Prevent repository .env files from injecting MCP runtime workspace bindings #704
Open
opened 2026-07-13 14:53:25 -05:00 by jcwalker3
·
1 comment
No Branch/Tag Specified
master
fix/issue-709-decision-lock-cross-profile
fix/issue-695-native-transport-quarantine
fix/issue-698-report-validator-schema
fix/issue-702-stale-binding-lease-recovery
fix/issue-699-structured-auth-mcp-errors
fix/issue-695-native-quarantine-v2
fix/issue-693-review-decision-lock-recovery
fix/issue-691-obsolete-reviewer-lease-cleanup
feat/issue-687-reconciler-branch-delete
fix/issue-683-workflow-guard-hardening
chore/issue-681-preserve-review-session-wip
feat/issue-604-anti-stomp-preflight
feat/issue-606-sentry-observability
fix/issue-671-block-stable-branch-push
fix/issue-675-residual-preflight-remediation
fix/issue-673-remediate-regressions-part2
fix/issue-673-remediate-regressions
feat/issue-603-lifecycle-labels
fix/issue-627-set-issue-labels-pagination
feat/issue-601-first-class-leases
feat/issue-612-incident-bridge
feat/issue-600-controller-allocator-api
fix/issue-620-head-scoped-review-locks
feat/issue-613-allocator-db-substrate
docs/mcp-stable-control-runtime-policy
feat/issue-609-prepared-review-verdict-resume
feat/issue-610-live-remote-parity
feat/issue-503-reviewer-active-worktree
feat/issue-470-preflight-contract
feat/issue-440-lock-recovery
feat/issue-440-branch-recovery
feat/issue-458-queue-fail-closed-copy
feat/issue-400-early-duplicate-work-gate
feat/issue-308-reconcile-inventory-pagination
feat/issue-308-reconcile-pagination-proof
docs/issue-261-agent-temp-artifact-cleanup
feat/issue-262-map-commit-files
fix/infra-stop-conflict-marker-false-positive
feat/issue-139-role-aware-task-routing
feat/issue-188-continuation-selection-wall
feat/issue-189-continuation-mode-proofs
feat/issue-232-refresh-wiki-proof-heads
feat/issue-210-block-workspace-edits
feat/issue-204-exact-issue-lock
docs/issue-80-label-taxonomy
docs/issue-79-safety-boundary-updates
v1.1.0
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#704
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Observed reproduction:
Acceptance criteria:
CTH: Controller Decision — #704 vs #702/#703 scope & dependency (pre-review)
Status: dependency_decision_recorded; #704 is follow-up_hardening_not_merge_gate_for_703_or_701
Next owner: reviewer (PR #703 formal review), then author for #704 implementation
Current blocker: none for this decision
Decision: See explicit answers below (do not silently defer any #702 AC into #704).
Proof: Issue #702 body ACs; PR #703 body (AC2/AC3 recovery only); Issue #704 body ACs 1–11; comments 11191 (#702) and 11193 (#703).
Next action: Formal PR #703 review judges only #702 ACs; #704 remains separate preventative workstream; PR #701 review may resume after clean runtime + #702/#703 path, not after #704 merge.
Ready-to-paste prompt: see NEXT_PROMPT.
Explicit answers (authoritative for this thread)
1) Dotenv-injection behavior already inside #702 / PR #703 acceptance criteria
Inside #702 / PR #703 (must not be deferred to #704):
GITEA_ACTIVE_WORKTREEon auto-reconnect /gitea_resolve_task_capability, regardless of how the value enteredos.environ(parent IDE, prior session, or post-import dotenv injection that already became env state).provably_stale_missing_path,superseded_by_session_lease); demote missing-path env bindings inresolve_namespace_workspace(verify_paths=…); surfaceunverified_inheritedfor managed reconnect (no silent rewrite).Not inside #702 ACs (belongs to #704 only):
.env/load_dotenvfrom populating or overridingGITEA_ACTIVE_WORKTREEor role-specificGITEA_*_WORKTREEat import.gitea_authdoes not mutate workspace-binding state from repository files.”Rationale: #702’s written ACs are recovery + lease durability. Comments 11191/11193 document dotenv as the operational root-cause source and explicitly call load-path guard follow-up hardening, not a rewrite of #702’s acceptance surface.
2) Must PR #703 change to satisfy #702?
No — not solely because #704 exists, and not solely for dotenv load-path prevention.
3) Remaining hardening exclusive to #704
All of #704 AC1–AC10 preventative/source controls, especially:
.envcannot populate/override workspace-binding vars.4) Must #704 merge before PR #701 review can safely resume?
No.
review-pr-654/ staleGITEA_ACTIVE_WORKTREE)Operator must still avoid reintroducing
GITEA_ACTIVE_WORKTREEvia.envuntil #704 lands; that is hygiene + #704 work, not a hard merge gate on #701.Canonical Issue State
STATE:
dependency-decision-recorded; follow-up-hardening; does-not-block-pr-703; does-not-gate-pr-701-review-merge-order
WHO_IS_NEXT:
reviewer
NEXT_ACTION:
Formal leased review of PR #703 against #702 ACs only; implement #704 separately; do not expand #703 scope to dotenv load-path guard unless a #702 AC fails without it (it should not).
NEXT_PROMPT:
WHAT_HAPPENED:
Pre-review dependency analysis of #704 against #702 ACs, PR #703, and comments 11191/11193. Boundary recorded so #702 acceptance cannot be silently deferred into #704.
WHY:
#704 AC11 requires an explicit block-vs-follow-up statement; #702 ACs must remain enforceable on PR #703.
RELATED_PRS:
PR #703 (Closes #702); PR #701 (#699; resume gate is #702/#703 + clean runtime, not #704).
BLOCKERS:
none for this decision
VALIDATION:
LAST_UPDATED_BY:
controller dependency decision (jcwalker3 / prgs-author)