Prevent MCP session state from dirtying Git worktrees and provide sanctioned legacy-state recovery #716
Open
opened 2026-07-15 19:10:57 -05:00 by jcwalker3
·
1 comment
No Branch/Tag Specified
master
issue-718-fix-merger-lease
issue-723-role-poisoning
fix/issue-723-capability-role-invariants
fix/issue-702-stale-binding-lease-recovery
fix/issue-685-side-effect-free-resolver
fix/issue-720-expired-decision-lock
docs/mcp-stable-control-runtime-policy
feat/issue-687-reconciler-branch-delete
fix/issue-714-session-context-immutability
fix/issue-709-decision-lock-cross-profile
fix/issue-695-native-transport-quarantine
fix/issue-698-report-validator-schema
fix/issue-699-structured-auth-mcp-errors
fix/issue-695-native-quarantine-v2
fix/issue-693-review-decision-lock-recovery
fix/issue-691-obsolete-reviewer-lease-cleanup
fix/issue-683-workflow-guard-hardening
chore/issue-681-preserve-review-session-wip
feat/issue-604-anti-stomp-preflight
feat/issue-606-sentry-observability
fix/issue-671-block-stable-branch-push
fix/issue-675-residual-preflight-remediation
fix/issue-673-remediate-regressions-part2
fix/issue-673-remediate-regressions
feat/issue-603-lifecycle-labels
fix/issue-627-set-issue-labels-pagination
feat/issue-601-first-class-leases
feat/issue-612-incident-bridge
feat/issue-600-controller-allocator-api
fix/issue-620-head-scoped-review-locks
feat/issue-613-allocator-db-substrate
feat/issue-609-prepared-review-verdict-resume
feat/issue-610-live-remote-parity
feat/issue-503-reviewer-active-worktree
feat/issue-470-preflight-contract
feat/issue-440-lock-recovery
feat/issue-440-branch-recovery
feat/issue-458-queue-fail-closed-copy
feat/issue-400-early-duplicate-work-gate
feat/issue-308-reconcile-inventory-pagination
feat/issue-308-reconcile-pagination-proof
docs/issue-261-agent-temp-artifact-cleanup
feat/issue-262-map-commit-files
fix/infra-stop-conflict-marker-false-positive
feat/issue-139-role-aware-task-routing
feat/issue-188-continuation-selection-wall
feat/issue-189-continuation-mode-proofs
feat/issue-232-refresh-wiki-proof-heads
feat/issue-210-block-workspace-edits
feat/issue-204-exact-issue-lock
docs/issue-80-label-taxonomy
docs/issue-79-safety-boundary-updates
v1.1.0
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#716
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Problem
Gitea-Tools previously allowed
GITEA_MCP_SESSION_STATE_DIRto point inside a Git control checkout.A confirmed example is:
/Users/jasonwalker/Development/Gitea-Tools/.mcp_session_701/The directory contains historical
prgs-reviewerworkflow and review-decision state for PR #701/review 431. It remains untracked in the control checkout and causes the canonical author workflow’s clean-checkout preflight to fail.The live daemon no longer considers this directory authoritative because Issue #695 moved the active session-state authority to:
~/.cache/gitea-tools/session-stateAs a result, the directory is trapped between two safeguards:
Normal MCP operation has therefore created residue that makes Gitea-Tools fail its own workflow preflight, with no sanctioned recovery path.
Confirmed evidence
master1eafb757a91e4606ed9f82413e4122ad6bcf94fd.mcp_session_701/prgs-reviewer6b675f5c834b41f9d74e8a54294ff44dddf28ae4has_lock=falsebecause it reads the new authoritative directory.cleanup_allowed=false.Required behavior
1. Safe session-state location
Gitea-Tools must never place runtime session state inside:
branches/worktree container;Use an appropriate platform state directory outside repositories. Audit-relevant state must not rely on a disposable cache location without an explicit retention design.
2. Startup validation
At daemon startup:
A sanctioned test-only temporary directory may be supported, but it must not become a production bypass.
3. Secure defaults and permissions
Provide a secure platform-appropriate default state directory.
Requirements:
4. Legacy-state discovery
Provide a native, read-only inventory operation that can discover legacy session-state directories outside the current authority.
It must report:
Discovery must not treat a dead PID as sufficient proof of staleness.
5. Sanctioned migration and quarantine
Provide a role-gated recovery operation for legacy state.
It must:
6. Forensic residue retirement
Provide a sanctioned path for retained evidence that no longer needs to remain inside a repository.
The operation must:
Do not solve this by adding
.mcp_session_*to.gitignoreor local Git excludes. Hiding runtime residue would weaken the clean-checkout guard.7. Clean-checkout integration
After sanctioned migration or quarantine:
Acceptance criteria
.mcp_session_701/can be relocated through the sanctioned process without validating review 431 or modifying PR #701..gitignoreor local-exclude workaround is used.Required tests
Include coverage for:
Scope boundaries
This issue must not:
Related work
Security impact
This is both a workflow-availability and audit-integrity defect. Session state must not dirty the repository it protects, but recovery must also preserve decision locks, quarantined approvals and forensic provenance. The system needs a native lifecycle-aware relocation path rather than manual deletion or Git ignore rules.
One-time controller-authorized forensic relocation
Kind: controller-authorized forensic relocation of orphaned legacy session state (Issue #716 operational recovery; does not implement the durable product fix).
Paths
/Users/jasonwalker/Development/Gitea-Tools/.mcp_session_701//Users/jasonwalker/Development/Gitea-Tools-Forensics/issue-716/pr701-session-state-20260715//Users/jasonwalker/Development/Gitea-Tools-Forensics/issue-716/relocation-manifest-pr701-20260715.txt(mode600)mv) on the same filesystemRelated identifiers
6b675f5c834b41f9d74e8a54294ff44dddf28ae4prgs-reviewersysadmin/ controller-authorized path; audit posted viaprgs-author(jcwalker3)Review 431 status
Review 431 remains quarantined. It provides no merge authorization. This relocation is not a validation of review 431 and does not re-authorize any historical approval.
Relocation results
700dirs; files non-world-readable)Authority and scope
~/.cache/gitea-tools/session-state(unchanged; not merged with legacy state).gitignore/ exclude workaroundControl-checkout before / after
master@1eafb757a91e4606ed9f82413e4122ad6bcf94fd; sole untracked entry.mcp_session_701/master@1eafb757a91e4606ed9f82413e4122ad6bcf94fd; genuinely clean (no tracked or untracked changes)Residual
Issue #716 remains required for the permanent product fix (prevent in-repo session state and provide sanctioned legacy recovery in product code). This comment records only the one-time forensic relocation.