incident: bare direct-to-master commit 2fa97c26 landed with no PR #670

Open
opened 2026-07-10 16:17:06 -05:00 by jcwalker3 · 3 comments
Owner

During the PR #654 post-merge audit, reconciler confirmed that PR #654 itself merged cleanly via Gitea API and did not introduce unauthorized code. However, the audit found a separate pre-existing direct-to-master commit:

  • Commit: 2fa97c26
  • Full SHA: 2fa97c26fbda555a1a83930ca5fdcea9d8e47b50
  • Subject: fix(mcp): load dotenv relative to project root
  • File touched: gitea_auth.py
  • Change size: +3/-2
  • Position: single-parent commit off prior master after #629 merge 5ab5fe8
  • Relationship to PR #654: pre-existing first parent of PR #654 merge; not caused by PR #654
  • PR wrapper: none found
  • Review record: none found
  • Landing path: bare direct-to-master commit

Context

PR #654 merge audit determined:

  • PR #654 merge commit ec903b0d619e7a27d24aed272a890f4e5d381411 was a valid Gitea-API merge.
  • Direct git push prgs master during the #654 merger run was a no-op and did not change remote master.
  • Net change from 2fa97c2..ec903b0 contained only the reviewed #603 lifecycle-label files.
  • The real unauthorized-path concern is the earlier direct-to-master commit 2fa97c26.

Problem

Stable branch commits must land through sanctioned issue → branch → PR → review → merge workflow. A direct single-parent commit on prgs/master bypasses review, issue linkage, PR audit, merge authorization, and allocator visibility.

Impact

  • Breaks durable provenance for the dotenv fix.
  • Makes future audits harder because the commit is present on master without a PR.
  • Sets an unsafe precedent for direct stable-branch mutation.
  • May hide workflow/tooling gaps that allowed direct push or local master publication.

Recommended disposition

Do not revert immediately. The dotenv fix appears intentional and may be required for runtime behavior. Instead, controller should decide one of:

  1. Accept as-is with retroactive documentation and audit comment.
  2. Create a retroactive documentation PR or issue comment linking the commit to this incident.
  3. Add guardrails/tests to prevent future direct pushes to master.
  4. If later found unsafe, create a separate revert/repair issue.

Acceptance criteria

  1. Confirm 2fa97c26 is present on prgs/master.
  2. Confirm no PR or review record exists for 2fa97c26.
  3. Confirm changed file(s) and diff summary.
  4. Document why no immediate revert is recommended, or create a revert issue if controller decides otherwise.
  5. Add or link a workflow-hardening issue that prevents direct pushes to stable branches from MCP workflow sessions.
  6. Leave a durable audit trail explaining that PR #654 was not the source of this commit.

Local audit proof (controller session)

  • prgs/master at create time: ec903b0d619e7a27d24aed272a890f4e5d381411
  • 2fa97c26 is ancestor of prgs/master: yes
  • Parents of 2fa97c26: single parent 5ab5fe8583c07134d55dadf09381aecb67df246e (#629 merge)
  • Diff: gitea_auth.py | 5 +++--
  • No open/closed issue title/body match found for 2fa97c26, bare direct-to-master, or this dotenv landing-path incident among recent issues (duplicate-check at create).

