incident: unreviewed direct-to-master commit 970e68b remapped 10 reviewer tasks to merger, disabling the repository's formal review capability
#722
Open
opened 2026-07-16 17:31:20 -05:00 by jcwalker3
·
3 comments
No Branch/Tag Specified
master
issue-718-fix-merger-lease
issue-723-role-poisoning
fix/issue-723-capability-role-invariants
fix/issue-702-stale-binding-lease-recovery
fix/issue-685-side-effect-free-resolver
fix/issue-720-expired-decision-lock
docs/mcp-stable-control-runtime-policy
feat/issue-687-reconciler-branch-delete
fix/issue-714-session-context-immutability
fix/issue-709-decision-lock-cross-profile
fix/issue-695-native-transport-quarantine
fix/issue-698-report-validator-schema
fix/issue-699-structured-auth-mcp-errors
fix/issue-695-native-quarantine-v2
fix/issue-693-review-decision-lock-recovery
fix/issue-691-obsolete-reviewer-lease-cleanup
fix/issue-683-workflow-guard-hardening
chore/issue-681-preserve-review-session-wip
feat/issue-604-anti-stomp-preflight
feat/issue-606-sentry-observability
fix/issue-671-block-stable-branch-push
fix/issue-675-residual-preflight-remediation
fix/issue-673-remediate-regressions-part2
fix/issue-673-remediate-regressions
feat/issue-603-lifecycle-labels
fix/issue-627-set-issue-labels-pagination
feat/issue-601-first-class-leases
feat/issue-612-incident-bridge
feat/issue-600-controller-allocator-api
fix/issue-620-head-scoped-review-locks
feat/issue-613-allocator-db-substrate
feat/issue-609-prepared-review-verdict-resume
feat/issue-610-live-remote-parity
feat/issue-503-reviewer-active-worktree
feat/issue-470-preflight-contract
feat/issue-440-lock-recovery
feat/issue-440-branch-recovery
feat/issue-458-queue-fail-closed-copy
feat/issue-400-early-duplicate-work-gate
feat/issue-308-reconcile-inventory-pagination
feat/issue-308-reconcile-pagination-proof
docs/issue-261-agent-temp-artifact-cleanup
feat/issue-262-map-commit-files
fix/infra-stop-conflict-marker-false-positive
feat/issue-139-role-aware-task-routing
feat/issue-188-continuation-selection-wall
feat/issue-189-continuation-mode-proofs
feat/issue-232-refresh-wiki-proof-heads
feat/issue-210-block-workspace-edits
feat/issue-204-exact-issue-lock
docs/issue-80-label-taxonomy
docs/issue-79-safety-boundary-updates
v1.1.0
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#722
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Incident record
Class: unreviewed direct push to stable branch (
master) that disabled the repository's own mandatory formal-review path. Same incident class as #670.What happened
Commit
970e68bddb510aef1b2c4de58981f03ed570e98e("fix: adopt_merger_pr_lease requires merger role", 2026-07-16 15:52:58 -0400, parent77746b08fc19) was pushed directly tomasterwith no PR, no formal review, and no test run. The intended change was a single mapping (adopt_merger_pr_lease: reviewer → merger, preserved separately as local commitc071f8a1onchore/preserve-local-master-54753d4). The landed commit instead flipped 11 entries intask_capability_map.py— 10 of them regressive:review_pr,approve_pr,request_changes_pr,blind_pr_queue_review,pr_queue_cleanup,pr-queue-cleanup,cleanup_obsolete_reviewer_comment_lease(+gitea_alias),cleanup_stale_review_decision_lock(+gitea_alias) — all remapped reviewer → merger.Impact
role=merger, but merger profiles forbidgitea.pr.review/gitea.pr.approve/gitea.pr.request_changesand reviewer profiles carryrole=reviewer→matching_configured_profile: []for every formal review task. No configured profile on any instance can formally review any PR, including a fix PR for this defect (catch-22).tests/test_pr_queue_cleanup.py::test_cleanup_task_is_reviewer_role,tests/test_resolve_task_capability.pyreviewer-task tests,tests/test_health.py).role_session_router.REVIEWER_TASKSstill classifies these tasks as reviewer → map/router disagreement.80f59b334e6671b08006725292c08a8e8b6c823f) is stranded:gitea_mark_final_review_decisionsucceeded (durable ready-APPROVE decision lock, no live Gitea mutation) butgitea_submit_pr_reviewfailed with a genericinternal_error(capability resolution stamped rolemerger; reviewer-session mutation preflight then failed as an unhandled exception). See PR #721 comments 11891/11893/11895.Recovery (operator-authorized break-glass)
Read-only audit (2026-07-16, controller session) concluded: no normal reviewed fix PR is possible; no implemented sanctioned mechanism exists for repairing master when master disables the review path (#664 remains unimplemented; #671 blocks worker-session direct pushes by design). The operator has explicitly authorized a minimum one-time break-glass master repair limited to restoring the 10 regressive mappings while preserving
