feat(mcp): immutable canonical_repository_root for cross-repo namespaces (Closes #706) #736

Merged
sysadmin merged 3 commits from feat/issue-706-canonical-repository-root into master 2026-07-18 01:36:03 -05:00
Owner

The MCP server derived the canonical repository root from the install
checkout the server script lives in (PROJECT_ROOT), so any namespace that
ran the server against an external repository (e.g. eagenda-author, or the
mcp-control-plane reviewer/merger namespaces) failed every mutation: the
branches-only / worktree-membership guards (#274) compared the task
workspace against the Gitea-Tools .git directory it can never belong to.

Separate the two concepts:

  • PROJECT_ROOT stays the immutable code/install root.
  • A new, optional, namespace-scoped canonical_repository_root binds the
    session to the working root of the target repository.

Implementation:

  • canonical_repository_root.py: resolve the binding from profile/env
    (GITEA_CANONICAL_REPOSITORY_ROOT overrides the profile field), validate
    existence + git identity, fail closed on missing/conflicting/forged
    bindings. Preserves the single-repo default when unconfigured.
  • session_context_binding.py: pin canonical_repository_root into the
    immutable #714 session context; drift fails closed.
  • namespace_workspace_binding.py: route the configured target root through
    resolve_namespace_mutation_context so #274 / membership guards evaluate
    against the target repository.
  • gitea_mcp_server.py: seed + enforce the binding in the mutation preflight
    (both purity-order and FORCE_PRODUCTION_GUARDS paths); validate repository
    identity and git common-directory membership.
  • gitea_config.py: validate the optional absolute-path profile field.
  • gitea_auth.py: surface the config-sourced field through get_profile.

No weakening of root-checkout, remote/repository, or anti-stomp guards; the
single-repo Gitea-Tools path is unchanged.

Tests: two distinct real git repositories/worktrees prove cross-repository
bindings resolve, enforce membership, and fail closed on forged/conflicting
identity and simultaneous prgs/mdcps isolation.

Co-Authored-By: Claude Opus 4.8 (1M context) [email protected]

Description

[Summary of changes and issue number closed.]

Closes #[Issue Number]

Checklist

  • I have verified my identity matches the required role.
  • No secrets, tokens, keychain IDs, or raw service URLs are committed.
  • All tests pass for touched code.
  • git diff --check is clean.

Documentation and Wiki

  • Does this change require a wiki update (workflows, tools, profiles, runbooks)?
  • If yes, has docs/wiki/ been updated accordingly?
  • If wiki pages changed, plan the Gitea Wiki sync after merge (scripts/sync-gitea-wiki.sh, see Runbooks).
  • Readiness gate (#224): the Gitea Wiki is populated and current for this repo — verify the repo Wiki tab, not docs/wiki/. If stale or empty, record the required sync as a follow-up before approval.
  • If this PR closes a wiki-related issue: closure requires live Gitea Wiki proof links (Wiki Home plus page listing or wiki git log). Markdown in docs/wiki/, sync-helper code, or policy docs alone are not sufficient to close a wiki issue.
The MCP server derived the canonical repository root from the install checkout the server script lives in (PROJECT_ROOT), so any namespace that ran the server against an external repository (e.g. eagenda-author, or the mcp-control-plane reviewer/merger namespaces) failed every mutation: the branches-only / worktree-membership guards (#274) compared the task workspace against the Gitea-Tools .git directory it can never belong to. Separate the two concepts: - PROJECT_ROOT stays the immutable code/install root. - A new, optional, namespace-scoped canonical_repository_root binds the session to the working root of the target repository. Implementation: - canonical_repository_root.py: resolve the binding from profile/env (GITEA_CANONICAL_REPOSITORY_ROOT overrides the profile field), validate existence + git identity, fail closed on missing/conflicting/forged bindings. Preserves the single-repo default when unconfigured. - session_context_binding.py: pin canonical_repository_root into the immutable #714 session context; drift fails closed. - namespace_workspace_binding.py: route the configured target root through resolve_namespace_mutation_context so #274 / membership guards evaluate against the target repository. - gitea_mcp_server.py: seed + enforce the binding in the mutation preflight (both purity-order and FORCE_PRODUCTION_GUARDS paths); validate repository identity and git common-directory membership. - gitea_config.py: validate the optional absolute-path profile field. - gitea_auth.py: surface the config-sourced field through get_profile. No weakening of root-checkout, remote/repository, or anti-stomp guards; the single-repo Gitea-Tools path is unchanged. Tests: two distinct real git repositories/worktrees prove cross-repository bindings resolve, enforce membership, and fail closed on forged/conflicting identity and simultaneous prgs/mdcps isolation. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> ## Description [Summary of changes and issue number closed.] Closes #[Issue Number] ## Checklist - [ ] I have verified my identity matches the required role. - [ ] No secrets, tokens, keychain IDs, or raw service URLs are committed. - [ ] All tests pass for touched code. - [ ] `git diff --check` is clean. ## Documentation and Wiki - [ ] Does this change require a wiki update (workflows, tools, profiles, runbooks)? - [ ] If yes, has `docs/wiki/` been updated accordingly? - [ ] If wiki pages changed, plan the Gitea Wiki sync after merge (`scripts/sync-gitea-wiki.sh`, see Runbooks). - [ ] Readiness gate (#224): the Gitea Wiki is populated and current for this repo — verify the repo **Wiki tab**, not `docs/wiki/`. If stale or empty, record the required sync as a follow-up before approval. - [ ] If this PR closes a wiki-related issue: closure requires live Gitea Wiki proof links (Wiki Home plus page listing or wiki git log). Markdown in `docs/wiki/`, sync-helper code, or policy docs alone are not sufficient to close a wiki issue.
jcwalker3 added 1 commit 2026-07-17 22:44:21 -05:00
The MCP server derived the canonical repository root from the install
checkout the server script lives in (PROJECT_ROOT), so any namespace that
ran the server against an external repository (e.g. eagenda-author, or the
mcp-control-plane reviewer/merger namespaces) failed every mutation: the
branches-only / worktree-membership guards (#274) compared the task
workspace against the Gitea-Tools .git directory it can never belong to.

Separate the two concepts:
- PROJECT_ROOT stays the immutable code/install root.
- A new, optional, namespace-scoped canonical_repository_root binds the
  session to the working root of the target repository.

Implementation:
- canonical_repository_root.py: resolve the binding from profile/env
  (GITEA_CANONICAL_REPOSITORY_ROOT overrides the profile field), validate
  existence + git identity, fail closed on missing/conflicting/forged
  bindings. Preserves the single-repo default when unconfigured.
- session_context_binding.py: pin canonical_repository_root into the
  immutable #714 session context; drift fails closed.
- namespace_workspace_binding.py: route the configured target root through
  resolve_namespace_mutation_context so #274 / membership guards evaluate
  against the target repository.
- gitea_mcp_server.py: seed + enforce the binding in the mutation preflight
  (both purity-order and FORCE_PRODUCTION_GUARDS paths); validate repository
  identity and git common-directory membership.
- gitea_config.py: validate the optional absolute-path profile field.
- gitea_auth.py: surface the config-sourced field through get_profile.

No weakening of root-checkout, remote/repository, or anti-stomp guards; the
single-repo Gitea-Tools path is unchanged.

Tests: two distinct real git repositories/worktrees prove cross-repository
bindings resolve, enforce membership, and fail closed on forged/conflicting
identity and simultaneous prgs/mdcps isolation.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
jcwalker3 added 1 commit 2026-07-17 23:12:59 -05:00
Owner

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #736
issue: #706
reviewer_identity: sysadmin
profile: prgs-reviewer
session_id: 47918-d43b10f82d64
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736
phase: claimed
candidate_head: 6a0d7bbef4
target_branch: master
target_branch_sha: 29d96c8946
last_activity: 2026-07-18T04:28:25Z
expires_at: 2026-07-18T06:28:25Z
blocker: none

<!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #736 issue: #706 reviewer_identity: sysadmin profile: prgs-reviewer session_id: 47918-d43b10f82d64 worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736 phase: claimed candidate_head: 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1 target_branch: master target_branch_sha: 29d96c8946689be2fc9a55d296e4383a3aa03c4f last_activity: 2026-07-18T04:28:25Z expires_at: 2026-07-18T06:28:25Z blocker: none
sysadmin approved these changes 2026-07-17 23:33:08 -05:00
Dismissed
sysadmin left a comment
Owner

Reviewer verdict: APPROVE — PR #736 (Closes #706) @ 6a0d7bb

Fresh independent review at exact head 6a0d7bbef4 against live master 29d96c8946. Every Issue #706 acceptance criterion passes. Scope clean (7 files), no secrets, whitespace clean, merge coherent with #737.

Head delta (0d8a2c2 -> 6a0d7bb)

6a0d7bb is a single merge commit "Merge branch 'master' into feat/issue-706-canonical-repository-root". Author synced the feature branch with current master after PR #737 (Closes #735) landed. Net PR contribution vs master unchanged (original 7-file #706 scope); incremental delta 0d8a2c2..6a0d7bb is exactly master's #737 org/repo-forwarding content merged in. No new feature scope, no unrelated files. commits_behind=0.

