feat(guard): block direct stable-branch pushes from MCP workflow sessions (Closes #671) #677
Merged
sysadmin
merged 1 commits from 2026-07-11 20:05:45 -05:00
fix/issue-671-block-stable-branch-push into master
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
No labels
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#677
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Summary
Closes #671. Prevention hardening for the #670 incident (a bare direct-to-master commit
2fa97c26and a PR #654 mergergit push prgs masterattempt). Worker sessions must never publish stable branches directly; stable branches advance only through sanctioned Gitea merge tooling or an explicitly authorized reconciler path.This is the #670 AC5 hardening. It does not decide accept/revert of
2fa97c26(controller owns that on #670).What changed
New pure module
stable_branch_push_guard.py(mirrorsauthor_proofs/root_checkout_guard— no git/network/state calls):classify_push_command— detects shellgit push <remote> master/main/dev/develop/developmentvariants: refspecs (HEAD:master,+refs/heads/x:refs/heads/master),--force,--delete/:master, and--dry-run/-nno-op probes (a dry-run still proves intent and contaminates).assess_root_checkout_local_commit— detects control-checkout commits not carried by an issue feature branch (branches/worktrees exempt).redact_command— strips URL userinfo and token assignments before anything is logged/stored.build_contamination_record+assess_contamination_gate— durable marker shape and fail-closed gate (reconciler-exempt;comment_issue/lock_issuestay allowed so a contaminated worker can post its audit comment and hand off).Server wiring (
gitea_mcp_server.py,mcp_session_state.py):KIND_STABLE_BRANCH_CONTAMINATIONdurable session marker, keyed per profile identity._enforce_stable_branch_contamination_gatewired intoverify_preflight_purity, so review/merge/close/completion mutations fail closed while contaminated.gitea_record_stable_branch_push_attempt— classify a proposed push and mark on detection.gitea_audit_stable_branch_contamination— reconciler-only inspect/clear; a worker session can never self-clear.Docs —
skills/llm-project-workflow/SKILL.md: universal rule, a covered blocker class, and a dedicated "Stable Branch Push Protection" section documenting that worker sessions must never push stable branches directly.Non-goals honored
gitea_merge_pr/ Gitea API merge is not a push and is never blocked.git fetch/git pull --ff-onlyof master into the control checkout stays allowed.Validation
AC5 coverage: no-op dry-run push, real direct push, sanctioned Gitea merge, fetch-only, root-checkout local commit; plus feature-branch push allowed, gate block/reconciler-exempt, and redaction.
LLM Handoff Metadata
5933d87647repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #677
issue: #671
reviewer_identity: sysadmin
profile: prgs-reviewer
session_id: 4979-b6d4f1861a70
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/review-pr-677
phase: claimed
candidate_head:
5933d87647target_branch: master
target_branch_sha:
bee24e2b10last_activity: 2026-07-12T00:27:36Z
expires_at: 2026-07-12T02:27:36Z
blocker: none
Review verdict: APPROVE
PR #677 fully satisfies Issue #671 (block direct stable-branch pushes from MCP workflow sessions — #670 AC5 hardening). Reviewed at head
5933d87647656643a67a50331c4c7b06ea751dadin an isolated worktree; all validation green against currentprgs/masterbaseline (bee24e2).Scope
6 files, all additive (+1295 / -0). No unrelated changes.
git diff --checkclean.stable_branch_push_guard.py(new pure module),gitea_mcp_server.py,mcp_session_state.py,skills/llm-project-workflow/SKILL.md, and two test files.Acceptance criteria — all met
classify_push_commandcoversgit push <remote> master, refspecs (HEAD:master,+refs/heads/x:refs/heads/master),--force/--force-with-lease, delete (--delete,:master),--dry-run/-nno-op probes (dry-run stillproves_intent), and compound commands. Stable set =author_proofs.PROTECTED_BRANCHESso the two guards cannot drift.assess_root_checkout_local_commit;branches/worktrees exempt; control-checkout HEAD advanced pastprgs/masterflagged; missing state reportedunknown(positive-evidence only).KIND_STABLE_BRANCH_CONTAMINATION, keyed per profile identity; command summary redacted viaredact_command(URL userinfo,TOKEN=/PASSWORD=, bearer) — secrets never persist._enforce_stable_branch_contamination_gatewired intoverify_preflight_purity; gated set covers review/merge/close/submit/complete;comment_issue/lock_issuestay allowed for audit handoff; reconciler exempt.Non-goals honored
Sanctioned
gitea_merge_pr/ API merge not blocked (not a push);git fetch/pull --ff-onlyallowed; feature-branch pushes allowed — all asserted by tests. Reconciler-only clear enforced (role != "reconciler"→ refused; worker cannot self-clear).Canonical PR State
STATE: reviewed-approved
WHO_IS_NEXT: merger
NEXT_ACTION: Merger merges PR #677 via sanctioned Gitea path on explicit operator authorization, then closes #671.
NEXT_PROMPT:
WHAT_HAPPENED: Reviewer approved PR #677 at head
5933d87in isolated worktree branches/review-pr-677; full suite 2596 passed / 6 skipped; scope additive-only and matches #671.WHY: All six acceptance criteria (detection, root-checkout detection, contamination marker, fail-closed gate, tests, docs) are satisfied; redaction and reconciler-only clear verified; non-goals honored; no unrelated changes.
ISSUE: 671
HEAD_SHA:
5933d87647REVIEW_STATUS: APPROVED
MERGE_READY: yes (pending merger action + explicit operator authorization)
BLOCKERS: none
VALIDATION: git diff --check clean; test_stable_branch_push_guard.py 37 passed; test_stable_branch_contamination_server.py 14 passed; preflight/session/purity/contamination subset 60 passed; full suite 2596 passed / 6 skipped
LAST_UPDATED_BY: sysadmin (prgs-reviewer)
[THREAD STATE LEDGER]
adopted_at: 2026-07-12T00:36:39Z
adopted_by_identity: sysadmin
adopted_by_profile: prgs-merger
adopted_from_session_id: 4979-b6d4f1861a70
adopted_from_profile: prgs-reviewer
adopted_from_reviewer_identity: sysadmin
adopted_from_comment_id: 10407
adoption_reason: merger-handoff-approved-head
repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #677
issue: #671
reviewer_identity: sysadmin
profile: prgs-merger
session_id: 22311-a6609e26ac4e
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/review-pr-677
phase: adopted
candidate_head:
5933d87647target_branch: master
target_branch_sha:
bee24e2b10last_activity: 2026-07-12T00:36:39Z
expires_at: 2026-07-12T02:36:39Z
blocker: none
adopted_at: 2026-07-12T01:05:20Z
adopted_by_identity: sysadmin
adopted_by_profile: prgs-merger
adopted_from_session_id: 22311-a6609e26ac4e
adopted_from_profile: prgs-merger
adopted_from_reviewer_identity: sysadmin
adopted_from_comment_id: 10413
adoption_reason: merger-handoff-approved-head
repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #677
issue: #671
reviewer_identity: sysadmin
profile: prgs-merger
session_id: 46876-408426bdff6d
worktree: branches/review-pr-677
phase: adopted
candidate_head:
5933d87647target_branch: master
target_branch_sha:
bee24e2b10last_activity: 2026-07-12T01:05:20Z
expires_at: 2026-07-12T03:05:20Z
blocker: none