Compare commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
3fd02a3c63 | ||
|
|
ea8e186549 | ||
|
|
22698c1b5f | ||
|
|
de27053f74 | ||
|
|
5933d87647 | ||
|
|
72b18143f8 | ||
|
|
8886ce201f | ||
|
|
bee24e2b10 | ||
|
|
a7aac0df1d | ||
|
|
ec903b0d61 | ||
|
|
f34319852e | ||
|
|
2fa97c26fb | ||
|
|
5ab5fe8583 | ||
|
|
f32aaaa3b5 | ||
|
|
5347b313ea | ||
|
|
1be4600261 | ||
|
|
780ef0b1be | ||
|
|
a654cda058 | ||
|
|
ab1c2d7973 | ||
|
|
6a179aeb85 | ||
|
|
f20c8436aa |
@@ -0,0 +1,807 @@
|
||||
"""Common anti-stomp preflight for every MCP mutation tool (#604).
|
||||
|
||||
Even with leases, mutation tools need a **shared** preflight that prevents
|
||||
stale sessions, wrong worktrees, wrong repos, old prompts, terminal locks,
|
||||
foreign leases, contaminated approvals, and root-checkout mutations from
|
||||
slipping through.
|
||||
|
||||
This module is the pure assessment core. Callers (MCP mutation entrypoints)
|
||||
gather live facts and pass them in — nothing here performs git, network, or
|
||||
durable-state I/O. Existing happy-path guards remain authoritative; this
|
||||
module composes them into one typed, fail-closed result.
|
||||
|
||||
Required checks (issue #604):
|
||||
|
||||
* repo/org verification
|
||||
* profile/role verification
|
||||
* root checkout clean and not used for mutation (when role requires branches/)
|
||||
* worktree under branches when required
|
||||
* active lease ownership (when lease is required for the mutation)
|
||||
* terminal lock status (when applicable)
|
||||
* expected head SHA (when pinned)
|
||||
* stale runtime status
|
||||
* workflow hash (when a workflow load is required)
|
||||
* source contamination status
|
||||
* no manual state/mtime/source-file bypass
|
||||
|
||||
Failure returns a typed blocker and an exact next action. There is **no**
|
||||
agent-facing bypass flag.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from typing import Any
|
||||
|
||||
import author_mutation_worktree
|
||||
import master_parity_gate
|
||||
import remote_repo_guard
|
||||
import root_checkout_guard
|
||||
import stable_branch_push_guard
|
||||
|
||||
# ── public constants ──────────────────────────────────────────────────────────
|
||||
|
||||
# Typed blocker kinds returned in the structured result.
|
||||
BLOCKER_WRONG_REPO = "wrong_repo"
|
||||
BLOCKER_WRONG_ROLE = "wrong_role"
|
||||
BLOCKER_ROOT_CHECKOUT = "root_checkout_mutation"
|
||||
BLOCKER_WRONG_WORKTREE = "wrong_worktree"
|
||||
BLOCKER_FOREIGN_LEASE = "foreign_lease"
|
||||
BLOCKER_TERMINAL_LOCK = "terminal_lock"
|
||||
BLOCKER_HEAD_SHA = "head_sha_mismatch"
|
||||
BLOCKER_STALE_RUNTIME = "stale_runtime"
|
||||
BLOCKER_WORKFLOW_HASH = "workflow_hash"
|
||||
BLOCKER_SOURCE_CONTAMINATION = "source_contamination"
|
||||
BLOCKER_MANUAL_BYPASS = "manual_bypass"
|
||||
|
||||
BLOCKER_KINDS = frozenset({
|
||||
BLOCKER_WRONG_REPO,
|
||||
BLOCKER_WRONG_ROLE,
|
||||
BLOCKER_ROOT_CHECKOUT,
|
||||
BLOCKER_WRONG_WORKTREE,
|
||||
BLOCKER_FOREIGN_LEASE,
|
||||
BLOCKER_TERMINAL_LOCK,
|
||||
BLOCKER_HEAD_SHA,
|
||||
BLOCKER_STALE_RUNTIME,
|
||||
BLOCKER_WORKFLOW_HASH,
|
||||
BLOCKER_SOURCE_CONTAMINATION,
|
||||
BLOCKER_MANUAL_BYPASS,
|
||||
})
|
||||
|
||||
# Mutation tasks that must invoke the shared anti-stomp preflight before
|
||||
# acting (issue #604 AC1). Every member must appear as a live task= kwarg
|
||||
# to verify_preflight_purity / _run_anti_stomp_preflight (or the review
|
||||
# anti_task map) in gitea_mcp_server.py. Inventory↔wiring tests fail if
|
||||
# a declared task is not wired.
|
||||
MUTATION_TASKS = frozenset({
|
||||
"create_issue",
|
||||
"comment_issue",
|
||||
"close_issue",
|
||||
"mark_issue",
|
||||
"lock_issue",
|
||||
"set_issue_labels",
|
||||
"create_label",
|
||||
"create_pr",
|
||||
"close_pr",
|
||||
"edit_pr",
|
||||
"commit_files",
|
||||
"gitea_commit_files",
|
||||
"delete_branch",
|
||||
"cleanup_merged_pr_branch",
|
||||
"cleanup_stale_claims",
|
||||
"reconcile_merged_cleanups",
|
||||
"reconcile_already_landed_pr",
|
||||
"reconcile_close_superseded_pr",
|
||||
"post_heartbeat",
|
||||
"acquire_reviewer_pr_lease",
|
||||
"gitea_acquire_reviewer_pr_lease",
|
||||
"adopt_merger_pr_lease",
|
||||
"review_pr",
|
||||
"submit_pr_review",
|
||||
"approve_pr",
|
||||
"request_changes_pr",
|
||||
"merge_pr",
|
||||
})
|
||||
|
||||
# Intentionally excluded from MUTATION_TASKS. Each has a dedicated
|
||||
# fail-closed gate that preserves decision-lock ownership, workflow-hash,
|
||||
# head-SHA, and repository consistency. Do not re-add without either
|
||||
# wiring shared preflight or updating this rationale (#604 Blocker B).
|
||||
DEDICATED_GATE_MUTATIONS: dict[str, str] = {
|
||||
"mark_final_review_decision": (
|
||||
"Local review-decision lock only. Enforced by session lock ownership, "
|
||||
"workflow-hash, expected head SHA, PR work lease, eligibility, and "
|
||||
"terminal-lock gates. No Gitea review POST; shared anti-stomp would "
|
||||
"duplicate without side-effect-ordering value."
|
||||
),
|
||||
"save_review_draft": (
|
||||
"Local session-state draft save with live PR head/base consistency "
|
||||
"checks. Not a Gitea review/merge mutation; dedicated head-SHA and "
|
||||
"worktree resolution gates apply."
|
||||
),
|
||||
"resume_review_draft": (
|
||||
"Live-state resume with terminal lock, lease ownership, head/base SHA, "
|
||||
"and parity checks. When submit=True, delegates to gitea_submit_pr_review "
|
||||
"which runs shared anti-stomp before the Gitea review POST."
|
||||
),
|
||||
"cleanup_stale_review_decision_lock": (
|
||||
"Moot-lock cleanup with identity match, live PR merged/closed proof, "
|
||||
"and reviewer capability gate (#594). Distinct from shared anti-stomp."
|
||||
),
|
||||
"gitea_cleanup_stale_review_decision_lock": (
|
||||
"Alias of cleanup_stale_review_decision_lock; dedicated #594 path."
|
||||
),
|
||||
"heartbeat_reviewer_pr_lease": (
|
||||
"Lease heartbeat posts via verify_preflight_purity(task='review_pr') "
|
||||
"plus in-session lease ownership checks; not a separate mutation class."
|
||||
),
|
||||
"release_reviewer_pr_lease": (
|
||||
"Lease release uses workspace binding + ownership checks; posts only "
|
||||
"when the session owns the active lease."
|
||||
),
|
||||
}
|
||||
|
||||
# Roles that must mutate from a branches/ worktree (not the control checkout).
|
||||
_BRANCHES_REQUIRED_ROLES = frozenset({"author"})
|
||||
|
||||
# Reviewer/merger mutations that require an owned lease + head pinning when
|
||||
# the caller supplies those facts.
|
||||
_LEASE_AWARE_TASKS = frozenset({
|
||||
"review_pr",
|
||||
"submit_pr_review",
|
||||
"approve_pr",
|
||||
"request_changes_pr",
|
||||
"merge_pr",
|
||||
"acquire_reviewer_pr_lease",
|
||||
"gitea_acquire_reviewer_pr_lease",
|
||||
"adopt_merger_pr_lease",
|
||||
})
|
||||
|
||||
_NEXT_ACTIONS: dict[str, str] = {
|
||||
BLOCKER_WRONG_REPO: (
|
||||
"Pass explicit org= and repo= matching the local git remote "
|
||||
"(e.g. org=Scaled-Tech-Consulting repo=Gitea-Tools) and retry."
|
||||
),
|
||||
BLOCKER_WRONG_ROLE: (
|
||||
"Call gitea_resolve_task_capability, switch to the required "
|
||||
"namespace/profile, re-verify with gitea_whoami, then retry."
|
||||
),
|
||||
BLOCKER_ROOT_CHECKOUT: (
|
||||
"Leave the root control checkout on clean master; create or switch "
|
||||
"to a session-owned worktree under branches/ and retry the mutation "
|
||||
"with worktree_path set."
|
||||
),
|
||||
BLOCKER_WRONG_WORKTREE: (
|
||||
"Create or bind a session-owned worktree under branches/, set "
|
||||
"worktree_path (or GITEA_ACTIVE_WORKTREE), and retry."
|
||||
),
|
||||
BLOCKER_FOREIGN_LEASE: (
|
||||
"Stop. Do not stomp a foreign lease. Wait for expiry, request "
|
||||
"takeover through the sanctioned path, or hand off to the owner."
|
||||
),
|
||||
BLOCKER_TERMINAL_LOCK: (
|
||||
"Stop. A terminal review-decision lock is active for this head. "
|
||||
"Do not re-approve/merge; follow the #332/#620 recovery path."
|
||||
),
|
||||
BLOCKER_HEAD_SHA: (
|
||||
"Re-fetch the live PR head with gitea_view_pr, re-pin "
|
||||
"expected_head_sha to the current head, re-validate, then retry."
|
||||
),
|
||||
BLOCKER_STALE_RUNTIME: (
|
||||
"Restart the Gitea MCP server so it reloads master's capability "
|
||||
"gates, re-run gitea_whoami + gitea_resolve_task_capability, then retry."
|
||||
),
|
||||
BLOCKER_WORKFLOW_HASH: (
|
||||
"Reload the canonical workflow via gitea_load_review_workflow, then "
|
||||
"rerun the full review-merge workflow from inventory (no approve/merge replay)."
|
||||
),
|
||||
BLOCKER_SOURCE_CONTAMINATION: (
|
||||
"Stop. Session is source-contaminated. Hand off to a reconciler for "
|
||||
"audit/clear; do not clear markers by deleting session-state files."
|
||||
),
|
||||
BLOCKER_MANUAL_BYPASS: (
|
||||
"Stop. Manual state/mtime/source-file bypass is forbidden. Use "
|
||||
"sanctioned MCP tools only; never delete or rewrite session-state "
|
||||
"or lock files by hand."
|
||||
),
|
||||
}
|
||||
|
||||
|
||||
def is_mutation_task(task: str | None) -> bool:
|
||||
"""True when *task* is in the #604 mutation set (normalized)."""
|
||||
name = (task or "").strip().lower().removeprefix("gitea_")
|
||||
if not name:
|
||||
return False
|
||||
if name in MUTATION_TASKS:
|
||||
return True
|
||||
# Accept gitea_ prefixed membership for aliases already in the set.
|
||||
return f"gitea_{name}" in MUTATION_TASKS
|
||||
|
||||
|
||||
def roles_compatible(active_role: str | None, required_role: str | None) -> bool:
|
||||
"""Whether *active_role* may perform a task that maps to *required_role*.
|
||||
|
||||
Exact match always passes. Reconcilers may run author-class mutations
|
||||
(comment/close/cleanup) that the capability map stamps as ``author`` —
|
||||
matching the long-standing reconciler exemption for control-checkout
|
||||
work. No other cross-role substitutions are allowed.
|
||||
|
||||
Capability-authorized multi-role tasks (e.g. reviewer holding
|
||||
``gitea.issue.comment`` for ``comment_issue``) are handled by
|
||||
:func:`authorization_compatible`, not by expanding this role matrix.
|
||||
"""
|
||||
active = (active_role or "").strip().lower()
|
||||
required = (required_role or "").strip().lower()
|
||||
if not active or not required:
|
||||
return True
|
||||
if active == required:
|
||||
return True
|
||||
if active == "reconciler" and required in {"author", "reconciler"}:
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def authorization_compatible(
|
||||
active_role: str | None,
|
||||
required_role: str | None,
|
||||
*,
|
||||
required_permission: str | None = None,
|
||||
allowed_operations: Any = None,
|
||||
) -> bool:
|
||||
"""Whether the active session may run a task given role *and* capability.
|
||||
|
||||
Order:
|
||||
|
||||
1. :func:`roles_compatible` (exact role or narrow reconciler→author).
|
||||
2. Capability possession: when *required_permission* is non-empty and
|
||||
present in *allowed_operations*, allow even if the nominal task role
|
||||
differs (e.g. reviewer/merger with ``gitea.issue.comment`` on
|
||||
``comment_issue`` / ``mark_issue`` / ``set_issue_labels`` /
|
||||
``lock_issue``).
|
||||
|
||||
Fail closed otherwise. This is **not** a broad reviewer→author or
|
||||
merger→author role rewrite: without the specific permission the check
|
||||
still denies. Missing *allowed_operations* when a permission is required
|
||||
also fails closed (callers must supply the live profile op list).
|
||||
"""
|
||||
if roles_compatible(active_role, required_role):
|
||||
return True
|
||||
perm = (required_permission or "").strip()
|
||||
if not perm:
|
||||
return False
|
||||
if allowed_operations is None:
|
||||
return False
|
||||
try:
|
||||
ops = {str(o).strip() for o in allowed_operations if o is not None}
|
||||
except TypeError:
|
||||
return False
|
||||
return perm in ops
|
||||
|
||||
|
||||
def _blocker(
|
||||
kind: str,
|
||||
reasons: list[str],
|
||||
*,
|
||||
exact_next_action: str | None = None,
|
||||
detail: dict | None = None,
|
||||
) -> dict[str, Any]:
|
||||
if kind not in BLOCKER_KINDS:
|
||||
raise ValueError(f"unknown anti-stomp blocker kind: {kind!r}")
|
||||
return {
|
||||
"kind": kind,
|
||||
"reasons": list(reasons),
|
||||
"exact_next_action": exact_next_action or _NEXT_ACTIONS[kind],
|
||||
"detail": dict(detail or {}),
|
||||
}
|
||||
|
||||
|
||||
def _allowed_result(checks: dict[str, Any]) -> dict[str, Any]:
|
||||
return {
|
||||
"allowed": True,
|
||||
"block": False,
|
||||
"blockers": [],
|
||||
"reasons": [],
|
||||
"exact_next_action": "proceed",
|
||||
"blocker_kind": None,
|
||||
"checks": checks,
|
||||
}
|
||||
|
||||
|
||||
def _blocked_result(
|
||||
blockers: list[dict[str, Any]],
|
||||
checks: dict[str, Any],
|
||||
) -> dict[str, Any]:
|
||||
primary = blockers[0]
|
||||
all_reasons: list[str] = []
|
||||
for b in blockers:
|
||||
for r in b.get("reasons") or []:
|
||||
if r not in all_reasons:
|
||||
all_reasons.append(r)
|
||||
return {
|
||||
"allowed": False,
|
||||
"block": True,
|
||||
"blockers": blockers,
|
||||
"reasons": all_reasons,
|
||||
"exact_next_action": primary["exact_next_action"],
|
||||
"blocker_kind": primary["kind"],
|
||||
"checks": checks,
|
||||
}
|
||||
|
||||
|
||||
def assess_anti_stomp_preflight(
|
||||
*,
|
||||
task: str | None = None,
|
||||
# repo/org
|
||||
remote: str | None = None,
|
||||
resolved_org: str | None = None,
|
||||
resolved_repo: str | None = None,
|
||||
local_remote_url: str | None = None,
|
||||
org_explicit: bool = False,
|
||||
repo_explicit: bool = False,
|
||||
check_repo: bool = True,
|
||||
# profile/role + capability
|
||||
profile_name: str | None = None,
|
||||
profile_role: str | None = None,
|
||||
required_role: str | None = None,
|
||||
required_permission: str | None = None,
|
||||
allowed_operations: Any = None,
|
||||
check_role: bool = True,
|
||||
# root checkout + worktree
|
||||
workspace_path: str | None = None,
|
||||
project_root: str | None = None,
|
||||
current_branch: str | None = None,
|
||||
root_head_sha: str | None = None,
|
||||
root_porcelain: str | None = None,
|
||||
remote_master_sha: str | None = None,
|
||||
check_root_checkout: bool = True,
|
||||
check_worktree: bool = True,
|
||||
# stale runtime (master parity)
|
||||
startup_head: str | None = None,
|
||||
current_code_head: str | None = None,
|
||||
check_stale_runtime: bool = True,
|
||||
# lease ownership
|
||||
lease_required: bool = False,
|
||||
foreign_lease: bool | None = None,
|
||||
lease_owner_session: str | None = None,
|
||||
active_session_id: str | None = None,
|
||||
lease_owner_identity: str | None = None,
|
||||
active_identity: str | None = None,
|
||||
lease_reasons: list[str] | None = None,
|
||||
# terminal lock
|
||||
terminal_lock_blocks: bool | None = None,
|
||||
terminal_lock_reasons: list[str] | None = None,
|
||||
# expected head SHA
|
||||
require_head_sha: bool = False,
|
||||
expected_head_sha: str | None = None,
|
||||
live_head_sha: str | None = None,
|
||||
# workflow hash
|
||||
workflow_hash_valid: bool | None = None,
|
||||
workflow_hash_reasons: list[str] | None = None,
|
||||
# source contamination (stable-branch push / approval contamination)
|
||||
source_contaminated: bool | None = None,
|
||||
contamination_reasons: list[str] | None = None,
|
||||
# manual bypass
|
||||
manual_bypass_attempted: bool = False,
|
||||
manual_bypass_reasons: list[str] | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Fail-closed common anti-stomp assessment (pure).
|
||||
|
||||
Only checks for which facts are supplied (or which are required by the
|
||||
mutation category) are evaluated. Unsupplied optional facts are recorded
|
||||
as ``skipped`` so callers can see coverage without inventing defaults.
|
||||
|
||||
Returns a structured dict with ``allowed``/``block``, typed ``blockers``,
|
||||
aggregated ``reasons``, ``exact_next_action``, and per-check ``checks``.
|
||||
"""
|
||||
task_name = (task or "").strip()
|
||||
role = (profile_role or "").strip().lower() or None
|
||||
req_role = (required_role or "").strip().lower() or None
|
||||
req_perm = (required_permission or "").strip() or None
|
||||
checks: dict[str, Any] = {
|
||||
"task": task_name or None,
|
||||
"profile_name": profile_name,
|
||||
"profile_role": role,
|
||||
"required_role": req_role,
|
||||
"required_permission": req_perm,
|
||||
}
|
||||
blockers: list[dict[str, Any]] = []
|
||||
|
||||
# ── manual bypass (always first; never skippable when attempted) ─────────
|
||||
if manual_bypass_attempted:
|
||||
reasons = list(manual_bypass_reasons or [
|
||||
"manual state/mtime/source-file bypass attempt detected (fail closed)"
|
||||
])
|
||||
blockers.append(_blocker(BLOCKER_MANUAL_BYPASS, reasons))
|
||||
checks["manual_bypass"] = {"block": True, "reasons": reasons}
|
||||
else:
|
||||
checks["manual_bypass"] = {"block": False, "skipped": False}
|
||||
|
||||
# ── repo/org ─────────────────────────────────────────────────────────────
|
||||
if check_repo and resolved_org is not None and resolved_repo is not None:
|
||||
repo_assessment = remote_repo_guard.assess_remote_repo_match(
|
||||
remote=remote or "",
|
||||
resolved_org=resolved_org,
|
||||
resolved_repo=resolved_repo,
|
||||
local_remote_url=local_remote_url,
|
||||
org_explicit=org_explicit,
|
||||
repo_explicit=repo_explicit,
|
||||
)
|
||||
checks["repo"] = {
|
||||
"block": bool(repo_assessment.get("block")),
|
||||
"reasons": list(repo_assessment.get("reasons") or []),
|
||||
"resolved_org": resolved_org,
|
||||
"resolved_repo": resolved_repo,
|
||||
}
|
||||
if repo_assessment.get("block"):
|
||||
blockers.append(
|
||||
_blocker(
|
||||
BLOCKER_WRONG_REPO,
|
||||
list(repo_assessment.get("reasons") or ["repo/org mismatch"]),
|
||||
detail={
|
||||
"resolved_org": resolved_org,
|
||||
"resolved_repo": resolved_repo,
|
||||
"local_remote_url": local_remote_url,
|
||||
},
|
||||
)
|
||||
)
|
||||
else:
|
||||
checks["repo"] = {"block": False, "skipped": True}
|
||||
|
||||
# ── profile/role + capability ────────────────────────────────────────────
|
||||
# Role match OR possession of the task's required permission (Blocker A).
|
||||
# Reviewer/merger may run issue-comment-class tasks when they hold
|
||||
# gitea.issue.comment; unauthorized escalation without the permission
|
||||
# still fails closed.
|
||||
if check_role and req_role and role:
|
||||
authorized = authorization_compatible(
|
||||
role,
|
||||
req_role,
|
||||
required_permission=req_perm,
|
||||
allowed_operations=allowed_operations,
|
||||
)
|
||||
if not authorized:
|
||||
perm_clause = (
|
||||
f", required_permission='{req_perm}'" if req_perm else ""
|
||||
)
|
||||
reasons = [
|
||||
f"active profile role '{role}' is not authorized for task "
|
||||
f"'{task_name or '(unknown)'}' (required_role='{req_role}'"
|
||||
f"{perm_clause}; profile={profile_name or '(unknown)'})"
|
||||
]
|
||||
checks["role"] = {
|
||||
"block": True,
|
||||
"reasons": reasons,
|
||||
"required_permission": req_perm,
|
||||
"capability_authorized": False,
|
||||
}
|
||||
blockers.append(
|
||||
_blocker(
|
||||
BLOCKER_WRONG_ROLE,
|
||||
reasons,
|
||||
detail={
|
||||
"profile_name": profile_name,
|
||||
"profile_role": role,
|
||||
"required_role": req_role,
|
||||
"required_permission": req_perm,
|
||||
},
|
||||
)
|
||||
)
|
||||
else:
|
||||
checks["role"] = {
|
||||
"block": False,
|
||||
"reasons": [],
|
||||
"required_permission": req_perm,
|
||||
"capability_authorized": bool(
|
||||
req_perm
|
||||
and allowed_operations is not None
|
||||
and req_perm in {
|
||||
str(o).strip() for o in (allowed_operations or [])
|
||||
if o is not None
|
||||
}
|
||||
and not roles_compatible(role, req_role)
|
||||
),
|
||||
}
|
||||
else:
|
||||
checks["role"] = {"block": False, "skipped": True}
|
||||
|
||||
# ── stale runtime (master parity) ────────────────────────────────────────
|
||||
if check_stale_runtime and (
|
||||
startup_head is not None or current_code_head is not None
|
||||
):
|
||||
parity = master_parity_gate.assess_master_parity(
|
||||
{"startup_head": startup_head},
|
||||
current_code_head,
|
||||
)
|
||||
stale_reasons = master_parity_gate.parity_block_reasons(parity)
|
||||
checks["stale_runtime"] = {
|
||||
"block": bool(stale_reasons),
|
||||
"reasons": list(stale_reasons),
|
||||
"startup_head": startup_head,
|
||||
"current_code_head": current_code_head,
|
||||
"stale": bool(parity.get("stale")),
|
||||
}
|
||||
if stale_reasons:
|
||||
blockers.append(
|
||||
_blocker(
|
||||
BLOCKER_STALE_RUNTIME,
|
||||
list(stale_reasons),
|
||||
detail={
|
||||
"startup_head": startup_head,
|
||||
"current_code_head": current_code_head,
|
||||
},
|
||||
)
|
||||
)
|
||||
else:
|
||||
checks["stale_runtime"] = {"block": False, "skipped": True}
|
||||
|
||||
# ── root checkout ────────────────────────────────────────────────────────
|
||||
if (
|
||||
check_root_checkout
|
||||
and workspace_path is not None
|
||||
and project_root is not None
|
||||
and root_porcelain is not None
|
||||
):
|
||||
root_assessment = root_checkout_guard.assess_root_checkout_guard(
|
||||
workspace_path=workspace_path,
|
||||
canonical_repo_root=project_root,
|
||||
current_branch=current_branch,
|
||||
head_sha=root_head_sha,
|
||||
porcelain_status=root_porcelain,
|
||||
remote_master_sha=remote_master_sha,
|
||||
resolved_role=req_role or role,
|
||||
actual_role=role,
|
||||
)
|
||||
checks["root_checkout"] = {
|
||||
"block": bool(root_assessment.get("block")),
|
||||
"reasons": list(root_assessment.get("reasons") or []),
|
||||
}
|
||||
if root_assessment.get("block"):
|
||||
blockers.append(
|
||||
_blocker(
|
||||
BLOCKER_ROOT_CHECKOUT,
|
||||
list(root_assessment.get("reasons") or [
|
||||
"control checkout is not clean master"
|
||||
]),
|
||||
detail={
|
||||
"workspace_path": workspace_path,
|
||||
"project_root": project_root,
|
||||
"current_branch": current_branch,
|
||||
},
|
||||
)
|
||||
)
|
||||
else:
|
||||
checks["root_checkout"] = {"block": False, "skipped": True}
|
||||
|
||||
# ── worktree under branches (author) ─────────────────────────────────────
|
||||
worktree_role = role or req_role
|
||||
if (
|
||||
check_worktree
|
||||
and workspace_path is not None
|
||||
and project_root is not None
|
||||
and worktree_role in _BRANCHES_REQUIRED_ROLES
|
||||
):
|
||||
wt = author_mutation_worktree.assess_author_mutation_worktree(
|
||||
workspace_path=workspace_path,
|
||||
project_root=project_root,
|
||||
current_branch=current_branch,
|
||||
)
|
||||
checks["worktree"] = {
|
||||
"block": bool(wt.get("block")),
|
||||
"reasons": list(wt.get("reasons") or []),
|
||||
"under_branches": wt.get("under_branches"),
|
||||
}
|
||||
if wt.get("block"):
|
||||
blockers.append(
|
||||
_blocker(
|
||||
BLOCKER_WRONG_WORKTREE,
|
||||
list(wt.get("reasons") or [
|
||||
"mutation worktree is not under branches/"
|
||||
]),
|
||||
detail={
|
||||
"workspace_path": workspace_path,
|
||||
"project_root": project_root,
|
||||
},
|
||||
)
|
||||
)
|
||||
else:
|
||||
checks["worktree"] = {
|
||||
"block": False,
|
||||
"skipped": worktree_role not in _BRANCHES_REQUIRED_ROLES
|
||||
or workspace_path is None,
|
||||
}
|
||||
|
||||
# ── foreign lease ────────────────────────────────────────────────────────
|
||||
lease_needed = lease_required or (
|
||||
task_name.removeprefix("gitea_") in {
|
||||
t.removeprefix("gitea_") for t in _LEASE_AWARE_TASKS
|
||||
}
|
||||
and foreign_lease is not None
|
||||
)
|
||||
if lease_needed or foreign_lease is True:
|
||||
is_foreign = bool(foreign_lease)
|
||||
if foreign_lease is None and lease_required:
|
||||
# Ownership must be proven when lease_required; missing ownership
|
||||
# facts fail closed.
|
||||
owner_ok = (
|
||||
(not lease_owner_session and not active_session_id)
|
||||
or (
|
||||
lease_owner_session
|
||||
and active_session_id
|
||||
and lease_owner_session == active_session_id
|
||||
)
|
||||
)
|
||||
identity_ok = (
|
||||
(not lease_owner_identity and not active_identity)
|
||||
or (
|
||||
lease_owner_identity
|
||||
and active_identity
|
||||
and lease_owner_identity == active_identity
|
||||
)
|
||||
)
|
||||
if not owner_ok or not identity_ok:
|
||||
is_foreign = True
|
||||
reasons = list(lease_reasons or [])
|
||||
if is_foreign and not reasons:
|
||||
reasons = [
|
||||
"active lease is owned by a foreign session or identity "
|
||||
"(anti-stomp fail closed)"
|
||||
]
|
||||
checks["lease"] = {
|
||||
"block": is_foreign,
|
||||
"reasons": reasons if is_foreign else [],
|
||||
"lease_owner_session": lease_owner_session,
|
||||
"active_session_id": active_session_id,
|
||||
}
|
||||
if is_foreign:
|
||||
blockers.append(
|
||||
_blocker(BLOCKER_FOREIGN_LEASE, reasons)
|
||||
)
|
||||
else:
|
||||
checks["lease"] = {"block": False, "skipped": True}
|
||||
|
||||
# ── terminal lock ────────────────────────────────────────────────────────
|
||||
if terminal_lock_blocks is not None:
|
||||
reasons = list(terminal_lock_reasons or [])
|
||||
if terminal_lock_blocks and not reasons:
|
||||
reasons = [
|
||||
"terminal review-decision lock is active for this head "
|
||||
"(anti-stomp fail closed)"
|
||||
]
|
||||
checks["terminal_lock"] = {
|
||||
"block": bool(terminal_lock_blocks),
|
||||
"reasons": reasons if terminal_lock_blocks else [],
|
||||
}
|
||||
if terminal_lock_blocks:
|
||||
blockers.append(_blocker(BLOCKER_TERMINAL_LOCK, reasons))
|
||||
else:
|
||||
checks["terminal_lock"] = {"block": False, "skipped": True}
|
||||
|
||||
# ── expected head SHA ────────────────────────────────────────────────────
|
||||
if require_head_sha or (
|
||||
expected_head_sha is not None and live_head_sha is not None
|
||||
):
|
||||
exp = (expected_head_sha or "").strip().lower()
|
||||
live = (live_head_sha or "").strip().lower()
|
||||
mismatch = False
|
||||
reasons: list[str] = []
|
||||
if require_head_sha and not exp:
|
||||
mismatch = True
|
||||
reasons.append(
|
||||
"expected_head_sha is required before this mutation "
|
||||
"(anti-stomp fail closed)"
|
||||
)
|
||||
elif exp and live and exp != live:
|
||||
mismatch = True
|
||||
reasons.append(
|
||||
f"expected_head_sha '{exp}' does not match live PR head "
|
||||
f"'{live}' (anti-stomp fail closed; stale prompt data)"
|
||||
)
|
||||
elif require_head_sha and exp and not live:
|
||||
mismatch = True
|
||||
reasons.append(
|
||||
"live PR head SHA could not be determined to corroborate "
|
||||
"expected_head_sha (anti-stomp fail closed)"
|
||||
)
|
||||
checks["head_sha"] = {
|
||||
"block": mismatch,
|
||||
"reasons": reasons,
|
||||
"expected_head_sha": expected_head_sha,
|
||||
"live_head_sha": live_head_sha,
|
||||
}
|
||||
if mismatch:
|
||||
blockers.append(_blocker(BLOCKER_HEAD_SHA, reasons))
|
||||
else:
|
||||
checks["head_sha"] = {"block": False, "skipped": True}
|
||||
|
||||
# ── workflow hash ────────────────────────────────────────────────────────
|
||||
if workflow_hash_valid is not None:
|
||||
reasons = list(workflow_hash_reasons or [])
|
||||
if not workflow_hash_valid and not reasons:
|
||||
reasons = [
|
||||
"workflow load proof missing or hash stale "
|
||||
"(anti-stomp fail closed)"
|
||||
]
|
||||
checks["workflow_hash"] = {
|
||||
"block": not bool(workflow_hash_valid),
|
||||
"reasons": reasons if not workflow_hash_valid else [],
|
||||
}
|
||||
if not workflow_hash_valid:
|
||||
blockers.append(_blocker(BLOCKER_WORKFLOW_HASH, reasons))
|
||||
else:
|
||||
checks["workflow_hash"] = {"block": False, "skipped": True}
|
||||
|
||||
# ── source contamination ─────────────────────────────────────────────────
|
||||
if source_contaminated is not None:
|
||||
reasons = list(contamination_reasons or [])
|
||||
if source_contaminated and not reasons:
|
||||
reasons = [
|
||||
"session is source-contaminated (stable-branch push or "
|
||||
"contaminated approval path); anti-stomp fail closed"
|
||||
]
|
||||
checks["source_contamination"] = {
|
||||
"block": bool(source_contaminated),
|
||||
"reasons": reasons if source_contaminated else [],
|
||||
}
|
||||
if source_contaminated:
|
||||
blockers.append(
|
||||
_blocker(BLOCKER_SOURCE_CONTAMINATION, reasons)
|
||||
)
|
||||
else:
|
||||
checks["source_contamination"] = {"block": False, "skipped": True}
|
||||
|
||||
if blockers:
|
||||
return _blocked_result(blockers, checks)
|
||||
return _allowed_result(checks)
|
||||
|
||||
|
||||
def format_anti_stomp_error(assessment: dict[str, Any]) -> str:
|
||||
"""Single RuntimeError message for MCP mutation gates."""
|
||||
kind = assessment.get("blocker_kind") or "unknown"
|
||||
reasons = "; ".join(
|
||||
assessment.get("reasons")
|
||||
or ["anti-stomp preflight blocked the mutation"]
|
||||
)
|
||||
next_action = assessment.get("exact_next_action") or "stop and diagnose"
|
||||
return (
|
||||
f"Anti-stomp preflight (#604) blocked mutation "
|
||||
f"[{kind}]: {reasons}. "
|
||||
f"exact_next_action: {next_action}"
|
||||
)
|
||||
|
||||
|
||||
def block_response(
|
||||
assessment: dict[str, Any],
|
||||
**extra_fields: Any,
|
||||
) -> dict[str, Any]:
|
||||
"""Structured tool-return payload for a blocked mutation."""
|
||||
payload = {
|
||||
"success": False,
|
||||
"performed": False,
|
||||
"blocked": True,
|
||||
"anti_stomp": True,
|
||||
"blocker_kind": assessment.get("blocker_kind"),
|
||||
"blockers": list(assessment.get("blockers") or []),
|
||||
"reasons": list(assessment.get("reasons") or []),
|
||||
"exact_next_action": assessment.get("exact_next_action"),
|
||||
"checks": assessment.get("checks") or {},
|
||||
}
|
||||
payload.update(extra_fields)
|
||||
return payload
|
||||
|
||||
|
||||
def contamination_from_stable_marker(
|
||||
marker: dict | None,
|
||||
*,
|
||||
task: str | None,
|
||||
actual_role: str | None,
|
||||
) -> tuple[bool, list[str]]:
|
||||
"""Derive source-contamination facts from a #671 durable marker."""
