Compare commits

..
Author SHA1 Message Date
sysadmin 576349d545 fix(guard): pin session-state authority and reject direct-import mutation (#695)
Close remaining AC1/AC2/AC6-8 gaps after REQUEST_CHANGES and the PR #701
recurrence: GITEA_ALLOW_DIRECT_MCP_IMPORT never authorizes mutations;
production transport bind pins GITEA_MCP_SESSION_STATE_DIR so redirected
dirs cannot forge independent decision locks; mark/submit fail closed
offline; quarantine continues to void contaminated merge eligibility.

Regression tests reproduce the PR #701 direct-import + state-dir override
sequence. Full suite: 2665 passed, 6 skipped.

Closes #695 (remediation on PR #696)
2026-07-13 21:48:28 -04:00
sysadmin ae6f0b74db fix(guard): close allow_test_bootstrap and basename entrypoint bypasses (#695)
Remove the public allow_test_bootstrap production seam so caller-controlled
flags cannot forge native mutation provenance. Bind provenance to the resolved
canonical entrypoint path plus a live stdio transport bind; basename-only
mcp_server.py stack frames and import-only launch no longer authorize
mutations. Test-mode install_test_native_runtime is pytest-only and cannot
reach production Gitea mutation endpoints. Add AC9 regressions for both
reviewer-found bypasses and related spoof vectors.

Refs: PR #696 REQUEST_CHANGES at 253269c; issue #695 comments 11002/11005.
2026-07-13 21:48:28 -04:00
sysadmin 553f745f23 feat(guard): native MCP transport binding and contaminated-review quarantine (Closes #695)
Bind mutation/credential paths to a process-local native MCP runtime so env
spoofing, direct imports, and offline helpers cannot reconstruct session gates
after native transport failure. Quarantine contaminated formal reviews under
controller authority and honor quarantine in review feedback, merge eligibility,
merge mutation, and canonical handoff validation. Add regression coverage for
the second (PR #694 / review 427) incident class.
2026-07-13 21:48:28 -04:00
sysadmin cc3ad0870a Merge pull request 'fix(validator): align final-report validator with canonical schema (Closes #698)' (#705) from fix/issue-698-report-validator-schema into master 2026-07-13 17:26:11 -05:00
19 changed files with 2415 additions and 87 deletions
+21
View File
@@ -386,6 +386,27 @@ def assess_canonical_comment(
if not related or related.lower() in {"none", "n/a", "-"}:
missing.append("RELATED_PRS")
# #695 AC7: untrusted / offline approval claims cannot certify merger handoff.
try:
import review_quarantine as _rq
for claim_reason in _rq.assess_untrusted_canonical_approval_claim(text):
extra.append(claim_reason)
except Exception:
# Fail closed on import/runtime errors for approval-shaped claims only.
lower = text.lower()
if (
"state:\napproved" in lower
or "who_is_next:\nmerger" in lower
or "merge_ready: true" in lower
or "merge_ready:\ntrue" in lower
or "ready-to-merge" in lower
):
extra.append(
"canonical approval/merge-ready claim could not be verified "
"for native review proof (#695 AC7; fail closed)"
)
allowed = not missing and not vague and not extra
correction = ""
if not allowed:
+80 -11
View File
@@ -1,23 +1,92 @@
# MCP daemon import and keychain guard (#558)
# MCP daemon import and native-transport guard (#558 / #695)
## Problem
During deadlock debugging, agents imported `gitea_mcp_server` / ran credential
helpers from a raw shell, bypassing preflight purity and role gates.
During deadlock debugging and the PR #694 incident (#695), agents imported
`gitea_mcp_server` or ran credential helpers from a raw shell / offline helper,
bypassing native MCP transport, preflight purity, and role gates. Contaminated
formal reviews then looked identical to native approvals.
## Rule
Mutation auth and keychain fill require a **sanctioned MCP daemon** process.
Mutation auth, keychain fill, and controller quarantine require a **production
native MCP transport runtime** established only by:
1. the **resolved absolute path** of the canonical entrypoint
(`mcp_server.py` / `gitea_mcp_server.py` next to `mcp_daemon_guard.py`), and
2. a live **transport bind** (`bind_native_mcp_transport(transport="stdio")`)
immediately before `mcp.run`.
Basename-only trust (a renamed file called `mcp_server.py`), caller-controlled
flags (there is **no** `allow_test_bootstrap`), environment variables, stack
frame spoofing, or import-only launch are insufficient.
| Context | Allowed |
|---------|---------|
| Official MCP entrypoint (`mcp_server.py` / `gitea_mcp_server` `__main__`) sets `GITEA_MCP_SANCTIONED_DAEMON=1` | yes |
| pytest | yes |
| `GITEA_ALLOW_DIRECT_MCP_IMPORT=1` (operator/tests only) | yes |
| bare `python -c 'import gitea_auth; get_auth_header(...)'` | **no** |
| keychain fill without daemon | **no** unless `GITEA_ALLOW_KEYCHAIN_CLI=1` |
| Official IDE-native MCP: resolved canonical entrypoint marks + binds stdio, holds process-local runtime token | yes |
| pytest (hermetic unit tests) via `is_pytest_runtime()` | yes for unit gates |
| `install_test_native_runtime()` under pytest (test-mode record) | unit-test transport gates only — **never** production Gitea mutations |
| `allow_test_bootstrap=True` (removed; must not exist) | **no** |
| Renamed runner basename `mcp_server.py` outside package root | **no** |
| Import/launch of real entrypoint without transport bind | **no** |
| `GITEA_MCP_SANCTIONED_DAEMON=1` alone (no process-local native runtime) | **no** (#695) |
| `GITEA_ALLOW_DIRECT_MCP_IMPORT=1` in LLM sessions | **no** — never set; never authorizes mutations (#695 AC1 / PR #701) |
| Override `GITEA_MCP_SESSION_STATE_DIR` mid-session | **no** — production bind pins state root; redirect cannot forge independent decision locks (#695 AC2 / PR #701) |
| `GITEA_ALLOW_KEYCHAIN_CLI=1` in LLM sessions | **no** — human operator only |
| bare `python -c 'import gitea_mcp_server; …'` or offline runners | **no** |
| keychain fill outside native/pytest | **no** |
Native runtime is **process-local**: a random token bound to the daemon PID and
transport phase. It is never reconstructed from environment variables,
session-state files, caller-controlled flags, or importing internals in a
fresh Python process.
## Contaminated review quarantine (#695 AC8)
Controller/reconciler/merger profiles may call
`gitea_quarantine_contaminated_review` with explicit confirmation:
```text
QUARANTINE CONTAMINATED REVIEW <review_id> PR <pr_number>
```
Quarantine records are durable under the MCP session-state root and are
**honored** by:
- `gitea_get_pr_review_feedback` (quarantined approvals do not authorize merge)
- `gitea_check_pr_eligibility` action=`merge`
- `gitea_merge_pr` (mutation)
- merger lease adoption paths that read `approval_at_current_head`
Forensic Gitea reviews and historical comments are **never deleted**.
## STOP after native MCP failure (AC10)
If the native MCP namespace dies (EOF, capability disconnect, session death):
1. **STOP.** State BLOCKED + DIAGNOSE.
2. Do **not** import `gitea_mcp_server` from a standalone process.
3. Do **not** run `offline_mcp_helper.py`, `offline_mcp_runner.py`,
`run_quarantine.py`, or any offline mutation helper.
4. Do **not** set direct-import, keychain-bypass, or raw-token environment
variables.
5. Reconnect / restart the official MCP daemon; resume only via native tools.
Any further native MCP failure is a hard stop. Do not construct another fallback.
## Canonical approval claims (AC7)
Comments that claim `approved` / `ready-to-merge` / `WHO_IS_NEXT: merger` /
`MERGE_READY: true` must include:
```text
NATIVE_REVIEW_PROOF: transport=native_mcp; …
```
Claims that cite offline/import helpers are rejected even if a proof line is
present.
## Operator note
LLM sessions must never set the allow-direct-import or allow-keychain-cli
overrides. Those are human-only escape hatches.
LLM sessions must never set allow-direct-import, allow-keychain-cli, or raw
token overrides. Those are human-only escape hatches outside agent workflows.
+418 -10
View File
@@ -1109,6 +1109,8 @@ import issue_lock_store # noqa: E402
import issue_lock_adoption # noqa: E402
import stacked_pr_support # noqa: E402
import merge_approval_gate # noqa: E402
import review_quarantine # noqa: E402 # #695 contaminated formal-review quarantine
import mcp_daemon_guard # noqa: E402 # #695 native transport provenance
import already_landed_reconcile # noqa: E402
import author_mutation_worktree # noqa: E402
import root_checkout_guard # noqa: E402
@@ -3055,6 +3057,51 @@ def gitea_check_pr_eligibility(
elif result["mergeable"] is None:
reasons.append("PR mergeability unknown")
# #695: merge eligibility must honor quarantine-aware formal review feedback.
# Contaminated approvals (e.g. review 427 on PR #694) must not make merge
# eligible even when Gitea still shows APPROVED / mergeable=true.
if action == "merge" and not reasons:
try:
feedback = gitea_get_pr_review_feedback(
pr_number=pr_number, remote=remote, host=host, org=org, repo=repo,
)
except Exception as exc: # noqa: BLE001 — fail closed, never leak secrets
feedback = {
"success": False,
"reasons": [
"PR review feedback unavailable for merge eligibility "
f"(fail closed, #695): {_redact(str(exc))}"
],
}
result["approval_visible"] = feedback.get("approval_visible")
result["approval_at_current_head"] = feedback.get("approval_at_current_head")
result["quarantined_approvals_at_current_head"] = feedback.get(
"quarantined_approvals_at_current_head"
)
result["stale_approval_block_reason"] = feedback.get(
"stale_approval_block_reason"
)
result["has_blocking_change_requests"] = feedback.get(
"has_blocking_change_requests"
)
if not feedback.get("success"):
reasons.append(
"PR review feedback unavailable for merge eligibility (fail closed, #695)"
)
reasons.extend(feedback.get("reasons") or [])
elif feedback.get("has_blocking_change_requests"):
reasons.append(
"undismissed REQUEST_CHANGES review blocks merge eligibility (fail closed)"
)
elif not feedback.get("approval_at_current_head"):
reasons.append(
feedback.get("stale_approval_block_reason")
or (
"no non-quarantined APPROVED review at current head; "
"merge eligibility denied (#695)"
)
)
result["eligible"] = len(reasons) == 0
if result["eligible"]:
reasons.append("all eligibility checks passed")
@@ -3258,6 +3305,18 @@ def _save_review_decision_lock(data):
payload["profile_identity"] = binding["profile_identity"]
if binding.get("remote") and not payload.get("remote"):
payload["remote"] = binding["remote"]
# #695 AC6: stamp native transport provenance on durable decision locks.
try:
payload.update(
{
k: v
for k, v in mcp_daemon_guard.mutation_provenance_fields().items()
if v is not None
}
)
except Exception:
payload.setdefault("transport", "untrusted")
payload.setdefault("native_mcp_transport", False)
persisted = mcp_session_state.save_state(
kind=mcp_session_state.KIND_DECISION_LOCK,
payload=payload,
@@ -3453,6 +3512,10 @@ def record_live_review_mutation(pr_number: int, action: str, review_id: int | No
"action": action,
"review_id": review_id,
"review_state": action,
# #695 AC6: audit records expose native session/transport provenance.
**mcp_daemon_guard.mutation_provenance_fields(),
"writer_pid": os.getpid(),
"session_pid": lock.get("session_pid") or os.getpid(),
}
if head_sha:
entry["head_sha"] = head_sha
@@ -3678,30 +3741,68 @@ def gitea_get_pr_review_feedback(
base = f"{repo_api_url(h, o, r)}/pulls/{pr_number}"
pr = api_request("GET", base, auth) or {}
raw_reviews = api_request("GET", f"{base}/reviews", auth) or []
if not isinstance(pr, dict):
return {
"success": False,
"pr_number": pr_number,
"feedback_not_attempted": True,
"reasons": ["PR payload unavailable for review feedback (fail closed)"],
}
if not isinstance(raw_reviews, list):
raw_reviews = []
current_head = (pr.get("head") or {}).get("sha")
reveal = _reveal_endpoints()
ordered = sorted(
raw_reviews,
(rv for rv in raw_reviews if isinstance(rv, dict)),
key=lambda rv: ((rv.get("submitted_at") or ""), rv.get("id") or 0),
)
reviews = []
latest_by_reviewer = {}
latest_reviewed_head = None
quarantined_review_ids: set[int] = set()
quarantined_at_head = 0
for rv in ordered:
state = (rv.get("state") or "").upper()
reviewer = (rv.get("user") or {}).get("login", "")
commit_id = rv.get("commit_id")
rid = rv.get("id")
try:
rid_int = int(rid) if rid is not None else None
except (TypeError, ValueError):
rid_int = None
q = review_quarantine.is_review_quarantined(
remote=remote,
org=o,
repo=r,
pr_number=pr_number,
review_id=rid_int,
reviewed_head_sha=commit_id or current_head,
)
entry = {
"reviewer": reviewer,
"verdict": state,
"body": _redact(rv.get("body") or ""),
"submitted_at": rv.get("submitted_at"),
"reviewed_head_sha": commit_id,
"review_id": rid_int,
"dismissed": bool(rv.get("dismissed")),
"stale": bool(rv.get("stale")) or bool(
commit_id and current_head and commit_id != current_head),
"quarantined": bool(q.get("quarantined")),
}
if q.get("quarantined"):
entry["quarantine_reasons"] = q.get("reasons") or []
if rid_int is not None:
quarantined_review_ids.add(rid_int)
if (
state == "APPROVED"
and not entry["dismissed"]
and current_head
and commit_id
and commit_id == current_head
):
quarantined_at_head += 1
if reveal:
entry["url"] = rv.get("html_url")
reviews.append(entry)
