fix(reconciler): forward explicit repository through delete_branch anti-stomp preflight (Closes #733) #734
Merged
sysadmin
merged 1 commits from 2026-07-17 22:03:26 -05:00
fix/issue-733-delete-branch-repo-forwarding into master
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
No labels
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#734
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
gitea_delete_branch accepted explicit org/repo but did not propagate them
through the anti-stomp preflight. During a deletion targeting
Scaled-Tech-Consulting/Gitea-Tools, preflight resolved the remote-wide prgs
default (Scaled-Tech-Consulting/Timesheet) and failed closed with wrong_repo
before any deletion — because verify_preflight_purity was called without
org/repo and the shared #604 anti-stomp resolution fell back to the REMOTES
default.
Fix (delete_branch only; REMOTES untouched):
Forward the explicit org/repo into verify_preflight_purity so the shared
#604 anti-stomp resolution validates the targeted repository instead of
the remote-wide default. Explicit Scaled-Tech-Consulting/Gitea-Tools now
propagates through role/workspace verification, verify_preflight_purity,
anti-stomp repository resolution, and the final native deletion request.
Add a workspace-derived repository-binding gate
(_delete_branch_repository_binding_block) that validates explicit
coordinates against the immutable, workspace-aligned repository identity.
Wrong, substituted, or unverified coordinates fail closed — independent of
the anti-stomp remote/repo guard, which by the #530 contract trusts explicit
caller intent. REMOTES defaults are never consulted as an authorization
scope.
Preserved: reconciler-only ownership of gitea.branch.delete; author/reviewer/
merger denial; protected and preservation/evidence gates; missing coordinates
still fail closed via the anti-stomp default resolution.
Regression matrix (tests/test_issue_733_delete_branch_repo_forwarding.py):
Timesheet-default + explicit Gitea-Tools permits an eligible deletion and
forwards the coordinates; wrong/substituted/unverified coordinates fail closed;
author/reviewer/merger remain denied; protected and preservation branches
remain blocked; anti-stomp resolution marks explicit coordinates authoritative
and fails closed on the remote-wide default for omitted coordinates; the
task-capability and role-routing maps stay consistent.
Co-Authored-By: Claude Opus 4.8 [email protected]
Claude-Session: https://claude.ai/code/session_01UVDxVKANhuGYzZgayDU3QS
Description
[Summary of changes and issue number closed.]
Closes #[Issue Number]
Checklist
git diff --checkis clean.Documentation and Wiki
docs/wiki/been updated accordingly?scripts/sync-gitea-wiki.sh, see Runbooks).docs/wiki/. If stale or empty, record the required sync as a follow-up before approval.docs/wiki/, sync-helper code, or policy docs alone are not sufficient to close a wiki issue.repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #734
issue: #733
reviewer_identity: sysadmin
profile: prgs-reviewer
session_id: 25889-a397bf9bfa66
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr734-3990fc6
phase: claimed
candidate_head:
3990fc684ftarget_branch: master
target_branch_sha:
daf60266d0last_activity: 2026-07-18T02:55:59Z
expires_at: 2026-07-18T04:55:59Z
blocker: none
Canonical PR State
STATE:
Approved at head
3990fc684f— approval_at_current_head.WHO_IS_NEXT:
merger
NEXT_ACTION:
Merge PR #734 into master via the prgs-merger sanctioned workflow at head
3990fc6.NEXT_PROMPT:
WHY:
Independent reviewer (sysadmin) confirmed the two-file diff implements Issue #733: gitea_delete_branch forwards explicit org and repo into verify_preflight_purity so the shared #604 anti-stomp resolution validates the targeted repository, and a new workspace-derived binding gate rejects wrong, substituted, or unverified coordinates. Scope is delete_branch only; the global prgs default repository is untouched; reconciler-only ownership and author/reviewer/merger denial preserved; protected and preservation gates intact and ordered before the new check; safe_to_delete and ancestry gates in the cleanup path untouched.
ISSUE:
733
HEAD_SHA:
3990fc684fREVIEW_STATUS:
approve
MERGE_READY:
yes — mergeable, base master at
daf60266d0, no conflicts.NATIVE_REVIEW_PROOF:
Native gitea_submit_pr_review approve mutation via the prgs-reviewer namespace (sysadmin) at head 3990fc684f78e8bda20bf9215aa6c3aa5513f11a; reviewer lease 12217, session 25889-a397bf9bfa66. Not an offline or import path.
BLOCKERS:
none — no blocker.
VALIDATION:
231 focused tests passed at head
3990fc6(test_issue_733_delete_branch_repo_forwarding 14 tests / 5 subtests; anti_stomp_preflight; remote_repo_guard; delete_branch_capability; reconciler; resolve_task_capability; task_capability_role_invariants; namespace_workspace_binding; workspace_mutation_consistency; mutation_error_diagnostics; issue_lock_store; lease_lifecycle; pr_work_lease). git diff --check clean. Two files changed (+467/-1): gitea_mcp_server.py and tests/test_issue_733_delete_branch_repo_forwarding.py.LAST_UPDATED_BY:
prgs-reviewer (sysadmin)
adopted_at: 2026-07-18T03:03:00Z
adopted_by_identity: sysadmin
adopted_by_profile: prgs-merger
adopted_from_session_id: 25889-a397bf9bfa66
adopted_from_profile: prgs-reviewer
adopted_from_reviewer_identity: sysadmin
adopted_from_comment_id: 12217
adoption_reason: merger-handoff-approved-head
repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #734
issue: #733
reviewer_identity: sysadmin
profile: prgs-merger
session_id: 25909-e49a4cfb8a6d
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/merger-pr734-3990fc6
phase: adopted
candidate_head:
3990fc684ftarget_branch: master
target_branch_sha:
daf60266d0last_activity: 2026-07-18T03:03:00Z
expires_at: 2026-07-18T05:03:00Z
blocker: none
Stale #332 review-decision lock cleanup (#594)
Status: APPLIED
sysadminprgs-merger2026-07-18T03:03:27.602637+00:00approveon PR fix(reconciler): forward explicit repository through delete_branch anti-stomp preflight (Closes #733) (#734)closed(merged=True)11d1d2e99fe890c1d8ca07a7de93473c12d852551prgs-reviewerManual deletion of session-state files is not the workflow.
This path only clears a lock when the referenced PR is merged/closed.