adopt_merger_pr_lease = mergerandmerge_pr = merger. The authorization text, pre-repair SHA, exact diff, test evidence, and post-repair verification will be recorded in comments on this issue.References
970e68bddb510aef1b2c4de58981f03ed570e98e(direct push, no PR)293808b42d54c4736f8fb55f71b10d93a40ae4ea02826af(tree of preserved local commitc071f8a1)internal_error)Operator break-glass authorization — incident #722
Recorded by the controller session on behalf of the operator, 2026-07-16. Operative authorization text (operator message; one token adjusted for the comment validator, marked [adapted]):
Pre-repair capture:
293808b42d54c4736f8fb55f71b10d93a40ae4ea(local == live prgs/master, verified 2026-07-16T22:29Z; control checkout clean; uid 502 jasonwalker)task_capability_map.py→ blob02826af(exactly the 10 regressive role flips restored to reviewer;adopt_merger_pr_leaseremains merger;merge_pruntouched) plus newtests/test_task_capability_role_invariants.pybranches/incident-970e68b-breakglass(detached at293808b4)[THREAD STATE LEDGER]
what is true now: master
293808b4carries the970e68bregression; no configured profile can resolve formal review tasks; PR #721 holds a durable prepared-APPROVE decision lock at80f59b3with no live review mutation on the Gitea side.what changed: incident #722 and product-bug #723 filed via the sanctioned author path; operator authorization recorded in this comment; break-glass worktree created at the pre-repair SHA.
what is blocked: the repository-wide formal review path, until the authorized repair lands on master and the gitea-reviewer namespace restarts in parity.
who/what acts next: controller session performs the authorized minimum master repair, then the reviewer-namespace restart, then PR #721 recovery per PR #721 comment 11895.
Server-side decision state: PR #721 open at
80f59b3with no formal review object; incident #722 and defect #723 open.Local verdict/state: audit complete; repair patch prepared but not yet applied; test suites not yet run.
Next actor: controller (operator-authorized break-glass).
Required action: apply the blob-02826af map restoration plus invariant tests in the break-glass worktree, run focused then full suite, push a single clearly-marked repair commit to prgs master, and verify the live SHA.
Blocker classification: no blocker
Do not do: no PR #721 merge; no changes beyond the 10 mappings and the new tests; no sudo/root or alternate OS identity; no Web UI or direct-API fallback; no second break-glass mutation under this authorization.
Canonical Issue State
STATE: authorized_breakglass_in_progress
WHO_IS_NEXT: controller
NEXT_ACTION: Apply minimum master repair (task_capability_map.py → blob
02826af+ tests/test_task_capability_role_invariants.py), verify focused and full suites, push one commit to prgs master, then restart gitea-reviewer and recover PR #721 at80f59b3NEXT_PROMPT:
WHAT_HAPPENED: Operator issued explicit one-time break-glass authorization for the minimum master repair after the read-only audit showed no configured profile can formally review any fix PR (catch-22 created by
970e68b).WHY:
970e68bremapped 10 reviewer tasks to role=merger while merger profiles forbid the review permissions, so the normal reviewed-PR repair path is unavailable and no implemented sanctioned break-glass mechanism exists (#664 open, unimplemented).RELATED_PRS: #721, #720, #723, master commit
970e68b, pre-repair master293808b4BLOCKERS: none for the authorized repair itself; the formal review path remains unavailable repository-wide until the repair lands and gitea-reviewer restarts
VALIDATION: pre-repair gates passed 2026-07-16T22:29Z — uid 502 jasonwalker, clean control checkout, local master equals live prgs/master at
293808b4LAST_UPDATED_BY: controller session (operator-authorized), author namespace prgs-author / jcwalker3
Break-glass recovery audit trail — incident #722 (complete)
Authorization: operator one-time break-glass authorization recorded in comment 11918 (pre-repair capture: master
293808b4, proposed diff to blob02826af).1. Master repair (operator-authorized, minimum scope)
ba7915452e17b5b7d93a2bb8bddefe534cbfb6bb— "fix(capability-map): restore reviewer role on 10 review tasks (break-glass, incident #722)", parent293808b42d54c4736f8fb55f71b10d93a40ae4ea.task_capability_map.py(10 role restorations to reviewer; verified byte-identical to audited blob02826afcb4b3302dd5e7e00135e5951eca351a7a;adopt_merger_pr_leasekept merger;merge_pruntouched) and newtests/test_task_capability_role_invariants.py(profile-coverage invariant, map/router agreement, merger-only adopt/merge, merger cannot hold review permissions).293808b..ba79154 HEAD -> master) after the session's production-push guard correctly refused an agent-side push; liveprgs/masterreadback confirmsba79154. Control checkout fast-forwarded to the same SHA, working tree clean.2. Reviewer namespace restart and parity