Explicit non-actions

  • No revert of 2fa97c26
  • No force-push / history rewrite
  • No master mutation from this issue-create session
During the PR #654 post-merge audit, reconciler confirmed that PR #654 itself merged cleanly via Gitea API and did not introduce unauthorized code. However, the audit found a separate pre-existing direct-to-master commit: * Commit: `2fa97c26` * Full SHA: `2fa97c26fbda555a1a83930ca5fdcea9d8e47b50` * Subject: `fix(mcp): load dotenv relative to project root` * File touched: `gitea_auth.py` * Change size: `+3/-2` * Position: single-parent commit off prior master after #629 merge `5ab5fe8` * Relationship to PR #654: pre-existing first parent of PR #654 merge; not caused by PR #654 * PR wrapper: none found * Review record: none found * Landing path: bare direct-to-master commit ## Context PR #654 merge audit determined: * PR #654 merge commit `ec903b0d619e7a27d24aed272a890f4e5d381411` was a valid Gitea-API merge. * Direct `git push prgs master` during the #654 merger run was a no-op and did not change remote master. * Net change from `2fa97c2..ec903b0` contained only the reviewed #603 lifecycle-label files. * The real unauthorized-path concern is the earlier direct-to-master commit `2fa97c26`. ## Problem Stable branch commits must land through sanctioned issue → branch → PR → review → merge workflow. A direct single-parent commit on `prgs/master` bypasses review, issue linkage, PR audit, merge authorization, and allocator visibility. ## Impact * Breaks durable provenance for the dotenv fix. * Makes future audits harder because the commit is present on master without a PR. * Sets an unsafe precedent for direct stable-branch mutation. * May hide workflow/tooling gaps that allowed direct push or local master publication. ## Recommended disposition Do not revert immediately. The dotenv fix appears intentional and may be required for runtime behavior. Instead, controller should decide one of: 1. Accept as-is with retroactive documentation and audit comment. 2. Create a retroactive documentation PR or issue comment linking the commit to this incident. 3. Add guardrails/tests to prevent future direct pushes to `master`. 4. If later found unsafe, create a separate revert/repair issue. ## Acceptance criteria 1. Confirm `2fa97c26` is present on `prgs/master`. 2. Confirm no PR or review record exists for `2fa97c26`. 3. Confirm changed file(s) and diff summary. 4. Document why no immediate revert is recommended, or create a revert issue if controller decides otherwise. 5. Add or link a workflow-hardening issue that prevents direct pushes to stable branches from MCP workflow sessions. 6. Leave a durable audit trail explaining that PR #654 was not the source of this commit. ## Local audit proof (controller session) * `prgs/master` at create time: `ec903b0d619e7a27d24aed272a890f4e5d381411` * `2fa97c26` is ancestor of `prgs/master`: yes * Parents of `2fa97c26`: single parent `5ab5fe8583c07134d55dadf09381aecb67df246e` (#629 merge) * Diff: `gitea_auth.py | 5 +++--` * No open/closed issue title/body match found for `2fa97c26`, `bare direct-to-master`, or this dotenv landing-path incident among recent issues (duplicate-check at create). ## Explicit non-actions * No revert of `2fa97c26` * No force-push / history rewrite * No master mutation from this issue-create session
Author
Owner

Canonical Issue State

STATE:
ready-for-controller

WHO_IS_NEXT:
controller

NEXT_ACTION:
Disposition of commit 2fa97c26 remains controller decision; preventive hardening is tracked in #671

NEXT_PROMPT:

CONTROLLER prgs Scaled-Tech-Consulting/Gitea-Tools: Incident #670 (bare direct-to-master 2fa97c26).
Preventive workflow-hardening issue created: #671 Block direct pushes to stable branches from MCP workflow sessions.
#671 covers detection of git push to master, root-checkout local commits, session contamination, and fail-closed review/merge/close after contamination.
Decide disposition of 2fa97c26 (accept/document vs later revert issue). Do not force-push history from worker sessions.
Author implements #671 separately with issue lease.

WHAT_HAPPENED:
Created linked hardening issue #671 to satisfy #670 AC5 (prevent future direct stable-branch pushes from MCP sessions).

WHY:
Separate incident disposition from product guardrail implementation.

RELATED_ISSUES:
#671 (hardening) · #630 (related contamination class) · PR #654 audit context

RELATED_PRS:
none this session

BLOCKERS:
none for issue create

VALIDATION:
#671 is not a duplicate of #670 (incident vs guardrail)