|
||||
if not marker:
|
||||
return False, []
|
||||
gate = stable_branch_push_guard.assess_contamination_gate(
|
||||
marker,
|
||||
task=task,
|
||||
actual_role=actual_role,
|
||||
)
|
||||
if gate.get("block"):
|
||||
return True, list(gate.get("reasons") or [])
|
||||
return False, []
|
||||
+625
-25
@@ -11,9 +11,9 @@ Implements the durable coordination store described by
|
||||
shared Postgres or single allocator daemon can replace the connection
|
||||
layer later without changing call sites.
|
||||
|
||||
This module is the **substrate** for #600 (allocator policy/tool) and #612
|
||||
(incident bridge). It does **not** implement ``gitea_allocate_next_work``
|
||||
routing policy or provider adapters.
|
||||
This module is the **substrate** for #600 (allocator policy/tool), #601
|
||||
(first-class lease lifecycle), and #612 (incident bridge). It does **not**
|
||||
implement ``gitea_allocate_next_work`` routing policy or provider adapters.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
@@ -29,7 +29,7 @@ from dataclasses import dataclass
|
||||
from datetime import datetime, timedelta, timezone
|
||||
from typing import Any, Iterator, Sequence
|
||||
|
||||
SCHEMA_VERSION = 2
|
||||
SCHEMA_VERSION = 3
|
||||
|
||||
# Assignable work kinds only — raw monitoring incidents are never work items.
|
||||
WORK_KINDS = frozenset({"issue", "pr"})
|
||||
@@ -301,6 +301,7 @@ class ControlPlaneDB:
|
||||
try:
|
||||
conn.executescript(_SCHEMA_SQL)
|
||||
self._migrate_incident_links_null_scope(conn)
|
||||
self._migrate_lease_lifecycle_columns(conn)
|
||||
conn.execute(
|
||||
"INSERT OR REPLACE INTO schema_meta(key, value) VALUES (?, ?)",
|
||||
("schema_version", str(SCHEMA_VERSION)),
|
||||
@@ -604,6 +605,8 @@ class ControlPlaneDB:
|
||||
lease_ttl_seconds: int = DEFAULT_LEASE_TTL_SECONDS,
|
||||
phase: str = "claimed",
|
||||
now: datetime | None = None,
|
||||
worktree_path: str | None = None,
|
||||
owner_pid: int | None = None,
|
||||
) -> AssignmentResult:
|
||||
"""Atomically create assignment + lease for one Gitea work item.
|
||||
|
||||
@@ -746,6 +749,32 @@ class ControlPlaneDB:
|
||||
""",
|
||||
(lease_id, work_item_id, session_id, role, phase, expires, now_s),
|
||||
)
|
||||
# #601 optional lifecycle columns (present after schema v3 migration)
|
||||
try:
|
||||
lcols = {
|
||||
r[1]
|
||||
for r in conn.execute("PRAGMA table_info(leases)").fetchall()
|
||||
}
|
||||
if "worktree_path" in lcols and worktree_path:
|
||||
conn.execute(
|
||||
"UPDATE leases SET worktree_path = ? WHERE lease_id = ?",
|
||||
(worktree_path, lease_id),
|
||||
)
|
||||
if "owner_pid" in lcols:
|
||||
conn.execute(
|
||||
"UPDATE leases SET owner_pid = ? WHERE lease_id = ?",
|
||||
(
|
||||
owner_pid if owner_pid is not None else os.getpid(),
|
||||
lease_id,
|
||||
),
|
||||
)
|
||||
if "expected_head_sha" in lcols and expected_head_sha:
|
||||
conn.execute(
|
||||
"UPDATE leases SET expected_head_sha = ? WHERE lease_id = ?",
|
||||
(expected_head_sha, lease_id),
|
||||
)
|
||||
except sqlite3.Error:
|
||||
pass
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO assignments(
|
||||
@@ -876,32 +905,15 @@ class ControlPlaneDB:
|
||||
}
|
||||
|
||||
def release_lease(self, lease_id: str, *, session_id: str) -> None:
|
||||
with self._tx() as conn:
|
||||
"""Release a lease; unknown ids are no-ops for backward compatibility."""
|
||||
with self._tx(immediate=False) as conn:
|
||||
row = conn.execute(
|
||||
"SELECT * FROM leases WHERE lease_id = ?",
|
||||
"SELECT lease_id FROM leases WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
).fetchone()
|
||||
if not row:
|
||||
return
|
||||
if row["session_id"] != session_id:
|
||||
raise ForeignLeaseError(
|
||||
f"cannot release lease {lease_id} owned by {row['session_id']}"
|
||||
)
|
||||
conn.execute(
|
||||
"UPDATE leases SET status = 'released' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
conn.execute(
|
||||
"UPDATE assignments SET status = 'released' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO events(work_item_id, event_type, message, created_at)
|
||||
VALUES (?, 'lease_released', ?, ?)
|
||||
""",
|
||||
(row["work_item_id"], f"session {session_id} released {lease_id}", _ts()),
|
||||
)
|
||||
self.release_lease_recorded(lease_id, session_id=session_id)
|
||||
|
||||
def require_valid_assignment(
|
||||
self,
|
||||
@@ -1149,3 +1161,591 @@ class ControlPlaneDB:
|
||||
(gitea_org, gitea_repo, int(gitea_issue_number)),
|
||||
).fetchone()
|
||||
return dict(row) if row else None
|
||||
|
||||
def get_incident_link_by_provider(
|
||||
self,
|
||||
*,
|
||||
provider: str,
|
||||
provider_issue_id: str,
|
||||
provider_base_url: str | None = None,
|
||||
provider_org: str | None = None,
|
||||
provider_project: str | None = None,
|
||||
) -> dict[str, Any] | None:
|
||||
"""Lookup canonical incident_links row by provider key (#612 / #613)."""
|
||||
base_url = _norm_scope(provider_base_url)
|
||||
p_org = _norm_scope(provider_org)
|
||||
p_project = _norm_scope(provider_project)
|
||||
with self._tx(immediate=False) as conn:
|
||||
row = conn.execute(
|
||||
"""
|
||||
SELECT * FROM incident_links
|
||||
WHERE provider = ?
|
||||
AND provider_base_url = ?
|
||||
AND provider_org = ?
|
||||
AND provider_project = ?
|
||||
AND provider_issue_id = ?
|
||||
LIMIT 1
|
||||
""",
|
||||
(provider, base_url, p_org, p_project, str(provider_issue_id)),
|
||||
).fetchone()
|
||||
return dict(row) if row else None
|
||||
|
||||
|
||||
# ── lease lifecycle (#601) ────────────────────────────────────────────
|
||||
|
||||
_LEASE_LIFECYCLE_COLUMNS: tuple[tuple[str, str], ...] = (
|
||||
("worktree_path", "TEXT"),
|
||||
("owner_pid", "INTEGER"),
|
||||
("expected_head_sha", "TEXT"),
|
||||
("adopted_from_session_id", "TEXT"),
|
||||
("adopted_by_session_id", "TEXT"),
|
||||
("provenance_json", "TEXT"),
|
||||
("abandon_proof_json", "TEXT"),
|
||||
)
|
||||
|
||||
def _migrate_lease_lifecycle_columns(self, conn: sqlite3.Connection) -> None:
|
||||
"""Add provenance/worktree columns to leases for first-class lifecycle (#601)."""
|
||||
cols = {
|
||||
row[1]
|
||||
for row in conn.execute("PRAGMA table_info(leases)").fetchall()
|
||||
}
|
||||
if not cols:
|
||||
return
|
||||
for name, decl in self._LEASE_LIFECYCLE_COLUMNS:
|
||||
if name not in cols:
|
||||
conn.execute(f"ALTER TABLE leases ADD COLUMN {name} {decl}")
|
||||
|
||||
def _lease_columns(self, conn: sqlite3.Connection) -> set[str]:
|
||||
return {
|
||||
row[1]
|
||||
for row in conn.execute("PRAGMA table_info(leases)").fetchall()
|
||||
}
|
||||
|
||||
def list_leases(
|
||||
self,
|
||||
*,
|
||||
remote: str | None = None,
|
||||
org: str | None = None,
|
||||
repo: str | None = None,
|
||||
role: str | None = None,
|
||||
statuses: Sequence[str] | None = None,
|
||||
limit: int = 100,
|
||||
) -> list[dict[str, Any]]:
|
||||
"""List leases joined with work_items as first-class workflow state."""
|
||||
clauses: list[str] = []
|
||||
params: list[Any] = []
|
||||
if remote:
|
||||
clauses.append("w.remote = ?")
|
||||
params.append(remote)
|
||||
if org:
|
||||
clauses.append("w.org = ?")
|
||||
params.append(org)
|
||||
if repo:
|
||||
clauses.append("w.repo = ?")
|
||||
params.append(repo)
|
||||
if role:
|
||||
clauses.append("l.role = ?")
|
||||
params.append(role)
|
||||
if statuses:
|
||||
placeholders = ", ".join("?" for _ in statuses)
|
||||
clauses.append(f"l.status IN ({placeholders})")
|
||||
params.extend(statuses)
|
||||
where = ("WHERE " + " AND ".join(clauses)) if clauses else ""
|
||||
sql = f"""
|
||||
SELECT l.*, w.remote, w.org, w.repo, w.kind AS work_kind,
|
||||
w.number AS work_number, w.state AS work_state,
|
||||
w.current_head_sha AS work_head_sha,
|
||||
s.pid AS session_pid, s.profile AS session_profile,
|
||||
s.status AS session_status
|
||||
FROM leases l
|
||||
JOIN work_items w ON w.work_item_id = l.work_item_id
|
||||
LEFT JOIN sessions s ON s.session_id = l.session_id
|
||||
{where}
|
||||
ORDER BY l.expires_at DESC
|
||||
LIMIT ?
|
||||
"""
|
||||
params.append(max(1, int(limit)))
|
||||
with self._tx(immediate=False) as conn:
|
||||
rows = conn.execute(sql, params).fetchall()
|
||||
return [dict(r) for r in rows]
|
||||
|
||||
def get_lease_workflow_state(self, lease_id: str) -> dict[str, Any] | None:
|
||||
"""Return lease + assignment + work_item + session for one lease id."""
|
||||
with self._tx(immediate=False) as conn:
|
||||
lease = conn.execute(
|
||||
"SELECT * FROM leases WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
).fetchone()
|
||||
if not lease:
|
||||
return None
|
||||
work = conn.execute(
|
||||
"SELECT * FROM work_items WHERE work_item_id = ?",
|
||||
(lease["work_item_id"],),
|
||||
).fetchone()
|
||||
asn = conn.execute(
|
||||
"""
|
||||
SELECT * FROM assignments
|
||||
WHERE lease_id = ?
|
||||
ORDER BY created_at DESC LIMIT 1
|
||||
""",
|
||||
(lease_id,),
|
||||
).fetchone()
|
||||
sess = conn.execute(
|
||||
"SELECT * FROM sessions WHERE session_id = ?",
|
||||
(lease["session_id"],),
|
||||
).fetchone()
|
||||
provenance = None
|
||||
if "provenance_json" in lease.keys() and lease["provenance_json"]:
|
||||
try:
|
||||
provenance = json.loads(lease["provenance_json"])
|
||||
except (TypeError, json.JSONDecodeError):
|
||||
provenance = {"raw": lease["provenance_json"]}
|
||||
return {
|
||||
"lease": dict(lease),
|
||||
"work_item": dict(work) if work else None,
|
||||
"assignment": dict(asn) if asn else None,
|
||||
"session": dict(sess) if sess else None,
|
||||
"provenance": provenance,
|
||||
}
|
||||
|
||||
def attach_lease_provenance(
|
||||
self, lease_id: str, provenance: dict[str, Any]
|
||||
) -> None:
|
||||
payload = json.dumps(provenance)
|
||||
with self._tx() as conn:
|
||||
cols = self._lease_columns(conn)
|
||||
if "provenance_json" not in cols:
|
||||
return
|
||||
conn.execute(
|
||||
"UPDATE leases SET provenance_json = ? WHERE lease_id = ?",
|
||||
(payload, lease_id),
|
||||
)
|
||||
if provenance.get("adopted_from_session_id") and "adopted_from_session_id" in cols:
|
||||
conn.execute(
|
||||
"""
|
||||
UPDATE leases
|
||||
SET adopted_from_session_id = ?, adopted_by_session_id = ?
|
||||
WHERE lease_id = ?
|
||||
""",
|
||||
(
|
||||
provenance.get("adopted_from_session_id"),
|
||||
provenance.get("adopted_by_session_id"),
|
||||
lease_id,
|
||||
),
|
||||
)
|
||||
if provenance.get("worktree_path") and "worktree_path" in cols:
|
||||
conn.execute(
|
||||
"UPDATE leases SET worktree_path = ? WHERE lease_id = ?",
|
||||
(provenance.get("worktree_path"), lease_id),
|
||||
)
|
||||
if provenance.get("expected_head_sha") and "expected_head_sha" in cols:
|
||||
conn.execute(
|
||||
"UPDATE leases SET expected_head_sha = ? WHERE lease_id = ?",
|
||||
(provenance.get("expected_head_sha"), lease_id),
|
||||
)
|
||||
|
||||
def release_lease_recorded(
|
||||
self, lease_id: str, *, session_id: str
|
||||
) -> dict[str, Any]:
|
||||
"""Explicit release with audit event + provenance proof (#601)."""
|
||||
now_s = _ts()
|
||||
with self._tx() as conn:
|
||||
row = conn.execute(
|
||||
"SELECT * FROM leases WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
).fetchone()
|
||||
if not row:
|
||||
raise ControlPlaneError(f"unknown lease_id {lease_id}")
|
||||
if row["session_id"] != session_id:
|
||||
raise ForeignLeaseError(
|
||||
f"cannot release lease {lease_id} owned by {row['session_id']}"
|
||||
)
|
||||
if row["status"] not in ("active", "expired"):
|
||||
# idempotent-ish for already released
|
||||
if row["status"] == "released":
|
||||
return {
|
||||
"lease_id": lease_id,
|
||||
"status": "released",
|
||||
"session_id": session_id,
|
||||
"released_at": now_s,
|
||||
"idempotent": True,
|
||||
}
|
||||
conn.execute(
|
||||
"UPDATE leases SET status = 'released' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
conn.execute(
|
||||
"UPDATE assignments SET status = 'released' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
proof = {
|
||||
"lease_id": lease_id,
|
||||
"status": "released",
|
||||
"session_id": session_id,
|
||||
"released_at": now_s,
|
||||
"prior_status": row["status"],
|
||||
"work_item_id": row["work_item_id"],
|
||||
}
|
||||
cols = self._lease_columns(conn)
|
||||
if "provenance_json" in cols:
|
||||
prior = {}
|
||||
if row["provenance_json"]:
|
||||
try:
|
||||
prior = json.loads(row["provenance_json"])
|
||||
except (TypeError, json.JSONDecodeError):
|
||||
prior = {}
|
||||
prior["last_release"] = proof
|
||||
conn.execute(
|
||||
"UPDATE leases SET provenance_json = ? WHERE lease_id = ?",
|
||||
(json.dumps(prior), lease_id),
|
||||
)
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO events(work_item_id, event_type, message, created_at)
|
||||
VALUES (?, 'lease_released', ?, ?)
|
||||
""",
|
||||
(
|
||||
row["work_item_id"],
|
||||
f"session {session_id} released {lease_id}",
|
||||
now_s,
|
||||
),
|
||||
)
|
||||
return proof
|
||||
|
||||
def force_expire_lease(self, lease_id: str, *, reason: str = "") -> None:
|
||||
now_s = _ts()
|
||||
with self._tx() as conn:
|
||||
row = conn.execute(
|
||||
"SELECT * FROM leases WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
).fetchone()
|
||||
if not row:
|
||||
raise ControlPlaneError(f"unknown lease_id {lease_id}")
|
||||
conn.execute(
|
||||
"UPDATE leases SET status = 'expired' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
conn.execute(
|
||||
"UPDATE assignments SET status = 'expired' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO events(work_item_id, event_type, message, created_at)
|
||||
VALUES (?, 'lease_expired', ?, ?)
|
||||
""",
|
||||
(
|
||||
row["work_item_id"],
|
||||
f"lease {lease_id} force-expired: {reason or 'unspecified'}",
|
||||
now_s,
|
||||
),
|
||||
)
|
||||
|
||||
def abandon_lease(
|
||||
self,
|
||||
*,
|
||||
lease_id: str,
|
||||
requester_session_id: str,
|
||||
proof: dict[str, Any],
|
||||
) -> dict[str, Any]:
|
||||
now_s = _ts()
|
||||
with self._tx() as conn:
|
||||
row = conn.execute(
|
||||
"SELECT * FROM leases WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
).fetchone()
|
||||
if not row:
|
||||
raise ControlPlaneError(f"unknown lease_id {lease_id}")
|
||||
conn.execute(
|
||||
"UPDATE leases SET status = 'abandoned' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
conn.execute(
|
||||
"UPDATE assignments SET status = 'abandoned' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
cols = self._lease_columns(conn)
|
||||
if "abandon_proof_json" in cols:
|
||||
conn.execute(
|
||||
"UPDATE leases SET abandon_proof_json = ? WHERE lease_id = ?",
|
||||
(json.dumps(proof), lease_id),
|
||||
)
|
||||
msg = (
|
||||
f"session {requester_session_id} abandoned lease {lease_id} "
|
||||
f"(prior owner {row['session_id']})"
|
||||
)
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO events(work_item_id, event_type, message, created_at)
|
||||
VALUES (?, 'lease_abandoned', ?, ?)
|
||||
""",
|
||||
(row["work_item_id"], msg, now_s),
|
||||
)
|
||||
return {
|
||||
"lease_id": lease_id,
|
||||
"status": "abandoned",
|
||||
"prior_owner_session_id": row["session_id"],
|
||||
"requester_session_id": requester_session_id,
|
||||
"abandoned_at": now_s,
|
||||
"proof": proof,
|
||||
}
|
||||
|
||||
def adopt_lease(
|
||||
self,
|
||||
*,
|
||||
lease_id: str,
|
||||
adopter_session_id: str,
|
||||
role: str,
|
||||
worktree_path: str | None = None,
|
||||
expected_head_sha: str | None = None,
|
||||
owner_pid: int | None = None,
|
||||
provenance: dict[str, Any] | None = None,
|
||||
lease_ttl_seconds: int = DEFAULT_LEASE_TTL_SECONDS,
|
||||
) -> dict[str, Any]:
|
||||
"""Transfer or refresh a lease with provenance (#601).
|
||||
|
||||
* Same owner + active → refresh (owner-resume).
|
||||
* Expired/abandoned/released → create new assignment+lease with provenance.
|
||||
* Active foreign → raise ForeignLeaseError (never silent steal).
|
||||
"""
|
||||
now = _utc_now()
|
||||
now_s = _ts(now)
|
||||
expires = _ts(now + timedelta(seconds=int(lease_ttl_seconds)))
|
||||
provenance = provenance or {}
|
||||
|
||||
with self._tx(immediate=True) as conn:
|
||||
lease = conn.execute(
|
||||
"SELECT * FROM leases WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
).fetchone()
|
||||
if not lease:
|
||||
raise ControlPlaneError(f"unknown lease_id {lease_id}")
|
||||
work = conn.execute(
|
||||
"SELECT * FROM work_items WHERE work_item_id = ?",
|
||||
(lease["work_item_id"],),
|
||||
).fetchone()
|
||||
if not work:
|
||||
raise ControlPlaneError("lease has no work_item")
|
||||
|
||||
# Expire by time if needed
|
||||
exp = _parse_ts(lease["expires_at"])
|
||||
status = lease["status"]
|
||||
if status == "active" and exp and exp <= now:
|
||||
conn.execute(
|
||||
"UPDATE leases SET status = 'expired' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
conn.execute(
|
||||
"UPDATE assignments SET status = 'expired' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
status = "expired"
|
||||
|
||||
owner = lease["session_id"]
|
||||
if status == "active" and owner != adopter_session_id:
|
||||
raise ForeignLeaseError(
|
||||
f"cannot adopt active foreign lease {lease_id} owned by {owner}"
|
||||
)
|
||||
|
||||
# Ensure adopter session exists
|
||||
sess = conn.execute(
|
||||
"SELECT session_id FROM sessions WHERE session_id = ?",
|
||||
(adopter_session_id,),
|
||||
).fetchone()
|
||||
if not sess:
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO sessions(
|
||||
session_id, role, profile, namespace, pid,
|
||||
started_at, last_heartbeat_at, status
|
||||
) VALUES (?, ?, NULL, NULL, ?, ?, ?, 'active')
|
||||
""",
|
||||
(adopter_session_id, role, owner_pid or os.getpid(), now_s, now_s),
|
||||
)
|
||||
|
||||
cols = self._lease_columns(conn)
|
||||
|
||||
if status == "active" and owner == adopter_session_id:
|
||||
# Owner-resume refresh
|
||||
conn.execute(
|
||||
"""
|
||||
UPDATE leases
|
||||
SET heartbeat_at = ?, expires_at = ?, phase = ?
|
||||
WHERE lease_id = ?
|
||||
""",
|
||||
(now_s, expires, "adopted", lease_id),
|
||||
)
|
||||
if "worktree_path" in cols and worktree_path:
|
||||
conn.execute(
|
||||
"UPDATE leases SET worktree_path = ? WHERE lease_id = ?",
|
||||
(worktree_path, lease_id),
|
||||
)
|
||||
if "owner_pid" in cols and owner_pid is not None:
|
||||
conn.execute(
|
||||
"UPDATE leases SET owner_pid = ? WHERE lease_id = ?",
|
||||
(owner_pid, lease_id),
|
||||
)
|
||||
if "provenance_json" in cols:
|
||||
prior = {}
|
||||
if lease["provenance_json"]:
|
||||
try:
|
||||
prior = json.loads(lease["provenance_json"])
|
||||
except (TypeError, json.JSONDecodeError):
|
||||
prior = {}
|
||||
prior["last_adopt"] = provenance
|
||||
conn.execute(
|
||||
"UPDATE leases SET provenance_json = ? WHERE lease_id = ?",
|
||||
(json.dumps(prior), lease_id),
|
||||
)
|
||||
asn = conn.execute(
|
||||
"""
|
||||
SELECT * FROM assignments
|
||||
WHERE lease_id = ? AND status = 'active'
|
||||
ORDER BY created_at DESC LIMIT 1
|
||||
""",
|
||||
(lease_id,),
|
||||
).fetchone()
|
||||
lease2 = conn.execute(
|
||||
"SELECT * FROM leases WHERE lease_id = ?", (lease_id,)
|
||||
).fetchone()
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO events(work_item_id, event_type, message, created_at)
|
||||
VALUES (?, 'lease_adopted', ?, ?)
|
||||
""",
|
||||
(
|
||||
lease["work_item_id"],
|
||||
f"owner-resume adopt lease {lease_id} by {adopter_session_id}",
|
||||
now_s,
|
||||
),
|
||||
)
|
||||
return {
|
||||
"outcome": "adopted_owner_resume",
|
||||
"lease": dict(lease2) if lease2 else dict(lease),
|
||||
"assignment": dict(asn) if asn else None,
|
||||
"reasons": ["owner-resume: refreshed lease with provenance"],
|
||||
}
|
||||
|
||||
# Non-active: create new lease + assignment (transfer)
|
||||
new_lease_id = f"lease-{uuid.uuid4().hex[:16]}"
|
||||
new_asn_id = f"asn-{uuid.uuid4().hex[:16]}"
|
||||
# Mark prior non-active if still active somehow
|
||||
if status == "active":
|
||||
conn.execute(
|
||||
"UPDATE leases SET status = 'released' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
conn.execute(
|
||||
"UPDATE assignments SET status = 'released' WHERE lease_id = ?",
|
||||
(lease_id,),
|
||||
)
|
||||
|
||||
# Prefer prior assignment allowed/forbidden
|
||||
prior_asn = conn.execute(
|
||||
"""
|
||||
SELECT * FROM assignments WHERE lease_id = ?
|
||||
ORDER BY created_at DESC LIMIT 1
|
||||
""",
|
||||
(lease_id,),
|
||||
).fetchone()
|
||||
allowed = (
|
||||
prior_asn["allowed_actions"]
|
||||
if prior_asn
|
||||
else json.dumps(["implement", "comment", "push", "create_pr"])
|
||||
)
|
||||
forbidden = (
|
||||
prior_asn["forbidden_actions"]
|
||||
if prior_asn
|
||||
else json.dumps(
|
||||
["approve", "merge", "request_changes", "self_select_without_assignment"]
|
||||
)
|
||||
)
|
||||
head = expected_head_sha or (
|
||||
prior_asn["expected_head_sha"] if prior_asn else work["current_head_sha"]
|
||||
)
|
||||
|
||||
# Dynamic insert for optional columns
|
||||
base_cols = [
|
||||
"lease_id",
|
||||
"work_item_id",
|
||||
"session_id",
|
||||
"role",
|
||||
"phase",
|
||||
"expires_at",
|
||||
"heartbeat_at",
|
||||
"status",
|
||||
]
|
||||
base_vals: list[Any] = [
|
||||
new_lease_id,
|
||||
lease["work_item_id"],
|
||||
adopter_session_id,
|
||||
role,
|
||||
"adopted",
|
||||
expires,
|
||||
now_s,
|
||||
"active",
|
||||
]
|
||||
optional = {
|
||||
"worktree_path": worktree_path,
|
||||
"owner_pid": owner_pid,
|
||||
"expected_head_sha": head,
|
||||
"adopted_from_session_id": owner,
|
||||
"adopted_by_session_id": adopter_session_id,
|
||||
"provenance_json": json.dumps(provenance),
|
||||
}
|
||||
for col, val in optional.items():
|
||||
if col in cols and val is not None:
|
||||
base_cols.append(col)
|
||||
base_vals.append(val)
|
||||
placeholders = ", ".join("?" for _ in base_cols)
|
||||
conn.execute(
|
||||
f"INSERT INTO leases({', '.join(base_cols)}) VALUES ({placeholders})",
|
||||
base_vals,
|
||||
)
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO assignments(
|
||||
assignment_id, work_item_id, session_id, lease_id,
|
||||
allowed_actions, forbidden_actions, expected_head_sha,
|
||||
role, status, created_at
|
||||
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, 'active', ?)
|
||||
""",
|
||||
(
|
||||
new_asn_id,
|
||||
lease["work_item_id"],
|
||||
adopter_session_id,
|
||||
new_lease_id,
|
||||
allowed if isinstance(allowed, str) else json.dumps(list(allowed)),
|
||||
forbidden if isinstance(forbidden, str) else json.dumps(list(forbidden)),
|
||||
head,
|
||||
role,
|
||||
now_s,
|
||||
),
|
||||
)
|
||||
conn.execute(
|
||||
"""
|
||||
INSERT INTO events(work_item_id, event_type, message, created_at)
|
||||
VALUES (?, 'lease_adopted', ?, ?)
|
||||
""",
|
||||
(
|
||||
lease["work_item_id"],
|
||||
f"session {adopter_session_id} adopted from {owner} "
|
||||
f"prior={lease_id} new={new_lease_id}",
|
||||
now_s,
|
||||
),
|
||||
)
|
||||
lease2 = conn.execute(
|
||||
"SELECT * FROM leases WHERE lease_id = ?", (new_lease_id,)
|
||||
).fetchone()
|
||||
asn2 = conn.execute(
|
||||
"SELECT * FROM assignments WHERE assignment_id = ?",
|
||||
(new_asn_id,),
|
||||
).fetchone()
|
||||
return {
|
||||
"outcome": "adopted_transfer",
|
||||
"lease": dict(lease2) if lease2 else None,
|
||||
"assignment": dict(asn2) if asn2 else None,
|
||||
"reasons": [
|
||||
f"transferred lease ownership from {owner} to {adopter_session_id}"
|
||||
],
|
||||
}
|
||||
|
||||
@@ -49,12 +49,54 @@ Module: `allocator_service.py` · MCP tool: `gitea_allocate_next_work`
|
||||
- `apply=true` reserves via `ControlPlaneDB.assign_and_lease` (atomic assignment+lease).
|
||||
- Coordination source is **always** the control-plane DB — not file locks or comment-only leases.
|
||||
- Routing follows ADR §5.3 (REQUEST_CHANGES → author, terminal path first, foreign lease → wait).
|
||||
- Raw monitoring incidents are never candidates (#612 remains downstream).
|
||||
- Raw monitoring incidents are never candidates.
|
||||
|
||||
|
||||
## Lease lifecycle API (#601)
|
||||
|
||||
Module: `lease_lifecycle.py` · MCP tools: `gitea_*_workflow_lease(s)`
|
||||
|
||||
Active control-plane leases are **first-class workflow state**:
|
||||
|
||||
| Tool | Purpose |
|
||||
|------|---------|
|
||||
| `gitea_list_workflow_leases` | List active (or all) leases for a repo |
|
||||
| `gitea_inspect_workflow_lease` | Freshness + `safe_next_action` for one lease id |
|
||||
| `gitea_adopt_workflow_lease` | Owner-resume or sanctioned reclaim with provenance |
|
||||
| `gitea_release_workflow_lease` | Explicit owner release (audited) |
|
||||
| `gitea_expire_workflow_leases` | Deterministic expire of past-`expires_at` leases |
|
||||
| `gitea_abandon_workflow_lease` | Abandon with required proof |
|
||||
| `gitea_reclaim_expired_workflow_lease` | Expire + re-assign with provenance |
|
||||
|
||||
### Hard rules
|
||||
|
||||
1. Control-plane DB is the coordination authority — file locks / comment-only leases are not authoritative alone.
|
||||
2. Active foreign leases cannot be stolen; inspect returns `wait_foreign_active`.
|
||||
3. Abandon requires `(dead_process OR missing_worktree)` and `no_live_mutation_risk`; foreign abandon also needs `operator_authorized` or full dead+missing+no_open_pr proof.
|
||||
4. Adopt provenance always records `adopted_from_session_id`, `adopted_by_session_id`, work identity, optional head SHA, and worktree path.
|
||||
5. Reviewer→merger comment handoff (`gitea_adopt_merger_pr_lease`) is unchanged and remains the Gitea-thread durability path.
|
||||
|
||||
```bash
|
||||
python3 -m pytest tests/test_lease_lifecycle.py tests/test_control_plane_db.py tests/test_allocator_service.py tests/test_merger_lease_adoption.py -q
|
||||
```
|
||||
|
||||
## Incident bridge (#612)
|
||||
|
||||
Module: `incident_bridge.py` · MCP tools: `gitea_observability_*`
|
||||
|
||||
- Bridge converts Sentry/GlitchTip observations → **normal Gitea issues** + `incident_links`.
|
||||
- Phase-1: `gitea_observability_reconcile_incident(apply=false|true)` with JSON observation.
|
||||
- Dry-run performs **no** Gitea mutation and **no** DB write.
|
||||
- Apply reuses existing links or creates one Gitea issue; never invents `work_items.kind=incident`.
|
||||
- Config: `GITEA_OBSERVABILITY_PROJECTS_JSON` or `GITEA_OBSERVABILITY_PROJECTS_FILE`.
|
||||
- Provider tokens never appear in issue bodies, links, or tool results.
|
||||
- Allocator sees bridge work only after a Gitea issue exists.
|
||||
|
||||
## Non-goals (intentionally deferred)
|
||||
|
||||
- Sentry/GlitchTip provider adapters and auto-watchdog — **#612**
|
||||
- Gitea comment/label mirror writers (may be added by allocator tooling later)
|
||||
- Full unsupervised watchdog auto-filing (prefer explicit reconcile first)
|
||||
- Assuming GlitchTip writeback API equals Sentry without verification
|
||||
- Gitea comment/label mirror writers for every assignment (optional later)
|
||||
|
||||
## Tests
|
||||
|
||||
|
||||
@@ -39,6 +39,7 @@ one.
|
||||
| `status:blocked` | Issue is blocked |
|
||||
| `status:needs-review` | Issue work needs review |
|
||||
| `status:pr-open` | A linked PR is open |
|
||||
| `status:changes-requested` | Reviewer requested changes on the linked PR |
|
||||
| `status:approved` | Linked PR is approved |
|
||||
| `status:merged` | Linked PR is merged |
|
||||
| `status:reconcile` | Issue needs reconciliation |
|
||||
@@ -46,6 +47,72 @@ one.
|
||||
| `status:duplicate` | Issue is a duplicate |
|
||||
| `status:wontfix` | Issue will not be fixed |
|
||||
|
||||
## Role Ownership Labels (#603)
|
||||
|
||||
A single `role:*` label shows which workflow role currently owns the item. It is
|
||||
advisory visibility only — the control-plane lease (#601) is the source of truth
|
||||
for mutation authority. Only one `role:*` label is active at a time; tooling
|
||||
replaces it on handoff via `transition_role_labels`.
|
||||
|
||||
| Label | Use |
|
||||
| --- | --- |
|
||||
| `role:author` | Author currently owns the item |
|
||||
| `role:reviewer` | Reviewer currently owns the item |
|
||||
| `role:merger` | Merger currently owns the item |
|
||||
|
||||
## Hazard Labels (#603)
|
||||
|
||||
Hazard labels are orthogonal warning flags. Unlike `status:*` and `role:*`,
|
||||
**more than one hazard may be active at once**, and a hazard never substitutes
|
||||
for a live lease / PR-state check. Add/remove with `add_hazard_label` /
|
||||
`clear_hazard_label`.
|
||||
|
||||
| Label | Use |
|
||||
| --- | --- |
|
||||
| `hazard:stale-lease` | A stale or expired lease references this item |
|
||||
| `hazard:workflow-contaminated` | Session/workflow state is contaminated; do not mutate |
|
||||
| `hazard:conflicted` | Linked PR has merge conflicts |
|
||||
| `hazard:root-mutation` | Work was mutated in the project root checkout |
|
||||
| `hazard:manual-state` | Session or lease state was edited manually |
|
||||
| `hazard:terminal-blocker` | A terminal review/merge lock blocks progress (#332/#602) |
|
||||
|
||||
Any item that carries `status:blocked` or any `hazard:*` flag must also have a
|
||||
blocking-reason / next-action comment (`requires_blocking_reason`).
|
||||
|
||||
## `state:*` → canonical mapping (#603 migration)
|
||||
|
||||
Issue #603 proposed a parallel `state:*` vocabulary. To avoid a conflicting
|
||||
second lifecycle prefix, those requested states are folded into the existing
|
||||
canonical labels rather than introduced as `state:*`. `state:*` is **not** a
|
||||
supported prefix; use the canonical label on the right.
|
||||
|
||||
| Requested `state:*` | Canonical label |
|
||||
| --- | --- |
|
||||
| `state:needs-triage` | `status:triage` |
|
||||
| `state:claimed` | `status:claimed` |
|
||||
| `state:authoring` | `status:in-progress` |
|
||||
| `state:needs-review` | `status:needs-review` |
|
||||
| `state:reviewing` | `status:needs-review` |
|
||||
| `state:changes-requested` | `status:changes-requested` |
|
||||
| `state:approved` | `status:approved` |
|
||||
| `state:merge-ready` | `status:approved` |
|
||||
| `state:merged` | `status:merged` |
|
||||
| `state:blocked` | `status:blocked` |
|
||||
| `state:terminal-blocker` | `hazard:terminal-blocker` |
|
||||
| `state:abandoned` | `status:wontfix` |
|
||||
|
||||
The transition helpers accept these names as synonyms (e.g.
|
||||
`canonical_status_label("authoring")` → `status:in-progress`), so callers may use
|
||||
the #603 wording while a single canonical status stays active.
