Compare commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
d302602567 | ||
|
|
22698c1b5f | ||
|
|
de27053f74 | ||
|
|
5933d87647 | ||
|
|
72b18143f8 | ||
|
|
8886ce201f | ||
|
|
bee24e2b10 | ||
|
|
a7aac0df1d | ||
|
|
ec903b0d61 |
+527
-83
@@ -623,97 +623,280 @@ def verify_preflight_purity(
|
||||
remote: str | None = None,
|
||||
worktree_path: str | None = None,
|
||||
task: str | None = None,
|
||||
*,
|
||||
target_issue_number: int | None = None,
|
||||
require_author_lock: bool = False,
|
||||
):
|
||||
"""Verify that identity and capability were verified prior to session edits."""
|
||||
"""Verify identity/capability order, then production workspace guards.
|
||||
|
||||
#683: pytest/unittest must not skip production root/branches/scope
|
||||
enforcement when force-on signals request production behavior. The
|
||||
early return below only skips *preflight-order* purity checks under
|
||||
pure unit-test isolation — never when production guards are active.
|
||||
"""
|
||||
global _preflight_reviewer_violation_files
|
||||
|
||||
in_test = _preflight_in_test_mode()
|
||||
if in_test and not (
|
||||
os.environ.get("GITEA_TEST_FORCE_DIRTY")
|
||||
or os.environ.get("GITEA_TEST_PORCELAIN") is not None
|
||||
):
|
||||
return
|
||||
production_active = workflow_scope_guard.production_guards_active(
|
||||
in_test_mode=in_test
|
||||
)
|
||||
# Pure unit-test isolation: skip purity-order unless legacy dirty/porcelain
|
||||
# force flags request the dirtiness path. #683 FORCE_PRODUCTION_GUARDS alone
|
||||
# runs production root/branches/scope without requiring whoami/capability.
|
||||
skip_purity_order = in_test and not workflow_scope_guard.purity_order_forced()
|
||||
|
||||
if not _preflight_whoami_called:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Identity (gitea_whoami) has not been verified (fail closed)"
|
||||
)
|
||||
if not _preflight_capability_called:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Task capability (gitea_resolve_task_capability) has not been resolved (fail closed)"
|
||||
)
|
||||
if (
|
||||
task is not None
|
||||
and _preflight_resolved_task is not None
|
||||
and task != _preflight_resolved_task
|
||||
):
|
||||
raise RuntimeError(
|
||||
"Pre-flight task mismatch: "
|
||||
f"resolved '{_preflight_resolved_task}' but mutation requires "
|
||||
f"'{task}' (fail closed)"
|
||||
)
|
||||
|
||||
ctx = _resolve_namespace_mutation_context(worktree_path)
|
||||
workspace = ctx["workspace_path"]
|
||||
canonical_root = ctx["canonical_repo_root"]
|
||||
process_root = ctx["process_project_root"]
|
||||
real_workspace = os.path.realpath(workspace)
|
||||
role = ctx.get("workspace_role_kind") or _effective_workspace_role()
|
||||
|
||||
if real_workspace != process_root:
|
||||
if not _preflight_in_test_mode():
|
||||
membership = author_mutation_worktree.assess_workspace_repo_membership(
|
||||
workspace_path=workspace,
|
||||
canonical_repo_root=canonical_root,
|
||||
if not skip_purity_order:
|
||||
if not _preflight_whoami_called:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Identity (gitea_whoami) has not been verified (fail closed)"
|
||||
)
|
||||
if membership["block"]:
|
||||
if not _preflight_capability_called:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Task capability (gitea_resolve_task_capability) has not been resolved (fail closed)"
|
||||
)
|
||||
if (
|
||||
task is not None
|
||||
and _preflight_resolved_task is not None
|
||||
and task != _preflight_resolved_task
|
||||
):
|
||||
raise RuntimeError(
|
||||
"Pre-flight task mismatch: "
|
||||
f"resolved '{_preflight_resolved_task}' but mutation requires "
|
||||
f"'{task}' (fail closed)"
|
||||
)
|
||||
|
||||
# #671: block review/merge/close/completion mutations while the session is
|
||||
# contaminated by a direct stable-branch push attempt (reconciler-exempt).
|
||||
_enforce_stable_branch_contamination_gate(task, remote)
|
||||
|
||||
ctx = _resolve_namespace_mutation_context(worktree_path)
|
||||
workspace = ctx["workspace_path"]
|
||||
canonical_root = ctx["canonical_repo_root"]
|
||||
process_root = ctx["process_project_root"]
|
||||
real_workspace = os.path.realpath(workspace)
|
||||
role = ctx.get("workspace_role_kind") or _effective_workspace_role()
|
||||
|
||||
if real_workspace != process_root:
|
||||
if not _preflight_in_test_mode():
|
||||
membership = author_mutation_worktree.assess_workspace_repo_membership(
|
||||
workspace_path=workspace,
|
||||
canonical_repo_root=canonical_root,
|
||||
)
|
||||
if membership["block"]:
|
||||
raise RuntimeError(
|
||||
author_mutation_worktree.format_workspace_repo_membership_error(
|
||||
membership
|
||||
)
|
||||
)
|
||||
|
||||
dirty_files = sorted(
|
||||
_parse_porcelain_entries(_get_workspace_porcelain(workspace))
|
||||
)
|
||||
if dirty_files:
|
||||
raise RuntimeError(
|
||||
author_mutation_worktree.format_workspace_repo_membership_error(
|
||||
membership
|
||||
nwb.format_namespace_workspace_binding_error(
|
||||
role_kind=role,
|
||||
workspace_path=workspace,
|
||||
binding_source=ctx.get("workspace_binding_source")
|
||||
or "unknown binding source",
|
||||
dirty_files=dirty_files,
|
||||
ignored_bindings=ctx.get("ignored_bindings"),
|
||||
)
|
||||
)
|
||||
|
||||
dirty_files = sorted(_parse_porcelain_entries(_get_workspace_porcelain(workspace)))
|
||||
if dirty_files:
|
||||
raise RuntimeError(
|
||||
nwb.format_namespace_workspace_binding_error(
|
||||
role_kind=role,
|
||||
workspace_path=workspace,
|
||||
binding_source=ctx.get("workspace_binding_source")
|
||||
or "unknown binding source",
|
||||
dirty_files=dirty_files,
|
||||
ignored_bindings=ctx.get("ignored_bindings"),
|
||||
)
|
||||
)
|
||||
else:
|
||||
if _preflight_whoami_violation:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Workspace file edits occurred before "
|
||||
f"gitea_whoami verification (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(_preflight_whoami_violation_files)}"
|
||||
)
|
||||
if _preflight_capability_violation:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Workspace file edits occurred before "
|
||||
f"gitea_resolve_task_capability verification (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(_preflight_capability_violation_files)}"
|
||||
)
|
||||
|
||||
if role in {"reviewer", "merger"}:
|
||||
current = _get_workspace_porcelain()
|
||||
baseline = _preflight_capability_baseline_porcelain or ""
|
||||
reviewer_delta = _new_tracked_changes_since(baseline, current)
|
||||
_preflight_reviewer_violation_files = reviewer_delta
|
||||
if reviewer_delta:
|
||||
else:
|
||||
if _preflight_whoami_violation:
|
||||
raise RuntimeError(
|
||||
f"{role.title()} role violation: profile is forbidden from modifying "
|
||||
"tracked workspace files (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(reviewer_delta)}"
|
||||
"Pre-flight order violation: Workspace file edits occurred before "
|
||||
f"gitea_whoami verification (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(_preflight_whoami_violation_files)}"
|
||||
)
|
||||
if _preflight_capability_violation:
|
||||
raise RuntimeError(
|
||||
"Pre-flight order violation: Workspace file edits occurred before "
|
||||
f"gitea_resolve_task_capability verification (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(_preflight_capability_violation_files)}"
|
||||
)
|
||||
|
||||
_enforce_root_checkout_guard(worktree_path)
|
||||
_enforce_branches_only_author_mutation(worktree_path)
|
||||
_clear_preflight_capability_state()
|
||||
if role in {"reviewer", "merger"}:
|
||||
current = _get_workspace_porcelain()
|
||||
baseline = _preflight_capability_baseline_porcelain or ""
|
||||
reviewer_delta = _new_tracked_changes_since(baseline, current)
|
||||
_preflight_reviewer_violation_files = reviewer_delta
|
||||
if reviewer_delta:
|
||||
raise RuntimeError(
|
||||
f"{role.title()} role violation: profile is forbidden from modifying "
|
||||
"tracked workspace files (fail closed). Offending files: "
|
||||
f"{_format_preflight_files(reviewer_delta)}"
|
||||
)
|
||||
|
||||
# Historical path: root + branches after purity-order when dirty paths live.
|
||||
_enforce_root_checkout_guard(worktree_path)
|
||||
_enforce_branches_only_author_mutation(worktree_path)
|
||||
_enforce_issue_scope_guard(
|
||||
worktree_path,
|
||||
task=task,
|
||||
target_issue_number=target_issue_number,
|
||||
require_author_lock=require_author_lock,
|
||||
)
|
||||
_clear_preflight_capability_state()
|
||||
return
|
||||
|
||||
# #683: under pytest unit isolation, FORCE_PRODUCTION_GUARDS still runs
|
||||
# production root + branches + issue scope (no silent no-op of guards).
|
||||
if production_active:
|
||||
_enforce_root_checkout_guard(worktree_path)
|
||||
_enforce_branches_only_author_mutation(worktree_path)
|
||||
_enforce_issue_scope_guard(
|
||||
worktree_path,
|
||||
task=task,
|
||||
target_issue_number=target_issue_number,
|
||||
require_author_lock=require_author_lock,
|
||||
)
|
||||
|
||||
|
||||
def _session_issue_lock_snapshot(
|
||||
workspace_path: str | None = None,
|
||||
) -> dict:
|
||||
"""Return session lock fields relevant to #683 scope enforcement.
|
||||
|
||||
Branch-vs-lock comparison uses the live workspace branch only when the
|
||||
lock's worktree matches the mutation workspace. That prevents a foreign
|
||||
or leftover session lock from poisoning unrelated test worktrees while
|
||||
still fail-closing when the bound worktree drifts to another issue.
|
||||
"""
|
||||
lock = issue_lock_store.read_session_issue_lock() or {}
|
||||
raw = lock.get("issue_number")
|
||||
locked: int | None
|
||||
try:
|
||||
locked = int(raw) if raw is not None else None
|
||||
except (TypeError, ValueError):
|
||||
locked = None
|
||||
lock_wt = (lock.get("worktree_path") or "").strip()
|
||||
workspace = (workspace_path or "").strip()
|
||||
worktrees_match = False
|
||||
if lock_wt and workspace:
|
||||
try:
|
||||
worktrees_match = os.path.realpath(lock_wt) == os.path.realpath(workspace)
|
||||
except OSError:
|
||||
worktrees_match = False
|
||||
return {
|
||||
"locked_issue_number": locked,
|
||||
"lock_branch_name": (lock.get("branch_name") or "").strip() or None,
|
||||
"lock_worktree_path": lock_wt or None,
|
||||
"worktrees_match": worktrees_match,
|
||||
}
|
||||
|
||||
|
||||
def _session_locked_issue_number() -> int | None:
|
||||
"""Return the active session issue lock number when present (#683)."""
|
||||
return _session_issue_lock_snapshot().get("locked_issue_number")
|
||||
|
||||
|
||||
def _enforce_issue_scope_guard(
|
||||
worktree_path: str | None = None,
|
||||
*,
|
||||
task: str | None = None,
|
||||
target_issue_number: int | None = None,
|
||||
require_author_lock: bool = False,
|
||||
) -> None:
|
||||
"""#683: fail closed on missing/out-of-scope issue ownership for mutations."""
|
||||
ctx = _resolve_namespace_mutation_context(worktree_path)
|
||||
workspace = ctx["workspace_path"]
|
||||
git_state = issue_lock_worktree.read_worktree_git_state(workspace)
|
||||
# Honour actual profile role as well as poisoned task role (#540 / #683):
|
||||
# comment_issue preflight stamps required_role_kind=author, which must not
|
||||
# strip a genuine reconciler of control-checkout exemptions.
|
||||
role = ctx.get("workspace_role_kind") or _effective_workspace_role()
|
||||
actual = _actual_profile_role()
|
||||
if actual in nwb.NON_AUTHOR_ROLES:
|
||||
role = actual
|
||||
snap = _session_issue_lock_snapshot(workspace)
|
||||
# Scope uses the lock's recorded branch for issue-number matching.
|
||||
# Live workspace branch can inherit the parent control checkout's branch
|
||||
# name when a temp branches/ dir is not its own worktree tip — that must
|
||||
# not invent a false out-of-scope failure. Live branch drift is enforced
|
||||
# by issue_lock_store.verify_lock_for_mutation elsewhere.
|
||||
branch_for_scope = snap.get("lock_branch_name")
|
||||
if (
|
||||
snap.get("worktrees_match")
|
||||
and workflow_scope_guard.production_guards_forced()
|
||||
):
|
||||
live_branch = git_state.get("current_branch")
|
||||
live_issue = workflow_scope_guard.extract_issue_number_from_branch(
|
||||
live_branch
|
||||
)
|
||||
locked = snap.get("locked_issue_number")
|
||||
if (
|
||||
live_issue is not None
|
||||
and locked is not None
|
||||
and live_issue != locked
|
||||
):
|
||||
branch_for_scope = live_branch
|
||||
# Author implementation / source-adjacent mutations need ownership when forced.
|
||||
authorish = role == "author" or (
|
||||
task
|
||||
in {
|
||||
"create_issue",
|
||||
"comment_issue",
|
||||
"lock_issue",
|
||||
"create_pr",
|
||||
"commit_files",
|
||||
"gitea_commit_files",
|
||||
"mark_issue",
|
||||
}
|
||||
)
|
||||
require_lock = bool(require_author_lock) or (
|
||||
authorish
|
||||
and workflow_scope_guard.production_guards_forced()
|
||||
and role == "author"
|
||||
)
|
||||
assessment = workflow_scope_guard.assess_production_mutation_guards(
|
||||
workspace_path=workspace,
|
||||
canonical_repo_root=ctx["canonical_repo_root"],
|
||||
porcelain_status=git_state.get("porcelain_status") or "",
|
||||
current_branch=branch_for_scope,
|
||||
locked_issue_number=snap.get("locked_issue_number"),
|
||||
target_issue_number=target_issue_number,
|
||||
role_kind=role,
|
||||
require_author_lock=require_lock,
|
||||
in_test_mode=_preflight_in_test_mode(),
|
||||
)
|
||||
workflow_scope_guard.raise_if_blocked(assessment)
|
||||
|
||||
|
||||
def _production_guard_block_from_exc(exc: BaseException, **extra) -> dict | None:
|
||||
"""Map production-guard exceptions to typed tool block responses (#683)."""
|
||||
if isinstance(exc, workflow_scope_guard.ProductionGuardError):
|
||||
return workflow_scope_guard.block_response(exc, **extra)
|
||||
text = str(exc)
|
||||
if "Workflow scope guard (#683)" in text or "Root checkout guard (#475)" in text:
|
||||
kind = workflow_scope_guard.BLOCKER_PRODUCTION_GUARD
|
||||
if "root_diagnostic_edit" in text or "tracked source or test edits" in text:
|
||||
kind = workflow_scope_guard.BLOCKER_ROOT_DIAGNOSTIC_EDIT
|
||||
elif "Branches-only mutation guard" in text or "stable control checkout" in text:
|
||||
kind = workflow_scope_guard.BLOCKER_MISSING_WORKTREE
|
||||
elif "out-of-scope" in text or "locked to issue" in text:
|
||||
kind = workflow_scope_guard.BLOCKER_OUT_OF_SCOPE_ISSUE
|
||||
elif "no owning issue" in text:
|
||||
kind = workflow_scope_guard.BLOCKER_MISSING_ISSUE_SCOPE
|
||||
return workflow_scope_guard.block_response(
|
||||
blocker_kind=kind,
|
||||
reasons=[text],
|
||||
**extra,
|
||||
)
|
||||
if "Branches-only mutation guard" in text:
|
||||
return workflow_scope_guard.block_response(
|
||||
blocker_kind=workflow_scope_guard.BLOCKER_MISSING_WORKTREE,
|
||||
reasons=[text],
|
||||
**extra,
|
||||
)
|
||||
if "Root checkout guard" in text:
|
||||
return workflow_scope_guard.block_response(
|
||||
blocker_kind=workflow_scope_guard.BLOCKER_ROOT_DIAGNOSTIC_EDIT,
|
||||
reasons=[text],
|
||||
**extra,
|
||||
)
|
||||
return None
|
||||
|
||||
|
||||
def _verify_role_mutation_workspace(
|
||||
@@ -723,7 +906,13 @@ def _verify_role_mutation_workspace(
|
||||
worktree: str | None = None,
|
||||
task: str | None = None,
|
||||
) -> str:
|
||||
"""Bind reviewer/merger mutations to the active namespace workspace (#510)."""
|
||||
"""Bind reviewer/merger mutations to the active namespace workspace (#510).
|
||||
|
||||
#683: must NOT early-return solely because pytest/unittest is loaded.
|
||||
Production workspace binding always runs; test isolation uses explicit
|
||||
env fixtures / force-on flags, never a production short-circuit here.
|
||||
"""
|
||||
|
||||
# Check running runtimes to prevent stale mutations
|
||||
try:
|
||||
if "PYTEST_CURRENT_TEST" not in os.environ or "GITEA_FORCE_MCP_RUNTIME_CHECK" in os.environ:
|
||||
@@ -809,6 +998,80 @@ def _enforce_root_checkout_guard(worktree_path: str | None = None) -> None:
|
||||
raise RuntimeError(root_checkout_guard.format_root_checkout_guard_error(assessment))
|
||||
|
||||
|
||||
# ── stable-branch push contamination (#671) ──────────────────────────────────
|
||||
# A worker session that attempts a direct stable-branch push (or a
|
||||
# root-checkout local commit) is workflow-contaminated. The marker is durable
|
||||
# (survives daemon process pools like the other session proofs) and keyed per
|
||||
# profile identity. It fails closed on gated mutations until a reconciler
|
||||
# audits and clears it.
|
||||
|
||||
def _stable_contamination_profile_identity() -> str:
|
||||
return mcp_session_state.current_profile_identity(
|
||||
profile_name=get_profile().get("profile_name"),
|
||||
)
|
||||
|
||||
|
||||
def _load_stable_contamination_marker(remote: str | None = None) -> dict | None:
|
||||
return mcp_session_state.load_state(
|
||||
kind=mcp_session_state.KIND_STABLE_BRANCH_CONTAMINATION,
|
||||
remote=remote,
|
||||
profile_identity=_stable_contamination_profile_identity(),
|
||||
)
|
||||
|
||||
|
||||
def _save_stable_contamination_marker(
|
||||
record: dict,
|
||||
*,
|
||||
remote: str | None = None,
|
||||
) -> dict | None:
|
||||
return mcp_session_state.save_state(
|
||||
kind=mcp_session_state.KIND_STABLE_BRANCH_CONTAMINATION,
|
||||
payload=record,
|
||||
remote=remote,
|
||||
profile_identity=_stable_contamination_profile_identity(),
|
||||
)
|
||||
|
||||
|
||||
def _clear_stable_contamination_marker(
|
||||
*,
|
||||
remote: str | None = None,
|
||||
profile_identity: str | None = None,
|
||||
) -> None:
|
||||
mcp_session_state.clear_state(
|
||||
kind=mcp_session_state.KIND_STABLE_BRANCH_CONTAMINATION,
|
||||
remote=remote,
|
||||
profile_identity=profile_identity or _stable_contamination_profile_identity(),
|
||||
)
|
||||
|
||||
|
||||
def _enforce_stable_branch_contamination_gate(
|
||||
task: str | None,
|
||||
remote: str | None = None,
|
||||
) -> None:
|
||||
"""#671 AC4: fail closed on gated mutations while contaminated.