@@ -3709,7 +3810,11 @@ def gitea_get_pr_review_feedback(
# per-reviewer verdict — otherwise a drive-by comment on the
# current head would mask the staleness of an older undismissed
# REQUEST_CHANGES.
# #695: quarantined formal reviews never authorize merge and must not
# become the reviewer's latest active verdict for eligibility/merge.
if state in _VERDICT_STATES and state != "COMMENT":
if entry.get("quarantined"):
continue
latest_reviewed_head = commit_id or latest_reviewed_head
if reviewer:
latest_by_reviewer[reviewer] = entry
@@ -3725,7 +3830,21 @@ def gitea_get_pr_review_feedback(
approval_head = merge_approval_gate.assess_merge_approval_head(
current_head_sha=current_head,
latest_by_reviewer=latest_by_reviewer,
quarantined_review_ids=quarantined_review_ids,
)
stale_reason = approval_head["stale_approval_block_reason"]
# When the only approvals at head are quarantined, they were excluded from
# latest_by_reviewer; surface an explicit #695 void reason for eligibility/merge.
if (
not approval_head["approval_at_current_head"]
and quarantined_at_head
and not stale_reason
):
stale_reason = (
"contaminated/quarantined approval at current head is void for "
"merge authorization (#695); required next action: fresh native "
"MCP re-review after controller quarantine evidence is recorded"
)
return {
"success": True,
"pr_number": pr_number,
@@ -3738,7 +3857,14 @@ def gitea_get_pr_review_feedback(
"approval_visible": bool(approvals),
"approval_at_current_head": approval_head["approval_at_current_head"],
"latest_approved_head_sha": approval_head["latest_approved_head_sha"],
"stale_approval_block_reason": approval_head["stale_approval_block_reason"],
"stale_approval_block_reason": stale_reason,
"quarantined_review_ids": sorted(quarantined_review_ids),
"quarantined_approvals_at_current_head": (
max(
approval_head.get("quarantined_approvals_at_current_head") or 0,
quarantined_at_head,
)
),
"latest_reviewed_head_sha": latest_reviewed_head,
"review_feedback_stale": bool(
latest_reviewed_head and current_head
@@ -3747,6 +3873,7 @@ def gitea_get_pr_review_feedback(
e["reviewed_head_sha"] and current_head
and e["reviewed_head_sha"] != current_head
for e in blocking),
"native_runtime": mcp_daemon_guard.native_runtime_status(),
}
@@ -3926,6 +4053,15 @@ def _evaluate_pr_review_submission(
reasons.extend(review_workflow_load.recovery_handoff_without_replay())
return result
if live:
# #695 AC1/AC2: offline direct-import submit (PR #701 run_submit.py) fails closed.
try:
mcp_daemon_guard.assert_sanctioned_mutation_runtime(
"gitea_submit_pr_review"
)
mcp_daemon_guard.assert_no_direct_import_bypass("gitea_submit_pr_review")
except mcp_daemon_guard.UnsanctionedRuntimeError as exc:
reasons.append(str(exc))
return result
ns_gate = _live_namespace_health_gate("review_pr")
if ns_gate:
reasons.extend(ns_gate)
@@ -4113,6 +4249,16 @@ def gitea_mark_final_review_decision(
repo: str | None = None,
) -> dict:
"""Mark validation complete; the final review decision is ready to submit."""
# #695 AC1/AC2: direct import / redirected session state cannot mark final.
try:
mcp_daemon_guard.assert_sanctioned_mutation_runtime(
"gitea_mark_final_review_decision"
)
mcp_daemon_guard.assert_no_direct_import_bypass(
"gitea_mark_final_review_decision"
)
except mcp_daemon_guard.UnsanctionedRuntimeError as exc:
return {"marked_ready": False, "reasons": [str(exc)]}
action = (action or "").strip().lower()
lock = _load_review_decision_lock()
if lock is None:
@@ -5414,6 +5560,16 @@ def gitea_merge_pr(
result["pr_author"] = elig.get("pr_author")
result["head_sha"] = elig.get("head_sha")
result["mergeable"] = elig.get("mergeable")
# Surface #695 approval/quarantine fields from eligibility even on deny.
for _k in (
"approval_visible",
"approval_at_current_head",
"quarantined_approvals_at_current_head",
"stale_approval_block_reason",
"has_blocking_change_requests",
):
if _k in elig:
result[_k] = elig.get(_k)
if not elig.get("eligible"):
reasons.append("eligibility check for 'merge' failed (fail closed)")
reasons.extend(elig.get("reasons", []))
@@ -5521,16 +5677,31 @@ def gitea_merge_pr(
result["review_feedback_stale"] = feedback.get("review_feedback_stale")
result["has_blocking_change_requests"] = feedback.get(
"has_blocking_change_requests")
result["quarantined_review_ids"] = feedback.get("quarantined_review_ids") or []
result["quarantined_approvals_at_current_head"] = feedback.get(
"quarantined_approvals_at_current_head"
)
if feedback.get("has_blocking_change_requests"):
reasons.append(
"undismissed REQUEST_CHANGES review blocks merge (fail closed)"
)
return result
if not feedback.get("approval_visible"):
reasons.append(
"no visible APPROVED review on PR; verify review submission "
"completed before merge (fail closed)"
)
# #695: quarantined APPROVED reviews are not "visible" for merge auth.
if feedback.get("quarantined_approvals_at_current_head"):
reasons.append(
feedback.get("stale_approval_block_reason")
or (
"only contaminated/quarantined approval(s) at current head "
"(#695); merge authorization is void — fresh native MCP "
"re-review required after controller quarantine evidence"
)
)
else:
reasons.append(
"no visible APPROVED review on PR; verify review submission "
"completed before merge (fail closed)"
)
return result
if not feedback.get("approval_at_current_head"):
reasons.append(
@@ -12673,14 +12844,251 @@ def gitea_reclaim_expired_workflow_lease(
}
@mcp.tool()
def gitea_quarantine_contaminated_review(
pr_number: int,
review_id: int,
confirmation: str,
reason: str,
reviewed_head_sha: str,
incident_issue: int = 695,
forensic_comment_ids: list[int] | None = None,
remote: str = "dadeschools",
host: str | None = None,
org: str | None = None,
repo: str | None = None,
post_audit_comment: bool = True,
) -> dict:
"""Controller quarantine of a contaminated formal review (#695 AC8).
Writes a durable quarantine record that live feedback / eligibility /
merge gates honor by ``review_id``. Forensic Gitea review objects and
historical comments are retained (never deleted).
**Native transport only.** Untrusted local imports / offline scripts
cannot create quarantine records. Confirmation must equal exactly
``QUARANTINE CONTAMINATED REVIEW <review_id> PR <pr_number>``.
Restricted to reconciler / merger / controller profiles (not author or
the contaminated reviewer acting alone). Does not auto-apply to review
427 until an independent adversarial reviewer and controller deployment
of this tooling have completed.
"""
# Fail closed outside production native MCP before any mutation assessment.
# Test-mode bootstrap must never reach this production mutation endpoint (#695).
try:
mcp_daemon_guard.assert_production_mutation_runtime(
"gitea_quarantine_contaminated_review"
)
except mcp_daemon_guard.UnsanctionedRuntimeError as exc:
return {
"success": False,
"quarantined": False,
"reasons": [str(exc)],
"native_runtime": mcp_daemon_guard.native_runtime_status(),
}
assessment = review_quarantine.assess_quarantine_write(
confirmation=confirmation,
pr_number=pr_number,
review_id=review_id,
reason=reason,
native_required=True,
)
if not assessment.get("allowed"):
return {
"success": False,
"quarantined": False,
"reasons": assessment.get("reasons") or [],
"expected_confirmation": assessment.get("expected_confirmation"),
"native_runtime": mcp_daemon_guard.native_runtime_status(),
}
profile = get_profile()
profile_name = (profile.get("profile_name") or "").strip()
role = _actual_profile_role()
allowed_roles = {"reconciler", "merger"}
controller_named = "controller" in profile_name.lower()
if role not in allowed_roles and not controller_named:
return {
"success": False,
"quarantined": False,
"reasons": [
f"quarantine requires reconciler/merger/controller profile "
f"(active role={role!r}, profile={profile_name!r}); "
"author/reviewer-only sessions cannot quarantine (#695)"
],
"native_runtime": mcp_daemon_guard.native_runtime_status(),
}
comment_block = _profile_operation_gate("gitea.pr.comment")
if comment_block and post_audit_comment:
return {
"success": False,
"quarantined": False,
"reasons": comment_block,
"permission_report": _permission_block_report("gitea.pr.comment"),
}
read_block = _profile_operation_gate("gitea.read")
if read_block:
return {
"success": False,
"quarantined": False,
"reasons": read_block,
"permission_report": _permission_block_report("gitea.read"),
}
h, o, r = _resolve(remote, host, org, repo)
auth = _auth(h)
try:
identity = _authenticated_username(h) or profile.get("username") or ""
except Exception:
identity = profile.get("username") or ""
# Verify review exists (forensic retention — do not dismiss via Gitea API).
try:
reviews = (
api_request(
"GET",
f"{repo_api_url(h, o, r)}/pulls/{pr_number}/reviews",
auth,
)
or []
)
except Exception as exc: # noqa: BLE001
return {
"success": False,
"quarantined": False,
"reasons": [
f"could not list PR reviews before quarantine (fail closed): "
f"{_redact(str(exc))}"
],
}
match = None
for rv in reviews:
if int(rv.get("id") or 0) == int(review_id):
match = rv
break
if match is None:
return {
"success": False,
"quarantined": False,
"reasons": [
f"review_id {review_id} not found on PR #{pr_number} "
f"(fail closed; refuse quarantine of missing review)"
],
}
live_head = (match.get("commit_id") or "").strip().lower()
want_head = (reviewed_head_sha or "").strip().lower()
if want_head and live_head and want_head != live_head:
return {
"success": False,
"quarantined": False,
"reasons": [
f"reviewed_head_sha {want_head[:12]}… does not match review "
f"commit_id {live_head[:12]}… (fail closed, #695)"
],
}
record = review_quarantine.build_quarantine_record(
remote=remote,
org=o,
repo=r,
pr_number=pr_number,
review_id=review_id,
reviewed_head_sha=want_head or live_head,
reason=reason,
actor_username=identity,
profile_name=profile_name,
incident_issue=incident_issue,
forensic_comment_ids=forensic_comment_ids,
)
try:
written = review_quarantine.write_quarantine_record(record)
except mcp_daemon_guard.UnsanctionedRuntimeError as exc:
return {
"success": False,
"quarantined": False,
"reasons": [str(exc)],
"native_runtime": mcp_daemon_guard.native_runtime_status(),
}
except OSError as exc:
return {
"success": False,
"quarantined": False,
"reasons": [f"quarantine persist failed: {_redact(str(exc))}"],
}
audit_comment_id = None
if post_audit_comment:
body = review_quarantine.format_quarantine_audit_comment(record)
try:
with _audited(
"comment_pr",
host=h,
remote=remote,
org=o,
repo=r,
pr_number=pr_number,
request_metadata={"source": "quarantine_contaminated_review"},
):
posted = api_request(
"POST",
f"{repo_api_url(h, o, r)}/issues/{pr_number}/comments",
auth,
{"body": body},
)
if isinstance(posted, dict):
audit_comment_id = posted.get("id")
except Exception as exc: # noqa: BLE001
return {
"success": True,
"quarantined": True,
"review_id": review_id,
"pr_number": pr_number,
"path": written.get("path"),
"audit_comment_id": None,
"warnings": [
f"quarantine written but audit comment failed: "
f"{_redact(str(exc))}"
],
"record": {
k: v
for k, v in record.items()
if k != "native_provenance"
} | {
"native_provenance": record.get("native_provenance"),
},
"native_runtime": mcp_daemon_guard.native_runtime_status(),
}
return {
"success": True,
"quarantined": True,
"review_id": review_id,
"pr_number": pr_number,
"path": written.get("path"),
"audit_comment_id": audit_comment_id,
"retain_forensic_evidence": True,
"merge_authorization": "void",
"record": record,
"native_runtime": mcp_daemon_guard.native_runtime_status(),
"reasons": [
f"review_id {review_id} quarantined for PR #{pr_number}; "
"merge authorization void; forensic evidence retained (#695)"
],
}
# ── Entry point ───────────────────────────────────────────────────────────────
if __name__ == "__main__":
# #558: mark this process as the official MCP daemon before any tool
# dispatch so direct shell imports cannot reuse mutation/auth paths.
import mcp_daemon_guard
# #558 / #695: claim the resolved canonical entrypoint, then bind the live
# native MCP transport lifecycle before any tool dispatch. Env vars,
# basename-only stack frames, and import-only launch cannot reconstruct
# native transport; offline imports / standalone scripts fail closed.
mcp_daemon_guard.mark_sanctioned_daemon()
mcp_daemon_guard.bind_native_mcp_transport(transport="stdio")
# Lock this session's launch profile into the environment so child CLI
# processes (e.g. review_pr.py) can detect and refuse profile
# side-channel overrides (#199).
+460 -32
View File
@@ -1,67 +1,439 @@
"""Sanctioned MCP daemon guards for imports and credential access (#558).
"""Sanctioned MCP daemon guards for imports and credential access (#558 / #695).
Direct ``import gitea_mcp_server`` / ``import gitea_auth`` from a shell, plus
raw keychain dumps, bypass preflight purity and role gates. Mutation helpers
and keychain fallbacks therefore require an explicit sanctioned runtime.
Direct ``import gitea_mcp_server`` from a shell bypasses native MCP transport.
#558 introduced a daemon marker; #695 hardens it so:
Sanctioned contexts (any one):
- ``GITEA_MCP_SANCTIONED_DAEMON=1`` (set by the official MCP entrypoint)
- pytest (``PYTEST_CURRENT_TEST`` present)
- explicit operator opt-in ``GITEA_ALLOW_DIRECT_MCP_IMPORT=1`` (tests/tools only)
- Environment variables alone cannot reconstruct a native session
(``GITEA_MCP_SANCTIONED_DAEMON=1`` / ``GITEA_ALLOW_DIRECT_MCP_IMPORT=1`` are
insufficient for mutation gates).
- A process-local runtime record is established only by the resolved canonical
entrypoint path (not basename) **and** the actual native MCP transport
lifecycle (``bind_native_mcp_transport`` before ``mcp.run``). Merely
importing or launching the entrypoint offline does not grant mutation
authority.
- Public caller-controlled flags (including any former
``allow_test_bootstrap``) never establish trusted mutation provenance.
- Offline scripts that import internals fail closed on mutations.
- Pytest remains allowed for hermetic unit tests via ``is_pytest_runtime()``.
A separate test-only seam may establish a **test-mode** native record for
unit tests of transport gates; that record cannot authorize production
Gitea mutation endpoints.
Credential keychain fill additionally allows:
- ``GITEA_ALLOW_KEYCHAIN_CLI=1`` for operator-only non-MCP scripts that must
use git-credential (never the default for LLM shells).