|
||||
|
||||
## Allocator Cross-Check (#603)
|
||||
|
||||
Labels are advisory queue hints. The work allocator (#600/#613) uses labels as
|
||||
one signal but **cross-checks live leases and PR state** and never trusts labels
|
||||
alone. Discussion issues (`type:discussion`) are excluded from implementation
|
||||
queues (`is_implementation_candidate`) unless a controller explicitly selects
|
||||
them.
|
||||
|
||||
## Transition Rules
|
||||
|
||||
Suggested lifecycle:
|
||||
|
||||
+3
-2
@@ -20,14 +20,15 @@ from dotenv import dotenv_values, load_dotenv
|
||||
|
||||
import gitea_config
|
||||
|
||||
PROJECT_ROOT = os.path.dirname(os.path.abspath(__file__))
|
||||
|
||||
# Load standard .env if present
|
||||
load_dotenv()
|
||||
load_dotenv(os.path.join(PROJECT_ROOT, ".env"))
|
||||
|
||||
# Dictionary to store configurations parsed dynamically from .env.* files
|
||||
DYNAMIC_CONFIGS = {}
|
||||
|
||||
# Scan all files starting with .env in the project root to load multiple configurations
|
||||
PROJECT_ROOT = os.path.dirname(os.path.abspath(__file__))
|
||||
for env_path in glob.glob(os.path.join(PROJECT_ROOT, ".env*")):
|
||||
# Skip directories and the example template
|
||||
if os.path.basename(env_path) == ".env.example":
|
||||
|
||||
+1110
-54
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,788 @@
|
||||
"""Observability incident bridge (#612).
|
||||
|
||||
Converts Sentry/GlitchTip **observations** into durable **Gitea issues** and
|
||||
``incident_links`` rows on the #613 control-plane DB.
|
||||
|
||||
Hard rules (ADR):
|
||||
* Gitea owns work; providers own incidents; the bridge only links them.
|
||||
* Raw monitoring incidents are **never** assignable ``work_items``.
|
||||
* The #600 allocator sees bridge work only as normal Gitea issues.
|
||||
* Phase-1 prefers dry-run / explicit reconcile; apply creates/links issues.
|
||||
* No tokens, DSNs, cookies, or other secrets in bodies, DB, or logs.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import json
|
||||
import os
|
||||
import re
|
||||
from dataclasses import dataclass, field
|
||||
from typing import Any, Callable, Sequence
|
||||
|
||||
from control_plane_db import ControlPlaneDB, ControlPlaneError, WORK_KINDS, _norm_scope
|
||||
|
||||
PROVIDERS = frozenset({"sentry", "glitchtip"})
|
||||
|
||||
OUTCOME_PREVIEW = "preview"
|
||||
OUTCOME_LINKED = "linked_existing"
|
||||
OUTCOME_CREATED = "created_issue"
|
||||
OUTCOME_UPDATED = "updated_link"
|
||||
OUTCOME_BLOCKED = "blocked"
|
||||
OUTCOME_NO_ACTION = "no_safe_action"
|
||||
|
||||
# Patterns scrubbed from any bridge-facing text (bodies, titles, tags, logs).
|
||||
_SECRET_PATTERNS: tuple[re.Pattern[str], ...] = (
|
||||
re.compile(
|
||||
r"(?i)\b(api[_-]?token|token|secret|password|passwd)\s*[:=]\s*\S+"
|
||||
),
|
||||
re.compile(
|
||||
r"(?i)\bAuthorization\s*[:=]\s*(?:Bearer\s+)?[A-Za-z0-9._\-+=/]{8,}"
|
||||
),
|
||||
re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._\-]{8,}"),
|
||||
re.compile(r"(?i)\bBasic\s+[A-Za-z0-9+/=]{8,}"),
|
||||
re.compile(r"(?i)\b(dsn|sentry_dsn|glitchtip_dsn)\s*[:=]\s*\S+"),
|
||||
re.compile(r"https?://[^/\s]+:[^@/\s]+@"), # user:pass@host
|
||||
re.compile(r"(?i)\b(keychain[_-]?id|private[_-]?key)\s*[:=]\s*\S+"),
|
||||
re.compile(r"(?i)cookie\s*[:=]\s*[^\s;]+"),
|
||||
re.compile(r"(?i)\bsession[_-]?id\s*[:=]\s*\S+"),
|
||||
)
|
||||
|
||||
_SENSITIVE_TAG_KEYS = frozenset(
|
||||
{
|
||||
"authorization",
|
||||
"cookie",
|
||||
"set-cookie",
|
||||
"password",
|
||||
"passwd",
|
||||
"secret",
|
||||
"token",
|
||||
"api_key",
|
||||
"apikey",
|
||||
"dsn",
|
||||
"sentry_dsn",
|
||||
"access_token",
|
||||
"refresh_token",
|
||||
}
|
||||
)
|
||||
|
||||
DEFAULT_LABELS = (
|
||||
"type:bug",
|
||||
"observability",
|
||||
"status:ready",
|
||||
)
|
||||
|
||||
|
||||
@dataclass(frozen=True)
|
||||
class ProjectMapping:
|
||||
"""Maps a monitoring project to a Gitea repository."""
|
||||
|
||||
name: str
|
||||
provider: str
|
||||
monitor_base_url: str
|
||||
monitor_org: str
|
||||
monitor_project: str
|
||||
gitea_org: str
|
||||
gitea_repo: str
|
||||
default_labels: tuple[str, ...] = DEFAULT_LABELS
|
||||
environment_filters: tuple[str, ...] = ()
|
||||
severity_threshold: str | None = None
|
||||
|
||||
def __post_init__(self) -> None:
|
||||
prov = (self.provider or "").strip().lower()
|
||||
if prov not in PROVIDERS:
|
||||
raise ControlPlaneError(
|
||||
f"unknown provider '{self.provider}'; expected one of {sorted(PROVIDERS)}"
|
||||
)
|
||||
object.__setattr__(self, "provider", prov)
|
||||
object.__setattr__(self, "monitor_base_url", (self.monitor_base_url or "").rstrip("/"))
|
||||
object.__setattr__(self, "monitor_org", (self.monitor_org or "").strip())
|
||||
object.__setattr__(self, "monitor_project", (self.monitor_project or "").strip())
|
||||
object.__setattr__(self, "gitea_org", (self.gitea_org or "").strip())
|
||||
object.__setattr__(self, "gitea_repo", (self.gitea_repo or "").strip())
|
||||
object.__setattr__(
|
||||
self,
|
||||
"default_labels",
|
||||
tuple(str(x).strip() for x in (self.default_labels or DEFAULT_LABELS) if str(x).strip()),
|
||||
)
|
||||
|
||||
def as_dict(self) -> dict[str, Any]:
|
||||
return {
|
||||
"name": self.name,
|
||||
"provider": self.provider,
|
||||
"monitor_base_url": self.monitor_base_url,
|
||||
"monitor_org": self.monitor_org,
|
||||
"monitor_project": self.monitor_project,
|
||||
"gitea_org": self.gitea_org,
|
||||
"gitea_repo": self.gitea_repo,
|
||||
"default_labels": list(self.default_labels),
|
||||
"environment_filters": list(self.environment_filters),
|
||||
"severity_threshold": self.severity_threshold,
|
||||
}
|
||||
|
||||
def matches_observation(self, obs: dict[str, Any]) -> bool:
|
||||
if (obs.get("provider") or "").strip().lower() != self.provider:
|
||||
return False
|
||||
base = (obs.get("provider_base_url") or obs.get("monitor_base_url") or "").rstrip("/")
|
||||
if base and self.monitor_base_url and base != self.monitor_base_url:
|
||||
return False
|
||||
org = (obs.get("provider_org") or obs.get("monitor_org") or "").strip()
|
||||
if org and self.monitor_org and org != self.monitor_org:
|
||||
return False
|
||||
project = (obs.get("provider_project") or obs.get("monitor_project") or "").strip()
|
||||
if project and self.monitor_project and project != self.monitor_project:
|
||||
return False
|
||||
return True
|
||||
|
||||
|
||||
@dataclass
|
||||
class NormalizedIncident:
|
||||
provider: str
|
||||
provider_base_url: str
|
||||
provider_org: str
|
||||
provider_project: str
|
||||
provider_issue_id: str
|
||||
provider_short_id: str | None = None
|
||||
provider_permalink: str | None = None
|
||||
fingerprint: str | None = None
|
||||
first_seen: str | None = None
|
||||
last_seen: str | None = None
|
||||
event_count: int | None = None
|
||||
status: str = "open"
|
||||
environment: str | None = None
|
||||
severity: str | None = None
|
||||
culprit: str | None = None
|
||||
title: str = ""
|
||||
summary: str = ""
|
||||
tags: dict[str, str] = field(default_factory=dict)
|
||||
gitea_org: str = ""
|
||||
gitea_repo: str = ""
|
||||
default_labels: tuple[str, ...] = DEFAULT_LABELS
|
||||
|
||||
def provider_key(self) -> tuple[str, str, str, str, str]:
|
||||
return (
|
||||
self.provider,
|
||||
_norm_scope(self.provider_base_url),
|
||||
_norm_scope(self.provider_org),
|
||||
_norm_scope(self.provider_project),
|
||||
str(self.provider_issue_id),
|
||||
)
|
||||
|
||||
def as_dict(self) -> dict[str, Any]:
|
||||
return {
|
||||
"provider": self.provider,
|
||||
"provider_base_url": self.provider_base_url,
|
||||
"provider_org": self.provider_org,
|
||||
"provider_project": self.provider_project,
|
||||
"provider_issue_id": self.provider_issue_id,
|
||||
"provider_short_id": self.provider_short_id,
|
||||
"provider_permalink": self.provider_permalink,
|
||||
"fingerprint": self.fingerprint,
|
||||
"first_seen": self.first_seen,
|
||||
"last_seen": self.last_seen,
|
||||
"event_count": self.event_count,
|
||||
"status": self.status,
|
||||
"environment": self.environment,
|
||||
"severity": self.severity,
|
||||
"culprit": self.culprit,
|
||||
"title": self.title,
|
||||
"summary": self.summary,
|
||||
"tags": dict(self.tags),
|
||||
"gitea_org": self.gitea_org,
|
||||
"gitea_repo": self.gitea_repo,
|
||||
"default_labels": list(self.default_labels),
|
||||
}
|
||||
|
||||
|
||||
def redact_text(value: Any) -> str:
|
||||
"""Redact secret-like material from a string (fail closed to empty)."""
|
||||
if value is None:
|
||||
return ""
|
||||
text = str(value)
|
||||
for pat in _SECRET_PATTERNS:
|
||||
text = pat.sub("[REDACTED]", text)
|
||||
return text
|
||||
|
||||
|
||||
def sanitize_tags(tags: Any) -> dict[str, str]:
|
||||
if not isinstance(tags, dict):
|
||||
return {}
|
||||
out: dict[str, str] = {}
|
||||
for k, v in tags.items():
|
||||
key = str(k).strip().lower()
|
||||
if not key or key in _SENSITIVE_TAG_KEYS:
|
||||
continue
|
||||
if any(s in key for s in ("token", "secret", "password", "cookie", "auth", "dsn")):
|
||||
continue
|
||||
val = redact_text(v)
|
||||
if "[REDACTED]" in val:
|
||||
continue
|
||||
if len(val) > 200:
|
||||
val = val[:200] + "…"
|
||||
out[key] = val
|
||||
return out
|
||||
|
||||
|
||||
def project_mapping_from_dict(data: dict[str, Any]) -> ProjectMapping:
|
||||
labels = data.get("default_labels") or DEFAULT_LABELS
|
||||
envs = data.get("environment_filters") or ()
|
||||
return ProjectMapping(
|
||||
name=str(data.get("name") or data.get("monitor_project") or "unnamed"),
|
||||
provider=str(data.get("provider") or ""),
|
||||
monitor_base_url=str(data.get("monitor_base_url") or data.get("provider_base_url") or ""),
|
||||
monitor_org=str(data.get("monitor_org") or data.get("provider_org") or ""),
|
||||
monitor_project=str(data.get("monitor_project") or data.get("provider_project") or ""),
|
||||
gitea_org=str(data.get("gitea_org") or ""),
|
||||
gitea_repo=str(data.get("gitea_repo") or ""),
|
||||
default_labels=tuple(labels),
|
||||
environment_filters=tuple(envs),
|
||||
severity_threshold=data.get("severity_threshold"),
|
||||
)
|
||||
|
||||
|
||||
def load_project_mappings(
|
||||
*,
|
||||
config_path: str | None = None,
|
||||
mappings_json: str | None = None,
|
||||
) -> list[ProjectMapping]:
|
||||
"""Load project mappings from JSON env, file, or explicit JSON string.
|
||||
|
||||
Env: ``GITEA_OBSERVABILITY_PROJECTS_JSON`` or path
|
||||
``GITEA_OBSERVABILITY_PROJECTS_FILE``.
|
||||
"""
|
||||
raw: Any = None
|
||||
if mappings_json:
|
||||
raw = json.loads(mappings_json)
|
||||
else:
|
||||
env_json = (os.environ.get("GITEA_OBSERVABILITY_PROJECTS_JSON") or "").strip()
|
||||
path = (
|
||||
(config_path or "").strip()
|
||||
or (os.environ.get("GITEA_OBSERVABILITY_PROJECTS_FILE") or "").strip()
|
||||
)
|
||||
if env_json:
|
||||
raw = json.loads(env_json)
|
||||
elif path and os.path.isfile(path):
|
||||
with open(path, encoding="utf-8") as fh:
|
||||
raw = json.load(fh)
|
||||
if raw is None:
|
||||
return []
|
||||
if isinstance(raw, dict) and "projects" in raw:
|
||||
raw = raw["projects"]
|
||||
if not isinstance(raw, list):
|
||||
raise ControlPlaneError("observability project mappings must be a list")
|
||||
return [project_mapping_from_dict(item) for item in raw if isinstance(item, dict)]
|
||||
|
||||
|
||||
def resolve_mapping(
|
||||
observation: dict[str, Any],
|
||||
mappings: Sequence[ProjectMapping],
|
||||
*,
|
||||
explicit: ProjectMapping | None = None,
|
||||
) -> ProjectMapping | None:
|
||||
if explicit is not None:
|
||||
return explicit
|
||||
matches = [m for m in mappings if m.matches_observation(observation)]
|
||||
if len(matches) == 1:
|
||||
return matches[0]
|
||||
if len(matches) > 1:
|
||||
raise ControlPlaneError(
|
||||
"ambiguous project mapping for observation: "
|
||||
+ ", ".join(m.name for m in matches)
|
||||
+ " (fail closed, #612)"
|
||||
)
|
||||
# Fallback: observation itself may carry gitea targets
|
||||
g_org = (observation.get("gitea_org") or "").strip()
|
||||
g_repo = (observation.get("gitea_repo") or "").strip()
|
||||
provider = (observation.get("provider") or "").strip().lower()
|
||||
if g_org and g_repo and provider in PROVIDERS:
|
||||
return ProjectMapping(
|
||||
name=f"inline-{provider}",
|
||||
provider=provider,
|
||||
monitor_base_url=str(
|
||||
observation.get("provider_base_url")
|
||||
or observation.get("monitor_base_url")
|
||||
or ""
|
||||
),
|
||||
monitor_org=str(
|
||||
observation.get("provider_org") or observation.get("monitor_org") or ""
|
||||
),
|
||||
monitor_project=str(
|
||||
observation.get("provider_project")
|
||||
or observation.get("monitor_project")
|
||||
or ""
|
||||
),
|
||||
gitea_org=g_org,
|
||||
gitea_repo=g_repo,
|
||||
default_labels=tuple(observation.get("default_labels") or DEFAULT_LABELS),
|
||||
)
|
||||
return None
|
||||
|
||||
|
||||
def normalize_incident(
|
||||
observation: dict[str, Any],
|
||||
mapping: ProjectMapping,
|
||||
) -> NormalizedIncident:
|
||||
"""Normalize + sanitize a raw provider observation (fail closed)."""
|
||||
if not isinstance(observation, dict):
|
||||
raise ControlPlaneError("observation must be a dict (fail closed, #612)")
|
||||
|
||||
provider = (observation.get("provider") or mapping.provider or "").strip().lower()
|
||||
if provider not in PROVIDERS:
|
||||
raise ControlPlaneError(
|
||||
f"unknown provider '{provider}'; expected {sorted(PROVIDERS)} (fail closed)"
|
||||
)
|
||||
if provider != mapping.provider:
|
||||
raise ControlPlaneError(
|
||||
f"observation provider '{provider}' does not match mapping "
|
||||
f"'{mapping.provider}' (fail closed, #612)"
|
||||
)
|
||||
|
||||
issue_id = observation.get("provider_issue_id") or observation.get("id")
|
||||
if issue_id is None or str(issue_id).strip() == "":
|
||||
raise ControlPlaneError(
|
||||
"observation missing provider_issue_id (fail closed, #612)"
|
||||
)
|
||||
|
||||
base = (
|
||||
observation.get("provider_base_url")
|
||||
or observation.get("monitor_base_url")
|
||||
or mapping.monitor_base_url
|
||||
or ""
|
||||
)
|
||||
org = (
|
||||
observation.get("provider_org")
|
||||
or observation.get("monitor_org")
|
||||
or mapping.monitor_org
|
||||
or ""
|
||||
)
|
||||
project = (
|
||||
observation.get("provider_project")
|
||||
or observation.get("monitor_project")
|
||||
or mapping.monitor_project
|
||||
or ""
|
||||
)
|
||||
|
||||
title = redact_text(
|
||||
observation.get("title")
|
||||
or observation.get("culprit")
|
||||
or f"{provider} incident {issue_id}"
|
||||
)
|
||||
meta = observation.get("metadata")
|
||||
meta_value = meta.get("value") if isinstance(meta, dict) else None
|
||||
raw_sum = (
|
||||
observation.get("summary")
|
||||
or observation.get("message")
|
||||
or meta_value
|
||||
or title
|
||||
)
|
||||
summary = redact_text(raw_sum)
|
||||
|
||||
permalink = observation.get("provider_permalink") or observation.get("permalink")
|
||||
if permalink:
|
||||
permalink = redact_text(permalink)
|
||||
if "[REDACTED]" in permalink:
|
||||
permalink = None
|
||||
|
||||
tags = sanitize_tags(observation.get("tags") or {})
|
||||
event_count = observation.get("event_count") or observation.get("count")
|
||||
try:
|
||||
event_count_i = int(event_count) if event_count is not None else None
|
||||
except (TypeError, ValueError):
|
||||
event_count_i = None
|
||||
|
||||
return NormalizedIncident(
|
||||
provider=provider,
|
||||
provider_base_url=str(base).rstrip("/"),
|
||||
provider_org=str(org).strip(),
|
||||
provider_project=str(project).strip(),
|
||||
provider_issue_id=str(issue_id).strip(),
|
||||
provider_short_id=redact_text(observation.get("provider_short_id") or observation.get("shortId") or "")
|
||||
or None,
|
||||
provider_permalink=permalink,
|
||||
fingerprint=redact_text(observation.get("fingerprint") or "") or None,
|
||||
first_seen=str(observation.get("first_seen") or observation.get("firstSeen") or "")
|
||||
or None,
|
||||
last_seen=str(observation.get("last_seen") or observation.get("lastSeen") or "")
|
||||
or None,
|
||||
event_count=event_count_i,
|
||||
status=str(observation.get("status") or "open").strip().lower() or "open",
|
||||
environment=redact_text(observation.get("environment") or "") or None,
|
||||
severity=redact_text(observation.get("severity") or observation.get("level") or "")
|
||||
or None,
|
||||
culprit=redact_text(observation.get("culprit") or "") or None,
|
||||
title=title[:200],
|
||||
summary=summary[:2000],
|
||||
tags=tags,
|
||||
gitea_org=mapping.gitea_org,
|
||||
gitea_repo=mapping.gitea_repo,
|
||||
default_labels=mapping.default_labels,
|
||||
)
|
||||
|
||||
|
||||
def build_gitea_issue_title(inc: NormalizedIncident) -> str:
|
||||
env = f" [{inc.environment}]" if inc.environment else ""
|
||||
sev = f" ({inc.severity})" if inc.severity else ""
|
||||
return redact_text(f"[obs:{inc.provider}]{env}{sev} {inc.title}")[:180]
|
||||
|
||||
|
||||
def build_gitea_issue_body(inc: NormalizedIncident) -> str:
|
||||
"""Sanitized durable issue body (no secrets)."""
|
||||
lines = [
|
||||
"## Observability incident (bridge #612)",
|
||||
"",
|
||||
"<!-- mcp-incident-bridge:v1 -->",
|
||||
f"<!-- provider={inc.provider} issue_id={inc.provider_issue_id} -->",
|
||||
"",
|
||||
f"- **provider:** `{inc.provider}`",
|
||||
f"- **provider_issue_id:** `{inc.provider_issue_id}`",
|
||||
]
|
||||
if inc.provider_short_id:
|
||||
lines.append(f"- **provider_short_id:** `{inc.provider_short_id}`")
|
||||
if inc.provider_permalink:
|
||||
lines.append(f"- **provider_url:** {inc.provider_permalink}")
|
||||
lines.extend(
|
||||
[
|
||||
f"- **provider_org/project:** `{inc.provider_org}` / `{inc.provider_project}`",
|
||||
f"- **base_url:** `{inc.provider_base_url}`",
|
||||
f"- **fingerprint:** `{inc.fingerprint or ''}`",
|
||||
f"- **first_seen:** `{inc.first_seen or ''}`",
|
||||
f"- **last_seen:** `{inc.last_seen or ''}`",
|
||||
f"- **event_count:** `{inc.event_count if inc.event_count is not None else ''}`",
|
||||
f"- **environment:** `{inc.environment or ''}`",
|
||||
f"- **severity:** `{inc.severity or ''}`",
|
||||
f"- **culprit:** `{inc.culprit or ''}`",
|
||||
f"- **status:** `{inc.status}`",
|
||||
"",
|
||||
"### Summary",
|
||||
"",
|
||||
redact_text(inc.summary) or "(no summary)",
|
||||
"",
|
||||
"### Safe tags",
|
||||
"",
|
||||
]
|
||||
)
|
||||
if inc.tags:
|
||||
for k, v in sorted(inc.tags.items()):
|
||||
lines.append(f"- `{k}`: `{v}`")
|
||||
else:
|
||||
lines.append("- (none)")
|
||||
lines.extend(
|
||||
[
|
||||
"",
|
||||
"### Canonical next action",
|
||||
"",
|
||||
"Author: investigate and fix under normal Gitea workflow. "
|
||||
"Allocator may select this issue as ordinary Gitea work "
|
||||
"(never as a raw provider incident).",
|
||||
"",
|
||||
"### Bridge notes",
|
||||
"",
|
||||
"- Raw Sentry/GlitchTip incidents are **not** assignable work items.",
|
||||
"- Gitea remains the durable work record; DB stores `incident_links` only.",
|
||||
"- Provider tokens must never appear in this issue.",
|
||||
]
|
||||
)
|
||||
return "\n".join(lines)
|
||||
|
||||
|
||||
def _link_conflict(existing: dict[str, Any], inc: NormalizedIncident) -> str | None:
|
||||
"""Fail closed if existing link targets a different Gitea issue/repo."""
|
||||
eg_org = str(existing.get("gitea_org") or "")
|
||||
eg_repo = str(existing.get("gitea_repo") or "")
|
||||
eg_num = existing.get("gitea_issue_number")
|
||||
if eg_org and eg_org != inc.gitea_org:
|
||||
return (
|
||||
f"existing link points to org '{eg_org}', mapping wants "
|
||||
f"'{inc.gitea_org}' (fail closed, #612)"
|
||||
)
|
||||
if eg_repo and eg_repo != inc.gitea_repo:
|
||||
return (
|
||||
f"existing link points to repo '{eg_repo}', mapping wants "
|
||||
f"'{inc.gitea_repo}' (fail closed, #612)"
|
||||
)
|
||||
# fingerprint conflict when both present and disagree
|
||||
ef = (existing.get("fingerprint") or "").strip()
|
||||
nf = (inc.fingerprint or "").strip()
|
||||
if ef and nf and ef != nf:
|
||||
# Same provider issue id with different fingerprints is ambiguous.
|
||||
return (
|
||||
f"fingerprint conflict for provider issue {inc.provider_issue_id}: "
|
||||
f"link has '{ef}', observation has '{nf}' (fail closed, #612)"
|
||||
)
|
||||
return None
|
||||
|
||||
|
||||
CreateIssueFn = Callable[[str, str, list[str], str, str], dict[str, Any]]
|
||||
# create_issue_fn(title, body, labels, gitea_org, gitea_repo) -> {"number": int, ...}
|
||||
|
||||
|
||||
def reconcile_incident(
|
||||
db: ControlPlaneDB | None,
|
||||
*,
|
||||
observation: dict[str, Any],
|
||||
mappings: Sequence[ProjectMapping] | None = None,
|
||||
mapping: ProjectMapping | None = None,
|
||||
apply: bool = False,
|
||||
create_issue_fn: CreateIssueFn | None = None,
|
||||
force_gitea_issue_number: int | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Reconcile one observation into incident_links + optional Gitea issue.
|
||||
|
||||
*apply=False* (default): preview only — no DB mutation, no Gitea mutation.
|
||||
*apply=True*: upsert link; create Gitea issue when none linked (requires
|
||||
``create_issue_fn``) or use ``force_gitea_issue_number`` for explicit link.
|
||||
|
||||
Never creates control-plane ``work_items`` for raw incidents.
|
||||
"""
|
||||
base: dict[str, Any] = {
|
||||
"success": False,
|
||||
"apply": bool(apply),
|
||||
"outcome": OUTCOME_NO_ACTION,
|
||||
"performed": False,
|
||||
"gitea_mutated": False,
|
||||
"db_mutated": False,
|
||||
"raw_incident_assignable": False,
|
||||
"work_item_kind_would_be": None,
|
||||
"reasons": [],
|
||||
"skipped": None,
|
||||
"incident": None,
|
||||
"existing_link": None,
|
||||
"gitea_issue": None,
|
||||
"action": None,
|
||||
"mapping": None,
|
||||
"substrate": "control_plane_db.incident_links",
|
||||
"durable_work_system": "gitea_issues",
|
||||
}
|
||||
|
||||
if db is None:
|
||||
base["reasons"] = [
|
||||
"control-plane DB substrate unavailable (fail closed, #613/#612)"
|
||||
]
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
return base
|
||||
|
||||
try:
|
||||
maps = list(mappings or [])
|
||||
resolved = resolve_mapping(observation, maps, explicit=mapping)
|
||||
if resolved is None:
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [
|
||||
"no project mapping for observation (fail closed, #612); "
|
||||
"configure GITEA_OBSERVABILITY_PROJECTS_JSON or pass mapping"
|
||||
]
|
||||
return base
|
||||
base["mapping"] = resolved.as_dict()
|
||||
inc = normalize_incident(observation, resolved)
|
||||
base["incident"] = inc.as_dict()
|
||||
except (ControlPlaneError, json.JSONDecodeError, TypeError, ValueError) as exc:
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [str(exc)]
|
||||
return base
|
||||
|
||||
# Environment filter (optional)
|
||||
if resolved.environment_filters and inc.environment:
|
||||
allowed = {e.lower() for e in resolved.environment_filters}
|
||||
if inc.environment.lower() not in allowed:
|
||||
base["outcome"] = OUTCOME_NO_ACTION
|
||||
base["reasons"] = [
|
||||
f"environment '{inc.environment}' not in filters "
|
||||
f"{sorted(allowed)}; skip (policy)"
|
||||
]
|
||||
base["success"] = True
|
||||
base["action"] = "skip_environment_filter"
|
||||
return base
|
||||
|
||||
existing = db.get_incident_link_by_provider(
|
||||
provider=inc.provider,
|
||||
provider_issue_id=inc.provider_issue_id,
|
||||
provider_base_url=inc.provider_base_url,
|
||||
provider_org=inc.provider_org,
|
||||
provider_project=inc.provider_project,
|
||||
)
|
||||
base["existing_link"] = existing
|
||||
|
||||
if existing:
|
||||
conflict = _link_conflict(existing, inc)
|
||||
if conflict:
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [conflict]
|
||||
return base
|
||||
|
||||
title = build_gitea_issue_title(inc)
|
||||
body = build_gitea_issue_body(inc)
|
||||
labels = list(inc.default_labels)
|
||||
if inc.provider and f"{inc.provider}" not in labels:
|
||||
labels.append(inc.provider)
|
||||
if "observability" not in labels:
|
||||
labels.append("observability")
|
||||
|
||||
preview_issue = {
|
||||
"title": title,
|
||||
"body_preview": body[:500] + ("…" if len(body) > 500 else ""),
|
||||
"labels": labels,
|
||||
"gitea_org": inc.gitea_org,
|
||||
"gitea_repo": inc.gitea_repo,
|
||||
"would_create": existing is None and force_gitea_issue_number is None,
|
||||
"would_reuse_issue": int(existing["gitea_issue_number"])
|
||||
if existing
|
||||
else force_gitea_issue_number,
|
||||
}
|
||||
base["gitea_issue_preview"] = preview_issue
|
||||
|
||||
if not apply:
|
||||
base["success"] = True
|
||||
base["outcome"] = OUTCOME_PREVIEW
|
||||
base["action"] = (
|
||||
"preview_reuse_link" if existing else "preview_create_issue"
|
||||
)
|
||||
base["reasons"] = [
|
||||
"dry-run only (apply=false); no Gitea mutation and no DB write — "
|
||||
"call again with apply=true to create/link"
|
||||
]
|
||||
if existing:
|
||||
base["gitea_issue"] = {
|
||||
"number": existing.get("gitea_issue_number"),
|
||||
"org": existing.get("gitea_org"),
|
||||
"repo": existing.get("gitea_repo"),
|
||||
}
|
||||
# Prove we never treat this as work_item kind incident
|
||||
base["raw_incident_assignable"] = False
|
||||
base["work_item_kind_would_be"] = "issue" # only after Gitea issue exists
|
||||
return base
|
||||
|
||||
# --- apply path ---
|
||||
issue_number: int | None = None
|
||||
created = False
|
||||
if existing:
|
||||
issue_number = int(existing["gitea_issue_number"])
|
||||
action = "updated_existing_link"
|
||||
outcome = OUTCOME_UPDATED
|
||||
elif force_gitea_issue_number is not None:
|
||||
issue_number = int(force_gitea_issue_number)
|
||||
action = "link_explicit_issue"
|
||||
outcome = OUTCOME_LINKED
|
||||
else:
|
||||
if create_issue_fn is None:
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [
|
||||
"apply=true requires create_issue_fn when no existing link "
|
||||
"(fail closed, #612)"
|
||||
]
|
||||
return base
|
||||
try:
|
||||
created_res = create_issue_fn(
|
||||
title, body, labels, inc.gitea_org, inc.gitea_repo
|
||||
)
|
||||
except Exception as exc: # noqa: BLE001
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [
|
||||
f"Gitea issue creation failed: {redact_text(exc)} (fail closed)"
|
||||
]
|
||||
return base
|
||||
number = created_res.get("number") if isinstance(created_res, dict) else None
|
||||
if number is None:
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [
|
||||
"Gitea issue creation returned no issue number (fail closed, #612)"
|
||||
]
|
||||
base["create_result"] = created_res
|
||||
return base
|
||||
issue_number = int(number)
|
||||
created = True
|
||||
action = "created_gitea_issue"
|
||||
outcome = OUTCOME_CREATED
|
||||
base["gitea_mutated"] = True
|
||||
base["create_result"] = {
|
||||
k: created_res.get(k)
|
||||
for k in ("number", "success", "performed", "reasons")
|
||||
if isinstance(created_res, dict)
|
||||
}
|
||||
|
||||
assert issue_number is not None
|
||||
try:
|
||||
link = db.upsert_incident_link(
|
||||
provider=inc.provider,
|
||||
provider_issue_id=inc.provider_issue_id,
|
||||
gitea_org=inc.gitea_org,
|
||||
gitea_repo=inc.gitea_repo,
|
||||
gitea_issue_number=issue_number,
|
||||
provider_base_url=inc.provider_base_url,
|
||||
provider_org=inc.provider_org,
|
||||
provider_project=inc.provider_project,
|
||||
provider_short_id=inc.provider_short_id,
|
||||
provider_permalink=inc.provider_permalink,
|
||||
fingerprint=inc.fingerprint,
|
||||
first_seen=inc.first_seen,
|
||||
last_seen=inc.last_seen,
|
||||
event_count=inc.event_count,
|
||||
status=inc.status if not created else "open",
|
||||
)
|
||||
except Exception as exc: # noqa: BLE001
|
||||
base["outcome"] = OUTCOME_BLOCKED
|
||||
base["reasons"] = [
|
||||
f"incident_links upsert failed: {redact_text(exc)} (fail closed, #613)"
|
||||
]
|
||||
base["gitea_issue"] = {
|
||||
"number": issue_number,
|
||||
"org": inc.gitea_org,
|
||||
"repo": inc.gitea_repo,
|
||||
"created": created,
|
||||
}
|
||||
return base
|
||||
|
||||
base["success"] = True
|
||||
base["performed"] = True
|
||||
base["db_mutated"] = True
|
||||
base["outcome"] = outcome
|
||||
base["action"] = action
|
||||
base["gitea_issue"] = {
|
||||
"number": issue_number,
|
||||
"org": inc.gitea_org,
|
||||
"repo": inc.gitea_repo,
|
||||
"created": created,
|
||||
}
|
||||
base["link"] = {
|
||||
k: link.get(k)
|
||||
for k in (
|
||||
"link_id",
|
||||
"provider",
|
||||
"provider_issue_id",
|
||||
"gitea_org",
|
||||
"gitea_repo",
|
||||
"gitea_issue_number",
|
||||
"fingerprint",
|
||||
"event_count",
|
||||
"status",
|
||||
"last_sync_at",
|
||||
)
|
||||
}
|
||||
base["reasons"] = [
|
||||
(
|
||||
f"reused Gitea issue #{issue_number} for provider "
|
||||
f"{inc.provider}:{inc.provider_issue_id}"
|
||||
if not created
|
||||
else f"created Gitea issue #{issue_number} and stored incident_links row"
|
||||
),
|
||||
"raw provider incident is not an assignable work_item "
|
||||
f"(WORK_KINDS={sorted(WORK_KINDS)})",
|
||||
]
|
||||
base["raw_incident_assignable"] = False
|
||||
base["work_item_kind_would_be"] = "issue"
|
||||
base["allocator_visible_as"] = {
|
||||
"kind": "issue",
|
||||
"number": issue_number,
|
||||
"org": inc.gitea_org,
|
||||
"repo": inc.gitea_repo,
|
||||
"note": "allocator selects normal Gitea issues only (#600/#612)",
|
||||
}
|
||||
return base
|
||||
|
||||
|
||||
def assert_not_raw_incident_work_item(kind: str) -> None:
|
||||
"""Guard used by tests / callers: incidents must not enter WORK_KINDS."""