Acceptance criteria (#706)

  1. Separate immutable PROJECT_ROOT vs namespace canonical repo root — canonical_repository_root.py; PROJECT_ROOT unchanged. PASS
  2. Namespace-scoped binding (env/profile) — GITEA_CANONICAL_REPOSITORY_ROOT overrides profile field; gitea_config validates absolute path; gitea_auth surfaces it. PASS
  3. Validate workspace belongs to target repo — repository_identity_slug vs expected_slug. PASS
  4. Enforce branches-only guard inside target repo — configured root threaded into resolve_namespace_mutation_context; _enforce_canonical_repository_root wired into verify_preflight_purity in BOTH purity-order and FORCE_PRODUCTION_GUARDS paths (#683). PASS
  5. Fail closed on missing/conflicting/forged — assess blocks on absent(require)/non-dir/non-git/identity-mismatch; immutable session pin + drift block. PASS
  6. Simultaneous prgs/mdcps isolation — covered by focused tests. PASS
  7. Regression tests, two distinct repos/worktrees — tests/test_issue_706_canonical_repository_root.py, 26 tests. PASS
  8. No weakening of root-checkout/remote/anti-stomp — single-repo default path unchanged; guards additive. PASS

Tests

  • Focused #706: venv/bin/pytest tests/test_issue_706_canonical_repository_root.py -> 26 passed.
  • #737 forwarding regression: tests/test_preflight_workspace_repo_forwarding.py -> 10 passed, 20 subtests.
  • Full suite: 3257 passed, 6 skipped, 2 failed, 240 subtests.
  • The 2 failures (test_issue_702_review_findings_f1_f6::TestF1RecoveryBeforeTerminalProbe::test_removed_worktree_recovers_before_probe; test_reconciler_supersession_close::TestReconcilerSupersessionMcpTool::test_tool_posts_comment_and_closes_superseded_pr_issue) are PRE-EXISTING on clean master 29d96c8: reproduced identically in the control checkout with zero #706 changes. Cause = #737 test-drift (assert verify_preflight_purity without org/repo; actual now forwards org/repo). Not attributable to #706. Recommend a follow-up #737 test-maintenance issue.
  • git diff --check: clean. Secret scan of net diff: clean.

Mergeability / checks (current)

  • open, mergeable=true, has_conflicts=false, commits_behind=0, base 29d96c8.
  • checks_status: pending.
  • No foreign reviewer/merger lease; no quarantine.

Canonical PR State

STATE: REVIEW_COMPLETE_APPROVE
WHO_IS_NEXT: MERGER
NEXT_ACTION: Merge PR #736 at exact head 6a0d7bbef4 via prgs-merger once required checks pass.
NEXT_PROMPT:

Merge Gitea-Tools PR #736 (Issue #706) via prgs-merger. Remote prgs, Scaled-Tech-Consulting/Gitea-Tools. Exact authorized head 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1, base master 29d96c8946689be2fc9a55d296e4383a3aa03c4f. Current APPROVE verified at that head. Verify sysadmin/prgs-merger identity+binding, head unchanged, approval-at-head, checks passed (bounded native poll), conflict-free, identity separation, parity. Acquire merger lease via contiguous whoami->resolve(merge_pr)->merge. If head changes, do not merge.

WHAT_HAPPENED: Fresh reviewer review at head 6a0d7bb produced an APPROVE verdict. All eight #706 acceptance criteria pass; focused tests 26 passed. Two full-suite failures are pre-existing on clean master 29d96c8 (reproduced identically), caused by #737 test-drift, unrelated to #706.
WHY: Every acceptance criterion is satisfied at the exact head against current master; scope is limited to the 7 #706 files; the head advance is a benign master-sync merge coherent with #737; no secrets, no whitespace defects, no regressions attributable to this PR.
ISSUE: #706
HEAD_SHA: 6a0d7bbef4
REVIEW_STATUS: APPROVE
MERGE_READY: true (checks_status pending — bounded native poll required before merge)
BLOCKERS: none
VALIDATION: focused #706 26 passed; forwarding regression 10 passed/20 subtests; full suite 3257 passed/6 skipped/2 pre-existing-master failures/240 subtests; git diff --check clean; secret scan clean.
LAST_UPDATED_BY: sysadmin / prgs-reviewer

[THREAD STATE LEDGER]

NATIVE_REVIEW_PROOF: native_mcp_transport=true; entrypoint=mcp_server; pid=47918; profile=prgs-reviewer; identity=sysadmin; workflow_source=skills/llm-project-workflow/workflows/review-merge-pr.md; workflow_hash=263d0a6cb8a6; final_report_schema_hash=a7634e7b8689; reviewed_head=6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1

## Reviewer verdict: APPROVE — PR #736 (Closes #706) @ 6a0d7bb Fresh independent review at exact head 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1 against live master 29d96c8946689be2fc9a55d296e4383a3aa03c4f. Every Issue #706 acceptance criterion passes. Scope clean (7 files), no secrets, whitespace clean, merge coherent with #737. ### Head delta (0d8a2c2 -> 6a0d7bb) 6a0d7bb is a single merge commit "Merge branch 'master' into feat/issue-706-canonical-repository-root". Author synced the feature branch with current master after PR #737 (Closes #735) landed. Net PR contribution vs master unchanged (original 7-file #706 scope); incremental delta 0d8a2c2..6a0d7bb is exactly master's #737 org/repo-forwarding content merged in. No new feature scope, no unrelated files. commits_behind=0. ### Acceptance criteria (#706) 1. Separate immutable PROJECT_ROOT vs namespace canonical repo root — canonical_repository_root.py; PROJECT_ROOT unchanged. PASS 2. Namespace-scoped binding (env/profile) — GITEA_CANONICAL_REPOSITORY_ROOT overrides profile field; gitea_config validates absolute path; gitea_auth surfaces it. PASS 3. Validate workspace belongs to target repo — repository_identity_slug vs expected_slug. PASS 4. Enforce branches-only guard inside target repo — configured root threaded into resolve_namespace_mutation_context; _enforce_canonical_repository_root wired into verify_preflight_purity in BOTH purity-order and FORCE_PRODUCTION_GUARDS paths (#683). PASS 5. Fail closed on missing/conflicting/forged — assess blocks on absent(require)/non-dir/non-git/identity-mismatch; immutable session pin + drift block. PASS 6. Simultaneous prgs/mdcps isolation — covered by focused tests. PASS 7. Regression tests, two distinct repos/worktrees — tests/test_issue_706_canonical_repository_root.py, 26 tests. PASS 8. No weakening of root-checkout/remote/anti-stomp — single-repo default path unchanged; guards additive. PASS ### Tests - Focused #706: venv/bin/pytest tests/test_issue_706_canonical_repository_root.py -> 26 passed. - #737 forwarding regression: tests/test_preflight_workspace_repo_forwarding.py -> 10 passed, 20 subtests. - Full suite: 3257 passed, 6 skipped, 2 failed, 240 subtests. - The 2 failures (test_issue_702_review_findings_f1_f6::TestF1RecoveryBeforeTerminalProbe::test_removed_worktree_recovers_before_probe; test_reconciler_supersession_close::TestReconcilerSupersessionMcpTool::test_tool_posts_comment_and_closes_superseded_pr_issue) are PRE-EXISTING on clean master 29d96c8: reproduced identically in the control checkout with zero #706 changes. Cause = #737 test-drift (assert verify_preflight_purity without org/repo; actual now forwards org/repo). Not attributable to #706. Recommend a follow-up #737 test-maintenance issue. - git diff --check: clean. Secret scan of net diff: clean. ### Mergeability / checks (current) - open, mergeable=true, has_conflicts=false, commits_behind=0, base 29d96c8. - checks_status: pending. - No foreign reviewer/merger lease; no quarantine. ## Canonical PR State STATE: REVIEW_COMPLETE_APPROVE WHO_IS_NEXT: MERGER NEXT_ACTION: Merge PR #736 at exact head 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1 via prgs-merger once required checks pass. NEXT_PROMPT: ```text Merge Gitea-Tools PR #736 (Issue #706) via prgs-merger. Remote prgs, Scaled-Tech-Consulting/Gitea-Tools. Exact authorized head 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1, base master 29d96c8946689be2fc9a55d296e4383a3aa03c4f. Current APPROVE verified at that head. Verify sysadmin/prgs-merger identity+binding, head unchanged, approval-at-head, checks passed (bounded native poll), conflict-free, identity separation, parity. Acquire merger lease via contiguous whoami->resolve(merge_pr)->merge. If head changes, do not merge. ``` WHAT_HAPPENED: Fresh reviewer review at head 6a0d7bb produced an APPROVE verdict. All eight #706 acceptance criteria pass; focused tests 26 passed. Two full-suite failures are pre-existing on clean master 29d96c8 (reproduced identically), caused by #737 test-drift, unrelated to #706. WHY: Every acceptance criterion is satisfied at the exact head against current master; scope is limited to the 7 #706 files; the head advance is a benign master-sync merge coherent with #737; no secrets, no whitespace defects, no regressions attributable to this PR. ISSUE: #706 HEAD_SHA: 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1 REVIEW_STATUS: APPROVE MERGE_READY: true (checks_status pending — bounded native poll required before merge) BLOCKERS: none VALIDATION: focused #706 26 passed; forwarding regression 10 passed/20 subtests; full suite 3257 passed/6 skipped/2 pre-existing-master failures/240 subtests; git diff --check clean; secret scan clean. LAST_UPDATED_BY: sysadmin / prgs-reviewer [THREAD STATE LEDGER] - WHO_IS_NEXT: MERGER - PR: #736 - ISSUE: #706 - REVIEWED_HEAD: 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1 - BASE_MASTER: 29d96c8946689be2fc9a55d296e4383a3aa03c4f - REVIEW_DECISION: APPROVE - MERGEABLE: true - CONFLICTS: none - CHECKS: pending - REVIEWER_LEASE: sysadmin session 47918-d43b10f82d64 comment 12264 - BLOCKERS: none (2 full-suite failures pre-existing on master, unrelated to #706) NATIVE_REVIEW_PROOF: native_mcp_transport=true; entrypoint=mcp_server; pid=47918; profile=prgs-reviewer; identity=sysadmin; workflow_source=skills/llm-project-workflow/workflows/review-merge-pr.md; workflow_hash=263d0a6cb8a6; final_report_schema_hash=a7634e7b8689; reviewed_head=6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1
Owner

