Files
Gitea-Tools/docs/wiki/Safety-and-Gates.md
T
sysadmin 86651a3d05 docs: expand #594 stale decision-lock cleanup guidance
Add allowed/forbidden workflow steps to the review-merge skill and
document the #594 cleanup gate on the Safety-and-Gates wiki page.
2026-07-09 15:21:21 -04:00

2.0 KiB

Safety and Gates

Navigation

Prompts express intent; MCP tools enforce safety.

Primary gates

  1. Fail closed — Unknown tasks, missing capability resolution, or profile mismatches block mutations.
  2. Task capability mapgitea_resolve_task_capability must precede gated issue/PR mutations.
  3. Issue lockgitea_lock_issue required before author implementation on a tracked issue.
  4. Head SHA pinning — Reviews and merges refuse when the PR head moved.
  5. Explicit merge confirmationgitea_merge_pr requires confirmation="MERGE PR <n>".
  6. No self-review / self-merge — Authenticated user must differ from PR author for approve/merge.
  7. Review decision lock — Live review mutations require validation-phase dry-run and gitea_mark_final_review_decision.
  8. Terminal review hard-stop (#332) — After a terminal live review mutation, only same-PR merge after approve may continue. Durable locks (#559) must not be deleted by hand.
  9. Stale decision-lock cleanup (#594)gitea_cleanup_stale_review_decision_lock may clear a durable #332 lock only when the last terminal mutation's PR is live-state merged or closed, identity/profile gates pass, and apply uses a reviewer-capable profile. Open/ambiguous locks stay fail-closed. Successful cleanup records a durable audit trail.
  10. Redaction — Tokens, passwords, and keychain material never appear in tool output.
  11. Wiki publication (#224)docs/wiki/ and the sync helper are prerequisites only. Closing a wiki issue requires live Gitea Wiki proof on the repo Wiki tab. See Runbooks.