Harden issue-filing final reports: Controller Handoff, full SHAs, and exact mutation capability proof #191
Closed
opened 2026-07-05 14:42:56 -05:00 by jcwalker3
·
4 comments
No Branch/Tag Specified
master
fix/issue-709-decision-lock-cross-profile
fix/issue-695-native-transport-quarantine
fix/issue-698-report-validator-schema
fix/issue-702-stale-binding-lease-recovery
fix/issue-699-structured-auth-mcp-errors
fix/issue-695-native-quarantine-v2
fix/issue-693-review-decision-lock-recovery
fix/issue-691-obsolete-reviewer-lease-cleanup
feat/issue-687-reconciler-branch-delete
fix/issue-683-workflow-guard-hardening
chore/issue-681-preserve-review-session-wip
feat/issue-604-anti-stomp-preflight
feat/issue-606-sentry-observability
fix/issue-671-block-stable-branch-push
fix/issue-675-residual-preflight-remediation
fix/issue-673-remediate-regressions-part2
fix/issue-673-remediate-regressions
feat/issue-603-lifecycle-labels
fix/issue-627-set-issue-labels-pagination
feat/issue-601-first-class-leases
feat/issue-612-incident-bridge
feat/issue-600-controller-allocator-api
fix/issue-620-head-scoped-review-locks
feat/issue-613-allocator-db-substrate
docs/mcp-stable-control-runtime-policy
feat/issue-609-prepared-review-verdict-resume
feat/issue-610-live-remote-parity
feat/issue-503-reviewer-active-worktree
feat/issue-470-preflight-contract
feat/issue-440-lock-recovery
feat/issue-440-branch-recovery
feat/issue-458-queue-fail-closed-copy
feat/issue-400-early-duplicate-work-gate
feat/issue-308-reconcile-inventory-pagination
feat/issue-308-reconcile-pagination-proof
docs/issue-261-agent-temp-artifact-cleanup
feat/issue-262-map-commit-files
fix/infra-stop-conflict-marker-false-positive
feat/issue-139-role-aware-task-routing
feat/issue-188-continuation-selection-wall
feat/issue-189-continuation-mode-proofs
feat/issue-232-refresh-wiki-proof-heads
feat/issue-210-block-workspace-edits
feat/issue-204-exact-issue-lock
docs/issue-80-label-taxonomy
docs/issue-79-safety-boundary-updates
v1.1.0
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
No labels
bug
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#191
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Problem:
The creation of Gitea-Tools issue #188/189 was a strong issue-filing run. It correctly performed a duplicate check, explained why a new issue was needed instead of expanding #183, avoided premature
status:in-progress, and created only one issue.However, a few issue-filing/reporting details should be made mandatory so future runs are consistently A-level.
Required behavior:
Every issue-filing task must include a
Controller Handoffsection.Required fields:
Issue-filing reports must include the exact issue number and title.
Example:
Implement fail-closed continuation mode for issues already represented by open PRsWhen old/new commit references are used as evidence, reports must include full 40-character SHAs, not abbreviated SHAs.
Example requirement:
<40-char SHA><40-char SHA>Every mutation must have exact capability proof.
Examples:
create_issuecomment_issuecomment_prIf only one mutation is performed, the report should explicitly say:
Only mutation: issue creationOnly mutations: issue creation + commentDuplicate-check evidence must be summarized:
Tests / harness assertions:
Controller Handoffis downgradedAcceptance criteria:
An issue-filing run earns an A only when it proves duplicate-search decision quality, exact mutation capability, full evidence identifiers, no unintended mutations, and includes a compact Controller Handoff.
Positive Author-Run Reporting Example
Evidence:
Claude implemented Gitea-Tools issue #179 and opened PR #193 as
jcwalker3 / prgs-author.Positive behavior observed:
Controller Handoff.feat/issue-179-reviewer-proof-tightening4a83a8e215342c7c18c9f2b117515e1b4a5a310f601c60872 passed712 passed, 6 skipped in 8.41sgit diff --check prgs/master...HEAD: cleanpython3 -m py_compile $(git ls-files '*.py'): OKgit diff --cached | grep -inE "password|api[_-]?key|authorization|bearer|BEGIN (RSA|EC|OPENSSH)|https?://"comment_issuepush_branchcreate_prmark_issueand used comment claim instead.Remaining improvement notes:
Use this run as a positive baseline for author-side final reports under #191.