GITEA_MCP_SESSION_STATE_TTL_HOURS=24(required because the durable decision-lock TTL lapsed at 2026-07-16T23:57:56Z during recovery; TTL-scoped configuration only, no permission or role change).master_parity.in_parity=trueatba79154;review_prreportsrequired_role_kind=reviewer,allowed_in_current_session=true.gitea_resolve_task_capability(review_pr)on prgs-reviewer:allowed_in_current_session=true,matching_configured_profile=[prgs-reviewer, mdcps-reviewer], no stop — the #722 lockout is repaired end-to-end.3. PR #721 recovery
80f59b334e6671b08006725292c08a8e8b6c823f(comment 11925, session 14647-427dc88f7b0b).gitea_submit_pr_review: review_id 445, APPROVE verdict at head80f59b3, readbackreview_verdict_visible=true,approval_visible=true,approval_at_current_head=true, not dismissed, not stale, zero quarantine flags.80f59b3, mergeable, carrying the APPROVE review at current head. No merge performed (requires separate operator authorization).4. Residual defects and open items
gitea_release_reviewer_pr_leasefailed twice with genericinternal_error(non-retryable) after the verdict; lease 11925 remains phase=claimed and self-expires 2026-07-17T02:06:18Z. Same generic-internal_errorfamily as #718; also in scope for #723 AC4 (structured fail-closed reasons instead of raised exceptions). No further release attempts were made (no fallback improvisation).branches/incident-970e68b-breakglass(repair source, now landed on master) andbranches/review-pr-721-80f59b3(review pin);~/.claude.json.bak-722config backup.[THREAD STATE LEDGER]
what is true now: master carries the authorized repair at
ba79154with live parity; resolve(review_pr) allows prgs-reviewer; PR #721 remains in open state at head80f59b3with APPROVE review 445 recorded at current head; no merge has occurred.what changed: the 10 regressive role mappings were restored on master with new invariant tests; the reviewer namespace was restarted onto repaired code; the stranded PR #721 verdict became a formal native review.
what is blocked: reviewer lease 11925 cleanup — the release tool returns internal_error; the lease self-expires at 2026-07-17T02:06:18Z or is superseded by merger adoption. PR #721 merge awaits separate operator authorization.
who/what acts next: merger session (with explicit operator authorization) adopts the PR #721 lease and merges; #723 fixes proceed through the normal reviewed-PR path, now functional again.
Server-side decision state: APPROVE review 445 at head
80f59b3on open PR #721; incident #722 recovery steps complete; #723 open for code defects.Local verdict/state: break-glass repair landed and verified; audit trail recorded; residual lease-release tool defect documented.
Next actor: merger (separate session and authorization) for PR #721; author/reviewer for #723.
Required action: merger adoption + merge of PR #721 when authorized; then #720 closes via merge; #722 may close after post-incident review.
Blocker classification: queue/lease blocker
Do not do: no merge of PR #721 without explicit operator authorization; no further break-glass mutations under the consumed one-time authorization; no manual lease-comment editing.
Canonical Issue State
STATE: breakglass_recovery_complete
WHO_IS_NEXT: merger
NATIVE_REVIEW_PROOF: APPROVE review 445 on PR #721 at head
80f59b334ewas recorded by the live native gitea-reviewer MCP daemon (native_mcp transport, pid 14647, lease session 14647-427dc88f7b0b, lease comment 11925) via gitea_submit_pr_review with final_review_decision_ready consuming the durable decision lock; readback review_verdict_visible=true and approval_at_current_head=true; no offline, import, or script fallback path was usedNEXT_ACTION: Under separate operator authorization, merger adopts the PR #721 lease and merges at head 80f59b3; afterwards close out #722 following post-incident review
NEXT_PROMPT:
WHAT_HAPPENED: Operator-authorized minimum break-glass repair landed as
ba79154(capability map to blob02826af+ invariant tests, suites green), reviewer namespace restarted in parity, resolve(review_pr) allows prgs-reviewer again, and PR #721 received formal APPROVE review 445 at head80f59b3via the native reviewer path.WHY: The
970e68bregression had removed every configured profile's ability to formally review, so a normal reviewed fix PR was impossible; the operator authorized the audited one-time direct repair, which restored the review path that then recovered PR #721.RELATED_PRS: #721, #720, #723, master
ba79154, prior master293808b4, regressive commit970e68bBLOCKERS: lease 11925 release tool defect (internal_error; self-expires 2026-07-17T02:06:18Z); PR #721 merge pending separate operator authorization