Manual deletion of session-state files is never a recovery path.
"""
from __future__ import annotations
import hashlib
import inspect
import os
import secrets
import time
from pathlib import Path
from typing import Any
SANCTIONED_DAEMON_ENV = "GITEA_MCP_SANCTIONED_DAEMON"
ALLOW_DIRECT_IMPORT_ENV = "GITEA_ALLOW_DIRECT_MCP_IMPORT"
ALLOW_KEYCHAIN_CLI_ENV = "GITEA_ALLOW_KEYCHAIN_CLI"
# Test-only: force provenance failure even under pytest (#695 regressions).
FORCE_PROVENANCE_FAIL_ENV = "GITEA_TEST_FORCE_UNSANCTIONED"
# Process-local native runtime (never persisted, never read from env alone).
_NATIVE_RUNTIME: dict[str, Any] | None = None
# Production transport identifiers accepted by bind_native_mcp_transport.
_PRODUCTION_TRANSPORTS = frozenset({"stdio"})
_RUNTIME_MODE_PRODUCTION = "production"
_RUNTIME_MODE_TEST = "test"
_PHASE_ENTRYPOINT_CLAIMED = "entrypoint_claimed"
_PHASE_TRANSPORT_BOUND = "transport_bound"
# Default session-state root (mirrors mcp_session_state; kept local to avoid
# import cycles). Used only to pin authority at transport bind (#695 AC2).
_DEFAULT_SESSION_STATE_DIR = os.path.expanduser("~/.cache/gitea-tools/session-state")
SESSION_STATE_DIR_ENV = "GITEA_MCP_SESSION_STATE_DIR"
class UnsanctionedRuntimeError(RuntimeError):
"""Raised when mutation/credential code runs outside a sanctioned MCP daemon."""
"""Raised when mutation/credential code runs outside a native MCP daemon."""
def is_pytest_runtime() -> bool:
if os.environ.get("GITEA_TEST_FORCE_UNSANCTIONED") == "1":
if (os.environ.get(FORCE_PROVENANCE_FAIL_ENV) or "").strip() in {
"1",
"true",
"yes",
}:
return False
import sys
if "pytest" in sys.modules:
return True
return bool((os.environ.get("PYTEST_CURRENT_TEST") or "").strip())
def _package_root() -> Path:
"""Directory that contains the canonical MCP entrypoint modules."""
return Path(__file__).resolve().parent
def canonical_entrypoint_paths() -> frozenset[str]:
"""Resolved absolute paths of official entrypoints (not basenames)."""
root = _package_root()
return frozenset(
{
str((root / "mcp_server.py").resolve()),
str((root / "gitea_mcp_server.py").resolve()),
}
)
def _resolve_path(path: str | None) -> str | None:
if not path:
return None
try:
return str(Path(path).resolve())
except (OSError, RuntimeError, ValueError):
return None
def _caller_official_entrypoint_path() -> str | None:
"""Return the resolved canonical entrypoint path in the call stack, or None.
Basename-only matches (e.g. an attacker file named ``mcp_server.py``
elsewhere) are rejected. The path must equal one of
:func:`canonical_entrypoint_paths`.
"""
canonical = canonical_entrypoint_paths()
for frame in inspect.stack()[1:20]:
resolved = _resolve_path(frame.filename)
if resolved and resolved in canonical:
return resolved
return None
def _caller_is_official_entrypoint() -> bool:
"""True when invoked from a resolved canonical entrypoint path (#695)."""
return _caller_official_entrypoint_path() is not None
def _new_runtime_token() -> tuple[str, str]:
token = secrets.token_hex(32)
fingerprint = hashlib.sha256(token.encode()).hexdigest()[:16]
return token, fingerprint
def mark_sanctioned_daemon() -> dict[str, Any]:
"""Claim the official entrypoint for this process (#695).
This alone does **not** authorize mutations. Callers must subsequently
bind the native MCP transport via :func:`bind_native_mcp_transport`.
Only a stack frame whose **resolved absolute path** is the canonical
``mcp_server.py`` or ``gitea_mcp_server.py`` next to this module may
claim the entrypoint. Basename spoofing is rejected.
There is no public ``allow_test_bootstrap`` argument: caller-controlled
flags must never establish trusted mutation provenance. Hermetic tests
use :func:`install_test_native_runtime` (pytest-only, test mode).
"""
global _NATIVE_RUNTIME
if is_pytest_runtime():
# Under pytest, production mark is a no-op for transport authority.
# Tests that need a native-transport record use install_test_native_runtime.
return native_runtime_status()
entrypoint_path = _caller_official_entrypoint_path()
if entrypoint_path is None:
raise UnsanctionedRuntimeError(
"mark_sanctioned_daemon rejected: not called from the resolved "
"canonical MCP entrypoint path (#695). Basename-only names "
"(e.g. a renamed runner called mcp_server.py) are insufficient. "
"Offline import / standalone scripts cannot reconstruct native "
"transport. Stop after native MCP failure; do not run offline "
"mutation helpers."
)
token, fingerprint = _new_runtime_token()
_NATIVE_RUNTIME = {
"token": token,
"token_fingerprint": fingerprint,
"pid": os.getpid(),
"started_at": time.time(),
"entrypoint": "mcp_server",
"entrypoint_path": entrypoint_path,
"phase": _PHASE_ENTRYPOINT_CLAIMED,
"transport": None,
"mode": _RUNTIME_MODE_PRODUCTION,
}
# Legacy signal for older probes; alone does not authorize mutations.
os.environ[SANCTIONED_DAEMON_ENV] = "1"
return native_runtime_status()
def bind_native_mcp_transport(*, transport: str) -> dict[str, Any]:
"""Bind the live native MCP transport lifecycle (#695).
Must be called from the resolved canonical entrypoint immediately before
the real MCP server transport loop (e.g. ``mcp.run(transport=\"stdio\")``).
Requires a prior successful :func:`mark_sanctioned_daemon` claim in this
process. Import-only or offline launch without this bind leaves
:func:`is_native_mcp_transport` false.
"""
global _NATIVE_RUNTIME
transport_name = (transport or "").strip().lower()
if transport_name not in _PRODUCTION_TRANSPORTS:
raise UnsanctionedRuntimeError(
f"bind_native_mcp_transport rejected: transport {transport!r} is "
f"not a production MCP transport (#695). Allowed: "
f"{sorted(_PRODUCTION_TRANSPORTS)}."
)
entrypoint_path = _caller_official_entrypoint_path()
if entrypoint_path is None:
raise UnsanctionedRuntimeError(
"bind_native_mcp_transport rejected: not called from the resolved "
"canonical MCP entrypoint path (#695)."
)
if _NATIVE_RUNTIME is None or int(_NATIVE_RUNTIME.get("pid") or -1) != os.getpid():
raise UnsanctionedRuntimeError(
"bind_native_mcp_transport rejected: no entrypoint claim in this "
"process (#695). Call mark_sanctioned_daemon() from the official "
"entrypoint first."
)
if _NATIVE_RUNTIME.get("mode") != _RUNTIME_MODE_PRODUCTION:
raise UnsanctionedRuntimeError(
"bind_native_mcp_transport rejected: runtime mode is not "
"production (#695)."
)
claimed = (_NATIVE_RUNTIME.get("entrypoint_path") or "").strip()
if claimed and claimed != entrypoint_path:
raise UnsanctionedRuntimeError(
"bind_native_mcp_transport rejected: entrypoint path mismatch "
"between mark and bind (#695)."
)
# Pin session-state root for this server lifetime (#695 AC2 / PR #701).
# Changing GITEA_MCP_SESSION_STATE_DIR after bind must not manufacture a
# second authority domain for decision locks / workflow proofs.
raw_state = (os.environ.get(SESSION_STATE_DIR_ENV) or "").strip()
if not raw_state:
raw_state = _DEFAULT_SESSION_STATE_DIR
try:
pinned_state = str(Path(raw_state).resolve())
except (OSError, RuntimeError, ValueError):
pinned_state = raw_state
_NATIVE_RUNTIME["phase"] = _PHASE_TRANSPORT_BOUND
_NATIVE_RUNTIME["transport"] = transport_name
_NATIVE_RUNTIME["entrypoint_path"] = entrypoint_path
_NATIVE_RUNTIME["bound_at"] = time.time()
_NATIVE_RUNTIME["session_state_dir"] = pinned_state
os.environ[SANCTIONED_DAEMON_ENV] = "1"
return native_runtime_status()
def install_test_native_runtime() -> dict[str, Any]:
"""Pytest-only seam for hermetic native-transport unit tests (#695).
Establishes a **test-mode** process-local record so unit tests can exercise
gates that require ``is_native_mcp_transport()``. This record:
- is rejected outside pytest (including a fresh offline interpreter);
- never uses production mode;
- cannot authorize production Gitea mutation endpoints
(:func:`assert_production_mutation_runtime` / production path of
:func:`assert_sanctioned_mutation_runtime` when not under pytest).
There is no public caller-controlled flag that forges production native
transport.
"""
global _NATIVE_RUNTIME
if not is_pytest_runtime():
raise UnsanctionedRuntimeError(
"install_test_native_runtime rejected: test-mode native runtime "
"is only available under pytest (#695). allow_test_bootstrap and "
"similar caller-controlled flags do not exist and cannot authorize "
"a fresh offline interpreter."
)
token, fingerprint = _new_runtime_token()
_NATIVE_RUNTIME = {
"token": token,
"token_fingerprint": fingerprint,
"pid": os.getpid(),
"started_at": time.time(),
"entrypoint": "test_bootstrap",
"entrypoint_path": None,
"phase": _PHASE_TRANSPORT_BOUND,
"transport": "test",
"mode": _RUNTIME_MODE_TEST,
"bound_at": time.time(),
}
return native_runtime_status()
def clear_native_runtime_for_tests() -> None:
"""Test helper: drop native runtime (does not clear env)."""
global _NATIVE_RUNTIME
_NATIVE_RUNTIME = None
def pinned_session_state_dir() -> str | None:
"""Session-state root pinned for this production transport lifetime (#695 AC2).
When production native transport is bound, durable session proofs must use
this directory only. Env overrides of ``GITEA_MCP_SESSION_STATE_DIR`` after
bind are ignored so redirected dirs (e.g. ``.mcp_session_701``) cannot
manufacture independent decision-lock authority (PR #701 recurrence).
"""
if not is_production_native_mcp_transport():
return None
pinned = (_NATIVE_RUNTIME or {}).get("session_state_dir")
text = (str(pinned) if pinned is not None else "").strip()
return text or None
def direct_import_env_enabled() -> bool:
"""True when the legacy direct-import opt-in env is set (never authorizes)."""
return (os.environ.get(ALLOW_DIRECT_IMPORT_ENV) or "").strip().lower() in {
"1",
"true",
"yes",
}
def assert_no_direct_import_bypass(context: str = "mutation") -> None:
"""Fail closed when GITEA_ALLOW_DIRECT_MCP_IMPORT is used for mutations (#695 AC1).
The env flag is never a sanctioned recovery path for LLM/agent sessions.
Under pytest hermetic tests this is a no-op so unit tests can set the flag
to prove it does not grant authority.
"""
if is_pytest_runtime():
return
if not direct_import_env_enabled():
return
raise UnsanctionedRuntimeError(
f"{ALLOW_DIRECT_IMPORT_ENV} does not authorize {context} (#695 AC1). "
"Direct import of gitea_mcp_server mutation tools is forbidden. "
"Stop after native MCP failure; reconnect the official MCP daemon. "
"Do not set direct-import flags, offline runners, or redirected "
f"{SESSION_STATE_DIR_ENV} directories to reconstruct gates."
)
def is_native_mcp_transport() -> bool:
"""True when this process holds a transport-bound native runtime (#695)."""
if (os.environ.get(FORCE_PROVENANCE_FAIL_ENV) or "").strip() in {
"1",
"true",
"yes",
}:
return False
if _NATIVE_RUNTIME is None:
return False
if int(_NATIVE_RUNTIME.get("pid") or -1) != os.getpid():
return False
if not (_NATIVE_RUNTIME.get("token") or "").strip():
return False
if _NATIVE_RUNTIME.get("phase") != _PHASE_TRANSPORT_BOUND:
return False
if not (_NATIVE_RUNTIME.get("transport") or "").strip():
return False
return True
def is_production_native_mcp_transport() -> bool:
"""True only for production-mode, transport-bound native runtime."""
if not is_native_mcp_transport():
return False
return (_NATIVE_RUNTIME or {}).get("mode") == _RUNTIME_MODE_PRODUCTION
def is_sanctioned_mcp_daemon() -> bool:
if (os.environ.get(SANCTIONED_DAEMON_ENV) or "").strip() in {"1", "true", "yes"}:
return True
if (os.environ.get(ALLOW_DIRECT_IMPORT_ENV) or "").strip() in {"1", "true", "yes"}:
"""Backward-compatible name; #695 requires native transport, not env alone."""
if is_production_native_mcp_transport():
return True
if is_pytest_runtime():
return True
# Explicit direct-import override is for non-LLM operator/test tools only.
# It is deliberately ignored when a native runtime is expected for mutations
# under LLM sessions (tests use pytest path). Env alone never grants native.
return False
def mark_sanctioned_daemon() -> None:
"""Call from the official MCP server entrypoint before serving tools."""
os.environ[SANCTIONED_DAEMON_ENV] = "1"
def assert_production_mutation_runtime(context: str = "mutation") -> None:
"""Fail closed unless production native MCP transport is bound (#695).
Test-mode bootstrap records and pytest-only hermetic allowances do **not**
satisfy this gate. Use for production Gitea mutation endpoints that must
never be reachable via test bootstrap.
"""
if is_production_native_mcp_transport():
return
mode = (_NATIVE_RUNTIME or {}).get("mode")
if mode == _RUNTIME_MODE_TEST:
raise UnsanctionedRuntimeError(
f"Test-mode native runtime cannot authorize production {context} "
"(#695). install_test_native_runtime / former allow_test_bootstrap "
"must never reach real Gitea mutation endpoints."
)
assert_sanctioned_mutation_runtime(context)
def assert_sanctioned_mutation_runtime(context: str = "mutation") -> None:
"""Fail closed when server mutation code is used outside the MCP daemon."""
if is_sanctioned_mcp_daemon():
"""Fail closed when mutation code runs outside native MCP transport (#695).
Under pytest, hermetic unit tests are allowed (profile/permission tests).
Outside pytest, requires production-mode transport-bound native runtime.
