fix(mcp): complete canonical-root consumption for cross-repository namespaces (Closes #739) #740

Open
jcwalker3 wants to merge 1 commits from feat/issue-739-canonical-root-consumption into master
Owner

Closes #739

Head: 15a8a76e999729cbbd3a27f9339d8f682f67793d
Base: master @ a8d2087b4af3ae143b839c5c0c821e2a3ca7fd4f

Root cause

#706 introduced the immutable, configured canonical_repository_root and routed two consumers through it: the #274 filesystem guards and the session repository slug. Three consumption paths kept deriving repository identity from the Gitea-Tools installation checkout. Each was reproduced by an executable test against the production entry point before being changed.

F1 — runtime-context did not normalize its remote

gitea_whoami normalizes via _effective_remote before seeding the session context; gitea_get_runtime_context did not. _effective_remote (gitea_mcp_server.py:2349-2363) is the only place a profile's own configured remote is consulted, and it fires only when the caller left remote at its "dadeschools" default.

Before: on a prgs-hosted namespace whose first native call was the runtime-context path, the raw argument default flowed into the host lookup and into _seed_session_context. The session pinned remote="dadeschools" / host="gitea.dadeschools.net", _authenticated_username resolved identity against the wrong host, and because first-bind is first-write-wins (session_context_binding.py:218) a later correct gitea_whoami(remote="prgs") could not repair it — the mutation gate then reported remote drift against a binding that was wrong from the start.

After: remote = _effective_remote(remote) runs before any host lookup, identity resolution, or session seeding. Explicit remotes are untouched; a dadeschools-hosted profile still resolves to dadeschools. This is a production-path fix, not call-ordering advice.

F2 — delete-branch binding guard read the installation checkout

_delete_branch_repository_binding_block derived its expected slug from _workspace_repository_slug, which runs _local_git_remote_url with cwd=PROJECT_ROOT — always Gitea-Tools. The delete path never reaches _trusted_session_repository, which already had the canonical-root branch.

Before: for a namespace with a configured canonical root the guard was inverted — an explicit target naming the genuinely bound repository was rejected, and one naming Gitea-Tools was accepted.

After: the canonical-root branch is extracted as _canonical_repository_slug and shared by both call sites. A configured-but-unresolvable root fails closed rather than silently falling back to the installation identity. Unconfigured namespaces keep the install-derived default unchanged.

F3 — parity carried no target-repository dimension

gitea_assess_master_parity computes both HEADs from PROJECT_ROOT. This is intentional and is preserved — it detects that in-memory capability-gate code is stale relative to the on-disk Gitea-Tools checkout, exactly as master_parity_gate.py:1-21 documents. The defect was that it was the only dimension, so "in parity" read as a whole-system statement.

After: startup_head, current_head, in_parity, stale, restart_required, summary, reasons, and process_root keep their existing meaning and values, and only the server dimension gates mutations. Two separately labelled dimensions are added:

  • server_implementationinstallation_root, startup_head, current_head, stale, determinable
  • target_repositorycanonical_repository_root, source, repository_slug, checkout_head, tracking_ref, remote_tracking_head, determinable, stale, reasons

The target assessment makes no network call: the remote side is read from the existing remote-tracking ref, and a target that has never been fetched is reported indeterminate rather than guessed at. It deliberately does not honour GITEA_TEST_CURRENT_HEAD, which exists to pin the server's HEAD.

Proven intentional — no change made

  • Repository/remote guard. assess_workspace_repo_membership, assess_author_mutation_worktree, and the branches-only guard already validate against ctx["canonical_repo_root"]. The canonical target root resolves to its own slug, the installation root stays Gitea-Tools, explicit org/repo may confirm but never authorize a binding, and a Gitea-Tools-rooted namespace cannot reach another repository.
  • Configuration surface. A four-role repository-specific profile set with allowed_repositories limited to one repository, an absolute canonical root, and credential references only already passes config audit and bind-time validation; a wrong root fails closed; role separation holds in both directions.

Both are now covered by regression tests so a future change cannot quietly undo them.