|
||||
|
||||
Reconciler role is exempt (the sanctioned audit/clear path). Non-gated
|
||||
tasks (comment_issue, lock_issue) stay allowed so a contaminated worker can
|
||||
still post the durable audit comment and hand off.
|
||||
"""
|
||||
if _preflight_in_test_mode() and not os.environ.get(
|
||||
"GITEA_TEST_FORCE_STABLE_CONTAMINATION"
|
||||
):
|
||||
return
|
||||
marker = _load_stable_contamination_marker(remote)
|
||||
if not marker:
|
||||
return
|
||||
gate = stable_branch_push_guard.assess_contamination_gate(
|
||||
marker,
|
||||
task=task,
|
||||
actual_role=_actual_profile_role(),
|
||||
)
|
||||
if gate["block"]:
|
||||
raise RuntimeError(
|
||||
stable_branch_push_guard.format_contamination_gate_error(gate)
|
||||
)
|
||||
|
||||
|
||||
from mcp.server.fastmcp import FastMCP # noqa: E402
|
||||
|
||||
from gitea_auth import ( # noqa: E402
|
||||
@@ -849,6 +1112,8 @@ import merge_approval_gate # noqa: E402
|
||||
import already_landed_reconcile # noqa: E402
|
||||
import author_mutation_worktree # noqa: E402
|
||||
import root_checkout_guard # noqa: E402
|
||||
import workflow_scope_guard # noqa: E402 # #683 production scope / force-on guards
|
||||
import stable_branch_push_guard # noqa: E402
|
||||
import remote_repo_guard # noqa: E402
|
||||
import issue_claim_heartbeat # noqa: E402
|
||||
import issue_work_duplicate_gate # noqa: E402
|
||||
@@ -1816,7 +2081,15 @@ def gitea_create_issue(
|
||||
)
|
||||
if blocked:
|
||||
return blocked
|
||||
verify_preflight_purity(remote, worktree_path=worktree_path, task="create_issue")
|
||||
try:
|
||||
verify_preflight_purity(
|
||||
remote, worktree_path=worktree_path, task="create_issue"
|
||||
)
|
||||
except Exception as exc:
|
||||
typed = _production_guard_block_from_exc(exc, number=None)
|
||||
if typed is not None:
|
||||
return typed
|
||||
raise
|
||||
content_gate = issue_content_gate.pre_create_issue_content_gate(
|
||||
title,
|
||||
body,
|
||||
@@ -8087,9 +8360,26 @@ def gitea_create_issue_comment(
|
||||
with the reveal opt-in); on a permission block or empty body,
|
||||
'success'/'performed' False and 'reasons' with no API call made
|
||||
(permission blocks also carry a structured 'permission_report',
|
||||
#142).
|
||||
#142). On production-guard blocks (#683): 'blocker_kind' and
|
||||
'exact_next_action' with no API side effect.
|
||||
"""
|
||||
verify_preflight_purity(remote, worktree_path=worktree_path, task="comment_issue")
|
||||
try:
|
||||
# Do not pass target_issue_number: comments on other issues remain
|
||||
# allowed while an author holds a different implementation lock.
|
||||
# Scope ownership for source edits is enforced via branch/worktree
|
||||
# binding + root diagnostic checks (#683).
|
||||
verify_preflight_purity(
|
||||
remote,
|
||||
worktree_path=worktree_path,
|
||||
task="comment_issue",
|
||||
)
|
||||
except Exception as exc:
|
||||
typed = _production_guard_block_from_exc(
|
||||
exc, issue_number=issue_number
|
||||
)
|
||||
if typed is not None:
|
||||
return typed
|
||||
raise
|
||||
gate_reasons = _profile_operation_gate("gitea.issue.comment")
|
||||
reasons = list(gate_reasons)
|
||||
if not (body or "").strip():
|
||||
@@ -9273,6 +9563,160 @@ def gitea_diagnose_terminal(
|
||||
}
|
||||
|
||||
|
||||
@mcp.tool()
|
||||
def gitea_record_stable_branch_push_attempt(
|
||||
command: str | None = None,
|
||||
remote: str = "dadeschools",
|
||||
ref: str | None = None,
|
||||
session_id: str | None = None,
|
||||
mark: bool = True,
|
||||
current_branch: str | None = None,
|
||||
head_sha: str | None = None,
|
||||
remote_master_sha: str | None = None,
|
||||
is_under_branches: bool | None = None,
|
||||
ahead_count: int | None = None,
|
||||
) -> dict:
|
||||
"""Classify a proposed command for direct stable-branch push intent (#671).
|
||||
|
||||
Worker sessions must never publish stable branches (``master``/``main``/
|
||||
``dev``/...) directly. This tool detects ``git push <remote> master``
|
||||
equivalents (refspecs, ``HEAD:master``, ``--force``, ``--dry-run`` no-op
|
||||
intent, ``:master`` delete) and — separately — a root/control-checkout
|
||||
local commit not carried by an issue feature branch.
|
||||
|
||||
When ``mark`` is true and contamination is detected, a durable
|
||||
``stable_branch_contamination`` marker is written for the active profile
|
||||
identity. Subsequent review/merge/close/completion mutations then fail
|
||||
closed (via the pre-flight gate) until a reconciler audits and clears it.
|
||||
The stored command summary is redacted; secrets never persist.
|
||||
|
||||
Read-only when nothing is detected (or ``mark`` is false). Returns the
|
||||
classification, any root-checkout assessment, and the marker state.
|
||||
"""
|
||||
classification = stable_branch_push_guard.classify_push_command(command)
|
||||
|
||||
root_checkout = None
|
||||
if any(v is not None for v in (current_branch, head_sha, remote_master_sha,
|
||||
is_under_branches, ahead_count)):
|
||||
root_checkout = stable_branch_push_guard.assess_root_checkout_local_commit(
|
||||
current_branch=current_branch,
|
||||
head_sha=head_sha,
|
||||
remote_master_sha=remote_master_sha,
|
||||
is_under_branches=bool(is_under_branches),
|
||||
ahead_count=ahead_count,
|
||||
)
|
||||
|
||||
push_contam = bool(classification.get("contamination"))
|
||||
root_contam = bool(root_checkout and root_checkout.get("contamination"))
|
||||
contaminated = push_contam or root_contam
|
||||
|
||||
marker = None
|
||||
marked = False
|
||||
if contaminated and mark:
|
||||
if push_contam:
|
||||
reason_class = "stable_branch_push"
|
||||
command_redacted = classification.get("redacted_command")
|
||||
detail = "; ".join(classification.get("reasons") or [])
|
||||
resolved_ref = ref or (
|
||||
(classification.get("stable_refs") or [None])[0]
|
||||
)
|
||||
else:
|
||||
reason_class = "root_checkout_commit"
|
||||
command_redacted = None
|
||||
detail = "; ".join(root_checkout.get("reasons") or [])
|
||||
resolved_ref = ref or root_checkout.get("current_branch")
|
||||
record = stable_branch_push_guard.build_contamination_record(
|
||||
reason_class=reason_class,
|
||||
command_redacted=command_redacted,
|
||||
session_id=session_id,
|
||||
remote=remote,
|
||||
ref=resolved_ref,
|
||||
role=_actual_profile_role(),
|
||||
detail=detail,
|
||||
)
|
||||
marker = _save_stable_contamination_marker(record, remote=remote)
|
||||
marked = marker is not None
|
||||
|
||||
return {
|
||||
"classification": classification,
|
||||
"root_checkout": root_checkout,
|
||||
"contaminated": contaminated,
|
||||
"marked": marked,
|
||||
"marker": marker,
|
||||
"profile_identity": _stable_contamination_profile_identity(),
|
||||
"remediation": stable_branch_push_guard.REMEDIATION if contaminated else None,
|
||||
}
|
||||
|
||||
|
||||
@mcp.tool()
|
||||
def gitea_audit_stable_branch_contamination(
|
||||
action: str = "inspect",
|
||||
remote: str = "dadeschools",
|
||||
profile_identity: str | None = None,
|
||||
) -> dict:
|
||||
"""Reconciler audit of a stable-branch contamination marker (#671).
|
||||
|
||||
``action='inspect'`` (default, read-only) loads the durable marker for the
|
||||
given ``profile_identity`` (or the active session's) and reports it.
|
||||
|
||||
``action='clear'`` removes the marker so the contaminated session may
|
||||
resume gated mutations. Clearing is the reconciler audit path and requires
|
||||
an active reconciler profile — a worker session must never self-clear
|
||||
(#671 security requirement). ``profile_identity`` targets the contaminated
|
||||
worker's marker (a reconciler runs under its own identity).
|
||||
"""
|
||||
act = (action or "inspect").strip().lower()
|
||||
target_identity = (profile_identity or "").strip() or _stable_contamination_profile_identity()
|
||||
|
||||
marker = mcp_session_state.load_state(
|
||||
kind=mcp_session_state.KIND_STABLE_BRANCH_CONTAMINATION,
|
||||
remote=remote,
|
||||
profile_identity=target_identity,
|
||||
)
|
||||
|
||||
if act == "inspect":
|
||||
return {
|
||||
"action": "inspect",
|
||||
"profile_identity": target_identity,
|
||||
"contaminated": marker is not None,
|
||||
"marker": marker,
|
||||
"read_only": True,
|
||||
}
|
||||
|
||||
if act == "clear":
|
||||
role = _actual_profile_role()
|
||||
if role != "reconciler":
|
||||
return {
|
||||
"action": "clear",
|
||||
"success": False,
|
||||
"performed": False,
|
||||
"profile_identity": target_identity,
|
||||
"reasons": [
|
||||
"stable-branch contamination may only be cleared by a "
|
||||
f"reconciler audit; active role is '{role}' (fail closed). "
|
||||
"The contaminated worker session must not self-clear."
|
||||
],
|
||||
}
|
||||
_clear_stable_contamination_marker(
|
||||
remote=remote,
|
||||
profile_identity=target_identity,
|
||||
)
|
||||
return {
|
||||
"action": "clear",
|
||||
"success": True,
|
||||
"performed": True,
|
||||
"profile_identity": target_identity,
|
||||
"was_contaminated": marker is not None,
|
||||
}
|
||||
|
||||
return {
|
||||
"action": act,
|
||||
"success": False,
|
||||
"performed": False,
|
||||
"reasons": [f"unknown action '{act}'; use 'inspect' or 'clear'"],
|
||||
}
|
||||
|
||||
|
||||
@mcp.tool()
|
||||
def gitea_validate_review_final_report(
|
||||
report_text: str,
|
||||
|
||||
@@ -29,6 +29,11 @@ class UnsanctionedRuntimeError(RuntimeError):
|
||||
|
||||
|
||||
def is_pytest_runtime() -> bool:
|
||||
if os.environ.get("GITEA_TEST_FORCE_UNSANCTIONED") == "1":
|
||||
return False
|
||||
import sys
|
||||
if "pytest" in sys.modules:
|
||||
return True
|
||||
return bool((os.environ.get("PYTEST_CURRENT_TEST") or "").strip())
|
||||
|
||||
|
||||
|
||||
+2
-1
@@ -6,7 +6,8 @@ Runs over stdio. All tools authenticate via macOS keychain (git credential fill)
|
||||
import os
|
||||
import sys
|
||||
|
||||
sys.stderr = open("/tmp/mcp_server_stderr.log", "a", buffering=1)
|
||||
if "PYTEST_CURRENT_TEST" not in os.environ:
|
||||
sys.stderr = open("/tmp/mcp_server_stderr.log", "a", buffering=1)
|
||||
sys.stderr.write(f"\n--- MCP SERVER STARTUP (PID {os.getpid()}) ---\n")
|
||||
|
||||
from role_session_router import (
|
||||
|
||||
@@ -31,6 +31,11 @@ DEFAULT_TTL_HOURS = 4.0
|
||||
KIND_WORKFLOW_LOAD = "review_workflow_load"
|
||||
KIND_DECISION_LOCK = "review_decision_lock"
|
||||
KIND_REVIEW_DRAFT = "review_draft"
|
||||
# Durable marker set when a worker session attempts a direct stable-branch push
|
||||
# or a root-checkout local commit (#671). Keyed per profile identity like the
|
||||
# other session proofs; a contaminated session fails closed on gated mutations
|
||||
# until a reconciler audits and clears it.
|
||||
KIND_STABLE_BRANCH_CONTAMINATION = "stable_branch_contamination"
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -27,6 +27,20 @@ _READONLY_REVIEWER_GIT = re.compile(
|
||||
_GIT_INVOCATION = re.compile(r"\bgit\b", re.IGNORECASE)
|
||||
|
||||
|
||||
# #673: Canonical pattern for identifying review worktrees under branches/.
|
||||
REVIEW_WORKTREE_RE = re.compile(
|
||||
r"branches/(?:review-pr\d+[\w/-]*|merge-simulation-pr\d+|review-[\w-]+)",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
|
||||
|
||||
def is_review_worktree_path(path: str) -> bool:
|
||||
"""True when the path belongs to a reviewer or simulation worktree."""
|
||||
normalized = (path or "").replace("\\", "/")
|
||||
return bool(REVIEW_WORKTREE_RE.search(normalized))
|
||||
|
||||
|
||||
|
||||
def parse_dirty_tracked_files(porcelain: str) -> list[str]:
|
||||
"""Return tracked paths with local modifications from ``git status --porcelain``.
|
||||
|
||||
|
||||
@@ -5,10 +5,9 @@ from __future__ import annotations
|
||||
import re
|
||||
from typing import Any
|
||||
|
||||
_SESSION_OWNED_RE = re.compile(
|
||||
r"branches/(?:review-pr\d+[\w/-]*|review-[\w-]+)",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
from reviewer_worktree import REVIEW_WORKTREE_RE
|
||||
|
||||
_SESSION_OWNED_RE = REVIEW_WORKTREE_RE
|
||||
_WORKTREE_PATH_RE = re.compile(
|
||||
r"(?:review worktree path|worktree path|session-owned worktree)\s*:\s*(\S+)",
|
||||
re.IGNORECASE,
|
||||
|
||||
@@ -32,6 +32,15 @@ workflow file.
|
||||
mutation.
|
||||
- A nearby capability does not count.
|
||||
- Do not self-review or self-merge.
|
||||
- **Never push a stable branch directly.** Worker sessions (author/reviewer/merger)
|
||||
must never run `git push <remote> master` — or `main`/`dev`/other stable refs,
|
||||
including refspecs (`HEAD:master`), `--force`, `--delete`, or `--dry-run` no-op
|
||||
probes — and must never commit on the root/control checkout outside an issue
|
||||
feature branch. Stable-branch updates land ONLY through sanctioned Gitea merge
|
||||
tooling (`gitea_merge_pr`) or an explicitly authorized reconciler path. A
|
||||
detected attempt marks the session workflow-contaminated (#671) and fails
|
||||
closed on review/merge/close/completion until a reconciler audits and clears
|
||||
it. `git fetch` / `git pull --ff-only` and feature-branch pushes stay allowed.
|
||||
- Do not mix modes in one run.
|
||||
- **BLOCKED + DIAGNOSE default rule (required):** If any required workflow step, skill, tool, capability, preflight, instruction, profile, worktree binding, or terminal/MCP operation cannot be performed or loaded (including the canonical ones listed in this skill and its loaded workflow), immediately enter `BLOCKED + DIAGNOSE`. Stop before any git or Gitea mutation. Diagnose using the standard template in [`templates/blocked-diagnose-report.md`](templates/blocked-diagnose-report.md). Attempt *only* safe non-mutating recovery. Report using the template. Do not continue, use fallbacks, or treat the missing requirement as harmless.
|
||||
- If the required workflow cannot be loaded, stop and produce a recovery handoff
|
||||
@@ -48,6 +57,11 @@ workflow file.
|
||||
- wrong profile or role for the requested operation
|
||||
- dirty or misbound worktree (root checkout or non-branches/ path)
|
||||
- root checkout mutation risk
|
||||
- stable-branch push contamination (#671): a direct `git push <remote> master`
|
||||
(or `main`/`dev`) equivalent, or a root/control-checkout commit not on an issue
|
||||
feature branch, marks the session workflow-contaminated; review/merge/close/
|
||||
completion mutations then fail closed until a reconciler audits and clears it
|
||||
(`gitea_audit_stable_branch_contamination action=clear`, reconciler-only)
|
||||
- mutation guard failure (e.g. branches-only guard)
|
||||
- missing required MCP tool/schema or operation
|
||||
- stale or inconsistent runtime state (e.g. lease vs actual, dirty state disagreement)
|
||||
@@ -118,6 +132,42 @@ The main project checkout is a stable control checkout on `master`, `main`, or
|
||||
If `cwd` is not inside `branches/`, stop before any file edit, test write,
|
||||
commit, merge, rebase, or cleanup. The main checkout is orchestration-only.
|
||||
|
||||
## Stable Branch Push Protection (#671)
|
||||
|
||||
Worker sessions must **never** publish a stable branch directly. This is the
|
||||
prevention hardening for the #670 incident (a bare direct-to-master commit
|
||||
`2fa97c26` and a PR #654 merger `git push prgs master` attempt).
|
||||
|
||||
**Forbidden for author/reviewer/merger sessions:**
|
||||
|
||||
- `git push <remote> master` (and `main`, `dev`, `develop`, `development`),
|
||||
including refspecs (`HEAD:master`, `+refs/heads/x:refs/heads/master`),
|
||||
`--force`, `--delete` / `:master`, and `--dry-run`/`-n` no-op probes (a
|
||||
dry-run still proves intent and contaminates the session).
|
||||
- Local commits on the root/control checkout that are not carried by an issue
|
||||
feature branch under `branches/`.
|
||||
|
||||
**Allowed (never blocked):**
|
||||
|
||||
- `git fetch` and `git pull --ff-only` of master into the control checkout when
|
||||
authorized for sync.
|
||||
- Feature-branch pushes to non-stable refs (`git push <remote> fix/issue-N-...`).
|
||||
- Sanctioned merges via `gitea_merge_pr` / the Gitea API merge endpoint — the
|
||||
**only** way stable branches advance.
|
||||
|
||||
**What happens on a detected attempt:** the session is marked
|
||||
workflow-contaminated (durable `stable_branch_contamination` marker, redacted
|
||||
command summary + session id + remote + ref). While contaminated, all
|
||||
review / merge / close / issue-completion mutations fail closed. `comment_issue`
|
||||
and `lock_issue` remain allowed so the contaminated worker can post the durable
|
||||
audit comment and hand off. Contamination **cannot be self-cleared** — only a
|
||||
reconciler audit (`gitea_audit_stable_branch_contamination action=clear`) may
|
||||
clear it.