Test-mode records do not authorize non-pytest production mutations.
``GITEA_ALLOW_DIRECT_MCP_IMPORT`` never authorizes mutations (#695 AC1).
"""
if is_pytest_runtime():
return
# AC1: direct-import env is never a mutation recovery path (PR #701).
assert_no_direct_import_bypass(context)
if is_production_native_mcp_transport():
return
mode = (_NATIVE_RUNTIME or {}).get("mode")
if mode == _RUNTIME_MODE_TEST:
raise UnsanctionedRuntimeError(
f"Test-mode native runtime cannot authorize production {context} "
"(#695). Test bootstrap cannot reach production mutation endpoints."
)
env_spoof = (os.environ.get(SANCTIONED_DAEMON_ENV) or "").strip() in {
"1",
"true",
"yes",
}
extra = ""
if env_spoof:
extra = (
f" Note: {SANCTIONED_DAEMON_ENV} alone is not sufficient (#695); "
"native transport requires the official MCP entrypoint and a live "
"transport bind."
)
phase = (_NATIVE_RUNTIME or {}).get("phase")
if phase == _PHASE_ENTRYPOINT_CLAIMED:
extra = (
(extra + " ") if extra else " "
) + (
"Entrypoint was claimed but native MCP transport was never bound "
"(#695); offline launch/import of the real entrypoint does not "
"grant mutation authority."
)
raise UnsanctionedRuntimeError(
f"Unsanctioned runtime blocked {context} (#558). "
"Do not import gitea_mcp_server / call mutation helpers from a raw "
"shell or ad-hoc script. Use the official MCP daemon entrypoint "
f"(sets {SANCTIONED_DAEMON_ENV}=1), or run under pytest. "
f"Operator-only override: {ALLOW_DIRECT_IMPORT_ENV}=1 (not for LLM sessions)."
f"Unsanctioned / non-native runtime blocked {context} (#695). "
"Do not import gitea_mcp_server or call mutation helpers from a raw "
"shell, offline runner, or ad-hoc script after native MCP failure. "
"Stop and reconnect the official MCP daemon (mcp_server.py) over "
"native transport. "
f"Do not set {ALLOW_DIRECT_IMPORT_ENV}, override "
f"{SESSION_STATE_DIR_ENV}, or use raw token env vars in LLM "
f"sessions.{extra}"
)
@@ -69,21 +441,77 @@ def assert_keychain_access_allowed() -> None:
"""Fail closed for git-credential keychain fill outside sanctioned contexts."""
if is_sanctioned_mcp_daemon():
return
# Operator-only keychain CLI remains available outside LLM mutation path.
if (os.environ.get(ALLOW_KEYCHAIN_CLI_ENV) or "").strip() in {"1", "true", "yes"}:
return
if not is_pytest_runtime():
# Still block pure env spoof of SANCTIONED_DAEMON for keychain when
# FORCE is set for tests.
if (os.environ.get(FORCE_PROVENANCE_FAIL_ENV) or "").strip() in {
"1",
"true",
"yes",
}:
pass
else:
return
raise UnsanctionedRuntimeError(
"Unsanctioned keychain/credential fill blocked (#558). "
"Unsanctioned keychain/credential fill blocked (#558/#695). "
"Token extraction via git-credential is only allowed inside the "
f"official MCP daemon ({SANCTIONED_DAEMON_ENV}=1), pytest, or with "
f"explicit operator opt-in {ALLOW_KEYCHAIN_CLI_ENV}=1."
f"official native MCP daemon or with explicit operator opt-in "
f"{ALLOW_KEYCHAIN_CLI_ENV}=1 (never for offline mutation runners)."
)
def runtime_status() -> dict[str, Any]:
def native_runtime_status() -> dict[str, Any]:
"""LLM-safe native runtime status (no raw token)."""
rt = _NATIVE_RUNTIME or {}
return {
"sanctioned_daemon": is_sanctioned_mcp_daemon(),
"native_mcp_transport": is_native_mcp_transport(),
"production_native_mcp_transport": is_production_native_mcp_transport(),
"pytest": is_pytest_runtime(),
"pid": rt.get("pid"),
"token_fingerprint": rt.get("token_fingerprint"),
"started_at": rt.get("started_at"),
"entrypoint": rt.get("entrypoint"),
"entrypoint_path": rt.get("entrypoint_path"),
"phase": rt.get("phase"),
"transport": rt.get("transport"),
"mode": rt.get("mode"),
"session_state_dir": pinned_session_state_dir() or rt.get("session_state_dir"),
"session_state_dir_pinned": pinned_session_state_dir() is not None,
"direct_import_env_set": direct_import_env_enabled(),
"env_sanctioned_alone_insufficient": True,
"sanctioned_env": SANCTIONED_DAEMON_ENV,
"allow_direct_import_env": ALLOW_DIRECT_IMPORT_ENV,
"session_state_dir_env": SESSION_STATE_DIR_ENV,
"allow_keychain_cli_env": ALLOW_KEYCHAIN_CLI_ENV,
}
def runtime_status() -> dict[str, Any]:
"""Backward-compatible status payload."""
status = native_runtime_status()
status["sanctioned_daemon"] = is_sanctioned_mcp_daemon()
return status
def mutation_provenance_fields() -> dict[str, Any]:
"""Fields to attach to live mutation / review audit records (#695 AC6)."""
st = native_runtime_status()
transport = "native_mcp" if st["native_mcp_transport"] else "untrusted"
if st.get("mode") == _RUNTIME_MODE_TEST and st["native_mcp_transport"]:
transport = "test_native_mcp"
return {
"transport": transport,
"native_mcp_transport": bool(st["native_mcp_transport"]),
"production_native_mcp_transport": bool(
st.get("production_native_mcp_transport")
),
"native_runtime_pid": st.get("pid"),
"native_token_fingerprint": st.get("token_fingerprint"),
"entrypoint": st.get("entrypoint"),
"phase": st.get("phase"),
"mode": st.get("mode"),
"session_state_dir": st.get("session_state_dir"),
"session_state_dir_pinned": bool(st.get("session_state_dir_pinned")),
}
+5 -3
View File
@@ -41,15 +41,17 @@ def check_conflict_markers():
check_conflict_markers()
# #558: official entrypoint marks the process as the sanctioned MCP daemon
# before loading mutation modules (blocks raw shell import bypasses).
# #558 / #695: claim the official entrypoint before loading mutation modules.
# This alone does NOT authorize mutations — gitea_mcp_server binds the live
# native MCP transport (stdio) immediately before mcp.run. Import-only or
# offline launch without that bind fails closed on mutations.
try:
import mcp_daemon_guard
mcp_daemon_guard.mark_sanctioned_daemon()
except Exception:
# Guard import failures must not hide conflict-marker infra_stop above;
# gitea_mcp_server main also marks sanctioned when run as __main__.
# gitea_mcp_server main also marks + binds when run as __main__.
pass
# Execute the actual server logic via exec in this namespace.
+50
View File
@@ -44,6 +44,34 @@ SESSION_PROFILE_LOCK_ENV = "GITEA_SESSION_PROFILE_LOCK"
def default_state_dir() -> str:
"""Resolve the durable session-state root.
When production native MCP transport is bound (#695 AC2), the directory
pinned at transport bind is authoritative: later overrides of
``GITEA_MCP_SESSION_STATE_DIR`` cannot manufacture a second authority
domain (PR #701 recurrence: ``.mcp_session_701`` evasion of cross-PR
decision locks).
"""
try:
import mcp_daemon_guard
pinned = mcp_daemon_guard.pinned_session_state_dir()
if pinned:
return pinned
except Exception:
# Fail open to env/default only when guard is unavailable (e.g. partial
# import during bootstrap). Mutation gates still fail closed separately.
pass
raw = (os.environ.get(STATE_DIR_ENV) or DEFAULT_STATE_DIR).strip()
return raw or DEFAULT_STATE_DIR
def env_session_state_dir_unpinned() -> str:
"""Raw env/default session-state dir ignoring production transport pin.
Intended for diagnostics and tests that assert pin behavior — not for
mutation-sensitive durable proofs under a bound native daemon.
"""
raw = (os.environ.get(STATE_DIR_ENV) or DEFAULT_STATE_DIR).strip()
return raw or DEFAULT_STATE_DIR
@@ -362,6 +390,26 @@ def save_state(
body["org"] = key_org
if key_repo is not None:
body["repo"] = key_repo
# Stamp session-state authority used for this write (#695 AC2 / AC6).
body.setdefault("session_state_dir", root)
try:
import mcp_daemon_guard
prov = mcp_daemon_guard.mutation_provenance_fields()
body.setdefault(
"native_token_fingerprint", prov.get("native_token_fingerprint")
)
body.setdefault(
"native_mcp_transport", bool(prov.get("native_mcp_transport"))
)
body.setdefault(
"production_native_mcp_transport",
bool(prov.get("production_native_mcp_transport")),
)
body.setdefault("transport", prov.get("transport"))
except Exception:
body.setdefault("native_mcp_transport", False)
body.setdefault("transport", "untrusted")
envelope = {
"kind": kind,
@@ -373,6 +421,8 @@ def save_state(
"recorded_at": body["recorded_at"],
"updated_at": body["updated_at"],
"writer_pid": body["writer_pid"],
"session_state_dir": body.get("session_state_dir"),
"transport": body.get("transport"),
"payload": body,
}
_write_json(path, envelope)
+43 -9
View File
@@ -1,7 +1,8 @@
"""Merge approval must pin the current PR head SHA (#471).
"""Merge approval must pin the current PR head SHA (#471 / #695).
Formal APPROVED reviews that predate the live PR head must not satisfy
``gitea_merge_pr`` eligibility. Pure assessment helpers are isolated here
``gitea_merge_pr`` eligibility. Contaminated / quarantined approvals (#695)
must not authorize merge either. Pure assessment helpers are isolated here
for hermetic unit tests apart from MCP HTTP calls.
"""
@@ -12,6 +13,7 @@ def assess_merge_approval_head(
*,
current_head_sha: str | None,
latest_by_reviewer: dict,
quarantined_review_ids: set | None = None,
) -> dict:
"""Return whether a visible approval applies to the live PR head.
@@ -19,18 +21,43 @@ def assess_merge_approval_head(
current_head_sha: Current PR head commit SHA.
latest_by_reviewer: Map of reviewer login → review entry dicts with
``verdict``, ``dismissed``, and ``reviewed_head_sha`` keys.
Optional ``review_id`` / ``id`` used for quarantine checks (#695).
quarantined_review_ids: Optional set of review IDs that must not count
toward merge authorization (#695).
Returns:
dict with ``approval_at_current_head``, ``latest_approved_head_sha``,
and ``stale_approval_block_reason`` (set when merge must fail closed).
"""
current = (current_head_sha or "").strip()
approved_entries = [
entry
for entry in (latest_by_reviewer or {}).values()
if (entry.get("verdict") or "").upper() == "APPROVED"
and not entry.get("dismissed")
]
blocked_ids = {int(x) for x in (quarantined_review_ids or set()) if x is not None}
def _rid(entry: dict):
raw = entry.get("review_id", entry.get("id"))
try:
return int(raw) if raw is not None else None
except (TypeError, ValueError):
return None
approved_entries = []
quarantined_at_head = []
for entry in (latest_by_reviewer or {}).values():
if (entry.get("verdict") or "").upper() != "APPROVED":
continue
if entry.get("dismissed"):
continue
rid = _rid(entry)
head = (entry.get("reviewed_head_sha") or "").strip()
if rid is not None and rid in blocked_ids:
if current and head == current:
quarantined_at_head.append(entry)
continue
if entry.get("quarantined"):
if current and head == current:
quarantined_at_head.append(entry)
continue
approved_entries.append(entry)
at_current = any(
(entry.get("reviewed_head_sha") or "").strip() == current
for entry in approved_entries
@@ -47,7 +74,13 @@ def assess_merge_approval_head(
)[-1]
latest_approved = (latest_entry.get("reviewed_head_sha") or "").strip() or None
reason = None
if approved_entries and not at_current:
if quarantined_at_head and not at_current:
reason = (
"contaminated/quarantined approval at current head is void for "
"merge authorization (#695); required next action: fresh native "
"MCP re-review after controller quarantine evidence is recorded"
)
elif approved_entries and not at_current:
reason = (
f"stale approval: approved SHA '{latest_approved}' does not match "
f"current live PR head SHA '{current or '(unknown)'}' (fail closed); "
@@ -58,4 +91,5 @@ def assess_merge_approval_head(
"approval_at_current_head": at_current,
"latest_approved_head_sha": latest_approved,
"stale_approval_block_reason": reason,
"quarantined_approvals_at_current_head": len(quarantined_at_head),
}
+351
View File
@@ -0,0 +1,351 @@
"""Controller quarantine of contaminated formal reviews (#695).
Quarantine records are durable under the MCP session-state root and are only
writable when the caller holds a **native** MCP transport runtime. Untrusted
local scripts that import this module cannot establish a valid quarantine
(writes fail closed). Live server-side gates (eligibility, merge, feedback)
honor quarantine by review_id + PR + head.
Forensic evidence (Gitea review objects, lease comments) is never deleted.