Files changed

  • gitea_mcp_server.py — F1 normalization; new _canonical_repository_slug helper; _trusted_session_repository refactored onto it with identical semantics; delete-branch guard consumes it; parity tool reports two labelled dimensions.
  • master_parity_gate.py — additive assess_target_repository_parity, _git_capture, DEFAULT_TARGET_TRACKING_REF. No existing symbol modified.
  • tests/test_cross_repo_canonical_consumption.py — new, 31 cases across groups A–E using real git repositories and no network.

Tests

  • New file: 31 passed, 31 subtests passed. Red before the fix (13 failed / 20 passed), green after.
  • Targeted regression (#706, #706-F1, #714, #733, parity, delete-branch capability, namespace binding, workspace-guard alignment): 120 passed, 36 subtests passed.
  • Full suite on this branch: 3298 passed, 6 skipped, 271 subtests passed.
  • Full suite on clean baseline a8d2087: 3267 passed, 6 skipped, 240 subtests passed. Delta is exactly the 31 new cases.
  • Two failures — test_issue_702_review_findings_f1_f6::test_removed_worktree_recovers_before_probe and test_reconciler_supersession_close::test_tool_posts_comment_and_closes_superseded_pr_issue — reproduce identically on unmodified a8d2087 and are pre-existing, not attributable to this change.
  • git diff --check clean.

Remaining limitations

  • Other install-derived identity paths are untouched and out of scope: _resolve, _enforce_remote_repo_guard, the anti-stomp org/repo fill, and the git-operation call sites that pass PROJECT_ROOT directly (branch cleanup, merge, ownership). A cross-repository namespace exercising those will still resolve against the installation checkout. They are not on the author/reviewer/merger/reconciler critical path this change unblocks and warrant a separate scoped issue.
  • _validate_canonical_repository_root runs only on the v2-contexts config shape; the v1 and v2-environments loaders read the field without validating it.
  • Target-repository staleness depends on an already-fetched remote-tracking ref; this assessment never fetches.
  • No client launcher file, profiles.json, or credential was read or modified, and no branch was deleted by any test.

Author work unit only — not reviewed, not approved, not merged.