|
||||
|
||||
Tooling: call `gitea_record_stable_branch_push_attempt` to classify/record a
|
||||
proposed push before running it; `gitea_audit_stable_branch_contamination` to
|
||||
inspect or (reconciler-only) clear the marker.
|
||||
|
||||
## Shell Spawn Hard-Stop Rule
|
||||
|
||||
`exit_code: -1` with empty stdout/stderr means the shell failed to spawn — not a
|
||||
|
||||
@@ -0,0 +1,478 @@
|
||||
"""Fail-closed guard against direct pushes to stable branches (#671).
|
||||
|
||||
MCP workflow sessions must never publish to a stable branch (``master``,
|
||||
``main``, ``dev``, ...) directly. Stable-branch updates land only through
|
||||
sanctioned Gitea merge tooling or an explicitly authorized reconciler path.
|
||||
|
||||
Incident origin (#670): a bare direct-to-master commit ``2fa97c26`` landed on
|
||||
``prgs/master`` without PR/review provenance, and a PR #654 merger run
|
||||
attempted ``git push prgs master`` (audited as a no-op, but the *intent* is the
|
||||
hazard). Partial protections already existed (``author_proofs.PROTECTED_BRANCHES``,
|
||||
``root_checkout_guard``, branch-push proofs) but did not detect shell push
|
||||
equivalents, mark the session contaminated after such an attempt, or fail
|
||||
closed on subsequent review/merge/close/completion mutations.
|
||||
|
||||
This module is the detection + contamination-policy core. Like
|
||||
``author_proofs`` and ``root_checkout_guard`` it is **pure**: callers gather
|
||||
the raw facts (the proposed command line, git state, the durable contamination
|
||||
marker) and pass them in, so the same logic serves prompts, MCP gates, and
|
||||
tests. Nothing here performs git or network calls or reads durable state; the
|
||||
server wires these helpers to ``mcp_session_state`` and ``verify_preflight_purity``.
|
||||
|
||||
Design rules honoured (from the #671 acceptance criteria):
|
||||
|
||||
* Detect ``git push <remote> master`` shell equivalents, including refspecs
|
||||
(``HEAD:master``, ``+refs/heads/x:refs/heads/master``), ``--force``,
|
||||
``--dry-run``/no-op intent, and delete refspecs (``:master``).
|
||||
* Never false-block a feature-branch push (``git push prgs fix/issue-671-...``).
|
||||
* Never treat ``git fetch`` / ``git pull --ff-only`` as a push.
|
||||
* Never treat sanctioned ``gitea_merge_pr`` / Gitea API merge as a push.
|
||||
* Fail closed on ambiguous targets that *may* resolve to a stable branch, but
|
||||
surface ambiguity as its own signal rather than silently blocking feature work.
|
||||
* Contamination must not be clearable by the same worker session — only a
|
||||
reconciler (audit) role may clear or bypass the gate.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import re
|
||||
from typing import Any, Iterable
|
||||
|
||||
from author_proofs import PROTECTED_BRANCHES
|
||||
|
||||
# Single source of truth for the stable branch set: the same protected set the
|
||||
# author branch-identity proofs already enforce (#177), so the two guards can
|
||||
# never drift apart.
|
||||
STABLE_BRANCHES = PROTECTED_BRANCHES
|
||||
|
||||
# Mutations that must fail closed once the session is contaminated by a direct
|
||||
# stable-branch push attempt (#671 AC4: review, merge, close, completion).
|
||||
# ``comment_issue`` / ``lock_issue`` / ``create_issue`` are deliberately NOT
|
||||
# gated so a contaminated worker can still post the durable audit comment and
|
||||
# hand off. Only a reconciler (audit) role bypasses this set.
|
||||
CONTAMINATION_GATED_TASKS = frozenset({
|
||||
"create_pr",
|
||||
"commit_files",
|
||||
"gitea_commit_files",
|
||||
"close_pr",
|
||||
"close_issue",
|
||||
"review_pr",
|
||||
"approve_pr",
|
||||
"request_changes_pr",
|
||||
"submit_pr_review",
|
||||
"merge_pr",
|
||||
"delete_branch",
|
||||
"complete_issue",
|
||||
})
|
||||
|
||||
CONTAMINATION_KIND = "stable_branch_push"
|
||||
|
||||
REMEDIATION = (
|
||||
"Direct stable-branch publication is forbidden for worker sessions. Stop, "
|
||||
"leave the stable branch untouched, and route the change through sanctioned "
|
||||
"Gitea merge tooling (gitea_merge_pr) or an explicitly authorized reconciler "
|
||||
"audit. This session is workflow-contaminated until a reconciler audits it."
|
||||
)
|
||||
|
||||
# ── command tokenising ────────────────────────────────────────────────────────
|
||||
|
||||
# Split a compound command line into individual simple commands on shell
|
||||
# separators so ``a && git push prgs master`` is analysed segment by segment.
|
||||
_SEGMENT_SPLIT_RE = re.compile(r"(?:\|\||&&|\||;|\n)")
|
||||
|
||||
_GIT_PUSH_RE = re.compile(r"\bgit\b[\w\s\-]*?\bpush\b", re.IGNORECASE)
|
||||
_GIT_FETCH_RE = re.compile(r"\bgit\b[\w\s\-]*?\b(?:fetch|pull)\b", re.IGNORECASE)
|
||||
|
||||
# Flags that take a value argument in ``git push`` (so the following token is
|
||||
# consumed as the flag's value, not a refspec).
|
||||
_VALUE_FLAGS = frozenset({
|
||||
"--repo",
|
||||
"-o",
|
||||
"--push-option",
|
||||
"--receive-pack",
|
||||
"--exec",
|
||||
})
|
||||
|
||||
_FORCE_FLAGS = frozenset({"-f", "--force"})
|
||||
_DRY_RUN_FLAGS = frozenset({"-n", "--dry-run"})
|
||||
_DELETE_FLAGS = frozenset({"-d", "--delete"})
|
||||
|
||||
|
||||
def _clean(value: str | None) -> str:
|
||||
return (value or "").strip()
|
||||
|
||||
|
||||
def _strip_ref_prefix(ref: str) -> str:
|
||||
ref = ref.strip()
|
||||
for prefix in ("refs/heads/", "heads/"):
|
||||
if ref.startswith(prefix):
|
||||
return ref[len(prefix):]
|
||||
return ref
|
||||
|
||||
|
||||
def is_stable_ref(ref: str | None) -> bool:
|
||||
"""True when ``ref`` names a configured stable branch."""
|
||||
name = _strip_ref_prefix(_clean(ref))
|
||||
return bool(name) and name in STABLE_BRANCHES
|
||||
|
||||
|
||||
# ── redaction ─────────────────────────────────────────────────────────────────
|
||||
|
||||
_URL_USERINFO_RE = re.compile(r"(https?://)[^/\s:@]+(?::[^/\s@]+)?@", re.IGNORECASE)
|
||||
_SECRET_ASSIGN_RE = re.compile(
|
||||
r"\b((?:GITEA_)?(?:TOKEN|PASSWORD|PASS|PAT|SECRET|API_KEY|AUTH))\s*=\s*\S+",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
_BEARER_RE = re.compile(r"\b(Bearer|token)\s+[A-Za-z0-9._\-]{8,}", re.IGNORECASE)
|
||||
|
||||
|
||||
def redact_command(command: str | None) -> str:
|
||||
"""Strip credentials/URLs from a command line before logging it (#671).
|
||||
|
||||
Redacts URL userinfo (``https://user:tok@host`` → ``https://***@host``),
|
||||
``TOKEN=...`` style assignments, and bearer/token headers. Leaves the
|
||||
structural parts (``git push <remote> master``) intact for audit value.
|
||||
"""
|
||||
text = _clean(command)
|
||||
if not text:
|
||||
return ""
|
||||
text = _URL_USERINFO_RE.sub(r"\1***@", text)
|
||||
text = _SECRET_ASSIGN_RE.sub(lambda m: f"{m.group(1)}=***", text)
|
||||
text = _BEARER_RE.sub(lambda m: f"{m.group(1)} ***", text)
|
||||
return text
|
||||
|
||||
|
||||
# ── push classification ───────────────────────────────────────────────────────
|
||||
|
||||
def _analyse_push_segment(segment: str) -> dict[str, Any]:
|
||||
"""Classify one ``git push ...`` command segment."""
|
||||
tokens = segment.split()
|
||||
# Drop everything up to and including the ``push`` verb.
|
||||
try:
|
||||
push_idx = next(
|
||||
i for i, tok in enumerate(tokens)
|
||||
if tok.lower() == "push"
|
||||
)
|
||||
except StopIteration:
|
||||
push_idx = -1
|
||||
args = tokens[push_idx + 1:] if push_idx >= 0 else []
|
||||
|
||||
is_force = False
|
||||
is_dry_run = False
|
||||
is_delete = False
|
||||
positionals: list[str] = []
|
||||
|
||||
skip_next = False
|
||||
for tok in args:
|
||||
if skip_next:
|
||||
skip_next = False
|
||||
continue
|
||||
if tok in _FORCE_FLAGS or tok.startswith("--force-with-lease") or tok.startswith("--force-if-includes"):
|
||||
is_force = True
|
||||
continue
|
||||
if tok in _DRY_RUN_FLAGS:
|
||||
is_dry_run = True
|
||||
continue
|
||||
if tok in _DELETE_FLAGS:
|
||||
is_delete = True
|
||||
continue
|
||||
if tok in _VALUE_FLAGS:
|
||||
skip_next = True
|
||||
continue
|
||||
if tok.startswith("--") and "=" in tok:
|
||||
# e.g. --repo=... : self-contained, not a refspec.
|
||||
continue
|
||||
if tok.startswith("-"):
|
||||
# Unknown/combined short flag; ignore for ref detection.
|
||||
continue
|
||||
positionals.append(tok)
|
||||
|
||||
# First positional after push is the remote (when any positional exists);
|
||||
# the rest are refspecs / branch names.
|
||||
remote = positionals[0] if positionals else None
|
||||
refspecs = positionals[1:]
|
||||
|
||||
stable_refs: list[str] = []
|
||||
force_to_stable = False
|
||||
delete_stable = False
|
||||
for spec in refspecs:
|
||||
force_spec = spec.startswith("+")
|
||||
body = spec[1:] if force_spec else spec
|
||||
if ":" in body:
|
||||
src, _, dst = body.partition(":")
|
||||
dest = dst
|
||||
if src == "" and dst:
|
||||
# ``:master`` — delete refspec.
|
||||
is_delete = True
|
||||
else:
|
||||
dest = body
|
||||
if is_stable_ref(dest):
|
||||
stable_refs.append(_strip_ref_prefix(dest))
|
||||
if force_spec or is_force:
|
||||
force_to_stable = True
|
||||
if is_delete:
|
||||
delete_stable = True
|
||||
|
||||
targets_stable = bool(stable_refs)
|
||||
# Ambiguous: ``git push <remote>`` (or bare ``git push``) with no refspec —
|
||||
# resolves to the current branch's upstream, which we cannot see from the
|
||||
# command alone. Flag it, but do not assert stable (would false-block
|
||||
# feature-branch pushes).
|
||||
ambiguous = not refspecs
|
||||
|
||||
return {
|
||||
"is_git_push": True,
|
||||
"remote": remote,
|
||||
"refspecs": refspecs,
|
||||
"targets_stable": targets_stable,
|
||||
"stable_refs": stable_refs,
|
||||
"is_force": is_force or force_to_stable,
|
||||
"is_dry_run": is_dry_run,
|
||||
"is_delete": is_delete or delete_stable,
|
||||
"ambiguous_target": ambiguous,
|
||||
}
|
||||
|
||||
|
||||
def classify_push_command(command: str | None) -> dict[str, Any]:
|
||||
"""Classify a shell command line for direct stable-branch push intent (#671).
|
||||
|
||||
Returns a dict describing whether the command is a ``git push`` targeting a
|
||||
stable branch. Fetch/pull are never pushes. A sanctioned Gitea merge (which
|
||||
is not a ``git push`` at all) classifies as non-push. Dry-run and no-op
|
||||
pushes still count as *intent* and are reported as contamination
|
||||
(``proves_intent``) so a ``--dry-run`` cannot be used to probe the gate.
|
||||
"""
|
||||
text = _clean(command)
|
||||
result: dict[str, Any] = {
|
||||
"command": text,
|
||||
"redacted_command": redact_command(text),
|
||||
"is_git_push": False,
|
||||
"is_fetch_or_pull": False,
|
||||
"targets_stable": False,
|
||||
"stable_refs": [],
|
||||
"is_force": False,
|
||||
"is_dry_run": False,
|
||||
"is_delete": False,
|
||||
"ambiguous_target": False,
|
||||
"contamination": False,
|
||||
"proves_intent": False,
|
||||
"reasons": [],
|
||||
}
|
||||
if not text:
|
||||
return result
|
||||
|
||||
stable_refs: list[str] = []
|
||||
saw_push = False
|
||||
for segment in _SEGMENT_SPLIT_RE.split(text):
|
||||
seg = segment.strip()
|
||||
if not seg:
|
||||
continue
|
||||
if _GIT_FETCH_RE.search(seg) and not _GIT_PUSH_RE.search(seg):
|
||||
result["is_fetch_or_pull"] = True
|
||||
continue
|
||||
if not _GIT_PUSH_RE.search(seg):
|
||||
continue
|
||||
saw_push = True
|
||||
analysis = _analyse_push_segment(seg)
|
||||
result["is_git_push"] = True
|
||||
result["is_force"] = result["is_force"] or analysis["is_force"]
|
||||
result["is_dry_run"] = result["is_dry_run"] or analysis["is_dry_run"]
|
||||
result["is_delete"] = result["is_delete"] or analysis["is_delete"]
|
||||
result["ambiguous_target"] = result["ambiguous_target"] or analysis["ambiguous_target"]
|
||||
stable_refs.extend(analysis["stable_refs"])
|
||||
|
||||
result["stable_refs"] = sorted(set(stable_refs))
|
||||
result["targets_stable"] = bool(stable_refs)
|
||||
|
||||
reasons: list[str] = []
|
||||
if result["targets_stable"]:
|
||||
refs = ", ".join(result["stable_refs"])
|
||||
verb = "delete" if result["is_delete"] else ("force-push" if result["is_force"] else "push")
|
||||
qualifier = " (dry-run/no-op still proves intent)" if result["is_dry_run"] else ""
|
||||
reasons.append(
|
||||
f"direct stable-branch {verb} detected targeting: {refs}{qualifier}; "
|
||||
"worker sessions must never publish stable branches directly"
|
||||
)
|
||||
result["contamination"] = True
|
||||
result["proves_intent"] = True
|
||||
elif saw_push and result["ambiguous_target"]:
|
||||
# Bare ``git push`` with no refspec: ambiguous. Report, but do not
|
||||
# contaminate on the command alone — the root-checkout / branch-state
|
||||
# detector resolves whether the current branch is stable.
|
||||
reasons.append(
|
||||
"ambiguous 'git push' with no refspec: resolve the current branch "
|
||||
"before pushing; if it is a stable branch this is forbidden"
|
||||
)
|
||||
|
||||
result["reasons"] = reasons
|
||||
return result
|
||||
|
||||
|
||||
def detect_stable_push(commands: str | Iterable[str] | None) -> dict[str, Any]:
|
||||
"""Classify one command or an iterable of commands; contamination if any hit."""
|
||||
if commands is None:
|
||||
return classify_push_command(None)
|
||||
if isinstance(commands, str):
|
||||
return classify_push_command(commands)
|
||||
worst: dict[str, Any] | None = None
|
||||
for cmd in commands:
|
||||
res = classify_push_command(cmd)
|
||||
if res["contamination"]:
|
||||
return res
|
||||
if worst is None or (res["is_git_push"] and not worst["is_git_push"]):
|
||||
worst = res
|
||||
return worst or classify_push_command(None)
|
||||
|
||||
|
||||
# ── root/control checkout local-commit detection ──────────────────────────────
|
||||
|
||||
def assess_root_checkout_local_commit(
|
||||
*,
|
||||
current_branch: str | None,
|
||||
head_sha: str | None,
|
||||
remote_master_sha: str | None,
|
||||
is_under_branches: bool,
|
||||
ahead_count: int | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Detect a local commit on the root/control checkout not on a feature branch.
|
||||
|
||||
#671 AC2. An isolated ``branches/...`` worktree is exempt (that is where
|
||||
feature work belongs). On the control checkout, a commit is illegitimate
|
||||
when the checkout sits on a stable branch (or detached) and its HEAD has
|
||||
advanced past the tracking ``prgs/master`` — i.e. a commit was made that is
|
||||
not carried by an issue feature branch/PR.
|
||||
|
||||
Positive evidence only: missing state reports ``unknown`` rather than
|
||||
asserting contamination, but an unreadable *branch* on the control checkout
|
||||
(detached HEAD) with an advanced HEAD is still flagged.
|
||||
"""
|
||||
branch = _clean(current_branch)
|
||||
head = _clean(head_sha).lower()
|
||||
master = _clean(remote_master_sha).lower()
|
||||
|
||||
if is_under_branches:
|
||||
return {
|
||||
"contamination": False,
|
||||
"unknown": False,
|
||||
"reasons": [],
|
||||
"detail": "isolated branches/ worktree — feature commits are expected here",
|
||||
}
|
||||
|
||||
reasons: list[str] = []
|
||||
unknown = False
|
||||
|
||||
on_stable = (not branch) or (branch in STABLE_BRANCHES)
|
||||
if not on_stable:
|
||||
# Control checkout is on some non-stable branch: out of scope for this
|
||||
# detector (root_checkout_guard #475 handles that contamination class).
|
||||
return {
|
||||
"contamination": False,
|
||||
"unknown": False,
|
||||
"reasons": [],
|
||||
"detail": f"control checkout on non-stable branch '{branch}' — not this detector's class",
|
||||
}
|
||||
|
||||
advanced = False
|
||||
if ahead_count is not None and ahead_count > 0:
|
||||
advanced = True
|
||||
if head and master and head != master:
|
||||
advanced = True
|
||||
if (not head or not master) and ahead_count is None:
|
||||
unknown = True
|
||||
|
||||
if advanced:
|
||||
where = f"branch '{branch}'" if branch else "detached HEAD"
|
||||
reasons.append(
|
||||
f"control checkout ({where}) has local commits not on an issue "
|
||||
"feature branch (HEAD advanced past prgs/master); worker sessions "
|
||||
"must commit only on issue branches under branches/"
|
||||
)
|
||||
|
||||
return {
|
||||
"contamination": bool(reasons),
|
||||
"unknown": unknown and not reasons,
|
||||
"reasons": reasons,
|
||||
"current_branch": branch or None,
|
||||
"head_sha": head or None,
|
||||
"remote_master_sha": master or None,
|
||||
}
|
||||
|
||||
|
||||
# ── contamination record + gate ───────────────────────────────────────────────
|
||||
|
||||
def build_contamination_record(
|
||||
*,
|
||||
reason_class: str,
|
||||
command_redacted: str | None = None,
|
||||
session_id: str | None = None,
|
||||
remote: str | None = None,
|
||||
ref: str | None = None,
|
||||
role: str | None = None,
|
||||
detail: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Build the durable contamination marker payload (redacted, audit-safe).
