Add role/session router so reviewer tasks cannot run inside author-bound Codex sessions #206

Closed
opened 2026-07-05 15:24:26 -05:00 by jcwalker3 · 1 comment
Owner

Problem

Codex/LLM agents are getting stuck in whichever MCP role they were launched with. When a reviewer task is given to an author-bound session, the agent cannot perform review mutations and either stops, drifts into author-side work, creates issues, or attempts unsafe profile/CLI fallback.

Observed failure

The agent authenticated as jcwalker3 / prgs-author, verified that create_issue and comment_issue were allowed, and created issue #201. But the operator concern was reviewer execution. This shows the agent was still operating in author mode instead of being routed into a reviewer-capable session.

Root cause

Role is process/session-bound in static-profile mode. A reviewer task requires a reviewer MCP namespace/session from the start, such as sysadmin / prgs-reviewer. It cannot be safely converted from an author session after launch.

Required wall

Reviewer tasks must be routed only to a reviewer-capable MCP namespace/session before any work begins.

Required behavior

  • If the task type is review, approve, request changes, merge, or blind PR queue review, the launcher/router must select a reviewer MCP profile before execution.
  • If the active profile is prgs-author, the agent must stop immediately and must not create issues, branches, commits, PRs, comments, or fallback work unless the operator explicitly changes the task to author work.
  • Static-profile sessions must not attempt in-place role switching.
  • CLI/profile environment fallback must be blocked.
  • The report must say: "Wrong role/session for reviewer task. Launch reviewer MCP namespace."

Acceptance criteria

  • Add a pre-task role router that classifies task type before tool use.
  • Add tests where a reviewer task starts under prgs-author; expected result: terminal stop with no issue creation or author mutation.
  • Add tests where a reviewer task starts under prgs-reviewer; expected result: reviewer inventory may proceed.
  • Add tests where an author task starts under prgs-reviewer; expected result: terminal stop or route to author session.
  • Add tests where Codex tries to handle reviewer failure by creating a process issue; expected result: blocked unless the task was explicitly changed to issue-authoring.
  • Add tests where static-profile mode attempts gitea_activate_profile; expected result: blocked, not CLI fallback.
  • Final handoff must include task_type, required_role, active_role, and route_result.

Suggested implementation

Create a role_session_router or pre_task_role_gate that runs before identity, inventory, issue creation, branch work, or review work. The gate should return one of:

  • allowed_current_session
  • wrong_role_stop
  • route_to_author_session
  • route_to_reviewer_session
  • ambiguous_task_stop

No downstream tool calls should run unless the route result is allowed_current_session.

