Add fail-closed proofs for blind PR queue review workflow (Issue #173) #176
No Reviewers
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
No labels
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#176
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
This PR addresses Gitea-Tools Issue #173 by adding the reviewer-side workflow proofs, tests, and harness assertions for blind PR queue reviews.
Changes:
review_proofs.py— pure, fail-closed proof helpers:verify_pinned_head_checkout: proves localHEADequals the pinned PR head SHA (full 40-hex, prefix/abbreviated matches rejected) and that the diff base is the PR base branch; any mismatch blocks review/merge.assess_inventory_completeness: an exhaustive "only PRs found" claim requires every configured repository listed with a stated state filter, proven pagination, and a reported total open-PR count.assess_validation_report: a validation result is unclaimable unless the exact command was stated and its output read; missing passed/failed/skipped counts, unjustified ignored paths, or unexplained deviation from the canonical command downgrade the report to "weak".assess_self_review_contamination: contamination must be evidence-backed; a same-session authorship claim without an evidence source (in either direction) yields "unknown" with a choose-another-PR-or-stop action — never an assumed verdict.build_final_report: distinguishes identity eligibility, author/reviewer distinctness, session contamination, validation-on-pinned-head, merge performed, and issue verification; grades "A" only when every proof is present, downgrades otherwise, and marks a merge performed without allowing proofs as a blocked violation.tests/test_review_proofs.py(35 tests) covering all seven Required-behavior-7 harness assertions from the issue, including: fetched-but-unchecked-out pinned head blocks merge; complete multi-repo inventory; unfinished pagination refuses the exhaustive claim; missing test counts flagged weak; contamination requires evidence; unread output cannot claim validation passed; ignored paths need explicit justification.skills/llm-project-workflow/SKILL.md§F andskills/llm-project-workflow/templates/review-pr.mdupdated to require the checkout proof, inventory proof, exact validation reporting, evidence-backed contamination assessment, and the distinguished final report.No review/merge safety gate is weakened; the MCP-level gates (mcp-control-plane #68/#76) remain authoritative for mutations.
Validation:
venv/bin/pytest tests/test_review_proofs.py -q: 35 passedvenv/bin/pytest tests/ --ignore=branches -q(canonical;branches/holds review worktrees that duplicate test module names and break collection): 681 tests, 0 failures, 0 errors, 6 skipped (exit 0; counts read from junitxml because a pre-existing suite quirk closes stdout mid-run — noted below)py_compileon both new files: passedgit diff --check(unstaged and staged): passedNote for reviewers: running the full suite prints no terminal output (stdout appears to be closed by a test mid-run) even though the run passes; junitxml confirms the counts. This quirk pre-exists this branch and may deserve its own issue.
Closes #173
I have checked out head SHA
ccc5ef79df, verified it matches local HEAD, and reviewed the diff against master. The changes successfully add fail-closed proof helpers to review_proofs.py and comprehensive tests to test_review_proofs.py, addressing all requirements of Issue #173. All targeted and full suite tests pass successfully.