Evidence: Grok author run (issue #150 → PR #190) — author-side reporting gaps
A Grok author run selected Gitea-Tools issue #150, created branch
feat/issue-150-add-integration-discoverability-coverage, and opened PR #190. The run was safe: it usedjcwalker3 / prgs-author, checked both configured repos, inventoried open PRs before issue selection, selected one issue, did not review/approve/request changes/merge, and stopped after opening the PR.Observed workflow gaps (extending this issue's required behaviors from issue-filing runs to author implementation runs):
Missing Controller Handoff. The final report did not include a compact
Controller Handoffblock (this issue's requirement 1).Unproven label mutation — internal contradiction. The report says
mark_issueresolved unknown and therefore a comment claim was used, but later saysstatus:in-progresswas set viagitea_set_issue_labels. If a label mutation is performed, the workflow must prove exact capability for label mutation;comment_issuecapability is not enough (this issue's requirement 4 / label-specific assertion). Ifmark_issueis unknown, the workflow must not use label mutation unlessgitea_set_issue_labelsor an equivalent capability is explicitly resolved.Missing PR head SHA. The report gives the branch name but not the final head commit SHA for PR #190 (this issue's requirement 3: full 40-char identifiers).
Incomplete validation counts. Targeted result was exact (
23 passed), but the broader "full relevant" suite was reported only asexit 0— no pass/skip/fail counts. Every claimed suite needs exact counts.Ambiguous sweep result. Sweep command was
git diff | grep -iE 'token|secret|password|key|credential|http' || echo "SWEEP_CLEAN", and the report acknowledges matches (expectedhttp://andkeychain:test strings) that were manually judged benign — yet called the sweep "clean". Sweeps must distinguish: no matches / matches reviewed and benign (enumerated or allowlisted) / unreviewed matches / real findings.Additional tests/harness assertions this evidence motivates:
exit 0is downgradedAcceptance criterion (author-run analogue of this issue's): an author issue run earns an "A" only when it proves exact capability for every mutation (including label changes), includes PR number + branch + exact head SHA, reports exact validation counts for every claimed suite, reports secret/provenance sweep results with the four-way match taxonomy, and ends with a Controller Handoff.
Cross-references: #183 (author-run reporting hardening — its gaps 1/4/5 overlap the handoff/sweep/head-SHA items here; the label-mutation capability contradiction and the sweep match-taxonomy are new evidence beyond #183);
review_proofs.assess_sweep_evidence(merged via PR #193's branch, pending review) already requires exact method+scope and could be extended with the benign-match enumeration taxonomy when this issue is implemented. The unresolvedmark_issueresolver gap itself remains tracked in #183.Positive Author-Run Reporting Example (Codex)
Evidence:
Codex was explicitly forced into author/implementer mode and successfully avoided PR review behavior.
Positive behavior observed:
jcwalker3 / prgs-author.Scaled-Tech-Consulting/Gitea-ToolsScaled-Tech-Consulting/mcp-control-planeAdd role-boundary proofs for reviewer queue workflows (Issue #175)feat/issue-175-role-pivot-wall574a9ea7c109d04de170b7004d2b8f2b9e2f30cfpython3 -m py_compile review_proofs.py tests/test_review_proofs.py: passedpython3 -m py_compile $(git ls-files '*.py'): passedpytest tests/test_review_proofs.py:49 passedpytest tests/test_review_proofs.py tests/test_pr_queue_inventory.py:65 passed689 passed, 6 skippedgit diff --check prgs/master...HEAD: passedgit diff prgs/master...HEAD | grep -iE 'token|secret|password|key|credential|http|Authorization:|Bearer |BEGIN (RSA|OPENSSH|PRIVATE) KEY' || trueRemaining A-level improvements:
::git-create-branchunless they are part of a formal trace.Use this as a positive example that the author-only prompt can prevent Codex from drifting into PR review work.
Claimed and implemented on
feat/issue-191-issue-filing-reports.Approach:
assess_issue_filing_final_reportcomposes handoff, issue reference, SHA evidence, mutation capability/scope, and duplicate-search summary checks. Issue-filing handoff role fields added toassess_controller_handoff.Tests: 5 unit tests covering A-grade report, missing handoff, abbreviated SHA, missing capability proof, and label-specific proof. All pass.
PR opened for review.