"""
from __future__ import annotations
import json
import os
from datetime import datetime, timezone
from typing import Any
import mcp_daemon_guard
import mcp_session_state
KIND_QUARANTINE = "review_quarantine"
CONFIRMATION_PREFIX = "QUARANTINE CONTAMINATED REVIEW"
def _now() -> str:
return datetime.now(timezone.utc).isoformat()
def quarantine_state_path(
*,
remote: str,
org: str,
repo: str,
pr_number: int,
review_id: int,
) -> str:
# Dedicated subdir under session state root (mode 0o700).
root = os.path.join(mcp_session_state.default_state_dir(), "quarantine")
os.makedirs(root, mode=0o700, exist_ok=True)
# Explicit multi-segment key so remote/org/repo/pr/review cannot collide.
segs = [
KIND_QUARANTINE,
mcp_session_state._sanitize_segment(remote),
mcp_session_state._sanitize_segment(org),
mcp_session_state._sanitize_segment(repo),
f"pr{int(pr_number)}",
f"rev{int(review_id)}",
]
return os.path.join(root, "-".join(segs) + ".json")
def build_quarantine_record(
*,
remote: str,
org: str,
repo: str,
pr_number: int,
review_id: int,
reviewed_head_sha: str,
reason: str,
actor_username: str | None,
profile_name: str | None,
incident_issue: int | None = None,
forensic_comment_ids: list[int] | None = None,
) -> dict[str, Any]:
provenance = mcp_daemon_guard.mutation_provenance_fields()
return {
"kind": KIND_QUARANTINE,
"issue_ref": "#695",
"remote": remote,
"org": org,
"repo": repo,
"pr_number": int(pr_number),
"review_id": int(review_id),
"reviewed_head_sha": (reviewed_head_sha or "").strip().lower(),
"reason": (reason or "").strip(),
"actor_username": actor_username,
"profile_name": profile_name,
"incident_issue": incident_issue,
"forensic_comment_ids": list(forensic_comment_ids or []),
"created_at": _now(),
"native_provenance": provenance,
"merge_authorization": "void",
"retain_forensic_evidence": True,
}
def assess_quarantine_write(
*,
confirmation: str,
pr_number: int,
review_id: int,
reason: str,
native_required: bool = True,
) -> dict[str, Any]:
"""Pure assessment of whether a quarantine write may proceed."""
reasons: list[str] = []
expected = f"{CONFIRMATION_PREFIX} {int(review_id)} PR {int(pr_number)}"
if (confirmation or "").strip() != expected:
reasons.append(
f"confirmation must equal exactly '{expected}' (fail closed, #695)"
)
if not (reason or "").strip():
reasons.append("quarantine reason is required (fail closed, #695)")
if native_required and not mcp_daemon_guard.is_native_mcp_transport():
if not mcp_daemon_guard.is_pytest_runtime():
reasons.append(
"quarantine write requires native MCP transport; untrusted "
"local code cannot create quarantine records (#695)"
)
return {
"allowed": not reasons,
"expected_confirmation": expected,
"reasons": reasons,
}
def write_quarantine_record(record: dict[str, Any]) -> dict[str, Any]:
"""Persist quarantine record; fail closed outside native/pytest runtime."""
if not mcp_daemon_guard.is_native_mcp_transport():
if not mcp_daemon_guard.is_pytest_runtime():
raise mcp_daemon_guard.UnsanctionedRuntimeError(
"quarantine write blocked: non-native runtime (#695)"
)
path = quarantine_state_path(
remote=str(record["remote"]),
org=str(record["org"]),
repo=str(record["repo"]),
pr_number=int(record["pr_number"]),
review_id=int(record["review_id"]),
)
# Refuse overwriting with weaker provenance from untrusted caller by
# requiring native fields present.
if not (record.get("native_provenance") or {}).get("native_mcp_transport"):
if not mcp_daemon_guard.is_pytest_runtime():
raise mcp_daemon_guard.UnsanctionedRuntimeError(
"quarantine record missing native provenance (#695)"
)
tmp = path + ".tmp"
data = json.dumps(record, indent=2, sort_keys=True)
with open(tmp, "w", encoding="utf-8") as fh:
fh.write(data)
fh.flush()
os.fsync(fh.fileno())
os.replace(tmp, path)
os.chmod(path, 0o600)
return {"path": path, "written": True, "record": record}
def load_quarantine_record(
*,
remote: str,
org: str,
repo: str,
pr_number: int,
review_id: int,
) -> dict[str, Any] | None:
path = quarantine_state_path(
remote=remote,
org=org,
repo=repo,
pr_number=pr_number,
review_id=review_id,
)
if not os.path.isfile(path):
return None
try:
with open(path, encoding="utf-8") as fh:
data = json.load(fh)
except (OSError, json.JSONDecodeError):
return None
if not isinstance(data, dict):
return None
return data
def is_review_quarantined(
*,
remote: str,
org: str,
repo: str,
pr_number: int,
review_id: int | None,
reviewed_head_sha: str | None = None,
) -> dict[str, Any]:
"""Whether a formal review is quarantined for merge authorization (#695)."""
if review_id is None:
return {"quarantined": False, "record": None, "reasons": []}
rec = load_quarantine_record(
remote=remote,
org=org,
repo=repo,
pr_number=pr_number,
review_id=int(review_id),
)
if not rec:
return {"quarantined": False, "record": None, "reasons": []}
reasons = [
f"formal review_id {review_id} on PR #{pr_number} is quarantined "
f"(#695; incident issue {rec.get('incident_issue')}); "
"merge authorization is void; forensic evidence retained"
]
want_head = (reviewed_head_sha or "").strip().lower()
rec_head = (rec.get("reviewed_head_sha") or "").strip().lower()
if want_head and rec_head and want_head != rec_head:
# Still quarantined by review_id; note head mismatch for operators.
reasons.append(
f"quarantine head {rec_head[:12]}… differs from assessed head "
f"{want_head[:12]}… (still void by review_id)"
)
return {"quarantined": True, "record": rec, "reasons": reasons}
def filter_approvals_for_merge(
*,
remote: str,
org: str,
repo: str,
pr_number: int,
current_head_sha: str | None,
reviews: list[dict],
) -> dict[str, Any]:
"""Split reviews into merge-usable vs quarantined contaminated approvals."""
current = (current_head_sha or "").strip().lower()
usable: list[dict] = []
quarantined: list[dict] = []
for rev in reviews or []:
if not isinstance(rev, dict):
continue
verdict = (rev.get("verdict") or rev.get("state") or "").upper()
if verdict not in {"APPROVED", "APPROVE"}:
continue
if rev.get("dismissed"):
continue
rid = rev.get("review_id") or rev.get("id")
head = (
rev.get("reviewed_head_sha")
or rev.get("commit_id")
or rev.get("head_sha")
or ""
).strip().lower()
q = is_review_quarantined(
remote=remote,
org=org,
repo=repo,
pr_number=pr_number,
review_id=int(rid) if rid is not None else None,
reviewed_head_sha=head or current,
)
entry = {**rev, "review_id": rid, "reviewed_head_sha": head}
if q["quarantined"]:
entry["quarantined"] = True
entry["quarantine_reasons"] = q["reasons"]
quarantined.append(entry)
else:
entry["quarantined"] = False
usable.append(entry)
usable_at_head = [
e
for e in usable
if current and (e.get("reviewed_head_sha") or "") == current
]
return {
"usable_approvals": usable,
"usable_approvals_at_current_head": usable_at_head,
"quarantined_approvals": quarantined,
"approval_visible_for_merge": bool(usable_at_head),
"has_quarantined_approval_at_head": any(
current
and (e.get("reviewed_head_sha") or "") == current
for e in quarantined
),
}
def format_quarantine_audit_comment(record: dict[str, Any]) -> str:
"""Append-only forensic audit comment body (does not delete evidence)."""
lines = [
"## Contaminated formal review quarantine (#695)",
"",
"Status: **QUARANTINED — merge authorization VOID**",
"",
f"- review_id: `{record.get('review_id')}`",
f"- pr: `#{record.get('pr_number')}`",
f"- reviewed_head_sha: `{record.get('reviewed_head_sha')}`",
f"- actor: `{record.get('actor_username')}`",
f"- profile: `{record.get('profile_name')}`",
f"- incident_issue: `#{record.get('incident_issue')}`",
f"- reason: {record.get('reason')}",
f"- created_at: `{record.get('created_at')}`",
f"- native_transport: "
f"`{(record.get('native_provenance') or {}).get('native_mcp_transport')}`",
f"- native_token_fingerprint: "
f"`{(record.get('native_provenance') or {}).get('native_token_fingerprint')}`",
f"- forensic_comment_ids retained: "
f"`{record.get('forensic_comment_ids')}`",
"",
"This record does **not** delete Gitea reviews or historical comments. "
"Fresh native-MCP re-review is required before merge.",
]
return "\n".join(lines)
def assess_untrusted_canonical_approval_claim(body: str) -> list[str]:
"""Reasons to reject canonical comments that claim approved/merge-ready.
Used when the comment asserts approval without native review proof (#695 AC7).
False "official workflow" claims that cite offline/import paths are always
rejected even when a NATIVE_REVIEW_PROOF line is present.
"""
text = body or ""
lower = text.lower()
claims_approved = (
"state:\napproved" in lower
or "state: approved" in lower
or "who_is_next:\nmerger" in lower
or "who_is_next: merger" in lower
or "merge_ready: true" in lower
or "merge_ready:\ntrue" in lower
or "ready-to-merge" in lower
)
if not claims_approved:
return []
# Reject explicit offline/import "official workflow" spoofing (#695 AC9).
offline_spoof = (
"offline_mcp" in lower
or "offline import" in lower
or "direct import" in lower
or "import gitea_mcp_server" in lower
or "run_quarantine.py" in lower
or "offline_mcp_helper" in lower
or "offline_mcp_runner" in lower
)
has_proof = (
"NATIVE_REVIEW_PROOF:" in text
or "native_review_proof:" in lower
)
if offline_spoof:
return [
"canonical approval claim cites offline/import/helper path; "
"NATIVE_REVIEW_PROOF rejected (#695 AC7/AC9); stop after native "
"MCP failure — do not construct offline mutation fallbacks"
]
if has_proof:
return []
return [
"canonical comment claims approved/merge-ready state without "
"NATIVE_REVIEW_PROOF from a native MCP review mutation (#695 AC7); "
"contaminated or untrusted approvals cannot certify merger handoff"
]
@@ -14,6 +14,8 @@ before any PR mutation. Final report schema:
**BLOCKED + DIAGNOSE (universal default):** If at any point you cannot perform a required step (skill not available, terminal broken, capability missing, wrong profile, guard blocks, worktree misbound, instructions unavailable, preflight fails, etc.), STOP. Clearly state BLOCKED. Use the standard [`../templates/blocked-diagnose-report.md`](../templates/blocked-diagnose-report.md) template. Only safe non-mutating recovery. Report using the template. Do not continue or use any fallback (temp scripts, direct API, etc.) unless controller authorizes. All blocker classes listed in llm-project-workflow/SKILL.md must trigger this.
**Native MCP failure is a hard stop (#695):** If the native MCP namespace dies (EOF, capability disconnect, session death), STOP. Do **not** import `gitea_mcp_server` from a standalone process, do **not** run offline helpers (`offline_mcp_helper.py`, `offline_mcp_runner.py`, `run_quarantine.py`), and do **not** set direct-import / keychain-bypass / raw-token environment variables. Reconnect the official MCP daemon only. Contaminated approvals must be controller-quarantined; they never authorize merge.
**Default task prompt:**
> Review the next eligible open PR in this project. Merge it only if every
@@ -14,6 +14,8 @@ before any issue implementation mutation. Final report schema:
**BLOCKED + DIAGNOSE (universal default):** If at any point you cannot perform a required step (skill not available, terminal broken, capability missing, wrong profile, guard blocks, worktree misbound, instructions unavailable, preflight fails, etc.), STOP. Clearly state BLOCKED. Use the standard [`../templates/blocked-diagnose-report.md`](../templates/blocked-diagnose-report.md) template. Only safe non-mutating recovery. Report using the template. Do not continue or use any fallback (temp scripts, direct API, etc.) unless controller authorizes. All blocker classes listed in llm-project-workflow/SKILL.md must trigger this.
**Native MCP failure is a hard stop (#695):** Do not import MCP server internals, run offline mutation helpers, or set credential-bypass env vars after a native transport failure. Reconnect the official daemon only.
**Default task prompt:**
> Find the next eligible issue in this project, work on it only if all gates
+10
View File
@@ -72,6 +72,16 @@ TASK_CAPABILITY_MAP: dict[str, dict[str, str]] = {
"permission": "gitea.pr.merge",
"role": "merger",
},
# #695 AC8: controller quarantine of contaminated formal reviews.
# Apply path posts an append-only forensic audit comment (pr.comment).
"quarantine_contaminated_review": {
"permission": "gitea.pr.comment",
"role": "reconciler",
},
"gitea_quarantine_contaminated_review": {
"permission": "gitea.pr.comment",
"role": "reconciler",
},
"adopt_merger_pr_lease": {
"permission": "gitea.pr.comment",
"role": "reviewer",
+11
View File
@@ -58,6 +58,17 @@ def _reset_mutation_authority(monkeypatch):
_fallback: str = state_dir,
_env_key: str = mcp_session_state.STATE_DIR_ENV,
) -> str:
# #695 AC2: when production native transport has pinned a session
# state root, that pin is authoritative even under test isolation
# (PR #701 redirected-state regression).
try:
import mcp_daemon_guard
pinned = mcp_daemon_guard.pinned_session_state_dir()
if pinned:
return pinned
except Exception:
pass
raw = (os.environ.get(_env_key) or "").strip()
return raw or _fallback
+9 -5
View File
@@ -329,13 +329,17 @@ class TestGatedToolAudit(_AuditWiringBase):
@patch("mcp_server.api_request")
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
def test_merge_success_audited(self, _auth, mock_api):
# user, pr, feedback pr+reviews, merge POST, readback.
# user, pr, eligibility feedback pr+reviews (#695), gate-7 feedback
# pr+reviews, merge POST, readback.
approval = [{
"id": 1, "user": {"login": "reviewer-bot"}, "state": "APPROVED",
"commit_id": "abc123", "submitted_at": "2026-07-06T10:00:00Z",
"dismissed": False,
}]
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot"),
self._pr("author-bot"),
[{"id": 1, "user": {"login": "reviewer-bot"}, "state": "APPROVED",
"commit_id": "abc123", "submitted_at": "2026-07-06T10:00:00Z",
"dismissed": False}],
self._pr("author-bot"), approval, # eligibility merge feedback
self._pr("author-bot"), approval, # gate 7 feedback
{}, {"merged_commit_sha": "c1"},
]
env = self._env(GITEA_PROFILE_NAME="gitea-merger",
@@ -94,6 +94,7 @@ REVIEW_STATUS: approved / approval_at_current_head
MERGE_READY: true
BLOCKERS: none
VALIDATION: pytest passed; reviewer approved at head {FULL_SHA}
NATIVE_REVIEW_PROOF: transport=native_mcp; entrypoint=mcp_server; token_fingerprint=testharmless
LAST_UPDATED_BY: prgs-reviewer
"""
@@ -0,0 +1,848 @@
"""Regression tests for Issue #695 — second incident (PR #694 / review 427).
Reproduces offline import, env-only runtime spoof, exposed-token invocation,
direct imports, basename entrypoint spoof, allow_test_bootstrap forgery,
standalone quarantine attempts, and false “official workflow” canonical claims.
Gates must fail closed.