|
||||
k = (kind or "").strip().lower()
|
||||
if k not in WORK_KINDS:
|
||||
if k in ("sentry_incident", "glitchtip_incident", "incident", "observation"):
|
||||
raise ControlPlaneError(
|
||||
f"kind '{k}' is not assignable; bridge must create Gitea issues first (#612)"
|
||||
)
|
||||
raise ControlPlaneError(f"kind '{k}' is not assignable")
|
||||
@@ -375,6 +375,64 @@ def _same_realpath(left: str | None, right: str | None) -> bool:
|
||||
return left == right
|
||||
|
||||
|
||||
|
||||
def assess_expired_lock_reclaim(
|
||||
existing_lock: dict[str, Any] | None,
|
||||
*,
|
||||
now: datetime | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Decide whether an expired/stale author issue lock may be reclaimed (#601).
|
||||
|
||||
Required proof (any reclaim of non-live lock):
|
||||
* lease not live (expired or dead pid)
|
||||
* owner process dead OR worktree missing
|
||||
* no force-delete of live foreign ownership
|
||||
"""
|
||||
if not existing_lock:
|
||||
return {
|
||||
"reclaim_allowed": True,
|
||||
"reasons": ["no existing lock"],
|
||||
"freshness": assess_lock_freshness(None, now=now),
|
||||
}
|
||||
freshness = assess_lock_freshness(existing_lock, now=now)
|
||||
if freshness.get("live"):
|
||||
return {
|
||||
"reclaim_allowed": False,
|
||||
"reasons": ["lock is still live; cannot reclaim (fail closed)"],
|
||||
"freshness": freshness,
|
||||
}
|
||||
pid = existing_lock.get("session_pid")
|
||||
if pid is None:
|
||||
pid = existing_lock.get("pid")
|
||||
dead = not is_process_alive(pid) if pid is not None else True
|
||||
wt = str(existing_lock.get("worktree_path") or "")
|
||||
missing_wt = (not wt) or (not os.path.isdir(os.path.realpath(wt)))
|
||||
if not (dead or missing_wt):
|
||||
return {
|
||||
"reclaim_allowed": False,
|
||||
"reasons": [
|
||||
"expired/stale lock still has live owner pid and present worktree; "
|
||||
"recovery review required (fail closed)"
|
||||
],
|
||||
"freshness": freshness,
|
||||
"owner_pid_dead": dead,
|
||||
"worktree_missing": missing_wt,
|
||||
}
|
||||
return {
|
||||
"reclaim_allowed": True,
|
||||
"reasons": [
|
||||
"non-live lock with dead process and/or missing worktree; "
|
||||
"sanctioned reclaim allowed"
|
||||
],
|
||||
"freshness": freshness,
|
||||
"owner_pid_dead": dead,
|
||||
"worktree_missing": missing_wt,
|
||||
"prior_branch": existing_lock.get("branch_name"),
|
||||
"prior_worktree": existing_lock.get("worktree_path"),
|
||||
"prior_pid": pid,
|
||||
}
|
||||
|
||||
|
||||
def assess_same_issue_lease_conflict(
|
||||
existing_lock: dict[str, Any] | None,
|
||||
*,
|
||||
@@ -405,6 +463,11 @@ def assess_same_issue_lease_conflict(
|
||||
and _same_realpath(str(existing_worktree or ""), worktree_path)
|
||||
)
|
||||
if is_lease_expired(existing_lock, now=now):
|
||||
reclaim = assess_expired_lock_reclaim(existing_lock, now=now)
|
||||
if reclaim.get("reclaim_allowed"):
|
||||
# #601: expired + dead pid / missing worktree may be reclaimed
|
||||
# through the normal lock path (sanctioned overwrite).
|
||||
return None
|
||||
return (
|
||||
f"Issue #{issue_number} has an expired {operation_type} lease on "
|
||||
f"branch '{existing_branch}' from worktree '{existing_worktree}'. "
|
||||
|
||||
+187
-1
@@ -34,6 +34,11 @@ STATUS_LABEL_SPECS: tuple[LabelSpec, ...] = (
|
||||
LabelSpec("status:blocked", "b60205", "Issue is blocked"),
|
||||
LabelSpec("status:needs-review", "0052cc", "Issue work needs review"),
|
||||
LabelSpec("status:pr-open", "1d76db", "A linked PR is open"),
|
||||
LabelSpec(
|
||||
"status:changes-requested",
|
||||
"e11d21",
|
||||
"Reviewer requested changes on the linked PR",
|
||||
),
|
||||
LabelSpec("status:approved", "0e8a16", "Linked PR is approved"),
|
||||
LabelSpec("status:merged", "5319e7", "Linked PR is merged"),
|
||||
LabelSpec("status:reconcile", "d93f0b", "Issue needs reconciliation"),
|
||||
@@ -65,8 +70,42 @@ VALIDATION_LABEL_SPECS: tuple[LabelSpec, ...] = (
|
||||
),
|
||||
)
|
||||
|
||||
# Lifecycle role-ownership labels (#603): which workflow role currently owns the
|
||||
# item. Advisory visibility only — the control-plane lease (#601) remains the
|
||||
# source of truth for mutation authority. Only one role:* label is active at a
|
||||
# time, mirroring the single-active-status invariant.
|
||||
ROLE_LABEL_SPECS: tuple[LabelSpec, ...] = (
|
||||
LabelSpec("role:author", "1d76db", "Author currently owns the item"),
|
||||
LabelSpec("role:reviewer", "5319e7", "Reviewer currently owns the item"),
|
||||
LabelSpec("role:merger", "0e8a16", "Merger currently owns the item"),
|
||||
)
|
||||
|
||||
# Lifecycle hazard labels (#603): orthogonal warning flags surfacing dangerous
|
||||
# coordination conditions. Unlike status/role, multiple hazard:* labels may be
|
||||
# active at once, and they never substitute for live lease / PR state checks.
|
||||
HAZARD_LABEL_SPECS: tuple[LabelSpec, ...] = (
|
||||
LabelSpec("hazard:stale-lease", "d93f0b", "A stale or expired lease references this item"),
|
||||
LabelSpec(
|
||||
"hazard:workflow-contaminated",
|
||||
"b60205",
|
||||
"Session/workflow state is contaminated and must not mutate",
|
||||
),
|
||||
LabelSpec("hazard:conflicted", "e11d21", "Linked PR has merge conflicts"),
|
||||
LabelSpec("hazard:root-mutation", "b60205", "Work was mutated in the project root checkout"),
|
||||
LabelSpec("hazard:manual-state", "d93f0b", "Session or lease state was edited manually"),
|
||||
LabelSpec(
|
||||
"hazard:terminal-blocker",
|
||||
"000000",
|
||||
"A terminal review/merge lock blocks progress (#332/#602)",
|
||||
),
|
||||
)
|
||||
|
||||
CANONICAL_LABEL_SPECS: tuple[LabelSpec, ...] = (
|
||||
TYPE_LABEL_SPECS + STATUS_LABEL_SPECS + VALIDATION_LABEL_SPECS
|
||||
TYPE_LABEL_SPECS
|
||||
+ STATUS_LABEL_SPECS
|
||||
+ VALIDATION_LABEL_SPECS
|
||||
+ ROLE_LABEL_SPECS
|
||||
+ HAZARD_LABEL_SPECS
|
||||
)
|
||||
|
||||
TYPE_LABELS: frozenset[str] = frozenset(spec.name for spec in TYPE_LABEL_SPECS)
|
||||
@@ -74,6 +113,8 @@ STATUS_LABELS: frozenset[str] = frozenset(spec.name for spec in STATUS_LABEL_SPE
|
||||
VALIDATION_LABELS: frozenset[str] = frozenset(
|
||||
spec.name for spec in VALIDATION_LABEL_SPECS
|
||||
)
|
||||
ROLE_LABELS: frozenset[str] = frozenset(spec.name for spec in ROLE_LABEL_SPECS)
|
||||
HAZARD_LABELS: frozenset[str] = frozenset(spec.name for spec in HAZARD_LABEL_SPECS)
|
||||
CANONICAL_LABELS: frozenset[str] = frozenset(
|
||||
spec.name for spec in CANONICAL_LABEL_SPECS
|
||||
)
|
||||
@@ -91,9 +132,15 @@ STATUS_TRANSITIONS: dict[str, str] = {
|
||||
"blocked": "status:blocked",
|
||||
"needs_review": "status:needs-review",
|
||||
"needs-review": "status:needs-review",
|
||||
"reviewing": "status:needs-review",
|
||||
"pr_open": "status:pr-open",
|
||||
"pr-open": "status:pr-open",
|
||||
"changes_requested": "status:changes-requested",
|
||||
"changes-requested": "status:changes-requested",
|
||||
"changes": "status:changes-requested",
|
||||
"approved": "status:approved",
|
||||
"merge_ready": "status:approved",
|
||||
"merge-ready": "status:approved",
|
||||
"merge": "status:reconcile",
|
||||
"merged": "status:reconcile",
|
||||
"reconcile": "status:reconcile",
|
||||
@@ -101,6 +148,37 @@ STATUS_TRANSITIONS: dict[str, str] = {
|
||||
"complete": "status:done",
|
||||
"duplicate": "status:duplicate",
|
||||
"wontfix": "status:wontfix",
|
||||
"abandoned": "status:wontfix",
|
||||
# #603 requested state:* synonyms folded into the canonical status vocabulary
|
||||
"needs_triage": "status:triage",
|
||||
"needs-triage": "status:triage",
|
||||
"authoring": "status:in-progress",
|
||||
}
|
||||
|
||||
# #603: single-active role ownership. Maps role kinds / role:* labels to the
|
||||
# canonical role label. Mirrors STATUS_TRANSITIONS for the role dimension.
|
||||
ROLE_TRANSITIONS: dict[str, str] = {
|
||||
"author": "role:author",
|
||||
"reviewer": "role:reviewer",
|
||||
"merger": "role:merger",
|
||||
}
|
||||
|
||||
# #603: hazard flag synonyms. Hazards are additive (not single-active), so this
|
||||
# only normalizes names; it does not drive replacement.
|
||||
HAZARD_TRANSITIONS: dict[str, str] = {
|
||||
"stale_lease": "hazard:stale-lease",
|
||||
"stale-lease": "hazard:stale-lease",
|
||||
"workflow_contaminated": "hazard:workflow-contaminated",
|
||||
"workflow-contaminated": "hazard:workflow-contaminated",
|
||||
"contaminated": "hazard:workflow-contaminated",
|
||||
"conflicted": "hazard:conflicted",
|
||||
"conflict": "hazard:conflicted",
|
||||
"root_mutation": "hazard:root-mutation",
|
||||
"root-mutation": "hazard:root-mutation",
|
||||
"manual_state": "hazard:manual-state",
|
||||
"manual-state": "hazard:manual-state",
|
||||
"terminal_blocker": "hazard:terminal-blocker",
|
||||
"terminal-blocker": "hazard:terminal-blocker",
|
||||
}
|
||||
|
||||
|
||||
@@ -155,6 +233,100 @@ def transition_status_labels(
|
||||
return kept
|
||||
|
||||
|
||||
def role_labels(labels: Iterable[str | Mapping[str, object]] | Mapping[str, object]) -> list[str]:
|
||||
return [name for name in label_names(labels) if name.startswith("role:")]
|
||||
|
||||
|
||||
def hazard_labels(labels: Iterable[str | Mapping[str, object]] | Mapping[str, object]) -> list[str]:
|
||||
return [name for name in label_names(labels) if name.startswith("hazard:")]
|
||||
|
||||
|
||||
def canonical_role_label(role_or_transition: str) -> str:
|
||||
role = role_or_transition.strip()
|
||||
if role in ROLE_LABELS:
|
||||
return role
|
||||
normalized = role.lower().replace(" ", "-")
|
||||
try:
|
||||
return ROLE_TRANSITIONS[normalized]
|
||||
except KeyError as exc:
|
||||
raise ValueError(
|
||||
f"unknown workflow role or transition '{role_or_transition}'"
|
||||
) from exc
|
||||
|
||||
|
||||
def transition_role_labels(
|
||||
existing_labels: Iterable[str | Mapping[str, object]] | Mapping[str, object],
|
||||
role_or_transition: str,
|
||||
) -> list[str]:
|
||||
"""Replace all active role labels with the requested canonical role."""
|
||||
new_role = canonical_role_label(role_or_transition)
|
||||
kept = [name for name in label_names(existing_labels) if not name.startswith("role:")]
|
||||
if new_role not in kept:
|
||||
kept.append(new_role)
|
||||
return kept
|
||||
|
||||
|
||||
def canonical_hazard_label(hazard: str) -> str:
|
||||
name = hazard.strip()
|
||||
if name in HAZARD_LABELS:
|
||||
return name
|
||||
normalized = name.lower().replace(" ", "-")
|
||||
try:
|
||||
return HAZARD_TRANSITIONS[normalized]
|
||||
except KeyError as exc:
|
||||
raise ValueError(f"unknown workflow hazard '{hazard}'") from exc
|
||||
|
||||
|
||||
def add_hazard_label(
|
||||
existing_labels: Iterable[str | Mapping[str, object]] | Mapping[str, object],
|
||||
hazard: str,
|
||||
) -> list[str]:
|
||||
"""Add a hazard flag without disturbing status/role/type labels (additive)."""
|
||||
new_hazard = canonical_hazard_label(hazard)
|
||||
kept = label_names(existing_labels)
|
||||
if new_hazard not in kept:
|
||||
kept.append(new_hazard)
|
||||
return kept
|
||||
|
||||
|
||||
def clear_hazard_label(
|
||||
existing_labels: Iterable[str | Mapping[str, object]] | Mapping[str, object],
|
||||
hazard: str,
|
||||
) -> list[str]:
|
||||
"""Remove a single hazard flag, leaving all other labels intact."""
|
||||
target = canonical_hazard_label(hazard)
|
||||
return [name for name in label_names(existing_labels) if name != target]
|
||||
|
||||
|
||||
def is_discussion(labels: Iterable[str | Mapping[str, object]] | Mapping[str, object]) -> bool:
|
||||
return "type:discussion" in type_labels(labels)
|
||||
|
||||
|
||||
def is_implementation_candidate(
|
||||
labels: Iterable[str | Mapping[str, object]] | Mapping[str, object],
|
||||
) -> bool:
|
||||
"""Whether an item may enter an implementation queue on labels alone.
|
||||
|
||||
Discussion issues are excluded (#603 AC3) unless a controller explicitly
|
||||
selects them; the allocator still cross-checks live lease/PR state and never
|
||||
trusts labels alone (#603 AC2).
|
||||
"""
|
||||
return not is_discussion(labels)
|
||||
|
||||
|
||||
def requires_blocking_reason(
|
||||
labels: Iterable[str | Mapping[str, object]] | Mapping[str, object],
|
||||
) -> bool:
|
||||
"""Whether the item must carry a blocking-reason / next-action comment (AC4).
|
||||
|
||||
True when blocked or when any hazard flag is present.
|
||||
"""
|
||||
names = label_names(labels)
|
||||
if "status:blocked" in names:
|
||||
return True
|
||||
return any(name.startswith("hazard:") for name in names)
|
||||
|
||||
|
||||
def labels_for_new_issue(
|
||||
issue_type: str | None = None,
|
||||
initial_status: str | None = None,
|
||||
@@ -188,6 +360,8 @@ def assess_issue_labels(
|
||||
names = label_names(labels)
|
||||
found_types = type_labels(names)
|
||||
found_statuses = status_labels(names)
|
||||
found_roles = role_labels(names)
|
||||
found_hazards = hazard_labels(names)
|
||||
errors: list[str] = []
|
||||
warnings: list[str] = []
|
||||
|
||||
@@ -202,6 +376,10 @@ def assess_issue_labels(
|
||||
"issue has multiple active status:* labels: "
|
||||
+ ", ".join(found_statuses)
|
||||
)
|
||||
if len(found_roles) > 1:
|
||||
errors.append(
|
||||
"issue has multiple active role:* labels: " + ", ".join(found_roles)
|
||||
)
|
||||
|
||||
for name in found_types:
|
||||
if name not in TYPE_LABELS:
|
||||
@@ -209,12 +387,20 @@ def assess_issue_labels(
|
||||
for name in found_statuses:
|
||||
if name not in STATUS_LABELS:
|
||||
warnings.append(f"unknown status label '{name}'")
|
||||
for name in found_roles:
|
||||
if name not in ROLE_LABELS:
|
||||
warnings.append(f"unknown role label '{name}'")
|
||||
for name in found_hazards:
|
||||
if name not in HAZARD_LABELS:
|
||||
warnings.append(f"unknown hazard label '{name}'")
|
||||
|
||||
return {
|
||||
"valid": not errors,
|
||||
"labels": names,
|
||||
"type_labels": found_types,
|
||||
"status_labels": found_statuses,
|
||||
"role_labels": found_roles,
|
||||
"hazard_labels": found_hazards,
|
||||
"errors": errors,
|
||||
"warnings": warnings,
|
||||
}
|
||||
|
||||
@@ -0,0 +1,723 @@
|
||||
"""First-class control-plane lease lifecycle (#601).
|
||||
|
||||
Active leases are queryable workflow state. Canonical operations:
|
||||
|
||||
* list / inspect
|
||||
* adopt (with provenance)
|
||||
* release (explicit, recorded)
|
||||
* expire / reclaim
|
||||
* abandon (requires proof: dead process and/or missing worktree, etc.)
|
||||
|
||||
Authority model:
|
||||
|
||||
* Control-plane DB is the coordination source for assignment/lease.
|
||||
* File locks and comment-only leases are **not** authoritative alone.
|
||||
* Reviewer/merger comment leases (``reviewer_pr_lease`` / merger adoption)
|
||||
remain for Gitea-thread durability; they must not bypass DB assignment when
|
||||
the control-plane path is in use.
|
||||
|
||||
Fail closed on ambiguous ownership, active foreign leases, mismatched
|
||||
worktree, stale head, missing capability, and unsafe cleanup.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import json
|
||||
import os
|
||||
from dataclasses import dataclass, field
|
||||
from datetime import datetime, timezone
|
||||
from typing import Any, Callable, Mapping
|
||||
|
||||
import control_plane_db as cpd
|
||||
|
||||
# Outcomes / safe next actions (stable vocabulary for tools + tests).
|
||||
SAFE_OWNER_RESUME = "owner_resume"
|
||||
SAFE_WAIT_FOREIGN = "wait_foreign_active"
|
||||
SAFE_RECLAIM_EXPIRED = "reclaim_expired"
|
||||
SAFE_ABANDON_ALLOWED = "abandon_allowed"
|
||||
SAFE_RELEASE_OWNED = "release_owned"
|
||||
SAFE_STALE_PROMPT = "stale_prompt_lease"
|
||||
SAFE_UNKNOWN = "inspect_only"
|
||||
SAFE_NO_AUTHORITY = "file_or_comment_not_authoritative"
|
||||
|
||||
LEASE_STATUS_ACTIVE = "active"
|
||||
LEASE_STATUS_RELEASED = "released"
|
||||
LEASE_STATUS_EXPIRED = "expired"
|
||||
LEASE_STATUS_ABANDONED = "abandoned"
|
||||
|
||||
AUTHORITATIVE_SOURCE = "control_plane_db"
|
||||
|
||||
|
||||
class LeaseLifecycleError(RuntimeError):
|
||||
"""Fail-closed lifecycle policy error."""
|
||||
|
||||
|
||||
@dataclass(frozen=True)
|
||||
class AbandonProof:
|
||||
"""Required evidence to abandon a non-owned or expired lease safely."""
|
||||
|
||||
dead_process: bool = False
|
||||
missing_worktree: bool = False
|
||||
same_owner: bool = False
|
||||
no_open_pr: bool = False
|
||||
no_live_mutation_risk: bool = False
|
||||
operator_authorized: bool = False
|
||||
worktree_path: str | None = None
|
||||
owner_pid: int | None = None
|
||||
notes: str = ""
|
||||
|
||||
def as_dict(self) -> dict[str, Any]:
|
||||
return {
|
||||
"dead_process": self.dead_process,
|
||||
"missing_worktree": self.missing_worktree,
|
||||
"same_owner": self.same_owner,
|
||||
"no_open_pr": self.no_open_pr,
|
||||
"no_live_mutation_risk": self.no_live_mutation_risk,
|
||||
"operator_authorized": self.operator_authorized,
|
||||
"worktree_path": self.worktree_path,
|
||||
"owner_pid": self.owner_pid,
|
||||
"notes": self.notes,
|
||||
}
|
||||
|
||||
def is_sufficient(self) -> bool:
|
||||
"""Abandon requires process death or missing worktree + no mutation risk.
|
||||
|
||||
Foreign active leases additionally need operator_authorized unless the
|
||||
owner process is dead and the worktree is missing.
|
||||
"""
|
||||
if not self.no_live_mutation_risk:
|
||||
return False
|
||||
if not (self.dead_process or self.missing_worktree):
|
||||
return False
|
||||
if self.same_owner:
|
||||
return True
|
||||
# Foreign abandon: operator flag OR (dead + missing worktree + no risk)
|
||||
if self.operator_authorized:
|
||||
return True
|
||||
return bool(self.dead_process and self.missing_worktree and self.no_open_pr)
|
||||
|
||||
|
||||
def is_process_alive(pid: int | None) -> bool:
|
||||
if pid is None:
|
||||
return False
|
||||
try:
|
||||
pid_i = int(pid)
|
||||
except (TypeError, ValueError):
|
||||
return False
|
||||
if pid_i <= 0:
|
||||
return False
|
||||
try:
|
||||
os.kill(pid_i, 0)
|
||||
return True
|
||||
except ProcessLookupError:
|
||||
return False
|
||||
except PermissionError:
|
||||
# Exists but not owned by us — treat as alive (fail closed).
|
||||
return True
|
||||
except OSError:
|
||||
return False
|
||||
|
||||
|
||||
def worktree_exists(path: str | None) -> bool:
|
||||
if not path:
|
||||
return False
|
||||
try:
|
||||
return os.path.isdir(os.path.realpath(path))
|
||||
except OSError:
|
||||
return False
|
||||
|
||||
|
||||
def _utc_now() -> datetime:
|
||||
return datetime.now(timezone.utc)
|
||||
|
||||
|
||||
def _parse_ts(value: str | None) -> datetime | None:
|
||||
return cpd._parse_ts(value)
|
||||
|
||||
|
||||
def classify_lease_freshness(
|
||||
lease: Mapping[str, Any],
|
||||
*,
|
||||
now: datetime | None = None,
|
||||
pid_checker: Callable[[int | None], bool] = is_process_alive,
|
||||
worktree_checker: Callable[[str | None], bool] = worktree_exists,
|
||||
) -> dict[str, Any]:
|
||||
"""Classify a control-plane lease row for workflow tooling."""
|
||||
moment = now or _utc_now()
|
||||
status = (lease.get("status") or "").strip().lower()
|
||||
expires = _parse_ts(lease.get("expires_at"))
|
||||
owner_pid = lease.get("owner_pid")
|
||||
if owner_pid is None:
|
||||
owner_pid = lease.get("session_pid")
|
||||
wt = lease.get("worktree_path")
|
||||
pid_alive = pid_checker(owner_pid) if owner_pid is not None else None
|
||||
wt_present = worktree_checker(wt) if wt else None
|
||||
expired_by_time = bool(expires and expires <= moment)
|
||||
|
||||
if status == LEASE_STATUS_ABANDONED:
|
||||
freshness = "abandoned"
|
||||
elif status == LEASE_STATUS_RELEASED:
|
||||
freshness = "released"
|
||||
elif status == LEASE_STATUS_EXPIRED or expired_by_time:
|
||||
freshness = "expired"
|
||||
elif status != LEASE_STATUS_ACTIVE:
|
||||
freshness = status or "unknown"
|
||||
elif pid_alive is False:
|
||||
freshness = "stale_dead_process"
|
||||
elif wt is not None and wt_present is False:
|
||||
freshness = "stale_missing_worktree"
|
||||
else:
|
||||
freshness = "active"
|
||||
|
||||
return {
|
||||
"freshness": freshness,
|
||||
"status": status,
|
||||
"expired_by_time": expired_by_time,
|
||||
"owner_pid": owner_pid,
|
||||
"owner_pid_alive": pid_alive,
|
||||
"worktree_path": wt,
|
||||
"worktree_present": wt_present,
|
||||
"expires_at": lease.get("expires_at"),
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
|
||||
def decide_safe_next_action(
|
||||
*,
|
||||
lease: Mapping[str, Any] | None,
|
||||
caller_session_id: str,
|
||||
freshness: Mapping[str, Any] | None = None,
|
||||
caller_worktree: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Return safe_next_action + reasons for a caller inspecting a lease."""
|
||||
if not lease:
|
||||
return {
|
||||
"safe_next_action": SAFE_STALE_PROMPT,
|
||||
"reasons": ["lease not found in control-plane DB (stale prompt id?)"],
|
||||
"block": True,
|
||||
}
|
||||
fr = freshness or classify_lease_freshness(lease)
|
||||
owner = str(lease.get("session_id") or "")
|
||||
same_owner = owner == str(caller_session_id)
|
||||
status = fr.get("freshness")
|
||||
reasons: list[str] = []
|
||||
|
||||
# Worktree mismatch for owner resume
|
||||
lease_wt = lease.get("worktree_path")
|
||||
if (
|
||||
same_owner
|
||||
and lease_wt
|
||||
and caller_worktree
|
||||
and os.path.realpath(str(lease_wt)) != os.path.realpath(str(caller_worktree))
|
||||
):
|
||||
return {
|
||||
"safe_next_action": SAFE_UNKNOWN,
|
||||
"reasons": [
|
||||
f"worktree mismatch: lease has {lease_wt!r}, caller has "
|
||||
f"{caller_worktree!r} (fail closed)"
|
||||
],
|
||||
"block": True,
|
||||
"same_owner": True,
|
||||
}
|
||||
|
||||
if status in ("abandoned", "released"):
|
||||
return {
|
||||
"safe_next_action": SAFE_STALE_PROMPT,
|
||||
"reasons": [f"lease status is {status}; do not adopt blindly"],
|
||||
"block": True,
|
||||
"same_owner": same_owner,
|
||||
}
|
||||
|
||||
if status == "expired" or fr.get("expired_by_time"):
|
||||
return {
|
||||
"safe_next_action": SAFE_RECLAIM_EXPIRED,
|
||||
"reasons": ["lease expired; reclaim via expire+assign or adopt reclaim path"],
|
||||
"block": False,
|
||||
"same_owner": same_owner,
|
||||
}
|
||||
|
||||
if status in ("stale_dead_process", "stale_missing_worktree"):
|
||||
if same_owner:
|
||||
return {
|
||||
"safe_next_action": SAFE_OWNER_RESUME,
|
||||
"reasons": [
|
||||
f"caller owns lease with freshness={status}; rebind via "
|
||||
"adopt/owner-resume or abandon with proof"
|
||||
],
|
||||
"block": False,
|
||||
"same_owner": True,
|
||||
"also_allowed": [SAFE_ABANDON_ALLOWED, SAFE_RELEASE_OWNED],
|
||||
}
|
||||
return {
|
||||
"safe_next_action": SAFE_ABANDON_ALLOWED,
|
||||
"reasons": [
|
||||
f"lease freshness={status}; abandon with required proof then reassign"
|
||||
],
|
||||
"block": False,
|
||||
"same_owner": False,
|
||||
}
|
||||
|
||||
if same_owner and status == "active":
|
||||
return {
|
||||
"safe_next_action": SAFE_OWNER_RESUME,
|
||||
"reasons": [
|
||||
"caller owns active lease; resume via heartbeat/assign owner-resume "
|
||||
"or release explicitly"
|
||||
],
|
||||
"block": False,
|
||||
"same_owner": True,
|
||||
"also_allowed": [SAFE_RELEASE_OWNED],
|
||||
}
|
||||
|
||||
if not same_owner and status == "active":
|
||||
return {
|
||||
"safe_next_action": SAFE_WAIT_FOREIGN,
|
||||
"reasons": [
|
||||
f"foreign active lease held by session {owner}; "
|
||||
"do not steal (fail closed)"
|
||||
],
|
||||
"block": True,
|
||||
"same_owner": False,
|
||||
"owner_session_id": owner,
|
||||
}
|
||||
|
||||
return {
|
||||
"safe_next_action": SAFE_UNKNOWN,
|
||||
"reasons": [f"unclassified freshness={status}"],
|
||||
"block": True,
|
||||
"same_owner": same_owner,
|
||||
}
|
||||
|
||||
|
||||
def non_db_lease_authority_report(
|
||||
*,
|
||||
file_lock_present: bool = False,
|
||||
comment_lease_present: bool = False,
|
||||
db_lease_present: bool = False,
|
||||
) -> dict[str, Any]:
|
||||
"""File/comment leases alone are not coordination authority (#601 / #600)."""
|
||||
authoritative = bool(db_lease_present)
|
||||
reasons: list[str] = []
|
||||
if file_lock_present and not db_lease_present:
|
||||
reasons.append(
|
||||
"file lock present but control-plane DB lease absent — "
|
||||
"file lock is not authoritative alone"
|
||||
)
|
||||
if comment_lease_present and not db_lease_present:
|
||||
reasons.append(
|
||||
"comment-only lease present but control-plane DB lease absent — "
|
||||
"comment lease is not authoritative alone"
|
||||
)
|
||||
if authoritative:
|
||||
reasons.append("control-plane DB lease is the coordination authority")
|
||||
return {
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE if authoritative else None,
|
||||
"db_lease_present": db_lease_present,
|
||||
"file_lock_present": file_lock_present,
|
||||
"comment_lease_present": comment_lease_present,
|
||||
"safe_next_action": (
|
||||
SAFE_UNKNOWN if authoritative else SAFE_NO_AUTHORITY
|
||||
),
|
||||
"reasons": reasons,
|
||||
"file_lock_only": bool(file_lock_present and not db_lease_present),
|
||||
"comment_lease_only": bool(comment_lease_present and not db_lease_present),
|
||||
}
|
||||
|
||||
|
||||
def build_adopt_provenance(
|
||||
*,
|
||||
adopted_from_session_id: str,
|
||||
adopted_by_session_id: str,
|
||||
work_kind: str,
|
||||
work_number: int,
|
||||
remote: str,
|
||||
org: str,
|
||||
repo: str,
|
||||
worktree_path: str | None,
|
||||
expected_head_sha: str | None,
|
||||
prior_lease_id: str | None,
|
||||
reason: str,
|
||||
) -> dict[str, Any]:
|
||||
return {
|
||||
"adopted_from_session_id": adopted_from_session_id,
|
||||
"adopted_by_session_id": adopted_by_session_id,
|
||||
"work_kind": work_kind,
|
||||
"work_number": int(work_number),
|
||||
"remote": remote,
|
||||
"org": org,
|
||||
"repo": repo,
|
||||
"worktree_path": worktree_path,
|
||||
"expected_head_sha": expected_head_sha,
|
||||
"prior_lease_id": prior_lease_id,
|
||||
"reason": reason,
|
||||
"recorded_at": cpd._ts(),
|
||||
"source": "lease_lifecycle.adopt",
|
||||
}
|
||||
|
||||
|
||||
def inspect_lease(
|
||||
db: cpd.ControlPlaneDB,
|
||||
lease_id: str,
|
||||
*,
|
||||
caller_session_id: str,
|
||||
caller_worktree: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Full first-class lease workflow state for one lease id."""
|
||||
state = db.get_lease_workflow_state(lease_id)
|
||||
if not state:
|
||||
decision = decide_safe_next_action(
|
||||
lease=None, caller_session_id=caller_session_id
|
||||
)
|
||||
return {
|
||||
"success": True,
|
||||
"found": False,
|
||||
"lease_id": lease_id,
|
||||
"lease": None,
|
||||
"freshness": None,
|
||||
**decision,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
lease = state["lease"]
|
||||
freshness = classify_lease_freshness(lease)
|
||||
decision = decide_safe_next_action(
|
||||
lease=lease,
|
||||
caller_session_id=caller_session_id,
|
||||
freshness=freshness,
|
||||
caller_worktree=caller_worktree,
|
||||
)
|
||||
return {
|
||||
"success": True,
|
||||
"found": True,
|
||||
"lease_id": lease_id,
|
||||
"lease": lease,
|
||||
"assignment": state.get("assignment"),
|
||||
"work_item": state.get("work_item"),
|
||||
"session": state.get("session"),
|
||||
"freshness": freshness,
|
||||
"provenance": state.get("provenance"),
|
||||
**decision,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
|
||||
def list_active_leases(
|
||||
db: cpd.ControlPlaneDB,
|
||||
*,
|
||||
remote: str | None = None,
|
||||
org: str | None = None,
|
||||
repo: str | None = None,
|
||||
role: str | None = None,
|
||||
include_non_active: bool = False,
|
||||
limit: int = 100,
|
||||
) -> dict[str, Any]:
|
||||
statuses = None if include_non_active else (LEASE_STATUS_ACTIVE,)
|
||||
rows = db.list_leases(
|
||||
remote=remote,
|
||||
org=org,
|
||||
repo=repo,
|
||||
role=role,
|
||||
statuses=statuses,
|
||||
limit=limit,
|
||||
)
|
||||
enriched = []
|
||||
for row in rows:
|
||||
fr = classify_lease_freshness(row)
|
||||
enriched.append({**row, "freshness": fr})
|
||||
return {
|
||||
"success": True,
|
||||
"count": len(enriched),
|
||||
"leases": enriched,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
"include_non_active": include_non_active,
|
||||
}
|
||||
|
||||
|
||||
def adopt_lease(
|
||||
db: cpd.ControlPlaneDB,
|
||||
*,
|
||||
lease_id: str,
|
||||
adopter_session_id: str,
|
||||
role: str,
|
||||
worktree_path: str | None = None,
|
||||
expected_head_sha: str | None = None,
|
||||
owner_pid: int | None = None,
|
||||
operator_authorized: bool = False,
|
||||
) -> dict[str, Any]:
|
||||
"""Sanctioned adopt path with provenance; never silent foreign steal."""
