_merged_pr()), \
|
||||
patch.object(mcp_server, "_auth", return_value=FAKE_AUTH), \
|
||||
patch.object(
|
||||
mcp_server, "_authenticated_username", return_value="sysadmin"
|
||||
), \
|
||||
_reviewer_profile_patch(), \
|
||||
patch.object(mcp_server, "_profile_operation_gate", return_value=[]):
|
||||
r = gitea_cleanup_stale_review_decision_lock(
|
||||
apply=True,
|
||||
expected_terminal_pr=999,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
)
|
||||
self.assertFalse(r["cleanup_performed"])
|
||||
self.assertTrue(any("expected_terminal_pr" in x for x in r["reasons"]))
|
||||
|
||||
def test_after_moot_cleanup_other_pr_mark_ready_unblocked(self):
|
||||
"""PR #592-style: after clearing merged #586 lock, new mark_ready works."""
|
||||
_seed([APPROVED_586])
|
||||
with patch.object(mcp_server, "api_request", return_value=_merged_pr()), \
|
||||
patch.object(mcp_server, "_auth", return_value=FAKE_AUTH), \
|
||||
patch.object(
|
||||
mcp_server, "_authenticated_username", return_value="sysadmin"
|
||||
), \
|
||||
_reviewer_profile_patch(), \
|
||||
patch.object(mcp_server, "_profile_operation_gate", return_value=[]), \
|
||||
patch.object(
|
||||
mcp_server, "_audited",
|
||||
side_effect=lambda *a, **k: __import__(
|
||||
"contextlib"
|
||||
).nullcontext(),
|
||||
):
|
||||
cleaned = gitea_cleanup_stale_review_decision_lock(
|
||||
apply=True,
|
||||
expected_terminal_pr=586,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
post_audit_comment=False,
|
||||
)
|
||||
self.assertTrue(cleaned["cleanup_performed"], cleaned)
|
||||
|
||||
# Hard-stop gone; re-init clean lock like a fresh review_pr resolve.
|
||||
mcp_server.init_review_decision_lock(remote="prgs", task="review_pr")
|
||||
mcp_server.gitea_load_review_workflow()
|
||||
self.assertEqual(
|
||||
mcp_server.terminal_review_hard_stop_reasons(592, "mark_ready"),
|
||||
[],
|
||||
)
|
||||
|
||||
no_lease = {"block": False, "reasons": [], "mutation_allowed": True}
|
||||
with patch.object(mcp_server, "_list_pr_lease_comments", return_value=[]), \
|
||||
patch.object(
|
||||
mcp_server, "_pr_work_lease_reviewer_block", return_value=no_lease
|
||||
), \
|
||||
patch.object(
|
||||
mcp_server,
|
||||
"gitea_check_pr_eligibility",
|
||||
return_value={
|
||||
"eligible": True,
|
||||
"reasons": [],
|
||||
"authenticated_user": "sysadmin",
|
||||
"pr_author": "jcwalker3",
|
||||
"self_author": False,
|
||||
},
|
||||
), \
|
||||
patch.object(
|
||||
mcp_server, "_authenticated_username", return_value="sysadmin"
|
||||
):
|
||||
marked = gitea_mark_final_review_decision(
|
||||
pr_number=592,
|
||||
action="approve",
|
||||
expected_head_sha=HEAD,
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
)
|
||||
self.assertTrue(marked.get("marked_ready"), marked)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -14,8 +14,13 @@ sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
|
||||
import author_mutation_worktree as amw # noqa: E402
|
||||
import gitea_mcp_server as srv # noqa: E402
|
||||
|
||||
CONTROL_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
BRANCHES_WORKTREE = str(Path(__file__).resolve().parents[1])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_ROOT = str(current_file_path.parents[3])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1])
|
||||
else:
|
||||
CONTROL_ROOT = str(current_file_path.parents[1])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1] / "branches" / "mock-worktree")
|
||||
MCP_PROCESS_ROOT = BRANCHES_WORKTREE
|
||||
|
||||
|
||||
|
||||
@@ -147,7 +147,7 @@ def classify_entry(
|
||||
if not record:
|
||||
return "orphan", "Directory exists but is not a registered git worktree"
|
||||
|
||||
if record.get("detached") and REVIEW_WORKTREE_RE.search(rel_path):
|
||||
if record.get("detached") and _REVIEW_WORKTREE_RE.search(rel_path):
|
||||
return "detached-review", "Detached HEAD in reviewer/simulation worktree"
|
||||
|
||||
if state.get("exists") and state.get("clean"):
|
||||
|
||||
Reference in New Issue
Block a user