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #736
issue: #706
reviewer_identity: sysadmin
profile: prgs-reviewer
session_id: 47918-d43b10f82d64
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736
phase: released
candidate_head: 6a0d7bbef4
target_branch: master
target_branch_sha: 29d96c8946
last_activity: 2026-07-18T04:35:32Z
expires_at: 2026-07-18T06:35:32Z
blocker: manual-release

<!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #736 issue: #706 reviewer_identity: sysadmin profile: prgs-reviewer session_id: 47918-d43b10f82d64 worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736 phase: released candidate_head: 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1 target_branch: master target_branch_sha: 29d96c8946689be2fc9a55d296e4383a3aa03c4f last_activity: 2026-07-18T04:35:32Z expires_at: 2026-07-18T06:35:32Z blocker: manual-release
Owner

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #736
issue: #706
reviewer_identity: sysadmin
profile: prgs-reviewer
session_id: 80223-2de2810eb28b
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736
phase: claimed
candidate_head: 6a0d7bbef4
target_branch: master
target_branch_sha: 29d96c8946
last_activity: 2026-07-18T04:48:26Z
expires_at: 2026-07-18T06:48:26Z
blocker: none

<!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #736 issue: #706 reviewer_identity: sysadmin profile: prgs-reviewer session_id: 80223-2de2810eb28b worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736 phase: claimed candidate_head: 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1 target_branch: master target_branch_sha: 29d96c8946689be2fc9a55d296e4383a3aa03c4f last_activity: 2026-07-18T04:48:26Z expires_at: 2026-07-18T06:48:26Z blocker: none
Owner

Review correction authorization audit (#693)

Status: AUTHORIZED

  • actor: sysadmin
  • profile: prgs-reviewer
  • timestamp: 2026-07-18T04:48:48.095846+00:00
  • prior_review_id: 456
  • prior_review_state: approve
  • target_pr: #736
  • target_head_sha: 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1
  • reason: Independent re-review of exact head 6a0d7bbe found a fail-closed identity gap: session org/repo is still seeded from install PROJECT_ROOT remote (Gitea-Tools) via _local_git_remote_url, while GITEA_CANONICAL_REPOSITORY_ROOT can bind filesystem membership to an external repo (e.g. mcp-control-plane). _enforce_canonical_repository_root then fails identity mismatch, so the stated cross-repo use case (mcp-control-plane reviewer/merger namespaces) remains blocked. Prior APPROVE must not stand; REQUEST_CHANGES required with integration fix + tests.
  • scope: same_pr_head_only (cannot unlock a different PR)

This is not a generic decision-lock unlock. Cross-PR recovery uses isolation (#693) or moot cleanup (#594), never correction.

## Review correction authorization audit (#693) Status: **AUTHORIZED** - actor: `sysadmin` - profile: `prgs-reviewer` - timestamp: `2026-07-18T04:48:48.095846+00:00` - prior_review_id: `456` - prior_review_state: `approve` - target_pr: `#736` - target_head_sha: `6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1` - reason: Independent re-review of exact head 6a0d7bbe found a fail-closed identity gap: session org/repo is still seeded from install PROJECT_ROOT remote (Gitea-Tools) via _local_git_remote_url, while GITEA_CANONICAL_REPOSITORY_ROOT can bind filesystem membership to an external repo (e.g. mcp-control-plane). _enforce_canonical_repository_root then fails identity mismatch, so the stated cross-repo use case (mcp-control-plane reviewer/merger namespaces) remains blocked. Prior APPROVE must not stand; REQUEST_CHANGES required with integration fix + tests. - scope: `same_pr_head_only` (cannot unlock a different PR) This is **not** a generic decision-lock unlock. Cross-PR recovery uses isolation (#693) or moot cleanup (#594), never correction.
sysadmin requested changes 2026-07-17 23:51:57 -05:00
Dismissed
sysadmin left a comment
Owner

Canonical PR State

STATE: changes_requested
WHO_IS_NEXT: author
NEXT_ACTION: Fix F1 seed session org/repo from validated configured canonical repository root allowlist-gated not install PROJECT_ROOT remote; add integration test; push new head; re-request independent review
NEXT_PROMPT:

Address REQUEST_CHANGES on Gitea-Tools PR #736 head 6a0d7bbe: when GITEA_CANONICAL_REPOSITORY_ROOT or profile canonical_repository_root is set, seed/authorize session org/repo from repository_identity_slug(configured_root) subject to allowed_repositories; keep PROJECT_ROOT as install root; add integration test install=Gitea-Tools plus target worktree under second real repo through seed and _enforce_canonical_repository_root; push new head and re-request independent review.

WHAT_HAPPENED: Independent review of PR #736 at exact head 6a0d7bbef4 found fail-closed end-to-end gap; filesystem membership can bind external repo while session identity remains install-derived so mutation preflight rejects stated cross-repo use case.
WHY: _local_git_remote_url uses cwd=PROJECT_ROOT; _seed_session_context pins Gitea-Tools; _enforce_canonical_repository_root expected_slug from that pin conflicts with configured target identity; reproduced block True identity mismatch.
ISSUE: #706
HEAD_SHA: 6a0d7bbef4
REVIEW_STATUS: changes_requested
MERGE_READY: no
BLOCKERS: F1 session identity still install-bound; missing integration test seed+enforce install!=target; prior APPROVE 456 corrected as mistaken
VALIDATION: pytest tests/test_issue_706_canonical_repository_root.py 26 passed; workspace regressions 85 passed; full suite 3257 passed 2 failed identical pre-existing on master; compileall exit 0
LAST_UPDATED_BY: sysadmin / prgs-reviewer

Technical findings

Strengths: PROJECT_ROOT remains install root; env overrides profile; path and git validation; #274 uses configured root; session path pin and drift; default single-repo preserved; unit tests strong.

Blocking F1: session repository remains install-derived while configured canonical root can be external; enforce fails closed on identity mismatch; stated mcp-control-plane and eagenda namespaces remain blocked end-to-end.

Required: seed authorize session org/repo from validated configured root identity allowlist-gated; integration test; prefer reviewer merger role coverage.

Verdict REQUEST_CHANGES. Do not merge until F1 fixed and re-reviewed on new head.

## Canonical PR State STATE: changes_requested WHO_IS_NEXT: author NEXT_ACTION: Fix F1 seed session org/repo from validated configured canonical repository root allowlist-gated not install PROJECT_ROOT remote; add integration test; push new head; re-request independent review NEXT_PROMPT: ```text Address REQUEST_CHANGES on Gitea-Tools PR #736 head 6a0d7bbe: when GITEA_CANONICAL_REPOSITORY_ROOT or profile canonical_repository_root is set, seed/authorize session org/repo from repository_identity_slug(configured_root) subject to allowed_repositories; keep PROJECT_ROOT as install root; add integration test install=Gitea-Tools plus target worktree under second real repo through seed and _enforce_canonical_repository_root; push new head and re-request independent review. ``` WHAT_HAPPENED: Independent review of PR #736 at exact head 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1 found fail-closed end-to-end gap; filesystem membership can bind external repo while session identity remains install-derived so mutation preflight rejects stated cross-repo use case. WHY: _local_git_remote_url uses cwd=PROJECT_ROOT; _seed_session_context pins Gitea-Tools; _enforce_canonical_repository_root expected_slug from that pin conflicts with configured target identity; reproduced block True identity mismatch. ISSUE: #706 HEAD_SHA: 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1 REVIEW_STATUS: changes_requested MERGE_READY: no BLOCKERS: F1 session identity still install-bound; missing integration test seed+enforce install!=target; prior APPROVE 456 corrected as mistaken VALIDATION: pytest tests/test_issue_706_canonical_repository_root.py 26 passed; workspace regressions 85 passed; full suite 3257 passed 2 failed identical pre-existing on master; compileall exit 0 LAST_UPDATED_BY: sysadmin / prgs-reviewer ## Technical findings Strengths: PROJECT_ROOT remains install root; env overrides profile; path and git validation; #274 uses configured root; session path pin and drift; default single-repo preserved; unit tests strong. Blocking F1: session repository remains install-derived while configured canonical root can be external; enforce fails closed on identity mismatch; stated mcp-control-plane and eagenda namespaces remain blocked end-to-end. Required: seed authorize session org/repo from validated configured root identity allowlist-gated; integration test; prefer reviewer merger role coverage. Verdict REQUEST_CHANGES. Do not merge until F1 fixed and re-reviewed on new head.
Owner