Closes #739 Head: `15a8a76e999729cbbd3a27f9339d8f682f67793d` Base: `master` @ `a8d2087b4af3ae143b839c5c0c821e2a3ca7fd4f` ## Root cause #706 introduced the immutable, configured `canonical_repository_root` and routed two consumers through it: the #274 filesystem guards and the session repository slug. Three consumption paths kept deriving repository identity from the Gitea-Tools *installation* checkout. Each was reproduced by an executable test against the production entry point before being changed. ### F1 — runtime-context did not normalize its remote `gitea_whoami` normalizes via `_effective_remote` before seeding the session context; `gitea_get_runtime_context` did not. `_effective_remote` (`gitea_mcp_server.py:2349-2363`) is the only place a profile's own configured remote is consulted, and it fires only when the caller left `remote` at its `"dadeschools"` default. **Before:** on a prgs-hosted namespace whose first native call was the runtime-context path, the raw argument default flowed into the host lookup and into `_seed_session_context`. The session pinned `remote="dadeschools"` / `host="gitea.dadeschools.net"`, `_authenticated_username` resolved identity against the wrong host, and because first-bind is first-write-wins (`session_context_binding.py:218`) a later correct `gitea_whoami(remote="prgs")` could not repair it — the mutation gate then reported remote drift against a binding that was wrong from the start. **After:** `remote = _effective_remote(remote)` runs before any host lookup, identity resolution, or session seeding. Explicit remotes are untouched; a dadeschools-hosted profile still resolves to `dadeschools`. This is a production-path fix, not call-ordering advice. ### F2 — delete-branch binding guard read the installation checkout `_delete_branch_repository_binding_block` derived its expected slug from `_workspace_repository_slug`, which runs `_local_git_remote_url` with `cwd=PROJECT_ROOT` — always Gitea-Tools. The delete path never reaches `_trusted_session_repository`, which already had the canonical-root branch. **Before:** for a namespace with a configured canonical root the guard was inverted — an explicit target naming the genuinely bound repository was rejected, and one naming Gitea-Tools was accepted. **After:** the canonical-root branch is extracted as `_canonical_repository_slug` and shared by both call sites. A configured-but-unresolvable root fails closed rather than silently falling back to the installation identity. Unconfigured namespaces keep the install-derived default unchanged. ### F3 — parity carried no target-repository dimension `gitea_assess_master_parity` computes both HEADs from `PROJECT_ROOT`. **This is intentional and is preserved** — it detects that in-memory capability-gate code is stale relative to the on-disk Gitea-Tools checkout, exactly as `master_parity_gate.py:1-21` documents. The defect was that it was the only dimension, so "in parity" read as a whole-system statement. **After:** `startup_head`, `current_head`, `in_parity`, `stale`, `restart_required`, `summary`, `reasons`, and `process_root` keep their existing meaning and values, and only the server dimension gates mutations. Two separately labelled dimensions are added: - `server_implementation` — `installation_root`, `startup_head`, `current_head`, `stale`, `determinable` - `target_repository` — `canonical_repository_root`, `source`, `repository_slug`, `checkout_head`, `tracking_ref`, `remote_tracking_head`, `determinable`, `stale`, `reasons` The target assessment makes no network call: the remote side is read from the existing remote-tracking ref, and a target that has never been fetched is reported indeterminate rather than guessed at. It deliberately does not honour `GITEA_TEST_CURRENT_HEAD`, which exists to pin the server's HEAD. ## Proven intentional — no change made - **Repository/remote guard.** `assess_workspace_repo_membership`, `assess_author_mutation_worktree`, and the branches-only guard already validate against `ctx["canonical_repo_root"]`. The canonical target root resolves to its own slug, the installation root stays Gitea-Tools, explicit `org`/`repo` may confirm but never authorize a binding, and a Gitea-Tools-rooted namespace cannot reach another repository. - **Configuration surface.** A four-role repository-specific profile set with `allowed_repositories` limited to one repository, an absolute canonical root, and credential references only already passes config audit and bind-time validation; a wrong root fails closed; role separation holds in both directions. Both are now covered by regression tests so a future change cannot quietly undo them. ## Files changed - `gitea_mcp_server.py` — F1 normalization; new `_canonical_repository_slug` helper; `_trusted_session_repository` refactored onto it with identical semantics; delete-branch guard consumes it; parity tool reports two labelled dimensions. - `master_parity_gate.py` — additive `assess_target_repository_parity`, `_git_capture`, `DEFAULT_TARGET_TRACKING_REF`. No existing symbol modified. - `tests/test_cross_repo_canonical_consumption.py` — new, 31 cases across groups A–E using real git repositories and no network. ## Tests - New file: 31 passed, 31 subtests passed. Red before the fix (13 failed / 20 passed), green after. - Targeted regression (#706, #706-F1, #714, #733, parity, delete-branch capability, namespace binding, workspace-guard alignment): 120 passed, 36 subtests passed. - Full suite on this branch: **3298 passed, 6 skipped, 271 subtests passed**. - Full suite on clean baseline `a8d2087`: **3267 passed, 6 skipped, 240 subtests passed**. Delta is exactly the 31 new cases. - Two failures — `test_issue_702_review_findings_f1_f6::test_removed_worktree_recovers_before_probe` and `test_reconciler_supersession_close::test_tool_posts_comment_and_closes_superseded_pr_issue` — reproduce identically on unmodified `a8d2087` and are pre-existing, not attributable to this change. - `git diff --check` clean. ## Remaining limitations - Other install-derived identity paths are untouched and out of scope: `_resolve`, `_enforce_remote_repo_guard`, the anti-stomp org/repo fill, and the git-operation call sites that pass `PROJECT_ROOT` directly (branch cleanup, merge, ownership). A cross-repository namespace exercising those will still resolve against the installation checkout. They are not on the author/reviewer/merger/reconciler critical path this change unblocks and warrant a separate scoped issue. - `_validate_canonical_repository_root` runs only on the v2-contexts config shape; the v1 and v2-environments loaders read the field without validating it. - Target-repository staleness depends on an already-fetched remote-tracking ref; this assessment never fetches. - No client launcher file, `profiles.json`, or credential was read or modified, and no branch was deleted by any test. Author work unit only — not reviewed, not approved, not merged.
jcwalker3 added 1 commit 2026-07-18 02:45:53 -05:00
#706 routed the #274 filesystem guards and the session repository slug through
the configured canonical_repository_root. Three consumption paths were left
deriving from the Gitea-Tools installation checkout.