LAST_UPDATED_BY:
jcwalker3 / prgs-author / author / 2026-07-10

## Canonical Issue State STATE: ready-for-controller WHO_IS_NEXT: controller NEXT_ACTION: Disposition of commit 2fa97c26 remains controller decision; preventive hardening is tracked in #671 NEXT_PROMPT: ```text CONTROLLER prgs Scaled-Tech-Consulting/Gitea-Tools: Incident #670 (bare direct-to-master 2fa97c26). Preventive workflow-hardening issue created: #671 Block direct pushes to stable branches from MCP workflow sessions. #671 covers detection of git push to master, root-checkout local commits, session contamination, and fail-closed review/merge/close after contamination. Decide disposition of 2fa97c26 (accept/document vs later revert issue). Do not force-push history from worker sessions. Author implements #671 separately with issue lease. ``` WHAT_HAPPENED: Created linked hardening issue #671 to satisfy #670 AC5 (prevent future direct stable-branch pushes from MCP sessions). WHY: Separate incident disposition from product guardrail implementation. RELATED_ISSUES: #671 (hardening) · #630 (related contamination class) · PR #654 audit context RELATED_PRS: none this session BLOCKERS: none for issue create VALIDATION: #671 is not a duplicate of #670 (incident vs guardrail) LAST_UPDATED_BY: jcwalker3 / prgs-author / author / 2026-07-10
Author
Owner

Canonical Issue State

STATE:
controller-disposed-accept-as-is

WHO_IS_NEXT:
author

NEXT_ACTION:
Claim and implement #671 through the normal issue → branches/ worktree → PR → independent review → merge workflow.

NEXT_PROMPT:

AUTHOR prgs Scaled-Tech-Consulting/Gitea-Tools: claim and implement #671, Block direct pushes to stable branches from MCP workflow sessions. Preserve #670 as the incident evidence and do not revert or rewrite commit 2fa97c26.

WHAT_HAPPENED:
Controller disposition accepts commit 2fa97c26fbda555a1a83930ca5fdcea9d8e47b50 as-is on master. No immediate revert, force-push, history rewrite, or retroactive claim of review authorization is approved. The direct-to-master landing remains a valid documented workflow violation. Preventive hardening is linked at #671, whose body records the 2fa97c26 evidence and prevention requirements.

WHY:
The commit is a small, intentional dotenv path-resolution fix limited to gitea_auth.py (+3/-2), is already incorporated into current master, and has no current evidence of functional harm. Reverting stable-branch history would add risk without a demonstrated corrective benefit. Accepting the code does not waive the missing PR/review provenance or the requirement to prevent recurrence.

RELATED_PRS:
No PR or formal review record exists for 2fa97c26; PR #654 is audit context only and was not the source of this commit.

RELATED_ISSUES:
#671 — Block direct pushes to stable branches from MCP workflow sessions.

BLOCKERS:
None for recording this disposition. Prevention remains pending implementation in #671.

VALIDATION:
Live Issue #670 and #671 state inspected. #671 is open and explicitly links #670 and 2fa97c26. Author identity and comment_issue capability were verified immediately before this comment with fresh runtime parity at bee24e2b102dbdc201932d2e5397a7d9e3be5fc5.

LAST_UPDATED_BY:
jcwalker3 / prgs-author / controller-author / 2026-07-11

## Canonical Issue State STATE: controller-disposed-accept-as-is WHO_IS_NEXT: author NEXT_ACTION: Claim and implement #671 through the normal issue → branches/ worktree → PR → independent review → merge workflow. NEXT_PROMPT: ```text AUTHOR prgs Scaled-Tech-Consulting/Gitea-Tools: claim and implement #671, Block direct pushes to stable branches from MCP workflow sessions. Preserve #670 as the incident evidence and do not revert or rewrite commit 2fa97c26. ``` WHAT_HAPPENED: Controller disposition accepts commit `2fa97c26fbda555a1a83930ca5fdcea9d8e47b50` as-is on `master`. No immediate revert, force-push, history rewrite, or retroactive claim of review authorization is approved. The direct-to-master landing remains a valid documented workflow violation. Preventive hardening is linked at #671, whose body records the `2fa97c26` evidence and prevention requirements. WHY: The commit is a small, intentional dotenv path-resolution fix limited to `gitea_auth.py` (`+3/-2`), is already incorporated into current `master`, and has no current evidence of functional harm. Reverting stable-branch history would add risk without a demonstrated corrective benefit. Accepting the code does not waive the missing PR/review provenance or the requirement to prevent recurrence. RELATED_PRS: No PR or formal review record exists for `2fa97c26`; PR #654 is audit context only and was not the source of this commit. RELATED_ISSUES: #671 — Block direct pushes to stable branches from MCP workflow sessions. BLOCKERS: None for recording this disposition. Prevention remains pending implementation in #671. VALIDATION: Live Issue #670 and #671 state inspected. #671 is open and explicitly links #670 and `2fa97c26`. Author identity and `comment_issue` capability were verified immediately before this comment with fresh runtime parity at `bee24e2b102dbdc201932d2e5397a7d9e3be5fc5`. LAST_UPDATED_BY: jcwalker3 / prgs-author / controller-author / 2026-07-11
Author
Owner

Controller disposition

Disposition: accept 2fa97c26 as-is with durable audit; no immediate revert recommended.

