Harden blind PR queue review workflow: require checked-out pinned head, complete inventory, and evidence-backed eligibility #173
Closed
opened 2026-07-05 13:14:12 -05:00 by jcwalker3
·
6 comments
No Branch/Tag Specified
master
fix/issue-709-decision-lock-cross-profile
fix/issue-695-native-transport-quarantine
fix/issue-698-report-validator-schema
fix/issue-702-stale-binding-lease-recovery
fix/issue-699-structured-auth-mcp-errors
fix/issue-695-native-quarantine-v2
fix/issue-693-review-decision-lock-recovery
fix/issue-691-obsolete-reviewer-lease-cleanup
feat/issue-687-reconciler-branch-delete
fix/issue-683-workflow-guard-hardening
chore/issue-681-preserve-review-session-wip
feat/issue-604-anti-stomp-preflight
feat/issue-606-sentry-observability
fix/issue-671-block-stable-branch-push
fix/issue-675-residual-preflight-remediation
fix/issue-673-remediate-regressions-part2
fix/issue-673-remediate-regressions
feat/issue-603-lifecycle-labels
fix/issue-627-set-issue-labels-pagination
feat/issue-601-first-class-leases
feat/issue-612-incident-bridge
feat/issue-600-controller-allocator-api
fix/issue-620-head-scoped-review-locks
feat/issue-613-allocator-db-substrate
docs/mcp-stable-control-runtime-policy
feat/issue-609-prepared-review-verdict-resume
feat/issue-610-live-remote-parity
feat/issue-503-reviewer-active-worktree
feat/issue-470-preflight-contract
feat/issue-440-lock-recovery
feat/issue-440-branch-recovery
feat/issue-458-queue-fail-closed-copy
feat/issue-400-early-duplicate-work-gate
feat/issue-308-reconcile-inventory-pagination
feat/issue-308-reconcile-pagination-proof
docs/issue-261-agent-temp-artifact-cleanup
feat/issue-262-map-commit-files
fix/infra-stop-conflict-marker-false-positive
feat/issue-139-role-aware-task-routing
feat/issue-188-continuation-selection-wall
feat/issue-189-continuation-mode-proofs
feat/issue-232-refresh-wiki-proof-heads
feat/issue-210-block-workspace-edits
feat/issue-204-exact-issue-lock
docs/issue-80-label-taxonomy
docs/issue-79-safety-boundary-updates
v1.1.0
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
No labels
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#173
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Problem:
A blind PR queue review run successfully used the reviewer namespace and merged Gitea-Tools PR #172, but the process only deserves a C+/B- because several review-quality gaps remain.
Observed gaps:
Pinned SHA vs local HEAD was not proven.
The agent fetched PR #172 and pinned
FETCH_HEADas0fdc8f582026b72a229d59a172c0a63ac4aaeaf9, but the command log does not clearly show that the local checkoutHEADwas switched to that SHA before diff review and validation. It later ran diffs/tests againstHEAD, which may have been the wrong branch.Open PR inventory may have been incomplete.
The report listed only:
But recent operator context expected additional open PRs unless already merged/closed. The report did not prove pagination, filters, repo coverage, or that only one open PR existed per repo.
Test reporting was not strong enough.
The default pytest collection failed due to duplicate import/worktree issues under
branches/. The agent then usedvenv/bin/pytest tests/ --ignore=branches, but did not provide a clear final pass count or document why that command is the canonical/acceptable validation command.Self-review contamination claim was not evidence-backed.
The agent marked mcp-control-plane PR #73 ineligible because it was supposedly authored in the same session under
prgs-author. That may be true, but the report did not show enough evidence to distinguish:jcwalker3, which is normally eligible forsysadmin / prgs-reviewerBackground/wait behavior was messy.
The run used scheduled/background-style waiting while trying to complete validation. The final report should only claim validation after the command has completed and the output has been read.
