Prevent implicit reviewer-to-author role pivot during blind PR queue workflows #175
Closed
opened 2026-07-05 13:20:21 -05:00 by jcwalker3
·
5 comments
No Branch/Tag Specified
master
fix/issue-709-decision-lock-cross-profile
fix/issue-695-native-transport-quarantine
fix/issue-698-report-validator-schema
fix/issue-702-stale-binding-lease-recovery
fix/issue-699-structured-auth-mcp-errors
fix/issue-695-native-quarantine-v2
fix/issue-693-review-decision-lock-recovery
fix/issue-691-obsolete-reviewer-lease-cleanup
feat/issue-687-reconciler-branch-delete
fix/issue-683-workflow-guard-hardening
chore/issue-681-preserve-review-session-wip
feat/issue-604-anti-stomp-preflight
feat/issue-606-sentry-observability
fix/issue-671-block-stable-branch-push
fix/issue-675-residual-preflight-remediation
fix/issue-673-remediate-regressions-part2
fix/issue-673-remediate-regressions
feat/issue-603-lifecycle-labels
fix/issue-627-set-issue-labels-pagination
feat/issue-601-first-class-leases
feat/issue-612-incident-bridge
feat/issue-600-controller-allocator-api
fix/issue-620-head-scoped-review-locks
feat/issue-613-allocator-db-substrate
docs/mcp-stable-control-runtime-policy
feat/issue-609-prepared-review-verdict-resume
feat/issue-610-live-remote-parity
feat/issue-503-reviewer-active-worktree
feat/issue-470-preflight-contract
feat/issue-440-lock-recovery
feat/issue-440-branch-recovery
feat/issue-458-queue-fail-closed-copy
feat/issue-400-early-duplicate-work-gate
feat/issue-308-reconcile-inventory-pagination
feat/issue-308-reconcile-pagination-proof
docs/issue-261-agent-temp-artifact-cleanup
feat/issue-262-map-commit-files
fix/infra-stop-conflict-marker-false-positive
feat/issue-139-role-aware-task-routing
feat/issue-188-continuation-selection-wall
feat/issue-189-continuation-mode-proofs
feat/issue-232-refresh-wiki-proof-heads
feat/issue-210-block-workspace-edits
feat/issue-204-exact-issue-lock
docs/issue-80-label-taxonomy
docs/issue-79-safety-boundary-updates
v1.1.0
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
No labels
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#175
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Problem:
A blind PR queue review run started correctly under
gitea-reviewer, found no eligible PRs, then silently pivoted into author/implementer mode usinggitea-author. It selected issue #171, claimed it, implemented it, pushed a branch, and opened PR #174.That may have produced useful work, but it violates clean workflow boundaries. A reviewer queue task should not automatically become an author implementation task without explicit operator approval.
Observed behavior:
sysadmin / prgs-reviewerandjcwalker3 / prgs-authorin the same run.Required behavior:
Tests / harness assertions:
Acceptance criteria:
Related:
Additional evidence: second independent run with the same failure class (Grok, issue #170 / PR #172 run)
The issue body documents the #171/PR #174 pivot. A separate Grok run exhibits the same role-boundary and namespace-confusion pattern, confirming this is systemic, not a one-off:
Run summary: a blind PR queue workflow called both
gitea-reviewer/gitea_whoamiandgitea-author/gitea_whoami, selectedjcwalker3 / prgs-authoras the active role in its final report, then pivoted into author implementation: claimed issue #170, created branchfeat/issue-170-add-missing-166-req5-tests, pushed commit0fdc8f5, opened PR #172.Problems observed:
jcwalker3, without evidence that the current reviewer runtime/session authored or touched that branch.sysadmin / prgs-reviewersession should normally be eligible to review PRs authored byjcwalker3, unless same-session contamination is proven.tests/test_clear_provenance.py, which is not a diff-level secret scan.Scope addenda for this issue (beyond current body):
jcwalker3; current reviewer issysadmin; current LLM/session contaminated by prior author work.Cross-references: this run is the same one whose author-side gaps produced mcp-control-plane #77 and whose review-side merge (PR #172, by the subsequent blind reviewer run) produced #173. This comment adds its role-boundary dimension to the record.
Evidence from a Grok author run (issue #178 → branch
feat/issue-178-fix-test-suite-stdout-capture→ PR #180, headff4ab500df8447f4409b3e9cc262520e8076d806), relevant to this issue:jcwalker3 / prgs-author, inventoried both configured repositories, performed no review/approve/merge, and stopped after PR creation. No reviewer→author pivot occurred, so the role-boundary wall this issue specifies was respected (though still by convention, not enforcement).The full gap set from that run (missing Controller Handoff, unknown-capability claim proof, inexact sweep evidence, missing PR head SHA) is consolidated in #183; this issue remains the role-boundary wall on top of it.
Scoped inventory now reports sibling repo PRs, but blind review must continue to eligible PR selection
Evidence (operator-triaged reviewer run):
A reviewer run authenticated as
sysadmin / prgs-reviewer, checked both configured repositories, and produced a Controller Handoff.Inventory result:
Scaled-Tech-Consulting/mcp-control-plane: 0 open PRsScaled-Tech-Consulting/Gitea-Tools: 2 open PRsAdd fail-closed branch-identity proofs for author commit/push workflow (Issue #177)test: isolate CLI output capture with monkeypatch/redirect to fix stdout corruption in full suite (Issue #178)Positive behavior:
Controller HandoffRemaining workflow gap:
The run selected no PR because the target repo
mcp-control-planehad zero open PRs, even though open PRs existed in the configured queue. For an explicitly scoped mcp-control-plane check, this is correct. For a blind/open-queue review task, the workflow should continue to select an eligible PR from Gitea-Tools instead of stopping. This refines Required behavior 2 of this issue: "no eligible PRs exist" must mean across all configured repositories, not "the first-inspected repo is empty".Required behavior (additive to this issue's list):
Scope: single-repo inventoryScope: multi-repo blind queue reviewAdditional tests/harness assertions:
Acceptance criteria (additive):
Cross-references:
review_proofs.assess_inventory_completeness(#173, merged in PR #176) already proves multi-repo listing completeness — the scope classification and continue-to-selection rule above sit on top of it; #183 gap 1 covers the Controller Handoff presence requirement this extends with theScope:line.Claimed for author implementation under
jcwalker3 / prgs-author.Branch:
feat/issue-175-role-pivot-wallWorktree:
branches/feat-issue-175-role-pivot-wallScope: add fail-closed role-boundary proof coverage for blind PR queue workflows so a reviewer queue task cannot silently pivot into author implementation without explicit operator authorization. I will keep this scoped to proof helpers/tests/docs for #175, avoid review/merge actions, and stop after opening a PR.
Claim note:
gitea_resolve_task_capability(task='mark_issue')failed closed as unknown in the current live controller, so I am not applying thestatus:in-progresslabel via that path; this claim uses the explicitly allowedgitea.issue.commentcapability.Selection & Autonomy Gap in Reviewer Queue Workflows
Observed behavior:
A reviewer session correctly identified that the best next action was to review open Gitea-Tools PRs, but then asked the operator how to proceed instead of selecting the next eligible PR itself.
Problem:
When the task is “continue the queue” and the active role is
sysadmin / prgs-reviewer, the workflow should not ask the operator to choose between eligible PRs. It should apply the selection rules, pick exactly one eligible PR, and proceed.Required behavior:
Acceptance criteria:
A reviewer queue run earns an A only when it inventories the queue, selects exactly one eligible PR using deterministic rules, proceeds with review, or stops with evidence. It must not punt selection back to the operator when enough information exists to proceed.