Workflow-load gate must establish reviewer session mode boundaries and classify pre-review commands #403

Closed
opened 2026-07-07 09:41:10 -05:00 by jcwalker3 · 1 comment
Owner

Evidence

The PR #374 review run read the canonical workflow file and router skill, but the session also performed broad local inspection and environment testing before producing a canonical-looking final review report. Reading workflows/review-merge-pr.md as a file left no session state and constrained nothing: the run demonstrates that "I read the workflow file" is narrative, not enforcement.

#389 / PR #392 add the mutation-time load gate (gitea_load_review_workflow records path/hash/schema in session state; gitea_submit_pr_review, gitea_mark_final_review_decision, gitea_merge_pr fail closed without proof). This issue covers what that gate does not yet do: the load event should also establish the session's mode boundaries, and the final report should carry the helper result rather than narrative citations.

Required behavior

  1. gitea_load_review_workflow (or a companion assessment) must, at load time, establish reviewer mode boundaries for the session:
    • no validation in the main checkout
    • no local config/profile/credential file inspection
    • no MCP repair or config exploration inside the review session
    • no unclassified pre-review commands — commands executed before the load call must be classified (read-only inventory / diagnostic / boundary violation), and a violation classification blocks downstream reviewer mutations
  2. Boundary state must live in the same session proof as the workflow hash, so a session cannot present a valid load proof while carrying unclassified or boundary-violating pre-review activity.
  3. Final reports must include the workflow-load helper result (path, hash, schema hash, boundary status) — narrative claims that files were viewed must not satisfy the validator.
  4. An explicit regression test must prove that local file viewing alone (no gitea_load_review_workflow call) fails both the mutation gate and the final-report validator.

Acceptance criteria

  • Load gate records boundary state alongside workflow/schema hashes in session proof.
  • A session with a boundary violation (main-checkout validation, config/profile inspection, MCP repair activity, or unclassified pre-review commands) cannot pass reviewer mutation gates even with a valid workflow hash.
  • Final-report validation requires the structured load-helper result; file-view narrative alone fails.
  • Tests cover: file-view-only session blocked; load-proof-plus-boundary-violation blocked; clean load-plus-boundaries passes; pre-load read-only inventory commands remain allowed (per #389 rule 4).
  • Runbook documents that the load call is the mode-boundary anchor: prompts are guidance, the MCP gate is the authority.

Scope relationships

  • #389 / PR #392 — mutation-time load gate this issue extends (do not duplicate its hash/session mechanics).
  • #398 — cwd/worktree proof for validation commands (report-layer; complementary to the session-layer boundary here).
  • #395 — proof-backed handoff claims (general claim-evidence rule; this issue adds the specific load-helper-result field).
  • #391 / PR #394 — final-report schema validator that should consume the load-helper result field.

Non-goals

  • No change to author/reviewer profile separation or capability mappings.
  • No replacement of #392's gate — extend its session state.
  • Read-only pre-load inventory (list/view PRs, whoami, capability resolve) stays allowed.
## Evidence The PR #374 review run read the canonical workflow file and router skill, but the session also performed broad local inspection and environment testing before producing a canonical-looking final review report. Reading `workflows/review-merge-pr.md` as a file left no session state and constrained nothing: the run demonstrates that "I read the workflow file" is narrative, not enforcement. #389 / PR #392 add the mutation-time load gate (`gitea_load_review_workflow` records path/hash/schema in session state; `gitea_submit_pr_review`, `gitea_mark_final_review_decision`, `gitea_merge_pr` fail closed without proof). This issue covers what that gate does **not** yet do: the load event should also establish the session's mode boundaries, and the final report should carry the helper result rather than narrative citations. ## Required behavior 1. `gitea_load_review_workflow` (or a companion assessment) must, at load time, establish reviewer mode boundaries for the session: * no validation in the main checkout * no local config/profile/credential file inspection * no MCP repair or config exploration inside the review session * no unclassified pre-review commands — commands executed before the load call must be classified (read-only inventory / diagnostic / boundary violation), and a violation classification blocks downstream reviewer mutations 2. Boundary state must live in the same session proof as the workflow hash, so a session cannot present a valid load proof while carrying unclassified or boundary-violating pre-review activity. 3. Final reports must include the workflow-load helper **result** (path, hash, schema hash, boundary status) — narrative claims that files were viewed must not satisfy the validator. 4. An explicit regression test must prove that local file viewing alone (no `gitea_load_review_workflow` call) fails both the mutation gate and the final-report validator. ## Acceptance criteria * Load gate records boundary state alongside workflow/schema hashes in session proof. * A session with a boundary violation (main-checkout validation, config/profile inspection, MCP repair activity, or unclassified pre-review commands) cannot pass reviewer mutation gates even with a valid workflow hash. * Final-report validation requires the structured load-helper result; file-view narrative alone fails. * Tests cover: file-view-only session blocked; load-proof-plus-boundary-violation blocked; clean load-plus-boundaries passes; pre-load read-only inventory commands remain allowed (per #389 rule 4). * Runbook documents that the load call is the mode-boundary anchor: prompts are guidance, the MCP gate is the authority. ## Scope relationships * #389 / PR #392 — mutation-time load gate this issue extends (do not duplicate its hash/session mechanics). * #398 — cwd/worktree proof for validation commands (report-layer; complementary to the session-layer boundary here). * #395 — proof-backed handoff claims (general claim-evidence rule; this issue adds the specific load-helper-result field). * #391 / PR #394 — final-report schema validator that should consume the load-helper result field. ## Non-goals * No change to author/reviewer profile separation or capability mappings. * No replacement of #392's gate — extend its session state. * Read-only pre-load inventory (list/view PRs, whoami, capability resolve) stays allowed.
jcwalker3 added the status:in-progress label 2026-07-07 10:51:18 -05:00
jcwalker3 removed the status:in-progress label 2026-07-07 10:52:35 -05:00
jcwalker3 added the status:in-progress label 2026-07-07 11:54:03 -05:00
Author
Owner

Issue claim heartbeat

<!-- gitea-issue-claim-heartbeat:v1 --> **Issue claim heartbeat** - kind: claim - issue: #403 - branch: feat/issue-403-workflow-load-boundaries - phase: claimed - profile: prgs-author - pr: none - blocker: none - next_action: create worktree and begin implementation
sysadmin removed the status:in-progress label 2026-07-08 10:42:51 -05:00
Sign in to join this conversation.
No labels
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#403