Accept acquired merger-lease provenance and add owner finalization #742

Closed
opened 2026-07-18 08:23:36 -05:00 by jcwalker3 · 0 comments
Owner

Problem

A merger session that obtains lease proof through the sanctioned native tool gitea_acquire_merger_pr_lease (added for #718 by PR #725) is then rejected by the merge authorization gate as holding an unsanctioned lease. The merger therefore cannot merge with the very lease the merger-native path just issued, and it has no way to terminally finalize that lease when the merge does not happen.

Confirmed production failure

PR #740 acquired a native merger lease:

  • session 33780-7168cbeeba58
  • marker comment 12354
  • provenance source gitea_acquire_merger_pr_lease

gitea_merge_pr then refused the merge, reporting the acquired lease as lacking sanctioned provenance. No merge or workaround was performed; the lease is being left to expire naturally.

Code-backed root cause

  1. merger_lease_adoption.SANCTIONED_PROVENANCE_SOURCES contains SOURCE_ACQUIRE_MERGER (merger_lease_adoption.py:24-29), so the membership check at merger_lease_adoption.py:128 passes.
  2. is_sanctioned_session_lease() then branches only for SOURCE_ADOPT and for {SOURCE_ACQUIRE, SOURCE_HEARTBEAT} and falls through to return False for SOURCE_ACQUIRE_MERGER (merger_lease_adoption.py:130-136).
  3. reviewer_pr_lease.assess_mutation_lease_gate() calls that predicate and appends the "in-session lease lacks sanctioned provenance; manual _SESSION_LEASE seeding is not canonical proof" reason (reviewer_pr_lease.py:624-629), which gitea_merge_pr consumes through _reviewer_pr_lease_gate and fails closed on.
  4. describe_session_lease_proof() has no branch for SOURCE_ACQUIRE_MERGER (merger_lease_adoption.py:168-179), so a correctly acquired merger lease is reported as lease_proof_kind="unsanctioned", which is factually wrong in merge reports and audits.
  5. There is no merger-role owner-session release or abandonment operation. gitea_release_reviewer_pr_lease is a reviewer-role path (task="review_pr") and must not be repurposed for merger sessions. A failed merger lease therefore has no terminal finalization and can only expire.

Expected behavior

A. Acquired merger provenance

  • A lease whose provenance source is gitea_acquire_merger_pr_lease is recognized as sanctioned, but only when every expected integrity check passes: exact session ownership, merger profile/role, repository, PR number, candidate head, comment marker, and holder identity.
  • describe_session_lease_proof() reports an explicit sanctioned acquired-merger kind.
  • gitea_merge_pr accepts a valid freshly acquired merger lease.
  • Manually seeded, forged, incomplete, mismatched, and unknown-provenance leases continue to fail closed.
  • Reviewer-acquire, reviewer-heartbeat, and merger-adoption paths are unchanged.

B. Merger owner-session finalization

Add a sanctioned native operation that lets a merger terminally release or abandon its own comment-backed merger lease when the merge does not occur. It must:

  • be merger-role only, with an explicit capability-map task and required permission;
  • verify exact session ownership and reject foreign-session release;
  • verify repository, PR, candidate head, profile, identity, marker, and token fingerprint;
  • append a terminal released/abandoned marker and never edit or delete ledger history;
  • reject reviewer-profile use;
  • be idempotent for an already-terminal lease;
  • preserve the PR, its approval, the decision lock, the branch, and the worktree;
  • give non-retryable merge failures a documented safe finalization path.

gitea_release_reviewer_pr_lease must not be repurposed for merger sessions.

Acceptance criteria

  1. Acquired merger provenance is sanctioned when all integrity checks pass.
  2. Its proof description is explicit and correct.
  3. A valid acquired merger lease passes the merge authorization gate.
  4. Manual _SESSION_LEASE seeding remains rejected.
  5. Unknown provenance remains rejected.
  6. Profile, role, session, head, and repository mismatches fail closed.
  7. A merger can terminally release its own acquired lease.
  8. A merger cannot release another session's lease.
  9. A reviewer cannot invoke merger release.
  10. Terminal finalization is append-only and idempotent.
  11. A failed merge followed by owner finalization leaves no active lease.
  12. Existing adoption and reviewer-lease behavior does not regress.

