Add fail-closed branch-identity proofs for author commit/push workflow (Issue #177) #181

Merged
sysadmin merged 1 commits from feat/issue-177-branch-drift-proofs into master 2026-07-05 15:13:24 -05:00
Owner

This PR addresses Gitea-Tools Issue #177 by adding author-side branch-identity proofs — the counterpart of the #173 reviewer proofs — so branch drift and accidental protected-branch commits are blocked by fail-closed gates instead of repaired after detection.

Changes:

  1. New author_proofs.py — pure, fail-closed helpers:
    • verify_branch_for_commit: current branch must equal the intended feature branch and may never be a protected branch (master, main, develop, development, dev); missing state fails closed.
    • detect_branch_drift: any branch or HEAD change between validation time and commit time — including an external branch switch in a shared worktree, treated as an expected event to detect — blocks the commit until reconciled.
    • verify_push_target: a push requires local branch, remote target branch, and intended issue branch to all match, none protected.
    • assess_protected_branch_commit: an accidental protected-branch commit must never be pushed, requires repair, and the repair must be reported — pushing the accident or silently continuing is a violation.
    • build_commit_push_report: final-report block carrying the branch proof before commit and before push; any failed proof, drift, or violation makes the status "blocked".
  2. New tests/test_author_proofs.py (27 tests) covering the issue's Required-behavior-5 harness assertions: commit attempted on master is blocked; branch drift between validation and commit is blocked; push target mismatch is blocked; shared-worktree branch switch is detected; the repair path cannot silently continue without reporting.
  3. skills/llm-project-workflow/SKILL.md §E and skills/llm-project-workflow/templates/start-issue.md now require recording the validation-time branch/HEAD, the branch proof before commit, the branch proof before push, and non-silent accident repair (steps renumbered accordingly).

No review, merge, permission, identity, redaction, or reconciliation gate is weakened.

Process note: this PR was implemented in an isolated worktree (branches/feat-issue-177-branch-drift-proofs) per SKILL.md §B — the main checkout was on another session's branch (feat/issue-178-...) throughout, which is exactly the shared-worktree hazard this issue addresses; the new proofs were also applied live before this PR's own commit and push.

Validation (worktree HEAD 941ada38c2b95067294c18eb86f18b4437e6c822, base master @ 64dc334):

  • venv/bin/pytest tests/test_author_proofs.py -q: 27 passed
  • venv/bin/pytest tests/ --ignore=branches -q (canonical form): 708 tests, 0 failures, 0 errors, 6 skipped, exit 0 (counts read from junitxml due to the pre-existing stdout-capture quirk tracked in #178)
  • py_compile on both new files: passed
  • git diff --check (working tree and staged): passed
  • Secret/provenance sweep over the staged diff: clean; only doc-text phrases ("secret scan"), no URLs or credentials

Closes #177

Co-Authored-By: Claude Fable 5 [email protected]

This PR addresses Gitea-Tools Issue #177 by adding author-side branch-identity proofs — the counterpart of the #173 reviewer proofs — so branch drift and accidental protected-branch commits are blocked by fail-closed gates instead of repaired after detection. Changes: 1. New `author_proofs.py` — pure, fail-closed helpers: - `verify_branch_for_commit`: current branch must equal the intended feature branch and may never be a protected branch (`master`, `main`, `develop`, `development`, `dev`); missing state fails closed. - `detect_branch_drift`: any branch or HEAD change between validation time and commit time — including an external branch switch in a shared worktree, treated as an expected event to detect — blocks the commit until reconciled. - `verify_push_target`: a push requires local branch, remote target branch, and intended issue branch to all match, none protected. - `assess_protected_branch_commit`: an accidental protected-branch commit must never be pushed, requires repair, and the repair must be reported — pushing the accident or silently continuing is a violation. - `build_commit_push_report`: final-report block carrying the branch proof before commit and before push; any failed proof, drift, or violation makes the status "blocked". 2. New `tests/test_author_proofs.py` (27 tests) covering the issue's Required-behavior-5 harness assertions: commit attempted on `master` is blocked; branch drift between validation and commit is blocked; push target mismatch is blocked; shared-worktree branch switch is detected; the repair path cannot silently continue without reporting. 3. `skills/llm-project-workflow/SKILL.md` §E and `skills/llm-project-workflow/templates/start-issue.md` now require recording the validation-time branch/HEAD, the branch proof before commit, the branch proof before push, and non-silent accident repair (steps renumbered accordingly). No review, merge, permission, identity, redaction, or reconciliation gate is weakened. Process note: this PR was implemented in an isolated worktree (`branches/feat-issue-177-branch-drift-proofs`) per SKILL.md §B — the main checkout was on another session's branch (`feat/issue-178-...`) throughout, which is exactly the shared-worktree hazard this issue addresses; the new proofs were also applied live before this PR's own commit and push. Validation (worktree HEAD `941ada38c2b95067294c18eb86f18b4437e6c822`, base `master` @ `64dc334`): - `venv/bin/pytest tests/test_author_proofs.py -q`: 27 passed - `venv/bin/pytest tests/ --ignore=branches -q` (canonical form): 708 tests, 0 failures, 0 errors, 6 skipped, exit 0 (counts read from junitxml due to the pre-existing stdout-capture quirk tracked in #178) - `py_compile` on both new files: passed - `git diff --check` (working tree and staged): passed - Secret/provenance sweep over the staged diff: clean; only doc-text phrases ("secret scan"), no URLs or credentials Closes #177 Co-Authored-By: Claude Fable 5 <[email protected]>
jcwalker3 added 1 commit 2026-07-05 14:17:04 -05:00
Adds author_proofs.py, the author-side counterpart of review_proofs.py
(#173), turning the branch-drift incident from PR #176 into fail-closed
gates:

- verify_branch_for_commit: the current branch must equal the intended
  feature branch and may never be a protected branch (master, main,
  develop, development, dev); missing state fails closed.
- detect_branch_drift: any branch or HEAD change between validation time
  and commit time — including an external branch switch in a shared
  worktree, which is treated as an expected event to detect — blocks the
  commit until reconciled.
- verify_push_target: a push requires the local branch, remote target
  branch, and intended issue branch to all match, none protected.
- assess_protected_branch_commit: an accidental protected-branch commit
  must never be pushed, requires repair, and the repair must be reported;
  pushing the accident or silently continuing is a violation.
- build_commit_push_report: final-report block carrying the branch proof
  before commit and before push; any failed proof, drift, or violation
  makes the status blocked.

tests/test_author_proofs.py (27 tests) covers the issue's harness
assertions: commit on master blocked; drift between validation and commit
blocked; push target mismatch blocked; shared-worktree branch switch
detected; repair path cannot silently continue without reporting.

SKILL.md section E and templates/start-issue.md now require recording the
validation-time branch/HEAD, the branch proof before commit, the branch
proof before push, and non-silent accident repair. No review/merge/
permission gate is weakened.

Closes #177

Co-Authored-By: Claude Fable 5 <[email protected]>
sysadmin reviewed 2026-07-05 15:01:35 -05:00
sysadmin left a comment
Owner

Blind reviewer run (profile prgs-reviewer, identity sysadmin, distinct from author jcwalker3). Reviewed only pinned head SHA 941ada38c2b95067294c18eb86f18b4437e6c822 in a detached scratch worktree; live-state recheck immediately before this verdict confirmed the head SHA, base (master), open state, and mergeability are unchanged.

Scope: changed files exactly match the PR description and Issue #177 — new author_proofs.py, new tests/test_author_proofs.py, and the SKILL.md §E / start-issue.md workflow wiring. No unrelated edits, no runtime gate touched; helpers are pure and strictly additive, so no review/merge/permission/identity gate is weakened.

Coverage vs #177: Required behaviors 1–4 implemented fail-closed (protected-branch block, validation→commit drift including external shared-worktree switches, push-target triple match, non-silent accident repair), and all five Required-behavior-5 harness assertions have direct tests. Acceptance criteria met: build_commit_push_report carries the commit and push proofs and blocks on any failure, and SKILL.md now requires the proofs in the final report.

Validation at pinned SHA (exact results):

  • venv/bin/python -m pytest tests/test_author_proofs.py -q → 27 passed
  • PYTHONPATH=. venv/bin/python -m pytest tests/ --ignore=branches -q → 702 passed, 6 skipped, 0 failures (count differs from the PR body's 708 because master has advanced; suite is green at the current merge-base)
  • python -m py_compile author_proofs.py tests/test_author_proofs.py → OK
  • git diff --check <merge-base>..HEAD → clean
  • Secret/provenance sweep: git diff <merge-base>..HEAD | grep -inE "password|api[_-]?key|authorization|bearer|token|secret|BEGIN (RSA|EC|OPENSSH|PRIVATE)|https?://" → only doc-text phrases ("secret scan"), no credentials or endpoints

Non-blocking note: Required behavior 1's "worktree path matches the intended issue/branch worktree when applicable" has no corresponding helper; the implemented branch/HEAD identity proofs cover the incident class, and the qualifier makes this optional, but a follow-up verify_worktree_path would close it fully.

APPROVE. Merge not performed: this session's MCP profile is prgs-author (merge forbidden), and the gated gitea_merge_pr MCP path is the only allowed merge route — approve-and-stop per capability rules.

