Clarify and enforce reviewer-vs-merger role boundaries #483

Closed
opened 2026-07-08 00:50:49 -05:00 by jcwalker3 · 0 comments
Owner

Problem

Recent controller reports show Task: merge_pr being executed under the active profile prgs-reviewer. While the MCP capability gate allows this, the workflow language often specifies that review and merge should happen in separate sessions/profiles unless explicitly authorized. This ambiguity can allow reviewer sessions to perform merges when the intended controller policy requires a separate merger handoff.

Acceptance Criteria

  1. Define Canonical Role Policy: Clear boundaries for:
    • reviewer
    • merger
    • author
    • controller/reconciler
  2. Reviewer Merge Decision: Decide whether prgs-reviewer is allowed to merge.
  3. Explicit Reviewer-Merge Authorization: If reviewer profiles may merge, require explicit operator authorization in the prompt/report.
  4. Block Reviewer-Merge Capability: If reviewer profiles may not merge, block merge_pr capability for reviewer profiles.
  5. Merge Preflight Proof Fields: Add the following validation fields to merge preflight:
    • active profile
    • role kind
    • merge capability source
    • explicit operator authorization
  6. Update Report Templates: Ensure templates do not state Role: reviewer for a merge without explaining why the merge is allowed.
  7. Comprehensive Tests: Add tests proving:
    • reviewer-only profile cannot merge if policy forbids it.
    • merger profile can merge with expected_head_sha and confirmation.
    • merge reports include explicit role/capability proof.
  8. Update Menu/Runbook Prompts: Require separate merger handoff after approval unless the workflow explicitly allows same-session merge.
## Problem Recent controller reports show `Task: merge_pr` being executed under the active profile `prgs-reviewer`. While the MCP capability gate allows this, the workflow language often specifies that review and merge should happen in separate sessions/profiles unless explicitly authorized. This ambiguity can allow reviewer sessions to perform merges when the intended controller policy requires a separate merger handoff. ## Acceptance Criteria 1. **Define Canonical Role Policy:** Clear boundaries for: - `reviewer` - `merger` - `author` - `controller/reconciler` 2. **Reviewer Merge Decision:** Decide whether `prgs-reviewer` is allowed to merge. 3. **Explicit Reviewer-Merge Authorization:** If reviewer profiles may merge, require explicit operator authorization in the prompt/report. 4. **Block Reviewer-Merge Capability:** If reviewer profiles may not merge, block `merge_pr` capability for reviewer profiles. 5. **Merge Preflight Proof Fields:** Add the following validation fields to merge preflight: - `active profile` - `role kind` - `merge capability source` - `explicit operator authorization` 6. **Update Report Templates:** Ensure templates do not state `Role: reviewer` for a merge without explaining why the merge is allowed. 7. **Comprehensive Tests:** Add tests proving: - reviewer-only profile cannot merge if policy forbids it. - merger profile can merge with expected_head_sha and confirmation. - merge reports include explicit role/capability proof. 8. **Update Menu/Runbook Prompts:** Require separate merger handoff after approval unless the workflow explicitly allows same-session merge.
Sign in to join this conversation.
No labels
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#483