F1 — gitea_get_runtime_context did not normalize its `remote` argument, while
gitea_whoami did. On a prgs-hosted namespace whose first native call was the
runtime-context path, the 'dadeschools' argument default was pinned: identity
resolved against the wrong host, and because first-bind is first-write-wins a
later correct gitea_whoami(remote="prgs") could not repair the binding. It now
calls _effective_remote before any host lookup, identity resolution, or session
seeding. Explicit remotes pass through untouched and a dadeschools-hosted
profile still resolves to dadeschools.

F2 — _delete_branch_repository_binding_block derived its expected slug from
_workspace_repository_slug, which reads _local_git_remote_url in PROJECT_ROOT
(always Gitea-Tools). For a cross-repository namespace this inverted the guard:
the genuinely bound target was rejected and Gitea-Tools was accepted. The
canonical-root branch already present in _trusted_session_repository is
extracted as _canonical_repository_slug and shared by both call sites. A
configured-but-unresolvable root now fails closed instead of falling back to
the installation identity; unconfigured namespaces keep the install-derived
default unchanged.

F3 — gitea_assess_master_parity measures Gitea-Tools server implementation
parity only. That is intentional and is preserved: startup_head, current_head,
in_parity, stale, and restart_required keep their existing meaning and values,
and only the server dimension gates mutations. Two separately labelled
dimensions are added — server_implementation (installation root and commit) and
target_repository (canonical root, repository slug, checkout head, last-known
remote master head, staleness) — so cross-repository commissioning evidence can
distinguish them. The target assessment makes no network call: the remote side
is read from the existing remote-tracking ref, and an unfetched target is
reported indeterminate rather than guessed at.

Verified intentional and left unchanged: the #274 workspace-membership,
author-mutation-worktree, and branches-only guards already validate against the
configured canonical root; explicit org/repo may confirm but never authorize a
binding; and the four-role repository-specific configuration surface already
passes audit and bind-time validation with a wrong root failing closed.

Tests: 31 new cases in tests/test_cross_repo_canonical_consumption.py using
real git repositories and no network. Full suite 3298 passed / 6 skipped
against a clean-baseline 3267; the 2 failures
(test_issue_702_review_findings_f1_f6, test_reconciler_supersession_close)
reproduce identically on unmodified master a8d2087 and are pre-existing.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Claude-Session: https://claude.ai/code/session_013jUxaLVLkPHuTQwAzFzztW
Author
Owner

Follow-up scope is tracked in #741, "Eliminate remaining PROJECT_ROOT coupling in cross-repository MCP operations."

PR #740 fixes the three confirmed defects scoped to #739: first-call effective-remote binding, canonical-root-aware reconciler branch validation, and separate target-repository parity evidence.

PR #740 does not claim that every cross-repository mutation path is commissioned. Client configuration installation and unattended mcp-control-plane operation remain blocked until the mutation-critical paths identified in #741—particularly author, merge, remote-guard, anti-stomp, and cleanup consumers—are verified or corrected, independently reviewed and merged, loaded through a daemon restart, and proven by repository-correct commissioning.

This follow-up does not expand PR #740's diff or acceptance scope.

Canonical Issue State

STATE: PR #740 is open at head 15a8a76e99 against base master a8d2087b4a, carrying no review verdict yet.
WHO_IS_NEXT: REVIEWER
NEXT_ACTION: A leased prgs-reviewer session performs a fresh native review of PR #740 at head 15a8a76e99 and records a formal verdict.
NEXT_PROMPT:

Perform a fresh native formal review of Scaled-Tech-Consulting/Gitea-Tools PR #740 on the prgs remote, at head 15a8a76e999729cbbd3a27f9339d8f682f67793d.

Use the prgs-reviewer namespace only. Verify UID 502 non-root, runtime parity, and identity jcwalker3 / prgs-reviewer / reviewer. Load the canonical router and review workflow. Acquire the reviewer PR lease. Resolve the required capability immediately before each mutating reviewer call.