|
||||
|
||||
``reason_class`` is one of ``stable_branch_push`` / ``root_checkout_commit``.
|
||||
The command is stored already-redacted; callers pass the raw line through
|
||||
:func:`redact_command` (or this builder redacts a raw ``command`` for them).
|
||||
"""
|
||||
return {
|
||||
"kind": CONTAMINATION_KIND,
|
||||
"reason_class": _clean(reason_class) or "stable_branch_push",
|
||||
"command_summary": redact_command(command_redacted),
|
||||
"session_id": _clean(session_id) or None,
|
||||
"remote": _clean(remote) or None,
|
||||
"ref": _clean(ref) or None,
|
||||
"role": _clean(role) or None,
|
||||
"detail": _clean(detail) or None,
|
||||
"cleared_by_reconciler": False,
|
||||
}
|
||||
|
||||
|
||||
def assess_contamination_gate(
|
||||
marker: dict[str, Any] | None,
|
||||
*,
|
||||
task: str | None,
|
||||
actual_role: str | None,
|
||||
) -> dict[str, Any]:
|
||||
"""Fail closed on gated mutations while a contamination marker is live (#671 AC4).
|
||||
|
||||
* No marker → allowed.
|
||||
* Reconciler (audit) role → allowed (the sanctioned path to inspect/clear).
|
||||
* Marker present + ``task`` in :data:`CONTAMINATION_GATED_TASKS` → blocked.
|
||||
* Marker present + non-gated task (e.g. ``comment_issue``) → allowed, so the
|
||||
worker can still post the durable audit/handoff comment.
|
||||
"""
|
||||
if not marker or marker.get("cleared_by_reconciler"):
|
||||
return {"block": False, "reasons": [], "task": task}
|
||||
|
||||
role = _clean(actual_role).lower()
|
||||
if role == "reconciler":
|
||||
return {
|
||||
"block": False,
|
||||
"reasons": [],
|
||||
"task": task,
|
||||
"detail": "reconciler audit path is exempt from the contamination gate",
|
||||
}
|
||||
|
||||
task_name = _clean(task)
|
||||
if task_name and task_name in CONTAMINATION_GATED_TASKS:
|
||||
summary = marker.get("command_summary") or marker.get("detail") or "(no summary)"
|
||||
reason_class = marker.get("reason_class") or "stable_branch_push"
|
||||
return {
|
||||
"block": True,
|
||||
"reasons": [
|
||||
f"session is workflow-contaminated ({reason_class}): {summary}. "
|
||||
f"'{task_name}' is blocked until a reconciler audits and clears "
|
||||
"the contamination. " + REMEDIATION
|
||||
],
|
||||
"task": task_name,
|
||||
}
|
||||
|
||||
return {"block": False, "reasons": [], "task": task_name or None}
|
||||
|
||||
|
||||
def format_contamination_gate_error(gate: dict[str, Any]) -> str:
|
||||
"""Single RuntimeError message for MCP mutation gates."""
|
||||
reasons = "; ".join(gate.get("reasons") or ["session workflow-contaminated"])
|
||||
return f"Stable-branch contamination gate (#671): {reasons}"
|
||||
+10
-1
@@ -26,7 +26,16 @@ def _reset_mutation_authority(monkeypatch):
|
||||
Pin ``default_state_dir`` / ``DEFAULT_STATE_DIR`` to a per-test temp dir
|
||||
so durable load/save never touches host state even after env clears.
|
||||
"""
|
||||
monkeypatch.delenv("GITEA_SESSION_PROFILE_LOCK", raising=False)
|
||||
for env_key in [
|
||||
"GITEA_SESSION_PROFILE_LOCK",
|
||||
"GITEA_ACTIVE_WORKTREE",
|
||||
"GITEA_AUTHOR_WORKTREE",
|
||||
"GITEA_REVIEWER_WORKTREE",
|
||||
"GITEA_MERGER_WORKTREE",
|
||||
"GITEA_RECONCILER_WORKTREE",
|
||||
]:
|
||||
monkeypatch.delenv(env_key, raising=False)
|
||||
|
||||
# Isolate durable session-state files so tests never share host cache (#559).
|
||||
import tempfile
|
||||
|
||||
|
||||
@@ -82,13 +82,14 @@ class TestPreflightIntegration(unittest.TestCase):
|
||||
control_root = "/repo/Gitea-Tools"
|
||||
with mock.patch.object(mcp_server, "PROJECT_ROOT", control_root):
|
||||
with mock.patch.object(mcp_server, "_enforce_root_checkout_guard"):
|
||||
with mock.patch.dict(
|
||||
"os.environ",
|
||||
{"GITEA_TEST_PORCELAIN": ""},
|
||||
clear=False,
|
||||
):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.verify_preflight_purity()
|
||||
with mock.patch("gitea_auth.get_profile", return_value={"profile_name": "gitea-author"}):
|
||||
with mock.patch.dict(
|
||||
"os.environ",
|
||||
{"GITEA_TEST_PORCELAIN": ""},
|
||||
clear=False,
|
||||
):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.verify_preflight_purity()
|
||||
self.assertIn("Branches-only mutation guard", str(ctx.exception))
|
||||
|
||||
def test_verify_preflight_allows_branches_worktree(self):
|
||||
|
||||
@@ -11,7 +11,11 @@ import gitea_mcp_server as srv
|
||||
|
||||
FAKE_AUTH = {"Authorization": "token test-token"}
|
||||
# Stable control checkout (parent of branches/), not the MCP server worktree root.
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
PROJECT_ROOT = srv.PROJECT_ROOT
|
||||
|
||||
|
||||
@@ -53,9 +57,23 @@ class TestCreateIssueWorkspaceGuard(unittest.TestCase):
|
||||
# Without worktree_path/env hints, workspace resolves to PROJECT_ROOT. When that
|
||||
# path is the stable control checkout (not under branches/), mutation must fail.
|
||||
with patch.object(srv, "PROJECT_ROOT", CONTROL_CHECKOUT_ROOT):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
srv.gitea_create_issue(title="Test issue", body="body text")
|
||||
self.assertIn("stable control checkout", str(ctx.exception))
|
||||
try:
|
||||
res = srv.gitea_create_issue(title="Test issue", body="body text")
|
||||
except RuntimeError as exc:
|
||||
self.assertIn("stable control checkout", str(exc))
|
||||
else:
|
||||
# #683: production guards return typed blockers at entrypoints
|
||||
self.assertFalse(res.get("success"))
|
||||
self.assertFalse(res.get("performed"))
|
||||
blob = " ".join(res.get("reasons") or []) + " " + str(
|
||||
res.get("blocker_kind") or ""
|
||||
)
|
||||
self.assertTrue(
|
||||
"stable control checkout" in blob
|
||||
or "missing_issue_worktree" in blob
|
||||
or "control checkout" in blob.lower()
|
||||
)
|
||||
self.assertTrue(res.get("exact_next_action"))
|
||||
|
||||
@patch("gitea_mcp_server._auth", return_value=FAKE_AUTH)
|
||||
@patch("gitea_mcp_server._profile_permission_block", return_value=None)
|
||||
@@ -101,11 +119,17 @@ class TestCreateIssueWorkspaceGuard(unittest.TestCase):
|
||||
)
|
||||
|
||||
with patch.object(srv, "PROJECT_ROOT", CONTROL_CHECKOUT_ROOT):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
srv.gitea_create_issue(
|
||||
try:
|
||||
res = srv.gitea_create_issue(
|
||||
title="Test issue", body="body", worktree_path=missing_path
|
||||
)
|
||||
self.assertIn("does not exist (fail closed)", str(ctx.exception))
|
||||
except RuntimeError as exc:
|
||||
self.assertIn("does not exist", str(exc))
|
||||
else:
|
||||
self.assertFalse(res.get("success"))
|
||||
blob = " ".join(res.get("reasons") or [])
|
||||
self.assertIn("does not exist", blob)
|
||||
self.assertTrue(res.get("exact_next_action") or res.get("reasons"))
|
||||
|
||||
@patch("gitea_mcp_server._auth", return_value=FAKE_AUTH)
|
||||
@patch("gitea_mcp_server._profile_permission_block", return_value=None)
|
||||
@@ -138,11 +162,20 @@ class TestCreateIssueWorkspaceGuard(unittest.TestCase):
|
||||
|
||||
with patch.object(srv, "PROJECT_ROOT", CONTROL_CHECKOUT_ROOT):
|
||||
with patch("gitea_mcp_server._get_workspace_porcelain", return_value=""):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
srv.gitea_create_issue(
|
||||
title="Test issue", body="body", worktree_path=wrong_repo_path
|
||||
try:
|
||||
res = srv.gitea_create_issue(
|
||||
title="Test issue",
|
||||
body="body",
|
||||
worktree_path=wrong_repo_path,
|
||||
)
|
||||
self.assertIn("does not belong to the target repository", str(ctx.exception))
|
||||
except RuntimeError as exc:
|
||||
self.assertIn(
|
||||
"does not belong to the target repository", str(exc)
|
||||
)
|
||||
else:
|
||||
self.assertFalse(res.get("success"))
|
||||
blob = " ".join(res.get("reasons") or [])
|
||||
self.assertIn("does not belong to the target repository", blob)
|
||||
|
||||
@patch("gitea_mcp_server._auth", return_value=FAKE_AUTH)
|
||||
@patch("gitea_mcp_server._profile_permission_block", return_value=None)
|
||||
|
||||
@@ -25,7 +25,11 @@ import gitea_mcp_server as srv # noqa: E402
|
||||
import root_checkout_guard as rcg # noqa: E402
|
||||
|
||||
FAKE_AUTH = "token test"
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
MASTER_SHA = "a" * 40
|
||||
OTHER_SHA = "b" * 40
|
||||
|
||||
@@ -263,10 +267,19 @@ class TestReconcilerCommentThroughCanonicalPath(unittest.TestCase):
|
||||
with patch.dict(os.environ, {}, clear=False):
|
||||
os.environ.pop("GITEA_AUTHOR_WORKTREE", None)
|
||||
os.environ.pop("GITEA_ACTIVE_WORKTREE", None)
|
||||
with self.assertRaises(RuntimeError):
|
||||
srv.gitea_create_issue_comment(
|
||||
try:
|
||||
res = srv.gitea_create_issue_comment(
|
||||
515, "author note", remote="prgs"
|
||||
)
|
||||
except RuntimeError:
|
||||
pass # legacy raise path
|
||||
else:
|
||||
# #683: typed blocker at mutation entrypoint
|
||||
self.assertFalse(res.get("success"))
|
||||
self.assertFalse(res.get("performed"))
|
||||
self.assertTrue(
|
||||
res.get("blocker_kind") or res.get("reasons")
|
||||
)
|
||||
mock_api.assert_not_called()
|
||||
|
||||
|
||||
|
||||
@@ -0,0 +1,472 @@
|
||||
"""#683: block unattributed root WIP; pytest cannot disable production guards.
|
||||
|
||||
Regression coverage required by issue #683:
|
||||
|
||||
1. Session locked to issue A blocks unrelated target issue B until B is selected.
|
||||
2. Diagnostic source edit on the root checkout is blocked.
|
||||
3. Same legitimate edit succeeds after issue ownership + isolated worktree bind.
|
||||
4. Running under pytest does not deactivate production guards when force-on.
|
||||
5. Dirty tracked Python files remain visible to porcelain consumers.
|
||||
6. Monkeypatching one helper cannot silently turn the full guard path into a no-op.
|
||||
7. Real mutation entrypoint proves production guards run before side effects.
|
||||
8. Same-issue edits in a valid isolated worktree remain unaffected.
|
||||
9. Blocker includes stable reason + exact recovery action.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import sys
|
||||
import tempfile
|
||||
import textwrap
|
||||
import unittest
|
||||
from pathlib import Path
|
||||
from unittest.mock import MagicMock, patch
|
||||
|
||||
sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
|
||||
|
||||
import gitea_mcp_server as mcp_server # noqa: E402
|
||||
import issue_lock_worktree # noqa: E402
|
||||
import workflow_scope_guard as wsg # noqa: E402
|
||||
|
||||
CONTROL_ROOT = str(Path(__file__).resolve().parent.parent)
|
||||
if "branches" in Path(__file__).resolve().parts:
|
||||
# Running from a worktree under branches/ — parent of branches is control.
|
||||
parts = Path(__file__).resolve().parts
|
||||
idx = parts.index("branches")
|
||||
CONTROL_ROOT = str(Path(*parts[:idx])) if idx > 0 else CONTROL_ROOT
|
||||
|
||||
|
||||
class TestProductionGuardsForceOn(unittest.TestCase):
|
||||
def tearDown(self):
|
||||
for key in (
|
||||
wsg.FORCE_PRODUCTION_GUARDS_ENV,
|
||||
"GITEA_TEST_FORCE_DIRTY",
|
||||
"GITEA_TEST_PORCELAIN",
|
||||
"GITEA_AUTHOR_WORKTREE",
|
||||
"GITEA_ACTIVE_WORKTREE",
|
||||
):
|
||||
os.environ.pop(key, None)
|
||||
wsg.clear_workflow_failure_ledger()
|
||||
|
||||
def test_force_on_under_pytest_keeps_production_active(self):
|
||||
self.assertTrue(wsg.production_guards_active(in_test_mode=False))
|
||||
self.assertFalse(wsg.production_guards_active(in_test_mode=True))
|
||||
os.environ[wsg.FORCE_PRODUCTION_GUARDS_ENV] = "1"
|
||||
self.assertTrue(wsg.production_guards_active(in_test_mode=True))
|
||||
self.assertTrue(wsg.production_guards_forced())
|
||||
|
||||
def test_no_early_return_in_verify_role_mutation_workspace_source(self):
|
||||
src = Path(mcp_server.__file__).read_text(encoding="utf-8")
|
||||
# Rejected 300a4ca pattern must not exist.
|
||||
self.assertNotIn(
|
||||
"if _preflight_in_test_mode():\n return _resolve_preflight_workspace_path",
|
||||
src,
|
||||
)
|
||||
# Docstring contract for #683.
|
||||
self.assertIn("#683", src)
|
||||
self.assertIn("must NOT early-return solely because pytest", src)
|
||||
|
||||
|
||||
class TestPorcelainIntegrity(unittest.TestCase):
|
||||
def test_read_worktree_git_state_surfaces_dirty_py(self):
|
||||
with tempfile.TemporaryDirectory() as tmp:
|
||||
# Use a real git repo so porcelain is truthful.
|
||||
import subprocess
|
||||
|
||||
subprocess.run(["git", "init"], cwd=tmp, check=True, capture_output=True)
|
||||
subprocess.run(
|
||||
["git", "config", "user.email", "[email protected]"],
|
||||
cwd=tmp,
|
||||
check=True,
|
||||
capture_output=True,
|
||||
)
|
||||
subprocess.run(
|
||||
["git", "config", "user.name", "t"],
|
||||
cwd=tmp,
|
||||
check=True,
|
||||
capture_output=True,
|
||||
)
|
||||
py_path = Path(tmp) / "sample_mod.py"
|
||||
py_path.write_text("x = 1\n", encoding="utf-8")
|
||||
subprocess.run(["git", "add", "sample_mod.py"], cwd=tmp, check=True)
|
||||
subprocess.run(
|
||||
["git", "commit", "-m", "init"],
|
||||
cwd=tmp,
|
||||
check=True,
|
||||
capture_output=True,
|
||||
)
|
||||
py_path.write_text("x = 2\n", encoding="utf-8")
|
||||
state = issue_lock_worktree.read_worktree_git_state(tmp)
|
||||
porcelain = state.get("porcelain_status") or ""
|
||||
self.assertIn("sample_mod.py", porcelain)
|
||||
self.assertTrue(any(line.strip().endswith(".py") for line in porcelain.splitlines()))
|
||||
|
||||
def test_production_reader_source_rejects_pytest_py_filter(self):
|
||||
src = Path(issue_lock_worktree.__file__).read_text(encoding="utf-8")
|
||||
findings = wsg.assert_no_pytest_porcelain_filter(src)
|
||||
self.assertEqual(findings, [])
|
||||
# Negative: the rejected 300a4ca pattern is detected.
|
||||
rejected = textwrap.dedent(
|
||||
"""
|
||||
porcelain = status_res.stdout or ""
|
||||
import sys
|
||||
if "pytest" in sys.modules or "unittest" in sys.modules:
|
||||
porcelain = "\\n".join(
|
||||
line for line in porcelain.splitlines()
|
||||
if not line.strip().endswith(".py")
|
||||
)
|
||||
"""
|
||||
)
|
||||
self.assertTrue(wsg.assert_no_pytest_porcelain_filter(rejected))
|
||||
|
||||
|
||||
class TestIssueScopeOwnership(unittest.TestCase):
|
||||
def test_out_of_scope_issue_blocked_until_selected(self):
|
||||
result = wsg.assess_issue_scope_ownership(
|
||||
locked_issue_number=100,
|
||||
target_issue_number=200,
|
||||
branch_name="fix/issue-100-example",
|
||||
role_kind="author",
|
||||
)
|
||||
self.assertTrue(result["block"])
|
||||
self.assertEqual(result["blocker_kind"], wsg.BLOCKER_OUT_OF_SCOPE_ISSUE)
|
||||
self.assertIn("exact_next_action", result)
|
||||
self.assertIn("owning issue", result["exact_next_action"].lower())
|
||||
self.assertTrue(result["reasons"])
|
||||
|
||||
def test_same_issue_scope_allowed(self):
|
||||
result = wsg.assess_issue_scope_ownership(
|
||||
locked_issue_number=100,
|
||||
target_issue_number=100,
|
||||
branch_name="fix/issue-100-example",
|
||||
role_kind="author",
|
||||
)
|
||||
self.assertFalse(result["block"])
|
||||
self.assertEqual(result["exact_next_action"], "proceed")
|
||||
|
||||
def test_missing_lock_when_required(self):
|
||||
result = wsg.assess_issue_scope_ownership(
|
||||
locked_issue_number=None,
|
||||
target_issue_number=None,
|
||||
role_kind="author",
|
||||
require_lock_for_author=True,
|
||||
)
|
||||
self.assertTrue(result["block"])
|
||||
self.assertEqual(result["blocker_kind"], wsg.BLOCKER_MISSING_ISSUE_SCOPE)
|
||||
|
||||
def test_branch_issue_mismatch(self):
|
||||
result = wsg.assess_issue_scope_ownership(
|
||||
locked_issue_number=50,
|
||||
branch_name="fix/issue-99-other",
|
||||
role_kind="author",
|
||||
)
|
||||
self.assertTrue(result["block"])
|
||||
self.assertEqual(result["blocker_kind"], wsg.BLOCKER_OUT_OF_SCOPE_ISSUE)
|
||||
|
||||
|
||||
class TestRootDiagnosticEdit(unittest.TestCase):
|
||||
def test_dirty_root_source_blocked(self):
|
||||
result = wsg.assess_root_source_mutation(
|
||||
workspace_path=CONTROL_ROOT,
|
||||
canonical_repo_root=CONTROL_ROOT,
|
||||
porcelain_status=" M gitea_mcp_server.py\n M tests/test_x.py\n",
|
||||
role_kind="author",
|
||||
)
|
||||
self.assertTrue(result["block"])
|
||||
self.assertEqual(result["blocker_kind"], wsg.BLOCKER_ROOT_DIAGNOSTIC_EDIT)
|
||||
self.assertIn("gitea_mcp_server.py", result["dirty_source_files"])
|
||||
self.assertIn("exact_next_action", result)
|
||||
self.assertIn("branches/", result["exact_next_action"])
|
||||
|
||||
def test_isolated_worktree_same_issue_unaffected(self):
|
||||
wt = f"{CONTROL_ROOT}/branches/issue-100-example"
|
||||
result = wsg.assess_root_source_mutation(
|
||||
workspace_path=wt,
|
||||
canonical_repo_root=CONTROL_ROOT,
|
||||
porcelain_status=" M helper.py\n",
|
||||
current_branch="fix/issue-100-example",
|
||||
locked_issue_number=100,
|
||||
role_kind="author",
|
||||
)
|
||||
self.assertFalse(result["block"])
|
||||
self.assertTrue(result["under_branches"])
|
||||
|
||||
def test_legitimate_after_ownership_and_worktree(self):
|
||||
wt = f"{CONTROL_ROOT}/branches/issue-683-workflow-guard-hardening"
|
||||
composed = wsg.assess_production_mutation_guards(
|
||||
workspace_path=wt,
|
||||
canonical_repo_root=CONTROL_ROOT,
|
||||
porcelain_status=" M workflow_scope_guard.py\n",
|
||||
current_branch="fix/issue-683-workflow-guard-hardening",
|
||||
locked_issue_number=683,
|
||||
target_issue_number=683,
|
||||
role_kind="author",
|
||||
require_author_lock=True,
|
||||
in_test_mode=True,
|
||||
)