"""
from __future__ import annotations
import os
import subprocess
import sys
import tempfile
import textwrap
import unittest
from pathlib import Path
from unittest.mock import patch
import mcp_daemon_guard
import merge_approval_gate
import review_quarantine
import canonical_comment_validator as ccv
HEAD_694 = "1844e298809373be19a526fd39b7d8b0669eb5bd"
HEAD_OTHER = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
REPO_ROOT = Path(__file__).resolve().parent.parent
def _run_offline_snippet(snippet: str, *, env_extra: dict[str, str] | None = None) -> subprocess.CompletedProcess:
"""Execute snippet in a fresh interpreter (no pytest modules)."""
env = os.environ.copy()
env.pop("PYTEST_CURRENT_TEST", None)
env.pop(mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV, None)
env["PYTHONPATH"] = str(REPO_ROOT) + os.pathsep + env.get("PYTHONPATH", "")
if env_extra:
env.update(env_extra)
return subprocess.run(
[sys.executable, "-c", snippet],
capture_output=True,
text=True,
cwd=str(REPO_ROOT),
env=env,
timeout=30,
check=False,
)
class TestNativeTransportBinding(unittest.TestCase):
def tearDown(self) -> None:
mcp_daemon_guard.clear_native_runtime_for_tests()
os.environ.pop(mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV, None)
os.environ.pop(mcp_daemon_guard.SANCTIONED_DAEMON_ENV, None)
os.environ.pop(mcp_daemon_guard.ALLOW_DIRECT_IMPORT_ENV, None)
def test_env_alone_does_not_establish_native_transport(self):
mcp_daemon_guard.clear_native_runtime_for_tests()
os.environ[mcp_daemon_guard.SANCTIONED_DAEMON_ENV] = "1"
os.environ[mcp_daemon_guard.ALLOW_DIRECT_IMPORT_ENV] = "1"
os.environ[mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV] = "1"
self.assertFalse(mcp_daemon_guard.is_native_mcp_transport())
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError) as ctx:
mcp_daemon_guard.assert_sanctioned_mutation_runtime("offline_import")
msg = str(ctx.exception)
self.assertIn("#695", msg)
# FORCE disables pytest allowance; direct-import env is rejected first
# (AC1). Without ALLOW_DIRECT, env-alone also yields "not sufficient".
lowered = msg.lower()
self.assertTrue(
"direct" in lowered
or "not sufficient" in lowered
or "allow_direct" in lowered
or "gitea_allow_direct" in lowered,
msg,
)
def test_direct_import_mark_rejected_outside_entrypoint(self):
mcp_daemon_guard.clear_native_runtime_for_tests()
os.environ[mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV] = "1"
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError) as ctx:
mcp_daemon_guard.mark_sanctioned_daemon()
self.assertIn("canonical", str(ctx.exception).lower())
self.assertFalse(mcp_daemon_guard.is_native_mcp_transport())
def test_locally_generated_runtime_key_without_entrypoint_rejected(self):
"""Spoofing process-local fields via mark outside entrypoint fails."""
mcp_daemon_guard.clear_native_runtime_for_tests()
os.environ[mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV] = "1"
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
mcp_daemon_guard.mark_sanctioned_daemon()
def test_test_native_runtime_for_hermetic_tests_not_production(self):
mcp_daemon_guard.clear_native_runtime_for_tests()
st = mcp_daemon_guard.install_test_native_runtime()
self.assertTrue(st["native_mcp_transport"])
self.assertTrue(mcp_daemon_guard.is_native_mcp_transport())
self.assertFalse(mcp_daemon_guard.is_production_native_mcp_transport())
mcp_daemon_guard.assert_sanctioned_mutation_runtime("test-bootstrap")
fields = mcp_daemon_guard.mutation_provenance_fields()
self.assertEqual(fields["transport"], "test_native_mcp")
self.assertTrue(fields["native_mcp_transport"])
self.assertFalse(fields["production_native_mcp_transport"])
self.assertIsNotNone(fields["native_token_fingerprint"])
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError) as ctx:
mcp_daemon_guard.assert_production_mutation_runtime("prod-endpoint")
self.assertIn("Test-mode", str(ctx.exception))
def test_no_allow_test_bootstrap_parameter_on_mark(self):
import inspect
sig = inspect.signature(mcp_daemon_guard.mark_sanctioned_daemon)
self.assertNotIn("allow_test_bootstrap", sig.parameters)
def test_exposed_token_env_never_grants_native(self):
"""Raw / exposed token env vars must never reconstruct native transport."""
mcp_daemon_guard.clear_native_runtime_for_tests()
os.environ[mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV] = "1"
for key in (
"GITEA_TOKEN",
"GITEA_ACCESS_TOKEN",
"GITHUB_TOKEN",
"GITEA_MCP_TOKEN",
"GITEA_RAW_TOKEN",
):
os.environ[key] = "exposed-token-value-must-not-authorize"
try:
self.assertFalse(mcp_daemon_guard.is_native_mcp_transport())
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
mcp_daemon_guard.assert_sanctioned_mutation_runtime("exposed-token")
finally:
for key in (
"GITEA_TOKEN",
"GITEA_ACCESS_TOKEN",
"GITHUB_TOKEN",
"GITEA_MCP_TOKEN",
"GITEA_RAW_TOKEN",
):
os.environ.pop(key, None)
class TestAC9BypassRegressions(unittest.TestCase):
"""AC9: empirically reproduced offline bypasses must fail closed (#695)."""
def tearDown(self) -> None:
mcp_daemon_guard.clear_native_runtime_for_tests()
os.environ.pop(mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV, None)
def test_allow_test_bootstrap_cannot_authorize_fresh_offline_interpreter(self):
"""Finding 1: former allow_test_bootstrap forge is gone and rejected offline."""
snippet = textwrap.dedent(
"""
import inspect
import mcp_daemon_guard as g
sig = inspect.signature(g.mark_sanctioned_daemon)
assert "allow_test_bootstrap" not in sig.parameters, "bootstrap flag must not exist"
try:
g.mark_sanctioned_daemon(allow_test_bootstrap=True)
except TypeError:
pass
else:
raise SystemExit("mark_sanctioned_daemon accepted allow_test_bootstrap")
try:
g.install_test_native_runtime()
except g.UnsanctionedRuntimeError as exc:
assert "pytest" in str(exc).lower() or "#695" in str(exc)
else:
raise SystemExit("install_test_native_runtime authorized offline interpreter")
assert g.is_native_mcp_transport() is False
try:
g.assert_sanctioned_mutation_runtime("offline-bootstrap")
except g.UnsanctionedRuntimeError:
pass
else:
raise SystemExit("mutation runtime authorized after offline bootstrap attempt")
print("OK")
"""
)
proc = _run_offline_snippet(snippet)
self.assertEqual(proc.returncode, 0, proc.stdout + proc.stderr)
self.assertIn("OK", proc.stdout)
def test_renamed_runner_named_mcp_server_py_rejected(self):
"""Finding 2: basename-only entrypoint trust is insufficient."""
with tempfile.TemporaryDirectory() as tmp:
attacker = Path(tmp) / "mcp_server.py"
attacker.write_text(
textwrap.dedent(
"""
import mcp_daemon_guard as g
try:
g.mark_sanctioned_daemon()
except g.UnsanctionedRuntimeError as exc:
print("REJECTED:" + str(exc))
raise SystemExit(0)
print("AUTHORIZED")
raise SystemExit(1)
"""
),
encoding="utf-8",
)
env = os.environ.copy()
env.pop("PYTEST_CURRENT_TEST", None)
env["PYTHONPATH"] = str(REPO_ROOT) + os.pathsep + env.get("PYTHONPATH", "")
proc = subprocess.run(
[sys.executable, str(attacker)],
capture_output=True,
text=True,
cwd=tmp,
env=env,
timeout=30,
check=False,
)
self.assertEqual(proc.returncode, 0, proc.stdout + proc.stderr)
self.assertIn("REJECTED:", proc.stdout)
self.assertIn("canonical", proc.stdout.lower())
self.assertNotIn("AUTHORIZED", proc.stdout)
def test_direct_launch_import_canonical_entrypoint_without_transport_rejected(self):
"""Merely importing/launching real entrypoint offline must not authorize."""
snippet = textwrap.dedent(
f"""
import importlib.util
import mcp_daemon_guard as g
# Simulate claim-only phase (no transport bind).
g.clear_native_runtime_for_tests()
# Direct mark from non-entrypoint must fail.
try:
g.mark_sanctioned_daemon()
except g.UnsanctionedRuntimeError:
pass
assert g.is_native_mcp_transport() is False
# Even if someone forges entrypoint_claimed without transport bind:
g._NATIVE_RUNTIME = {{
"token": "x" * 64,
"token_fingerprint": "deadbeefdeadbeef",
"pid": __import__("os").getpid(),
"started_at": 0,
"entrypoint": "mcp_server",
"entrypoint_path": {str(REPO_ROOT / "mcp_server.py")!r},
"phase": "entrypoint_claimed",
"transport": None,
"mode": "production",
}}
assert g.is_native_mcp_transport() is False
try:
g.assert_sanctioned_mutation_runtime("import-only")
except g.UnsanctionedRuntimeError as exc:
assert "transport" in str(exc).lower() or "entrypoint" in str(exc).lower() or "#695" in str(exc)
else:
raise SystemExit("import-only claim authorized mutation")
print("OK")
"""
)
proc = _run_offline_snippet(snippet)
self.assertEqual(proc.returncode, 0, proc.stdout + proc.stderr)
self.assertIn("OK", proc.stdout)
def test_spoofed_pytest_env_stack_path_rejected(self):
"""Spoofed pytest/env/call-stack/path evidence must not authorize offline."""
snippet = textwrap.dedent(
f"""
import os
import mcp_daemon_guard as g
os.environ["PYTEST_CURRENT_TEST"] = "spoofed::test"
os.environ[g.SANCTIONED_DAEMON_ENV] = "1"
os.environ[g.ALLOW_DIRECT_IMPORT_ENV] = "1"
# Fresh interpreter has no pytest module; PYTEST_CURRENT_TEST alone
# might still trip is_pytest_runtime — force-unsanctioned is not set.
# But install_test_native_runtime requires real pytest path; if
# PYTEST_CURRENT_TEST alone grants is_pytest_runtime, production
# mutation still requires production transport outside true pytest.
if g.is_pytest_runtime():
# Env-only pytest spoof: test install may succeed, but production
# mutation gate must still reject test mode.
g.install_test_native_runtime()
assert g.is_production_native_mcp_transport() is False
try:
g.assert_production_mutation_runtime("spoofed-pytest")
except g.UnsanctionedRuntimeError:
pass
else:
raise SystemExit("production mutation accepted test-mode under spoofed pytest env")
else:
try:
g.install_test_native_runtime()
except g.UnsanctionedRuntimeError:
pass
else:
raise SystemExit("test install without pytest evidence")
# Basename path spoof via inspect is covered elsewhere; env alone:
g.clear_native_runtime_for_tests()
os.environ.pop("PYTEST_CURRENT_TEST", None)
assert g.is_native_mcp_transport() is False
try:
g.assert_sanctioned_mutation_runtime("env-path-spoof")
except g.UnsanctionedRuntimeError:
pass
else:
raise SystemExit("env/path spoof authorized mutation")
print("OK")
"""
)
proc = _run_offline_snippet(snippet)
self.assertEqual(proc.returncode, 0, proc.stdout + proc.stderr)
self.assertIn("OK", proc.stdout)
def test_test_bootstrap_cannot_reach_production_mutation_endpoints(self):
"""Under pytest, test-mode runtime cannot satisfy production mutation gate."""
mcp_daemon_guard.clear_native_runtime_for_tests()
mcp_daemon_guard.install_test_native_runtime()
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError) as ctx:
mcp_daemon_guard.assert_production_mutation_runtime(
"gitea_quarantine_contaminated_review"
)
msg = str(ctx.exception)
self.assertIn("Test-mode", msg)
self.assertIn("#695", msg)
# Offline: install_test_native_runtime must not authorize production mutations.
snippet = textwrap.dedent(
"""
import mcp_daemon_guard as g
try:
g.install_test_native_runtime()
except g.UnsanctionedRuntimeError:
pass
assert g.is_production_native_mcp_transport() is False
try:
g.assert_production_mutation_runtime("gitea_quarantine_contaminated_review")
except g.UnsanctionedRuntimeError:
pass
else:
raise SystemExit("production mutation authorized offline")
try:
g.assert_sanctioned_mutation_runtime("gitea_mutation")
except g.UnsanctionedRuntimeError:
pass
else:
raise SystemExit("sanctioned mutation authorized offline")
print("OK")
"""
)
proc = _run_offline_snippet(snippet)
self.assertEqual(proc.returncode, 0, proc.stdout + proc.stderr)
self.assertIn("OK", proc.stdout)
def test_legitimate_native_transport_bind_succeeds(self):
"""Canonical entrypoint path + stdio bind establishes production native."""