|
||||
state = db.get_lease_workflow_state(lease_id)
|
||||
if not state:
|
||||
raise LeaseLifecycleError(
|
||||
f"unknown lease_id {lease_id}; stale prompt id (fail closed)"
|
||||
)
|
||||
lease = state["lease"]
|
||||
work = state["work_item"]
|
||||
freshness = classify_lease_freshness(lease)
|
||||
owner = str(lease.get("session_id") or "")
|
||||
same_owner = owner == str(adopter_session_id)
|
||||
|
||||
if freshness["freshness"] == "active" and not same_owner:
|
||||
raise LeaseLifecycleError(
|
||||
f"refusing to steal active foreign lease {lease_id} owned by "
|
||||
f"{owner} (fail closed)"
|
||||
)
|
||||
|
||||
if freshness["freshness"] in ("abandoned", "released"):
|
||||
raise LeaseLifecycleError(
|
||||
f"lease {lease_id} is {freshness['freshness']}; cannot adopt "
|
||||
"(fail closed)"
|
||||
)
|
||||
|
||||
# Expired or stale: require abandon-style safety before ownership transfer
|
||||
# when not same owner; same owner may reclaim.
|
||||
if not same_owner and freshness["freshness"] in (
|
||||
"expired",
|
||||
"stale_dead_process",
|
||||
"stale_missing_worktree",
|
||||
):
|
||||
if not operator_authorized and freshness["freshness"] == "expired":
|
||||
# Deterministic reclaim of expired foreign lease is allowed
|
||||
# without operator flag (sanctioned expire reclaim).
|
||||
pass
|
||||
elif freshness["freshness"] != "expired" and not operator_authorized:
|
||||
# stale active-looking requires abandon proof path
|
||||
raise LeaseLifecycleError(
|
||||
f"lease {lease_id} freshness={freshness['freshness']}; "
|
||||
"use abandon with proof before foreign adopt (fail closed)"
|
||||
)
|
||||
|
||||
provenance = build_adopt_provenance(
|
||||
adopted_from_session_id=owner,
|
||||
adopted_by_session_id=adopter_session_id,
|
||||
work_kind=str(work.get("kind")),
|
||||
work_number=int(work.get("number")),
|
||||
remote=str(work.get("remote")),
|
||||
org=str(work.get("org")),
|
||||
repo=str(work.get("repo")),
|
||||
worktree_path=worktree_path,
|
||||
expected_head_sha=expected_head_sha or lease.get("expected_head_sha"),
|
||||
prior_lease_id=lease_id,
|
||||
reason=(
|
||||
"owner-resume-adopt" if same_owner else "sanctioned-reclaim-adopt"
|
||||
),
|
||||
)
|
||||
|
||||
result = db.adopt_lease(
|
||||
lease_id=lease_id,
|
||||
adopter_session_id=adopter_session_id,
|
||||
role=role,
|
||||
worktree_path=worktree_path,
|
||||
expected_head_sha=expected_head_sha,
|
||||
owner_pid=owner_pid if owner_pid is not None else os.getpid(),
|
||||
provenance=provenance,
|
||||
)
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": result.get("outcome"),
|
||||
"same_owner": same_owner,
|
||||
"prior_lease_id": lease_id,
|
||||
"lease": result.get("lease"),
|
||||
"assignment": result.get("assignment"),
|
||||
"provenance": provenance,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
"reasons": result.get("reasons") or [],
|
||||
}
|
||||
|
||||
|
||||
def release_lease(
|
||||
db: cpd.ControlPlaneDB,
|
||||
*,
|
||||
lease_id: str,
|
||||
session_id: str,
|
||||
) -> dict[str, Any]:
|
||||
proof = db.release_lease_recorded(lease_id=lease_id, session_id=session_id)
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": "released",
|
||||
"lease_id": lease_id,
|
||||
"session_id": session_id,
|
||||
"release_proof": proof,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
|
||||
def expire_leases(db: cpd.ControlPlaneDB) -> dict[str, Any]:
|
||||
n = db.expire_stale_leases()
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": "expired",
|
||||
"expired_count": int(n),
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
|
||||
def reclaim_expired_lease(
|
||||
db: cpd.ControlPlaneDB,
|
||||
*,
|
||||
lease_id: str,
|
||||
session_id: str,
|
||||
role: str,
|
||||
worktree_path: str | None = None,
|
||||
expected_head_sha: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Expire-if-needed then assign to *session_id* for the same work item."""
|
||||
state = db.get_lease_workflow_state(lease_id)
|
||||
if not state:
|
||||
raise LeaseLifecycleError(f"unknown lease_id {lease_id}")
|
||||
lease = state["lease"]
|
||||
work = state["work_item"]
|
||||
freshness = classify_lease_freshness(lease)
|
||||
if freshness["freshness"] == "active":
|
||||
if lease.get("session_id") != session_id:
|
||||
raise LeaseLifecycleError(
|
||||
f"cannot reclaim active foreign lease {lease_id} (fail closed)"
|
||||
)
|
||||
# owner resume
|
||||
return adopt_lease(
|
||||
db,
|
||||
lease_id=lease_id,
|
||||
adopter_session_id=session_id,
|
||||
role=role,
|
||||
worktree_path=worktree_path,
|
||||
expected_head_sha=expected_head_sha,
|
||||
)
|
||||
if freshness["freshness"] not in (
|
||||
"expired",
|
||||
"stale_dead_process",
|
||||
"stale_missing_worktree",
|
||||
"abandoned",
|
||||
"released",
|
||||
):
|
||||
raise LeaseLifecycleError(
|
||||
f"lease {lease_id} freshness={freshness['freshness']} not reclaimable"
|
||||
)
|
||||
|
||||
# Ensure expired marker is applied
|
||||
db.expire_stale_leases()
|
||||
# If still active due to clock skew / non-time stale, force expire this lease
|
||||
refreshed = db.get_lease_workflow_state(lease_id)
|
||||
if refreshed and refreshed["lease"].get("status") == "active":
|
||||
db.force_expire_lease(lease_id, reason="reclaim_expired_lease")
|
||||
|
||||
head = expected_head_sha or work.get("current_head_sha")
|
||||
assigned = db.assign_and_lease(
|
||||
session_id=session_id,
|
||||
role=role,
|
||||
remote=str(work["remote"]),
|
||||
org=str(work["org"]),
|
||||
repo=str(work["repo"]),
|
||||
kind=str(work["kind"]),
|
||||
number=int(work["number"]),
|
||||
expected_head_sha=head,
|
||||
phase="reclaimed",
|
||||
worktree_path=worktree_path,
|
||||
owner_pid=os.getpid(),
|
||||
)
|
||||
if assigned.outcome != "assigned":
|
||||
raise LeaseLifecycleError(
|
||||
f"reclaim assign failed: {assigned.outcome} — {assigned.reason}"
|
||||
)
|
||||
provenance = build_adopt_provenance(
|
||||
adopted_from_session_id=str(lease.get("session_id")),
|
||||
adopted_by_session_id=session_id,
|
||||
work_kind=str(work["kind"]),
|
||||
work_number=int(work["number"]),
|
||||
remote=str(work["remote"]),
|
||||
org=str(work["org"]),
|
||||
repo=str(work["repo"]),
|
||||
worktree_path=worktree_path,
|
||||
expected_head_sha=head,
|
||||
prior_lease_id=lease_id,
|
||||
reason="reclaim_expired",
|
||||
)
|
||||
db.attach_lease_provenance(assigned.lease_id, provenance)
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": "reclaimed",
|
||||
"prior_lease_id": lease_id,
|
||||
"assignment": assigned.as_dict(),
|
||||
"provenance": provenance,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
|
||||
|
||||
def abandon_lease(
|
||||
db: cpd.ControlPlaneDB,
|
||||
*,
|
||||
lease_id: str,
|
||||
requester_session_id: str,
|
||||
proof: AbandonProof,
|
||||
) -> dict[str, Any]:
|
||||
state = db.get_lease_workflow_state(lease_id)
|
||||
if not state:
|
||||
raise LeaseLifecycleError(f"unknown lease_id {lease_id}")
|
||||
lease = state["lease"]
|
||||
owner = str(lease.get("session_id") or "")
|
||||
same_owner = owner == str(requester_session_id)
|
||||
|
||||
# Enrich proof with live checks when not provided
|
||||
owner_pid = proof.owner_pid
|
||||
if owner_pid is None:
|
||||
owner_pid = lease.get("owner_pid")
|
||||
wt = proof.worktree_path if proof.worktree_path is not None else lease.get(
|
||||
"worktree_path"
|
||||
)
|
||||
dead = proof.dead_process or (
|
||||
owner_pid is not None and not is_process_alive(owner_pid)
|
||||
)
|
||||
missing_wt = proof.missing_worktree or (
|
||||
bool(wt) and not worktree_exists(str(wt))
|
||||
)
|
||||
enriched = AbandonProof(
|
||||
dead_process=bool(dead),
|
||||
missing_worktree=bool(missing_wt),
|
||||
same_owner=same_owner or proof.same_owner,
|
||||
no_open_pr=proof.no_open_pr,
|
||||
no_live_mutation_risk=proof.no_live_mutation_risk,
|
||||
operator_authorized=proof.operator_authorized,
|
||||
worktree_path=str(wt) if wt else None,
|
||||
owner_pid=int(owner_pid) if owner_pid is not None else None,
|
||||
notes=proof.notes,
|
||||
)
|
||||
if not enriched.is_sufficient():
|
||||
raise LeaseLifecycleError(
|
||||
"abandon proof insufficient: need (dead_process or missing_worktree) "
|
||||
"and no_live_mutation_risk; foreign abandon also needs "
|
||||
"operator_authorized or (dead+missing_worktree+no_open_pr). "
|
||||
f"proof={enriched.as_dict()}"
|
||||
)
|
||||
|
||||
# Active foreign with live process + present worktree: never abandon without
|
||||
# operator (already covered by is_sufficient).
|
||||
result = db.abandon_lease(
|
||||
lease_id=lease_id,
|
||||
requester_session_id=requester_session_id,
|
||||
proof=enriched.as_dict(),
|
||||
)
|
||||
return {
|
||||
"success": True,
|
||||
"outcome": "abandoned",
|
||||
"lease_id": lease_id,
|
||||
"requester_session_id": requester_session_id,
|
||||
"prior_owner_session_id": owner,
|
||||
"abandon_proof": enriched.as_dict(),
|
||||
"audit": result,
|
||||
"authoritative_source": AUTHORITATIVE_SOURCE,
|
||||
"file_lock_only": False,
|
||||
"comment_lease_only": False,
|
||||
}
|
||||
+12
-4
@@ -22,7 +22,7 @@ venv_python = os.path.join(PROJECT_ROOT, "venv", "bin", "python3")
|
||||
if os.path.exists(venv_python) and sys.executable != venv_python:
|
||||
os.execv(venv_python, [venv_python] + sys.argv)
|
||||
|
||||
from gitea_auth import get_auth_header, api_request, repo_api_url
|
||||
from gitea_auth import get_auth_header, api_request, api_get_all, repo_api_url
|
||||
import issue_workflow_labels
|
||||
|
||||
HOST = "gitea.dadeschools.net"
|
||||
@@ -82,9 +82,17 @@ def api(method, path, auth, payload=None):
|
||||
|
||||
|
||||
def _labels_by_name(auth):
|
||||
"""Return {label name: id} for the repo's existing labels."""
|
||||
existing = api("GET", "/labels?limit=100", auth) or []
|
||||
return {lb["name"]: lb["id"] for lb in existing}
|
||||
"""Return {label name: id} for the repo's existing labels (all pages, #627)."""
|
||||
existing = api_get_all(f"{BASE_URL}/labels", auth) or []
|
||||
name_to_id = {}
|
||||
for lb in existing:
|
||||
if not isinstance(lb, dict):
|
||||
continue
|
||||
name = lb.get("name")
|
||||
lid = lb.get("id")
|
||||
if name and lid is not None and name not in name_to_id:
|
||||
name_to_id[name] = lid
|
||||
return name_to_id
|
||||
|
||||
|
||||
def create_labels(auth, dry=False):
|
||||
|
||||
+5
-5
@@ -17,7 +17,7 @@ if os.path.exists(venv_python) and sys.executable != venv_python:
|
||||
|
||||
from gitea_auth import (
|
||||
get_auth_header, resolve_remote, add_remote_args,
|
||||
api_request, repo_api_url,
|
||||
api_request, api_get_all, repo_api_url,
|
||||
)
|
||||
|
||||
LABEL_NAME = "status:in-progress"
|
||||
@@ -45,12 +45,12 @@ def main(argv=None):
|
||||
base = repo_api_url(host, org, repo)
|
||||
|
||||
try:
|
||||
# Find the label ID
|
||||
labels = api_request("GET", f"{base}/labels?limit=100", auth)
|
||||
# Paginated inventory (#627): Gitea caps single pages at 50.
|
||||
labels = api_get_all(f"{base}/labels", auth) or []
|
||||
label_id = None
|
||||
for lb in labels:
|
||||
if lb["name"] == LABEL_NAME:
|
||||
label_id = lb["id"]
|
||||
if lb.get("name") == LABEL_NAME:
|
||||
label_id = lb.get("id")
|
||||
break
|
||||
|
||||
if label_id is None:
|
||||
|
||||
@@ -29,6 +29,11 @@ class UnsanctionedRuntimeError(RuntimeError):
|
||||
|
||||
|
||||
def is_pytest_runtime() -> bool:
|
||||
if os.environ.get("GITEA_TEST_FORCE_UNSANCTIONED") == "1":
|
||||
return False
|
||||
import sys
|
||||
if "pytest" in sys.modules:
|
||||
return True
|
||||
return bool((os.environ.get("PYTEST_CURRENT_TEST") or "").strip())
|
||||
|
||||
|
||||
|
||||
+2
-1
@@ -6,7 +6,8 @@ Runs over stdio. All tools authenticate via macOS keychain (git credential fill)
|
||||
import os
|
||||
import sys
|
||||
|
||||
sys.stderr = open("/tmp/mcp_server_stderr.log", "a", buffering=1)
|
||||
if "PYTEST_CURRENT_TEST" not in os.environ:
|
||||
sys.stderr = open("/tmp/mcp_server_stderr.log", "a", buffering=1)
|
||||
sys.stderr.write(f"\n--- MCP SERVER STARTUP (PID {os.getpid()}) ---\n")
|
||||
|
||||
from role_session_router import (
|
||||
|
||||
@@ -31,6 +31,11 @@ DEFAULT_TTL_HOURS = 4.0
|
||||
KIND_WORKFLOW_LOAD = "review_workflow_load"
|
||||
KIND_DECISION_LOCK = "review_decision_lock"
|
||||
KIND_REVIEW_DRAFT = "review_draft"
|
||||
# Durable marker set when a worker session attempts a direct stable-branch push
|
||||
# or a root-checkout local commit (#671). Keyed per profile identity like the
|
||||
# other session proofs; a contaminated session fails closed on gated mutations
|
||||
# until a reconciler audits and clears it.
|
||||
KIND_STABLE_BRANCH_CONTAMINATION = "stable_branch_contamination"
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -27,6 +27,20 @@ _READONLY_REVIEWER_GIT = re.compile(
|
||||
_GIT_INVOCATION = re.compile(r"\bgit\b", re.IGNORECASE)
|
||||
|
||||
|
||||
# #673: Canonical pattern for identifying review worktrees under branches/.
|
||||
REVIEW_WORKTREE_RE = re.compile(
|
||||
r"branches/(?:review-pr\d+[\w/-]*|merge-simulation-pr\d+|review-[\w-]+)",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
|
||||
|
||||
def is_review_worktree_path(path: str) -> bool:
|
||||
"""True when the path belongs to a reviewer or simulation worktree."""
|
||||
normalized = (path or "").replace("\\", "/")
|
||||
return bool(REVIEW_WORKTREE_RE.search(normalized))
|
||||
|
||||
|
||||
|
||||
def parse_dirty_tracked_files(porcelain: str) -> list[str]:
|
||||
"""Return tracked paths with local modifications from ``git status --porcelain``.
|
||||
|
||||
|
||||
@@ -5,10 +5,9 @@ from __future__ import annotations
|
||||
import re
|
||||
from typing import Any
|
||||
|
||||
_SESSION_OWNED_RE = re.compile(
|
||||
r"branches/(?:review-pr\d+[\w/-]*|review-[\w-]+)",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
from reviewer_worktree import REVIEW_WORKTREE_RE
|
||||
|
||||
_SESSION_OWNED_RE = REVIEW_WORKTREE_RE
|
||||
_WORKTREE_PATH_RE = re.compile(
|
||||
r"(?:review worktree path|worktree path|session-owned worktree)\s*:\s*(\S+)",
|
||||
re.IGNORECASE,
|
||||
|
||||
@@ -32,6 +32,15 @@ workflow file.
|
||||
mutation.
|
||||
- A nearby capability does not count.
|
||||
- Do not self-review or self-merge.
|
||||
- **Never push a stable branch directly.** Worker sessions (author/reviewer/merger)
|
||||
must never run `git push <remote> master` — or `main`/`dev`/other stable refs,
|
||||
including refspecs (`HEAD:master`), `--force`, `--delete`, or `--dry-run` no-op
|
||||
probes — and must never commit on the root/control checkout outside an issue
|
||||
feature branch. Stable-branch updates land ONLY through sanctioned Gitea merge
|
||||
tooling (`gitea_merge_pr`) or an explicitly authorized reconciler path. A
|
||||
detected attempt marks the session workflow-contaminated (#671) and fails
|
||||
closed on review/merge/close/completion until a reconciler audits and clears
|
||||
it. `git fetch` / `git pull --ff-only` and feature-branch pushes stay allowed.
|
||||
- Do not mix modes in one run.
|
||||
- **BLOCKED + DIAGNOSE default rule (required):** If any required workflow step, skill, tool, capability, preflight, instruction, profile, worktree binding, or terminal/MCP operation cannot be performed or loaded (including the canonical ones listed in this skill and its loaded workflow), immediately enter `BLOCKED + DIAGNOSE`. Stop before any git or Gitea mutation. Diagnose using the standard template in [`templates/blocked-diagnose-report.md`](templates/blocked-diagnose-report.md). Attempt *only* safe non-mutating recovery. Report using the template. Do not continue, use fallbacks, or treat the missing requirement as harmless.
|
||||
- If the required workflow cannot be loaded, stop and produce a recovery handoff
|
||||
@@ -48,6 +57,11 @@ workflow file.
|
||||
- wrong profile or role for the requested operation
|
||||
- dirty or misbound worktree (root checkout or non-branches/ path)
|
||||
- root checkout mutation risk
|
||||
- stable-branch push contamination (#671): a direct `git push <remote> master`
|
||||
(or `main`/`dev`) equivalent, or a root/control-checkout commit not on an issue
|
||||
feature branch, marks the session workflow-contaminated; review/merge/close/
|
||||
completion mutations then fail closed until a reconciler audits and clears it
|
||||
(`gitea_audit_stable_branch_contamination action=clear`, reconciler-only)
|
||||
- mutation guard failure (e.g. branches-only guard)
|
||||
- missing required MCP tool/schema or operation
|
||||
- stale or inconsistent runtime state (e.g. lease vs actual, dirty state disagreement)
|
||||
@@ -118,6 +132,42 @@ The main project checkout is a stable control checkout on `master`, `main`, or
|
||||
If `cwd` is not inside `branches/`, stop before any file edit, test write,
|
||||
commit, merge, rebase, or cleanup. The main checkout is orchestration-only.
|
||||
|
||||
## Stable Branch Push Protection (#671)
|
||||
|
||||
Worker sessions must **never** publish a stable branch directly. This is the
|
||||
prevention hardening for the #670 incident (a bare direct-to-master commit
|
||||
`2fa97c26` and a PR #654 merger `git push prgs master` attempt).
|
||||
|
||||
**Forbidden for author/reviewer/merger sessions:**
|
||||
|
||||
- `git push <remote> master` (and `main`, `dev`, `develop`, `development`),
|
||||
including refspecs (`HEAD:master`, `+refs/heads/x:refs/heads/master`),
|
||||
`--force`, `--delete` / `:master`, and `--dry-run`/`-n` no-op probes (a
|
||||
dry-run still proves intent and contaminates the session).
|
||||
- Local commits on the root/control checkout that are not carried by an issue
|
||||
feature branch under `branches/`.
|
||||
|
||||
**Allowed (never blocked):**
|
||||
|
||||
- `git fetch` and `git pull --ff-only` of master into the control checkout when
|
||||
authorized for sync.
|
||||
- Feature-branch pushes to non-stable refs (`git push <remote> fix/issue-N-...`).
|
||||
- Sanctioned merges via `gitea_merge_pr` / the Gitea API merge endpoint — the
|
||||
**only** way stable branches advance.
|
||||
|
||||
**What happens on a detected attempt:** the session is marked
|
||||
workflow-contaminated (durable `stable_branch_contamination` marker, redacted
|
||||
command summary + session id + remote + ref). While contaminated, all
|
||||
review / merge / close / issue-completion mutations fail closed. `comment_issue`
|
||||
and `lock_issue` remain allowed so the contaminated worker can post the durable
|
||||
audit comment and hand off. Contamination **cannot be self-cleared** — only a
|
||||
reconciler audit (`gitea_audit_stable_branch_contamination action=clear`) may
|
||||
clear it.
|
||||
|
||||
Tooling: call `gitea_record_stable_branch_push_attempt` to classify/record a
|
||||
proposed push before running it; `gitea_audit_stable_branch_contamination` to
|
||||
inspect or (reconciler-only) clear the marker.
|
||||
|
||||
## Shell Spawn Hard-Stop Rule
|
||||
|
||||
`exit_code: -1` with empty stdout/stderr means the shell failed to spawn — not a
|
||||
|
||||
@@ -0,0 +1,478 @@
|
||||
"""Fail-closed guard against direct pushes to stable branches (#671).
|
||||
|
||||
MCP workflow sessions must never publish to a stable branch (``master``,
|
||||
``main``, ``dev``, ...) directly. Stable-branch updates land only through
|
||||
sanctioned Gitea merge tooling or an explicitly authorized reconciler path.
|
||||
|
||||
Incident origin (#670): a bare direct-to-master commit ``2fa97c26`` landed on
|
||||
``prgs/master`` without PR/review provenance, and a PR #654 merger run
|
||||
attempted ``git push prgs master`` (audited as a no-op, but the *intent* is the
|
||||
hazard). Partial protections already existed (``author_proofs.PROTECTED_BRANCHES``,
|
||||
``root_checkout_guard``, branch-push proofs) but did not detect shell push
|
||||
equivalents, mark the session contaminated after such an attempt, or fail
|
||||
closed on subsequent review/merge/close/completion mutations.
|
||||
|
||||
This module is the detection + contamination-policy core. Like
|
||||
``author_proofs`` and ``root_checkout_guard`` it is **pure**: callers gather
|
||||
the raw facts (the proposed command line, git state, the durable contamination
|
||||
marker) and pass them in, so the same logic serves prompts, MCP gates, and
|
||||
tests. Nothing here performs git or network calls or reads durable state; the
|
||||
server wires these helpers to ``mcp_session_state`` and ``verify_preflight_purity``.
|
||||
|
||||
Design rules honoured (from the #671 acceptance criteria):
|
||||
|
||||
* Detect ``git push <remote> master`` shell equivalents, including refspecs
|
||||
(``HEAD:master``, ``+refs/heads/x:refs/heads/master``), ``--force``,
|
||||
``--dry-run``/no-op intent, and delete refspecs (``:master``).
|
||||
* Never false-block a feature-branch push (``git push prgs fix/issue-671-...``).
|
||||
* Never treat ``git fetch`` / ``git pull --ff-only`` as a push.
|
||||
* Never treat sanctioned ``gitea_merge_pr`` / Gitea API merge as a push.
|
||||
* Fail closed on ambiguous targets that *may* resolve to a stable branch, but
|
||||
surface ambiguity as its own signal rather than silently blocking feature work.
|
||||
* Contamination must not be clearable by the same worker session — only a
|
||||
reconciler (audit) role may clear or bypass the gate.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import re
|
||||
from typing import Any, Iterable
|
||||
|
||||
from author_proofs import PROTECTED_BRANCHES
|
||||
|
||||
# Single source of truth for the stable branch set: the same protected set the
|
||||
# author branch-identity proofs already enforce (#177), so the two guards can
|
||||
# never drift apart.
|
||||
STABLE_BRANCHES = PROTECTED_BRANCHES
|
||||
|
||||
# Mutations that must fail closed once the session is contaminated by a direct
|
||||
# stable-branch push attempt (#671 AC4: review, merge, close, completion).
|
||||
# ``comment_issue`` / ``lock_issue`` / ``create_issue`` are deliberately NOT
|
||||
# gated so a contaminated worker can still post the durable audit comment and
|
||||
# hand off. Only a reconciler (audit) role bypasses this set.
|
||||
CONTAMINATION_GATED_TASKS = frozenset({
|
||||
"create_pr",
|
||||
"commit_files",
|
||||
"gitea_commit_files",
|
||||
"close_pr",
|
||||
"close_issue",
|
||||
"review_pr",
|
||||
"approve_pr",
|
||||
"request_changes_pr",
|
||||
"submit_pr_review",
|
||||
"merge_pr",
|
||||
"delete_branch",
|
||||
"complete_issue",
|
||||
})
|
||||
|
||||
CONTAMINATION_KIND = "stable_branch_push"
|
||||
|
||||
REMEDIATION = (
|
||||
"Direct stable-branch publication is forbidden for worker sessions. Stop, "
|
||||
"leave the stable branch untouched, and route the change through sanctioned "
|
||||
"Gitea merge tooling (gitea_merge_pr) or an explicitly authorized reconciler "
|
||||
"audit. This session is workflow-contaminated until a reconciler audits it."
|
||||
)
|
||||
|
||||
# ── command tokenising ────────────────────────────────────────────────────────
|
||||
|
||||
# Split a compound command line into individual simple commands on shell
|
||||
# separators so ``a && git push prgs master`` is analysed segment by segment.
|
||||
_SEGMENT_SPLIT_RE = re.compile(r"(?:\|\||&&|\||;|\n)")
|
||||
|
||||
_GIT_PUSH_RE = re.compile(r"\bgit\b[\w\s\-]*?\bpush\b", re.IGNORECASE)
|
||||
_GIT_FETCH_RE = re.compile(r"\bgit\b[\w\s\-]*?\b(?:fetch|pull)\b", re.IGNORECASE)
|
||||
|
||||
# Flags that take a value argument in ``git push`` (so the following token is
|
||||
# consumed as the flag's value, not a refspec).
|
||||
_VALUE_FLAGS = frozenset({
|
||||
"--repo",
|
||||
"-o",
|
||||
"--push-option",
|
||||
"--receive-pack",
|
||||
"--exec",
|
||||
})
|
||||
|
||||
_FORCE_FLAGS = frozenset({"-f", "--force"})
|
||||
_DRY_RUN_FLAGS = frozenset({"-n", "--dry-run"})
|
||||
_DELETE_FLAGS = frozenset({"-d", "--delete"})
|
||||
|
||||
|
||||
def _clean(value: str | None) -> str:
|
||||
return (value or "").strip()
|
||||
|
||||
|
||||
def _strip_ref_prefix(ref: str) -> str:
|
||||
ref = ref.strip()
|
||||
for prefix in ("refs/heads/", "heads/"):
|
||||
if ref.startswith(prefix):
|
||||
return ref[len(prefix):]
|
||||
return ref
|
||||
|
||||
|
||||
def is_stable_ref(ref: str | None) -> bool:
|
||||
"""True when ``ref`` names a configured stable branch."""
|
||||
name = _strip_ref_prefix(_clean(ref))
|
||||
return bool(name) and name in STABLE_BRANCHES
|
||||
|
||||
|
||||
# ── redaction ─────────────────────────────────────────────────────────────────
|
||||
|
||||
_URL_USERINFO_RE = re.compile(r"(https?://)[^/\s:@]+(?::[^/\s@]+)?@", re.IGNORECASE)
|
||||
_SECRET_ASSIGN_RE = re.compile(
|
||||
r"\b((?:GITEA_)?(?:TOKEN|PASSWORD|PASS|PAT|SECRET|API_KEY|AUTH))\s*=\s*\S+",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
_BEARER_RE = re.compile(r"\b(Bearer|token)\s+[A-Za-z0-9._\-]{8,}", re.IGNORECASE)
|
||||
|
||||
|
||||
def redact_command(command: str | None) -> str:
|
||||
"""Strip credentials/URLs from a command line before logging it (#671).
|
||||
|
||||
Redacts URL userinfo (``https://user:tok@host`` → ``https://***@host``),
|
||||
``TOKEN=...`` style assignments, and bearer/token headers. Leaves the
|
||||
structural parts (``git push <remote> master``) intact for audit value.
|
||||
"""
|
||||
text = _clean(command)
|
||||
if not text:
|
||||
return ""
|
||||
text = _URL_USERINFO_RE.sub(r"\1***@", text)
|
||||
text = _SECRET_ASSIGN_RE.sub(lambda m: f"{m.group(1)}=***", text)
|
||||
text = _BEARER_RE.sub(lambda m: f"{m.group(1)} ***", text)
|
||||
return text
|
||||
|
||||
|
||||
# ── push classification ───────────────────────────────────────────────────────
|
||||
|
||||
def _analyse_push_segment(segment: str) -> dict[str, Any]:
|
||||
"""Classify one ``git push ...`` command segment."""
|
||||
tokens = segment.split()
|
||||
# Drop everything up to and including the ``push`` verb.
|
||||
try:
|
||||
push_idx = next(
|
||||
i for i, tok in enumerate(tokens)
|
||||
if tok.lower() == "push"
|
||||
)
|
||||
except StopIteration:
|
||||
push_idx = -1
|
||||
args = tokens[push_idx + 1:] if push_idx >= 0 else []
|
||||
|
||||
is_force = False
|
||||
is_dry_run = False
|
||||
is_delete = False
|
||||
positionals: list[str] = []
|
||||
|
||||
skip_next = False
|
||||
for tok in args:
|
||||
if skip_next:
|
||||
skip_next = False
|
||||
continue
|
||||
if tok in _FORCE_FLAGS or tok.startswith("--force-with-lease") or tok.startswith("--force-if-includes"):
|
||||
is_force = True
|
||||
continue
|
||||
if tok in _DRY_RUN_FLAGS:
|
||||
is_dry_run = True
|
||||
continue
|
||||
if tok in _DELETE_FLAGS:
|
||||
is_delete = True
|
||||
continue
|
||||
if tok in _VALUE_FLAGS:
|
||||
skip_next = True
|
||||
continue
|
||||
if tok.startswith("--") and "=" in tok:
|
||||
# e.g. --repo=... : self-contained, not a refspec.
|
||||
continue
|
||||
if tok.startswith("-"):
|
||||
# Unknown/combined short flag; ignore for ref detection.
|
||||
continue
|
||||
positionals.append(tok)
|
||||
|
||||
# First positional after push is the remote (when any positional exists);
|
||||
# the rest are refspecs / branch names.
|
||||
remote = positionals[0] if positionals else None
|
||||
refspecs = positionals[1:]
|
||||
|
||||
stable_refs: list[str] = []
|
||||
force_to_stable = False
|
||||
delete_stable = False
|
||||
for spec in refspecs:
|
||||
force_spec = spec.startswith("+")
|
||||
body = spec[1:] if force_spec else spec
|
||||
if ":" in body:
|
||||
src, _, dst = body.partition(":")
|
||||
dest = dst
|
||||
if src == "" and dst:
|
||||
# ``:master`` — delete refspec.
|
||||
is_delete = True
|
||||
else:
|
||||
dest = body
|
||||
if is_stable_ref(dest):
|
||||
stable_refs.append(_strip_ref_prefix(dest))
|
||||
if force_spec or is_force:
|
||||
force_to_stable = True
|
||||
if is_delete:
|
||||
delete_stable = True
|
||||
|
||||
targets_stable = bool(stable_refs)
|
||||
# Ambiguous: ``git push <remote>`` (or bare ``git push``) with no refspec —
|
||||
# resolves to the current branch's upstream, which we cannot see from the
|
||||
# command alone. Flag it, but do not assert stable (would false-block
|
||||
# feature-branch pushes).
|
||||
ambiguous = not refspecs
|
||||
|
||||
return {
|
||||
"is_git_push": True,
|
||||
"remote": remote,
|
||||
"refspecs": refspecs,
|
||||
"targets_stable": targets_stable,
|
||||
"stable_refs": stable_refs,
|
||||
"is_force": is_force or force_to_stable,
|
||||
"is_dry_run": is_dry_run,
|
||||
"is_delete": is_delete or delete_stable,
|
||||
"ambiguous_target": ambiguous,
|
||||
}
|
||||
|
||||
|
||||
def classify_push_command(command: str | None) -> dict[str, Any]:
|
||||
"""Classify a shell command line for direct stable-branch push intent (#671).
|
||||
|
||||
Returns a dict describing whether the command is a ``git push`` targeting a
|
||||
stable branch. Fetch/pull are never pushes. A sanctioned Gitea merge (which
|
||||
is not a ``git push`` at all) classifies as non-push. Dry-run and no-op
|
||||
pushes still count as *intent* and are reported as contamination
|
||||
(``proves_intent``) so a ``--dry-run`` cannot be used to probe the gate.
|
||||
"""
|
||||
text = _clean(command)
|
||||
result: dict[str, Any] = {
|
||||
"command": text,
|
||||
"redacted_command": redact_command(text),
|
||||
"is_git_push": False,
|
||||
"is_fetch_or_pull": False,
|
||||
"targets_stable": False,
|
||||
"stable_refs": [],
|
||||
"is_force": False,
|
||||
"is_dry_run": False,
|
||||
"is_delete": False,
|
||||
"ambiguous_target": False,
|
||||
"contamination": False,
|
||||
"proves_intent": False,
|
||||
"reasons": [],
|
||||
}
|
||||
if not text:
|
||||
return result
|
||||
|
||||
stable_refs: list[str] = []
|
||||
saw_push = False
|
||||
for segment in _SEGMENT_SPLIT_RE.split(text):
|
||||
seg = segment.strip()
|
||||
if not seg:
|
||||
continue
|
||||
if _GIT_FETCH_RE.search(seg) and not _GIT_PUSH_RE.search(seg):
|
||||
result["is_fetch_or_pull"] = True
|
||||
continue
|
||||
if not _GIT_PUSH_RE.search(seg):
|
||||
continue
|
||||
saw_push = True
|
||||
analysis = _analyse_push_segment(seg)
|
||||
result["is_git_push"] = True
|
||||
result["is_force"] = result["is_force"] or analysis["is_force"]
|
||||
result["is_dry_run"] = result["is_dry_run"] or analysis["is_dry_run"]
|
||||
result["is_delete"] = result["is_delete"] or analysis["is_delete"]
|
||||
result["ambiguous_target"] = result["ambiguous_target"] or analysis["ambiguous_target"]
|
||||
stable_refs.extend(analysis["stable_refs"])
|
||||
|
||||
result["stable_refs"] = sorted(set(stable_refs))
|
||||
result["targets_stable"] = bool(stable_refs)
|
||||
|
||||
reasons: list[str] = []
|
||||
if result["targets_stable"]:
|
||||
refs = ", ".join(result["stable_refs"])
|
||||
verb = "delete" if result["is_delete"] else ("force-push" if result["is_force"] else "push")
|
||||
qualifier = " (dry-run/no-op still proves intent)" if result["is_dry_run"] else ""
|
||||
reasons.append(
|
||||
f"direct stable-branch {verb} detected targeting: {refs}{qualifier}; "
|
||||
"worker sessions must never publish stable branches directly"
|
||||
)
|
||||
result["contamination"] = True
|
||||
result["proves_intent"] = True
|
||||
elif saw_push and result["ambiguous_target"]:
|
||||
# Bare ``git push`` with no refspec: ambiguous. Report, but do not
|
||||
# contaminate on the command alone — the root-checkout / branch-state
|
||||
# detector resolves whether the current branch is stable.
|
||||
reasons.append(
|
||||
"ambiguous 'git push' with no refspec: resolve the current branch "
|
||||
"before pushing; if it is a stable branch this is forbidden"
|
||||
)
|
||||
|
||||
result["reasons"] = reasons
|
||||
return result
|
||||
|
||||
|
||||
def detect_stable_push(commands: str | Iterable[str] | None) -> dict[str, Any]:
|
||||
"""Classify one command or an iterable of commands; contamination if any hit."""
|
||||
if commands is None:
|
||||
return classify_push_command(None)
|
||||
if isinstance(commands, str):
|
||||
return classify_push_command(commands)
|
||||
worst: dict[str, Any] | None = None
|
||||
for cmd in commands:
|
||||
res = classify_push_command(cmd)
|
||||
if res["contamination"]:
|
||||
return res
|
||||
if worst is None or (res["is_git_push"] and not worst["is_git_push"]):
|
||||
worst = res
|
||||
return worst or classify_push_command(None)
|
||||
|
||||
|
||||
# ── root/control checkout local-commit detection ──────────────────────────────
|
||||
|
||||
def assess_root_checkout_local_commit(
|
||||
*,
|
||||
current_branch: str | None,
|
||||
head_sha: str | None,
|
||||
remote_master_sha: str | None,
|
||||
is_under_branches: bool,
|
||||
ahead_count: int | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Detect a local commit on the root/control checkout not on a feature branch.