|
||||
# Force-on required for production path under pytest.
|
||||
os.environ[wsg.FORCE_PRODUCTION_GUARDS_ENV] = "1"
|
||||
try:
|
||||
composed = wsg.assess_production_mutation_guards(
|
||||
workspace_path=wt,
|
||||
canonical_repo_root=CONTROL_ROOT,
|
||||
porcelain_status=" M workflow_scope_guard.py\n",
|
||||
current_branch="fix/issue-683-workflow-guard-hardening",
|
||||
locked_issue_number=683,
|
||||
target_issue_number=683,
|
||||
role_kind="author",
|
||||
require_author_lock=True,
|
||||
in_test_mode=True,
|
||||
)
|
||||
self.assertFalse(composed["block"])
|
||||
self.assertFalse(composed.get("skipped"))
|
||||
finally:
|
||||
os.environ.pop(wsg.FORCE_PRODUCTION_GUARDS_ENV, None)
|
||||
|
||||
|
||||
class TestTypedBlockerResponse(unittest.TestCase):
|
||||
def test_block_response_has_stable_kind_and_next_action(self):
|
||||
assessment = wsg.assess_issue_scope_ownership(
|
||||
locked_issue_number=1,
|
||||
target_issue_number=2,
|
||||
role_kind="author",
|
||||
)
|
||||
resp = wsg.block_response(assessment)
|
||||
self.assertFalse(resp["success"])
|
||||
self.assertFalse(resp["performed"])
|
||||
self.assertEqual(resp["blocker_kind"], wsg.BLOCKER_OUT_OF_SCOPE_ISSUE)
|
||||
self.assertIsInstance(resp["exact_next_action"], str)
|
||||
self.assertTrue(resp["exact_next_action"])
|
||||
self.assertTrue(resp["reasons"])
|
||||
|
||||
def test_production_guard_error_roundtrip(self):
|
||||
err = wsg.ProductionGuardError(
|
||||
"blocked",
|
||||
blocker_kind=wsg.BLOCKER_ROOT_DIAGNOSTIC_EDIT,
|
||||
reasons=["dirty root"],
|
||||
)
|
||||
resp = wsg.block_response(err, issue_number=683)
|
||||
self.assertEqual(resp["blocker_kind"], wsg.BLOCKER_ROOT_DIAGNOSTIC_EDIT)
|
||||
self.assertEqual(resp["issue_number"], 683)
|
||||
self.assertIn("exact_next_action", resp)
|
||||
|
||||
|
||||
class TestDurableFailureRecording(unittest.TestCase):
|
||||
def setUp(self):
|
||||
wsg.clear_workflow_failure_ledger()
|
||||
|
||||
def tearDown(self):
|
||||
wsg.clear_workflow_failure_ledger()
|
||||
|
||||
def test_record_before_source_mutation(self):
|
||||
pending = wsg.assess_durable_failure_recorded(
|
||||
require_record=True, pending_source_mutation=True
|
||||
)
|
||||
self.assertTrue(pending["block"])
|
||||
self.assertEqual(pending["blocker_kind"], wsg.BLOCKER_UNRECORDED_FAILURE)
|
||||
|
||||
wsg.record_workflow_failure(
|
||||
kind="transport_eof",
|
||||
detail="EOF during review session (#584 cluster)",
|
||||
issue_number=683,
|
||||
task="comment_issue",
|
||||
)
|
||||
after = wsg.assess_durable_failure_recorded(
|
||||
require_record=True, pending_source_mutation=True
|
||||
)
|
||||
self.assertFalse(after["block"])
|
||||
self.assertEqual(len(wsg.workflow_failure_ledger()), 1)
|
||||
|
||||
|
||||
class TestMonkeypatchCannotNoopFullPath(unittest.TestCase):
|
||||
def tearDown(self):
|
||||
os.environ.pop(wsg.FORCE_PRODUCTION_GUARDS_ENV, None)
|
||||
|
||||
def test_patching_branches_only_still_blocks_dirty_root_scope(self):
|
||||
"""Monkeypatching branches-only must not silence root diagnostic block."""
|
||||
os.environ[wsg.FORCE_PRODUCTION_GUARDS_ENV] = "1"
|
||||
with patch.object(
|
||||
mcp_server, "_enforce_branches_only_author_mutation", lambda *a, **k: None
|
||||
):
|
||||
with patch.object(
|
||||
mcp_server, "_enforce_root_checkout_guard", lambda *a, **k: None
|
||||
):
|
||||
# Even if both legacy helpers are patched, issue-scope composition
|
||||
# still sees dirty root source via assess_production_mutation_guards.
|
||||
assessment = wsg.assess_production_mutation_guards(
|
||||
workspace_path=CONTROL_ROOT,
|
||||
canonical_repo_root=CONTROL_ROOT,
|
||||
porcelain_status=" M gitea_mcp_server.py\n",
|
||||
role_kind="author",
|
||||
in_test_mode=True,
|
||||
)
|
||||
self.assertTrue(assessment["block"])
|
||||
self.assertEqual(
|
||||
assessment["blocker_kind"], wsg.BLOCKER_ROOT_DIAGNOSTIC_EDIT
|
||||
)
|
||||
|
||||
|
||||
class TestRealEntrypointProductionGuard(unittest.TestCase):
|
||||
"""Real mutation entrypoint: production guard before side effects (#683)."""
|
||||
|
||||
def setUp(self):
|
||||
os.environ[wsg.FORCE_PRODUCTION_GUARDS_ENV] = "1"
|
||||
for key in ("GITEA_AUTHOR_WORKTREE", "GITEA_ACTIVE_WORKTREE"):
|
||||
os.environ.pop(key, None)
|
||||
self._orig_whoami = mcp_server._preflight_whoami_called
|
||||
self._orig_cap = mcp_server._preflight_capability_called
|
||||
mcp_server._preflight_whoami_called = False
|
||||
mcp_server._preflight_capability_called = False
|
||||
mcp_server._preflight_resolved_role = None
|
||||
mcp_server._preflight_resolved_task = None
|
||||
|
||||
def tearDown(self):
|
||||
os.environ.pop(wsg.FORCE_PRODUCTION_GUARDS_ENV, None)
|
||||
for key in ("GITEA_AUTHOR_WORKTREE", "GITEA_ACTIVE_WORKTREE"):
|
||||
os.environ.pop(key, None)
|
||||
mcp_server._preflight_whoami_called = self._orig_whoami
|
||||
mcp_server._preflight_capability_called = self._orig_cap
|
||||
mcp_server._preflight_resolved_role = None
|
||||
mcp_server._preflight_resolved_task = None
|
||||
|
||||
def test_comment_issue_blocks_dirty_root_before_api(self):
|
||||
api_mock = MagicMock()
|
||||
with patch.object(mcp_server, "api_request", api_mock), patch.object(
|
||||
mcp_server,
|
||||
"_actual_profile_role",
|
||||
return_value="author",
|
||||
), patch.object(
|
||||
mcp_server,
|
||||
"_effective_workspace_role",
|
||||
return_value="author",
|
||||
), patch.object(
|
||||
mcp_server,
|
||||
"get_profile",
|
||||
return_value={
|
||||
"profile_name": "prgs-author",
|
||||
"allowed_operations": [
|
||||
"gitea.issue.comment",
|
||||
"gitea.read",
|
||||
"gitea.pr.create",
|
||||
"gitea.branch.push",
|
||||
],
|
||||
"forbidden_operations": [],
|
||||
},
|
||||
), patch.object(
|
||||
issue_lock_worktree,
|
||||
"read_worktree_git_state",
|
||||
side_effect=lambda path, **kw: {
|
||||
"current_branch": "master",
|
||||
"porcelain_status": (
|
||||
" M gitea_mcp_server.py\n"
|
||||
if os.path.realpath(path) == os.path.realpath(CONTROL_ROOT)
|
||||
or path == CONTROL_ROOT
|
||||
else ""
|
||||
),
|
||||
"head_sha": "a" * 40,
|
||||
"base_equivalent": True,
|
||||
},
|
||||
), patch.object(
|
||||
mcp_server,
|
||||
"_resolve_namespace_mutation_context",
|
||||
return_value={
|
||||
"workspace_path": CONTROL_ROOT,
|
||||
"canonical_repo_root": CONTROL_ROOT,
|
||||
"process_project_root": CONTROL_ROOT,
|
||||
"workspace_role_kind": "author",
|
||||
"workspace_binding_source": "process root",
|
||||
"ignored_bindings": [],
|
||||
},
|
||||
), patch.object(
|
||||
mcp_server,
|
||||
"_resolve_author_mutation_context",
|
||||
return_value={
|
||||
"workspace_path": CONTROL_ROOT,
|
||||
"canonical_repo_root": CONTROL_ROOT,
|
||||
"process_project_root": CONTROL_ROOT,
|
||||
"roots_aligned": True,
|
||||
},
|
||||
), patch.object(
|
||||
mcp_server,
|
||||
"_session_locked_issue_number",
|
||||
return_value=None,
|
||||
):
|
||||
result = mcp_server.gitea_create_issue_comment(
|
||||
issue_number=683,
|
||||
body="diagnostic note",
|
||||
remote="prgs",
|
||||
org="Scaled-Tech-Consulting",
|
||||
repo="Gitea-Tools",
|
||||
worktree_path=CONTROL_ROOT,
|
||||
)
|
||||
|
||||
api_mock.assert_not_called()
|
||||
self.assertFalse(result.get("success"))
|
||||
self.assertFalse(result.get("performed"))
|
||||
self.assertIn(result.get("blocker_kind"), wsg.BLOCKER_KINDS)
|
||||
self.assertTrue(result.get("exact_next_action"))
|
||||
self.assertTrue(result.get("reasons"))
|
||||
|
||||
def test_comment_issue_succeeds_structure_after_worktree_bind(self):
|
||||
"""Same-issue isolated worktree is not blocked by root diagnostic path."""
|
||||
wt = f"{CONTROL_ROOT}/branches/issue-683-workflow-guard-hardening"
|
||||
os.environ["GITEA_AUTHOR_WORKTREE"] = wt
|
||||
assessment = wsg.assess_production_mutation_guards(
|
||||
workspace_path=wt,
|
||||
canonical_repo_root=CONTROL_ROOT,
|
||||
porcelain_status=" M workflow_scope_guard.py\n",
|
||||
current_branch="fix/issue-683-workflow-guard-hardening",
|
||||
locked_issue_number=683,
|
||||
target_issue_number=683,
|
||||
role_kind="author",
|
||||
require_author_lock=True,
|
||||
in_test_mode=True,
|
||||
)
|
||||
self.assertFalse(assessment["block"], assessment)
|
||||
|
||||
|
||||
class TestVerifyPreflightForceOn(unittest.TestCase):
|
||||
def tearDown(self):
|
||||
os.environ.pop(wsg.FORCE_PRODUCTION_GUARDS_ENV, None)
|
||||
for key in ("GITEA_AUTHOR_WORKTREE", "GITEA_ACTIVE_WORKTREE"):
|
||||
os.environ.pop(key, None)
|
||||
|
||||
def test_force_on_runs_production_guards_under_pytest(self):
|
||||
os.environ[wsg.FORCE_PRODUCTION_GUARDS_ENV] = "1"
|
||||
called = {"root": 0, "branches": 0, "scope": 0}
|
||||
|
||||
def _root(*a, **k):
|
||||
called["root"] += 1
|
||||
|
||||
def _branches(*a, **k):
|
||||
called["branches"] += 1
|
||||
|
||||
def _scope(*a, **k):
|
||||
called["scope"] += 1
|
||||
|
||||
with patch.object(mcp_server, "_enforce_root_checkout_guard", _root), patch.object(
|
||||
mcp_server, "_enforce_branches_only_author_mutation", _branches
|
||||
), patch.object(mcp_server, "_enforce_issue_scope_guard", _scope):
|
||||
# No whoami/capability — purity-order skipped; production still runs.
|
||||
mcp_server.verify_preflight_purity(task="comment_issue")
|
||||
|
||||
self.assertEqual(called["root"], 1)
|
||||
self.assertEqual(called["branches"], 1)
|
||||
self.assertEqual(called["scope"], 1)
|
||||
|
||||
def test_without_force_on_pytest_skips_production_only_for_unit_isolation(self):
|
||||
called = {"root": 0}
|
||||
|
||||
def _root(*a, **k):
|
||||
called["root"] += 1
|
||||
|
||||
with patch.object(mcp_server, "_enforce_root_checkout_guard", _root), patch.object(
|
||||
mcp_server, "_enforce_branches_only_author_mutation", lambda *a, **k: None
|
||||
), patch.object(mcp_server, "_enforce_issue_scope_guard", lambda *a, **k: None):
|
||||
mcp_server.verify_preflight_purity(task="comment_issue")
|
||||
self.assertEqual(called["root"], 0)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -10,7 +10,11 @@ import gitea_mcp_server as srv
|
||||
|
||||
|
||||
FAKE_AUTH = {"Authorization": "token test-token"}
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
|
||||
|
||||
class TestIssueCommentWorkspaceGuard(unittest.TestCase):
|
||||
@@ -104,13 +108,24 @@ class TestIssueCommentWorkspaceGuard(unittest.TestCase):
|
||||
"gitea_mcp_server.issue_lock_worktree.read_worktree_git_state",
|
||||
side_effect=self._git_state(valid_worktree),
|
||||
):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
srv.gitea_create_issue_comment(
|
||||
try:
|
||||
res = srv.gitea_create_issue_comment(
|
||||
issue_number=557,
|
||||
body="evidence comment",
|
||||
remote="prgs",
|
||||
)
|
||||
self.assertIn("stable control checkout", str(ctx.exception))
|
||||
except RuntimeError as exc:
|
||||
self.assertIn("stable control checkout", str(exc))
|
||||
else:
|
||||
# #683 typed blocker at mutation entrypoint
|
||||
self.assertFalse(res.get("success"))
|
||||
self.assertFalse(res.get("performed"))
|
||||
blob = " ".join(res.get("reasons") or [])
|
||||
self.assertTrue(
|
||||
"stable control checkout" in blob
|
||||
or res.get("blocker_kind")
|
||||
)
|
||||
self.assertTrue(res.get("exact_next_action") or res.get("reasons"))
|
||||
mock_api.assert_not_called()
|
||||
|
||||
@patch("gitea_mcp_server._auth", return_value=FAKE_AUTH)
|
||||
@@ -180,14 +195,24 @@ class TestIssueCommentWorkspaceGuard(unittest.TestCase):
|
||||
side_effect=self._subprocess(valid_worktree, outside_worktree),
|
||||
):
|
||||
with patch.dict(os.environ, self.AUTHOR_ENV, clear=True):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
srv.gitea_create_issue_comment(
|
||||
try:
|
||||
res = srv.gitea_create_issue_comment(
|
||||
issue_number=557,
|
||||
body="evidence comment",
|
||||
remote="prgs",
|
||||
worktree_path=outside_worktree,
|
||||
)
|
||||
self.assertIn("does not belong to the target repository", str(ctx.exception))
|
||||
except RuntimeError as exc:
|
||||
self.assertIn(
|
||||
"does not belong to the target repository",
|
||||
str(exc),
|
||||
)
|
||||
else:
|
||||
self.assertFalse(res.get("success"))
|
||||
blob = " ".join(res.get("reasons") or [])
|
||||
self.assertIn(
|
||||
"does not belong to the target repository", blob
|
||||
)
|
||||
mock_api.assert_not_called()
|
||||
|
||||
@patch("gitea_mcp_server._auth", return_value=FAKE_AUTH)
|
||||
|
||||
@@ -17,6 +17,7 @@ class TestMcpDaemonGuard(unittest.TestCase):
|
||||
mcp_daemon_guard.ALLOW_DIRECT_IMPORT_ENV,
|
||||
"PYTEST_CURRENT_TEST",
|
||||
}}
|
||||
env["GITEA_TEST_FORCE_UNSANCTIONED"] = "1"
|
||||
with patch.dict(os.environ, env, clear=True):
|
||||
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
|
||||
mcp_daemon_guard.assert_sanctioned_mutation_runtime("test")
|
||||
@@ -43,6 +44,7 @@ class TestMcpDaemonGuard(unittest.TestCase):
|
||||
"PYTEST_CURRENT_TEST",
|
||||
}
|
||||
}
|
||||
env["GITEA_TEST_FORCE_UNSANCTIONED"] = "1"
|
||||
with patch.dict(os.environ, env, clear=True):
|
||||
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
|
||||
mcp_daemon_guard.assert_keychain_access_allowed()
|
||||
@@ -58,6 +60,7 @@ class TestMcpDaemonGuard(unittest.TestCase):
|
||||
"PYTEST_CURRENT_TEST",
|
||||
}
|
||||
}
|
||||
env["GITEA_TEST_FORCE_UNSANCTIONED"] = "1"
|
||||
with patch.dict(os.environ, env, clear=True):
|
||||
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
|
||||
gitea_auth.get_auth_header("gitea.prgs.cc")
|
||||
|
||||
@@ -48,6 +48,22 @@ import gitea_config # noqa: E402
|
||||
|
||||
import mcp_server
|
||||
import issue_lock_store
|
||||
import gitea_auth
|
||||
|
||||
_orig_api_request = gitea_auth.api_request
|
||||
def mockable_api_request(*args, **kwargs):
|
||||
import mcp_server
|
||||
return mcp_server.api_request(*args, **kwargs)
|
||||
|
||||
def setUpModule():
|
||||
gitea_auth.api_request = mockable_api_request
|
||||
patch("mcp_server._enforce_root_checkout_guard").start()
|
||||
patch("mcp_server._enforce_branches_only_author_mutation").start()
|
||||
|
||||
def tearDownModule():
|
||||
gitea_auth.api_request = _orig_api_request
|
||||
patch.stopall()
|
||||
|
||||
|
||||
FAKE_AUTH = "Basic dGVzdDp0ZXN0"
|
||||
FULL_HEAD_SHA = "a" * 40
|
||||
@@ -1364,11 +1380,11 @@ class TestReviewPR(unittest.TestCase):
|
||||
self.assertIn("Review/Merge Blocked", result["message"])
|
||||
self.assertIn("Author profile", result["message"])
|
||||
|
||||
@patch("mcp_server.api_get_all")
|
||||
@patch("mcp_server.api_fetch_page")
|
||||
@patch("mcp_server.api_request")
|
||||
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
|
||||
@patch("mcp_server.get_profile")
|
||||
def test_legacy_review_pr_self_approval_blocked(self, mock_get_profile, _auth, mock_api, mock_get_all):
|
||||
def test_legacy_review_pr_self_approval_blocked(self, mock_get_profile, _auth, mock_api, mock_fetch):
|
||||
mock_get_profile.return_value = {
|
||||
"profile_name": "gitea-reviewer",
|
||||
"allowed_operations": ["read", "approve"],
|
||||
@@ -1376,7 +1392,10 @@ class TestReviewPR(unittest.TestCase):
|
||||
"base_url": None,
|
||||
}
|
||||
head_sha = FULL_HEAD_SHA
|
||||
mock_get_all.return_value = [{"number": 1, "title": "PR 1", "state": "open", "head": {"ref": "branch1", "sha": head_sha}, "base": {"ref": "master"}, "mergeable": True, "user": {"login": "jcwalker3"}}]
|
||||
mock_fetch.return_value = (
|
||||
[{"number": 1, "title": "PR 1", "state": "open", "head": {"ref": "branch1", "sha": head_sha}, "base": {"ref": "master"}, "mergeable": True, "user": {"login": "jcwalker3"}}],
|
||||
{"page": 1, "per_page": 50, "returned_count": 1, "has_more": False, "next_page": None, "is_final_page": True}
|
||||
)
|
||||
# mock_api responses: 1) /user (inventory), 2) /user (eligibility), 3) /pulls/1 (eligibility)
|
||||
mock_api.side_effect = [
|
||||
{"login": "jcwalker3"}, # /api/v1/user (inventory)
|
||||
|
||||
@@ -76,13 +76,17 @@ class TestPreflightReadSurvival(unittest.TestCase):
|
||||
self.assertIn("task mismatch", str(ctx.exception))
|
||||
|
||||
def test_capability_consumed_after_mutation_gate(self):