Blind reviewer run (profile `prgs-reviewer`, identity `sysadmin`, distinct from author `jcwalker3`). Reviewed only pinned head SHA `941ada38c2b95067294c18eb86f18b4437e6c822` in a detached scratch worktree; live-state recheck immediately before this verdict confirmed the head SHA, base (`master`), open state, and mergeability are unchanged. Scope: changed files exactly match the PR description and Issue #177 — new `author_proofs.py`, new `tests/test_author_proofs.py`, and the SKILL.md §E / start-issue.md workflow wiring. No unrelated edits, no runtime gate touched; helpers are pure and strictly additive, so no review/merge/permission/identity gate is weakened. Coverage vs #177: Required behaviors 1–4 implemented fail-closed (protected-branch block, validation→commit drift including external shared-worktree switches, push-target triple match, non-silent accident repair), and all five Required-behavior-5 harness assertions have direct tests. Acceptance criteria met: `build_commit_push_report` carries the commit and push proofs and blocks on any failure, and SKILL.md now requires the proofs in the final report. Validation at pinned SHA (exact results): - `venv/bin/python -m pytest tests/test_author_proofs.py -q` → 27 passed - `PYTHONPATH=. venv/bin/python -m pytest tests/ --ignore=branches -q` → 702 passed, 6 skipped, 0 failures (count differs from the PR body's 708 because master has advanced; suite is green at the current merge-base) - `python -m py_compile author_proofs.py tests/test_author_proofs.py` → OK - `git diff --check <merge-base>..HEAD` → clean - Secret/provenance sweep: `git diff <merge-base>..HEAD | grep -inE "password|api[_-]?key|authorization|bearer|token|secret|BEGIN (RSA|EC|OPENSSH|PRIVATE)|https?://"` → only doc-text phrases ("secret scan"), no credentials or endpoints Non-blocking note: Required behavior 1's "worktree path matches the intended issue/branch worktree when applicable" has no corresponding helper; the implemented branch/HEAD identity proofs cover the incident class, and the qualifier makes this optional, but a follow-up `verify_worktree_path` would close it fully. APPROVE. Merge not performed: this session's MCP profile is `prgs-author` (merge forbidden), and the gated `gitea_merge_pr` MCP path is the only allowed merge route — approve-and-stop per capability rules.
sysadmin reviewed 2026-07-05 15:13:22 -05:00
sysadmin left a comment
Owner

Blind review (sysadmin / prgs-reviewer)

Pinned head: 941ada38c2b95067294c18eb86f18b4437e6c822
Live head recheck: matches pinned SHA; PR open and mergeable.

Scope (#177)

Adds pure fail-closed author_proofs.py helpers for branch identity at commit/push time, 27 harness tests covering all issue #177 assertions, and wires requirements into llm-project-workflow skill docs. No unrelated files; no review/merge/permission gate changes.

Validation (reviewer rerun)

  • python3 -m py_compile author_proofs.py tests/test_author_proofs.py — passed
  • pytest tests/test_author_proofs.py27 passed
  • pytest tests/ --ignore=branches708 passed, 6 skipped, 0 failures
  • git diff --check prgs/master...HEAD — clean
  • Secret sweep (git diff prgs/master...HEAD | grep -iE ...) — only benign doc phrase secret scan in SKILL.md

Notes

  • Worktree path proof from issue req #1 is still prompt/skill-level (§B); branch/HEAD drift detection covers shared-checkout switches. Acceptable for this issue scope.
  • Branch is behind current master but API reports mergeable; no conflicts at review time.

Approved.

## Blind review (sysadmin / prgs-reviewer) **Pinned head:** `941ada38c2b95067294c18eb86f18b4437e6c822` **Live head recheck:** matches pinned SHA; PR open and mergeable. ### Scope (#177) Adds pure fail-closed `author_proofs.py` helpers for branch identity at commit/push time, 27 harness tests covering all issue #177 assertions, and wires requirements into llm-project-workflow skill docs. No unrelated files; no review/merge/permission gate changes. ### Validation (reviewer rerun) - `python3 -m py_compile author_proofs.py tests/test_author_proofs.py` — passed - `pytest tests/test_author_proofs.py` — **27 passed** - `pytest tests/ --ignore=branches` — **708 passed, 6 skipped, 0 failures** - `git diff --check prgs/master...HEAD` — clean - Secret sweep (`git diff prgs/master...HEAD | grep -iE ...`) — only benign doc phrase `secret scan` in SKILL.md ### Notes - Worktree *path* proof from issue req #1 is still prompt/skill-level (§B); branch/HEAD drift detection covers shared-checkout switches. Acceptable for this issue scope. - Branch is behind current `master` but API reports mergeable; no conflicts at review time. Approved.
sysadmin merged commit 2b6a60a189 into master 2026-07-05 15:13:24 -05:00
Sign in to join this conversation.
No Reviewers
No labels
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#181