Assess against issue #739 acceptance criteria 1-7. Confirm specifically:
- gitea_get_runtime_context normalizes remote before any host lookup, identity resolution, or session seeding, and explicit remotes plus dadeschools-hosted profiles are unaffected;
- _canonical_repository_slug preserves _trusted_session_repository semantics exactly, and a configured-but-unresolvable canonical root fails the delete-branch guard closed rather than falling back to the installation identity;
- gitea_assess_master_parity keeps startup_head, current_head, in_parity, stale, and restart_required byte-identical in meaning and value, with target_repository additive only and non-gating;
- the 31 new tests genuinely fail on a8d2087 and pass on the PR head;
- the two suite failures reproduce on unmodified master and are therefore pre-existing.

Record a formal verdict. Do not merge.

WHAT_HAPPENED: Issue #739 was filed after executable reproduction of three canonical-root consumption defects left by #706/#736. PR #740 implements the fixes and adds tests/test_cross_repo_canonical_consumption.py. Residual installation-root coupling found during that work was filed separately as #741 rather than expanding this PR.
WHY: #706 routed only the #274 filesystem guards and the session repository slug through the configured canonical root. Paths reached through _local_git_remote_url, which runs in PROJECT_ROOT, continued to report the Gitea-Tools installation checkout. #740 corrects the three consumers on the author, reviewer, merger, and reconciler critical path; #741 tracks the remainder so this diff stays scoped.
RELATED_PRS: #740 (this PR, open); #736 (merged, introduced canonical_repository_root for #706)
BLOCKERS: None for review. Commissioning of the four mcp-control-plane namespace profiles remains gated on #741 plus merge of #740 and a subsequent daemon restart, as recorded in #741.
VALIDATION: New tests 31 passed with 31 subtests, red before the fix at 13 failed / 20 passed. Targeted regression across #706, #706-F1, #714, #733, parity, delete-branch capability, namespace binding, and workspace-guard alignment: 120 passed, 36 subtests. Full suite on the PR head 3298 passed, 6 skipped, 271 subtests; clean baseline a8d2087 3267 passed, 6 skipped, 240 subtests. The two failures, test_issue_702_review_findings_f1_f6::test_removed_worktree_recovers_before_probe and test_reconciler_supersession_close::test_tool_posts_comment_and_closes_superseded_pr_issue, reproduce identically on unmodified a8d2087. git diff --check reports no whitespace errors.
LAST_UPDATED_BY: jcwalker3 / prgs-author

Follow-up scope is tracked in #741, "Eliminate remaining PROJECT_ROOT coupling in cross-repository MCP operations." PR #740 fixes the three confirmed defects scoped to #739: first-call effective-remote binding, canonical-root-aware reconciler branch validation, and separate target-repository parity evidence. PR #740 does not claim that every cross-repository mutation path is commissioned. Client configuration installation and unattended `mcp-control-plane` operation remain blocked until the mutation-critical paths identified in #741—particularly author, merge, remote-guard, anti-stomp, and cleanup consumers—are verified or corrected, independently reviewed and merged, loaded through a daemon restart, and proven by repository-correct commissioning. This follow-up does not expand PR #740's diff or acceptance scope. ## Canonical Issue State STATE: PR #740 is open at head 15a8a76e999729cbbd3a27f9339d8f682f67793d against base master a8d2087b4af3ae143b839c5c0c821e2a3ca7fd4f, carrying no review verdict yet. WHO_IS_NEXT: REVIEWER NEXT_ACTION: A leased prgs-reviewer session performs a fresh native review of PR #740 at head 15a8a76e999729cbbd3a27f9339d8f682f67793d and records a formal verdict. NEXT_PROMPT: ```text Perform a fresh native formal review of Scaled-Tech-Consulting/Gitea-Tools PR #740 on the prgs remote, at head 15a8a76e999729cbbd3a27f9339d8f682f67793d. Use the prgs-reviewer namespace only. Verify UID 502 non-root, runtime parity, and identity jcwalker3 / prgs-reviewer / reviewer. Load the canonical router and review workflow. Acquire the reviewer PR lease. Resolve the required capability immediately before each mutating reviewer call. Assess against issue #739 acceptance criteria 1-7. Confirm specifically: - gitea_get_runtime_context normalizes remote before any host lookup, identity resolution, or session seeding, and explicit remotes plus dadeschools-hosted profiles are unaffected; - _canonical_repository_slug preserves _trusted_session_repository semantics exactly, and a configured-but-unresolvable canonical root fails the delete-branch guard closed rather than falling back to the installation identity; - gitea_assess_master_parity keeps startup_head, current_head, in_parity, stale, and restart_required byte-identical in meaning and value, with target_repository additive only and non-gating; - the 31 new tests genuinely fail on a8d2087 and pass on the PR head; - the two suite failures reproduce on unmodified master and are therefore pre-existing. Record a formal verdict. Do not merge. ``` WHAT_HAPPENED: Issue #739 was filed after executable reproduction of three canonical-root consumption defects left by #706/#736. PR #740 implements the fixes and adds tests/test_cross_repo_canonical_consumption.py. Residual installation-root coupling found during that work was filed separately as #741 rather than expanding this PR. WHY: #706 routed only the #274 filesystem guards and the session repository slug through the configured canonical root. Paths reached through _local_git_remote_url, which runs in PROJECT_ROOT, continued to report the Gitea-Tools installation checkout. #740 corrects the three consumers on the author, reviewer, merger, and reconciler critical path; #741 tracks the remainder so this diff stays scoped. RELATED_PRS: #740 (this PR, open); #736 (merged, introduced canonical_repository_root for #706) BLOCKERS: None for review. Commissioning of the four mcp-control-plane namespace profiles remains gated on #741 plus merge of #740 and a subsequent daemon restart, as recorded in #741. VALIDATION: New tests 31 passed with 31 subtests, red before the fix at 13 failed / 20 passed. Targeted regression across #706, #706-F1, #714, #733, parity, delete-branch capability, namespace binding, and workspace-guard alignment: 120 passed, 36 subtests. Full suite on the PR head 3298 passed, 6 skipped, 271 subtests; clean baseline a8d2087 3267 passed, 6 skipped, 240 subtests. The two failures, test_issue_702_review_findings_f1_f6::test_removed_worktree_recovers_before_probe and test_reconciler_supersession_close::test_tool_posts_comment_and_closes_superseded_pr_issue, reproduce identically on unmodified a8d2087. git diff --check reports no whitespace errors. LAST_UPDATED_BY: jcwalker3 / prgs-author
Owner

