Web Console: Requests, intent preview, authorization, and workflow initiation (Phase 2) #643

Open
opened 2026-07-10 14:40:42 -05:00 by jcwalker3 · 0 comments
Owner

Problem statement

Operators need to submit requests (start author/reviewer/merger/controller work) with intent preview, authorization checks, and safe workflow initiation without pasting prompts or bypassing allocator/leases.

User and operational impact

Manual prompt paste and unsafe self-selection of work continue; concurrent collisions remain likely.

Scope

  • Request model: desired role, issue/PR, intent summary.
  • Preview: capability check, lease availability, next-safe-action, prohibited actions.
  • Initiate only via allocator/sanctioned tools; record assignment + audit.
  • UI form + API behind RBAC (#633); dry-run default.

Explicit non-goals

  • No direct browser Gitea merge/approve.
  • No bypass of allocator exclusive ownership (#600/#613).
  • No auto-start from raw monitoring incidents.

Required implementation investigation

allocator_service.py, #600, #613, #434 gated actions, #633, #640 traffic view, #628, #631.

Proposed architecture or implementation direction

POST /api/v1/requests/preview and .../apply with confirmation; server calls allocator; returns assignment handoff reference.

Security and workflow-safety requirements

RBAC; fail closed; audit; head pinning for PR work; no silent lease steal.

Acceptance criteria

  1. Preview shows authorize/deny with reasons.
  2. Apply creates exclusive assignment or returns wait/blocked.
  3. Duplicate assign rejected.
  4. Tests for preview/apply/deny/collision.
  5. UI never shows full secrets; brief user messaging.

Required tests

Allocator integration tests with fakes; gated action tests.

Observability and audit requirements

Audit every preview apply; correlation id to assignment.

Dependencies and linkage

Canonical issue state

STATE: ready-for-author
WHO_IS_NEXT: author
NEXT_ACTION: Implement request preview/initiate after auth+traffic
NEXT_PROMPT: Author request initiation gates; PR; stop

Required final evidence

PR with APIs, UI, tests, docs.

Required final response and handoff expectations

Brief PR → reviewer.

## Problem statement Operators need to submit **requests** (start author/reviewer/merger/controller work) with **intent preview**, authorization checks, and safe **workflow initiation** without pasting prompts or bypassing allocator/leases. ## User and operational impact Manual prompt paste and unsafe self-selection of work continue; concurrent collisions remain likely. ## Scope * Request model: desired role, issue/PR, intent summary. * Preview: capability check, lease availability, next-safe-action, prohibited actions. * Initiate only via allocator/sanctioned tools; record assignment + audit. * UI form + API behind RBAC (#633); dry-run default. ## Explicit non-goals * No direct browser Gitea merge/approve. * No bypass of allocator exclusive ownership (#600/#613). * No auto-start from raw monitoring incidents. ## Required implementation investigation `allocator_service.py`, #600, #613, #434 gated actions, #633, #640 traffic view, #628, #631. ## Proposed architecture or implementation direction `POST /api/v1/requests/preview` and `.../apply` with confirmation; server calls allocator; returns assignment handoff reference. ## Security and workflow-safety requirements RBAC; fail closed; audit; head pinning for PR work; no silent lease steal. ## Acceptance criteria 1. Preview shows authorize/deny with reasons. 2. Apply creates exclusive assignment or returns wait/blocked. 3. Duplicate assign rejected. 4. Tests for preview/apply/deny/collision. 5. UI never shows full secrets; brief user messaging. ## Required tests Allocator integration tests with fakes; gated action tests. ## Observability and audit requirements Audit every preview apply; correlation id to assignment. ## Dependencies and linkage * Parent: #631 · Depends: #633, #640 · Related: #600, #613, #628, #434 ## Canonical issue state ```text STATE: ready-for-author WHO_IS_NEXT: author NEXT_ACTION: Implement request preview/initiate after auth+traffic NEXT_PROMPT: Author request initiation gates; PR; stop ``` ## Required final evidence PR with APIs, UI, tests, docs. ## Required final response and handoff expectations Brief PR → reviewer.
jcwalker3 added the type:featurestatus:readyworkflow-hardeningdashboard labels 2026-07-10 14:40:43 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#643