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #736
issue: #706
reviewer_identity: sysadmin
profile: prgs-reviewer
session_id: 80223-2de2810eb28b
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736
phase: released
candidate_head: 6a0d7bbef4
target_branch: master
target_branch_sha: 29d96c8946
last_activity: 2026-07-18T05:08:32Z
expires_at: 2026-07-18T07:08:32Z
blocker: manual-release

<!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #736 issue: #706 reviewer_identity: sysadmin profile: prgs-reviewer session_id: 80223-2de2810eb28b worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736 phase: released candidate_head: 6a0d7bbef44e7e39f2f147f741b8437bd2cfdaf1 target_branch: master target_branch_sha: 29d96c8946689be2fc9a55d296e4383a3aa03c4f last_activity: 2026-07-18T05:08:32Z expires_at: 2026-07-18T07:08:32Z blocker: manual-release
jcwalker3 added 1 commit 2026-07-18 00:32:21 -05:00
Addresses REQUEST_CHANGES review 457 on PR #736.

Root cause: _trusted_session_repository derived the session org/repository
solely from _workspace_repository_slug -> _local_git_remote_url, which runs
`git remote get-url` in PROJECT_ROOT (the Gitea-Tools install checkout). A
cross-repository namespace with a configured canonical_repository_root then
pinned the Gitea-Tools identity while #274 filesystem membership bound the
external target, so _enforce_canonical_repository_root failed closed on a
self-inflicted identity mismatch and the mcp-control-plane / eagenda
namespaces stayed blocked end-to-end.

Fix: when a canonical_repository_root is configured (env over profile) and
passes existence / git-toplevel / resolvable-remote-identity validation, the
session repository slug is derived from repository_identity_slug(configured
root) instead of the install remote. The derived identity is still authorized
by the profile allowed_repositories allowlist (never self-authorizing); the
canonical filesystem root and org/repo identity remain immutable for the
session; invalid / non-git / unresolvable / unallowlisted / forged / drift
cases fail closed; unconfigured single-repo Gitea-Tools namespaces keep the
install-derived slug unchanged.

Tests: new tests/test_issue_706_f1_seed_identity_integration.py drives the
real _seed_session_context -> _enforce_canonical_repository_root path with two
real temporary git repositories (install=Gitea-Tools, configured target=
mcp-control-plane): env + profile config, reviewer + merger role kinds, and
fail-closed cases (nonexistent / non-git / unallowlisted / forged identity
drift). Reproduces the F1 block before the fix; green after.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Author
Owner

Author remediation of REQUEST_CHANGES review 457 — PR #736 (Closes #706)

New head: 61c0d73cd1 (fast-forward from 6a0d7bb).

Response to review 457 (F1) — confirmed and fixed

Root cause exactly as 457 diagnosed: _trusted_session_repository derived the session org/repository from _workspace_repository_slug -> _local_git_remote_url, which runs git remote get-url in PROJECT_ROOT (the Gitea-Tools install checkout). A cross-repository namespace with a configured canonical_repository_root therefore pinned the Gitea-Tools identity while #274 filesystem membership bound the external target; _enforce_canonical_repository_root then derived expected_slug from that install-derived pin and failed closed on a self-inflicted identity mismatch, leaving the mcp-control-plane / eagenda namespaces blocked end-to-end.

Implementation (gitea_mcp_server.py, +37/-1)

In _trusted_session_repository: when a canonical_repository_root is configured (env GITEA_CANONICAL_REPOSITORY_ROOT over profile field) and passes existence / git-toplevel / resolvable-remote-identity checks, the session repository slug is now derived from repository_identity_slug(configured_root) instead of the install remote. The derived identity is still authorized by the profile allowed_repositories allowlist (never self-authorizing). Preserved: env-over-profile precedence; immutable canonical filesystem root; immutable session org/repo identity; mandatory allowlist enforcement; #274 filesystem membership; fail-closed on invalid / non-git / unresolvable / unallowlisted / forged / drift; no per-tool root or identity swapping; unchanged unconfigured single-repo Gitea-Tools behavior; author/reviewer/merger/reconciler separation. Identity comparison is not weakened and there is no mcp-control-plane special case.

Integration test (new: tests/test_issue_706_f1_seed_identity_integration.py)

Drives the REAL _seed_session_context -> _enforce_canonical_repository_root path (not the lower-level assess helper with a preselected slug) using two real temporary git repositories: install A = Gitea-Tools, configured target B = mcp-control-plane, with a target worktree under B. Coverage: session seed resolves B not A (env config + profile field); enforce accepts the B worktree for reviewer AND merger role kinds; env-over-profile precedence; fail-closed for nonexistent / non-git / unallowlisted / forged-identity-drift; unconfigured Gitea-Tools default unchanged. Reproduction proven: this test fails on the pre-fix code (5 failures — session pinned the install identity / null), and passes after the fix (10/10).

Verification results

  • New integration test: 10 passed.
  • Issue #706 (unit + new integration) + #737 forwarding regression: 46 passed / 20 subtests.
  • Session-context / workspace-binding / namespace / role-routing / membership regressions: 357 passed.
  • python -m py_compile: OK. git diff --check: clean. Secret scan of the diff: clean.
  • Full suite: 3267 passed, 6 skipped, 2 failed, 240 subtests. The 2 failures (test_issue_702_review_findings_f1_f6::TestF1RecoveryBeforeTerminalProbe::test_removed_worktree_recovers_before_probe; test_reconciler_supersession_close::TestReconcilerSupersessionMcpTool::test_tool_posts_comment_and_closes_superseded_pr_issue) are PRE-EXISTING on clean master 29d96c8 — reproduced identically on the control checkout with zero PR changes (#737 test-drift). These are the same two review 457 itself classified pre-existing.

Request

Requesting a completely fresh independent review at exact head 61c0d73. Do not reuse dismissed APPROVE 456. REQUEST_CHANGES 457 is superseded by this new head; I have not dismissed it.

Canonical Issue State

STATE: REMEDIATED_AWAITING_FRESH_REVIEW
WHO_IS_NEXT: REVIEWER
NEXT_ACTION: Fresh independent review of PR #736 at exact head 61c0d73cd1 against live master.
NEXT_PROMPT:

Review Gitea-Tools PR #736 (Issue #706) fresh at exact head 61c0d73cd1acd15dd809cf57a9e61e077d212143 via prgs-reviewer, remote prgs, Scaled-Tech-Consulting/Gitea-Tools. Verify the F1 remediation: _trusted_session_repository seeds session org/repo from repository_identity_slug(configured canonical root) when configured, checked, and allowlisted (env over profile), install default unchanged; confirm tests/test_issue_706_f1_seed_identity_integration.py drives the real seed->enforce path with two real repos; run #706 + workspace/session/routing regressions + full suite; the 2 full-suite failures are pre-existing on master (#737 test-drift). Do not reuse APPROVE 456 or REQUEST_CHANGES 457.

WHAT_HAPPENED: Author fixed F1 (session identity derived from the checked, allowlisted configured canonical root) and added an integration test driving the real seed->enforce path with two real repositories; pushed new head 61c0d73.
WHY: REQUEST_CHANGES 457 required session org/repo be authorized from the configured canonical root identity, not the install remote; implemented narrowly with every fail-closed property preserved.
RELATED_PRS: #736 (this PR, head 61c0d73)
ISSUE: #706
HEAD_SHA: 61c0d73cd1
REVIEW_STATUS: changes_requested (457 superseded by new head; fresh review required)
MERGE_READY: no
BLOCKERS: none from author; awaiting fresh independent review at 61c0d73
VALIDATION: new integration 10 passed; #706+#737 46 passed/20 subtests; session/workspace/routing 357 passed; full suite 3267 passed/6 skipped/2 pre-existing-master failures/240 subtests; py_compile OK; diff --check clean; secret scan clean
LAST_UPDATED_BY: jcwalker3 / prgs-author

[THREAD STATE LEDGER]

What is true now:

  • PR #736 is open at head 61c0d73cd1 (fast-forward from 6a0d7bb).
  • The F1 fix and its integration test are committed and pushed to the PR branch.
  • Prior APPROVE review 456 is dismissed; REQUEST_CHANGES review 457 is stale because its reviewed head 6a0d7bb is no longer current.

What changed:

  • _trusted_session_repository now seeds the session org/repository from repository_identity_slug(configured canonical root) when a canonical_repository_root is configured, checked, and allowlist-authorized; the install default path is unchanged.
  • Added tests/test_issue_706_f1_seed_identity_integration.py driving the real seed -> enforce path with two real repositories.