mcp_daemon_guard.clear_native_runtime_for_tests()
# Simulate production path under force-unsanctioned (no pytest allowance)
# by calling internal claim/bind with patched caller path.
canonical = str((REPO_ROOT / "mcp_server.py").resolve())
def _fake_caller():
return canonical
with patch.object(
mcp_daemon_guard, "_caller_official_entrypoint_path", side_effect=_fake_caller
):
# Force non-pytest path for mark/bind logic.
with patch.object(mcp_daemon_guard, "is_pytest_runtime", return_value=False):
st1 = mcp_daemon_guard.mark_sanctioned_daemon()
self.assertFalse(st1["native_mcp_transport"])
self.assertEqual(st1["phase"], "entrypoint_claimed")
st2 = mcp_daemon_guard.bind_native_mcp_transport(transport="stdio")
self.assertTrue(st2["native_mcp_transport"])
self.assertTrue(st2["production_native_mcp_transport"])
self.assertEqual(st2["transport"], "stdio")
self.assertEqual(st2["mode"], "production")
mcp_daemon_guard.assert_sanctioned_mutation_runtime("native-ide")
mcp_daemon_guard.assert_production_mutation_runtime("native-ide")
fields = mcp_daemon_guard.mutation_provenance_fields()
self.assertEqual(fields["transport"], "native_mcp")
self.assertTrue(fields["production_native_mcp_transport"])
def test_canonical_entrypoint_paths_are_resolved_absolute(self):
paths = mcp_daemon_guard.canonical_entrypoint_paths()
self.assertTrue(any(p.endswith("mcp_server.py") for p in paths))
for p in paths:
self.assertTrue(os.path.isabs(p), p)
self.assertEqual(p, str(Path(p).resolve()))
class TestQuarantineWriteNativeOnly(unittest.TestCase):
def setUp(self) -> None:
self._tmp = tempfile.TemporaryDirectory()
self.addCleanup(self._tmp.cleanup)
mcp_daemon_guard.clear_native_runtime_for_tests()
def tearDown(self) -> None:
mcp_daemon_guard.clear_native_runtime_for_tests()
os.environ.pop(mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV, None)
def test_standalone_quarantine_write_blocked_when_unsanctioned(self):
os.environ[mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV] = "1"
assessment = review_quarantine.assess_quarantine_write(
confirmation="QUARANTINE CONTAMINATED REVIEW 427 PR 694",
pr_number=694,
review_id=427,
reason="contaminated offline approval",
native_required=True,
)
self.assertFalse(assessment["allowed"])
self.assertTrue(
any("native MCP transport" in r for r in assessment["reasons"])
)
record = review_quarantine.build_quarantine_record(
remote="prgs",
org="Scaled-Tech-Consulting",
repo="Gitea-Tools",
pr_number=694,
review_id=427,
reviewed_head_sha=HEAD_694,
reason="contaminated",
actor_username="sysadmin",
profile_name="prgs-merger",
incident_issue=695,
forensic_comment_ids=[10883, 10886],
)
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
# Force non-pytest and non-native for write path.
with patch.object(mcp_daemon_guard, "is_pytest_runtime", return_value=False):
with patch.object(
mcp_daemon_guard, "is_native_mcp_transport", return_value=False
):
review_quarantine.write_quarantine_record(record)
def test_confirmation_must_match_exactly(self):
assessment = review_quarantine.assess_quarantine_write(
confirmation="quarantine 427",
pr_number=694,
review_id=427,
reason="x",
native_required=False,
)
self.assertFalse(assessment["allowed"])
self.assertIn("confirmation must equal exactly", assessment["reasons"][0])
def test_quarantine_honored_by_merge_approval_gate(self):
"""Contaminated review 427 at head must not authorize merge (#695)."""
result = merge_approval_gate.assess_merge_approval_head(
current_head_sha=HEAD_694,
latest_by_reviewer={
"sysadmin": {
"verdict": "APPROVED",
"dismissed": False,
"reviewed_head_sha": HEAD_694,
"review_id": 427,
"submitted_at": "2026-07-13T07:20:00Z",
}
},
quarantined_review_ids={427},
)
self.assertFalse(result["approval_at_current_head"])
self.assertIn("quarantined", result["stale_approval_block_reason"])
self.assertEqual(result["quarantined_approvals_at_current_head"], 1)
def test_filter_approvals_for_merge_splits_quarantined(self):
with patch(
"review_quarantine.mcp_session_state.default_state_dir",
return_value=self._tmp.name,
):
mcp_daemon_guard.install_test_native_runtime()
record = review_quarantine.build_quarantine_record(
remote="prgs",
org="org",
repo="repo",
pr_number=694,
review_id=427,
reviewed_head_sha=HEAD_694,
reason="offline import contaminated approval",
actor_username="sysadmin",
profile_name="prgs-merger",
incident_issue=695,
)
# Force native provenance bit for write path under test bootstrap.
record["native_provenance"] = {
**record["native_provenance"],
"native_mcp_transport": True,
}
review_quarantine.write_quarantine_record(record)
filtered = review_quarantine.filter_approvals_for_merge(
remote="prgs",
org="org",
repo="repo",
pr_number=694,
current_head_sha=HEAD_694,
reviews=[
{
"verdict": "APPROVED",
"review_id": 427,
"reviewed_head_sha": HEAD_694,
"reviewer": "sysadmin",
},
{
"verdict": "APPROVED",
"review_id": 999,
"reviewed_head_sha": HEAD_694,
"reviewer": "fresh-reviewer",
},
],
)
self.assertTrue(filtered["has_quarantined_approval_at_head"])
self.assertEqual(len(filtered["quarantined_approvals"]), 1)
self.assertEqual(filtered["quarantined_approvals"][0]["review_id"], 427)
self.assertEqual(len(filtered["usable_approvals_at_current_head"]), 1)
self.assertEqual(
filtered["usable_approvals_at_current_head"][0]["review_id"], 999
)
self.assertTrue(filtered["approval_visible_for_merge"])
class TestCanonicalHandoffValidation(unittest.TestCase):
def test_false_official_workflow_offline_claim_rejected(self):
body = f"""## Canonical PR State
STATE: approved
WHO_IS_NEXT: merger
NEXT_ACTION: Merge PR #694 immediately after offline helper success
NEXT_PROMPT:
```text
Merger: land PR #694; offline_mcp_runner completed official workflow.
```
WHAT_HAPPENED: offline import of gitea_mcp_server submitted APPROVED review 427
WHY: claimed official workflow via direct import after native EOF
ISSUE: #693
HEAD_SHA: {HEAD_694}
REVIEW_STATUS: approved / approval_at_current_head
MERGE_READY: true
BLOCKERS: none
VALIDATION: offline_mcp_helper.py + offline_mcp_runner.py; import gitea_mcp_server
NATIVE_REVIEW_PROOF: transport=offline_mcp; spoofed
LAST_UPDATED_BY: contaminated-session
"""
result = ccv.assess_canonical_comment(body, context="pr_comment")
self.assertFalse(result["allowed"])
joined = " ".join(result.get("extra_reasons") or [])
self.assertIn("#695", joined)
self.assertIn("offline", joined.lower())
def test_merge_ready_without_native_proof_rejected(self):
body = f"""## Canonical PR State
STATE: ready-to-merge
WHO_IS_NEXT: merger
NEXT_ACTION: Merge PR after confirming approval_at_current_head
NEXT_PROMPT:
```text
Merge PR #694 for issue #693 after live mergeable check passes.
```
WHAT_HAPPENED: Reviewer approved at current head
WHY: All gates passed and head SHA is current
ISSUE: #693
HEAD_SHA: {HEAD_694}
REVIEW_STATUS: approved / approval_at_current_head
MERGE_READY: true
BLOCKERS: none
VALIDATION: pytest passed; reviewer approved at head {HEAD_694}
LAST_UPDATED_BY: prgs-reviewer
"""
result = ccv.assess_canonical_comment(body, context="pr_comment")
self.assertFalse(result["allowed"])
joined = " ".join(result.get("extra_reasons") or [])
self.assertIn("NATIVE_REVIEW_PROOF", joined)
def test_merge_ready_with_native_proof_allowed(self):
body = f"""## Canonical PR State
STATE: ready-to-merge
WHO_IS_NEXT: merger
NEXT_ACTION: Merge PR after confirming approval_at_current_head
NEXT_PROMPT:
```text
Merge PR #500 for issue #496 after live mergeable check passes.
```
WHAT_HAPPENED: Reviewer approved at current head via native MCP
WHY: All gates passed and head SHA is current
ISSUE: #496
HEAD_SHA: {HEAD_694}
REVIEW_STATUS: approved / approval_at_current_head
MERGE_READY: true
BLOCKERS: none
VALIDATION: pytest passed; reviewer approved at head {HEAD_694}
NATIVE_REVIEW_PROOF: transport=native_mcp; entrypoint=mcp_server; token_fingerprint=abc123
LAST_UPDATED_BY: prgs-reviewer
"""
result = ccv.assess_canonical_comment(body, context="pr_comment")
self.assertTrue(result["allowed"], result)
class TestFeedbackQuarantineIntegration(unittest.TestCase):
"""gitea_get_pr_review_feedback must void quarantined review 427 at head."""
def setUp(self) -> None:
self._tmp = tempfile.TemporaryDirectory()
self.addCleanup(self._tmp.cleanup)
mcp_daemon_guard.clear_native_runtime_for_tests()
mcp_daemon_guard.install_test_native_runtime()
def tearDown(self) -> None:
mcp_daemon_guard.clear_native_runtime_for_tests()
def test_feedback_excludes_quarantined_approval_from_merge_auth(self):
import mcp_server
with patch(
"review_quarantine.mcp_session_state.default_state_dir",
return_value=self._tmp.name,
):
record = review_quarantine.build_quarantine_record(
remote="prgs",
org="Scaled-Tech-Consulting",
repo="Gitea-Tools",
pr_number=694,
review_id=427,
reviewed_head_sha=HEAD_694,
reason="contaminated offline approval (incident #695)",
actor_username="controller",
profile_name="prgs-merger",
incident_issue=695,
forensic_comment_ids=[10883, 10886],
)
record["native_provenance"]["native_mcp_transport"] = True
review_quarantine.write_quarantine_record(record)
def _api(method, url, auth=None, payload=None):
if url.endswith("/pulls/694") and method == "GET":
return {
"number": 694,
"state": "open",
"head": {"sha": HEAD_694},
"user": {"login": "jcwalker3"},
}
if url.endswith("/reviews"):
return [
{
"id": 427,
"user": {"login": "sysadmin"},
"state": "APPROVED",
"body": "contaminated",
"submitted_at": "2026-07-13T07:20:00Z",
"commit_id": HEAD_694,
"dismissed": False,
"stale": False,
}
]
return {}
with patch("mcp_server.api_request", side_effect=_api):
with patch(
"mcp_server.get_auth_header", return_value="Basic dGVzdA=="
):
with patch(
"mcp_server.get_profile",
return_value={
"profile_name": "prgs-merger",
"allowed_operations": ["gitea.read", "gitea.pr.merge"],
"forbidden_operations": [],
"base_url": None,
},
):
result = mcp_server.gitea_get_pr_review_feedback(
pr_number=694,
remote="prgs",
org="Scaled-Tech-Consulting",
repo="Gitea-Tools",
)
self.assertTrue(result.get("success"), result)
self.assertFalse(result.get("approval_at_current_head"))
self.assertFalse(result.get("approval_visible"))
self.assertIn(427, result.get("quarantined_review_ids") or [])
self.assertGreaterEqual(
result.get("quarantined_approvals_at_current_head") or 0, 1
)
self.assertIn("quarantined", (result.get("stale_approval_block_reason") or ""))
class TestDocsStopAfterNativeFailure(unittest.TestCase):
def test_daemon_guard_doc_requires_stop(self):
root = Path(__file__).resolve().parent.parent
doc = (root / "docs" / "mcp-daemon-import-guard.md").read_text(encoding="utf-8")
self.assertIn("#695", doc)
self.assertIn("STOP after native MCP failure", doc)
self.assertIn("offline_mcp_runner", doc)
self.assertIn("run_quarantine.py", doc)
self.assertIn("GITEA_ALLOW_DIRECT_MCP_IMPORT", doc)
class TestPR701DirectImportSessionOverrideSequence(unittest.TestCase):
"""AC9 regression: exact PR #701 contaminated-approval sequence must fail closed.
Observed attack:
- GITEA_ALLOW_DIRECT_MCP_IMPORT=1
- import mutation tools from gitea_mcp_server
- GITEA_MCP_SESSION_STATE_DIR=.mcp_session_701 (cross-PR lock evasion)
- mark_final + submit_pr_review
"""
def tearDown(self) -> None:
mcp_daemon_guard.clear_native_runtime_for_tests()
os.environ.pop(mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV, None)
os.environ.pop(mcp_daemon_guard.SANCTIONED_DAEMON_ENV, None)
os.environ.pop(mcp_daemon_guard.ALLOW_DIRECT_IMPORT_ENV, None)
os.environ.pop(mcp_daemon_guard.SESSION_STATE_DIR_ENV, None)
def test_offline_run_submit_sequence_fails_closed(self):
"""Fresh interpreter: direct import + state-dir override cannot mark/submit."""
with tempfile.TemporaryDirectory() as tmp:
redirect = str(Path(tmp) / ".mcp_session_701")
snippet = textwrap.dedent(
f"""
import os
import sys
os.environ["GITEA_ALLOW_DIRECT_MCP_IMPORT"] = "1"
os.environ["GITEA_MCP_SESSION_STATE_DIR"] = {redirect!r}
os.environ["GITEA_MCP_PROFILE"] = "prgs-reviewer"
# No pytest modules in this subprocess.
import mcp_daemon_guard as g
assert g.is_native_mcp_transport() is False
assert g.is_production_native_mcp_transport() is False
try:
g.assert_sanctioned_mutation_runtime("run_submit_mark")
except g.UnsanctionedRuntimeError as exc:
msg = str(exc)
assert "GITEA_ALLOW_DIRECT_MCP_IMPORT" in msg or "#695" in msg
else:
raise SystemExit("direct-import env authorized mutation runtime")
try:
g.mark_sanctioned_daemon()
except g.UnsanctionedRuntimeError:
pass
else:
raise SystemExit("mark_sanctioned_daemon authorized offline import")
# Simulate decision-lock write into redirected dir only — must not
# establish native authority.
import mcp_session_state as ss
wrote = ss.save_state(
kind=ss.KIND_DECISION_LOCK,
payload={{
"final_review_decision_ready": True,
"ready_pr_number": 701,
"ready_action": "approve",
"ready_expected_head_sha": "6b675f5c834b41f9d74e8a54294ff44dddf28ae4",
"session_profile": "prgs-reviewer",
"session_profile_lock": "prgs-reviewer",
"remote": "prgs",
}},
profile_identity="prgs-reviewer",
state_dir={redirect!r},
)
assert wrote is not None
assert g.is_native_mcp_transport() is False
try:
g.assert_no_direct_import_bypass("gitea_submit_pr_review")
except g.UnsanctionedRuntimeError:
pass
else:
raise SystemExit("direct-import bypass accepted for submit")
print("OK")
"""
)
proc = _run_offline_snippet(snippet)
self.assertEqual(proc.returncode, 0, proc.stdout + proc.stderr)
self.assertIn("OK", proc.stdout)
def test_session_state_dir_pin_ignores_post_bind_redirect(self):
"""AC2: after production bind, env STATE_DIR override is ignored."""