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #740
issue: #739
reviewer_identity: sysadmin
profile: prgs-reviewer
session_id: 96831-394b583efa4b
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/review-pr-740-grok
phase: claimed
candidate_head: 15a8a76e99
target_branch: master
target_branch_sha: a8d2087b4a
last_activity: 2026-07-18T08:13:10Z
expires_at: 2026-07-18T10:13:10Z
blocker: none

<!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #740 issue: #739 reviewer_identity: sysadmin profile: prgs-reviewer session_id: 96831-394b583efa4b worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/review-pr-740-grok phase: claimed candidate_head: 15a8a76e999729cbbd3a27f9339d8f682f67793d target_branch: master target_branch_sha: a8d2087b4af3ae143b839c5c0c821e2a3ca7fd4f last_activity: 2026-07-18T08:13:10Z expires_at: 2026-07-18T10:13:10Z blocker: none
Owner

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #740
issue: #739
reviewer_identity: sysadmin
profile: prgs-reviewer
session_id: 96831-394b583efa4b
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/review-pr-740-grok
phase: validating
candidate_head: 15a8a76e99
target_branch: master
target_branch_sha: a8d2087b4a
last_activity: 2026-07-18T08:13:58Z
expires_at: 2026-07-18T10:13:58Z
blocker: none

<!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #740 issue: #739 reviewer_identity: sysadmin profile: prgs-reviewer session_id: 96831-394b583efa4b worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/review-pr-740-grok phase: validating candidate_head: 15a8a76e999729cbbd3a27f9339d8f682f67793d target_branch: master target_branch_sha: a8d2087b4af3ae143b839c5c0c821e2a3ca7fd4f last_activity: 2026-07-18T08:13:58Z expires_at: 2026-07-18T10:13:58Z blocker: none
sysadmin approved these changes 2026-07-18 03:16:46 -05:00
sysadmin left a comment
Owner

Independent Review — APPROVE PR #740

Pinned head: 15a8a76e999729cbbd3a27f9339d8f682f67793d
Base: master @ a8d2087b4af3ae143b839c5c0c821e2a3ca7fd4f
Author: jcwalker3 (reviewer sysadmin — not self-review)

Scope

Exactly three files (no credential/config/launcher/memory changes):

  • gitea_mcp_server.py
  • master_parity_gate.py
  • tests/test_cross_repo_canonical_consumption.py (31 new tests)

git diff --check clean. Secret sweep: only test env token names/placeholders and negative assertions.