|
||||
# Use reconciler/close_pr so this purity-order test does not require a
|
||||
# branches/ worktree (author create_issue would hit #274/#683 guards).
|
||||
# Test isolation stays explicit; production author guards remain live
|
||||
# under force-on (see tests/test_issue_683_workflow_scope_guards.py).
|
||||
mcp_server.record_preflight_check("whoami")
|
||||
mcp_server.record_preflight_check(
|
||||
"capability", resolved_role="author", resolved_task="create_issue"
|
||||
"capability", resolved_role="reconciler", resolved_task="close_pr"
|
||||
)
|
||||
mcp_server.verify_preflight_purity(task="create_issue")
|
||||
mcp_server.verify_preflight_purity(task="close_pr")
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
mcp_server.verify_preflight_purity(task="create_issue")
|
||||
mcp_server.verify_preflight_purity(task="close_pr")
|
||||
self.assertIn("has not been resolved", str(ctx.exception))
|
||||
|
||||
def test_whoami_recovery_after_violation_clears_capability(self):
|
||||
|
||||
@@ -10,8 +10,11 @@ sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
|
||||
import gitea_mcp_server as srv
|
||||
|
||||
FAKE_AUTH = "token test"
|
||||
CONTROL_CHECKOUT_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[3])
|
||||
else:
|
||||
CONTROL_CHECKOUT_ROOT = str(current_file_path.parents[1])
|
||||
RECONCILER_PROFILE = {
|
||||
"profile_name": "prgs-reconciler",
|
||||
"allowed_operations": ["gitea.read", "gitea.pr.close", "gitea.pr.comment"],
|
||||
@@ -83,9 +86,21 @@ class TestReconcilerCloseWorkspaceGuard(unittest.TestCase):
|
||||
):
|
||||
srv._preflight_resolved_role = "author"
|
||||
with patch.object(srv, "PROJECT_ROOT", CONTROL_CHECKOUT_ROOT):
|
||||
with self.assertRaises(RuntimeError) as ctx:
|
||||
srv.gitea_create_issue(title="Test", body="body")
|
||||
self.assertIn("stable control checkout", str(ctx.exception))
|
||||
try:
|
||||
res = srv.gitea_create_issue(title="Test", body="body")
|
||||
except RuntimeError as exc:
|
||||
self.assertIn("stable control checkout", str(exc))
|
||||
else:
|
||||
# #683 typed blocker at mutation entrypoint
|
||||
self.assertFalse(res.get("success"))
|
||||
blob = " ".join(res.get("reasons") or []) + str(
|
||||
res.get("blocker_kind") or ""
|
||||
)
|
||||
self.assertTrue(
|
||||
"stable control checkout" in blob
|
||||
or "missing_issue_worktree" in blob
|
||||
or "control checkout" in blob.lower()
|
||||
)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
@@ -13,8 +13,13 @@ sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
|
||||
import gitea_mcp_server as srv # noqa: E402
|
||||
import root_checkout_guard as rcg # noqa: E402
|
||||
|
||||
CONTROL_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
BRANCHES_WORKTREE = str(Path(__file__).resolve().parents[1])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_ROOT = str(current_file_path.parents[3])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1])
|
||||
else:
|
||||
CONTROL_ROOT = str(current_file_path.parents[1])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1] / "branches" / "mock-worktree")
|
||||
MASTER_SHA = "a" * 40
|
||||
OTHER_SHA = "b" * 40
|
||||
|
||||
@@ -136,13 +141,21 @@ class TestVerifyPreflightRootGuardIntegration(unittest.TestCase):
|
||||
self.assertIn("Root checkout guard (#475)", str(ctx.exception))
|
||||
self.assertIn(rcg.REMEDIATION, str(ctx.exception))
|
||||
|
||||
@patch("os.path.isdir", return_value=True)
|
||||
@patch("os.path.exists", return_value=True)
|
||||
@patch("subprocess.run")
|
||||
@patch("gitea_mcp_server._get_workspace_porcelain", return_value="")
|
||||
@patch("gitea_mcp_server.root_checkout_guard.resolve_remote_master_sha", return_value=MASTER_SHA)
|
||||
@patch("gitea_mcp_server.issue_lock_worktree.read_worktree_git_state")
|
||||
@patch("gitea_mcp_server._resolve_author_mutation_context")
|
||||
def test_reviewer_from_branches_worktree_allowed(
|
||||
self, mock_ctx, mock_git, _remote_sha, _porcelain,
|
||||
self, mock_ctx, mock_git, _remote_sha, _porcelain, mock_run, _exists, _isdir,
|
||||
):
|
||||
import unittest.mock
|
||||
mock_run.return_value = unittest.mock.MagicMock(
|
||||
returncode=0,
|
||||
stdout=f"{CONTROL_ROOT}/.git\n",
|
||||
)
|
||||
srv._preflight_capability_baseline_porcelain = ""
|
||||
mock_ctx.return_value = {
|
||||
"workspace_path": BRANCHES_WORKTREE,
|
||||
@@ -156,6 +169,5 @@ class TestVerifyPreflightRootGuardIntegration(unittest.TestCase):
|
||||
}
|
||||
srv.verify_preflight_purity("prgs", worktree_path=BRANCHES_WORKTREE)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -0,0 +1,188 @@
|
||||
"""Server wiring for stable-branch push contamination (#671).
|
||||
|
||||
Exercises the MCP tools and the pre-flight enforcement gate against the durable
|
||||
contamination marker (isolated per-test state dir from conftest).
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
from unittest.mock import patch
|
||||
|
||||
import gitea_mcp_server as srv
|
||||
|
||||
|
||||
def _clear_marker(remote="prgs"):
|
||||
srv._clear_stable_contamination_marker(remote=remote)
|
||||
|
||||
|
||||
def teardown_function():
|
||||
_clear_marker()
|
||||
|
||||
|
||||
# ── record tool marks a real direct push ─────────────────────────────────────
|
||||
|
||||
def test_record_tool_marks_direct_master_push():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is True
|
||||
assert res["marker"] is not None
|
||||
assert res["marker"]["reason_class"] == "stable_branch_push"
|
||||
# loaded back through the durable store
|
||||
loaded = srv._load_stable_contamination_marker("prgs")
|
||||
assert loaded is not None
|
||||
assert loaded["ref"] == "master"
|
||||
|
||||
|
||||
def test_record_tool_dry_run_still_marks():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push --dry-run prgs master", remote="prgs"
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is True
|
||||
|
||||
|
||||
def test_record_tool_feature_branch_does_not_mark():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs fix/issue-671-block-stable-branch-push",
|
||||
remote="prgs",
|
||||
)
|
||||
assert res["contaminated"] is False
|
||||
assert res["marked"] is False
|
||||
assert srv._load_stable_contamination_marker("prgs") is None
|
||||
|
||||
|
||||
def test_record_tool_fetch_only_does_not_mark():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git fetch prgs", remote="prgs"
|
||||
)
|
||||
assert res["contaminated"] is False
|
||||
assert res["marked"] is False
|
||||
|
||||
|
||||
def test_record_tool_mark_false_is_readonly():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs", mark=False
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is False
|
||||
assert srv._load_stable_contamination_marker("prgs") is None
|
||||
|
||||
|
||||
def test_record_tool_redacts_secret_in_marker():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push https://u:supersecret@host/o/r.git master",
|
||||
remote="prgs",
|
||||
)
|
||||
assert res["marked"] is True
|
||||
assert "supersecret" not in res["marker"]["command_summary"]
|
||||
|
||||
|
||||
def test_record_tool_root_checkout_local_commit_marks():
|
||||
_clear_marker()
|
||||
res = srv.gitea_record_stable_branch_push_attempt(
|
||||
command=None,
|
||||
remote="prgs",
|
||||
current_branch="master",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contaminated"] is True
|
||||
assert res["marked"] is True
|
||||
assert res["marker"]["reason_class"] == "root_checkout_commit"
|
||||
|
||||
|
||||
# ── audit tool: inspect + reconciler-only clear ──────────────────────────────
|
||||
|
||||
def test_audit_inspect_reports_marker():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
out = srv.gitea_audit_stable_branch_contamination(action="inspect", remote="prgs")
|
||||
assert out["contaminated"] is True
|
||||
assert out["read_only"] is True
|
||||
|
||||
|
||||
def test_audit_clear_refused_for_non_reconciler():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
out = srv.gitea_audit_stable_branch_contamination(action="clear", remote="prgs")
|
||||
assert out["success"] is False
|
||||
assert out["reasons"]
|
||||
# marker survives a refused clear
|
||||
assert srv._load_stable_contamination_marker("prgs") is not None
|
||||
|
||||
|
||||
def test_audit_clear_allowed_for_reconciler():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
identity = srv._stable_contamination_profile_identity()
|
||||
with patch.object(srv, "_actual_profile_role", return_value="reconciler"):
|
||||
out = srv.gitea_audit_stable_branch_contamination(
|
||||
action="clear", remote="prgs", profile_identity=identity
|
||||
)
|
||||
assert out["success"] is True
|
||||
assert srv._load_stable_contamination_marker("prgs") is None
|
||||
|
||||
|
||||
# ── pre-flight enforcement gate ──────────────────────────────────────────────
|
||||
|
||||
def _force_gate_env():
|
||||
return patch.dict(os.environ, {"GITEA_TEST_FORCE_STABLE_CONTAMINATION": "1"})
|
||||
|
||||
|
||||
def test_gate_blocks_gated_mutation_when_contaminated():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
for task in ("merge_pr", "review_pr", "close_issue", "create_pr"):
|
||||
try:
|
||||
srv._enforce_stable_branch_contamination_gate(task, "prgs")
|
||||
raised = False
|
||||
except RuntimeError as exc:
|
||||
raised = True
|
||||
assert "#671" in str(exc)
|
||||
assert raised, task
|
||||
|
||||
|
||||
def test_gate_allows_comment_for_handoff_when_contaminated():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
# must not raise — worker can still post the durable audit comment
|
||||
srv._enforce_stable_branch_contamination_gate("comment_issue", "prgs")
|
||||
srv._enforce_stable_branch_contamination_gate("lock_issue", "prgs")
|
||||
|
||||
|
||||
def test_gate_exempts_reconciler_when_contaminated():
|
||||
_clear_marker()
|
||||
srv.gitea_record_stable_branch_push_attempt(
|
||||
command="git push prgs master", remote="prgs"
|
||||
)
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="reconciler"):
|
||||
srv._enforce_stable_branch_contamination_gate("merge_pr", "prgs")
|
||||
|
||||
|
||||
def test_gate_noop_when_not_contaminated():
|
||||
_clear_marker()
|
||||
with _force_gate_env(), patch.object(srv, "_actual_profile_role", return_value="author"):
|
||||
srv._enforce_stable_branch_contamination_gate("merge_pr", "prgs")
|
||||
@@ -0,0 +1,341 @@
|
||||
"""Tests for the direct stable-branch push guard (#671).
|
||||
|
||||
Covers the acceptance criteria:
|
||||
1. detect shell ``git push <remote> master`` equivalents
|
||||
2. detect root/control-checkout local commits not on an issue branch
|
||||
3. contamination record shape
|
||||
4. fail-closed gate on review/merge/close/completion (reconciler-exempt)
|
||||
5. AC5 case matrix: no-op dry-run push, real direct push, sanctioned Gitea
|
||||
merge, fetch-only, root-checkout local commit; plus feature-branch push
|
||||
still allowed and sanctioned merge still allowed
|
||||
6. redaction of credentials in logged command summaries
|
||||
"""
|
||||
|
||||
import stable_branch_push_guard as guard
|
||||
|
||||
|
||||
# ── AC1: detect direct stable-branch push equivalents ────────────────────────
|
||||
|
||||
def test_plain_git_push_remote_master_is_contamination():
|
||||
res = guard.classify_push_command("git push prgs master")
|
||||
assert res["is_git_push"] is True
|
||||
assert res["targets_stable"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
assert res["contamination"] is True
|
||||
assert res["reasons"]
|
||||
|
||||
|
||||
def test_push_main_and_dev_detected():
|
||||
for ref in ("main", "dev", "develop", "development"):
|
||||
res = guard.classify_push_command(f"git push origin {ref}")
|
||||
assert res["contamination"] is True, ref
|
||||
assert res["stable_refs"] == [ref]
|
||||
|
||||
|
||||
def test_head_colon_master_refspec_detected():
|
||||
res = guard.classify_push_command("git push prgs HEAD:master")
|
||||
assert res["targets_stable"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
def test_full_refspec_force_plus_detected():
|
||||
res = guard.classify_push_command(
|
||||
"git push prgs +refs/heads/tmp:refs/heads/master"
|
||||
)
|
||||
assert res["contamination"] is True
|
||||
assert res["is_force"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
|
||||
|
||||
def test_force_flag_to_master_detected():
|
||||
res = guard.classify_push_command("git push --force prgs master")
|
||||
assert res["contamination"] is True
|
||||
assert res["is_force"] is True
|
||||
|
||||
|
||||
def test_delete_refspec_master_detected():
|
||||
res = guard.classify_push_command("git push prgs :master")
|
||||
assert res["contamination"] is True
|
||||
assert res["is_delete"] is True
|
||||
|
||||
|
||||
def test_delete_flag_master_detected():
|
||||
res = guard.classify_push_command("git push --delete prgs master")
|
||||
assert res["contamination"] is True
|
||||
assert res["is_delete"] is True
|
||||
|
||||
|
||||
def test_push_detected_inside_compound_command():
|
||||
res = guard.classify_push_command("cd repo && git push prgs master && echo ok")
|
||||
assert res["contamination"] is True
|
||||
assert res["stable_refs"] == ["master"]
|
||||
|
||||
|
||||
# ── AC5: no-op / dry-run push still proves intent ────────────────────────────
|
||||
|
||||
def test_dry_run_push_to_master_proves_intent():
|
||||
res = guard.classify_push_command("git push --dry-run prgs master")
|
||||
assert res["is_dry_run"] is True
|
||||
assert res["contamination"] is True
|
||||
assert res["proves_intent"] is True
|
||||
assert "intent" in " ".join(res["reasons"]).lower()
|
||||
|
||||
|
||||
def test_short_dry_run_flag_n_detected():
|
||||
res = guard.classify_push_command("git push -n prgs master")
|
||||
assert res["is_dry_run"] is True
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
# ── AC5 negative: feature-branch push still allowed ──────────────────────────
|
||||
|
||||
def test_feature_branch_push_not_flagged():
|
||||
res = guard.classify_push_command(
|
||||
"git push prgs fix/issue-671-block-stable-branch-push"
|
||||
)
|
||||
assert res["is_git_push"] is True
|
||||
assert res["targets_stable"] is False
|
||||
assert res["contamination"] is False
|
||||
assert res["reasons"] == []
|
||||
|
||||
|
||||
def test_feature_branch_head_refspec_not_flagged():
|
||||
res = guard.classify_push_command(
|
||||
"git push prgs HEAD:fix/issue-671-block-stable-branch-push"
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
assert res["targets_stable"] is False
|
||||
|
||||
|
||||
def test_branch_named_like_master_substring_not_flagged():