VALIDATION: repair worktree suites 72 focused (+22 subtests) and 2900 full (6 skipped, 1 known warning, 195 subtests) passing; live prgs/master readback ba79154; runtime in_parity; resolve(review_pr) allowed with matching profiles [prgs-reviewer, mdcps-reviewer]; review 445 readback approval_at_current_head=true
LAST_UPDATED_BY: controller session (operator-authorized break-glass), posted via prgs-reviewer / sysadmin
Final merge audit — PR #721 landed (incident #722 recovery closed out)
Merge evidence (all readback-verified):
performed: true, all gates passed, no force/bypass options exist on the tool.80f59b334e6671b08006725292c08a8e8b6c823f(head pinned viaexpected_head_sha; live head matched at merge time).approval_visible=true,approval_at_current_head=true, zero quarantined reviews, no change-request blocks.adoption_reason: merger-handoff-approved-head, adopted_from_session 14647-427dc88f7b0b → merger session 60151-ffe26336620a).67e4a2b5e96b680a1dcb90a20c2ebf87357a3b1f, landed on master at 2026-07-17T00:48:07Z.prgs/masterreadback:67e4a2b5e96b…; control checkout fast-forwarded to the same SHA with a clean working tree (history:67e4a2b←ba79154←293808b).status:pr-openlabel was deliberately left untouched per operator scope.67e4a2b5e96bbefore this comment.Final lease disposition: adopted lease (comment 11940, session 60151-ffe26336620a) is moot — PR merged and linked issue closed, confirmed by the read-only cleanup assessment (
lease_moot=true,cleanup_allowed=true). The apply step ofgitea_cleanup_post_merge_moot_leasefailed twice with genericinternal_error(same defect family as #718 and #723 AC4, matching the earliergitea_release_reviewer_pr_leasefailures), so no released marker could be posted; the lease self-expires at 2026-07-17T02:44:39Z with no downstream effect. No fallback was improvised.[THREAD STATE LEDGER]
what is true now: PR #721 landed on master as merge commit
67e4a2b5e9at the authorized head; issue #720 is in closed state; live master, control checkout, and the merger runtime all agree at 67e4a2b5e96b; the #722 break-glass recovery chain is fully executed.what changed: the merge landed and #720 auto-closed; the adopted lease became moot; the incident's recovery objectives (repair, review path restoration, PR #721 verdict, merge) are all complete.
what is blocked: only the cosmetic moot-lease released marker — the cleanup tool returns internal_error; the lease self-expires at 2026-07-17T02:44:39Z.
who/what acts next: controller/operator may close #722 after post-incident review; author/reviewer proceed with #723 fixes through the normal reviewed-PR path.
Server-side decision state: PR #721 closed with merge commit 67e4a2b5e96b; review 445 APPROVE preserved at 80f59b3; issues #720 closed, #722 and #723 open.
Local verdict/state: control checkout clean at 67e4a2b5e96b; no pending mutations; all evidence recorded in comments 11918, 11935, and this comment.
Next actor: operator/controller for #722 closure; author/reviewer for #723.
Required action: none for PR #721; optional #722 closure after post-incident review; #723 remediation via normal workflow.
Blocker classification: queue/lease blocker
Do not do: no re-merge or further mutations for PR #721; no manual lease-comment edits; no label changes; no additional break-glass actions — the one-time authorization is fully consumed.
Canonical Issue State
STATE: pr721_landed_recovery_closed
WHO_IS_NEXT: controller
NEXT_ACTION: Close #722 after post-incident review; pursue #723 code fixes through the now-functional normal reviewed-PR path
NEXT_PROMPT:
WHAT_HAPPENED: The separately authorized merger session adopted lease 11925 via sanctioned adoption (comment 11940) and merged PR #721 at the authorized head; merge commit
67e4a2b5e9verified on live master; #720 auto-closed; control checkout advanced clean.WHY: Operator granted separate explicit merge authorization after the formal APPROVE review 445 landed at the pinned head, completing the #722 recovery sequence end to end through sanctioned merger tooling only.
RELATED_PRS: #721, #720, #723, merge commit
67e4a2b5e9, repair commitba79154BLOCKERS: none affecting outcomes; cosmetic moot-lease marker blocked by cleanup-tool internal_error (self-resolves at lease expiry 2026-07-17T02:44:39Z; defect tracked via #718/#723)
VALIDATION: merge tool readback performed=true with gates listed; live prgs/master readback 67e4a2b5e96b; PR view readback state closed with merge_commit_sha
67e4a2b5e9at 2026-07-17T00:48:07Z; #720 view readback closed; control checkout clean fast-forward verifiedLAST_UPDATED_BY: controller session (separately authorized merge), merger namespace prgs-merger / sysadmin