What is blocked:

  • No author-side work remains. A merge must not proceed because there is no current approval at head 61c0d73.

Who/what acts next:

  • An independent prgs-reviewer performs a fresh review at exact head 61c0d73.

Server-side decision state: no current approval at head 61c0d73; REQUEST_CHANGES review 457 recorded at the superseded head 6a0d7bb; APPROVE review 456 dismissed.
Local verdict/state: author remediation complete; full suite 3267 passed with 2 pre-existing-master failures.
Next actor: prgs-reviewer (independent).
Required action: fresh independent review of head 61c0d73 against live master, producing an APPROVE or REQUEST_CHANGES verdict on the exact new head.
Blocker classification: no blocker
Do not do: do not reuse the dismissed APPROVE 456; do not reuse or self-dismiss REQUEST_CHANGES 457; do not self-review or merge as the author; do not merge without a fresh approval recorded at exact head 61c0d73.

## Author remediation of REQUEST_CHANGES review 457 — PR #736 (Closes #706) New head: **61c0d73cd1acd15dd809cf57a9e61e077d212143** (fast-forward from 6a0d7bb). ### Response to review 457 (F1) — confirmed and fixed Root cause exactly as 457 diagnosed: `_trusted_session_repository` derived the session org/repository from `_workspace_repository_slug` -> `_local_git_remote_url`, which runs `git remote get-url` in `PROJECT_ROOT` (the Gitea-Tools install checkout). A cross-repository namespace with a configured `canonical_repository_root` therefore pinned the Gitea-Tools identity while #274 filesystem membership bound the external target; `_enforce_canonical_repository_root` then derived `expected_slug` from that install-derived pin and failed closed on a self-inflicted identity mismatch, leaving the mcp-control-plane / eagenda namespaces blocked end-to-end. ### Implementation (gitea_mcp_server.py, +37/-1) In `_trusted_session_repository`: when a `canonical_repository_root` is configured (env `GITEA_CANONICAL_REPOSITORY_ROOT` over profile field) and passes existence / git-toplevel / resolvable-remote-identity checks, the session repository slug is now derived from `repository_identity_slug(configured_root)` instead of the install remote. The derived identity is still authorized by the profile `allowed_repositories` allowlist (never self-authorizing). Preserved: env-over-profile precedence; immutable canonical filesystem root; immutable session org/repo identity; mandatory allowlist enforcement; #274 filesystem membership; fail-closed on invalid / non-git / unresolvable / unallowlisted / forged / drift; no per-tool root or identity swapping; unchanged unconfigured single-repo Gitea-Tools behavior; author/reviewer/merger/reconciler separation. Identity comparison is not weakened and there is no mcp-control-plane special case. ### Integration test (new: tests/test_issue_706_f1_seed_identity_integration.py) Drives the REAL `_seed_session_context` -> `_enforce_canonical_repository_root` path (not the lower-level assess helper with a preselected slug) using two real temporary git repositories: install A = Gitea-Tools, configured target B = mcp-control-plane, with a target worktree under B. Coverage: session seed resolves B not A (env config + profile field); enforce accepts the B worktree for reviewer AND merger role kinds; env-over-profile precedence; fail-closed for nonexistent / non-git / unallowlisted / forged-identity-drift; unconfigured Gitea-Tools default unchanged. Reproduction proven: this test fails on the pre-fix code (5 failures — session pinned the install identity / null), and passes after the fix (10/10). ### Verification results - New integration test: **10 passed**. - Issue #706 (unit + new integration) + #737 forwarding regression: **46 passed / 20 subtests**. - Session-context / workspace-binding / namespace / role-routing / membership regressions: **357 passed**. - `python -m py_compile`: OK. `git diff --check`: clean. Secret scan of the diff: clean. - Full suite: **3267 passed, 6 skipped, 2 failed, 240 subtests**. The 2 failures (`test_issue_702_review_findings_f1_f6::TestF1RecoveryBeforeTerminalProbe::test_removed_worktree_recovers_before_probe`; `test_reconciler_supersession_close::TestReconcilerSupersessionMcpTool::test_tool_posts_comment_and_closes_superseded_pr_issue`) are PRE-EXISTING on clean master 29d96c8 — reproduced identically on the control checkout with zero PR changes (#737 test-drift). These are the same two review 457 itself classified pre-existing. ### Request Requesting a **completely fresh independent review** at exact head 61c0d73. Do not reuse dismissed APPROVE 456. REQUEST_CHANGES 457 is superseded by this new head; I have not dismissed it. ## Canonical Issue State STATE: REMEDIATED_AWAITING_FRESH_REVIEW WHO_IS_NEXT: REVIEWER NEXT_ACTION: Fresh independent review of PR #736 at exact head 61c0d73cd1acd15dd809cf57a9e61e077d212143 against live master. NEXT_PROMPT: ```text Review Gitea-Tools PR #736 (Issue #706) fresh at exact head 61c0d73cd1acd15dd809cf57a9e61e077d212143 via prgs-reviewer, remote prgs, Scaled-Tech-Consulting/Gitea-Tools. Verify the F1 remediation: _trusted_session_repository seeds session org/repo from repository_identity_slug(configured canonical root) when configured, checked, and allowlisted (env over profile), install default unchanged; confirm tests/test_issue_706_f1_seed_identity_integration.py drives the real seed->enforce path with two real repos; run #706 + workspace/session/routing regressions + full suite; the 2 full-suite failures are pre-existing on master (#737 test-drift). Do not reuse APPROVE 456 or REQUEST_CHANGES 457. ``` WHAT_HAPPENED: Author fixed F1 (session identity derived from the checked, allowlisted configured canonical root) and added an integration test driving the real seed->enforce path with two real repositories; pushed new head 61c0d73. WHY: REQUEST_CHANGES 457 required session org/repo be authorized from the configured canonical root identity, not the install remote; implemented narrowly with every fail-closed property preserved. RELATED_PRS: #736 (this PR, head 61c0d73) ISSUE: #706 HEAD_SHA: 61c0d73cd1acd15dd809cf57a9e61e077d212143 REVIEW_STATUS: changes_requested (457 superseded by new head; fresh review required) MERGE_READY: no BLOCKERS: none from author; awaiting fresh independent review at 61c0d73 VALIDATION: new integration 10 passed; #706+#737 46 passed/20 subtests; session/workspace/routing 357 passed; full suite 3267 passed/6 skipped/2 pre-existing-master failures/240 subtests; py_compile OK; diff --check clean; secret scan clean LAST_UPDATED_BY: jcwalker3 / prgs-author [THREAD STATE LEDGER] What is true now: - PR #736 is open at head 61c0d73cd1acd15dd809cf57a9e61e077d212143 (fast-forward from 6a0d7bb). - The F1 fix and its integration test are committed and pushed to the PR branch. - Prior APPROVE review 456 is dismissed; REQUEST_CHANGES review 457 is stale because its reviewed head 6a0d7bb is no longer current. What changed: - `_trusted_session_repository` now seeds the session org/repository from `repository_identity_slug(configured canonical root)` when a `canonical_repository_root` is configured, checked, and allowlist-authorized; the install default path is unchanged. - Added `tests/test_issue_706_f1_seed_identity_integration.py` driving the real seed -> enforce path with two real repositories. What is blocked: - No author-side work remains. A merge must not proceed because there is no current approval at head 61c0d73. Who/what acts next: - An independent prgs-reviewer performs a fresh review at exact head 61c0d73. Server-side decision state: no current approval at head 61c0d73; REQUEST_CHANGES review 457 recorded at the superseded head 6a0d7bb; APPROVE review 456 dismissed. Local verdict/state: author remediation complete; full suite 3267 passed with 2 pre-existing-master failures. Next actor: prgs-reviewer (independent). Required action: fresh independent review of head 61c0d73 against live master, producing an APPROVE or REQUEST_CHANGES verdict on the exact new head. Blocker classification: no blocker Do not do: do not reuse the dismissed APPROVE 456; do not reuse or self-dismiss REQUEST_CHANGES 457; do not self-review or merge as the author; do not merge without a fresh approval recorded at exact head 61c0d73.
Owner

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #736
issue: #706
reviewer_identity: sysadmin
profile: prgs-reviewer
session_id: 94113-e06865e53f28
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736
phase: claimed
candidate_head: 61c0d73cd1
target_branch: master
target_branch_sha: 29d96c8946
last_activity: 2026-07-18T05:52:44Z
expires_at: 2026-07-18T07:52:44Z
blocker: none

<!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #736 issue: #706 reviewer_identity: sysadmin profile: prgs-reviewer session_id: 94113-e06865e53f28 worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736 phase: claimed candidate_head: 61c0d73cd1acd15dd809cf57a9e61e077d212143 target_branch: master target_branch_sha: 29d96c8946689be2fc9a55d296e4383a3aa03c4f last_activity: 2026-07-18T05:52:44Z expires_at: 2026-07-18T07:52:44Z blocker: none
sysadmin approved these changes 2026-07-18 00:59:30 -05:00
sysadmin left a comment
Owner

Reviewer verdict: APPROVE — PR #736 (Closes #706) @ 61c0d73

Fresh independent review at exact head 61c0d73cd1 against live master 29d96c8946. F1 remediation from REQUEST_CHANGES review 457 is complete and proven. Prior APPROVE 456 remains dismissed; review 457 is stale (author_pushed_after_request_changes=true).