Rationale:

  • 2fa97c26 is already present on prgs/master.
  • The commit is limited to the dotenv loading fix in gitea_auth.py.
  • No current evidence shows functional harm from the commit.
  • A revert is not recommended at this time because it may break the intended runtime behavior.
  • The workflow violation remains valid: this was a bare direct-to-master commit with no PR/review wrapper.

Linked prevention work:

  • Direct stable-branch push prevention is tracked by Issue #671: Block direct pushes to stable branches from MCP workflow sessions.
  • #671 is the durable prevention path for blocking or detecting future git push <remote> master / protected-branch push attempts from MCP workflow sessions.

Decision:

  • Leave 2fa97c26 on master.
  • Do not rewrite history.
  • Do not force-push.
  • Do not revert unless new live evidence shows the dotenv fix is unsafe.
  • Keep #670 as the incident/audit record.
  • Continue prevention work through #671.

Canonical handoff

  • Current status: disposition recorded; incident remains documented.
  • Next actor: controller/author for #671, when allocator assigns it.
  • Next action: implement or review the direct-push prevention hardening in #671.
  • Blockers: none for #670 disposition after this comment.
  • Safety statement: no revert, force-push, history rewrite, master mutation, branch mutation, PR mutation, or file mutation is authorized by this disposition.

Canonical Issue State

STATE: disposition-recorded
WHO_IS_NEXT: author
NEXT_ACTION: Implement/review the direct stable-branch push prevention hardening tracked by #671; keep #670 as the durable incident/audit record.
NEXT_PROMPT:

Author: implement Issue #671 (Block direct pushes to stable branches from MCP workflow sessions) under a branches/ worktree. Link #670 as the incident evidence, satisfy #670 AC5, open a PR, stop for reviewer. No self-merge. Do not revert, force-push, or rewrite history for 2fa97c26.

WHAT_HAPPENED: Controller reviewed the #670 incident (bare direct-to-master commit 2fa97c26, dotenv fix in gitea_auth.py, no PR/review wrapper) and accepted the commit as-is with durable audit. No revert recommended.
WHY: The dotenv fix is intentional and may be required for runtime behavior; no evidence of functional harm exists, and a revert risks breaking intended runtime behavior. The workflow violation is still recorded and prevention is delegated to #671.
RELATED_PRS: none (no PR wrapper exists for 2fa97c26; prevention hardening tracked by Issue #671).
BLOCKERS: none for the #670 disposition.
VALIDATION: Confirmed 2fa97c26 present on prgs/master (#670 body: ancestor of ec903b0d, single parent 5ab5fe8, diff gitea_auth.py); confirmed no PR/review record; confirmed hardening Issue #671 exists and already cites #670 / 2fa97c26 (no duplicate created).
LAST_UPDATED_BY: jcwalker3 (prgs-author, controller)

[THREAD STATE LEDGER]

What is true now: 2fa97c26 is present on prgs/master (dotenv fix in gitea_auth.py, single-parent bare direct-to-master commit, no PR/review wrapper). Issue #670 remains open as the incident/audit record. Hardening Issue #671 is open and already cites #670 / 2fa97c26.
What changed: Controller disposition recorded — accept 2fa97c26 as-is with durable audit; no immediate revert.
What is blocked: Nothing is blocked on the #670 disposition. Prevention work continues under #671.
Who/what acts next: author — implement/review #671 when the allocator assigns it.
Server-side decision state: #670 open (incident/audit record retained); no server-side PR or merge state exists for 2fa97c26 (no PR wrapper).
Local verdict/state: disposition-recorded — accept-as-is, no revert.
Required action: Implement/review the direct stable-branch push prevention hardening in #671; keep #670 as the durable incident/audit record.
Blocker classification: no blocker
Do not do: No revert of 2fa97c26, no force-push, no history rewrite, no master/branch/PR/file mutation is authorized by this disposition; do not create a duplicate hardening issue (prevention is #671).
LAST_UPDATED_BY: jcwalker3 (prgs-author, controller)

## Controller disposition Disposition: **accept `2fa97c26` as-is with durable audit; no immediate revert recommended.** Rationale: * `2fa97c26` is already present on `prgs/master`. * The commit is limited to the dotenv loading fix in `gitea_auth.py`. * No current evidence shows functional harm from the commit. * A revert is not recommended at this time because it may break the intended runtime behavior. * The workflow violation remains valid: this was a bare direct-to-master commit with no PR/review wrapper. Linked prevention work: * Direct stable-branch push prevention is tracked by Issue #671: **Block direct pushes to stable branches from MCP workflow sessions**. * #671 is the durable prevention path for blocking or detecting future `git push <remote> master` / protected-branch push attempts from MCP workflow sessions. Decision: * Leave `2fa97c26` on master. * Do not rewrite history. * Do not force-push. * Do not revert unless new live evidence shows the dotenv fix is unsafe. * Keep #670 as the incident/audit record. * Continue prevention work through #671. ### Canonical handoff * Current status: disposition recorded; incident remains documented. * Next actor: controller/author for #671, when allocator assigns it. * Next action: implement or review the direct-push prevention hardening in #671. * Blockers: none for #670 disposition after this comment. * Safety statement: no revert, force-push, history rewrite, master mutation, branch mutation, PR mutation, or file mutation is authorized by this disposition. ## Canonical Issue State STATE: disposition-recorded WHO_IS_NEXT: author NEXT_ACTION: Implement/review the direct stable-branch push prevention hardening tracked by #671; keep #670 as the durable incident/audit record. NEXT_PROMPT: ```text Author: implement Issue #671 (Block direct pushes to stable branches from MCP workflow sessions) under a branches/ worktree. Link #670 as the incident evidence, satisfy #670 AC5, open a PR, stop for reviewer. No self-merge. Do not revert, force-push, or rewrite history for 2fa97c26. ``` WHAT_HAPPENED: Controller reviewed the #670 incident (bare direct-to-master commit `2fa97c26`, dotenv fix in `gitea_auth.py`, no PR/review wrapper) and accepted the commit as-is with durable audit. No revert recommended. WHY: The dotenv fix is intentional and may be required for runtime behavior; no evidence of functional harm exists, and a revert risks breaking intended runtime behavior. The workflow violation is still recorded and prevention is delegated to #671. RELATED_PRS: none (no PR wrapper exists for `2fa97c26`; prevention hardening tracked by Issue #671). BLOCKERS: none for the #670 disposition. VALIDATION: Confirmed `2fa97c26` present on `prgs/master` (#670 body: ancestor of `ec903b0d`, single parent `5ab5fe8`, diff `gitea_auth.py`); confirmed no PR/review record; confirmed hardening Issue #671 exists and already cites #670 / `2fa97c26` (no duplicate created). LAST_UPDATED_BY: jcwalker3 (prgs-author, controller) [THREAD STATE LEDGER] What is true now: `2fa97c26` is present on `prgs/master` (dotenv fix in `gitea_auth.py`, single-parent bare direct-to-master commit, no PR/review wrapper). Issue #670 remains open as the incident/audit record. Hardening Issue #671 is open and already cites #670 / `2fa97c26`. What changed: Controller disposition recorded — accept `2fa97c26` as-is with durable audit; no immediate revert. What is blocked: Nothing is blocked on the #670 disposition. Prevention work continues under #671. Who/what acts next: author — implement/review #671 when the allocator assigns it. Server-side decision state: #670 open (incident/audit record retained); no server-side PR or merge state exists for `2fa97c26` (no PR wrapper). Local verdict/state: disposition-recorded — accept-as-is, no revert. Required action: Implement/review the direct stable-branch push prevention hardening in #671; keep #670 as the durable incident/audit record. Blocker classification: no blocker Do not do: No revert of `2fa97c26`, no force-push, no history rewrite, no master/branch/PR/file mutation is authorized by this disposition; do not create a duplicate hardening issue (prevention is #671). LAST_UPDATED_BY: jcwalker3 (prgs-author, controller)
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#670