Add fail-closed branch-identity proofs for author commit/push workflow (Issue #177) #181
No Reviewers
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
No labels
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#181
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
This PR addresses Gitea-Tools Issue #177 by adding author-side branch-identity proofs — the counterpart of the #173 reviewer proofs — so branch drift and accidental protected-branch commits are blocked by fail-closed gates instead of repaired after detection.
Changes:
author_proofs.py— pure, fail-closed helpers:verify_branch_for_commit: current branch must equal the intended feature branch and may never be a protected branch (master,main,develop,development,dev); missing state fails closed.detect_branch_drift: any branch or HEAD change between validation time and commit time — including an external branch switch in a shared worktree, treated as an expected event to detect — blocks the commit until reconciled.verify_push_target: a push requires local branch, remote target branch, and intended issue branch to all match, none protected.assess_protected_branch_commit: an accidental protected-branch commit must never be pushed, requires repair, and the repair must be reported — pushing the accident or silently continuing is a violation.build_commit_push_report: final-report block carrying the branch proof before commit and before push; any failed proof, drift, or violation makes the status "blocked".tests/test_author_proofs.py(27 tests) covering the issue's Required-behavior-5 harness assertions: commit attempted onmasteris blocked; branch drift between validation and commit is blocked; push target mismatch is blocked; shared-worktree branch switch is detected; the repair path cannot silently continue without reporting.skills/llm-project-workflow/SKILL.md§E andskills/llm-project-workflow/templates/start-issue.mdnow require recording the validation-time branch/HEAD, the branch proof before commit, the branch proof before push, and non-silent accident repair (steps renumbered accordingly).No review, merge, permission, identity, redaction, or reconciliation gate is weakened.
Process note: this PR was implemented in an isolated worktree (
branches/feat-issue-177-branch-drift-proofs) per SKILL.md §B — the main checkout was on another session's branch (feat/issue-178-...) throughout, which is exactly the shared-worktree hazard this issue addresses; the new proofs were also applied live before this PR's own commit and push.Validation (worktree HEAD
941ada38c2b95067294c18eb86f18b4437e6c822, basemaster@64dc334):venv/bin/pytest tests/test_author_proofs.py -q: 27 passedvenv/bin/pytest tests/ --ignore=branches -q(canonical form): 708 tests, 0 failures, 0 errors, 6 skipped, exit 0 (counts read from junitxml due to the pre-existing stdout-capture quirk tracked in #178)py_compileon both new files: passedgit diff --check(working tree and staged): passedCloses #177
Co-Authored-By: Claude Fable 5 [email protected]
Blind reviewer run (profile
prgs-reviewer, identitysysadmin, distinct from authorjcwalker3). Reviewed only pinned head SHA941ada38c2b95067294c18eb86f18b4437e6c822in a detached scratch worktree; live-state recheck immediately before this verdict confirmed the head SHA, base (master), open state, and mergeability are unchanged.Scope: changed files exactly match the PR description and Issue #177 — new
author_proofs.py, newtests/test_author_proofs.py, and the SKILL.md §E / start-issue.md workflow wiring. No unrelated edits, no runtime gate touched; helpers are pure and strictly additive, so no review/merge/permission/identity gate is weakened.Coverage vs #177: Required behaviors 1–4 implemented fail-closed (protected-branch block, validation→commit drift including external shared-worktree switches, push-target triple match, non-silent accident repair), and all five Required-behavior-5 harness assertions have direct tests. Acceptance criteria met:
build_commit_push_reportcarries the commit and push proofs and blocks on any failure, and SKILL.md now requires the proofs in the final report.Validation at pinned SHA (exact results):
venv/bin/python -m pytest tests/test_author_proofs.py -q→ 27 passedPYTHONPATH=. venv/bin/python -m pytest tests/ --ignore=branches -q→ 702 passed, 6 skipped, 0 failures (count differs from the PR body's 708 because master has advanced; suite is green at the current merge-base)python -m py_compile author_proofs.py tests/test_author_proofs.py→ OKgit diff --check <merge-base>..HEAD→ cleangit diff <merge-base>..HEAD | grep -inE "password|api[_-]?key|authorization|bearer|token|secret|BEGIN (RSA|EC|OPENSSH|PRIVATE)|https?://"→ only doc-text phrases ("secret scan"), no credentials or endpointsNon-blocking note: Required behavior 1's "worktree path matches the intended issue/branch worktree when applicable" has no corresponding helper; the implemented branch/HEAD identity proofs cover the incident class, and the qualifier makes this optional, but a follow-up
verify_worktree_pathwould close it fully.APPROVE. Merge not performed: this session's MCP profile is
prgs-author(merge forbidden), and the gatedgitea_merge_prMCP path is the only allowed merge route — approve-and-stop per capability rules.Blind review (sysadmin / prgs-reviewer)
Pinned head:
941ada38c2b95067294c18eb86f18b4437e6c822Live head recheck: matches pinned SHA; PR open and mergeable.
Scope (#177)
Adds pure fail-closed
author_proofs.pyhelpers for branch identity at commit/push time, 27 harness tests covering all issue #177 assertions, and wires requirements into llm-project-workflow skill docs. No unrelated files; no review/merge/permission gate changes.Validation (reviewer rerun)
python3 -m py_compile author_proofs.py tests/test_author_proofs.py— passedpytest tests/test_author_proofs.py— 27 passedpytest tests/ --ignore=branches— 708 passed, 6 skipped, 0 failuresgit diff --check prgs/master...HEAD— cleangit diff prgs/master...HEAD | grep -iE ...) — only benign doc phrasesecret scanin SKILL.mdNotes
masterbut API reports mergeable; no conflicts at review time.Approved.