|
||||
|
||||
#671 AC2. An isolated ``branches/...`` worktree is exempt (that is where
|
||||
feature work belongs). On the control checkout, a commit is illegitimate
|
||||
when the checkout sits on a stable branch (or detached) and its HEAD has
|
||||
advanced past the tracking ``prgs/master`` — i.e. a commit was made that is
|
||||
not carried by an issue feature branch/PR.
|
||||
|
||||
Positive evidence only: missing state reports ``unknown`` rather than
|
||||
asserting contamination, but an unreadable *branch* on the control checkout
|
||||
(detached HEAD) with an advanced HEAD is still flagged.
|
||||
"""
|
||||
branch = _clean(current_branch)
|
||||
head = _clean(head_sha).lower()
|
||||
master = _clean(remote_master_sha).lower()
|
||||
|
||||
if is_under_branches:
|
||||
return {
|
||||
"contamination": False,
|
||||
"unknown": False,
|
||||
"reasons": [],
|
||||
"detail": "isolated branches/ worktree — feature commits are expected here",
|
||||
}
|
||||
|
||||
reasons: list[str] = []
|
||||
unknown = False
|
||||
|
||||
on_stable = (not branch) or (branch in STABLE_BRANCHES)
|
||||
if not on_stable:
|
||||
# Control checkout is on some non-stable branch: out of scope for this
|
||||
# detector (root_checkout_guard #475 handles that contamination class).
|
||||
return {
|
||||
"contamination": False,
|
||||
"unknown": False,
|
||||
"reasons": [],
|
||||
"detail": f"control checkout on non-stable branch '{branch}' — not this detector's class",
|
||||
}
|
||||
|
||||
advanced = False
|
||||
if ahead_count is not None and ahead_count > 0:
|
||||
advanced = True
|
||||
if head and master and head != master:
|
||||
advanced = True
|
||||
if (not head or not master) and ahead_count is None:
|
||||
unknown = True
|
||||
|
||||
if advanced:
|
||||
where = f"branch '{branch}'" if branch else "detached HEAD"
|
||||
reasons.append(
|
||||
f"control checkout ({where}) has local commits not on an issue "
|
||||
"feature branch (HEAD advanced past prgs/master); worker sessions "
|
||||
"must commit only on issue branches under branches/"
|
||||
)
|
||||
|
||||
return {
|
||||
"contamination": bool(reasons),
|
||||
"unknown": unknown and not reasons,
|
||||
"reasons": reasons,
|
||||
"current_branch": branch or None,
|
||||
"head_sha": head or None,
|
||||
"remote_master_sha": master or None,
|
||||
}
|
||||
|
||||
|
||||
# ── contamination record + gate ───────────────────────────────────────────────
|
||||
|
||||
def build_contamination_record(
|
||||
*,
|
||||
reason_class: str,
|
||||
command_redacted: str | None = None,
|
||||
session_id: str | None = None,
|
||||
remote: str | None = None,
|
||||
ref: str | None = None,
|
||||
role: str | None = None,
|
||||
detail: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Build the durable contamination marker payload (redacted, audit-safe).
|
||||
|
||||
``reason_class`` is one of ``stable_branch_push`` / ``root_checkout_commit``.
|
||||
The command is stored already-redacted; callers pass the raw line through
|
||||
:func:`redact_command` (or this builder redacts a raw ``command`` for them).
|
||||
"""
|
||||
return {
|
||||
"kind": CONTAMINATION_KIND,
|
||||
"reason_class": _clean(reason_class) or "stable_branch_push",
|
||||
"command_summary": redact_command(command_redacted),
|
||||
"session_id": _clean(session_id) or None,
|
||||
"remote": _clean(remote) or None,
|
||||
"ref": _clean(ref) or None,
|
||||
"role": _clean(role) or None,
|
||||
"detail": _clean(detail) or None,
|
||||
"cleared_by_reconciler": False,
|
||||
}
|
||||
|
||||
|
||||
def assess_contamination_gate(
|
||||
marker: dict[str, Any] | None,
|
||||
*,
|
||||
task: str | None,
|
||||
actual_role: str | None,
|
||||
) -> dict[str, Any]:
|
||||
"""Fail closed on gated mutations while a contamination marker is live (#671 AC4).
|
||||
|
||||
* No marker → allowed.
|
||||
* Reconciler (audit) role → allowed (the sanctioned path to inspect/clear).
|
||||
* Marker present + ``task`` in :data:`CONTAMINATION_GATED_TASKS` → blocked.
|
||||
* Marker present + non-gated task (e.g. ``comment_issue``) → allowed, so the
|
||||
worker can still post the durable audit/handoff comment.
|
||||
"""
|
||||
if not marker or marker.get("cleared_by_reconciler"):
|
||||
return {"block": False, "reasons": [], "task": task}
|
||||
|
||||
role = _clean(actual_role).lower()
|
||||
if role == "reconciler":
|
||||
return {
|
||||
"block": False,
|
||||
"reasons": [],
|
||||
"task": task,
|
||||
"detail": "reconciler audit path is exempt from the contamination gate",
|
||||
}
|
||||
|
||||
task_name = _clean(task)
|
||||
if task_name and task_name in CONTAMINATION_GATED_TASKS:
|
||||
summary = marker.get("command_summary") or marker.get("detail") or "(no summary)"
|
||||
reason_class = marker.get("reason_class") or "stable_branch_push"
|
||||
return {
|
||||
"block": True,
|
||||
"reasons": [
|
||||
f"session is workflow-contaminated ({reason_class}): {summary}. "
|
||||
f"'{task_name}' is blocked until a reconciler audits and clears "
|
||||
"the contamination. " + REMEDIATION
|
||||
],
|
||||
"task": task_name,
|
||||
}
|
||||
|
||||
return {"block": False, "reasons": [], "task": task_name or None}
|
||||
|
||||
|
||||
def format_contamination_gate_error(gate: dict[str, Any]) -> str:
|
||||
"""Single RuntimeError message for MCP mutation gates."""
|
||||
reasons = "; ".join(gate.get("reasons") or ["session workflow-contaminated"])
|
||||
return f"Stable-branch contamination gate (#671): {reasons}"
|
||||
@@ -60,6 +60,15 @@ TASK_CAPABILITY_MAP: dict[str, dict[str, str]] = {
|
||||
"permission": "gitea.pr.close",
|
||||
"role": "author",
|
||||
},
|
||||
# Non-closing PR metadata edits (title/body/base). Closing uses close_pr.
|
||||
"edit_pr": {
|
||||
"permission": "gitea.pr.create",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_edit_pr": {
|
||||
"permission": "gitea.pr.create",
|
||||
"role": "author",
|
||||
},
|
||||
"address_pr_change_requests": {
|
||||
"permission": "gitea.branch.push",
|
||||
"role": "author",
|
||||
@@ -68,10 +77,22 @@ TASK_CAPABILITY_MAP: dict[str, dict[str, str]] = {
|
||||
"permission": "gitea.pr.review",
|
||||
"role": "reviewer",
|
||||
},
|
||||
"submit_pr_review": {
|
||||
"permission": "gitea.pr.review",
|
||||
"role": "reviewer",
|
||||
},
|
||||
"merge_pr": {
|
||||
"permission": "gitea.pr.merge",
|
||||
"role": "merger",
|
||||
},
|
||||
"acquire_reviewer_pr_lease": {
|
||||
"permission": "gitea.pr.comment",
|
||||
"role": "reviewer",
|
||||
},
|
||||
"gitea_acquire_reviewer_pr_lease": {
|
||||
"permission": "gitea.pr.comment",
|
||||
"role": "reviewer",
|
||||
},
|
||||
"adopt_merger_pr_lease": {
|
||||
"permission": "gitea.pr.comment",
|
||||
"role": "reviewer",
|
||||
@@ -150,6 +171,92 @@ TASK_CAPABILITY_MAP: dict[str, dict[str, str]] = {
|
||||
"role": "author",
|
||||
},
|
||||
|
||||
# #601 first-class lease lifecycle — inspect/list need read; mutations gate on
|
||||
# ownership in the control-plane DB (not a separate Gitea write permission).
|
||||
"list_workflow_leases": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_list_workflow_leases": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"inspect_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_inspect_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"adopt_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_adopt_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"release_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_release_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"expire_workflow_leases": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_expire_workflow_leases": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"abandon_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_abandon_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"reclaim_expired_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_reclaim_expired_workflow_lease": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
# #612 incident bridge — reconcile uses create_issue for apply;
|
||||
# dry-run needs read only. Tools gate apply paths themselves.
|
||||
"observability_reconcile_incident": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_observability_reconcile_incident": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"observability_list_projects": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_observability_list_projects": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"observability_link_issue": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
"gitea_observability_link_issue": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
},
|
||||
|
||||
|
||||
"reconcile_landed_pr": {
|
||||
"permission": "gitea.read",
|
||||
"role": "author",
|
||||
|
||||
+10
-1
@@ -26,7 +26,16 @@ def _reset_mutation_authority(monkeypatch):
|
||||
Pin ``default_state_dir`` / ``DEFAULT_STATE_DIR`` to a per-test temp dir
|
||||
so durable load/save never touches host state even after env clears.
|
||||
"""
|
||||
monkeypatch.delenv("GITEA_SESSION_PROFILE_LOCK", raising=False)
|
||||
for env_key in [
|
||||
"GITEA_SESSION_PROFILE_LOCK",
|
||||
"GITEA_ACTIVE_WORKTREE",
|
||||
"GITEA_AUTHOR_WORKTREE",
|
||||
"GITEA_REVIEWER_WORKTREE",
|
||||
"GITEA_MERGER_WORKTREE",
|
||||
"GITEA_RECONCILER_WORKTREE",
|
||||
]:
|
||||
monkeypatch.delenv(env_key, raising=False)
|
||||
|
||||
# Isolate durable session-state files so tests never share host cache (#559).
|
||||
import tempfile
|
||||
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -82,13 +82,14 @@ class TestPreflightIntegration(unittest.TestCase):
|
||||
control_root = "/repo/Gitea-Tools"
|
||||
with mock.patch.object(mcp_server, "PROJECT_ROOT", control_root):
|
||||
with mock.patch.object(mcp_server, "_enforce_root_checkout_guard"):
|
||||
with mock.patch.dict(
|
||||
"os.environ",
|
||||
{"GITEA_TEST_PORCELAIN": ""},
|
||||
clear=False,
|
||||
):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.verify_preflight_purity()
|
||||
with mock.patch("gitea_auth.get_profile", return_value={"profile_name": "gitea-author"}):
|
||||
with mock.patch.dict(
|
||||
"os.environ",
|
||||
{"GITEA_TEST_PORCELAIN": ""},
|
||||
clear=False,
|
||||
):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.verify_preflight_purity()
|
||||
self.assertIn("Branches-only mutation guard", str(ctx.exception))
|
||||
|
||||
def test_verify_preflight_allows_branches_worktree(self):
|
||||
|
||||
@@ -36,7 +36,7 @@ class ControlPlaneDBTest(unittest.TestCase):
|
||||
rows = dict(conn.execute("SELECT key, value FROM schema_meta").fetchall())
|
||||
finally:
|
||||
conn.close()
|
||||
self.assertEqual(rows["schema_version"], "2")
|
||||
self.assertEqual(rows["schema_version"], "3")
|
||||
self.assertIn("DB coordinates", rows["architecture"])
|
||||
self.assertIn("bridge", rows["architecture"].lower())
|
||||
|
||||
|
||||
@@ -11,7 +11,11 @@ import gitea_mcp_server as srv
|
||||
|
||||
FAKE_AUTH = {"Authorization": "token test-token"}
|
||||
# Stable control checkout (parent of branches/), not the MCP server worktree root.
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
PROJECT_ROOT = srv.PROJECT_ROOT
|
||||
|
||||
|
||||
|
||||
@@ -0,0 +1,345 @@
|
||||
"""Tests for observability incident bridge (#612) on #613 substrate."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import json
|
||||
import os
|
||||
import tempfile
|
||||
import unittest
|
||||
|
||||
from control_plane_db import ControlPlaneDB, InvalidWorkKindError, WORK_KINDS
|
||||
from incident_bridge import (
|
||||
OUTCOME_BLOCKED,
|
||||
OUTCOME_CREATED,
|
||||
OUTCOME_LINKED,
|
||||
OUTCOME_PREVIEW,
|
||||
OUTCOME_UPDATED,
|
||||
ProjectMapping,
|
||||
assert_not_raw_incident_work_item,
|
||||
build_gitea_issue_body,
|
||||
load_project_mappings,
|
||||
normalize_incident,
|
||||
project_mapping_from_dict,
|
||||
reconcile_incident,
|
||||
redact_text,
|
||||
sanitize_tags,
|
||||
)
|
||||
|
||||
|
||||
def _mapping(**kwargs) -> ProjectMapping:
|
||||
base = dict(
|
||||
name="gitea-tools-mcp",
|
||||
provider="sentry",
|
||||
monitor_base_url="https://sentry.prgs.cc",
|
||||
monitor_org="prgs",
|
||||
monitor_project="gitea-tools-mcp",
|
||||
gitea_org="Scaled-Tech-Consulting",
|
||||
gitea_repo="Gitea-Tools",
|
||||
default_labels=("type:bug", "observability", "sentry", "status:ready"),
|
||||
)
|
||||
base.update(kwargs)
|
||||
return ProjectMapping(**base)
|
||||
|
||||
|
||||
def _obs(**kwargs) -> dict:
|
||||
base = dict(
|
||||
provider="sentry",
|
||||
provider_base_url="https://sentry.prgs.cc",
|
||||
provider_org="prgs",
|
||||
provider_project="gitea-tools-mcp",
|
||||
provider_issue_id="ISSUE-100",
|
||||
provider_short_id="GITEA-TOOLS-1A",
|
||||
provider_permalink="https://sentry.prgs.cc/organizations/prgs/issues/100/",
|
||||
fingerprint="fp-abc",
|
||||
title="TypeError: boom",
|
||||
summary="TypeError: boom in handle_request",
|
||||
first_seen="2026-07-01T00:00:00Z",
|
||||
last_seen="2026-07-10T00:00:00Z",
|
||||
event_count=3,
|
||||
environment="production",
|
||||
severity="error",
|
||||
culprit="handle_request",
|
||||
tags={"runtime": "python", "release": "1.2.3"},
|
||||
)
|
||||
base.update(kwargs)
|
||||
return base
|
||||
|
||||
|
||||
class IncidentBridgeTest(unittest.TestCase):
|
||||
def setUp(self) -> None:
|
||||
self._tmp = tempfile.TemporaryDirectory()
|
||||
self.db = ControlPlaneDB(os.path.join(self._tmp.name, "cp.sqlite3"))
|
||||
self.mapping = _mapping()
|
||||
self.created: list[dict] = []
|
||||
|
||||
def tearDown(self) -> None:
|
||||
self._tmp.cleanup()
|
||||
|
||||
def _create_issue(self, title, body, labels, g_org, g_repo):
|
||||
n = 9000 + len(self.created)
|
||||
rec = {
|
||||
"number": n,
|
||||
"success": True,
|
||||
"performed": True,
|
||||
"title": title,
|
||||
"body": body,
|
||||
"labels": labels,
|
||||
"org": g_org,
|
||||
"repo": g_repo,
|
||||
}
|
||||
self.created.append(rec)
|
||||
return rec
|
||||
|
||||
def test_redact_secrets(self) -> None:
|
||||
dirty = "token=supersecret123 Authorization: Bearer abcdefghijklmnop"
|
||||
clean = redact_text(dirty)
|
||||
self.assertNotIn("supersecret", clean)
|
||||
self.assertNotIn("abcdefghijklmnop", clean)
|
||||
self.assertIn("[REDACTED]", clean)
|
||||
tags = sanitize_tags(
|
||||
{"token": "x", "runtime": "py", "password": "nope", "release": "1.0"}
|
||||
)
|
||||
self.assertEqual(tags, {"runtime": "py", "release": "1.0"})
|
||||
|
||||
def test_body_contains_no_secrets(self) -> None:
|
||||
inc = normalize_incident(
|
||||
_obs(
|
||||
summary="fail password=hunter2 token: abc",
|
||||
tags={"cookie": "sid=1", "runtime": "py"},
|
||||
),
|
||||
self.mapping,
|
||||
)
|
||||
body = build_gitea_issue_body(inc)
|
||||
self.assertNotIn("hunter2", body)
|
||||
self.assertNotIn("sid=1", body)
|
||||
self.assertIn("provider_issue_id", body)
|
||||
self.assertIn("not** assignable", body.lower())
|
||||
|
||||
def test_preview_no_mutation(self) -> None:
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(),
|
||||
mapping=self.mapping,
|
||||
apply=False,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertTrue(res["success"])
|
||||
self.assertEqual(res["outcome"], OUTCOME_PREVIEW)
|
||||
self.assertFalse(res["gitea_mutated"])
|
||||
self.assertFalse(res["db_mutated"])
|
||||
self.assertFalse(res["raw_incident_assignable"])
|
||||
self.assertEqual(len(self.created), 0)
|
||||
self.assertIsNone(
|
||||
self.db.get_incident_link_by_provider(
|
||||
provider="sentry",
|
||||
provider_issue_id="ISSUE-100",
|
||||
provider_base_url="https://sentry.prgs.cc",
|
||||
provider_org="prgs",
|
||||
provider_project="gitea-tools-mcp",
|
||||
)
|
||||
)
|
||||
|
||||
def test_apply_creates_issue_and_link(self) -> None:
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertTrue(res["success"])
|
||||
self.assertEqual(res["outcome"], OUTCOME_CREATED)
|
||||
self.assertTrue(res["gitea_mutated"])
|
||||
self.assertTrue(res["db_mutated"])
|
||||
self.assertEqual(len(self.created), 1)
|
||||
self.assertEqual(res["gitea_issue"]["number"], self.created[0]["number"])
|
||||
link = self.db.get_incident_link_by_provider(
|
||||
provider="sentry",
|
||||
provider_issue_id="ISSUE-100",
|
||||
provider_base_url="https://sentry.prgs.cc",
|
||||
provider_org="prgs",
|
||||
provider_project="gitea-tools-mcp",
|
||||
)
|
||||
self.assertIsNotNone(link)
|
||||
self.assertEqual(int(link["gitea_issue_number"]), self.created[0]["number"])
|
||||
self.assertEqual(res["allocator_visible_as"]["kind"], "issue")
|
||||
|
||||
def test_duplicate_observation_reuses_issue(self) -> None:
|
||||
first = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
second = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(event_count=9, last_seen="2026-07-11T00:00:00Z"),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertEqual(first["outcome"], OUTCOME_CREATED)
|
||||
self.assertEqual(second["outcome"], OUTCOME_UPDATED)
|
||||
self.assertEqual(len(self.created), 1)
|
||||
self.assertEqual(
|
||||
second["gitea_issue"]["number"], first["gitea_issue"]["number"]
|
||||
)
|
||||
link = self.db.get_incident_link_by_provider(
|
||||
provider="sentry",
|
||||
provider_issue_id="ISSUE-100",
|
||||
provider_base_url="https://sentry.prgs.cc",
|
||||
provider_org="prgs",
|
||||
provider_project="gitea-tools-mcp",
|
||||
)
|
||||
self.assertEqual(int(link["event_count"]), 9)
|
||||
|
||||
def test_explicit_link_existing_issue(self) -> None:
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(provider_issue_id="ISSUE-200"),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
force_gitea_issue_number=555,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_LINKED)
|
||||
self.assertEqual(len(self.created), 0)
|
||||
self.assertEqual(res["gitea_issue"]["number"], 555)
|
||||
link = self.db.get_incident_link_for_gitea_issue(
|
||||
gitea_org="Scaled-Tech-Consulting",
|
||||
gitea_repo="Gitea-Tools",
|
||||
gitea_issue_number=555,
|
||||
)
|
||||
self.assertIsNotNone(link)
|
||||
|
||||
def test_fingerprint_conflict_fails_closed(self) -> None:
|
||||
reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(fingerprint="fp-a"),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(fingerprint="fp-b"),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_BLOCKED)
|
||||
self.assertIn("fingerprint conflict", res["reasons"][0].lower())
|
||||
self.assertEqual(len(self.created), 1)
|
||||
|
||||
def test_ambiguous_mapping_fails_closed(self) -> None:
|
||||
maps = [
|
||||
_mapping(name="a", monitor_project="gitea-tools-mcp"),
|
||||
_mapping(name="b", monitor_project="gitea-tools-mcp"),
|
||||
]
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(),
|
||||
mappings=maps,
|
||||
apply=False,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_BLOCKED)
|
||||
self.assertIn("ambiguous", res["reasons"][0].lower())
|
||||
|
||||
def test_missing_provider_issue_id_fails_closed(self) -> None:
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(provider_issue_id=""),
|
||||
mapping=self.mapping,
|
||||
apply=False,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_BLOCKED)
|
||||
|
||||
def test_raw_incident_not_work_kind(self) -> None:
|
||||
self.assertNotIn("sentry_incident", WORK_KINDS)
|
||||
with self.assertRaises(InvalidWorkKindError):
|
||||
self.db.upsert_work_item(
|
||||
remote="prgs",
|
||||
org="o",
|
||||
repo="r",
|
||||
kind="sentry_incident",
|
||||
number=1,
|
||||
)
|
||||
with self.assertRaises(Exception):
|
||||
assert_not_raw_incident_work_item("glitchtip_incident")
|
||||
|
||||
def test_db_unavailable(self) -> None:
|
||||
res = reconcile_incident(
|
||||
None,
|
||||
observation=_obs(),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertFalse(res["success"])
|
||||
self.assertEqual(res["outcome"], OUTCOME_BLOCKED)
|
||||
|
||||
def test_structured_skip_reason_environment(self) -> None:
|
||||
m = _mapping(environment_filters=("staging",))
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(environment="production"),
|
||||
mapping=m,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertTrue(res["success"])
|
||||
self.assertEqual(res["action"], "skip_environment_filter")
|
||||
self.assertEqual(len(self.created), 0)
|
||||
|
||||
def test_load_mappings_json(self) -> None:
|
||||
payload = json.dumps(
|
||||
{
|
||||
"projects": [
|
||||
{
|
||||
"name": "gt",
|
||||
"provider": "glitchtip",
|
||||
"monitor_base_url": "https://glitchtip.example",
|
||||
"monitor_org": "org",
|
||||
"monitor_project": "proj",
|
||||
"gitea_org": "Scaled-Tech-Consulting",
|
||||
"gitea_repo": "Gitea-Tools",
|
||||
}
|
||||
]
|
||||
}
|
||||
)
|
||||
maps = load_project_mappings(mappings_json=payload)
|
||||
self.assertEqual(len(maps), 1)
|
||||
self.assertEqual(maps[0].provider, "glitchtip")
|
||||
|
||||
def test_glitchtip_provider_accepted(self) -> None:
|
||||
m = _mapping(provider="glitchtip", monitor_base_url="https://glitchtip.example")
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(
|
||||
provider="glitchtip",
|
||||
provider_base_url="https://glitchtip.example",
|
||||
),
|
||||
mapping=m,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
self.assertEqual(res["outcome"], OUTCOME_CREATED)
|
||||
self.assertEqual(res["incident"]["provider"], "glitchtip")
|
||||
|
||||
def test_allocator_only_sees_issue_kind(self) -> None:
|
||||
res = reconcile_incident(
|
||||
self.db,
|
||||
observation=_obs(),
|
||||
mapping=self.mapping,
|
||||
apply=True,
|
||||
create_issue_fn=self._create_issue,
|
||||
)
|
||||
vis = res["allocator_visible_as"]
|
||||
self.assertEqual(vis["kind"], "issue")
|
||||
self.assertIn(vis["kind"], WORK_KINDS)
|
||||
self.assertFalse(res["raw_incident_assignable"])
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -25,7 +25,11 @@ import gitea_mcp_server as srv # noqa: E402
|
||||
import root_checkout_guard as rcg # noqa: E402
|
||||
|
||||
FAKE_AUTH = "token test"
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
MASTER_SHA = "a" * 40
|
||||
OTHER_SHA = "b" * 40
|
||||
|
||||
|
||||
@@ -10,7 +10,11 @@ import gitea_mcp_server as srv
|
||||
|
||||
|
||||
FAKE_AUTH = {"Authorization": "token test-token"}
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
|
||||
|
||||
class TestIssueCommentWorkspaceGuard(unittest.TestCase):
|
||||
|
||||
@@ -103,20 +103,40 @@ class TestIssueLockStore(unittest.TestCase):
|
||||
self.assertIn("live foreign issue lock", block or "")
|
||||
|
||||
def test_expired_lease_allows_takeover_with_conflict_check(self):
|
||||
# #601: expired + dead pid / missing worktree → sanctioned reclaim (no block).
|
||||
existing = _lock_record(
|
||||
branch_name="feat/issue-420-other",
|
||||
worktree_path="/tmp/other",
|
||||
worktree_path="/tmp/other-does-not-exist-420",
|
||||
session_pid=1,
|
||||
work_lease=_lease("2000-01-01T00:00:00Z"),
|
||||
)
|
||||
incoming = _lock_record(worktree_path="/tmp/mine")
|
||||
self.assertIsNone(ils.assess_foreign_lock_overwrite(existing, incoming))
|
||||
block = ils.assess_same_issue_lease_conflict(
|
||||
existing,
|
||||
issue_number=420,
|
||||
branch_name="feat/issue-420-server-code-parity",
|
||||
worktree_path="/tmp/mine",
|
||||
with mock.patch.object(ils, "is_process_alive", return_value=False):
|
||||
block = ils.assess_same_issue_lease_conflict(
|
||||
existing,
|
||||
issue_number=420,
|
||||
branch_name="feat/issue-420-server-code-parity",
|
||||
worktree_path="/tmp/mine",
|
||||
)
|
||||
self.assertIsNone(block)
|
||||
|
||||
# Expired but still-live owner pid AND present worktree → fail closed.
|
||||
present_wt = self.lock_dir # exists
|
||||
sticky = _lock_record(
|
||||
branch_name="feat/issue-420-other",
|
||||
worktree_path=present_wt,
|
||||
session_pid=os.getpid(),
|
||||
work_lease=_lease("2000-01-01T00:00:00Z"),
|
||||
)
|
||||
self.assertIn("Recovery review is required", block or "")
|
||||
with mock.patch.object(ils, "is_process_alive", return_value=True):
|
||||
blocked = ils.assess_same_issue_lease_conflict(
|
||||
sticky,
|
||||
issue_number=420,
|
||||
branch_name="feat/issue-420-server-code-parity",
|
||||
worktree_path="/tmp/mine",
|
||||
)
|
||||
self.assertIn("Recovery review is required", blocked or "")
|
||||
|
||||
def test_same_owner_lease_conflict_allows_refresh(self):
|
||||
worktree = "/tmp/wt-420"
|
||||
|
||||
@@ -69,5 +69,139 @@ class TestIssueWorkflowStatusTransitions(unittest.TestCase):
|
||||
self.assertEqual(result, ["type:process", "status:duplicate"])
|
||||
|
||||
|
||||
class TestLifecycleRoleLabels(unittest.TestCase):
|
||||
def test_role_transition_author_to_reviewer_to_merger_single_active(self):
|
||||
after_author = labels.transition_role_labels(
|
||||
["type:feature", "status:pr-open"], "author"
|
||||
)
|
||||
self.assertEqual(after_author, ["type:feature", "status:pr-open", "role:author"])
|
||||
|
||||
after_reviewer = labels.transition_role_labels(after_author, "reviewer")
|
||||
self.assertEqual(
|
||||
after_reviewer, ["type:feature", "status:pr-open", "role:reviewer"]
|
||||
)
|
||||
self.assertNotIn("role:author", after_reviewer)
|
||||
|
||||
after_merger = labels.transition_role_labels(after_reviewer, "merger")
|
||||
self.assertEqual(labels.role_labels(after_merger), ["role:merger"])
|
||||
|
||||
def test_role_transition_accepts_canonical_label(self):
|
||||
result = labels.transition_role_labels(["type:bug"], "role:reviewer")
|
||||
self.assertEqual(result, ["type:bug", "role:reviewer"])
|
||||
|
||||
def test_unknown_role_raises(self):
|
||||
with self.assertRaises(ValueError):
|
||||
labels.canonical_role_label("wizard")
|
||||
|
||||
def test_assess_reports_multiple_active_role_labels(self):
|
||||
result = labels.assess_issue_labels(
|
||||
["type:feature", "status:pr-open", "role:author", "role:reviewer"]
|
||||
)
|
||||
self.assertFalse(result["valid"])
|
||||
self.assertTrue(
|
||||
any("multiple active role:* labels" in err for err in result["errors"])
|
||||
)
|
||||
self.assertEqual(
|
||||
sorted(result["role_labels"]), ["role:author", "role:reviewer"]
|
||||
)
|
||||
|
||||
|
||||
class TestLifecycleHazardLabels(unittest.TestCase):
|
||||
def test_hazards_are_additive_and_multiple(self):
|
||||
one = labels.add_hazard_label(["type:bug", "status:blocked"], "conflicted")
|
||||
two = labels.add_hazard_label(one, "stale-lease")
|
||||
self.assertIn("hazard:conflicted", two)
|
||||
self.assertIn("hazard:stale-lease", two)
|
||||
# status/type untouched
|
||||
self.assertIn("status:blocked", two)
|
||||
self.assertIn("type:bug", two)
|
||||
self.assertEqual(len(labels.hazard_labels(two)), 2)
|
||||
|
||||
def test_add_hazard_is_idempotent(self):
|
||||
once = labels.add_hazard_label(["type:bug", "status:ready"], "root-mutation")
|
||||
twice = labels.add_hazard_label(once, "root_mutation")
|
||||
self.assertEqual(twice.count("hazard:root-mutation"), 1)
|
||||
|
||||
def test_clear_hazard_leaves_others_intact(self):
|
||||
start = ["type:bug", "status:blocked", "hazard:conflicted", "hazard:stale-lease"]
|
||||
cleared = labels.clear_hazard_label(start, "conflicted")
|
||||
self.assertNotIn("hazard:conflicted", cleared)
|
||||
self.assertIn("hazard:stale-lease", cleared)
|
||||
self.assertIn("status:blocked", cleared)
|
||||
|
||||
def test_terminal_blocker_hazard_normalizes(self):
|
||||
self.assertEqual(
|
||||
labels.canonical_hazard_label("terminal-blocker"),
|
||||
"hazard:terminal-blocker",
|
||||
)
|
||||
|
||||
def test_assess_surfaces_hazard_labels(self):
|
||||
result = labels.assess_issue_labels(
|
||||
["type:bug", "status:blocked", "hazard:conflicted"]
|
||||
)
|
||||
self.assertEqual(result["hazard_labels"], ["hazard:conflicted"])
|
||||
|
||||
|
||||
class TestDiscussionExclusion(unittest.TestCase):
|
||||
def test_discussion_issue_excluded_from_implementation_queue(self):
|
||||
self.assertTrue(labels.is_discussion(["type:discussion", "status:ready"]))
|
||||
self.assertFalse(
|
||||
labels.is_implementation_candidate(["type:discussion", "status:ready"])
|
||||
)
|
||||
|
||||
def test_non_discussion_issue_is_candidate(self):
|
||||
self.assertTrue(
|
||||
labels.is_implementation_candidate(["type:feature", "status:ready"])
|
||||
)
|
||||
|
||||
|
||||
class TestBlockingReasonRequirement(unittest.TestCase):
|
||||
def test_blocked_requires_reason(self):
|
||||
self.assertTrue(
|
||||
labels.requires_blocking_reason(["type:bug", "status:blocked"])
|
||||
)
|
||||
|
||||
def test_hazard_requires_reason(self):
|
||||
self.assertTrue(
|
||||
labels.requires_blocking_reason(
|
||||
["type:bug", "status:ready", "hazard:stale-lease"]
|
||||
)
|
||||
)
|
||||
|
||||
def test_clean_ready_issue_needs_no_reason(self):
|
||||
self.assertFalse(
|
||||
labels.requires_blocking_reason(["type:feature", "status:ready"])
|
||||
)
|
||||
|
||||
|
||||
class TestState603SynonymTransitions(unittest.TestCase):
|
||||
def test_authoring_maps_to_in_progress(self):
|
||||
self.assertEqual(
|
||||
labels.canonical_status_label("authoring"), "status:in-progress"
|
||||
)
|
||||
|
||||
def test_changes_requested_transition(self):
|
||||
result = labels.transition_status_labels(
|
||||
["type:feature", "status:needs-review"], "changes-requested"
|
||||
)
|
||||
self.assertEqual(result, ["type:feature", "status:changes-requested"])
|
||||
|
||||
def test_merge_ready_maps_to_approved(self):
|
||||
self.assertEqual(labels.canonical_status_label("merge-ready"), "status:approved")
|
||||
|
||||
def test_abandoned_maps_to_wontfix(self):
|
||||
self.assertEqual(labels.canonical_status_label("abandoned"), "status:wontfix")
|
||||
|
||||
def test_blocked_and_merged_transitions(self):
|
||||
blocked = labels.transition_status_labels(
|
||||
["type:bug", "status:in-progress"], "blocked"
|
||||
)
|
||||
self.assertEqual(blocked, ["type:bug", "status:blocked"])
|
||||
merged = labels.transition_status_labels(
|
||||
["type:feature", "status:approved"], "merged"
|
||||
)
|
||||
self.assertEqual(merged, ["type:feature", "status:reconcile"])
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
|
||||
@@ -0,0 +1,392 @@
|
||||
"""Tests for first-class control-plane lease lifecycle (#601)."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import tempfile
|
||||
import unittest
|
||||
from datetime import timedelta
|
||||
from unittest import mock
|
||||
|
||||
from allocator_service import allocate_next_work, WorkCandidate
|
||||
from control_plane_db import ControlPlaneDB, ForeignLeaseError, _ts, _utc_now
|
||||
import lease_lifecycle as ll
|
||||
import merger_lease_adoption as mla
|
||||
import reviewer_pr_lease as rpl
|
||||
from datetime import datetime, timezone
|
||||
|
||||
|
||||
class LeaseLifecycleTest(unittest.TestCase):
|
||||
def setUp(self) -> None:
|
||||
self._tmp = tempfile.TemporaryDirectory()
|
||||
self.db_path = os.path.join(self._tmp.name, "cp.sqlite3")
|
||||
self.db = ControlPlaneDB(self.db_path)
|
||||
self.db.upsert_session(session_id="owner", role="author", profile="prgs-author", pid=111)
|
||||
self.db.upsert_session(session_id="other", role="author", profile="prgs-author", pid=222)
|
||||
|
||||
def tearDown(self) -> None:
|
||||
self._tmp.cleanup()
|
||||
|
||||
def _assign(self, session_id="owner", number=601, **kwargs):
|
||||
return self.db.assign_and_lease(
|
||||
session_id=session_id,
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
kind="issue",
|
||||
number=number,
|
||||
allowed_actions=("implement", "comment", "push", "create_pr"),
|
||||
forbidden_actions=("approve", "merge", "self_select_without_assignment"),
|
||||
worktree_path=kwargs.pop("worktree_path", self._tmp.name),
|
||||
owner_pid=kwargs.pop("owner_pid", os.getpid()),
|
||||
**kwargs,
|
||||
)
|
||||
|
||||
def test_list_active_leases_as_workflow_state(self) -> None:
|
||||
a = self._assign(number=601)
|
||||
self._assign(session_id="other", number=602)
|
||||
listed = ll.list_active_leases(
|
||||
self.db, remote="prgs", org="Scaled-Tech-Consulting", repo="Gitea-Tools"
|
||||
)
|
||||
self.assertTrue(listed["success"])
|
||||
self.assertEqual(listed["count"], 2)
|
||||
self.assertEqual(listed["authoritative_source"], "control_plane_db")
|
||||
self.assertFalse(listed["file_lock_only"])
|
||||
self.assertFalse(listed["comment_lease_only"])
|
||||
numbers = sorted(x["work_number"] for x in listed["leases"])
|
||||
self.assertEqual(numbers, [601, 602])
|
||||
self.assertIsNotNone(a.lease_id)
|
||||
|
||||
def test_adopt_lease_owner_resume_preserves_provenance(self) -> None:
|
||||
a = self._assign()
|
||||
res = ll.adopt_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
adopter_session_id="owner",
|
||||
role="author",
|
||||
worktree_path=self._tmp.name,
|
||||
)
|
||||
self.assertTrue(res["success"])
|
||||
self.assertTrue(res["same_owner"])
|
||||
prov = res["provenance"]
|
||||
self.assertEqual(prov["adopted_from_session_id"], "owner")
|
||||
self.assertEqual(prov["adopted_by_session_id"], "owner")
|
||||
self.assertEqual(prov["work_number"], 601)
|
||||
self.assertEqual(prov["worktree_path"], self._tmp.name)
|
||||
state = self.db.get_lease_workflow_state(a.lease_id)
|
||||
self.assertIsNotNone(state)
|
||||
self.assertEqual(state["lease"]["status"], "active")
|
||||
|
||||
def test_release_lease_explicit_recorded(self) -> None:
|
||||
a = self._assign()
|
||||
res = ll.release_lease(self.db, lease_id=a.lease_id, session_id="owner")
|
||||
self.assertEqual(res["outcome"], "released")
|
||||
self.assertIn("release_proof", res)
|
||||
self.assertEqual(res["release_proof"]["status"], "released")
|
||||
state = self.db.get_lease_workflow_state(a.lease_id)
|
||||
self.assertEqual(state["lease"]["status"], "released")
|
||||
|
||||
def test_expire_and_reclaim_expired_lease(self) -> None:
|
||||
a = self._assign(lease_ttl_seconds=1)
|
||||
past = _utc_now() - timedelta(hours=2)
|
||||
import sqlite3
|
||||
|
||||
conn = sqlite3.connect(self.db_path)
|
||||
try:
|
||||
conn.execute(
|
||||
"UPDATE leases SET expires_at = ? WHERE lease_id = ?",
|
||||
(_ts(past), a.lease_id),
|
||||
)
|
||||
conn.commit()
|
||||
finally:
|
||||
conn.close()
|
||||
exp = ll.expire_leases(self.db)
|
||||
self.assertGreaterEqual(exp["expired_count"], 1)
|
||||
reclaimed = ll.reclaim_expired_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
session_id="other",
|
||||
role="author",
|
||||
worktree_path=self._tmp.name,
|
||||
)
|
||||
self.assertEqual(reclaimed["outcome"], "reclaimed")
|
||||
self.assertEqual(reclaimed["assignment"]["session_id"], "other")
|
||||
self.assertEqual(
|
||||
reclaimed["provenance"]["adopted_from_session_id"], "owner"
|
||||
)
|
||||
self.assertEqual(
|
||||
reclaimed["provenance"]["adopted_by_session_id"], "other"
|
||||
)
|
||||
|
||||
def test_abandon_stale_lease_with_required_proof(self) -> None:
|
||||
a = self._assign(owner_pid=99999999, worktree_path="/nonexistent/path/for-601")
|
||||
# Force active but dead pid + missing worktree
|
||||
proof = ll.AbandonProof(
|
||||
dead_process=True,
|
||||
missing_worktree=True,
|
||||
no_open_pr=True,
|
||||
no_live_mutation_risk=True,
|
||||
owner_pid=99999999,
|
||||
worktree_path="/nonexistent/path/for-601",
|
||||
)
|
||||
res = ll.abandon_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
requester_session_id="other",
|
||||
proof=proof,
|
||||
)
|
||||
self.assertEqual(res["outcome"], "abandoned")
|
||||
self.assertEqual(res["prior_owner_session_id"], "owner")
|
||||
self.assertTrue(res["abandon_proof"]["dead_process"])
|
||||
state = self.db.get_lease_workflow_state(a.lease_id)
|
||||
self.assertEqual(state["lease"]["status"], "abandoned")
|
||||
|
||||
def test_refuse_steal_active_foreign_lease(self) -> None:
|
||||
a = self._assign()
|
||||
with self.assertRaises(ll.LeaseLifecycleError) as ctx:
|
||||
ll.adopt_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
adopter_session_id="other",
|
||||
role="author",
|
||||
)
|
||||
self.assertIn("steal", str(ctx.exception).lower())
|
||||
decision = ll.inspect_lease(
|
||||
self.db, a.lease_id, caller_session_id="other"
|
||||
)
|
||||
self.assertEqual(decision["safe_next_action"], ll.SAFE_WAIT_FOREIGN)
|
||||
self.assertTrue(decision["block"])
|
||||
|
||||
def test_refuse_ambiguous_lease_ownership_stale_id(self) -> None:
|
||||
decision = ll.inspect_lease(
|
||||
self.db, "lease-does-not-exist", caller_session_id="owner"
|
||||
)
|
||||
self.assertFalse(decision["found"])
|
||||
self.assertEqual(decision["safe_next_action"], ll.SAFE_STALE_PROMPT)
|
||||
with self.assertRaises(ll.LeaseLifecycleError):
|
||||
ll.adopt_lease(
|
||||
self.db,
|
||||
lease_id="lease-does-not-exist",
|
||||
adopter_session_id="owner",
|
||||
role="author",
|
||||
)
|
||||
|
||||
def test_provenance_on_adopt_release_abandon(self) -> None:
|
||||
a = self._assign()
|
||||
adopted = ll.adopt_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
adopter_session_id="owner",
|
||||
role="author",
|
||||
worktree_path=self._tmp.name,
|
||||
expected_head_sha="abc",
|
||||
)
|
||||
self.assertIn("adopted_from_session_id", adopted["provenance"])
|
||||
self.assertIn("adopted_by_session_id", adopted["provenance"])
|
||||
released = ll.release_lease(
|
||||
self.db, lease_id=a.lease_id, session_id="owner"
|
||||
)
|
||||
self.assertEqual(released["release_proof"]["session_id"], "owner")
|
||||
|
||||
b = self._assign(number=700, owner_pid=1, worktree_path="/no/such/wt")
|
||||
abandoned = ll.abandon_lease(
|
||||
self.db,
|
||||
lease_id=b.lease_id,
|
||||
requester_session_id="owner",
|
||||
proof=ll.AbandonProof(
|
||||
dead_process=True,
|
||||
missing_worktree=True,
|
||||
no_live_mutation_risk=True,
|
||||
no_open_pr=True,
|
||||
),
|
||||
)
|
||||
self.assertIn("abandon_proof", abandoned)
|
||||
self.assertEqual(abandoned["abandon_proof"]["dead_process"], True)
|
||||
|
||||
def test_allocator_assignment_lease_compatible(self) -> None:
|
||||
"""Allocator assign+lease still works and is listable/inspectable."""