#739 fixes verified

  1. F1 — gitea_get_runtime_context normalizes remote via _effective_remote before host/identity/session seed; cannot pin dadeschools on prgs first-call.
  2. F2 — _canonical_repository_slug for delete-branch + trusted session identity; unresolvable configured root fails closed; explicit coordinates cannot override wrong binding.
  3. F3 — server_implementation and target_repository labelled dimensions; existing server parity fields unchanged; missing/stale target refs not reported healthy.

#741 deferred scope

Issue #741 accurately owns remaining PROJECT_ROOT/_local_git_remote_url/_resolve/anti-stomp/merge/cleanup consumers; PR does not claim them fixed.

Validation (worktree branches/review-pr-740-grok @ 15a8a76)

  • 31 new tests: 31 passed, 31 subtests
  • Related #706/#714/#733/parity/delete-branch/namespace: 175 passed, 36 subtests
  • Full suite: 3298 passed, 6 skipped, 271 subtests
  • Same 2 failures reproduce on clean baseline a8d2087 (pre-merge baseline-proven)
  • git diff --check: clean

Mutation boundaries

  1. resolve task=acquire_reviewer_pr_lease → gitea_acquire_reviewer_pr_lease
  2. resolve task=review_pr → gitea_heartbeat_reviewer_pr_lease
  3. resolve task=review_pr → gitea_mark_final_review_decision + gitea_submit_pr_review(action=approve)

Decision: APPROVE. No merge. No cleanup.

Canonical PR State

STATE:
approved

WHO_IS_NEXT:
merger

NEXT_ACTION:
Separate merger session merges PR #740 only if live head remains 15a8a76e99.

NEXT_PROMPT:

Merge PR #740 for Scaled-Tech-Consulting/Gitea-Tools at head 15a8a76e999729cbbd3a27f9339d8f682f67793d (issue #739). Reviewer approved via native MCP. Use gitea-merger / prgs-merger. Re-pin live head, adopt or acquire merger lease, then MERGE PR 740 only if head unchanged. Do not re-review. Do not cleanup until post-merge workflow.

WHAT_HAPPENED:
Independent reviewer sysadmin/prgs-reviewer approved after full independent validation on detached worktree branches/review-pr-740-grok.

WHY:
F1/F2/F3 meet #739 acceptance criteria; tests green; scope limited to three files; #741 accurately defers remaining PROJECT_ROOT work.

ISSUE:
#739

BASE:
master

HEAD:
feat/issue-739-canonical-root-consumption

HEAD_SHA:
15a8a76e99

REVIEW_STATUS:
approved

MERGE_READY:
yes — approved at current head; merger must re-pin head before merge

BLOCKERS:
none

VALIDATION:
31 new + 175 related + full suite 3298 passed / 6 skipped; 2 baseline-proven failures on a8d2087; git diff --check clean

NATIVE_REVIEW_PROOF:
native MCP gitea_submit_pr_review approve via gitea-reviewer namespace; profile prgs-reviewer; identity sysadmin; expected_head_sha 15a8a76e999729cbbd3a27f9339d8f682f67793d; lease session 96831-394b583efa4b; worktree branches/review-pr-740-grok

LAST_UPDATED_BY:
sysadmin / prgs-reviewer / 2026-07-18


Review Metadata:

  • LLM-Agent-SHA: llm-008d0b511bec
  • LLM-Role: reviewer
  • Authenticated-Gitea-User: sysadmin
  • MCP-Profile: prgs-reviewer
  • Eligibility: passed

Workflow-load helper result:

  • workflow_source: skills/llm-project-workflow/workflows/review-merge-pr.md
  • workflow_hash: 263d0a6cb8a6
  • final_report_schema_hash: a7634e7b8689
  • boundary_status: clean
## Independent Review — APPROVE PR #740 Pinned head: `15a8a76e999729cbbd3a27f9339d8f682f67793d` Base: `master` @ `a8d2087b4af3ae143b839c5c0c821e2a3ca7fd4f` Author: jcwalker3 (reviewer sysadmin — not self-review) ### Scope Exactly three files (no credential/config/launcher/memory changes): - gitea_mcp_server.py - master_parity_gate.py - tests/test_cross_repo_canonical_consumption.py (31 new tests) git diff --check clean. Secret sweep: only test env token names/placeholders and negative assertions. ### #739 fixes verified 1. F1 — gitea_get_runtime_context normalizes remote via _effective_remote before host/identity/session seed; cannot pin dadeschools on prgs first-call. 2. F2 — _canonical_repository_slug for delete-branch + trusted session identity; unresolvable configured root fails closed; explicit coordinates cannot override wrong binding. 3. F3 — server_implementation and target_repository labelled dimensions; existing server parity fields unchanged; missing/stale target refs not reported healthy. ### #741 deferred scope Issue #741 accurately owns remaining PROJECT_ROOT/_local_git_remote_url/_resolve/anti-stomp/merge/cleanup consumers; PR does not claim them fixed. ### Validation (worktree branches/review-pr-740-grok @ 15a8a76) - 31 new tests: 31 passed, 31 subtests - Related #706/#714/#733/parity/delete-branch/namespace: 175 passed, 36 subtests - Full suite: 3298 passed, 6 skipped, 271 subtests - Same 2 failures reproduce on clean baseline a8d2087 (pre-merge baseline-proven) - git diff --check: clean ### Mutation boundaries 1. resolve task=acquire_reviewer_pr_lease → gitea_acquire_reviewer_pr_lease 2. resolve task=review_pr → gitea_heartbeat_reviewer_pr_lease 3. resolve task=review_pr → gitea_mark_final_review_decision + gitea_submit_pr_review(action=approve) Decision: APPROVE. No merge. No cleanup. ## Canonical PR State STATE: approved WHO_IS_NEXT: merger NEXT_ACTION: Separate merger session merges PR #740 only if live head remains 15a8a76e999729cbbd3a27f9339d8f682f67793d. NEXT_PROMPT: ```text Merge PR #740 for Scaled-Tech-Consulting/Gitea-Tools at head 15a8a76e999729cbbd3a27f9339d8f682f67793d (issue #739). Reviewer approved via native MCP. Use gitea-merger / prgs-merger. Re-pin live head, adopt or acquire merger lease, then MERGE PR 740 only if head unchanged. Do not re-review. Do not cleanup until post-merge workflow. ``` WHAT_HAPPENED: Independent reviewer sysadmin/prgs-reviewer approved after full independent validation on detached worktree branches/review-pr-740-grok. WHY: F1/F2/F3 meet #739 acceptance criteria; tests green; scope limited to three files; #741 accurately defers remaining PROJECT_ROOT work. ISSUE: #739 BASE: master HEAD: feat/issue-739-canonical-root-consumption HEAD_SHA: 15a8a76e999729cbbd3a27f9339d8f682f67793d REVIEW_STATUS: approved MERGE_READY: yes — approved at current head; merger must re-pin head before merge BLOCKERS: none VALIDATION: 31 new + 175 related + full suite 3298 passed / 6 skipped; 2 baseline-proven failures on a8d2087; git diff --check clean NATIVE_REVIEW_PROOF: native MCP gitea_submit_pr_review approve via gitea-reviewer namespace; profile prgs-reviewer; identity sysadmin; expected_head_sha 15a8a76e999729cbbd3a27f9339d8f682f67793d; lease session 96831-394b583efa4b; worktree branches/review-pr-740-grok LAST_UPDATED_BY: sysadmin / prgs-reviewer / 2026-07-18 --- Review Metadata: - LLM-Agent-SHA: llm-008d0b511bec - LLM-Role: reviewer - Authenticated-Gitea-User: sysadmin - MCP-Profile: prgs-reviewer - Eligibility: passed Workflow-load helper result: - workflow_source: skills/llm-project-workflow/workflows/review-merge-pr.md - workflow_hash: 263d0a6cb8a6 - final_report_schema_hash: a7634e7b8689 - boundary_status: clean
You are not authorized to merge this pull request.
This pull request can be merged automatically.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin feat/issue-739-canonical-root-consumption:feat/issue-739-canonical-root-consumption
git checkout feat/issue-739-canonical-root-consumption
Sign in to join this conversation.
No Reviewers
No labels
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#740