Harden author-run reporting and mutation capability proof per #183 #187
Labels
Clear labels
allocator
anti-stomp
architecture
bug
chore
codex
concurrency
contamination
control-plane
dashboard
database
design
documentation
enhancement
gitea
glitchtip
important
incident
incident-bridge
integration
jenkins
labels
leases
mcp
mcp-health
mcp-menu
multi-project
mutating
nice-to-have
observability
portability
preflight
protected-branch
queue
read-only
reconnect
recovery
refactor
release
reliability
resumable-review
reviewer
roadmap
safety
security
self-hosted
sentry
stale-runtime
status:blocked
status:in-progress
status:pr-open
status:ready
terminal-lock
testing
tracker
type:bug
type:feature
type:feature
type:guardrail
visibility
workflow
workflow-hardening
workflow-hardening
Controller-owned work allocator
Prevent concurrent LLM session stomping
Architecture / structural design
OpenAI Codex client / workflow session surface
Concurrent session safety
Workflow or session contamination incident
MCP control-plane coordination and allocation authority
MCP operational dashboard/queue view
Internal coordination storage (SQLite/Postgres)
Design / investigation, no implementation
Docs / runbooks
New feature or improvement
Gitea MCP workflow
GlitchTip integration
Operational or process incident requiring durable audit trail
Sentry-to-Gitea incident bridging
Integration testing
Jenkins integration
Label taxonomy management
Lease adopt/release/expire lifecycle
MCP server / tooling
MCP namespace and runtime health
MCP menu surface
Work spanning multiple monitoring projects or Gitea repos
Mutating action; requires gating
Observability, metrics, traces, error reporting
Cross-platform / portability
Shared preflight gates before mutation
Protected branch / stable-branch policy concern
Work queue visibility and allocation
Read-only, no mutation
MCP client reconnect/reload recovery path
Recovery paths for stale/foreign leases
Code refactor / restructure
Release / versioning
Reliability / failure handling
Persist and resume prepared review verdicts across sessions
Reviewer workflow tooling
Roadmap / umbrella issue
Safety rails and fail-closed mutation guards
Security / trust boundary
Self-hosted infrastructure integration
Sentry error monitoring integration
Stale backend daemon / runtime-vs-master parity failures
Issue is blocked
Issue is being worked on
Issue has an open pull request
Issue is ready for work
Terminal review lock (#332) path
Tests / test coverage
Issue tracker hygiene / meta
Bug or defect
Feature or enhancement
Feature or enhancement
Safety gate or guardrail
Workflow state visibility for LLMs/operators
Cross-tool workflow
LLM workflow coordination hardening
LLM workflow coordination hardening
No labels
Milestone
No items
No Milestone
Projects
Clear projects
No projects
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Scaled-Tech-Consulting/Gitea-Tools#187
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Implements Gitea-Tools Issue #183:
mark_issueto capability map (TASK_MAPingitea_resolve_task_capability) so exact capability proof is resolved for issue claims.assess_controller_handoffand integrated intobuild_final_report(downgrades missing or incomplete handoff).assess_capability_proof,assess_secret_sweep, andassess_author_pr_reportproof helpers toreview_proofs.pyto evaluate capability resolution, exact secret sweep, and author PR reports.tests/test_review_proofs.py(TestAuthorReporting, TestValidationReporting stdout-capture, and TestFinalReport capability/sweep downgrades) covering all harness assertions from the issue.skills/llm-project-workflow/SKILL.mdandskills/llm-project-workflow/templates/review-pr.mdto require exact-titled Controller Handoff, exact sweep command/method, and PR head SHA in reports.All validation checks passed successfully. Scoped to author profile. No review/merge/manual issue close was performed.
Validation
python3 -m py_compile review_proofs.py tests/test_review_proofs.py-> Passed./venv/bin/python -m pytest tests/test_review_proofs.py -q --tb=no-> Passed (56 passed)./venv/bin/python -m pytest tests/test_review_proofs.py tests/test_pr_queue_inventory.py -q --tb=no-> Passed (72 passed)PYTHONPATH=. ./venv/bin/pytest tests/ --ignore=branches -vv -s-> Passed (696 passed, 6 skipped)git diff --check prgs/master...HEAD-> Passed (clean)Secret/Provenance Sweep
git diff prgs/master...HEAD | grep -iE 'token|secret|password|key|credential|http' || trueCloses #183
dfcbca7355tocbaed49761Review decision: REQUEST_CHANGES
Pinned head:
cbaed497616769895b435cc8e040a2069d31f081Reviewer:
sysadmin / prgs-reviewerTarget repo:
Scaled-Tech-Consulting/Gitea-ToolsValidation run on the pinned checkout:
/Users/jasonwalker/Development/Gitea-Tools/venv/bin/python -m pytest tests/test_review_proofs.py tests/test_resolve_task_capability.py tests/test_mcp_server.py -q --tb=short->223 passed in 0.48s/Users/jasonwalker/Development/Gitea-Tools/venv/bin/python -m pytest tests/ --ignore=branches -q --tb=short->744 passed, 6 skipped in 7.13spython3 -m py_compile $(git ls-files '*.py')-> passedgit diff --check refs/remotes/prgs/master...HEAD-> cleangit diff refs/remotes/prgs/master...HEAD | grep -inE 'password|token|secret|api[_-]?key|authorization|bearer|BEGIN (RSA|EC|OPENSSH)|https?://' || true-> only intentional proof-helper/test strings, no credential values or production endpoints.Blocker:
mark_issueis added toTASK_MAP, but it is mapped togitea.issue.write. The active configured author capabilities used by this workflow are concrete operations such asgitea.issue.comment,gitea.issue.create, andgitea.issue.close;gitea.issue.writeis not one of the proven allowed operations. That meansmark_issuestill does not provide the exact allowed capability proof that #183 requires for issue claims. Please map it to an actually allowed, normalized operation for the claim/label mutation, or update the configured operation model and tests sogitea_resolve_task_capability(task='mark_issue')proves allowed underprgs-authorrather than just being present in the task map.No merge attempted.
cbaed49761toce8df2f49eAuthor update — ready for re-review
Identity:
jcwalker3 / prgs-authorNew head SHA:
ce8df2f49ea2a78ad695ea46d66333d0da01c3e5Base: current
prgs/master(5b9fcae)Blockers addressed
mark_issue/claim_issuenow map togitea.issue.comment(notgitea.issue.write), sogitea_resolve_task_capability(task='mark_issue')proves allowed underprgs-author.test_resolve_mark_issue_author_profile_allowed.master; merged author-reporting changes with master's #179 proof params inbuild_final_report.Validation
pytest tests/test_review_proofs.py tests/test_resolve_task_capability.py -qpytest -qpython3 -m py_compile(changed files)git diff --check prgs/master...HEADBranch is mergeable. Prior
REQUEST_CHANGESwas pinned tocbaed497; please re-review at the new head.ce8df2f49eto5229dedb03Approved! Harden author run reporting and mutation capability proof gates resolved and tests passing cleanly.