References

  • PR #740 (evidence only; not to be mutated by this work)
  • #718 — merger lease acquisition path
  • #725 — PR that added gitea_acquire_merger_pr_lease
  • #535 / #536 / #537 — sanctioned lease provenance and adoption model
  • #601 — canonical adopt/release/expire/abandon lease lifecycle
## Problem A merger session that obtains lease proof through the sanctioned native tool `gitea_acquire_merger_pr_lease` (added for #718 by PR #725) is then rejected by the merge authorization gate as holding an *unsanctioned* lease. The merger therefore cannot merge with the very lease the merger-native path just issued, and it has no way to terminally finalize that lease when the merge does not happen. ### Confirmed production failure PR #740 acquired a native merger lease: * session `33780-7168cbeeba58` * marker comment `12354` * provenance source `gitea_acquire_merger_pr_lease` `gitea_merge_pr` then refused the merge, reporting the acquired lease as lacking sanctioned provenance. No merge or workaround was performed; the lease is being left to expire naturally. ### Code-backed root cause 1. `merger_lease_adoption.SANCTIONED_PROVENANCE_SOURCES` contains `SOURCE_ACQUIRE_MERGER` (`merger_lease_adoption.py:24-29`), so the membership check at `merger_lease_adoption.py:128` passes. 2. `is_sanctioned_session_lease()` then branches only for `SOURCE_ADOPT` and for `{SOURCE_ACQUIRE, SOURCE_HEARTBEAT}` and falls through to `return False` for `SOURCE_ACQUIRE_MERGER` (`merger_lease_adoption.py:130-136`). 3. `reviewer_pr_lease.assess_mutation_lease_gate()` calls that predicate and appends the "in-session lease lacks sanctioned provenance; manual `_SESSION_LEASE` seeding is not canonical proof" reason (`reviewer_pr_lease.py:624-629`), which `gitea_merge_pr` consumes through `_reviewer_pr_lease_gate` and fails closed on. 4. `describe_session_lease_proof()` has no branch for `SOURCE_ACQUIRE_MERGER` (`merger_lease_adoption.py:168-179`), so a correctly acquired merger lease is reported as `lease_proof_kind="unsanctioned"`, which is factually wrong in merge reports and audits. 5. There is no merger-role owner-session release or abandonment operation. `gitea_release_reviewer_pr_lease` is a reviewer-role path (`task="review_pr"`) and must not be repurposed for merger sessions. A failed merger lease therefore has no terminal finalization and can only expire. ## Expected behavior ### A. Acquired merger provenance * A lease whose provenance source is `gitea_acquire_merger_pr_lease` is recognized as sanctioned, but only when every expected integrity check passes: exact session ownership, merger profile/role, repository, PR number, candidate head, comment marker, and holder identity. * `describe_session_lease_proof()` reports an explicit sanctioned acquired-merger kind. * `gitea_merge_pr` accepts a valid freshly acquired merger lease. * Manually seeded, forged, incomplete, mismatched, and unknown-provenance leases continue to fail closed. * Reviewer-acquire, reviewer-heartbeat, and merger-adoption paths are unchanged. ### B. Merger owner-session finalization Add a sanctioned native operation that lets a merger terminally release or abandon its own comment-backed merger lease when the merge does not occur. It must: * be merger-role only, with an explicit capability-map task and required permission; * verify exact session ownership and reject foreign-session release; * verify repository, PR, candidate head, profile, identity, marker, and token fingerprint; * append a terminal released/abandoned marker and never edit or delete ledger history; * reject reviewer-profile use; * be idempotent for an already-terminal lease; * preserve the PR, its approval, the decision lock, the branch, and the worktree; * give non-retryable merge failures a documented safe finalization path. `gitea_release_reviewer_pr_lease` must not be repurposed for merger sessions. ## Acceptance criteria 1. Acquired merger provenance is sanctioned when all integrity checks pass. 2. Its proof description is explicit and correct. 3. A valid acquired merger lease passes the merge authorization gate. 4. Manual `_SESSION_LEASE` seeding remains rejected. 5. Unknown provenance remains rejected. 6. Profile, role, session, head, and repository mismatches fail closed. 7. A merger can terminally release its own acquired lease. 8. A merger cannot release another session's lease. 9. A reviewer cannot invoke merger release. 10. Terminal finalization is append-only and idempotent. 11. A failed merge followed by owner finalization leaves no active lease. 12. Existing adoption and reviewer-lease behavior does not regress. ## References * PR #740 (evidence only; not to be mutated by this work) * #718 — merger lease acquisition path * #725 — PR that added `gitea_acquire_merger_pr_lease` * #535 / #536 / #537 — sanctioned lease provenance and adoption model * #601 — canonical adopt/release/expire/abandon lease lifecycle
jcwalker3 added the status:readytype:bug labels 2026-07-18 08:23:37 -05:00
jcwalker3 added status:pr-open and removed status:ready labels 2026-07-18 08:37:59 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#742