|
||||
cands = [
|
||||
WorkCandidate(
|
||||
kind="issue",
|
||||
number=601,
|
||||
labels=("status:ready",),
|
||||
title="leases",
|
||||
priority=20,
|
||||
)
|
||||
]
|
||||
res = allocate_next_work(
|
||||
self.db,
|
||||
session_id="alloc-s",
|
||||
role="author",
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
candidates=cands,
|
||||
apply=True,
|
||||
profile_name="prgs-author",
|
||||
username="jcwalker3",
|
||||
)
|
||||
self.assertEqual(res["outcome"], "assigned_work")
|
||||
lid = res["assignment"]["lease_id"]
|
||||
listed = ll.list_active_leases(self.db, remote="prgs")
|
||||
ids = [x["lease_id"] for x in listed["leases"]]
|
||||
self.assertIn(lid, ids)
|
||||
insp = ll.inspect_lease(self.db, lid, caller_session_id="alloc-s")
|
||||
self.assertTrue(insp["found"])
|
||||
self.assertIn(
|
||||
insp["safe_next_action"],
|
||||
(ll.SAFE_OWNER_RESUME, ll.SAFE_ABANDON_ALLOWED),
|
||||
)
|
||||
|
||||
def test_reviewer_merger_lease_handoff_still_works(self) -> None:
|
||||
"""#536 merger adoption path is independent and must not regress."""
|
||||
rpl.clear_session_lease()
|
||||
body = mla.format_adoption_body(
|
||||
repo="Scaled-Tech-Consulting/Gitea-Tools",
|
||||
pr_number=999,
|
||||
issue_number=601,
|
||||
adopter_identity="sysadmin",
|
||||
adopter_profile="prgs-merger",
|
||||
adopter_session_id="merger-1",
|
||||
worktree="branches/merge-pr999",
|
||||
candidate_head="a" * 40,
|
||||
target_branch="master",
|
||||
target_branch_sha="b" * 40,
|
||||
adopted_from_session_id="reviewer-1",
|
||||
adopted_from_profile="prgs-reviewer",
|
||||
adopted_from_reviewer_identity="sysadmin",
|
||||
adopted_from_comment_id=42,
|
||||
)
|
||||
self.assertIn(mla.ADOPTION_MARKER, body)
|
||||
self.assertIn("adopted_from_session_id: reviewer-1", body)
|
||||
self.assertIn("adopted_by_profile: prgs-merger", body)
|
||||
prov = mla.build_lease_provenance(
|
||||
source=mla.SOURCE_ADOPT,
|
||||
comment_id=42,
|
||||
adopted_from_session_id="reviewer-1",
|
||||
adoption_reason=mla.DEFAULT_ADOPTION_REASON,
|
||||
)
|
||||
rpl.record_session_lease(
|
||||
{
|
||||
"pr_number": 999,
|
||||
"session_id": "merger-1",
|
||||
"comment_id": 42,
|
||||
},
|
||||
lease_provenance=prov,
|
||||
)
|
||||
proof = mla.describe_session_lease_proof(rpl.get_session_lease())
|
||||
self.assertTrue(proof["lease_proof_sanctioned"])
|
||||
self.assertEqual(proof["lease_proof_source"], mla.SOURCE_ADOPT)
|
||||
rpl.clear_session_lease()
|
||||
|
||||
def test_missing_worktree_and_dead_pid_handled_safely(self) -> None:
|
||||
a = self._assign(owner_pid=1, worktree_path="/definitely/missing/wt-601")
|
||||
with mock.patch.object(ll, "is_process_alive", return_value=False):
|
||||
fr = ll.classify_lease_freshness(
|
||||
self.db.get_lease_workflow_state(a.lease_id)["lease"]
|
||||
)
|
||||
self.assertIn(fr["freshness"], ("stale_dead_process", "stale_missing_worktree"))
|
||||
# Insufficient abandon proof fails closed
|
||||
with self.assertRaises(ll.LeaseLifecycleError):
|
||||
ll.abandon_lease(
|
||||
self.db,
|
||||
lease_id=a.lease_id,
|
||||
requester_session_id="other",
|
||||
proof=ll.AbandonProof(dead_process=True), # missing no_live_mutation_risk
|
||||
)
|
||||
|
||||
def test_file_lock_or_comment_not_authoritative_alone(self) -> None:
|
||||
report = ll.non_db_lease_authority_report(
|
||||
file_lock_present=True,
|
||||
comment_lease_present=False,
|
||||
db_lease_present=False,
|
||||
)
|
||||
self.assertEqual(report["safe_next_action"], ll.SAFE_NO_AUTHORITY)
|
||||
self.assertTrue(report["file_lock_only"])
|
||||
self.assertIsNone(report["authoritative_source"])
|
||||
report2 = ll.non_db_lease_authority_report(
|
||||
file_lock_present=True,
|
||||
comment_lease_present=True,
|
||||
db_lease_present=True,
|
||||
)
|
||||
self.assertEqual(report2["authoritative_source"], "control_plane_db")
|
||||
self.assertFalse(report2["file_lock_only"])
|
||||
self.assertFalse(report2["comment_lease_only"])
|
||||
|
||||
def test_abandon_proof_is_sufficient_rules(self) -> None:
|
||||
self.assertFalse(ll.AbandonProof(dead_process=True).is_sufficient())
|
||||
self.assertTrue(
|
||||
ll.AbandonProof(
|
||||
dead_process=True,
|
||||
missing_worktree=True,
|
||||
no_live_mutation_risk=True,
|
||||
no_open_pr=True,
|
||||
).is_sufficient()
|
||||
)
|
||||
self.assertTrue(
|
||||
ll.AbandonProof(
|
||||
dead_process=True,
|
||||
no_live_mutation_risk=True,
|
||||
same_owner=True,
|
||||
).is_sufficient()
|
||||
)
|
||||
self.assertTrue(
|
||||
ll.AbandonProof(
|
||||
missing_worktree=True,
|
||||
no_live_mutation_risk=True,
|
||||
operator_authorized=True,
|
||||
).is_sufficient()
|
||||
)
|
||||
|
||||
|
||||
class IssueLockExpiredReclaimTest(unittest.TestCase):
|
||||
def test_expired_lock_reclaim_allowed_when_dead_and_missing_wt(self) -> None:
|
||||
import issue_lock_store as ils
|
||||
|
||||
lock = {
|
||||
"issue_number": 601,
|
||||
"branch_name": "feat/issue-601-x",
|
||||
"worktree_path": "/no/such/worktree-601",
|
||||
"session_pid": 1,
|
||||
"work_lease": {
|
||||
"operation_type": "author_issue_work",
|
||||
"expires_at": "2000-01-01T00:00:00Z",
|
||||
},
|
||||
}
|
||||
with mock.patch.object(ils, "is_process_alive", return_value=False):
|
||||
res = ils.assess_expired_lock_reclaim(lock)
|
||||
self.assertTrue(res["reclaim_allowed"])
|
||||
# Conflict assessor allows takeover
|
||||
block = ils.assess_same_issue_lease_conflict(
|
||||
lock,
|
||||
issue_number=601,
|
||||
branch_name="feat/issue-601-first-class-leases",
|
||||
worktree_path="/tmp/new",
|
||||
)
|
||||
self.assertIsNone(block)
|
||||
|
||||
def test_live_lock_reclaim_refused(self) -> None:
|
||||
import issue_lock_store as ils
|
||||
from datetime import datetime, timedelta, timezone
|
||||
|
||||
future = (datetime.now(timezone.utc) + timedelta(hours=2)).strftime(
|
||||
"%Y-%m-%dT%H:%M:%SZ"
|
||||
)
|
||||
lock = {
|
||||
"issue_number": 601,
|
||||
"branch_name": "feat/issue-601-x",
|
||||
"worktree_path": tempfile.gettempdir(),
|
||||
"session_pid": os.getpid(),
|
||||
"work_lease": {
|
||||
"operation_type": "author_issue_work",
|
||||
"expires_at": future,
|
||||
"last_heartbeat_at": future,
|
||||
},
|
||||
}
|
||||
res = ils.assess_expired_lock_reclaim(lock)
|
||||
self.assertFalse(res["reclaim_allowed"])
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
+29
-34
@@ -28,33 +28,31 @@ class TestLabelCreation(unittest.TestCase):
|
||||
"""Verify create-or-skip logic for the label set."""
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all")
|
||||
@patch("manage_labels.api")
|
||||
def test_skips_existing_labels(self, mock_api, _auth):
|
||||
# Simulate all labels already exist
|
||||
def test_skips_existing_labels(self, mock_api, mock_get_all, _auth):
|
||||
# Simulate all labels already exist (paginated inventory #627)
|
||||
existing = [_make_label(l["name"], i) for i, l in enumerate(manage_labels.LABELS)]
|
||||
mock_api.return_value = existing # first call is GET /labels
|
||||
mock_get_all.return_value = existing
|
||||
|
||||
# Patch sys.argv to avoid --dry
|
||||
with patch.object(sys, "argv", ["manage_labels.py"]):
|
||||
with contextlib.redirect_stdout(io.StringIO()), contextlib.redirect_stderr(io.StringIO()):
|
||||
manage_labels.main()
|
||||
|
||||
# The GET call happens, but no POST calls for label creation
|
||||
get_calls = [c for c in mock_api.call_args_list if c[0][0] == "GET"]
|
||||
mock_get_all.assert_called()
|
||||
post_label_calls = [
|
||||
c for c in mock_api.call_args_list
|
||||
if c[0][0] == "POST" and c[0][1] == "/labels"
|
||||
]
|
||||
self.assertGreaterEqual(len(get_calls), 1)
|
||||
self.assertEqual(len(post_label_calls), 0)
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[])
|
||||
@patch("manage_labels.api")
|
||||
def test_creates_missing_labels(self, mock_api, _auth):
|
||||
def test_creates_missing_labels(self, mock_api, _get_all, _auth):
|
||||
# Simulate no existing labels
|
||||
def side_effect(method, path, auth, payload=None):
|
||||
if method == "GET" and "/labels" in path:
|
||||
return [] # no existing labels
|
||||
if method == "POST" and path == "/labels":
|
||||
return {"id": 999, "name": payload["name"]}
|
||||
if method == "PUT":
|
||||
@@ -79,15 +77,14 @@ class TestLabelCreation(unittest.TestCase):
|
||||
class TestDryRun(unittest.TestCase):
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[])
|
||||
@patch("manage_labels.api")
|
||||
def test_dry_run_makes_no_writes(self, mock_api, _auth):
|
||||
mock_api.return_value = [] # no existing labels
|
||||
|
||||
def test_dry_run_makes_no_writes(self, mock_api, _get_all, _auth):
|
||||
with patch.object(sys, "argv", ["manage_labels.py", "--dry"]):
|
||||
with contextlib.redirect_stdout(io.StringIO()), contextlib.redirect_stderr(io.StringIO()):
|
||||
manage_labels.main()
|
||||
|
||||
# Only the GET call should be made, no POST or PUT
|
||||
# Dry run should not call write methods via api()
|
||||
for c in mock_api.call_args_list:
|
||||
method = c[0][0]
|
||||
self.assertEqual(method, "GET",
|
||||
@@ -100,13 +97,13 @@ class TestDryRun(unittest.TestCase):
|
||||
class TestLabelMapping(unittest.TestCase):
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all")
|
||||
@patch("manage_labels.api")
|
||||
def test_applies_mapping_to_issues(self, mock_api, _auth):
|
||||
def test_applies_mapping_to_issues(self, mock_api, mock_get_all, _auth):
|
||||
existing = [_make_label(l["name"], i + 1) for i, l in enumerate(manage_labels.LABELS)]
|
||||
mock_get_all.return_value = existing
|
||||
|
||||
def side_effect(method, path, auth, payload=None):
|
||||
if method == "GET":
|
||||
return existing
|
||||
if method == "PUT":
|
||||
return [{"name": "applied"}]
|
||||
return None
|
||||
@@ -158,11 +155,10 @@ class TestModes(unittest.TestCase):
|
||||
return [(c[0][0], c[0][1]) for c in mock_api.call_args_list]
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[])
|
||||
@patch("manage_labels.api")
|
||||
def test_create_labels_only_no_mapping(self, mock_api, _auth):
|
||||
def test_create_labels_only_no_mapping(self, mock_api, _get_all, _auth):
|
||||
def se(method, path, auth, payload=None):
|
||||
if method == "GET":
|
||||
return [] # no existing labels
|
||||
if method == "POST" and path == "/labels":
|
||||
return {"id": 1, "name": payload["name"]}
|
||||
return None
|
||||
@@ -173,14 +169,14 @@ class TestModes(unittest.TestCase):
|
||||
self.assertFalse(any(m[0] == "PUT" for m in methods)) # no mapping applied
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all")
|
||||
@patch("manage_labels.api")
|
||||
def test_apply_mapping_only_no_label_creation(self, mock_api, _auth):
|
||||
def test_apply_mapping_only_no_label_creation(self, mock_api, mock_get_all, _auth):
|
||||
existing = [_make_label(l["name"], i + 1)
|
||||
for i, l in enumerate(manage_labels.LABELS)]
|
||||
mock_get_all.return_value = existing
|
||||
|
||||
def se(method, path, auth, payload=None):
|
||||
if method == "GET":
|
||||
return existing
|
||||
if method == "PUT":
|
||||
return [{"name": "applied"}]
|
||||
return None
|
||||
@@ -192,13 +188,10 @@ class TestModes(unittest.TestCase):
|
||||
self.assertEqual(len(put_calls), len(manage_labels.MAPPING))
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[_make_label("chore", 5)])
|
||||
@patch("manage_labels.api")
|
||||
def test_add_label_appends_to_issue(self, mock_api, _auth):
|
||||
existing = [_make_label("chore", 5)]
|
||||
|
||||
def test_add_label_appends_to_issue(self, mock_api, _get_all, _auth):
|
||||
def se(method, path, auth, payload=None):
|
||||
if method == "GET":
|
||||
return existing
|
||||
if method == "POST":
|
||||
return [{"name": "chore"}]
|
||||
return None
|
||||
@@ -212,19 +205,21 @@ class TestModes(unittest.TestCase):
|
||||
self.assertFalse(any(c[0][0] == "PUT" for c in mock_api.call_args_list))
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[])
|
||||
@patch("manage_labels.api")
|
||||
def test_add_label_unknown_makes_no_write(self, mock_api, _auth):
|
||||
mock_api.side_effect = lambda *a, **k: [] if a[0] == "GET" else None
|
||||
def test_add_label_unknown_makes_no_write(self, mock_api, _get_all, _auth):
|
||||
manage_labels.main(["--add-label", "42", "ghost"])
|
||||
# Only the GET label lookup; no POST/PUT for an undefined label.
|
||||
self.assertTrue(all(c[0][0] == "GET" for c in mock_api.call_args_list))
|
||||
# No write via api() for an undefined label.
|
||||
self.assertTrue(all(c[0][0] == "GET" for c in mock_api.call_args_list)
|
||||
or len(mock_api.call_args_list) == 0)
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api_get_all", return_value=[_make_label("chore", 5)])
|
||||
@patch("manage_labels.api")
|
||||
def test_add_label_dry_makes_no_write(self, mock_api, _auth):
|
||||
mock_api.side_effect = lambda *a, **k: [_make_label("chore", 5)] if a[0] == "GET" else None
|
||||
def test_add_label_dry_makes_no_write(self, mock_api, _get_all, _auth):
|
||||
manage_labels.main(["--dry", "--add-label", "42", "chore"])
|
||||
self.assertTrue(all(c[0][0] == "GET" for c in mock_api.call_args_list))
|
||||
self.assertTrue(all(c[0][0] == "GET" for c in mock_api.call_args_list)
|
||||
or len(mock_api.call_args_list) == 0)
|
||||
|
||||
@patch("manage_labels.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("manage_labels.api")
|
||||
|
||||
@@ -17,6 +17,7 @@ class TestMcpDaemonGuard(unittest.TestCase):
|
||||
mcp_daemon_guard.ALLOW_DIRECT_IMPORT_ENV,
|
||||
"PYTEST_CURRENT_TEST",
|
||||
}}
|
||||
env["GITEA_TEST_FORCE_UNSANCTIONED"] = "1"
|
||||
with patch.dict(os.environ, env, clear=True):
|
||||
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
|
||||
mcp_daemon_guard.assert_sanctioned_mutation_runtime("test")
|
||||
@@ -43,6 +44,7 @@ class TestMcpDaemonGuard(unittest.TestCase):
|
||||
"PYTEST_CURRENT_TEST",
|
||||
}
|
||||
}
|
||||
env["GITEA_TEST_FORCE_UNSANCTIONED"] = "1"
|
||||
with patch.dict(os.environ, env, clear=True):
|
||||
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
|
||||
mcp_daemon_guard.assert_keychain_access_allowed()
|
||||
@@ -58,6 +60,7 @@ class TestMcpDaemonGuard(unittest.TestCase):
|
||||
"PYTEST_CURRENT_TEST",
|
||||
}
|
||||
}
|
||||
env["GITEA_TEST_FORCE_UNSANCTIONED"] = "1"
|
||||
with patch.dict(os.environ, env, clear=True):
|
||||
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
|
||||
gitea_auth.get_auth_header("gitea.prgs.cc")
|
||||
|
||||
@@ -5,6 +5,7 @@ the MCP protocol) with mocked API responses.
|
||||
"""
|
||||
import json
|
||||
import os
|
||||
import shutil
|
||||
import sys
|
||||
import tempfile
|
||||
import unittest
|
||||
@@ -47,6 +48,22 @@ import gitea_config # noqa: E402
|
||||
|
||||
import mcp_server
|
||||
import issue_lock_store
|
||||
import gitea_auth
|
||||
|
||||
_orig_api_request = gitea_auth.api_request
|
||||
def mockable_api_request(*args, **kwargs):
|
||||
import mcp_server
|
||||
return mcp_server.api_request(*args, **kwargs)
|
||||
|
||||
def setUpModule():
|
||||
gitea_auth.api_request = mockable_api_request
|
||||
patch("mcp_server._enforce_root_checkout_guard").start()
|
||||
patch("mcp_server._enforce_branches_only_author_mutation").start()
|
||||
|
||||
def tearDownModule():
|
||||
gitea_auth.api_request = _orig_api_request
|
||||
patch.stopall()
|
||||
|
||||
|
||||
FAKE_AUTH = "Basic dGVzdDp0ZXN0"
|
||||
FULL_HEAD_SHA = "a" * 40
|
||||
@@ -1363,11 +1380,11 @@ class TestReviewPR(unittest.TestCase):
|
||||
self.assertIn("Review/Merge Blocked", result["message"])
|
||||
self.assertIn("Author profile", result["message"])
|
||||
|
||||
@patch("mcp_server.api_get_all")
|
||||
@patch("mcp_server.api_fetch_page")
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("mcp_server.get_profile")
|
||||
def test_legacy_review_pr_self_approval_blocked(self, mock_get_profile, _auth, mock_api, mock_get_all):
|
||||
def test_legacy_review_pr_self_approval_blocked(self, mock_get_profile, _auth, mock_api, mock_fetch):
|
||||
mock_get_profile.return_value = {
|
||||
"profile_name": "gitea-reviewer",
|
||||
"allowed_operations": ["read", "approve"],
|
||||
@@ -1375,7 +1392,10 @@ class TestReviewPR(unittest.TestCase):
|
||||
"base_url": None,
|
||||
}
|
||||
head_sha = FULL_HEAD_SHA
|
||||
mock_get_all.return_value = [{"number": 1, "title": "PR 1", "state": "open", "head": {"ref": "branch1", "sha": head_sha}, "base": {"ref": "master"}, "mergeable": True, "user": {"login": "jcwalker3"}}]
|
||||
mock_fetch.return_value = (
|
||||
[{"number": 1, "title": "PR 1", "state": "open", "head": {"ref": "branch1", "sha": head_sha}, "base": {"ref": "master"}, "mergeable": True, "user": {"login": "jcwalker3"}}],
|
||||
{"page": 1, "per_page": 50, "returned_count": 1, "has_more": False, "next_page": None, "is_final_page": True}
|
||||
)
|
||||
# mock_api responses: 1) /user (inventory), 2) /user (eligibility), 3) /pulls/1 (eligibility)
|
||||
mock_api.side_effect = [
|
||||
{"login": "jcwalker3"}, # /api/v1/user (inventory)
|
||||
@@ -3811,7 +3831,15 @@ class TestIssueLocking(unittest.TestCase):
|
||||
@patch("mcp_server.api_get_all", return_value=[])
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_lock_issue_blocks_expired_same_operation_lease_for_recovery(self, _auth, _api, _git_state):
|
||||
"""#601: expired lease still blocks takeover when owner pid is live AND worktree exists.
|
||||
|
||||
Dead-pid / missing-worktree reclaim is covered by issue_lock_store unit tests.
|
||||
This MCP path must remain fail-closed for sticky expired foreign ownership.
|
||||
"""
|
||||
prgs_repo = mcp_server.REMOTES["prgs"]["repo"]
|
||||
# Present worktree + live pid => reclaim_allowed=False even though expires_at is past.
|
||||
sticky_worktree = tempfile.mkdtemp(prefix="gitea-sticky-lease-")
|
||||
self.addCleanup(lambda: shutil.rmtree(sticky_worktree, ignore_errors=True))
|
||||
issue_lock_store.save_lock_file(
|
||||
issue_lock_store.lock_file_path(
|
||||
remote="prgs",
|
||||
@@ -3825,15 +3853,22 @@ class TestIssueLocking(unittest.TestCase):
|
||||
"remote": "prgs",
|
||||
"org": "Scaled-Tech-Consulting",
|
||||
"repo": prgs_repo,
|
||||
"worktree_path": "/tmp/other-worktree",
|
||||
"worktree_path": sticky_worktree,
|
||||
"session_pid": os.getpid(),
|
||||
"pid": os.getpid(),
|
||||
"work_lease": {
|
||||
"operation_type": "author_issue_work",
|
||||
"expires_at": "2000-01-01T00:00:00Z",
|
||||
},
|
||||
},
|
||||
)
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
gitea_lock_issue(issue_number=196, branch_name="feat/issue-196-mutations", remote="prgs")
|
||||
with patch.object(issue_lock_store, "is_process_alive", return_value=True):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
gitea_lock_issue(
|
||||
issue_number=196,
|
||||
branch_name="feat/issue-196-mutations",
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertIn("Recovery review is required before takeover", str(ctx.exception))
|
||||
|
||||
@patch("mcp_server.api_get_all", return_value=[])
|
||||
|
||||
+15
-24
@@ -64,54 +64,45 @@ class TestMarkIssueCLI(unittest.TestCase):
|
||||
with self.assertRaises(SystemExit):
|
||||
mark_issue.main(["10", "bogus_action"])
|
||||
|
||||
@patch("mark_issue.api_get_all", return_value=[{"id": 101, "name": "status:in-progress"}])
|
||||
@patch("mark_issue.api_request")
|
||||
@patch("mark_issue.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_successful_start(self, _auth, mock_api):
|
||||
# First call is GET labels, second is POST label
|
||||
mock_api.side_effect = [
|
||||
[{"id": 101, "name": "status:in-progress"}],
|
||||
[{"name": "status:in-progress"}],
|
||||
]
|
||||
def test_successful_start(self, _auth, mock_api, mock_get_all):
|
||||
mock_api.return_value = [{"name": "status:in-progress"}]
|
||||
with contextlib.redirect_stdout(io.StringIO()), contextlib.redirect_stderr(io.StringIO()):
|
||||
rc = mark_issue.main(["15", "start"])
|
||||
self.assertEqual(rc, 0)
|
||||
self.assertEqual(mock_api.call_count, 2)
|
||||
|
||||
# Verify GET labels call
|
||||
get_call = mock_api.call_args_list[0]
|
||||
self.assertEqual(get_call[0][0], "GET")
|
||||
self.assertIn("/labels?limit=100", get_call[0][1])
|
||||
mock_get_all.assert_called()
|
||||
self.assertIn("/labels", mock_get_all.call_args[0][0])
|
||||
|
||||
# Verify POST labels call
|
||||
post_call = mock_api.call_args_list[1]
|
||||
post_call = mock_api.call_args_list[0]
|
||||
self.assertEqual(post_call[0][0], "POST")
|
||||
self.assertIn("/issues/15/labels", post_call[0][1])
|
||||
self.assertEqual(post_call[0][3], {"labels": [101]})
|
||||
|
||||
@patch("mark_issue.api_get_all", return_value=[{"id": 101, "name": "status:in-progress"}])
|
||||
@patch("mark_issue.api_request")
|
||||
@patch("mark_issue.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_successful_done(self, _auth, mock_api):
|
||||
# First call is GET labels, second is DELETE label
|
||||
mock_api.side_effect = [
|
||||
[{"id": 101, "name": "status:in-progress"}],
|
||||
None,
|
||||
]
|
||||
def test_successful_done(self, _auth, mock_api, _get_all):
|
||||
mock_api.return_value = None
|
||||
rc = mark_issue.main(["15", "done"])
|
||||
self.assertEqual(rc, 0)
|
||||
self.assertEqual(mock_api.call_count, 2)
|
||||
self.assertEqual(mock_api.call_count, 1)
|
||||
|
||||
# Verify DELETE labels call
|
||||
delete_call = mock_api.call_args_list[1]
|
||||
delete_call = mock_api.call_args_list[0]
|
||||
self.assertEqual(delete_call[0][0], "DELETE")
|
||||
self.assertIn("/issues/15/labels/101", delete_call[0][1])
|
||||
|
||||
@patch("mark_issue.api_get_all", return_value=[{"id": 1, "name": "bug"}])
|
||||
@patch("mark_issue.api_request")
|
||||
@patch("mark_issue.get_auth_header", return_value=FAKE_AUTH)
|
||||
def test_label_not_found(self, _auth, mock_api):
|
||||
# GET labels returns no status:in-progress label
|
||||
mock_api.return_value = [{"id": 1, "name": "bug"}]
|
||||
def test_label_not_found(self, _auth, mock_api, _get_all):
|
||||
# Paginated inventory returns no status:in-progress label
|
||||
rc = mark_issue.main(["15", "start"])
|
||||
self.assertEqual(rc, 1)
|
||||
mock_api.assert_not_called()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
@@ -10,8 +10,11 @@ sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
|
||||
import gitea_mcp_server as srv
|
||||
|
||||
FAKE_AUTH = "token test"
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
RECONCILER_PROFILE = {
|
||||
"profile_name": "prgs-reconciler",
|
||||
"allowed_operations": ["gitea.read", "gitea.pr.close", "gitea.pr.comment"],
|
||||
|
||||
@@ -13,8 +13,13 @@ sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
|
||||
import gitea_mcp_server as srv # noqa: E402
|
||||
import root_checkout_guard as rcg # noqa: E402
|
||||
|
||||
CONTROL_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
BRANCHES_WORKTREE = str(Path(__file__).resolve().parents[1])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_ROOT = str(current_file_path.parents[3])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1])
|
||||
else:
|
||||
CONTROL_ROOT = str(current_file_path.parents[1])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1] / "branches" / "mock-worktree")
|
||||
MASTER_SHA = "a" * 40
|
||||
OTHER_SHA = "b" * 40
|
||||
|
||||
@@ -136,13 +141,21 @@ class TestVerifyPreflightRootGuardIntegration(unittest.TestCase):
|
||||
self.assertIn("Root checkout guard (#475)", str(ctx.exception))
|
||||
self.assertIn(rcg.REMEDIATION, str(ctx.exception))
|
||||
|
||||
@patch("os.path.isdir", return_value=True)
|
||||
@patch("os.path.exists", return_value=True)
|
||||
@patch("subprocess.run")
|
||||
@patch("gitea_mcp_server._get_workspace_porcelain", return_value="")
|
||||
@patch("gitea_mcp_server.root_checkout_guard.resolve_remote_master_sha", return_value=MASTER_SHA)
|
||||
@patch("gitea_mcp_server.issue_lock_worktree.read_worktree_git_state")
|
||||
@patch("gitea_mcp_server._resolve_author_mutation_context")
|
||||
def test_reviewer_from_branches_worktree_allowed(
|
||||
self, mock_ctx, mock_git, _remote_sha, _porcelain,
|
||||
self, mock_ctx, mock_git, _remote_sha, _porcelain, mock_run, _exists, _isdir,
|
||||
):
|
||||
import unittest.mock
|
||||
mock_run.return_value = unittest.mock.MagicMock(
|
||||
returncode=0,
|
||||
stdout=f"{CONTROL_ROOT}/.git\n",
|
||||
)
|
||||
srv._preflight_capability_baseline_porcelain = ""
|
||||
mock_ctx.return_value = {
|
||||
"workspace_path": BRANCHES_WORKTREE,
|
||||
@@ -156,6 +169,5 @@ class TestVerifyPreflightRootGuardIntegration(unittest.TestCase):
|
||||
}
|
||||
srv.verify_preflight_purity("prgs", worktree_path=BRANCHES_WORKTREE)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -0,0 +1,318 @@
|
||||
"""#627: paginated repository-label resolution for gitea_set_issue_labels.
