fix(reconciler): forward explicit repository through delete_branch anti-stomp preflight #733

Closed
opened 2026-07-17 21:15:58 -05:00 by jcwalker3 · 0 comments
Owner

Problem

gitea_delete_branch accepts explicit organization and repository coordinates, but those coordinates are not propagated through the complete anti-stomp preflight path.

During a deletion targeting Scaled-Tech-Consulting/Gitea-Tools, preflight instead resolved the prgs remote’s default repository as Scaled-Tech-Consulting/Timesheet. The mismatch caused the mutation to fail closed before any branch deletion occurred.

Changing the global prgs default repository is not an acceptable fix because the remote serves multiple repositories and doing so could shift the failure to Timesheet or another project.

Diagnostic evidence

A diagnostics-enabled canary deletion of feat/pr-sync-status produced:

  • Tool: gitea_delete_branch
  • Profile: prgs-reconciler
  • Mutation stage: preflight_purity
  • Exception class: builtins.RuntimeError
  • Reason code: internal_error
  • Blocker: wrong_repo
  • Explicit target: Scaled-Tech-Consulting/Gitea-Tools
  • Incorrect resolved target: Scaled-Tech-Consulting/Timesheet
  • Result: success=false
  • Mutation performed: false
  • Retryable: false
  • Transport survived: true

Identity, role, permission, capability resolution, MCP parity, shell health, merge ancestry, and branch eligibility all passed before the mutation.

Expected behavior

When gitea_delete_branch receives explicit org and repo values, those exact coordinates must propagate through:

  1. gitea_delete_branch
  2. Role/workspace mutation verification
  3. verify_preflight_purity
  4. Anti-stomp repository resolution
  5. The final native deletion request

Preflight must validate the explicitly targeted repository rather than falling back to a remote-wide default.

Missing, inconsistent, unauthorized, or unproven coordinates must continue to fail closed.

Acceptance criteria

  • Forward explicit org and repo through every delete_branch preflight layer.

  • Do not modify or rely on REMOTES["prgs"]["repo"] as a workaround.

  • Preserve reconciler-only ownership of gitea.branch.delete.

  • Keep author, reviewer, and merger profiles denied.

  • Preserve protected-branch, preservation, merge-ancestry, lock, lease, repository-binding, and safe_to_delete gates.

  • Add a regression test where:

    • the configured prgs default repository is Scaled-Tech-Consulting/Timesheet;
    • the explicit deletion target is Scaled-Tech-Consulting/Gitea-Tools;
    • preflight validates Gitea-Tools and permits an otherwise eligible deletion.
  • Add negative tests proving:

    • wrong explicit coordinates fail closed;
    • missing coordinates fail closed;
    • repository substitution is rejected;
    • author, reviewer, and merger remain denied;
    • protected, preserved, open, or unmerged branches remain blocked.
  • Verify the task-capability and role-routing maps remain consistent.

  • Run focused anti-stomp, remote-repository guard, reconciler, branch-deletion, capability-routing, workspace, lock, lease, and mutation-diagnostics tests.

  • After merge and MCP restart, retry one revalidated canary deletion before processing the remaining branches.

Pending reconciliation

These merged remote branches remain pending:

  • feat/pr-sync-status
  • fix/issue-685-side-effect-free-resolver
  • issue-718-fix-merger-lease
  • feat/issue-727-pr-sync-status
  • fix/issue-714-session-context-immutability

Related work

  • #604 — common anti-stomp preflight
  • #723 — structured review-path role/preflight failures; related symptom but different scope
  • #729 — reconciler ownership of delete_branch
  • #732 — safe diagnostics for opaque mutation failures

Safety

No deletion, direct API fallback, CLI deletion, force operation, remote-default substitution, or external mutation occurred during diagnosis.

## Problem `gitea_delete_branch` accepts explicit organization and repository coordinates, but those coordinates are not propagated through the complete anti-stomp preflight path. During a deletion targeting `Scaled-Tech-Consulting/Gitea-Tools`, preflight instead resolved the `prgs` remote’s default repository as `Scaled-Tech-Consulting/Timesheet`. The mismatch caused the mutation to fail closed before any branch deletion occurred. Changing the global `prgs` default repository is not an acceptable fix because the remote serves multiple repositories and doing so could shift the failure to Timesheet or another project. ## Diagnostic evidence A diagnostics-enabled canary deletion of `feat/pr-sync-status` produced: * Tool: `gitea_delete_branch` * Profile: `prgs-reconciler` * Mutation stage: `preflight_purity` * Exception class: `builtins.RuntimeError` * Reason code: `internal_error` * Blocker: `wrong_repo` * Explicit target: `Scaled-Tech-Consulting/Gitea-Tools` * Incorrect resolved target: `Scaled-Tech-Consulting/Timesheet` * Result: `success=false` * Mutation performed: `false` * Retryable: `false` * Transport survived: `true` Identity, role, permission, capability resolution, MCP parity, shell health, merge ancestry, and branch eligibility all passed before the mutation. ## Expected behavior When `gitea_delete_branch` receives explicit `org` and `repo` values, those exact coordinates must propagate through: 1. `gitea_delete_branch` 2. Role/workspace mutation verification 3. `verify_preflight_purity` 4. Anti-stomp repository resolution 5. The final native deletion request Preflight must validate the explicitly targeted repository rather than falling back to a remote-wide default. Missing, inconsistent, unauthorized, or unproven coordinates must continue to fail closed. ## Acceptance criteria * Forward explicit `org` and `repo` through every `delete_branch` preflight layer. * Do not modify or rely on `REMOTES["prgs"]["repo"]` as a workaround. * Preserve reconciler-only ownership of `gitea.branch.delete`. * Keep author, reviewer, and merger profiles denied. * Preserve protected-branch, preservation, merge-ancestry, lock, lease, repository-binding, and `safe_to_delete` gates. * Add a regression test where: * the configured `prgs` default repository is `Scaled-Tech-Consulting/Timesheet`; * the explicit deletion target is `Scaled-Tech-Consulting/Gitea-Tools`; * preflight validates Gitea-Tools and permits an otherwise eligible deletion. * Add negative tests proving: * wrong explicit coordinates fail closed; * missing coordinates fail closed; * repository substitution is rejected; * author, reviewer, and merger remain denied; * protected, preserved, open, or unmerged branches remain blocked. * Verify the task-capability and role-routing maps remain consistent. * Run focused anti-stomp, remote-repository guard, reconciler, branch-deletion, capability-routing, workspace, lock, lease, and mutation-diagnostics tests. * After merge and MCP restart, retry one revalidated canary deletion before processing the remaining branches. ## Pending reconciliation These merged remote branches remain pending: * `feat/pr-sync-status` * `fix/issue-685-side-effect-free-resolver` * `issue-718-fix-merger-lease` * `feat/issue-727-pr-sync-status` * `fix/issue-714-session-context-immutability` ## Related work * #604 — common anti-stomp preflight * #723 — structured review-path role/preflight failures; related symptom but different scope * #729 — reconciler ownership of `delete_branch` * #732 — safe diagnostics for opaque mutation failures ## Safety No deletion, direct API fallback, CLI deletion, force operation, remote-default substitution, or external mutation occurred during diagnosis.
Sign in to join this conversation.
No labels
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#733