Hard gates (this session)

  • Operator: jasonwalker UID 502, non-root, sudo password-required
  • Identity: sysadmin / prgs-reviewer (identity_match=true)
  • Host/repo: gitea.prgs.cc / Scaled-Tech-Consulting/Gitea-Tools
  • Runtime/master parity: in parity at 29d96c8; control checkout clean on master
  • PR open; author jcwalker3 ≠ reviewer; head pinned 61c0d73
  • Lease: session 94113-e06865e53f28 comment 12291; no foreign active lease conflict
  • Workflow: gitea_load_review_workflow hash 263d0a6cb8a6; schema a7634e7b8689; boundary_status=clean

Remediation delta (6a0d7bb…61c0d73)

Exactly 2 files:

  1. gitea_mcp_server.py_trusted_session_repository derives session org/repo from repository_identity_slug(configured_canonical_root) when configured (env-over-profile), still allowlist-gated; unconfigured install path unchanged.
  2. tests/test_issue_706_f1_seed_identity_integration.py — real seed→enforce path with two temporary git repos.
    Fast-forward from 6a0d7bb. No unrelated scope.

Complete PR (master…61c0d73)

8 files / +1097/−4 matching Issue #706 scope (canonical root module, config/auth surfaces, namespace binding, session pin, server seed/enforce, unit + F1 integration tests).

F1 acceptance (1–14)

  1. Env-over-profile configured root selection — PASS
  2. Normalize/realpath/exists/git toplevel — PASS
  3. Identity from repository_identity_slug(configured root) — PASS
  4. Allowlist-gated — PASS
  5. Session seed pins target not install — PASS (integration)
  6. Enforce accepts target worktree — PASS
  7. Reviewer + merger real seed→enforce — PASS
  8. Immutable root + org/repo — PASS
  9. In-session swap fails closed — PASS
  10. Missing/non-git/unallowlisted/forged fail closed — PASS
  11. #274 membership still active — PASS
  12. Unconfigured single-repo unchanged — PASS
  13. No identity/role weakening — PASS
  14. No mcp-control-plane special case — PASS (generic slug path)

Integration test quality

Two real temp repos; real _seed_session_context_enforce_canonical_repository_root (not preselected slug helper); env+profile; reviewer+merger; fail-closed negatives — all PASS.

Independent tests

  • F1 integration: 10 passed
  • #706 unit: 26 passed
  • #706+#737+workspace/session/role: 137 passed / 20 subtests
  • Workspace guards + lease tests: 41 passed
  • py_compile OK; git diff --check clean; secret scan of PR diff clean
  • Full suite: 3267 passed, 6 skipped, 2 failed, 240 subtests
  • 2 failures reproduced identically on clean master 29d96c8 (current-master failure reproduced; one is #737 org/repo-forwarding test-drift). Not attributable to #706.

Workflow-proof conclusion (author push 6a0d7bb→61c0d73)

Independently verified:

  • Release comment 12281 (phase released, session 80223) after claim 12273
  • gitea_assess_reviewer_pr_lease / diagnose_reviewer_pr_lease_handoff / control-plane DB: no active reviewer lease after release
  • Reproduced: pr_work_lease.find_active_reviewer_lease / assess_conflict_fix_push false-positive — reverse-chronological skip of terminal phases returns older same-session claimed (12273) instead of honoring later released (12281)

Under canonical workflow: authoritative release evidence made the non-force FF push eligible. assess_conflict_fix_push is the §20B conflict-fix gate; this was REQUEST_CHANGES code remediation, not conflict-fix. Assessor false-positive is a workflow-control defect — document + follow-up; do not broaden #736. Sanctioned follow-up: fix find_active_reviewer_lease to resolve latest phase per session_id.

Review Metadata

  • LLM-Agent-SHA: llm-61c0d73f1a2b
  • LLM-Role: reviewer
  • Authenticated-Gitea-User: sysadmin
  • MCP-Profile: prgs-reviewer
  • Eligibility: passed
  • Worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736 (clean, detached @ 61c0d73)

Canonical PR State

STATE: REVIEW_COMPLETE_APPROVE
WHO_IS_NEXT: MERGER
NEXT_ACTION: Merge PR #736 at exact head 61c0d73cd1 via prgs-merger once required checks pass.
NEXT_PROMPT:

Merge Gitea-Tools PR #736 (Issue #706) via prgs-merger. Remote prgs, Scaled-Tech-Consulting/Gitea-Tools. Exact authorized head 61c0d73cd1acd15dd809cf57a9e61e077d212143, base master 29d96c8946689be2fc9a55d296e4383a3aa03c4f. Fresh APPROVE at that head (F1 seed identity + integration tests). Verify sysadmin/prgs-merger identity+binding, head unchanged, approval-at-head, checks passed (bounded native poll), conflict-free, identity separation, parity. Acquire merger lease via contiguous whoami->resolve(merge_pr)->merge. If head changes, do not merge. Do not reuse dismissed APPROVE 456 or stale REQUEST_CHANGES 457.

WHAT_HAPPENED: Fresh independent review at 61c0d73 approved F1 remediation after REQUEST_CHANGES 457; seed→enforce proven; full suite 3267 passed with 2 pre-existing master failures.
WHY: F1 criteria 1–14 satisfied; tests strong; assessor false-positive is control defect with authoritative release evidence still making FF push eligible; no code blocker.
ISSUE: #706
HEAD_SHA: 61c0d73cd1
REVIEW_STATUS: APPROVE
MERGE_READY: true (bounded check poll may be required)
BLOCKERS: none for this PR code; follow-up recommended for find_active_reviewer_lease session-scoped release association and 2 master test drifts
VALIDATION: F1 10; #706 26; focused 137+41; full 3267 passed / 6 skipped / 2 pre-existing / 240 subtests; py_compile OK; diff --check clean
LAST_UPDATED_BY: sysadmin / prgs-reviewer

[THREAD STATE LEDGER]

NATIVE_REVIEW_PROOF: native_mcp_transport=true; entrypoint=mcp_server; pid=94113; profile=prgs-reviewer; identity=sysadmin; workflow_source=skills/llm-project-workflow/workflows/review-merge-pr.md; workflow_hash=263d0a6cb8a6; final_report_schema_hash=a7634e7b8689; boundary_status=clean; reviewed_head=61c0d73cd1acd15dd809cf57a9e61e077d212143; base_master=29d96c8946689be2fc9a55d296e4383a3aa03c4f