Required behavior:
Before reviewing or validating a selected PR, the workflow must explicitly prove:
HEAD == selected PR head SHAIf
HEADdoes not match the pinned PR head, stop before review/merge.Queue inventory must prove completeness:
Validation reporting must include exact commands and exact results:
Self-review contamination must be evidence-backed:
Final reports must distinguish:
Add tests or harness assertions for:
Acceptance criteria:
Related:
Additional evidence: Gemini review/merge of PR #174 (improved, still short of A)
Gemini reviewed and merged PR #174 as
sysadmin / prgs-reviewer(merged 2026-07-05T13:28:03-05:00, merge commitae7a39049553f219e466e6e08e38bed9894b9295). Improvement over the PR #172 run documented in this issue's body: it checked out the pinned PR head and claimed localHEADmatched the reviewed SHA before validation — addressing observed gap 1.Remaining gaps in this run:
gitea-authorandgitea-reviewernamespaces during a reviewer task (same pattern as #175).gitea_activate_profileeven though static-profile workflows should reconnect to the correct namespace instead of switching in-place.3ff3affa6435199c7d35aec836bce357fa72d4bfdiffered from the author-run-reported SHA3ff3aff8a4020c6a51d95ee2be979c6b659c25f4; the reviewer did not explicitly reconcile handoff SHA vs live head SHA.Operator-side reconciliation of item 5 (live check, read-only):
git ls-remoteshowsrefs/heads/feat/issue-171-redact-raw-urls=3ff3affa6435199c7d35aec836bce357fa72d4bf— Gemini reviewed the true live head. The author-reported full SHA3ff3aff8a4…does not exist on the remote; both share only the 7-char prefix3ff3aff, so the author run appears to have misreported an expanded full SHA from a short one. Verdict: reviewer validated the right code, but only by luck of reviewing live state — a handoff-vs-live SHA reconciliation step would have caught and documented the author-side misreport instead of leaving it ambiguous. This incident is now the canonical motivating example for the reconciliation requirement below.Scope addenda for this issue:
gitea_activate_profile, recommending reconnection to the correct namespace instead.gitea-reviewerunless author-namespace usage is explicitly justified in the report (role-boundary wall proper is #175).Updated acceptance bar: a blind PR review earns an A only when it proves complete queue inventory, uses clean reviewer-only role boundaries, validates the exact pinned live PR head, reports exact aggregate test counts, and reconciles any handoff-vs-live SHA mismatch before merge.
Additional evidence: A- review/merge run (mcp-control-plane PR #73) — best run so far, four gaps from A
Third graded blind-review run in this record; grade trend C+/B- (PR #172) → B (PR #174) → A- (PR #73). Merge verified live: PR #73 merged 2026-07-05T13:32:50-05:00, merge commit
5e486652e192a6caa7e874353eae549f6ed865cc.What went well (A- baseline behaviors, now the expected floor):
sysadmin / prgs-reviewer; no author-role pivot (contrast with the #175 evidence runs).HEADverified to matchb5caab87ad7154748431729be4f4020dc08e843f— required behavior 1 of this issue, satisfied.421 passed, 13 skipped— required behavior 4, satisfied.Remaining gaps for a full A:
0 open(required behavior 3 — still the most common miss across all graded runs).REQUEST_CHANGESfixes — "suite green" is not a review.REQUEST_CHANGESexisted (at6717c33e…) but the report did not list the old blockers and map each to its fix in the new diff.Scope addendum for this issue: add to required reporting — when prior request-changes reviews exist, enumerate each prior blocker and the exact diff element resolving it; high-risk PRs require per-gate findings, not just aggregate test results.
Cross-reference: PR #73 merging activates the mcp-control-plane #76 decision rule — each acceptance-matrix wall must now be verified as implemented-with-tests or explicitly tracked out-of-scope. The PR body claims walls for identity, capability, checkout-proof, merge authorization, duplicate search, and report validation; #76 remains the open tracker for verifying those claims against the matrix.
Required acceptance case: stop cleanly when live PR state changes during review (positive example)
First fully-positive stale-state evidence in this record — a concurrent reviewer race handled correctly. Add as a required acceptance case.
Evidence:
A reviewer session for mcp-control-plane PR #73 authenticated correctly as
sysadmin / prgs-reviewer, pinned PR headb5caab87ad7154748431729be4f4020dc08e843f, checked out that exact SHA locally, and ran validation successfully:173 passed421 passed, 13 skippedpy_compile: passedgit diff --check: passedBefore submitting a review or merge, the agent rechecked live PR state and found the PR had changed:
closedmerged_at:2026-07-05T13:32:50-05:00merge_commit_sha:5e486652e192a6caa7e874353eae549f6ed865cc(Consistent with this tracker's prior comment: PR #73 was merged by the A- graded reviewer run at exactly that timestamp — this session lost the race and detected it.)
