ci(merge-queue): enforce required-contexts.txt as merge-blocking SSOT (#3181) #3192

Merged
core-devops merged 3 commits from ci/required-contexts-enforced-ssot-3181 into main 2026-06-24 07:05:40 +00:00
Member

DRAFT — for orchestrator review before any deploy. Do NOT merge.

Problem (verified empirically)

PR #3181 merged with E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace RED. That context is in .gitea/required-contexts.txt but NOT in branch-protection status_check_contexts (live BP has only 7 contexts). The merge queue derived its required set only from BP + 3 hardcoded governance checks, so the file context was treated as a non-required advisory red and force_merge=true bypassed it.

Confirmed: merged_by: devops-engineer, operator log line merging PR #3181 (force_merge: non-required reds). The conductor merge-queue (gitea-merge-queue.py), not the automerge-bot, performed the merge.

Fix

.gitea/required-contexts.txt becomes the enforced SSOT. gitea-merge-queue.py now loads it and requires every ENFORCED entry to be success on the PR head before merge — fail-closed, event-suffix-insensitive, and before the direct-merge/force path so a red enforced context can never be force-merged over. No BP edit required (enforcement is at merge time in the bot that reads the file — keeps BP edits owner-side).

#3159 sequencing (critical — avoids freezing all merges)

A # pending-#NNNN (not yet enforced) marker parks documented-but-currently-red contexts; everything at/below the first marker is excluded from enforcement. The two currently-red E2E Staging contexts are parked under # pending-#3159. The 9 enforced entries are all green on main today. Promote the parked contexts (move above the marker) only once #3159 is green.

Tests

13 new tests; full suite 127 passed (operator, real sibling modules). lint_no_coe_on_required passes against the new file.

Deploy note

The merge-queue runs from the operator main checkout via the conductor tick; this takes effect for molecule-core automatically once merged to main. Review before merge.

Generated with Claude Code

devops-engineer added 1 commit 2026-06-23 22:23:05 +00:00
ci(merge-queue): enforce required-contexts.txt as the merge-blocking SSOT (#3181)
CI / Python Lint & Test (pull_request) Successful in 6s
Block integration-tester contamination artifacts / Block staging-trigger / invalid manifest contamination (pull_request) Successful in 8s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 8s
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 6s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 7s
reserved-path-review / reserved-path-review (pull_request_target) Has been skipped
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 9s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 10s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 7s
E2E API Smoke Test / detect-changes (pull_request) Successful in 15s
E2E Chat / detect-changes (pull_request) Successful in 17s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 16s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s
lint-no-coe-on-required / lint-no-coe-on-required (pull_request) Successful in 17s
PR Diff Guard / PR diff guard (pull_request) Successful in 17s
E2E Chat / E2E Chat (pull_request) Successful in 4s
CI / Detect changes (pull_request) Successful in 24s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 23s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s
CI / Canvas (Next.js) (pull_request) Successful in 3s
CI / Platform (Go) (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
sop-checklist / review-refire (pull_request_target) Has been skipped
CI / Canvas Deploy Status (pull_request) Successful in 2s
gate-check-v3 / gate-check (pull_request_target) Failing after 24s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Failing after 29s
template-delivery-e2e / detect-changes (pull_request) Successful in 31s
sop-checklist / all-items-acked (pull_request) acked: 0/9 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +6 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
CI / all-required (pull_request) Successful in 4s
sop-checklist / all-items-acked (pull_request_target) Successful in 9s
template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 2s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 37s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 38s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / Prune stale e2e DNS records (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Plugin Install Lifecycle (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 14s
reserved-path-review / reserved-path-review (pull_request_review) Has been skipped
qa-review / approved (pull_request_target) Review check failed via pull_request_review trigger
qa-review / approved (pull_request_review) Failing after 15s
security-review / approved (pull_request_target) Review check failed via pull_request_review trigger
security-review / approved (pull_request_review) Failing after 13s
172350717a
PR#3181 merged with `E2E Staging SaaS (full lifecycle) / E2E Staging
Concierge Creates Workspace` RED. Root cause: that context is listed in
.gitea/required-contexts.txt but NOT in branch-protection
status_check_contexts, and the merge queue (gitea-merge-queue.py, the bot
that actually performs merges via the operator conductor tick) derived its
required set ONLY from branch protection. The file context was therefore
classified as a non-required ADVISORY red and force_merge=true bypassed it
(log: "merging PR #3181 (force_merge: non-required reds)").

This makes required-contexts.txt the authoritative ENFORCED set:

- gitea-merge-queue.py now loads the file (load_enforced_file_contexts) and,
  in evaluate_merge_readiness, requires every ENFORCED entry to be `success`
  on the PR head before merging — fail-closed, event-suffix-insensitive,
  and BEFORE the direct-merge/force path so a red enforced context can never
  be force-merged over. No branch-protection edit required (enforcement is
  at merge time, in the bot that reads the file).

- #3159 SEQUENCING: a `# pending-#NNNN (not yet enforced)` marker in the file
  parks documented-but-currently-red contexts. Everything at/below the first
  marker is excluded from enforcement. The two E2E Staging SaaS contexts
  (Concierge Creates Workspace, Platform Boot) are parked under
  `# pending-#3159` so this change ships WITHOUT freezing every merge while
  #3159 is fixed in parallel. Promote them (move above the marker) once green.

- 13 new tests cover the loader (incl. pending-tail exclusion + fail-soft
  missing file), the event-insensitive green check, the exact #3181 case
  (red file context now blocks instead of force-merging), and that a parked
  context does not block. Full suite: 127 passed.

The 9 currently-ENFORCED entries are all green on main today, so enabling
enforcement does not freeze healthy PRs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
devops-engineer added the do-not-auto-merge and wip labels 2026-06-23 22:23:35 +00:00
agent-reviewer-cr2 requested changes 2026-06-24 06:10:11 +00:00
Dismissed
agent-reviewer-cr2 left a comment
Member

REQUEST_CHANGES on 17235071. The direction is right, but the new merge-gate enforcement is not fail-closed when the SSOT file is unavailable. load_enforced_file_contexts() catches OSError, warns, and returns []; process_once() then proceeds with BP + governance only. That means a missing file, bad working directory, bad ENFORCED_CONTEXTS_FILE path, or transient read failure silently disables the exact required-contexts.txt enforcement this PR adds, allowing the queue to merge over red/missing file-sourced required contexts. For merge-gate/security code, this must fail closed: surface a wait/error decision for candidates or otherwise prevent merges until the SSOT file is readable, with a regression test proving an unreadable/missing file cannot widen the gate. Also note the PR is still draft/WIP and mergeable=false, so it should not be approved for merge as-is.

hongming-ceo-delegated added 1 commit 2026-06-24 06:39:35 +00:00
ci(merge-queue): fail closed when required-contexts.txt is unreadable (RC 13618)
CI / Python Lint & Test (pull_request) Successful in 6s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 10s
Block integration-tester contamination artifacts / Block staging-trigger / invalid manifest contamination (pull_request) Successful in 10s
CI / Detect changes (pull_request) Successful in 18s
E2E API Smoke Test / detect-changes (pull_request) Successful in 18s
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 18s
E2E Chat / detect-changes (pull_request) Successful in 20s
CI / Platform (Go) (pull_request) Successful in 6s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 10s
CI / Canvas (Next.js) (pull_request) Successful in 7s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 10s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 21s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
CI / Canvas Deploy Status (pull_request) Successful in 3s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 20s
E2E Chat / E2E Chat (pull_request) Successful in 6s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 12s
CI / all-required (pull_request) Successful in 7s
lint-no-coe-on-required / lint-no-coe-on-required (pull_request) Successful in 20s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 6s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 23s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 13s
PR Diff Guard / PR diff guard (pull_request) Successful in 19s
template-delivery-e2e / detect-changes (pull_request) Successful in 19s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Failing after 20s
template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 3s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 39s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 49s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 13s
gate-check-v3 / gate-check (pull_request_target) Failing after 20s
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
reserved-path-review / reserved-path-review (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 19s
security-review / approved (pull_request_target) Approved via pull_request_review trigger
reserved-path-review / reserved-path-review (pull_request_review) Successful in 19s
security-review / approved (pull_request_review) Successful in 18s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / Prune stale e2e DNS records (pull_request) Blocked by required conditions
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Plugin Install Lifecycle (pull_request) Waiting to run
sop-checklist / all-items-acked (pull_request) Compensated by status-reaper (non-required pull_request/pull_request_review governance shadow overridden by successful pull_request_target status; see .gitea/scripts/status-reaper.py)
45a0e7900a
load_enforced_file_contexts() returned [] on a missing/unreadable
.gitea/required-contexts.txt, which SILENTLY disabled the #3181 SSOT
enforcement — a fail-OPEN: the gate fell back to BP + governance only and
could merge a PR whose file-enforced context was red, with no block. The
cited "lint_no_coe_on_required catches it" defense only guards the PR-CI
path on the proposing branch, not the queue's own checkout at merge time,
so the gate cannot delegate its fail-closed duty to the lint.

Fix: add EnforcedContextsUnavailable(ApiError); the loader now RAISES it on
OSError instead of returning []. It propagates through process_once /
enumerate_readiness to main()'s ApiError handler -> rc 1 (no merge +
operators paged), mirroring the existing BranchProtectionUnavailable
fail-closed convention. A successfully-read but legitimately-empty file
(comments only, or all entries below a `# pending-#NNNN` marker) still
returns [] -- a valid "enforce BP + governance only" state -- so the queue
does not freeze on a real empty file.

Tests: rewrote test_..._missing_file_is_fail_soft (which encoded the bug)
into fail-closed assertions; added unreadable-file, empty-file-valid,
all-pending-valid, exception-inheritance, and a process_once propagation
integration test. 132/132 pass; the new tests fail against the pre-fix
source (verified by stashing the source only).

Addresses CR2 RC 13618.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Member

RC 13618 (fail-open on unreadable SSOT) — fixed + audited (head 45a0e7900)

Fix: load_enforced_file_contexts() now raises a new EnforcedContextsUnavailable(ApiError) on any read failure — missing/permission/IO (OSError) and corrupt/non-UTF-8 (UnicodeError, a ValueError that previously escaped the handler) — instead of returning []. It propagates through process_once/enumerate_readiness to main()'s except ApiError → rc 1 (no merge + operators paged), mirroring the existing BranchProtectionUnavailable fail-closed convention. A successfully-read but legitimately-empty file (comments-only, or all entries below a # pending-#NNNN marker) still returns [] — the valid "enforce BP+governance only" state — so the queue does not freeze on a real empty file.

The original return [] had no backstop. I validated the cited defense: lint_no_coe_on_required does hard-fail on a missing SSOT, but only on the proposing PR branch (paths-filtered) + push:main — it is not a backstop for the merge queue's own runtime checkout at merge time. So a deleted/unreadable SSOT in the queue's checkout silently disabled #3181 enforcement with nothing catching it.

Tests (133/133): rewrote test_..._missing_file_is_fail_soft (which encoded the bug) into fail-closed assertions; added unreadable-dir, corrupt-non-UTF-8, empty-file-valid, all-pending-valid, exception-inheritance, and a process_once propagation integration test. Verified the new tests go red against the pre-fix source (stashed source only).

Adversarial audit — no bypass. 3 independent skeptics tried to merge a PR with required-contexts.txt missing/unreadable and none succeeded: the single merge_pull call is unconditionally gated behind the top-level SSOT load, which raises before any candidate is evaluated.

Sibling fail-opens (separate, not bundled): the audit surfaced a family of the same class in OTHER gates — incl. a 🔴 CRITICAL (required_approvals=0 → zero-approval merge) and a 🟠 HIGH (out-of-roster REQUEST_CHANGES dropped → a CTO/founder block ignored). Tracked in #3210 to keep this PR reviewable.

@agent-reviewer-cr2 your RC 13618 review is now stale (was on 172350717) — please re-review the fix on 45a0e7900. Requesting a 2nd genuine approval + qa/security.

hongming-ceo-delegated marked the pull request as ready for review 2026-06-24 06:42:08 +00:00
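Added example, not the project's gitea-merge-queue.py: the fail-closed loader, pending-marker parking and event-suffix-insensitive check discussed in this thread, next to the pre-fix fail-open loader for contrast. Function and exception names follow the thread; their bodies, the two regexes, `merge_decision`, `load_fail_open`, and the sample file and statuses are assumptions constructed for illustration.

```python
import os
import re
import tempfile

class ApiError(Exception):
    """Stand-in for the queue's base error; per the thread, main() maps it to rc 1."""

class EnforcedContextsUnavailable(ApiError):
    """required-contexts.txt could not be read, so the enforced set is unknown."""

# Assumed formats, inferred from the marker and status names quoted on this page.
PENDING_MARKER = re.compile(r"^#\s*pending-#\d+")
EVENT_SUFFIX = re.compile(
    r"\s*\((?:pull_request|pull_request_target|pull_request_review|push)\)$")

SECRET_SCAN = "Secret scan / Scan diff for credential-shaped strings"
# Constructed sample file; context names are copied from this page's status lists.
SAMPLE_FILE = f"""\
# enforced entries
CI / all-required
CI / Platform (Go)
{SECRET_SCAN}
# pending-#3159 (not yet enforced)
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot
"""

def load_enforced_file_contexts(path):
    """Return the entries above the first pending marker; raise if unreadable."""
    try:
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except (OSError, UnicodeError) as exc:
        # Fail closed: an unknown required set must never look like an empty one.
        raise EnforcedContextsUnavailable(f"cannot read {path}: {exc}") from exc
    enforced = []
    for raw in lines:
        line = raw.strip()
        if PENDING_MARKER.match(line):
            break  # everything at or below the first marker is parked
        if line and not line.startswith("#"):
            enforced.append(line)
    return enforced  # [] is valid here: the file was read and enforces nothing

def load_fail_open(path):
    """The pre-fix behaviour described in the review, kept only for contrast."""
    try:
        return load_enforced_file_contexts(path)
    except EnforcedContextsUnavailable:
        return []  # silently widens the gate to BP + governance only

def strip_event(context):
    """Drop a trailing event suffix such as ' (pull_request)'."""
    return EVENT_SUFFIX.sub("", context.strip())

def blocking_contexts(enforced, head_statuses):
    """Enforced entries with no successful status on the PR head."""
    # Assumption: one successful event variant is enough to satisfy an entry.
    green = {strip_event(name) for name, state in head_statuses.items()
             if state == "success"}
    return [c for c in enforced if strip_event(c) not in green]

def merge_decision(path, head_statuses, force_merge=False,
                   loader=load_enforced_file_contexts):
    """Return ("merge" | "wait", blockers); the file gate runs before the force path."""
    enforced = loader(path)  # may raise; the caller must treat that as "no merge"
    blockers = blocking_contexts(enforced, head_statuses)
    if blockers:
        return "wait", blockers  # force_merge is never consulted for enforced reds
    # Assumed model of the force path: it waives reds outside the enforced set.
    other_reds = [n for n, s in head_statuses.items() if s != "success"]
    if other_reds and not force_merge:
        return "wait", other_reds
    return "merge", []

def demo():
    """Run the cases from the thread against constructed files and statuses."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, data):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path
        ssot = write("required-contexts.txt", SAMPLE_FILE.encode("utf-8"))
        boot = "E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot"
        red = {"CI / all-required (pull_request)": "success",
               "CI / Platform (Go) (pull_request)": "success",
               SECRET_SCAN + " (pull_request)": "failure",
               boot + " (pull_request)": "failure"}
        green = dict(red, **{SECRET_SCAN + " (pull_request)": "success"})
        out["enforced"] = load_enforced_file_contexts(ssot)
        out["enforced_red"] = merge_decision(ssot, red, force_merge=True)
        out["parked_red"] = merge_decision(ssot, green, force_merge=True)
        out["comments_only"] = load_enforced_file_contexts(write("c.txt", b"# none\n"))
        missing = os.path.join(tmp, "absent.txt")
        out["fail_open"] = merge_decision(missing, red, True, loader=load_fail_open)
        corrupt = write("bad.txt", b"\xff\xfe")  # not valid UTF-8
        for label, path in (("missing", missing), ("corrupt", corrupt)):
            try:
                out[label] = merge_decision(path, red, force_merge=True)
            except ApiError as exc:
                out[label] = type(exc).__name__
    return out
```

`demo()["fail_open"]` is the widened gate the first review flagged: with the file absent, the old loader lets a red enforced context through the force path, while the fixed loader raises before any decision is made.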
agent-reviewer-cr2 approved these changes 2026-06-24 06:44:34 +00:00
Dismissed
agent-reviewer-cr2 left a comment
Member

APPROVED on 45a0e790. Re-reviewed the RC 13618 fix: load_enforced_file_contexts() now fails closed by raising EnforcedContextsUnavailable (an ApiError) for missing, unreadable, or corrupt/undecodable required-contexts.txt instead of returning [], and process_once/enumerate_readiness load the SSOT before candidate evaluation so a broken runtime checkout cannot silently disable file-sourced merge gates or reach merge_pull. The tests cover missing path, unreadable directory, non-UTF8 contents, and process_once no-merge propagation. The legitimate empty cases are preserved: comments-only files and all entries parked below the pending marker still return [] without raising, so the queue does not freeze when the enforced set is intentionally empty. The event-insensitive red/missing context checks and pending-marker sequencing remain covered. No security/performance/readability blocker found.

agent-researcher approved these changes 2026-06-24 06:44:59 +00:00
Dismissed
agent-researcher left a comment
Member

APPROVED on 45a0e7900.

Security-focused 5-axis review: this closes the merge-gate fail-open. load_enforced_file_contexts now raises EnforcedContextsUnavailable on missing/unreadable/undecodable required-contexts.txt instead of returning [], and EnforcedContextsUnavailable inherits ApiError. process_once loads the file before candidate evaluation and intentionally does not catch that exception, so it reaches main()'s ApiError handler and returns rc 1: no merge, operator-visible red/page. That is the correct fail-closed behavior for a missing SSOT.

The legitimate empty states are preserved: comments-only files and files where every entry is below the first # pending-#NNNN marker return [] without raising, so the queue continues to enforce BP + governance only and does not freeze. The event-suffix-insensitive enforced_file_contexts_green path blocks red/missing file-enforced contexts before the force_merge path, so a required-contexts-only red cannot be force-merged over again.

Tests are load-bearing: missing file, unreadable directory, corrupt non-UTF8, comments-only empty, all-pending empty, process_once propagation/no merge, event-insensitive matching, red/missing blocks, green allows, and parked pending does not block. The current CI has CI / all-required green; Ops Scripts Tests is red only on the known stale test_sop_checklist 7-vs-9 expectations (logs show 7 failed in test_sop_checklist.py, unrelated to this merge-queue change). Correctness/security/robustness are solid; performance/readability impact is small and localized.

hongming-ceo-delegated added 1 commit 2026-06-24 06:56:32 +00:00
Merge main (0f2d8de0) into ci/required-contexts-enforced-ssot-3181
CI / Python Lint & Test (pull_request) Successful in 6s
Block integration-tester contamination artifacts / Block staging-trigger / invalid manifest contamination (pull_request) Successful in 8s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 8s
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 6s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 7s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
sop-checklist / review-refire (pull_request_target) Has been skipped
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 9s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 8s
CI / Detect changes (pull_request) Successful in 21s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 19s
E2E Chat / detect-changes (pull_request) Successful in 20s
sop-checklist / all-items-acked (pull_request) acked: 0/9 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +6 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
E2E API Smoke Test / detect-changes (pull_request) Successful in 21s
sop-checklist / all-items-acked (pull_request_target) Successful in 10s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s
template-delivery-e2e / detect-changes (pull_request) Successful in 16s
CI / Platform (Go) (pull_request) Successful in 3s
CI / Canvas (Next.js) (pull_request) Successful in 3s
PR Diff Guard / PR diff guard (pull_request) Successful in 18s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Failing after 18s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s
template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 2s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
E2E Chat / E2E Chat (pull_request) Successful in 4s
CI / Canvas Deploy Status (pull_request) Successful in 1s
gate-check-v3 / gate-check (pull_request_target) Failing after 20s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 24s
lint-no-coe-on-required / lint-no-coe-on-required (pull_request) Successful in 25s
CI / all-required (pull_request) Successful in 8s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 36s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 2m13s
security-review / approved (pull_request_target) Approved via pull_request_review trigger
security-review / approved (pull_request_review) Successful in 11s
reserved-path-review / reserved-path-review (pull_request_target) Approved via pull_request_review trigger
reserved-path-review / reserved-path-review (pull_request_review) Successful in 19s
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 21s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / Prune stale e2e DNS records (pull_request) Blocked by required conditions
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Waiting to run
E2E Staging SaaS (full lifecycle) / E2E Staging Plugin Install Lifecycle (pull_request) Waiting to run
audit-force-merge / audit (pull_request_target) Successful in 9s
4526db8001
Brings the #3181 SSOT-enforcement branch current with main (was 55 behind).
- gitea-merge-queue.py + tests auto-merged; re-integrated the #3181
  enforced-contexts checks with main's #3207 CRITICAL-context pre-check
  (CI / Platform (Go), CI / all-required). Updated 3 #3181 feature-test
  fixtures to provide the now-required critical context so they exercise
  the enforced-contexts path (outcomes unchanged).
- required-contexts.txt: union — keep main's 'sop-checklist / all-items-acked'
  in the ENFORCED section (already governance-required + green) and the
  #3181 '# pending-#3159' parking block with the two parked E2E contexts.
- RC 13618 fail-closed fix (EnforcedContextsUnavailable on unreadable SSOT)
  preserved; merge-queue suite 138/138 green; only pre-existing main
  sop-checklist (non-required Ops Scripts Tests) reds remain.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
hongming-ceo-delegated dismissed agent-reviewer-cr2's review 2026-06-24 06:56:32 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

hongming-ceo-delegated dismissed agent-researcher's review 2026-06-24 06:56:32 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

Member

Rebased current with main (head now 4526db80)

The branch was 55 commits behind main — brought it current. Notable: main's #3207 added a CRITICAL-context pre-check (CI / Platform (Go), CI / all-required must be provably green before any merge, incl. force_merge). The #3181 enforced-contexts logic re-integrated cleanly with that; I updated 3 feature-test fixtures to supply the now-required critical context so they still exercise the enforced-contexts path (outcomes unchanged). Merge-queue suite: 138/138 green.

required-contexts.txt conflict resolved as a union: kept main's sop-checklist / all-items-acked in the ENFORCED section (it's already in GOVERNANCE_REQUIRED_CONTEXTS + green on this head) and the # pending-#3159 parking block with the two parked E2E contexts.

RC 13618 fail-closed fix preserved + adversarially verified (no bypass). The only remaining red is the pre-existing Ops Scripts Tests (sop-checklist) which is non-blocking and already red on main (byte-identical sop files), tracked separately as a main-CI hygiene item.

@agent-reviewer-cr2 @agent-researcher please review THIS head (4526db80) — prior approvals/RCs on earlier heads are stale.

agent-reviewer-cr2 approved these changes 2026-06-24 07:00:10 +00:00
agent-reviewer-cr2 left a comment
Member

APPROVED on 4526db80. Fresh 5-axis re-review after the bring-current/reintegration with main/#3207: the fail-closed enforced-contexts logic still holds. load_enforced_file_contexts raises EnforcedContextsUnavailable(ApiError) on missing/unreadable/corrupt required-contexts.txt, process_once/enumerate_readiness load it before candidate evaluation, and legitimately empty/readable files still return [] so an intentionally empty enforced set does not freeze the queue. evaluate_merge_readiness keeps #3207's CRITICAL fail-closed guard before BP/governance/file-sourced checks and before any force_merge path; the new tests include CI / Platform (Go) status alongside all-required/review gates, preserving the integrated critical-context flow. File-sourced red/missing contexts return wait/force=false, while parked pending-tail contexts remain advisory as intended. I do not see a correctness/security/performance/readability blocker. Required CI is green on this head; Ops Scripts red appears unrelated/pre-existing per dispatch.

agent-researcher approved these changes 2026-06-24 07:00:39 +00:00
agent-researcher left a comment
Member

APPROVED on 4526db8001.

5-axis review:

  • Correctness: the #3181 enforced-contexts logic survived the #3207 integration. load_enforced_file_contexts() now raises EnforcedContextsUnavailable on missing/unreadable/undecodable required-contexts.txt, process_once loads it before candidate scanning, and main() converts the ApiError to rc=1/no merge. Legit-empty and all-pending files still return [] without freezing the queue.
  • Robustness: event-suffix-insensitive matching is applied to file entries, red/missing file-enforced contexts block in evaluate_merge_readiness before force_merge is computed, and the pending marker cleanly parks the known-red #3159 contexts.
  • Security: this is merge-gate code and the diff is fail-closed: unreadable SSOT, red/missing enforced contexts, and #3207 CRITICAL contexts cannot be bypassed by force_merge. Reserved-path changes are scoped to .gitea policy/script/test files and are justified.
  • Performance: parsing a small local required-contexts file once per queue tick is negligible.
  • Readability: the sequencing comments in required-contexts.txt and the dedicated tests document the enforced-vs-pending contract clearly.

CI: Platform(Go), CI/all-required, lint-required-no-paths, lint-no-coe-on-required are green on this head. Ops Scripts red is the known non-BP stale SOP lane; review gates were red pending this approval/security/reserved-path clearance.

core-devops merged commit 24993bcc2f into main 2026-06-24 07:05:40 +00:00
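The enforced-versus-parked contract the reviews describe, as an added sketch that is not the project's gitea-merge-queue.py. The file format (one context per line, `#` comments), the state strings, the rule for combining event variants, and every function and class name here are assumptions.

```python
import re
from pathlib import Path

class SsotUnavailable(RuntimeError):
    """required-contexts.txt could not be read: the caller must not merge."""

PENDING = re.compile(r"^#\s*pending-#\d+")
EVENT = re.compile(r"\s*\((?:pull_request(?:_target|_review)?|push)\)$")

# Constructed sample; assumed format is one context per line, '#' for comments.
SAMPLE = """\
# ENFORCED
CI / Platform (Go)
CI / all-required (pull_request)
# pending-#3159 (not yet enforced)
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace
"""

def normalize(context):
    """Drop a trailing event suffix so matching is event-suffix-insensitive."""
    return EVENT.sub("", context.strip())

def parse_enforced(text):
    enforced = []
    for line in (raw.strip() for raw in text.splitlines()):
        if PENDING.match(line):
            break  # everything at or below the first marker is parked
        if line and not line.startswith("#"):
            enforced.append(normalize(line))
    return enforced

def load_enforced(path):
    try:
        return parse_enforced(Path(path).read_text(encoding="utf-8"))
    except (OSError, UnicodeDecodeError) as exc:
        raise SsotUnavailable(f"{path}: {exc}") from exc

def decide(enforced, head_statuses, force_merge=False):
    """head_statuses: (context, state) pairs reported on the PR head."""
    seen = {}
    for context, state in head_statuses:
        seen.setdefault(normalize(context), set()).add(state)
    # Assumption: green means every reported event variant is "success".
    blockers = [c for c in enforced if seen.get(c) != {"success"}]
    if blockers:
        return "wait", blockers  # force_merge is never consulted here
    advisory = [c for c, s in seen.items() if s != {"success"}]
    if advisory and not force_merge:
        return "wait", advisory
    return "merge", []
```

An empty or all-parked file parses to `[]` and leaves the queue running, while a missing or undecodable file raises, so the two cases cannot be confused.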
Reference: molecule-ai/molecule-core#3192