[reconciler][auth] Route delete_branch capability to the reconciler role #729

Closed
opened 2026-07-17 18:21:01 -05:00 by jcwalker3 · 0 comments
Owner

Problem

Remote post-merge branch deletion is blocked because the capability resolver classifies delete_branch as an author-role task, while gitea.branch.delete is intentionally granted only to prgs-reconciler.

Current behavior

  • prgs-reconciler has gitea.branch.delete.
  • The resolver returns required_role_kind=author for delete_branch.
  • The reconciler passes the permission check but fails the role gate.
  • The author has the role classification but intentionally lacks deletion permission.
  • No configured profile can satisfy both gates.
  • All attempts fail closed with performed=false.

Expected behavior

  • delete_branch requires role_kind=reconciler.
  • gitea.branch.delete remains denied to author, reviewer, and merger.
  • Explicit organization/repository binding remains required.
  • Protected, open, unmerged, locked, leased, dirty, ambiguous, and non-ancestor branches remain fail-closed.

Acceptance criteria

  • Map delete_branch to the reconciler role.
  • Resolve delete_branch to prgs-reconciler.
  • Add tests proving reconciler authorization.
  • Add negative tests proving author, reviewer, and merger remain denied.
  • Preserve protected and unmerged branch rejection.
  • After the fix is merged and MCP restarted, reconcile the five pending eligible remote branches through the native reconciler tool.

Pending remote branches

  • feat/pr-sync-status
  • fix/issue-685-side-effect-free-resolver
  • issue-718-fix-merger-lease
  • feat/issue-727-pr-sync-status
  • fix/issue-714-session-context-immutability

Safety

Do not grant gitea.branch.delete to prgs-author. Do not use direct API, curl, CLI, database, raw POST, or Web UI fallback.

## Problem Remote post-merge branch deletion is blocked because the capability resolver classifies delete_branch as an author-role task, while gitea.branch.delete is intentionally granted only to prgs-reconciler. ## Current behavior - prgs-reconciler has gitea.branch.delete. - The resolver returns required_role_kind=author for delete_branch. - The reconciler passes the permission check but fails the role gate. - The author has the role classification but intentionally lacks deletion permission. - No configured profile can satisfy both gates. - All attempts fail closed with performed=false. ## Expected behavior - delete_branch requires role_kind=reconciler. - gitea.branch.delete remains denied to author, reviewer, and merger. - Explicit organization/repository binding remains required. - Protected, open, unmerged, locked, leased, dirty, ambiguous, and non-ancestor branches remain fail-closed. ## Acceptance criteria - Map delete_branch to the reconciler role. - Resolve delete_branch to prgs-reconciler. - Add tests proving reconciler authorization. - Add negative tests proving author, reviewer, and merger remain denied. - Preserve protected and unmerged branch rejection. - After the fix is merged and MCP restarted, reconcile the five pending eligible remote branches through the native reconciler tool. ## Pending remote branches - feat/pr-sync-status - fix/issue-685-side-effect-free-resolver - issue-718-fix-merger-lease - feat/issue-727-pr-sync-status - fix/issue-714-session-context-immutability ## Safety Do not grant gitea.branch.delete to prgs-author. Do not use direct API, curl, CLI, database, raw POST, or Web UI fallback.
jcwalker3 added reference fix/issue-729-delete-branch-reconciler-role 2026-07-17 18:57:11 -05:00
Sign in to join this conversation.
No labels
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#729