Correct behavior observed:
Required behavior (add to this issue's requirements):
Tests/harness assertions to add:
Acceptance criterion: a blind PR review earns an A when it detects live PR state changes before mutation and stops without posting stale approval/merge actions.
Cross-reference: this is the workflow-level counterpart of mcp-control-plane #76 wall 4 ("live PR state must be re-read immediately before approval/merge") — this run proves the behavior is achievable and should be the tested norm. Note the merged #73 implementation itself claims this gate; this evidence predates/validates it at the workflow level.
Scope addendum: identity-first execution and complete configured-repo inventory
Title for this addendum: Require identity-first execution and complete configured-repo inventory in blind PR queue reviews
Problem:
A reviewer run safely stopped after finding no open PRs in
Scaled-Tech-Consulting/mcp-control-plane, but the blind PR review harness/prompt still showed quality gaps that should be made explicit and testable.Observed behavior:
gitea_list_prsbeforegitea_whoami.sysadmin / prgs-reviewer.Scaled-Tech-Consulting/mcp-control-plane.0open PRs there.Scaled-Tech-Consulting/Gitea-Tools.Problems to harden:
0open PRs in one repo must not be reported as the whole queue being fully reviewed and merged.0open PRs must not be reported asno follow-up, because open issues may still remain.Required behavior:
whoamiScaled-Tech-Consulting/Gitea-ToolsScaled-Tech-Consulting/mcp-control-planequeue fully reviewed and mergedunless:no follow-upunless issue inventory was also requested and checked. Otherwise say:No open PRs found in the checked repo.Issue backlog was not checked.Tests / harness assertions to add:
gitea_whoamimust precedegitea_list_prs.no follow-upclaim is blocked unless issue backlog was checked.Acceptance criteria addendum:
Required acceptance case: all configured repositories before claiming no open PRs
Section title: Blind PR queue review must check all configured repositories before claiming no open PRs
Evidence:
A reviewer run authenticated correctly as
sysadmin / prgs-reviewerand checkedScaled-Tech-Consulting/mcp-control-plane. It found zero open PRs there and stopped.However, at the same time, Gitea-Tools PR #176 was open:
Scaled-Tech-Consulting/Gitea-ToolsAdd fail-closed proofs for blind PR queue review workflow (Issue #173)jcwalker3feat/issue-173-reviewer-workflow-proofsmasterObserved incorrect behavior:
mcp-control-planehad zero open PRs.Scaled-Tech-Consulting/Gitea-Tools.Required behavior:
Scaled-Tech-Consulting/Gitea-ToolsScaled-Tech-Consulting/mcp-control-planeOnly <repo> was checked.Other configured repositories were not inventoried.This is not a complete blind queue review.no eligible open PRsqueue emptyqueue fully reviewedno follow-upmcp-control-planehas zero open PRs andGitea-Toolshas PR #176 open, the blind queue workflow must find PR #176.Acceptance criteria addendum:
Scoped single-repo inventory is safe only when the operator explicitly scopes the task
Evidence:
Codex authenticated correctly as
sysadmin / prgs-reviewerand checked only:Scaled-Tech-Consulting/mcp-control-planeIt found:
gitea_list_prs(state=open)returned[]0At the same time, Gitea-Tools PR #176 remained open:
Scaled-Tech-Consulting/Gitea-ToolsAdd fail-closed proofs for blind PR queue review workflow (Issue #173)jcwalker3feat/issue-173-reviewer-workflow-proofsmasterPositive behavior:
Codex correctly scoped its conclusion by saying:
“This conclusion applies only to
Scaled-Tech-Consulting/mcp-control-plane.”Remaining workflow gap:
If the operator asked for a blind/open-PR queue review, the workflow still failed to check all configured repositories and missed open PR #176.
Required behavior:
If the task is explicitly scoped to one repo, a single-repo inventory is acceptable, but the final report must clearly say it is scoped.
If the task is blind or general, such as:
then the workflow must inventory all configured repositories before stopping:
Scaled-Tech-Consulting/Gitea-ToolsScaled-Tech-Consulting/mcp-control-planeThe workflow must classify the task scope before inventory:
Add tests/harness assertions:
mcp-control-planetask may stop after checking only that repoAcceptance criteria: