Detect and reject manually launched duplicate MCP role servers as unsupported recovery #686
Open
opened 2026-07-12 18:25:02 -05:00 by jcwalker3
·
2 comments
No Branch/Tag Specified
master
fix/issue-709-decision-lock-cross-profile
fix/issue-695-native-transport-quarantine
fix/issue-698-report-validator-schema
fix/issue-702-stale-binding-lease-recovery
fix/issue-699-structured-auth-mcp-errors
fix/issue-695-native-quarantine-v2
fix/issue-693-review-decision-lock-recovery
fix/issue-691-obsolete-reviewer-lease-cleanup
feat/issue-687-reconciler-branch-delete
fix/issue-683-workflow-guard-hardening
chore/issue-681-preserve-review-session-wip
feat/issue-604-anti-stomp-preflight
feat/issue-606-sentry-observability
fix/issue-671-block-stable-branch-push
fix/issue-675-residual-preflight-remediation
fix/issue-673-remediate-regressions-part2
fix/issue-673-remediate-regressions
feat/issue-603-lifecycle-labels
fix/issue-627-set-issue-labels-pagination
feat/issue-601-first-class-leases
feat/issue-612-incident-bridge
feat/issue-600-controller-allocator-api
fix/issue-620-head-scoped-review-locks
feat/issue-613-allocator-db-substrate
docs/mcp-stable-control-runtime-policy
feat/issue-609-prepared-review-verdict-resume
feat/issue-610-live-remote-parity
feat/issue-503-reviewer-active-worktree
feat/issue-470-preflight-contract
feat/issue-440-lock-recovery
feat/issue-440-branch-recovery
feat/issue-458-queue-fail-closed-copy
feat/issue-400-early-duplicate-work-gate
feat/issue-308-reconcile-inventory-pagination
feat/issue-308-reconcile-pagination-proof
docs/issue-261-agent-temp-artifact-cleanup
feat/issue-262-map-commit-files
fix/infra-stop-conflict-marker-false-positive
feat/issue-139-role-aware-task-routing
feat/issue-188-continuation-selection-wall
feat/issue-189-continuation-mode-proofs
feat/issue-232-refresh-wiki-proof-heads
feat/issue-210-block-workspace-edits
feat/issue-204-exact-issue-lock
docs/issue-80-label-taxonomy
docs/issue-79-safety-boundary-updates
v1.1.0
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#686
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Problem
During the 2026-07-12 #584/#672 EOF incident, a diagnostic session manually launched a duplicate role server from a terminal:
Nothing in the toolchain detected or rejected this. There is currently no guard distinguishing a client-managed role server (spawned by the IDE/MCP client, bound to its stdio transport) from an ad hoc terminal launch.
Why this is dangerous
mcp_server.pyholds its own stdio; it can never bind to the IDE client's pipes. It cannot restore a dropped namespace, but a session may believe it did._check_mcp_runtimes_diagnosticskeeps only the newest process perGITEA_MCP_PROFILE(gitea_mcp_server.py:10986at22698c1). A freshly launched manual duplicate masks a stale client-managed runtime for that profile, defeating the stale-runtime gate.GITEA_DUMMYhas zero references in the codebase — it is silently ignored rather than refused, so ad hoc experimentation looks accepted.Evidence (2026-07-12)
mcp_server.pyprocesses across cohorts (hourly orphan pairs plus the live client-managed quads at 19:06:30/19:07:40); none still carriedGITEA_DUMMYin its environment — the manual process had already terminated (lifetime unknown; PID not captured before exit).gitea_whoami+gitea_get_runtime_contexton each).Required behavior
gitea_get_runtime_context, namespace-health tools) report provenance for the serving process and inventory duplicates per profile.GITEA_*that the server does not consume are reported, not silently ignored.running_profilesmasking above, coordinated with the resolver contract fix in #685).mcp_server.py/gitea_mcp_server.pylaunches,GITEA_DUMMY-style ad hoc overrides, andmcp_config.jsonhand-edits are classified as workflow contamination (same class as #630 manual kills).Acceptance criteria
GITEA_*env overrides are surfaced in diagnostics rather than silently ignored.Linkage
Canonical issue state
Canonical Issue State
STATE: BLOCKED — client-managed reviewer namespace unavailable; repeated unsupported manual server launch recorded; formal approval not submitted.
WHO_IS_NEXT: user
NEXT_ACTION: Operator restores IDE-managed
gitea-reviewervia client reconnect/reload only (not a reconciler task). After reconnect, start a new reviewer run from scratch for PR #684 exact headd302602. Product fix work on this issue remains: fail-closed duplicate-role-server / provenance / unsupported-env handling.NEXT_PROMPT:
WHAT_HAPPENED:
Exact duplicate-role-server / unsupported manual launch reproduction:
gitea_whoami; whether process remained orphaned not establishedgitea_whoamid302602)Trust: treat all runtime/identity/workflow/lease/capability/decision-marker/transport state from that process as untrusted. A later
whoamireturningprgs-reviewer/sysadminwithout process provenance is insufficient.Regression requirements (must fail closed)
gitea_whoami(client-managed vs manual; parent/manager; bind evidence).GITEA_DUMMYfrom being silently ignored — unknown/unsupported control env must fail closed or hard-error at startup.WHY: Manual role-server launch creates untrusted duplicate profile processes that can mask client-managed state and break formal review trust; unsupported env is currently silently ignored.
RELATED_PRS: PR #684 / #683 expected head
d302602; related #584, #672, #685.BLOCKERS: Unsupported manual
prgs-reviewerprocess launch + missing provenance in whoami; formal approval blocked. Unblock (review path) when: operator completes IDE reconnect of client-managedgitea-reviewerand a fresh reviewer run can prove client-managed provenance. Unblock (product path) when: regression requirements 1–6 above land with tests and fail-closed behavior.VALIDATION: #584 comment_id 10650; #672 comment_id 10656. Live PR #684 head
d302602567a1fb7842fe5486fa5a49509506ec8b;approval_visible=false. No formal review submitted. Localreview_recovery_report.mdnot used as canonical proof.LAST_UPDATED_BY: controller
Canonical Issue State
STATE:
open — acceptance criteria extended with per-client installer verification and explicit namespace inventory/provenance (post-#683 reconciliation)
WHO_IS_NEXT:
author
NEXT_ACTION:
Implement provenance + fail-closed rejection of manually launched duplicate role servers per existing ACs and the additional acceptance criteria below
NEXT_PROMPT:
WHAT_HAPPENED:
Post-merge reconciliation of PR #684 / #683 (fresh client-managed reconciler at master
56f1230a10a21b16226c792a5bcdc4398c97b09a) confirmed that namespace inventory differs across clients: one client exposed only author+reviewer; this client exposed a callable reconciler namespace. That gap is config/install inventory (#672 class) and must not be confused with the stale-runtime cohort (boot SHA lag after master advanced).#686 product work remains: detect/reject unsupported manual duplicate launches and require provenance. Adding installer verification per client and explicit inventory/provenance output closes the multi-client observation without merging #672 diagnostic scope into this issue.
WHY:
Without per-client installer verification and inventory/provenance, operators cannot tell “role never installed on this client” from “role present but stale/manual/duplicate.” Fail-closed product behavior needs both signals.
RELATED_PRS:
PR #684 merged (Closes #683); coordinate with #685; inventory sibling #672
BLOCKERS:
none for author start; review-path unblocks for PR #684 already completed via supported client-managed reviewer
VALIDATION:
LAST_UPDATED_BY:
sysadmin / prgs-reconciler / RECONCILER / 2026-07-12