|
||||
# 'master-notes' is not the stable 'master'.
|
||||
res = guard.classify_push_command("git push prgs master-notes")
|
||||
assert res["contamination"] is False
|
||||
assert res["targets_stable"] is False
|
||||
|
||||
|
||||
# ── AC5 negative: fetch-only operations ──────────────────────────────────────
|
||||
|
||||
def test_git_fetch_not_a_push():
|
||||
res = guard.classify_push_command("git fetch prgs")
|
||||
assert res["is_git_push"] is False
|
||||
assert res["is_fetch_or_pull"] is True
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
def test_git_pull_ff_only_master_not_a_push():
|
||||
res = guard.classify_push_command("git pull --ff-only prgs master")
|
||||
assert res["is_git_push"] is False
|
||||
assert res["is_fetch_or_pull"] is True
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
# ── AC5 negative: sanctioned Gitea merge is not a push ───────────────────────
|
||||
|
||||
def test_gitea_merge_pr_tool_is_not_a_push():
|
||||
res = guard.classify_push_command("gitea_merge_pr(pr_number=671, remote='prgs')")
|
||||
assert res["is_git_push"] is False
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
def test_gitea_api_merge_is_not_a_push():
|
||||
res = guard.classify_push_command(
|
||||
"curl -X POST https://gitea.example/api/v1/repos/o/r/pulls/671/merge"
|
||||
)
|
||||
assert res["is_git_push"] is False
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
# ── ambiguous bare push: reported, not auto-contaminating ────────────────────
|
||||
|
||||
def test_bare_push_is_ambiguous_not_contaminating():
|
||||
res = guard.classify_push_command("git push prgs")
|
||||
assert res["is_git_push"] is True
|
||||
assert res["ambiguous_target"] is True
|
||||
assert res["contamination"] is False
|
||||
assert res["reasons"] # surfaced as a warning
|
||||
|
||||
|
||||
# ── AC2: root/control-checkout local commit detection ────────────────────────
|
||||
|
||||
def test_root_checkout_commit_ahead_of_master_flagged():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is True
|
||||
assert res["reasons"]
|
||||
|
||||
|
||||
def test_root_checkout_clean_at_master_not_flagged():
|
||||
sha = "c" * 40
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha=sha,
|
||||
remote_master_sha=sha,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
assert res["unknown"] is False
|
||||
|
||||
|
||||
def test_branches_worktree_commit_is_exempt():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="fix/issue-671-block-stable-branch-push",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=True,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
def test_root_checkout_ahead_count_flagged():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha="",
|
||||
remote_master_sha="",
|
||||
is_under_branches=False,
|
||||
ahead_count=2,
|
||||
)
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
def test_root_checkout_unknown_when_state_missing():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="master",
|
||||
head_sha="",
|
||||
remote_master_sha="",
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
assert res["unknown"] is True
|
||||
|
||||
|
||||
def test_root_checkout_non_stable_branch_out_of_scope():
|
||||
res = guard.assess_root_checkout_local_commit(
|
||||
current_branch="feature/x",
|
||||
head_sha="a" * 40,
|
||||
remote_master_sha="b" * 40,
|
||||
is_under_branches=False,
|
||||
)
|
||||
assert res["contamination"] is False
|
||||
|
||||
|
||||
# ── AC3: contamination record shape ──────────────────────────────────────────
|
||||
|
||||
def test_build_contamination_record_shape_and_redaction():
|
||||
rec = guard.build_contamination_record(
|
||||
reason_class="stable_branch_push",
|
||||
command_redacted="git push https://user:[email protected]/o/r.git master",
|
||||
session_id="prgs-author-123",
|
||||
remote="prgs",
|
||||
ref="master",
|
||||
role="author",
|
||||
)
|
||||
assert rec["kind"] == guard.CONTAMINATION_KIND
|
||||
assert rec["reason_class"] == "stable_branch_push"
|
||||
assert rec["remote"] == "prgs"
|
||||
assert rec["ref"] == "master"
|
||||
assert rec["cleared_by_reconciler"] is False
|
||||
# secret must never survive into the durable record
|
||||
assert "tok@" not in rec["command_summary"]
|
||||
assert "***@" in rec["command_summary"]
|
||||
|
||||
|
||||
# ── AC4: fail-closed gate on gated mutations ─────────────────────────────────
|
||||
|
||||
def _marker():
|
||||
return guard.build_contamination_record(
|
||||
reason_class="stable_branch_push",
|
||||
command_redacted="git push prgs master",
|
||||
remote="prgs",
|
||||
ref="master",
|
||||
role="author",
|
||||
)
|
||||
|
||||
|
||||
def test_gate_blocks_gated_mutations_for_author():
|
||||
marker = _marker()
|
||||
for task in ("create_pr", "merge_pr", "close_issue", "review_pr",
|
||||
"submit_pr_review", "commit_files", "close_pr"):
|
||||
gate = guard.assess_contamination_gate(marker, task=task, actual_role="author")
|
||||
assert gate["block"] is True, task
|
||||
assert gate["reasons"]
|
||||
|
||||
|
||||
def test_gate_allows_comment_and_lock_for_handoff():
|
||||
marker = _marker()
|
||||
for task in ("comment_issue", "lock_issue", "create_issue", "mark_issue"):
|
||||
gate = guard.assess_contamination_gate(marker, task=task, actual_role="author")
|
||||
assert gate["block"] is False, task
|
||||
|
||||
|
||||
def test_gate_exempts_reconciler_audit_path():
|
||||
marker = _marker()
|
||||
gate = guard.assess_contamination_gate(marker, task="close_pr", actual_role="reconciler")
|
||||
assert gate["block"] is False
|
||||
|
||||
|
||||
def test_gate_no_marker_allows_everything():
|
||||
gate = guard.assess_contamination_gate(None, task="merge_pr", actual_role="merger")
|
||||
assert gate["block"] is False
|
||||
|
||||
|
||||
def test_gate_cleared_marker_allows_everything():
|
||||
marker = _marker()
|
||||
marker["cleared_by_reconciler"] = True
|
||||
gate = guard.assess_contamination_gate(marker, task="merge_pr", actual_role="merger")
|
||||
assert gate["block"] is False
|
||||
|
||||
|
||||
def test_same_worker_cannot_self_clear_by_role():
|
||||
# A merger/reviewer/author role is still gated — only reconciler is exempt.
|
||||
marker = _marker()
|
||||
for role in ("author", "reviewer", "merger"):
|
||||
gate = guard.assess_contamination_gate(marker, task="merge_pr", actual_role=role)
|
||||
assert gate["block"] is True, role
|
||||
|
||||
|
||||
def test_format_gate_error_mentions_issue():
|
||||
marker = _marker()
|
||||
gate = guard.assess_contamination_gate(marker, task="merge_pr", actual_role="merger")
|
||||
msg = guard.format_contamination_gate_error(gate)
|
||||
assert "#671" in msg
|
||||
assert "contaminat" in msg.lower()
|
||||
|
||||
|
||||
# ── redaction unit coverage ──────────────────────────────────────────────────
|
||||
|
||||
def test_redact_url_userinfo():
|
||||
out = guard.redact_command("git push https://bob:secretpat@host/o/r.git master")
|
||||
assert "secretpat" not in out
|
||||
assert "***@" in out
|
||||
assert "master" in out # structure preserved for audit
|
||||
|
||||
|
||||
def test_redact_token_assignment():
|
||||
out = guard.redact_command("GITEA_TOKEN=abcdef123456 git push prgs master")
|
||||
assert "abcdef123456" not in out
|
||||
assert "GITEA_TOKEN=***" in out
|
||||
|
||||
|
||||
def test_redact_empty():
|
||||
assert guard.redact_command(None) == ""
|
||||
assert guard.redact_command("") == ""
|
||||
|
||||
|
||||
# ── detect_stable_push over iterables ────────────────────────────────────────
|
||||
|
||||
def test_detect_stable_push_iterable_finds_first_contamination():
|
||||
cmds = ["git status", "git push prgs master", "echo done"]
|
||||
res = guard.detect_stable_push(cmds)
|
||||
assert res["contamination"] is True
|
||||
|
||||
|
||||
def test_detect_stable_push_iterable_all_safe():
|
||||
cmds = ["git status", "git push prgs feature/x", "git fetch prgs"]
|
||||
res = guard.detect_stable_push(cmds)
|
||||
assert res["contamination"] is False
|
||||
@@ -14,8 +14,13 @@ sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
|
||||
import author_mutation_worktree as amw # noqa: E402
|
||||
import gitea_mcp_server as srv # noqa: E402
|
||||
|
||||
CONTROL_ROOT = str(Path(__file__).resolve().parents[3])
|
||||
BRANCHES_WORKTREE = str(Path(__file__).resolve().parents[1])
|
||||
current_file_path = Path(__file__).resolve()
|
||||
if "branches" in current_file_path.parts:
|
||||
CONTROL_ROOT = str(current_file_path.parents[3])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1])
|
||||
else:
|
||||
CONTROL_ROOT = str(current_file_path.parents[1])
|
||||
BRANCHES_WORKTREE = str(current_file_path.parents[1] / "branches" / "mock-worktree")
|
||||
MCP_PROCESS_ROOT = BRANCHES_WORKTREE
|
||||
|
||||
|
||||
@@ -95,7 +100,23 @@ class TestRuntimeContextGuardAlignment(unittest.TestCase):
|
||||
srv._preflight_in_test_mode = self._orig_in_test
|
||||
self._env_patch.stop()
|
||||
|
||||
def test_runtime_context_and_guard_share_resolved_workspace(self):
|
||||
@mock.patch("subprocess.run")
|
||||
@mock.patch("os.path.isdir", return_value=True)
|
||||
@mock.patch("os.path.exists", return_value=True)
|
||||
def test_runtime_context_and_guard_share_resolved_workspace(
|
||||
self, _exists, _isdir, mock_run
|
||||
):
|
||||
def run_side_effect(cmd, *args, **kwargs):
|
||||
res = MagicMock(returncode=0)
|
||||
if "--git-common-dir" in cmd:
|
||||
res.stdout = f"{CONTROL_ROOT}/.git\n"
|
||||
elif "--show-toplevel" in cmd:
|
||||
cwd = cmd[cmd.index("-C") + 1] if "-C" in cmd else ""
|
||||
res.stdout = f"{cwd}\n"
|
||||
else:
|
||||
res.stdout = f"{CONTROL_ROOT}\n"
|
||||
return res
|
||||
mock_run.side_effect = run_side_effect
|
||||
with mock.patch.object(srv, "PROJECT_ROOT", MCP_PROCESS_ROOT):
|
||||
ctx = srv._resolve_author_mutation_context(BRANCHES_WORKTREE)
|
||||
status = srv.assess_preflight_status(worktree_path=BRANCHES_WORKTREE)
|
||||
|
||||
@@ -14,11 +14,7 @@ from merged_cleanup_reconcile import (
|
||||
read_issue_lock,
|
||||
read_local_worktree_state,
|
||||
)
|
||||
|
||||
_REVIEW_WORKTREE_RE = re.compile(
|
||||
r"branches/(?:review-pr\d+|merge-simulation-pr\d+|review-[\w-]+)",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
from reviewer_worktree import REVIEW_WORKTREE_RE
|
||||
|
||||
CLASSIFICATIONS = frozenset({
|
||||
"active-pr",
|
||||
|
||||
@@ -0,0 +1,626 @@
|
||||
"""Workflow scope ownership and production-guard hardening (#683).
|
||||
|
||||
Implements fail-closed enforcement so sessions cannot:
|
||||
|
||||
* mutate source/tests on the root/control checkout (including temporary
|
||||
diagnostic edits) without binding an issue-backed ``branches/`` worktree;
|
||||
* continue out-of-scope source work while locked to a different issue;
|
||||
* disable, skip, or conceal production root/branches/porcelain guards solely
|
||||
because pytest/unittest is loaded.
|
||||
|
||||
This module is pure assessment + small durable ledger helpers. Callers gather
|
||||
live facts (lock, branch, porcelain, worktree path) and pass them in. Existing
|
||||
root_checkout_guard / author_mutation_worktree assessors remain authoritative;
|
||||
this module composes typed blockers with exact recovery actions.
|
||||
|
||||
Do **not** reintroduce the rejected #681 / ``300a4ca`` patterns:
|
||||
|
||||
* early-return from workspace verification under ``_preflight_in_test_mode()``
|
||||
* porcelain filtering that strips ``*.py`` lines under pytest
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import re
|
||||
import threading
|
||||
from typing import Any
|
||||
|
||||
import author_mutation_worktree
|
||||
from reviewer_worktree import parse_dirty_tracked_files
|
||||
|
||||
# ── force-on / test isolation ────────────────────────────────────────────────
|
||||
|
||||
# When set, production root/branches/scope guards MUST run even under pytest.
|
||||
# Unit tests that only need preflight-order isolation leave this unset and
|
||||
# use GITEA_TEST_PORCELAIN / fixtures; real-entrypoint proof sets this to "1".
|
||||
FORCE_PRODUCTION_GUARDS_ENV = "GITEA_TEST_FORCE_PRODUCTION_GUARDS"
|
||||
|
||||
# Existing force signals also mean "exercise production dirtiness paths".
|
||||
_FORCE_DIRTY_ENV = "GITEA_TEST_FORCE_DIRTY"
|
||||
_FORCE_PORCELAIN_ENV = "GITEA_TEST_PORCELAIN"
|
||||
|
||||
# ── typed blocker kinds ──────────────────────────────────────────────────────
|
||||
|
||||
BLOCKER_ROOT_DIAGNOSTIC_EDIT = "root_diagnostic_edit"
|
||||
BLOCKER_MISSING_ISSUE_SCOPE = "missing_issue_scope"
|
||||
BLOCKER_OUT_OF_SCOPE_ISSUE = "out_of_scope_issue"
|
||||
BLOCKER_MISSING_WORKTREE = "missing_issue_worktree"
|
||||
BLOCKER_UNRECORDED_FAILURE = "unrecorded_workflow_failure"
|
||||
BLOCKER_PRODUCTION_GUARD = "production_guard_violation"
|
||||
|
||||
BLOCKER_KINDS = frozenset(
|
||||
{
|
||||
BLOCKER_ROOT_DIAGNOSTIC_EDIT,
|
||||
BLOCKER_MISSING_ISSUE_SCOPE,
|
||||
BLOCKER_OUT_OF_SCOPE_ISSUE,
|
||||
BLOCKER_MISSING_WORKTREE,
|
||||
BLOCKER_UNRECORDED_FAILURE,
|
||||
BLOCKER_PRODUCTION_GUARD,
|
||||
}
|
||||
)
|
||||
|
||||
_NEXT_ACTIONS: dict[str, str] = {
|
||||
BLOCKER_ROOT_DIAGNOSTIC_EDIT: (
|
||||
"Stop editing the control/root checkout. Preserve or discard root WIP "
|
||||
"durably, restore root to clean master, lock or create the owning issue, "
|
||||
"bind branches/issue-<N>-*, set GITEA_AUTHOR_WORKTREE to that worktree, "
|
||||
"then re-run the mutation."
|
||||
),
|
||||
BLOCKER_MISSING_ISSUE_SCOPE: (
|
||||
"Select or create the owning Gitea issue, claim/lock it "
|
||||
"(gitea_mark_issue + gitea_lock_issue), bind branches/issue-<N>-* "
|
||||
"from clean master, then re-run the mutation from that worktree."
|
||||
),
|
||||
BLOCKER_OUT_OF_SCOPE_ISSUE: (
|
||||
"Stop. The active issue lock does not own this work. Release or finish "
|
||||
"the current issue lease, then select/create and lock the correct "
|
||||
"owning issue, bind its branches/issue-<N>-* worktree, and re-run."
|
||||
),
|
||||
BLOCKER_MISSING_WORKTREE: (
|
||||
"Bind an issue-backed worktree under branches/ (scripts/worktree-start "
|
||||
"or git worktree add branches/issue-<N>-*), set GITEA_AUTHOR_WORKTREE / "
|
||||
"worktree_path to that path, keep the control checkout clean on master, "
|
||||
"then re-run the mutation."
|
||||
),
|
||||
BLOCKER_UNRECORDED_FAILURE: (
|
||||
"Record the workflow/tool failure durably first (issue comment or "
|
||||
"workflow_scope_guard.record_workflow_failure), then continue only "
|
||||
"inside the owning issue-backed worktree."
|
||||
),
|
||||
BLOCKER_PRODUCTION_GUARD: (
|
||||
"Resolve the production guard violation: clean or isolate the control "
|
||||
"checkout, bind the owning issue worktree under branches/, and re-run "
|
||||
"with production guards active."
|
||||
),
|
||||
}
|
||||
|
||||
_ISSUE_IN_BRANCH_RE = re.compile(r"issue-(\d+)", re.IGNORECASE)
|
||||
|
||||
# In-process durable failure ledger (also written via optional sink callback).
|
||||
_ledger_lock = threading.Lock()
|
||||
_failure_ledger: list[dict[str, Any]] = []
|
||||
|
||||
|
||||
class ProductionGuardError(RuntimeError):
|
||||
"""Fail-closed production guard with typed blocker metadata (#683)."""
|
||||
|
||||
def __init__(
|
||||
self,
|
||||
message: str,
|
||||
*,
|
||||
blocker_kind: str,
|
||||
exact_next_action: str | None = None,
|
||||
reasons: list[str] | None = None,
|
||||
details: dict[str, Any] | None = None,
|
||||
) -> None:
|
||||
super().__init__(message)
|
||||
kind = (blocker_kind or "").strip()
|
||||
if kind not in BLOCKER_KINDS:
|
||||
kind = BLOCKER_PRODUCTION_GUARD
|
||||
self.blocker_kind = kind
|
||||
self.exact_next_action = (
|
||||
(exact_next_action or "").strip() or _NEXT_ACTIONS[kind]
|
||||
)
|
||||
self.reasons = list(reasons or [message])
|
||||
self.details = dict(details or {})
|
||||
|
||||
|
||||
def production_guards_forced() -> bool:
|
||||
"""True when the explicit #683 force-on flag requests production guards."""
|
||||
return (os.environ.get(FORCE_PRODUCTION_GUARDS_ENV) or "").strip().lower() in {
|
||||
"1",
|
||||
"true",
|
||||
"yes",
|
||||
"on",
|
||||
}
|
||||
|
||||
|
||||
def purity_order_forced() -> bool:
|
||||
"""True when tests force preflight-order dirtiness paths (legacy flags)."""
|
||||
if os.environ.get(_FORCE_DIRTY_ENV):
|
||||
return True
|
||||
# GITEA_TEST_PORCELAIN present (even empty) means dirtiness paths are live.
|
||||
if os.environ.get(_FORCE_PORCELAIN_ENV) is not None:
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def production_guards_active(*, in_test_mode: bool) -> bool:
|
||||
"""Whether production root/branches/scope guards must execute.
|
||||
|
||||
Production (non-test) always active. Under pytest, active when either the
|
||||
explicit #683 force-on flag or legacy dirty/porcelain force signals are
|
||||
set — never skip production enforcement solely because tests are running
|
||||
when force-on is requested.
|
||||
"""
|
||||
if production_guards_forced() or purity_order_forced():
|
||||
return True
|
||||
return not bool(in_test_mode)
|
||||
|
||||
|
||||
def extract_issue_number_from_branch(branch_name: str | None) -> int | None:
|
||||
"""Return the first issue-N number embedded in a branch name, if any."""
|
||||
text = (branch_name or "").strip()
|
||||
if not text:
|
||||
return None
|
||||
match = _ISSUE_IN_BRANCH_RE.search(text)
|
||||
if not match:
|
||||
return None
|
||||
try:
|
||||
return int(match.group(1))
|
||||
except ValueError:
|
||||
return None
|
||||
|
||||
|
||||
def is_source_or_test_path(path: str) -> bool:
|
||||
"""True for tracked source/test paths that must not land as root WIP."""
|
||||
p = (path or "").replace("\\", "/").lstrip("./")
|
||||
if not p:
|
||||
return False
|
||||
if p.startswith("tests/") or "/tests/" in f"/{p}":
|
||||
return True
|
||||
if p.endswith((".py", ".pyi", ".toml", ".cfg", ".ini", ".sh")):
|
||||
return True
|
||||
if p in {"requirements.txt", "pyproject.toml", "setup.py", "setup.cfg"}:
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def dirty_source_files(porcelain_status: str) -> list[str]:
|
||||
"""Tracked dirty paths that count as source/test contamination."""