## Reviewer verdict: APPROVE — PR #736 (Closes #706) @ 61c0d73 Fresh independent review at exact head **61c0d73cd1acd15dd809cf57a9e61e077d212143** against live master **29d96c8946689be2fc9a55d296e4383a3aa03c4f**. F1 remediation from REQUEST_CHANGES review 457 is complete and proven. Prior APPROVE 456 remains dismissed; review 457 is stale (`author_pushed_after_request_changes=true`). ### Hard gates (this session) - Operator: jasonwalker UID 502, non-root, sudo password-required - Identity: sysadmin / prgs-reviewer (identity_match=true) - Host/repo: gitea.prgs.cc / Scaled-Tech-Consulting/Gitea-Tools - Runtime/master parity: in parity at 29d96c8; control checkout clean on master - PR open; author jcwalker3 ≠ reviewer; head pinned 61c0d73 - Lease: session 94113-e06865e53f28 comment 12291; no foreign active lease conflict - Workflow: gitea_load_review_workflow hash 263d0a6cb8a6; schema a7634e7b8689; boundary_status=clean ### Remediation delta (6a0d7bb…61c0d73) Exactly 2 files: 1. `gitea_mcp_server.py` — `_trusted_session_repository` derives session org/repo from `repository_identity_slug(configured_canonical_root)` when configured (env-over-profile), still allowlist-gated; unconfigured install path unchanged. 2. `tests/test_issue_706_f1_seed_identity_integration.py` — real seed→enforce path with two temporary git repos. Fast-forward from 6a0d7bb. No unrelated scope. ### Complete PR (master…61c0d73) 8 files / +1097/−4 matching Issue #706 scope (canonical root module, config/auth surfaces, namespace binding, session pin, server seed/enforce, unit + F1 integration tests). ### F1 acceptance (1–14) 1. Env-over-profile configured root selection — PASS 2. Normalize/realpath/exists/git toplevel — PASS 3. Identity from repository_identity_slug(configured root) — PASS 4. Allowlist-gated — PASS 5. Session seed pins target not install — PASS (integration) 6. Enforce accepts target worktree — PASS 7. Reviewer + merger real seed→enforce — PASS 8. Immutable root + org/repo — PASS 9. In-session swap fails closed — PASS 10. Missing/non-git/unallowlisted/forged fail closed — PASS 11. #274 membership still active — PASS 12. Unconfigured single-repo unchanged — PASS 13. No identity/role weakening — PASS 14. No mcp-control-plane special case — PASS (generic slug path) ### Integration test quality Two real temp repos; real `_seed_session_context`→`_enforce_canonical_repository_root` (not preselected slug helper); env+profile; reviewer+merger; fail-closed negatives — all PASS. ### Independent tests - F1 integration: 10 passed - #706 unit: 26 passed - #706+#737+workspace/session/role: 137 passed / 20 subtests - Workspace guards + lease tests: 41 passed - py_compile OK; git diff --check clean; secret scan of PR diff clean - Full suite: 3267 passed, 6 skipped, 2 failed, 240 subtests - 2 failures reproduced identically on clean master 29d96c8 (current-master failure reproduced; one is #737 org/repo-forwarding test-drift). Not attributable to #706. ### Workflow-proof conclusion (author push 6a0d7bb→61c0d73) Independently verified: - Release comment **12281** (phase released, session 80223) after claim **12273** - gitea_assess_reviewer_pr_lease / diagnose_reviewer_pr_lease_handoff / control-plane DB: no active reviewer lease after release - Reproduced: `pr_work_lease.find_active_reviewer_lease` / `assess_conflict_fix_push` **false-positive** — reverse-chronological skip of terminal phases returns older same-session claimed (12273) instead of honoring later released (12281) **Under canonical workflow:** authoritative release evidence made the non-force FF push eligible. `assess_conflict_fix_push` is the §20B conflict-fix gate; this was REQUEST_CHANGES code remediation, not conflict-fix. Assessor false-positive is a workflow-control defect — document + follow-up; do not broaden #736. Sanctioned follow-up: fix `find_active_reviewer_lease` to resolve latest phase per session_id. ### Review Metadata - LLM-Agent-SHA: llm-61c0d73f1a2b - LLM-Role: reviewer - Authenticated-Gitea-User: sysadmin - MCP-Profile: prgs-reviewer - Eligibility: passed - Worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736 (clean, detached @ 61c0d73) ## Canonical PR State STATE: REVIEW_COMPLETE_APPROVE WHO_IS_NEXT: MERGER NEXT_ACTION: Merge PR #736 at exact head 61c0d73cd1acd15dd809cf57a9e61e077d212143 via prgs-merger once required checks pass. NEXT_PROMPT: ```text Merge Gitea-Tools PR #736 (Issue #706) via prgs-merger. Remote prgs, Scaled-Tech-Consulting/Gitea-Tools. Exact authorized head 61c0d73cd1acd15dd809cf57a9e61e077d212143, base master 29d96c8946689be2fc9a55d296e4383a3aa03c4f. Fresh APPROVE at that head (F1 seed identity + integration tests). Verify sysadmin/prgs-merger identity+binding, head unchanged, approval-at-head, checks passed (bounded native poll), conflict-free, identity separation, parity. Acquire merger lease via contiguous whoami->resolve(merge_pr)->merge. If head changes, do not merge. Do not reuse dismissed APPROVE 456 or stale REQUEST_CHANGES 457. ``` WHAT_HAPPENED: Fresh independent review at 61c0d73 approved F1 remediation after REQUEST_CHANGES 457; seed→enforce proven; full suite 3267 passed with 2 pre-existing master failures. WHY: F1 criteria 1–14 satisfied; tests strong; assessor false-positive is control defect with authoritative release evidence still making FF push eligible; no code blocker. ISSUE: #706 HEAD_SHA: 61c0d73cd1acd15dd809cf57a9e61e077d212143 REVIEW_STATUS: APPROVE MERGE_READY: true (bounded check poll may be required) BLOCKERS: none for this PR code; follow-up recommended for find_active_reviewer_lease session-scoped release association and 2 master test drifts VALIDATION: F1 10; #706 26; focused 137+41; full 3267 passed / 6 skipped / 2 pre-existing / 240 subtests; py_compile OK; diff --check clean LAST_UPDATED_BY: sysadmin / prgs-reviewer [THREAD STATE LEDGER] - WHO_IS_NEXT: MERGER - PR: #736 - ISSUE: #706 - REVIEWED_HEAD: 61c0d73cd1acd15dd809cf57a9e61e077d212143 - BASE_MASTER: 29d96c8946689be2fc9a55d296e4383a3aa03c4f - REVIEW_DECISION: APPROVE - PRIOR_REQUEST_CHANGES: 457 (stale) - PRIOR_APPROVE: 456 (dismissed) - MERGEABLE: true - CONFLICTS: none - REVIEWER_LEASE: sysadmin session 94113-e06865e53f28 comment 12291 - WORKFLOW_PROOF: release 12281 authoritative; assess_conflict_fix_push false-positive reproduced (claim 12273 not neutralized by release 12281) — control defect follow-up; push eligible under release evidence - BLOCKERS: none for code merge of #706 NATIVE_REVIEW_PROOF: native_mcp_transport=true; entrypoint=mcp_server; pid=94113; profile=prgs-reviewer; identity=sysadmin; workflow_source=skills/llm-project-workflow/workflows/review-merge-pr.md; workflow_hash=263d0a6cb8a6; final_report_schema_hash=a7634e7b8689; boundary_status=clean; reviewed_head=61c0d73cd1acd15dd809cf57a9e61e077d212143; base_master=29d96c8946689be2fc9a55d296e4383a3aa03c4f
Owner

CTH: Reviewer Handoff — PR #736 @ 61c0d73

Formal review 458 recorded APPROVE at exact head 61c0d73cd1acd15dd809cf57a9e61e077d212143 (base master 29d96c8946689be2fc9a55d296e4383a3aa03c4f). approval_at_current_head=true. F1 seed-identity fix and integration tests accepted. Prior review 456 remains dismissed; review 457 is stale against the new head.

Canonical Issue State

STATE: REVIEW_COMPLETE_APPROVE
WHO_IS_NEXT: MERGER
NEXT_ACTION: Merge PR #736 at exact head 61c0d73 via prgs-merger after required checks pass.
NEXT_PROMPT:

Merge Gitea-Tools PR #736 (Issue #706) via prgs-merger. Remote prgs, Scaled-Tech-Consulting/Gitea-Tools. Exact authorized head 61c0d73cd1acd15dd809cf57a9e61e077d212143, base master 29d96c8946689be2fc9a55d296e4383a3aa03c4f. Fresh review 458 APPROVE at that head. Verify sysadmin/prgs-merger identity+binding, head unchanged, approval-at-head, checks passed (bounded native poll), conflict-free, identity separation, parity. Acquire merger lease via contiguous whoami->resolve(merge_pr)->merge. If head changes, do not merge.

WHAT_HAPPENED: Independent reviewer session recorded review 458 APPROVE for F1 remediation at 61c0d73; reviewer lease will be released after handoff.
WHY: F1 acceptance and tests pass; workflow-control assessor defect documented as non-blocking follow-up.
RELATED_PRS: #736
ISSUE: #706
HEAD_SHA: 61c0d73cd1
REVIEW_STATUS: APPROVE (review_id 458)
MERGE_READY: true (bounded check poll may be required)
BLOCKERS: none
VALIDATION: F1 10; #706 26; focused 137+41; full 3267 passed / 6 skipped / 2 pre-existing-master / 240 subtests
LAST_UPDATED_BY: sysadmin / prgs-reviewer

[THREAD STATE LEDGER]

What is true now:

  • PR #736 is open at head 61c0d73cd1.
  • Formal review 458 is APPROVE at that exact head; approval_at_current_head is true.
  • Review 456 is dismissed; review 457 is stale relative to the current head.
  • F1 session-identity seeding from configured canonical root is implemented and integration-tested.

What changed:

  • Independent prgs-reviewer recorded review 458 APPROVE after validating remediation 6a0d7bb..61c0d73 and full PR master..61c0d73.
  • Documented workflow-control defect: assess_conflict_fix_push / find_active_reviewer_lease false-positive when separate release comment does not neutralize prior same-session claimed marker.

What is blocked:

  • Merge must wait for prgs-merger and required checks; no author-side code blocker remains on head 61c0d73.

Who/what acts next:

  • prgs-merger merges only at exact head 61c0d73 after checks pass.

Server-side decision state: review 458 APPROVE visible at head 61c0d73; no blocking REQUEST_CHANGES at current head.
Local verdict/state: APPROVE; full suite 3267 passed with 2 pre-existing-master failures; reviewer lease still held until release.
Next actor: prgs-merger
Required action: merge PR #736 at exact head 61c0d73 via native merger workflow after bounded check poll; release/finalize reviewer lease first if still active.
Blocker classification: no blocker
Do not do: do not reuse dismissed review 456; do not treat stale review 457 as current; do not merge a different head; do not self-merge as author; do not expand #736 with the lease-assessor follow-up.