Related

  • #139 — MCP-layer role/capability resolver and runtime context (partially shipped as gitea_resolve_task_capability / gitea_get_runtime_context); this issue adds the agent/session-side pre-task router that consumes those signals before any tool use.
  • #175 — reviewer→author role-pivot wall; #197 — hard-stop purity after reviewer capability denial; #199 — block CLI reviewer fallback after profile-switch failure. This router is the upstream gate those walls enforce downstream.
  • mcp-control-plane #77 (exact mutation capability walls).
### Problem Codex/LLM agents are getting stuck in whichever MCP role they were launched with. When a reviewer task is given to an author-bound session, the agent cannot perform review mutations and either stops, drifts into author-side work, creates issues, or attempts unsafe profile/CLI fallback. ### Observed failure The agent authenticated as `jcwalker3 / prgs-author`, verified that `create_issue` and `comment_issue` were allowed, and created issue #201. But the operator concern was reviewer execution. This shows the agent was still operating in author mode instead of being routed into a reviewer-capable session. ### Root cause Role is process/session-bound in static-profile mode. A reviewer task requires a reviewer MCP namespace/session from the start, such as `sysadmin / prgs-reviewer`. It cannot be safely converted from an author session after launch. ### Required wall Reviewer tasks must be routed only to a reviewer-capable MCP namespace/session before any work begins. ### Required behavior * If the task type is review, approve, request changes, merge, or blind PR queue review, the launcher/router must select a reviewer MCP profile before execution. * If the active profile is `prgs-author`, the agent must stop immediately and must not create issues, branches, commits, PRs, comments, or fallback work unless the operator explicitly changes the task to author work. * Static-profile sessions must not attempt in-place role switching. * CLI/profile environment fallback must be blocked. * The report must say: "Wrong role/session for reviewer task. Launch reviewer MCP namespace." ### Acceptance criteria * Add a pre-task role router that classifies task type before tool use. * Add tests where a reviewer task starts under `prgs-author`; expected result: terminal stop with no issue creation or author mutation. * Add tests where a reviewer task starts under `prgs-reviewer`; expected result: reviewer inventory may proceed. * Add tests where an author task starts under `prgs-reviewer`; expected result: terminal stop or route to author session. * Add tests where Codex tries to handle reviewer failure by creating a process issue; expected result: blocked unless the task was explicitly changed to issue-authoring. * Add tests where static-profile mode attempts `gitea_activate_profile`; expected result: blocked, not CLI fallback. * Final handoff must include `task_type`, `required_role`, `active_role`, and `route_result`. ### Suggested implementation Create a `role_session_router` or `pre_task_role_gate` that runs before identity, inventory, issue creation, branch work, or review work. The gate should return one of: * `allowed_current_session` * `wrong_role_stop` * `route_to_author_session` * `route_to_reviewer_session` * `ambiguous_task_stop` No downstream tool calls should run unless the route result is `allowed_current_session`. ### Related * #139 — MCP-layer role/capability resolver and runtime context (partially shipped as `gitea_resolve_task_capability` / `gitea_get_runtime_context`); this issue adds the agent/session-side pre-task router that consumes those signals before any tool use. * #175 — reviewer→author role-pivot wall; #197 — hard-stop purity after reviewer capability denial; #199 — block CLI reviewer fallback after profile-switch failure. This router is the upstream gate those walls enforce downstream. * mcp-control-plane #77 (exact mutation capability walls).
jcwalker3 added the status:in-progress label 2026-07-05 16:10:25 -05:00
Author
Owner

Additional observed failure:

A reviewer task for PR #203 was started under jcwalker3 / prgs-author. The agent correctly denied reviewer capability and made no mutations or CLI/profile fallback. However, after detecting the role wall, it continued with read-only review analysis:

  • verified PR head with ls-remote;
  • checked base ancestry;
  • inspected PR body linkage;
  • concluded blocker 5 was unresolved.

This is safer than mutation, but still violates terminal stop purity. A reviewer task under an author-bound session must stop before review analysis, even read-only analysis, unless the operator explicitly changes the task to an author-side audit.

Required behavior:

  • reviewer task + author profile = wrong_role_stop;
  • no PR blocker analysis;
  • no read-only head/base validation;
  • no ls-remote fact pinning;
  • no comments, reviews, merges, or issue mutations;
  • output only identity, denied capability, required reviewer namespace, and mutation confirmation.

Acceptance test:
Given task type review_pr, target PR #203, and active profile prgs-author, the workflow must stop before PR analysis and return wrong_role_stop.

Additional observed failure: A reviewer task for PR #203 was started under `jcwalker3 / prgs-author`. The agent correctly denied reviewer capability and made no mutations or CLI/profile fallback. However, after detecting the role wall, it continued with read-only review analysis: * verified PR head with `ls-remote`; * checked base ancestry; * inspected PR body linkage; * concluded blocker 5 was unresolved. This is safer than mutation, but still violates terminal stop purity. A reviewer task under an author-bound session must stop before review analysis, even read-only analysis, unless the operator explicitly changes the task to an author-side audit. Required behavior: * reviewer task + author profile = `wrong_role_stop`; * no PR blocker analysis; * no read-only head/base validation; * no `ls-remote` fact pinning; * no comments, reviews, merges, or issue mutations; * output only identity, denied capability, required reviewer namespace, and mutation confirmation. Acceptance test: Given task type `review_pr`, target PR #203, and active profile `prgs-author`, the workflow must stop before PR analysis and return `wrong_role_stop`.
sysadmin removed the status:in-progress label 2026-07-05 16:20:31 -05:00
Sign in to join this conversation.
No labels
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#206