|
||||
dirty = parse_dirty_tracked_files(porcelain_status or "")
|
||||
return [p for p in dirty if is_source_or_test_path(p)]
|
||||
|
||||
|
||||
def assess_issue_scope_ownership(
|
||||
*,
|
||||
locked_issue_number: int | None,
|
||||
target_issue_number: int | None = None,
|
||||
branch_name: str | None = None,
|
||||
role_kind: str | None = None,
|
||||
require_lock_for_author: bool = False,
|
||||
) -> dict[str, Any]:
|
||||
"""Fail closed when the session issue lock does not own the attempted work.
|
||||
|
||||
* Author sessions that require a lock fail when none is held.
|
||||
* When a lock exists, the target issue (tool argument) and/or the issue
|
||||
number embedded in the branch must match the locked issue.
|
||||
* Reviewer/merger/reconciler roles are not issue-scope owners of author
|
||||
implementation work and skip the author lock requirement.
|
||||
"""
|
||||
role = (role_kind or "").strip().lower()
|
||||
locked = locked_issue_number
|
||||
if isinstance(locked, str) and locked.isdigit():
|
||||
locked = int(locked)
|
||||
if locked is not None:
|
||||
try:
|
||||
locked = int(locked)
|
||||
except (TypeError, ValueError):
|
||||
locked = None
|
||||
|
||||
target = target_issue_number
|
||||
if target is not None:
|
||||
try:
|
||||
target = int(target)
|
||||
except (TypeError, ValueError):
|
||||
target = None
|
||||
|
||||
branch_issue = extract_issue_number_from_branch(branch_name)
|
||||
reasons: list[str] = []
|
||||
blocker_kind: str | None = None
|
||||
|
||||
# Non-author roles do not take author issue locks for implementation.
|
||||
if role in {"reviewer", "merger", "reconciler"}:
|
||||
return _scope_ok(locked, target, branch_issue)
|
||||
|
||||
if require_lock_for_author and locked is None:
|
||||
reasons.append(
|
||||
"no owning issue lock is bound for this author session; "
|
||||
"source/test mutation requires selecting or creating an owning issue first"
|
||||
)
|
||||
blocker_kind = BLOCKER_MISSING_ISSUE_SCOPE
|
||||
|
||||
if locked is not None and target is not None and locked != target:
|
||||
reasons.append(
|
||||
f"session is locked to issue #{locked} but mutation targets issue "
|
||||
f"#{target}; out-of-scope until the owning issue is selected"
|
||||
)
|
||||
blocker_kind = BLOCKER_OUT_OF_SCOPE_ISSUE
|
||||
|
||||
if locked is not None and branch_issue is not None and locked != branch_issue:
|
||||
reasons.append(
|
||||
f"session is locked to issue #{locked} but workspace branch is for "
|
||||
f"issue #{branch_issue}; bind the matching issue-backed worktree"
|
||||
)
|
||||
blocker_kind = BLOCKER_OUT_OF_SCOPE_ISSUE
|
||||
|
||||
if reasons:
|
||||
kind = blocker_kind or BLOCKER_MISSING_ISSUE_SCOPE
|
||||
return {
|
||||
"proven": False,
|
||||
"block": True,
|
||||
"blocker_kind": kind,
|
||||
"exact_next_action": _NEXT_ACTIONS[kind],
|
||||
"reasons": reasons,
|
||||
"locked_issue_number": locked,
|
||||
"target_issue_number": target,
|
||||
"branch_issue_number": branch_issue,
|
||||
}
|
||||
return _scope_ok(locked, target, branch_issue)
|
||||
|
||||
|
||||
def assess_root_source_mutation(
|
||||
*,
|
||||
workspace_path: str,
|
||||
canonical_repo_root: str,
|
||||
porcelain_status: str,
|
||||
current_branch: str | None = None,
|
||||
locked_issue_number: int | None = None,
|
||||
role_kind: str | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Fail closed for diagnostic/source edits on the control/root checkout.
|
||||
|
||||
Allowed only when the active workspace is under ``branches/``. Dirty
|
||||
tracked source/test files on the control checkout always block, including
|
||||
temporary/diagnostic/test-only intent.
|
||||
"""
|
||||
role = (role_kind or "").strip().lower()
|
||||
if role == "reconciler":
|
||||
return {
|
||||
"proven": True,
|
||||
"block": False,
|
||||
"blocker_kind": None,
|
||||
"exact_next_action": "proceed",
|
||||
"reasons": [],
|
||||
"dirty_source_files": [],
|
||||
}
|
||||
|
||||
root = os.path.realpath(canonical_repo_root or "")
|
||||
workspace = os.path.realpath(workspace_path or root or ".")
|
||||
under_branches = author_mutation_worktree.is_path_under_branches(workspace, root)
|
||||
dirty_src = dirty_source_files(porcelain_status)
|
||||
reasons: list[str] = []
|
||||
blocker_kind: str | None = None
|
||||
|
||||
if not under_branches and workspace == root and dirty_src:
|
||||
# Root workspace with source dirtiness is unattributed root WIP.
|
||||
# (Clean-root author binding is enforced by branches-only #274.)
|
||||
reasons.append(
|
||||
"control/root checkout has tracked source or test edits "
|
||||
f"(dirty files: {', '.join(dirty_src)}); diagnostic or temporary "
|
||||
"edits on the root checkout are forbidden"
|
||||
)
|
||||
blocker_kind = BLOCKER_ROOT_DIAGNOSTIC_EDIT
|
||||
|
||||
if (
|
||||
not under_branches
|
||||
and workspace == root
|
||||
and not dirty_src
|
||||
and role == "author"
|
||||
):
|
||||
# Explicit missing-worktree signal for force-on author entrypoints.
|
||||
reasons.append(
|
||||
"author source/test mutation from the stable control checkout is "
|
||||
"forbidden; bind an issue-backed worktree under branches/ first"
|
||||
)
|
||||
blocker_kind = BLOCKER_MISSING_WORKTREE
|
||||
|
||||
if reasons:
|
||||
kind = blocker_kind or BLOCKER_ROOT_DIAGNOSTIC_EDIT
|
||||
return {
|
||||
"proven": False,
|
||||
"block": True,
|
||||
"blocker_kind": kind,
|
||||
"exact_next_action": _NEXT_ACTIONS[kind],
|
||||
"reasons": reasons,
|
||||
"dirty_source_files": dirty_src,
|
||||
"workspace_path": workspace,
|
||||
"canonical_repo_root": root,
|
||||
"under_branches": under_branches,
|
||||
"locked_issue_number": locked_issue_number,
|
||||
}
|
||||
return {
|
||||
"proven": True,
|
||||
"block": False,
|
||||
"blocker_kind": None,
|
||||
"exact_next_action": "proceed",
|
||||
"reasons": [],
|
||||
"dirty_source_files": dirty_src,
|
||||
"workspace_path": workspace,
|
||||
"canonical_repo_root": root,
|
||||
"under_branches": under_branches,
|
||||
"locked_issue_number": locked_issue_number,
|
||||
}
|
||||
|
||||
|
||||
def assess_production_mutation_guards(
|
||||
*,
|
||||
workspace_path: str,
|
||||
canonical_repo_root: str,
|
||||
porcelain_status: str,
|
||||
current_branch: str | None = None,
|
||||
locked_issue_number: int | None = None,
|
||||
target_issue_number: int | None = None,
|
||||
role_kind: str | None = None,
|
||||
require_author_lock: bool = False,
|
||||
in_test_mode: bool = False,
|
||||
) -> dict[str, Any]:
|
||||
"""Compose root + scope production guards when they must be active (#683)."""
|
||||
if not production_guards_active(in_test_mode=in_test_mode):
|
||||
return {
|
||||
"proven": True,
|
||||
"block": False,
|
||||
"blocker_kind": None,
|
||||
"exact_next_action": "proceed",
|
||||
"reasons": [],
|
||||
"skipped": True,
|
||||
"skip_reason": "production guards not active (test isolation without force-on)",
|
||||
}
|
||||
|
||||
root_assess = assess_root_source_mutation(
|
||||
workspace_path=workspace_path,
|
||||
canonical_repo_root=canonical_repo_root,
|
||||
porcelain_status=porcelain_status,
|
||||
current_branch=current_branch,
|
||||
locked_issue_number=locked_issue_number,
|
||||
role_kind=role_kind,
|
||||
)
|
||||
if root_assess["block"]:
|
||||
return {**root_assess, "skipped": False}
|
||||
|
||||
scope_assess = assess_issue_scope_ownership(
|
||||
locked_issue_number=locked_issue_number,
|
||||
target_issue_number=target_issue_number,
|
||||
branch_name=current_branch,
|
||||
role_kind=role_kind,
|
||||
require_lock_for_author=require_author_lock,
|
||||
)
|
||||
if scope_assess["block"]:
|
||||
return {**scope_assess, "skipped": False}
|
||||
|
||||
return {
|
||||
"proven": True,
|
||||
"block": False,
|
||||
"blocker_kind": None,
|
||||
"exact_next_action": "proceed",
|
||||
"reasons": [],
|
||||
"skipped": False,
|
||||
"root": root_assess,
|
||||
"scope": scope_assess,
|
||||
}
|
||||
|
||||
|
||||
def raise_if_blocked(assessment: dict[str, Any]) -> None:
|
||||
"""Raise :class:`ProductionGuardError` when *assessment* blocks."""
|
||||
if not assessment or not assessment.get("block"):
|
||||
return
|
||||
kind = assessment.get("blocker_kind") or BLOCKER_PRODUCTION_GUARD
|
||||
reasons = list(assessment.get("reasons") or ["production guard violation"])
|
||||
message = (
|
||||
f"Workflow scope guard (#683) [{kind}]: {'; '.join(reasons)}. "
|
||||
f"exact_next_action: {assessment.get('exact_next_action') or _NEXT_ACTIONS.get(kind, '')}"
|
||||
)
|
||||
raise ProductionGuardError(
|
||||
message,
|
||||
blocker_kind=kind,
|
||||
exact_next_action=assessment.get("exact_next_action"),
|
||||
reasons=reasons,
|
||||
details={
|
||||
k: v
|
||||
for k, v in assessment.items()
|
||||
if k
|
||||
not in {
|
||||
"proven",
|
||||
"block",
|
||||
"blocker_kind",
|
||||
"exact_next_action",
|
||||
"reasons",
|
||||
}
|
||||
},
|
||||
)
|
||||
|
||||
|
||||
def block_response(
|
||||
assessment: dict[str, Any] | ProductionGuardError | None = None,
|
||||
*,
|
||||
blocker_kind: str | None = None,
|
||||
reasons: list[str] | None = None,
|
||||
exact_next_action: str | None = None,
|
||||
**extra: Any,
|
||||
) -> dict[str, Any]:
|
||||
"""Structured fail-closed tool response with typed blocker fields."""
|
||||
if isinstance(assessment, ProductionGuardError):
|
||||
kind = assessment.blocker_kind
|
||||
reason_list = list(assessment.reasons)
|
||||
next_action = assessment.exact_next_action
|
||||
extra = {**assessment.details, **extra}
|
||||
elif isinstance(assessment, dict) and assessment.get("block"):
|
||||
kind = assessment.get("blocker_kind") or BLOCKER_PRODUCTION_GUARD
|
||||
reason_list = list(assessment.get("reasons") or [])
|
||||
next_action = assessment.get("exact_next_action") or _NEXT_ACTIONS.get(
|
||||
kind, _NEXT_ACTIONS[BLOCKER_PRODUCTION_GUARD]
|
||||
)
|
||||
else:
|
||||
kind = (blocker_kind or BLOCKER_PRODUCTION_GUARD).strip()
|
||||
if kind not in BLOCKER_KINDS:
|
||||
kind = BLOCKER_PRODUCTION_GUARD
|
||||
reason_list = list(reasons or ["production guard violation"])
|
||||
next_action = exact_next_action or _NEXT_ACTIONS[kind]
|
||||
|
||||
if kind not in BLOCKER_KINDS:
|
||||
kind = BLOCKER_PRODUCTION_GUARD
|
||||
if not reason_list:
|
||||
reason_list = ["production guard violation"]
|
||||
next_action = (next_action or "").strip() or _NEXT_ACTIONS[kind]
|
||||
|
||||
out: dict[str, Any] = {
|
||||
"success": False,
|
||||
"performed": False,
|
||||
"blocker_kind": kind,
|
||||
"exact_next_action": next_action,
|
||||
"reasons": reason_list,
|
||||
}
|
||||
for key, value in extra.items():
|
||||
if key not in out and value is not None:
|
||||
out[key] = value
|
||||
return out
|
||||
|
||||
|
||||
def format_production_guard_error(assessment: dict[str, Any]) -> str:
|
||||
"""Single RuntimeError string carrying kind + exact next action."""
|
||||
kind = assessment.get("blocker_kind") or BLOCKER_PRODUCTION_GUARD
|
||||
reasons = "; ".join(assessment.get("reasons") or ["production guard violation"])
|
||||
next_action = assessment.get("exact_next_action") or _NEXT_ACTIONS.get(
|
||||
kind, _NEXT_ACTIONS[BLOCKER_PRODUCTION_GUARD]
|
||||
)
|
||||
return (
|
||||
f"Workflow scope guard (#683) [{kind}]: {reasons}. "
|
||||
f"exact_next_action: {next_action}"
|
||||
)
|
||||
|
||||
|
||||
# ── durable failure recording ────────────────────────────────────────────────
|
||||
|
||||
|
||||
def record_workflow_failure(
|
||||
*,
|
||||
kind: str,
|
||||
detail: str,
|
||||
issue_number: int | None = None,
|
||||
task: str | None = None,
|
||||
sink: Any | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Record a workflow/tool failure before source edits continue (#683 AC8).
|
||||
|
||||
*sink* may be a callable ``sink(record)`` (e.g. tests) or omitted for the
|
||||
in-process ledger only. Returns the durable record.
|
||||
"""
|
||||
record = {
|
||||
"kind": (kind or "workflow_failure").strip() or "workflow_failure",
|
||||
"detail": (detail or "").strip(),
|
||||
"issue_number": issue_number,
|
||||
"task": task,
|
||||
"pid": os.getpid(),
|
||||
}
|
||||
with _ledger_lock:
|
||||
_failure_ledger.append(dict(record))
|
||||
if callable(sink):
|
||||
sink(record)
|
||||
return record
|
||||
|
||||
|
||||
def clear_workflow_failure_ledger() -> None:
|
||||
"""Test helper: reset the in-process failure ledger."""
|
||||
with _ledger_lock:
|
||||
_failure_ledger.clear()
|
||||
|
||||
|
||||
def workflow_failure_ledger() -> list[dict[str, Any]]:
|
||||
"""Copy of durable in-process failure records."""
|
||||
with _ledger_lock:
|
||||
return [dict(r) for r in _failure_ledger]
|
||||
|
||||
|
||||
def assess_durable_failure_recorded(
|
||||
*,
|
||||
require_record: bool,
|
||||
pending_source_mutation: bool,
|
||||
) -> dict[str, Any]:
|
||||
"""Block source mutation when a workflow failure was not recorded first."""
|
||||
if not require_record or not pending_source_mutation:
|
||||
return {
|
||||
"proven": True,
|
||||
"block": False,
|
||||
"blocker_kind": None,
|
||||
"exact_next_action": "proceed",
|
||||
"reasons": [],
|
||||
}
|
||||
with _ledger_lock:
|
||||
has_record = bool(_failure_ledger)
|
||||
if has_record:
|
||||
return {
|
||||
"proven": True,
|
||||
"block": False,
|
||||
"blocker_kind": None,
|
||||
"exact_next_action": "proceed",
|
||||
"reasons": [],
|
||||
}
|
||||
return {
|
||||
"proven": False,
|
||||
"block": True,
|
||||
"blocker_kind": BLOCKER_UNRECORDED_FAILURE,
|
||||
"exact_next_action": _NEXT_ACTIONS[BLOCKER_UNRECORDED_FAILURE],
|
||||
"reasons": [
|
||||
"workflow/tool failure triggered a need for source changes but no "
|
||||
"durable failure record exists yet"
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
def porcelain_preserves_python_paths(porcelain_status: str) -> bool:
|
||||
"""Regression helper: dirty ``*.py`` lines must remain visible (#683)."""
|
||||
text = porcelain_status or ""
|
||||
for line in text.splitlines():
|
||||
stripped = line.strip()
|
||||
if stripped.endswith(".py") or ".py " in stripped or stripped.endswith(".py"):
|
||||
# Any py path present proves no silent strip of all *.py lines.
|
||||
if " M " in f" {stripped}" or stripped[:1] in "MADRCTU" or len(line) >= 4:
|
||||
return True
|
||||
# Empty porcelain is fine; integrity means we did not strip when present.
|
||||
return ".py" not in text
|
||||
|
||||
|
||||
def assert_no_pytest_porcelain_filter(source_text: str) -> list[str]:
|
||||
"""Static check: production reader must not strip ``*.py`` under pytest."""
|
||||
findings: list[str] = []
|
||||
lowered = source_text or ""
|
||||
if "endswith(\".py\")" in lowered or "endswith('.py')" in lowered:
|
||||
if "pytest" in lowered and "porcelain" in lowered.lower():
|
||||
findings.append(
|
||||
"production porcelain reader must not filter *.py under pytest "
|
||||
"(rejected 300a4ca pattern)"
|
||||
)
|
||||
if "if \"pytest\" in sys.modules" in lowered and "porcelain" in lowered.lower():
|
||||
if ".py" in lowered and ("join" in lowered or "endswith" in lowered):
|
||||
findings.append(
|
||||
"test-mode porcelain filtering of source files is forbidden (#683)"
|
||||
)
|
||||
return findings
|
||||
|
||||
|
||||
def _scope_ok(
|
||||
locked: int | None,
|
||||
target: int | None,
|
||||
branch_issue: int | None,
|
||||
) -> dict[str, Any]:
|
||||
return {
|
||||
"proven": True,
|
||||
"block": False,
|
||||
"blocker_kind": None,
|
||||
"exact_next_action": "proceed",
|
||||
"reasons": [],
|
||||
"locked_issue_number": locked,
|
||||
"target_issue_number": target,
|
||||
"branch_issue_number": branch_issue,
|
||||
}
|
||||
@@ -35,7 +35,7 @@ from datetime import datetime, timezone
|
||||
from typing import Any
|
||||
|
||||
from merged_cleanup_reconcile import branch_worktree_folder, read_local_worktree_state
|
||||
from reviewer_worktree import parse_dirty_tracked_files
|
||||
from reviewer_worktree import parse_dirty_tracked_files, REVIEW_WORKTREE_RE
|
||||
|
||||
PROTECTED_BRANCHES = frozenset({"master", "main", "dev"})
|
||||
DEFAULT_TTL_HOURS = float(os.environ.get("GITEA_WORKTREE_TTL_HOURS", "24") or 24)
|
||||
@@ -508,10 +508,8 @@ DISPOSITIONS = frozenset({
|
||||
"unsafe_unknown",
|
||||
})
|
||||
|
||||
REVIEW_WORKTREE_RE = re.compile(
|
||||
r"branches/(?:review-pr\d+|merge-simulation-pr\d+|review-[\w-]+)",
|
||||
re.IGNORECASE,
|
||||
)
|
||||
|
||||
|
||||
|
||||
|
||||
def normalize_path(path: str) -> str:
|
||||
|
||||
Reference in New Issue
Block a user