NATIVE_REVIEW_PROOF: native_mcp_transport=true; entrypoint=mcp_server; pid=94113; profile=prgs-reviewer; identity=sysadmin; workflow_source=skills/llm-project-workflow/workflows/review-merge-pr.md; workflow_hash=263d0a6cb8a6; final_report_schema_hash=a7634e7b8689; boundary_status=clean; reviewed_head=61c0d73cd1acd15dd809cf57a9e61e077d212143; base_master=29d96c8946689be2fc9a55d296e4383a3aa03c4f; review_id=458

## CTH: Reviewer Handoff — PR #736 @ 61c0d73 Formal review **458** recorded APPROVE at exact head `61c0d73cd1acd15dd809cf57a9e61e077d212143` (base master `29d96c8946689be2fc9a55d296e4383a3aa03c4f`). `approval_at_current_head=true`. F1 seed-identity fix and integration tests accepted. Prior review 456 remains dismissed; review 457 is stale against the new head. ## Canonical Issue State STATE: REVIEW_COMPLETE_APPROVE WHO_IS_NEXT: MERGER NEXT_ACTION: Merge PR #736 at exact head 61c0d73 via prgs-merger after required checks pass. NEXT_PROMPT: ```text Merge Gitea-Tools PR #736 (Issue #706) via prgs-merger. Remote prgs, Scaled-Tech-Consulting/Gitea-Tools. Exact authorized head 61c0d73cd1acd15dd809cf57a9e61e077d212143, base master 29d96c8946689be2fc9a55d296e4383a3aa03c4f. Fresh review 458 APPROVE at that head. Verify sysadmin/prgs-merger identity+binding, head unchanged, approval-at-head, checks passed (bounded native poll), conflict-free, identity separation, parity. Acquire merger lease via contiguous whoami->resolve(merge_pr)->merge. If head changes, do not merge. ``` WHAT_HAPPENED: Independent reviewer session recorded review 458 APPROVE for F1 remediation at 61c0d73; reviewer lease will be released after handoff. WHY: F1 acceptance and tests pass; workflow-control assessor defect documented as non-blocking follow-up. RELATED_PRS: #736 ISSUE: #706 HEAD_SHA: 61c0d73cd1acd15dd809cf57a9e61e077d212143 REVIEW_STATUS: APPROVE (review_id 458) MERGE_READY: true (bounded check poll may be required) BLOCKERS: none VALIDATION: F1 10; #706 26; focused 137+41; full 3267 passed / 6 skipped / 2 pre-existing-master / 240 subtests LAST_UPDATED_BY: sysadmin / prgs-reviewer [THREAD STATE LEDGER] What is true now: - PR #736 is open at head 61c0d73cd1acd15dd809cf57a9e61e077d212143. - Formal review 458 is APPROVE at that exact head; approval_at_current_head is true. - Review 456 is dismissed; review 457 is stale relative to the current head. - F1 session-identity seeding from configured canonical root is implemented and integration-tested. What changed: - Independent prgs-reviewer recorded review 458 APPROVE after validating remediation 6a0d7bb..61c0d73 and full PR master..61c0d73. - Documented workflow-control defect: assess_conflict_fix_push / find_active_reviewer_lease false-positive when separate release comment does not neutralize prior same-session claimed marker. What is blocked: - Merge must wait for prgs-merger and required checks; no author-side code blocker remains on head 61c0d73. Who/what acts next: - prgs-merger merges only at exact head 61c0d73 after checks pass. Server-side decision state: review 458 APPROVE visible at head 61c0d73; no blocking REQUEST_CHANGES at current head. Local verdict/state: APPROVE; full suite 3267 passed with 2 pre-existing-master failures; reviewer lease still held until release. Next actor: prgs-merger Required action: merge PR #736 at exact head 61c0d73 via native merger workflow after bounded check poll; release/finalize reviewer lease first if still active. Blocker classification: no blocker Do not do: do not reuse dismissed review 456; do not treat stale review 457 as current; do not merge a different head; do not self-merge as author; do not expand #736 with the lease-assessor follow-up. NATIVE_REVIEW_PROOF: native_mcp_transport=true; entrypoint=mcp_server; pid=94113; profile=prgs-reviewer; identity=sysadmin; workflow_source=skills/llm-project-workflow/workflows/review-merge-pr.md; workflow_hash=263d0a6cb8a6; final_report_schema_hash=a7634e7b8689; boundary_status=clean; reviewed_head=61c0d73cd1acd15dd809cf57a9e61e077d212143; base_master=29d96c8946689be2fc9a55d296e4383a3aa03c4f; review_id=458
Owner

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #736
issue: #706
reviewer_identity: sysadmin
profile: prgs-reviewer
session_id: 94113-e06865e53f28
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736
phase: released
candidate_head: 61c0d73cd1
target_branch: master
target_branch_sha: 29d96c8946
last_activity: 2026-07-18T06:02:55Z
expires_at: 2026-07-18T08:02:55Z
blocker: manual-release

<!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #736 issue: #706 reviewer_identity: sysadmin profile: prgs-reviewer session_id: 94113-e06865e53f28 worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/reviewer-pr-736 phase: released candidate_head: 61c0d73cd1acd15dd809cf57a9e61e077d212143 target_branch: master target_branch_sha: 29d96c8946689be2fc9a55d296e4383a3aa03c4f last_activity: 2026-07-18T06:02:55Z expires_at: 2026-07-18T08:02:55Z blocker: manual-release
Owner

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #736
issue: #706
reviewer_identity: sysadmin
profile: prgs-merger
session_id: 29488-462ce6083576
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/merge-control
phase: claimed
candidate_head: 61c0d73cd1
target_branch: master
target_branch_sha: 29d96c8946
last_activity: 2026-07-18T06:32:56Z
expires_at: 2026-07-18T08:32:56Z
blocker: none

<!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #736 issue: #706 reviewer_identity: sysadmin profile: prgs-merger session_id: 29488-462ce6083576 worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/merge-control phase: claimed candidate_head: 61c0d73cd1acd15dd809cf57a9e61e077d212143 target_branch: master target_branch_sha: 29d96c8946689be2fc9a55d296e4383a3aa03c4f last_activity: 2026-07-18T06:32:56Z expires_at: 2026-07-18T08:32:56Z blocker: none
Owner

adopted_at: 2026-07-18T06:35:18Z
adopted_by_identity: sysadmin
adopted_by_profile: prgs-merger
adopted_from_session_id: 29488-462ce6083576
adopted_from_profile: prgs-merger
adopted_from_reviewer_identity: sysadmin
adopted_from_comment_id: 12301
adoption_reason: merger-handoff-approved-head

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #736
issue: #706
reviewer_identity: sysadmin
profile: prgs-merger
session_id: 29488-d53c19f7a700
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/merge-control
phase: adopted
candidate_head: 61c0d73cd1
target_branch: master
target_branch_sha: 29d96c8946
last_activity: 2026-07-18T06:35:18Z
expires_at: 2026-07-18T08:35:18Z
blocker: none

<!-- mcp-review-lease-adoption:v1 --> adopted_at: 2026-07-18T06:35:18Z adopted_by_identity: sysadmin adopted_by_profile: prgs-merger adopted_from_session_id: 29488-462ce6083576 adopted_from_profile: prgs-merger adopted_from_reviewer_identity: sysadmin adopted_from_comment_id: 12301 adoption_reason: merger-handoff-approved-head <!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #736 issue: #706 reviewer_identity: sysadmin profile: prgs-merger session_id: 29488-d53c19f7a700 worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/merge-control phase: adopted candidate_head: 61c0d73cd1acd15dd809cf57a9e61e077d212143 target_branch: master target_branch_sha: 29d96c8946689be2fc9a55d296e4383a3aa03c4f last_activity: 2026-07-18T06:35:18Z expires_at: 2026-07-18T08:35:18Z blocker: none
sysadmin merged commit a8d2087b4a into master 2026-07-18 01:36:03 -05:00
Owner

Stale #332 review-decision lock cleanup (#594)

Status: APPLIED

Manual deletion of session-state files is not the workflow.
This path only clears a lock when the referenced PR is merged/closed.

## Stale #332 review-decision lock cleanup (#594) Status: **APPLIED** - actor: `sysadmin` - profile: `prgs-merger` - timestamp: `2026-07-18T06:36:04.592438+00:00` - last terminal: `approve` on PR #736 - PR state: `closed` (merged=True) - merge_commit_sha: `a8d2087b4af3ae143b839c5c0c821e2a3ca7fd4f` - prior live_mutations_count: `3` - prior profile_identity: `prgs-reviewer` Manual deletion of session-state files is **not** the workflow. This path only clears a lock when the referenced PR is merged/closed.
Owner

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #736
issue: #706
reviewer_identity: sysadmin
profile: prgs-merger
session_id: 29488-d53c19f7a700
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/merge-control
phase: released
candidate_head: 61c0d73cd1
target_branch: master
target_branch_sha: 29d96c8946
last_activity: 2026-07-18T06:57:17Z
expires_at: 2026-07-18T08:57:17Z
blocker: post-merge-moot

<!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #736 issue: #706 reviewer_identity: sysadmin profile: prgs-merger session_id: 29488-d53c19f7a700 worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/merge-control phase: released candidate_head: 61c0d73cd1acd15dd809cf57a9e61e077d212143 target_branch: master target_branch_sha: 29d96c8946689be2fc9a55d296e4383a3aa03c4f last_activity: 2026-07-18T06:57:17Z expires_at: 2026-07-18T08:57:17Z blocker: post-merge-moot
Sign in to join this conversation.
No Reviewers
No labels
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#736