|
||||
|
||||
Reproduces the post-merge #601 reconciliation failure where later-page
|
||||
labels (e.g. type:feature, workflow-hardening) were falsely rejected as
|
||||
nonexistent because inventory used a single-page GET labels?limit=100.
|
||||
"""
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import sys
|
||||
import unittest
|
||||
from unittest.mock import patch, call
|
||||
|
||||
sys.path.insert(0, str(__import__("pathlib").Path(__file__).resolve().parent.parent))
|
||||
|
||||
import mcp_server
|
||||
import gitea_auth
|
||||
|
||||
|
||||
FAKE_AUTH = "token test-token"
|
||||
PAGE_SIZE = 50 # Gitea effective max; see gitea_auth.api_get_all
|
||||
|
||||
|
||||
def _lb(name: str, lid: int) -> dict:
|
||||
return {"id": lid, "name": name, "color": "000000"}
|
||||
|
||||
|
||||
def _pages(labels: list[dict], page_size: int = PAGE_SIZE) -> list[list[dict]]:
|
||||
if not labels:
|
||||
return [[]]
|
||||
pages = []
|
||||
for i in range(0, len(labels), page_size):
|
||||
pages.append(labels[i : i + page_size])
|
||||
return pages
|
||||
|
||||
|
||||
class TestRepoLabelIdMapPagination(unittest.TestCase):
|
||||
"""_repo_label_id_map must use api_get_all (all pages)."""
|
||||
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_fewer_than_one_page(self, mock_all):
|
||||
labels = [_lb(f"l{i}", i) for i in range(3)]
|
||||
mock_all.return_value = labels
|
||||
m = mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertEqual(m, {"l0": 0, "l1": 1, "l2": 2})
|
||||
mock_all.assert_called_once()
|
||||
self.assertIn("/labels", mock_all.call_args[0][0])
|
||||
self.assertNotIn("limit=100", mock_all.call_args[0][0])
|
||||
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_exactly_one_full_page(self, mock_all):
|
||||
labels = [_lb(f"l{i:03d}", i) for i in range(PAGE_SIZE)]
|
||||
mock_all.return_value = labels
|
||||
m = mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertEqual(len(m), PAGE_SIZE)
|
||||
self.assertEqual(m["l000"], 0)
|
||||
self.assertEqual(m[f"l{PAGE_SIZE - 1:03d}"], PAGE_SIZE - 1)
|
||||
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_more_than_one_page_includes_later_labels(self, mock_all):
|
||||
# Page 1: 50 early labels; page 2: type:feature + workflow-hardening (#601 style)
|
||||
early = [_lb(f"early-{i:02d}", i) for i in range(PAGE_SIZE)]
|
||||
late = [
|
||||
_lb("type:feature", 1001),
|
||||
_lb("workflow-hardening", 1002),
|
||||
]
|
||||
mock_all.return_value = early + late
|
||||
m = mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertEqual(len(m), PAGE_SIZE + 2)
|
||||
self.assertEqual(m["type:feature"], 1001)
|
||||
self.assertEqual(m["workflow-hardening"], 1002)
|
||||
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_duplicate_names_keep_first_seen_id(self, mock_all):
|
||||
mock_all.return_value = [
|
||||
_lb("type:feature", 103),
|
||||
_lb("type:feature", 130), # duplicate id later
|
||||
_lb("workflow-hardening", 105),
|
||||
_lb("workflow-hardening", 128),
|
||||
]
|
||||
m = mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertEqual(m["type:feature"], 103)
|
||||
self.assertEqual(m["workflow-hardening"], 105)
|
||||
|
||||
@patch("mcp_server.api_get_all", return_value={"not": "a list"})
|
||||
def test_non_list_inventory_fails_closed(self, _all):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertIn("expected a list", str(ctx.exception).lower())
|
||||
|
||||
@patch("mcp_server.api_get_all", side_effect=RuntimeError("page 2 failed: connection reset"))
|
||||
def test_later_page_failure_propagates(self, _all):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server._repo_label_id_map("https://gitea.example/api/v1/repos/o/r", FAKE_AUTH)
|
||||
self.assertIn("page 2 failed", str(ctx.exception))
|
||||
|
||||
|
||||
class TestSetIssueLabelsPagination(unittest.TestCase):
|
||||
"""gitea_set_issue_labels full-set replacement with multi-page inventory."""
|
||||
|
||||
def setUp(self):
|
||||
self._remotes = patch.dict(
|
||||
mcp_server.REMOTES,
|
||||
{"prgs": {"host": "gitea.example.com", "org": "Scaled-Tech-Consulting",
|
||||
"repo": "Gitea-Tools"}},
|
||||
)
|
||||
self._remotes.start()
|
||||
# Allow mutation path without full preflight stack when possible
|
||||
self._preflight = patch(
|
||||
"mcp_server.verify_preflight_purity", return_value=None
|
||||
)
|
||||
self._preflight.start()
|
||||
self._perm = patch(
|
||||
"mcp_server._profile_permission_block", return_value=None
|
||||
)
|
||||
self._perm.start()
|
||||
self._auth = patch(
|
||||
"mcp_server._auth", return_value=FAKE_AUTH
|
||||
)
|
||||
self._auth.start()
|
||||
self._audited = patch("mcp_server._audited")
|
||||
mock_aud = self._audited.start()
|
||||
mock_aud.return_value.__enter__ = lambda s: None
|
||||
mock_aud.return_value.__exit__ = lambda s, *a: None
|
||||
|
||||
def tearDown(self):
|
||||
self._remotes.stop()
|
||||
self._preflight.stop()
|
||||
self._perm.stop()
|
||||
self._auth.stop()
|
||||
self._audited.stop()
|
||||
|
||||
def _inventory_early_and_late(self) -> list[dict]:
|
||||
early = [_lb(f"alpha-{i:02d}", i + 1) for i in range(PAGE_SIZE)]
|
||||
late = [
|
||||
_lb("type:feature", 9001),
|
||||
_lb("workflow-hardening", 9002),
|
||||
_lb("status:ready", 9003),
|
||||
_lb("anti-stomp", 9004),
|
||||
_lb("leases", 9005),
|
||||
_lb("recovery", 9006),
|
||||
]
|
||||
return early + late
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_requested_labels_split_across_pages(self, mock_all, mock_req):
|
||||
inv = self._inventory_early_and_late()
|
||||
mock_all.return_value = inv
|
||||
requested = ["alpha-00", "type:feature", "workflow-hardening"]
|
||||
mock_req.return_value = [_lb(n, inv_i["id"]) for n in requested
|
||||
for inv_i in inv if inv_i["name"] == n]
|
||||
|
||||
res = mcp_server.gitea_set_issue_labels(
|
||||
issue_number=601,
|
||||
labels=requested,
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertEqual({lb["name"] for lb in res}, set(requested))
|
||||
# PUT must use ids from both pages
|
||||
put = mock_req.call_args
|
||||
self.assertEqual(put[0][0], "PUT")
|
||||
payload_ids = put[0][3]["labels"]
|
||||
self.assertEqual(payload_ids, [1, 9001, 9002])
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_missing_requested_label_rejected_before_put(self, mock_all, mock_req):
|
||||
mock_all.return_value = [_lb("bug", 1), _lb("status:ready", 2)]
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.gitea_set_issue_labels(
|
||||
issue_number=9,
|
||||
labels=["bug", "does-not-exist"],
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertIn("do not exist", str(ctx.exception))
|
||||
self.assertIn("does-not-exist", str(ctx.exception))
|
||||
mock_req.assert_not_called()
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_complete_set_preserves_later_page_labels(self, mock_all, mock_req):
|
||||
inv = self._inventory_early_and_late()
|
||||
mock_all.return_value = inv
|
||||
# Full-set replacement removing only status:pr-open style stale label:
|
||||
# keep later-page feature labels (the #601 reconciliation shape).
|
||||
requested = [
|
||||
"anti-stomp",
|
||||
"leases",
|
||||
"recovery",
|
||||
"type:feature",
|
||||
"workflow-hardening",
|
||||
]
|
||||
mock_req.return_value = [_lb(n, next(x["id"] for x in inv if x["name"] == n))
|
||||
for n in requested]
|
||||
res = mcp_server.gitea_set_issue_labels(
|
||||
issue_number=601, labels=requested, remote="prgs"
|
||||
)
|
||||
self.assertEqual([lb["name"] for lb in res], requested)
|
||||
payload_ids = mock_req.call_args[0][3]["labels"]
|
||||
self.assertEqual(payload_ids, [9004, 9005, 9006, 9001, 9002])
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_issue_601_regression_later_page_names_accepted(self, mock_all, mock_req):
|
||||
"""Regression: #601 reconciler rejected type:feature + workflow-hardening.
|
||||
|
||||
Single-page inventory would omit them; paginated inventory must accept.
|
||||
"""
|
||||
early = [_lb(f"page1-{i:02d}", i + 1) for i in range(PAGE_SIZE)]
|
||||
# Exactly the labels from the #601 residual set (minus status:pr-open)
|
||||
late = [
|
||||
_lb("type:feature", 103),
|
||||
_lb("workflow-hardening", 105),
|
||||
_lb("anti-stomp", 106),
|
||||
_lb("leases", 109),
|
||||
_lb("recovery", 110),
|
||||
]
|
||||
mock_all.return_value = early + late
|
||||
requested = [
|
||||
"anti-stomp",
|
||||
"leases",
|
||||
"recovery",
|
||||
"type:feature",
|
||||
"workflow-hardening",
|
||||
]
|
||||
mock_req.return_value = [
|
||||
_lb(n, next(x["id"] for x in late if x["name"] == n)) for n in requested
|
||||
]
|
||||
res = mcp_server.gitea_set_issue_labels(
|
||||
issue_number=601, labels=requested, remote="prgs"
|
||||
)
|
||||
names = {lb["name"] for lb in res}
|
||||
self.assertEqual(names, set(requested))
|
||||
self.assertNotIn("status:pr-open", names)
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_duplicate_label_ids_resolve_deterministically(self, mock_all, mock_req):
|
||||
mock_all.return_value = [
|
||||
_lb("type:feature", 103),
|
||||
_lb("type:feature", 130),
|
||||
_lb("workflow-hardening", 105),
|
||||
_lb("workflow-hardening", 128),
|
||||
]
|
||||
requested = ["type:feature", "workflow-hardening"]
|
||||
mock_req.return_value = [_lb("type:feature", 103), _lb("workflow-hardening", 105)]
|
||||
mcp_server.gitea_set_issue_labels(
|
||||
issue_number=1, labels=requested, remote="prgs"
|
||||
)
|
||||
self.assertEqual(mock_req.call_args[0][3]["labels"], [103, 105])
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_post_mutation_mismatch_fails_closed(self, mock_all, mock_req):
|
||||
mock_all.return_value = [_lb("bug", 1), _lb("status:ready", 2)]
|
||||
# Server returns incomplete set → verification must fail
|
||||
mock_req.return_value = [_lb("bug", 1)]
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.gitea_set_issue_labels(
|
||||
issue_number=9,
|
||||
labels=["bug", "status:ready"],
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertIn("Post-mutation label verification failed", str(ctx.exception))
|
||||
self.assertIn("status:ready", str(ctx.exception))
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all", side_effect=RuntimeError("Gitea 502 on page 2"))
|
||||
def test_pagination_failure_fails_closed_before_put(self, _all, mock_req):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.gitea_set_issue_labels(
|
||||
issue_number=9, labels=["bug"], remote="prgs"
|
||||
)
|
||||
self.assertIn("page 2", str(ctx.exception))
|
||||
mock_req.assert_not_called()
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_empty_label_set_clears_all(self, mock_all, mock_req):
|
||||
mock_all.return_value = [_lb("bug", 1)]
|
||||
mock_req.return_value = []
|
||||
res = mcp_server.gitea_set_issue_labels(
|
||||
issue_number=9, labels=[], remote="prgs"
|
||||
)
|
||||
self.assertEqual(res, [])
|
||||
self.assertEqual(mock_req.call_args[0][3]["labels"], [])
|
||||
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.api_get_all")
|
||||
def test_does_not_call_single_page_limit_100(self, mock_all, mock_req):
|
||||
mock_all.return_value = [_lb("bug", 1)]
|
||||
mock_req.return_value = [_lb("bug", 1)]
|
||||
mcp_server.gitea_set_issue_labels(
|
||||
issue_number=9, labels=["bug"], remote="prgs"
|
||||
)
|
||||
for c in mock_req.call_args_list:
|
||||
url = c[0][1] if len(c[0]) > 1 else ""
|
||||
self.assertNotIn("labels?limit=100", str(url))
|
||||
mock_all.assert_called()
|
||||
|
||||
|
||||
class TestApiGetAllPageCapDocumentsGiteaLimit(unittest.TestCase):
|
||||
"""Sanity: api_get_all clamps page_size to 50 (root cause of limit=100 trap)."""
|
||||
|
||||
@patch("gitea_auth.api_request")
|
||||
def test_page_size_clamped_to_fifty(self, mock_req):
|
||||
mock_req.return_value = []
|
||||
gitea_auth.api_get_all("https://gitea.example/api/v1/repos/o/r/labels",
|
||||
FAKE_AUTH, page_size=100)
|
||||
# First (only) call must use limit=50, not 100
|
||||
url = mock_req.call_args[0][1]
|
||||
self.assertIn("limit=50", url)
|
||||
self.assertNotIn("limit=100", url)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -0,0 +1,188 @@
|
||||
"""Server wiring for stable-branch push contamination (#671).
|
||||
|
||||
Exercises the MCP tools and the pre-flight enforcement gate against the durable
|
||||
contamination marker (isolated per-test state dir from conftest).
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
from unittest.mock import patch
|
||||
|
||||
import gitea_mcp_server as srv
|
||||
|
||||
|
||||
def _clear_marker(remote="prgs"):
|
||||
srv._clear_stable_contamination_marker(remote=remote)
|
||||
|
||||
|
||||
def teardown_function():
|
||||
_clear_marker()
|
||||
|
||||
|
||||
# ── record tool marks a real direct push ─────────────────────────────────────
|
||||
|
||||
def test_record_tool_marks_direct_master_push():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is True
|
||||
assert res["marker"] is not None
|
||||
assert res["marker"]["reason_class"] == "stable_branch_push"
|
||||
# loaded back through the durable store
|
||||
loaded = srv._load_stable_contamination_marker("prgs")
|
||||
assert loaded is not None
|
||||
assert loaded["ref"] == "master"
|
||||
|
||||
|
||||
def test_record_tool_dry_run_still_marks():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push --dry-run prgs master", remote="prgs"
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is True
|
||||
|
||||
|
||||
def test_record_tool_feature_branch_does_not_mark():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs fix/issue-671-block-stable-branch-push",
|
||||
remote="prgs",
|
||||
)
|
||||
assert res["contaminated"] is False
|
||||
assert res["marked"] is False
|
||||
assert srv._load_stable_contamination_marker("prgs") is None
|
||||
|
||||
|
||||
def test_record_tool_fetch_only_does_not_mark():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git fetch prgs", remote="prgs"
|
||||
)
|
||||
assert res["contaminated"] is False
|
||||
assert res["marked"] is False
|
||||
|
||||
|
||||
def test_record_tool_mark_false_is_readonly():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs", mark=False
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is False
|
||||
assert srv._load_stable_contamination_marker("prgs") is None
|
||||
|
||||
|
||||
def test_record_tool_redacts_secret_in_marker():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push https://u:supersecret@host/o/r.git master",
|
||||
remote="prgs",
|
||||
)
|
||||
assert res["marked"] is True
|
||||
assert "supersecret" not in res["marker"]["command_summary"]
|
||||
|
||||
|
||||
def test_record_tool_root_checkout_local_commit_marks():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command=None,
|
||||
remote="prgs",
|
||||
current_branch="master",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is True
|
||||
assert res["marker"]["reason_class"] == "root_checkout_commit"
|
||||
|
||||
|
||||
# ── audit tool: inspect + reconciler-only clear ──────────────────────────────
|
||||
|
||||
def test_audit_inspect_reports_marker():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
out = srv.gitea_audit_stable_branch_contamination(action="inspect", remote="prgs")
|
||||
assert out["contaminated"] is True
|
||||
assert out["read_only"] is True
|
||||
|
||||
|
||||
def test_audit_clear_refused_for_non_reconciler():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
out = srv.gitea_audit_stable_branch_contamination(action="clear", remote="prgs")
|
||||
assert out["success"] is False
|
||||
assert out["reasons"]
|
||||
# marker survives a refused clear
|
||||
assert srv._load_stable_contamination_marker("prgs") is not None
|
||||
|
||||
|
||||
def test_audit_clear_allowed_for_reconciler():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
identity = srv._stable_contamination_profile_identity()
|
||||
with patch.object(srv, "_actual_profile_role", return_value="reconciler"):
|
||||
out = srv.gitea_audit_stable_branch_contamination(
|
||||
action="clear", remote="prgs", profile_identity=identity
|
||||
)
|
||||
assert out["success"] is True
|
||||
assert srv._load_stable_contamination_marker("prgs") is None
|
||||
|
||||
|
||||
# ── pre-flight enforcement gate ──────────────────────────────────────────────
|
||||
|
||||
def _force_gate_env():
|
||||
return patch.dict(os.environ, {"GITEA_TEST_FORCE_STABLE_CONTAMINATION": "1"})
|
||||
|
||||
|
||||
def test_gate_blocks_gated_mutation_when_contaminated():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
for task in ("merge_pr", "review_pr", "close_issue", "create_pr"):
|
||||
try:
|
||||
srv._enforce_stable_branch_contamination_gate(task, "prgs")
|
||||
raised = False
|
||||
except RuntimeError as exc:
|
||||
raised = True
|
||||
assert "#671" in str(exc)
|
||||
assert raised, task
|
||||
|
||||
|
||||
def test_gate_allows_comment_for_handoff_when_contaminated():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
# must not raise — worker can still post the durable audit comment
|
||||
srv._enforce_stable_branch_contamination_gate("comment_issue", "prgs")
|
||||
srv._enforce_stable_branch_contamination_gate("lock_issue", "prgs")
|
||||
|
||||
|
||||
def test_gate_exempts_reconciler_when_contaminated():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="reconciler"):
|
||||
srv._enforce_stable_branch_contamination_gate("merge_pr", "prgs")
|
||||
|
||||
|
||||
def test_gate_noop_when_not_contaminated():
|
||||
_clear_marker()
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
srv._enforce_stable_branch_contamination_gate("merge_pr", "prgs")
|
||||
@@ -0,0 +1,341 @@
|
||||
"""Tests for the direct stable-branch push guard (#671).
|
||||
|
||||
Covers the acceptance criteria:
|
||||
1. detect shell ``git push <remote> master`` equivalents
|
||||
2. detect root/control-checkout local commits not on an issue branch
|
||||
3. contamination record shape
|
||||
4. fail-closed gate on review/merge/close/completion (reconciler-exempt)
|
||||
5. AC5 case matrix: no-op dry-run push, real direct push, sanctioned Gitea
|
||||
merge, fetch-only, root-checkout local commit; plus feature-branch push
|
||||
still allowed and sanctioned merge still allowed
|
||||
6. redaction of credentials in logged command summaries
|
||||
"""
|
||||
|
||||
import stable_branch_push_guard as guard
|
||||
|
||||
|
||||
# ── AC1: detect direct stable-branch push equivalents ────────────────────────
|
||||
|
||||
def test_plain_git_push_remote_master_is_contamination():
|
||||
res = guard.classify_push_command("git push prgs master")
|
||||
assert res["is_git_push"] is True
|
||||
assert res["targets_stable"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
assert res["contamination"] is True
|
||||
assert res["reasons"]
|
||||
|
||||
|
||||
def test_push_main_and_dev_detected():
|
||||
for ref in ("main", "dev", "develop", "development"):
|
||||
res = guard.classify_push_command(f"git push origin {ref}")
|
||||
assert res["contamination"] is True, ref
|
||||
assert res["stable_refs"] == [ref]
|
||||
|
||||
|
||||
def test_head_colon_master_refspec_detected():
|
||||
res = guard.classify_push_command("git push prgs HEAD:master")
|
||||
assert res["targets_stable"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
def test_full_refspec_force_plus_detected():
|
||||
res = guard.classify_push_command(
|
||||
"git push prgs +refs/heads/tmp:refs/heads/master"
|
||||
)
|
||||
assert res["contamination"] is True
|
||||
assert res["is_force"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
|
||||
|
||||
def test_force_flag_to_master_detected():
|
||||
res = guard.classify_push_command("git push --force prgs master")
|
||||
assert res["contamination"] is True
|
||||
assert res["is_force"] is True
|
||||
|
||||
|
||||
def test_delete_refspec_master_detected():
|
||||
res = guard.classify_push_command("git push prgs :master")
|
||||
assert res["contamination"] is True
|
||||
assert res["is_delete"] is True
|
||||
|
||||
|
||||
def test_delete_flag_master_detected():
|
||||
res = guard.classify_push_command("git push --delete prgs master")
|
||||
assert res["contamination"] is True
|
||||
assert res["is_delete"] is True
|
||||
|
||||
|
||||
def test_push_detected_inside_compound_command():
|
||||
res = guard.classify_push_command("cd repo && git push prgs master && echo ok")
|
||||
assert res["contamination"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
|
||||
|
||||
# ── AC5: no-op / dry-run push still proves intent ────────────────────────────
|
||||
|
||||
def test_dry_run_push_to_master_proves_intent():
|
||||
res = guard.classify_push_command("git push --dry-run prgs master")
|
||||
assert res["is_dry_run"] is True
|
||||
assert res["contamination"] is True
|
||||
assert res["proves_intent"] is True
|
||||
assert "intent" in " ".join(res["reasons"]).lower()
|
||||
|
||||
|
||||
def test_short_dry_run_flag_n_detected():
|
||||
res = guard.classify_push_command("git push -n prgs master")
|
||||
assert res["is_dry_run"] is True
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
# ── AC5 negative: feature-branch push still allowed ──────────────────────────
|
||||
|
||||
def test_feature_branch_push_not_flagged():
|
||||
res = guard.classify_push_command(
|
||||
"git push prgs fix/issue-671-block-stable-branch-push"
|
||||
)
|
||||
assert res["is_git_push"] is True
|
||||
assert res["targets_stable"] is False
|
||||
assert res["contamination"] is False
|
||||
assert res["reasons"] == []
|
||||
|
||||
|
||||
def test_feature_branch_head_refspec_not_flagged():
|
||||
res = guard.classify_push_command(
|
||||
"git push prgs HEAD:fix/issue-671-block-stable-branch-push"
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
assert res["targets_stable"] is False
|
||||
|
||||
|
||||
def test_branch_named_like_master_substring_not_flagged():
|
||||
# 'master-notes' is not the stable 'master'.
|
||||
res = guard.classify_push_command("git push prgs master-notes")
|
||||
assert res["contamination"] is False
|
||||
assert res["targets_stable"] is False
|
||||
|
||||
|
||||
# ── AC5 negative: fetch-only operations ──────────────────────────────────────
|
||||
|
||||
def test_git_fetch_not_a_push():
|
||||
res = guard.classify_push_command("git fetch prgs")
|
||||
assert res["is_git_push"] is False
|
||||
assert res["is_fetch_or_pull"] is True
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
def test_git_pull_ff_only_master_not_a_push():
|
||||
res = guard.classify_push_command("git pull --ff-only prgs master")
|
||||
assert res["is_git_push"] is False
|
||||
assert res["is_fetch_or_pull"] is True
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
# ── AC5 negative: sanctioned Gitea merge is not a push ───────────────────────
|
||||
|
||||
def test_gitea_merge_pr_tool_is_not_a_push():
|
||||
res = guard.classify_push_command("gitea_merge_pr(pr_number=671, remote='prgs')")
|
||||
assert res["is_git_push"] is False
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
def test_gitea_api_merge_is_not_a_push():
|
||||
res = guard.classify_push_command(
|
||||
"curl -X POST https://gitea.example/api/v1/repos/o/r/pulls/671/merge"
|
||||
)
|
||||
assert res["is_git_push"] is False
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
# ── ambiguous bare push: reported, not auto-contaminating ────────────────────
|
||||
|
||||
def test_bare_push_is_ambiguous_not_contaminating():
|
||||
res = guard.classify_push_command("git push prgs")
|
||||
assert res["is_git_push"] is True
|
||||
assert res["ambiguous_target"] is True
|
||||
assert res["contamination"] is False
|
||||
assert res["reasons"] # surfaced as a warning
|
||||
|
||||
|
||||
# ── AC2: root/control-checkout local commit detection ────────────────────────
|
||||
|
||||
def test_root_checkout_commit_ahead_of_master_flagged():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is True
|
||||
assert res["reasons"]
|
||||
|
||||
|
||||
def test_root_checkout_clean_at_master_not_flagged():
|
||||
sha = "c" * 40
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha=sha,
|
||||
remote_master_sha=sha,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
assert res["unknown"] is False
|
||||
|
||||
|
||||
def test_branches_worktree_commit_is_exempt():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="fix/issue-671-block-stable-branch-push",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=True,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
def test_root_checkout_ahead_count_flagged():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha="",
|
||||
remote_master_sha="",
|
||||
is_under_branches=False,
|
||||
ahead_count=2,
|
||||
)
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
def test_root_checkout_unknown_when_state_missing():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha="",
|
||||
remote_master_sha="",
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
assert res["unknown"] is True
|
||||
|
||||
|
||||
def test_root_checkout_non_stable_branch_out_of_scope():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="feature/x",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
# ── AC3: contamination record shape ──────────────────────────────────────────
|
||||
|
||||
def test_build_contamination_record_shape_and_redaction():
|
||||
rec = guard.build_contamination_record(
|
||||
reason_class="stable_branch_push",
|
||||
command_redacted="git push https://user:[email protected]/o/r.git master",
|
||||
session_id="prgs-author-123",
|
||||
remote="prgs",
|
||||
ref="master",
|
||||
role="author",
|
||||
)
|
||||
assert rec["kind"] == guard.CONTAMINATION_KIND
|
||||
assert rec["reason_class"] == "stable_branch_push"
|
||||
assert rec["remote"] == "prgs"
|
||||
assert rec["ref"] == "master"
|
||||
assert rec["cleared_by_reconciler"] is False
|
||||
# secret must never survive into the durable record
|
||||
assert "tok@" not in rec["command_summary"]
|
||||
assert "***@" in rec["command_summary"]
|
||||
|
||||
|
||||
# ── AC4: fail-closed gate on gated mutations ─────────────────────────────────
|
||||
|
||||
def _marker():
|
||||
return guard.build_contamination_record(
|
||||
reason_class="stable_branch_push",
|
||||
command_redacted="git push prgs master",
|
||||
remote="prgs",
|
||||
ref="master",
|
||||
role="author",
|
||||
)
|
||||
|
||||
|
||||
def test_gate_blocks_gated_mutations_for_author():
|
||||
marker = _marker()
|
||||
for task in ("create_pr", "merge_pr", "close_issue", "review_pr",
|
||||
"submit_pr_review", "commit_files", "close_pr"):
|
||||
gate = guard.assess_contamination_gate(marker, task=task, actual_role="author")
|
||||
assert gate["block"] is True, task
|
||||
assert gate["reasons"]
|
||||
|
||||
|
||||
def test_gate_allows_comment_and_lock_for_handoff():
|
||||
marker = _marker()
|
||||
for task in ("comment_issue", "lock_issue", "create_issue", "mark_issue"):
|
||||
gate = guard.assess_contamination_gate(marker, task=task, actual_role="author")
|
||||
assert gate["block"] is False, task
|
||||
|
||||
|
||||
def test_gate_exempts_reconciler_audit_path():
|
||||
marker = _marker()
|
||||
gate = guard.assess_contamination_gate(marker, task="close_pr", actual_role="reconciler")
|
||||
assert gate["block"] is False
|
||||
|
||||
|
||||
def test_gate_no_marker_allows_everything():
|
||||
gate = guard.assess_contamination_gate(None, task="merge_pr", actual_role="merger")
|
||||
assert gate["block"] is False
|
||||
|
||||
|
||||
def test_gate_cleared_marker_allows_everything():
|
||||
marker = _marker()
|
||||
marker["cleared_by_reconciler"] = True
|
||||
gate = guard.assess_contamination_gate(marker, task="merge_pr", actual_role="merger")
|
||||
assert gate["block"] is False
|
||||
|
||||
|
||||
def test_same_worker_cannot_self_clear_by_role():
|
||||
# A merger/reviewer/author role is still gated — only reconciler is exempt.
|
||||
marker = _marker()
|
||||
for role in ("author", "reviewer", "merger"):
|
||||
gate = guard.assess_contamination_gate(marker, task="merge_pr", actual_role=role)
|
||||
assert gate["block"] is True, role
|
||||
|
||||
|
||||
def test_format_gate_error_mentions_issue():
|
||||
marker = _marker()
|
||||
gate = guard.assess_contamination_gate(marker, task="merge_pr", actual_role="merger")
|
||||
msg = guard.format_contamination_gate_error(gate)
|
||||
assert "#671" in msg
|
||||
assert "contaminat" in msg.lower()
|
||||
|
||||
|
||||
# ── redaction unit coverage ──────────────────────────────────────────────────
|
||||
|
||||
def test_redact_url_userinfo():
|
||||
out = guard.redact_command("git push https://bob:secretpat@host/o/r.git master")
|
||||
assert "secretpat" not in out
|
||||
assert "***@" in out
|
||||
assert "master" in out # structure preserved for audit
|
||||
|
||||
|
||||
def test_redact_token_assignment():
|
||||
out = guard.redact_command("GITEA_TOKEN=abcdef123456 git push prgs master")
|
||||
assert "abcdef123456" not in out
|
||||
assert "GITEA_TOKEN=***" in out
|
||||
|
||||
|
||||
def test_redact_empty():
|
||||
assert guard.redact_command(None) == ""
|
||||
assert guard.redact_command("") == ""
|
||||
|
||||
|
||||
# ── detect_stable_push over iterables ────────────────────────────────────────
|
||||
|
||||
def test_detect_stable_push_iterable_finds_first_contamination():
|
||||
cmds = ["git status", "git push prgs master", "echo done"]
|
||||
res = guard.detect_stable_push(cmds)
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
def test_detect_stable_push_iterable_all_safe():
|
||||
cmds = ["git status", "git push prgs feature/x", "git fetch prgs"]
|
||||
res = guard.detect_stable_push(cmds)
|
||||
assert res["contamination"] is False
|
||||
@@ -14,8 +14,13 @@ sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
|
||||
import author_mutation_worktree as amw # noqa: E402
|
||||
import gitea_mcp_server as srv # noqa: E402
|
||||
|
||||
CONTROL_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
BRANCHES_WORKTREE = str(Path(__file__).resolve().parents[1])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_ROOT = str(current_file_path.parents[3])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1])
|
||||
else:
|
||||
CONTROL_ROOT = str(current_file_path.parents[1])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1] / "branches" / "mock-worktree")
|
||||
MCP_PROCESS_ROOT = BRANCHES_WORKTREE
|
||||
|
||||
|
||||
@@ -95,7 +100,23 @@ class TestRuntimeContextGuardAlignment(unittest.TestCase):
|
||||
srv._preflight_in_test_mode = self._orig_in_test
|
||||
self._env_patch.stop()
|
||||
|
||||
def test_runtime_context_and_guard_share_resolved_workspace(self):
|
||||
@mock.patch("subprocess.run")
|
||||
@mock.patch("os.path.isdir", return_value=True)
|
||||
@mock.patch("os.path.exists", return_value=True)
|
||||
def test_runtime_context_and_guard_share_resolved_workspace(
|
||||
self, _exists, _isdir, mock_run
|
||||
):
|
||||
def run_side_effect(cmd, *args, **kwargs):
|
||||
res = MagicMock(returncode=0)
|
||||
if "--git-common-dir" in cmd:
|
||||
res.stdout = f"{CONTROL_ROOT}/.git\n"
|
||||
elif "--show-toplevel" in cmd:
|
||||
cwd = cmd[cmd.index("-C") + 1] if "-C" in cmd else ""
|
||||
res.stdout = f"{cwd}\n"
|
||||
else:
|
||||
res.stdout = f"{CONTROL_ROOT}\n"
|
||||
return res
|
||||
mock_run.side_effect = run_side_effect
|
||||
with mock.patch.object(srv, "PROJECT_ROOT", MCP_PROCESS_ROOT):
|
||||
ctx = srv._resolve_author_mutation_context(BRANCHES_WORKTREE)
|
||||
status = srv.assess_preflight_status(worktree_path=BRANCHES_WORKTREE)
|
||||
|
||||
@@ -14,11 +14,7 @@ from merged_cleanup_reconcile import (
|
||||
read_issue_lock,
|
||||
read_local_worktree_state,
|
||||
)
|
||||
|
||||
_REVIEW_WORKTREE_RE = re.compile(
|
||||
r"branches/(?:review-pr\d+|merge-simulation-pr\d+|review-[\w-]+)",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
from reviewer_worktree import REVIEW_WORKTREE_RE
|
||||
|
||||
CLASSIFICATIONS = frozenset({
|
||||
"active-pr",
|
||||
|
||||
@@ -35,7 +35,7 @@ from datetime import datetime, timezone
|
||||
from typing import Any
|
||||
|
||||
from merged_cleanup_reconcile import branch_worktree_folder, read_local_worktree_state
|
||||
from reviewer_worktree import parse_dirty_tracked_files
|
||||
from reviewer_worktree import parse_dirty_tracked_files, REVIEW_WORKTREE_RE
|
||||
|
||||
PROTECTED_BRANCHES = frozenset({"master", "main", "dev"})
|
||||
DEFAULT_TTL_HOURS = float(os.environ.get("GITEA_WORKTREE_TTL_HOURS", "24") or 24)
|
||||
@@ -508,10 +508,8 @@ DISPOSITIONS = frozenset({
|
||||
"unsafe_unknown",
|
||||
})
|
||||
|
||||
REVIEW_WORKTREE_RE = re.compile(
|
||||
r"branches/(?:review-pr\d+|merge-simulation-pr\d+|review-[\w-]+)",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
|
||||
|
||||
|
||||
|
||||
def normalize_path(path: str) -> str:
|
||||
|
||||
Reference in New Issue
Block a user