mcp_daemon_guard.clear_native_runtime_for_tests()
import mcp_session_state
with tempfile.TemporaryDirectory() as tmp:
legitimate = str(Path(tmp) / "legitimate-state")
rogue = str(Path(tmp) / ".mcp_session_701")
os.makedirs(legitimate, mode=0o700, exist_ok=True)
os.makedirs(rogue, mode=0o700, exist_ok=True)
os.environ[mcp_daemon_guard.SESSION_STATE_DIR_ENV] = legitimate
canonical = str((REPO_ROOT / "mcp_server.py").resolve())
def _fake_caller():
return canonical
with patch.object(
mcp_daemon_guard,
"_caller_official_entrypoint_path",
side_effect=_fake_caller,
):
with patch.object(
mcp_daemon_guard, "is_pytest_runtime", return_value=False
):
mcp_daemon_guard.mark_sanctioned_daemon()
mcp_daemon_guard.bind_native_mcp_transport(transport="stdio")
pinned = mcp_daemon_guard.pinned_session_state_dir()
self.assertEqual(pinned, str(Path(legitimate).resolve()))
# Attacker redirects env after bind (PR #701).
os.environ[mcp_daemon_guard.SESSION_STATE_DIR_ENV] = rogue
self.assertEqual(
mcp_daemon_guard.pinned_session_state_dir(),
str(Path(legitimate).resolve()),
)
self.assertEqual(
mcp_session_state.default_state_dir(),
str(Path(legitimate).resolve()),
)
self.assertNotEqual(
mcp_session_state.default_state_dir(),
str(Path(rogue).resolve()),
)
# Unpinned env view still sees rogue (diagnostics only).
unpinned = mcp_session_state.env_session_state_dir_unpinned()
self.assertTrue(
unpinned == rogue
or Path(unpinned).resolve() == Path(rogue).resolve(),
unpinned,
)
def test_direct_import_env_does_not_authorize_under_force_unsanctioned(self):
mcp_daemon_guard.clear_native_runtime_for_tests()
os.environ[mcp_daemon_guard.ALLOW_DIRECT_IMPORT_ENV] = "1"
os.environ[mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV] = "1"
self.assertTrue(mcp_daemon_guard.direct_import_env_enabled())
# Under pytest, assert_no_direct_import_bypass is a no-op; FORCE path
# still blocks is_native / assert_sanctioned via force-unsanctioned.
self.assertFalse(mcp_daemon_guard.is_native_mcp_transport())
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
mcp_daemon_guard.assert_sanctioned_mutation_runtime("direct-import")
def test_quarantine_voids_merge_approval_for_contaminated_review(self):
"""AC6AC8: quarantined APPROVED does not satisfy merge approval head."""
entry = {
"verdict": "APPROVED",
"dismissed": False,
"reviewed_head_sha": "6b675f5c834b41f9d74e8a54294ff44dddf28ae4",
"review_id": 431,
"submitted_at": "2026-07-13T23:52:34Z",
"quarantined": True,
}
result = merge_approval_gate.assess_merge_approval_head(
current_head_sha="6b675f5c834b41f9d74e8a54294ff44dddf28ae4",
latest_by_reviewer={"sysadmin": entry},
quarantined_review_ids={431},
)
self.assertFalse(result["approval_at_current_head"])
self.assertEqual(result["quarantined_approvals_at_current_head"], 1)
self.assertIn("quarantined", (result["stale_approval_block_reason"] or ""))
if __name__ == "__main__":
unittest.main()
+37 -4
View File
@@ -1,4 +1,4 @@
"""Tests for sanctioned MCP daemon guards (#558)."""
"""Tests for sanctioned MCP daemon guards (#558 / #695)."""
from __future__ import annotations
@@ -11,6 +11,10 @@ import gitea_auth
class TestMcpDaemonGuard(unittest.TestCase):
def tearDown(self) -> None:
mcp_daemon_guard.clear_native_runtime_for_tests()
os.environ.pop(mcp_daemon_guard.FORCE_PROVENANCE_FAIL_ENV, None)
def test_unsanctioned_blocks_mutation_runtime(self):
env = {k: v for k, v in os.environ.items() if k not in {
mcp_daemon_guard.SANCTIONED_DAEMON_ENV,
@@ -26,11 +30,35 @@ class TestMcpDaemonGuard(unittest.TestCase):
# Running under pytest already sets PYTEST_CURRENT_TEST.
mcp_daemon_guard.assert_sanctioned_mutation_runtime("pytest")
def test_mark_sanctioned_allows(self):
env = {k: v for k, v in os.environ.items() if k != "PYTEST_CURRENT_TEST"}
def test_test_native_runtime_install_under_pytest(self):
mcp_daemon_guard.clear_native_runtime_for_tests()
mcp_daemon_guard.install_test_native_runtime()
self.assertTrue(mcp_daemon_guard.is_native_mcp_transport())
self.assertFalse(mcp_daemon_guard.is_production_native_mcp_transport())
# Hermetic unit path still passes under pytest.
mcp_daemon_guard.assert_sanctioned_mutation_runtime("daemon")
# Production mutation gate rejects test-mode records.
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError) as ctx:
mcp_daemon_guard.assert_production_mutation_runtime("gitea_mutation")
self.assertIn("Test-mode", str(ctx.exception))
def test_env_alone_insufficient_when_force_unsanctioned(self):
mcp_daemon_guard.clear_native_runtime_for_tests()
env = {
k: v
for k, v in os.environ.items()
if k not in {
mcp_daemon_guard.SANCTIONED_DAEMON_ENV,
mcp_daemon_guard.ALLOW_DIRECT_IMPORT_ENV,
"PYTEST_CURRENT_TEST",
}
}
env[mcp_daemon_guard.SANCTIONED_DAEMON_ENV] = "1"
env["GITEA_TEST_FORCE_UNSANCTIONED"] = "1"
with patch.dict(os.environ, env, clear=True):
mcp_daemon_guard.assert_sanctioned_mutation_runtime("daemon")
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError) as ctx:
mcp_daemon_guard.assert_sanctioned_mutation_runtime("env-spoof")
self.assertIn("not sufficient", str(ctx.exception))
def test_keychain_blocked_without_sanction(self):
env = {
@@ -65,6 +93,11 @@ class TestMcpDaemonGuard(unittest.TestCase):
with self.assertRaises(mcp_daemon_guard.UnsanctionedRuntimeError):
gitea_auth.get_auth_header("gitea.prgs.cc")
def test_no_allow_test_bootstrap_public_parameter(self):
"""Production mark must not accept allow_test_bootstrap (#695)."""
sig = __import__("inspect").signature(mcp_daemon_guard.mark_sanctioned_daemon)
self.assertNotIn("allow_test_bootstrap", sig.parameters)
if __name__ == "__main__":
unittest.main()
+33 -12
View File
@@ -836,16 +836,24 @@ class TestMergePR(unittest.TestCase):
)
def _feedback_reads(self, author="author-bot", sha="abc123"):
"""PR + reviews GETs for gitea_get_pr_review_feedback during merge."""
"""PR + reviews GETs for one gitea_get_pr_review_feedback call."""
return [self._pr(author, sha=sha), _visible_approval_reviews(sha=sha)]
def _eligibility_merge_reads(self, author="author-bot", sha="abc123"):
"""Eligibility user/PR plus #695 merge-approval feedback PR+reviews."""
return [
{"login": "merger-bot"},
self._pr(author, sha=sha),
*self._feedback_reads(author=author, sha=sha),
]
# -- success --------------------------------------------------------------
@patch("mcp_server.api_request")
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
def test_merge_succeeds_when_all_gates_pass(self, _auth, mock_api):
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot"),
*self._eligibility_merge_reads(),
*self._feedback_reads(),
{}, # merge POST
{"merged_commit_sha": "mergecommit99"}, # read-back
@@ -864,7 +872,7 @@ class TestMergePR(unittest.TestCase):
self.assertEqual(r["merge_method"], "squash")
self.assertEqual(r["merge_commit"], "mergecommit99")
# 5th call is the merge POST with the requested method/title/message.
merge_call = mock_api.call_args_list[4]
merge_call = mock_api.call_args_list[6]
self.assertEqual(merge_call.args[0], "POST")
self.assertTrue(merge_call.args[1].endswith("/pulls/8/merge"))
payload = merge_call.args[3]
@@ -877,7 +885,7 @@ class TestMergePR(unittest.TestCase):
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
def test_expected_changed_files_match_allows(self, _auth, mock_api):
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot"),
*self._eligibility_merge_reads(),
[{"filename": "a.py"}, {"filename": "b.py"}], # files
*self._feedback_reads(),
{}, # merge POST
@@ -899,7 +907,7 @@ class TestMergePR(unittest.TestCase):
def test_readback_failure_reports_skipped_cleanup(self, _auth, mock_api):
"""Merge OK + read-back GET failure => explicit cleanup skip, not silence."""
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot"),
*self._eligibility_merge_reads(),
*self._feedback_reads(),
{}, # merge POST
RuntimeError("HTTP 502: Gitea upstream unavailable"), # read-back fails
@@ -919,7 +927,7 @@ class TestMergePR(unittest.TestCase):
self.assertEqual(r["cleanup_status"], "skipped (merge read-back failed)")
# No tracker-cleanup API traffic after the failed read-back:
# user, PR (eligibility), feedback PR+reviews, merge POST, read-back.
self.assertEqual(mock_api.call_count, 6)
self.assertEqual(mock_api.call_count, 8)
for c in mock_api.call_args_list:
self.assertNotEqual(c.args[0], "DELETE")
@@ -930,7 +938,7 @@ class TestMergePR(unittest.TestCase):
def test_cleanup_exception_surfaced_and_redacted(self, _auth, mock_api, _cleanup):
"""Unexpected cleanup exception => merge still succeeds; error surfaced redacted."""
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot"),
*self._eligibility_merge_reads(),
*self._feedback_reads(),
{}, # merge POST
{"merged_commit_sha": "c9"}, # read-back OK
@@ -1142,8 +1150,10 @@ class TestMergePR(unittest.TestCase):
@patch("mcp_server.api_request")
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
def test_head_sha_mismatch_blocks(self, _auth, mock_api):
# Eligibility (#695) needs approval feedback before head-gate runs.
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot", sha="abc123")]
*self._eligibility_merge_reads(sha="abc123"),
]
env = {"GITEA_PROFILE_NAME": "gitea-merger",
"GITEA_ALLOWED_OPERATIONS": "read,merge"}
with patch.dict(os.environ, env, clear=True):
@@ -1162,7 +1172,7 @@ class TestMergePR(unittest.TestCase):
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
def test_changed_files_mismatch_blocks(self, _auth, mock_api):
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot"),
*self._eligibility_merge_reads(),
[{"filename": "a.py"}, {"filename": "c.py"}], # actual files
]
env = {"GITEA_PROFILE_NAME": "gitea-merger",
@@ -1193,7 +1203,7 @@ class TestMergePR(unittest.TestCase):
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
def test_output_redacts_secrets(self, _auth, mock_api):
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot"),
*self._eligibility_merge_reads(),
*self._feedback_reads(),
{}, {"merged_commit_sha": "c1"},
]
@@ -1213,7 +1223,7 @@ class TestMergePR(unittest.TestCase):
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
def test_merge_error_message_redacts_credential(self, _auth, mock_api):
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot"),
*self._eligibility_merge_reads(),
*self._feedback_reads(),
RuntimeError("HTTP 500: token abc-secret-xyz rejected"),
]
@@ -1234,6 +1244,7 @@ class TestMergePR(unittest.TestCase):
def test_merge_blocked_on_stale_approval_head(self, _auth, mock_api):
old_sha = "8b61c4b41f1b49b271ed3b99657431cf06eeda3e"
new_sha = "3e4b721d60e97147ba0704773cf57cd0d42cbe31"
# #695: eligibility itself now fails closed on stale approval head.
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot", sha=new_sha),
self._pr("author-bot", sha=new_sha),
@@ -1256,6 +1267,7 @@ class TestMergePR(unittest.TestCase):
@patch("mcp_server.api_request")
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
def test_merge_blocked_without_visible_approval(self, _auth, mock_api):
# #695: eligibility denies merge when no non-quarantined APPROVED review.
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot"),
self._pr("author-bot"),
@@ -1270,12 +1282,21 @@ class TestMergePR(unittest.TestCase):
)
self.assertFalse(r["performed"])
self.assertFalse(r.get("approval_visible"))
self.assertTrue(any("no visible APPROVED review" in x for x in r["reasons"]))
self.assertTrue(
any(
"no non-quarantined APPROVED review" in x
or "no visible APPROVED review" in x
or "merge eligibility denied" in x
for x in r["reasons"]
),
msg=r["reasons"],
)
self._assert_no_merge_call(mock_api)
@patch("mcp_server.api_request")
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
def test_merge_blocked_on_request_changes(self, _auth, mock_api):
# #695: eligibility denies merge on undismissed REQUEST_CHANGES.
mock_api.side_effect = [
{"login": "merger-bot"}, self._pr("author-bot"),
self._pr("author-bot"),
+20
View File
@@ -54,6 +54,26 @@ class TestMergeApprovalGate(unittest.TestCase):
self.assertFalse(result["approval_at_current_head"])
self.assertIsNone(result["latest_approved_head_sha"])
def test_quarantined_approval_void_for_merge(self):
"""#695: contaminated formal review at head must not authorize merge."""
result = assess_merge_approval_head(
current_head_sha=HEAD_NEW,
latest_by_reviewer={
"sysadmin": {
"verdict": "APPROVED",
"dismissed": False,
"reviewed_head_sha": HEAD_NEW,
"review_id": 427,
"submitted_at": "2026-07-13T07:20:00Z",
}
},
quarantined_review_ids={427},
)
self.assertFalse(result["approval_at_current_head"])
self.assertEqual(result["quarantined_approvals_at_current_head"], 1)
self.assertIn("quarantined", result["stale_approval_block_reason"])
self.assertIn("#695", result["stale_approval_block_reason"])
if __name__ == "__main__":
unittest.main()
+14 -1
View File
@@ -206,7 +206,20 @@ class TestEligibilityNormalizesOperations(unittest.TestCase):
def test_namespaced_profile_ops_allow_legacy_action(self, _auth, mock_api):
# JSON-config profiles carry canonical namespaced ops; the raw action
# "merge" must still match them after normalization.
mock_api.side_effect = [{"login": "merger-bot"}, self._pr("author-bot")]
# #695: merge eligibility also loads quarantine-aware review feedback.
mock_api.side_effect = [
{"login": "merger-bot"},
self._pr("author-bot"),
self._pr("author-bot"),
[{
"id": 1,
"user": {"login": "reviewer-bot"},
"state": "APPROVED",
"commit_id": "abc123",
"submitted_at": "2026-07-06T10:00:00Z",
"dismissed": False,
}],
]
env = {"GITEA_PROFILE_NAME": "gitea-merger",
"GITEA_ALLOWED_OPERATIONS": "gitea.read,gitea.pr.merge"}
with patch.dict(os.environ, env, clear=True):