From 5c829c60c98c0a1c2c60cd7f9b6f0d7d03fba30e Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Wed, 27 May 2026 14:36:38 +0000
Subject: [PATCH 1/2] fix(ci): distinguish all-403 token-provisioning failures in review-check.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the Gitea token owner is not a member of the qa/security team, every team-membership probe returns 403. Previously the final error message said "none are in team", which misled ops into verifying the team roster when the real issue was token provisioning (Bug C).

Add tracking for all-403 vs mixed-response scenarios. When every candidate returns 403, emit an explicit error naming the root cause and the remediation (add token owner to team or switch tokens).

No behavior change — still fail-closed; only the diagnostic message is improved.

Co-Authored-By: Claude Opus 4.7
---
 .gitea/scripts/review-check.sh | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/.gitea/scripts/review-check.sh b/.gitea/scripts/review-check.sh
index a63c983ee..86b78febd 100755
--- a/.gitea/scripts/review-check.sh
+++ b/.gitea/scripts/review-check.sh
@@ -296,7 +296,15 @@ fi
 # 403 → token owner is not in this team (Gitea 1.22.6 'Must be a team
 # member' constraint — see follow-up issue for token-provisioning)
 # 404 → not a member
+# Track whether every candidate returned 403 (token owner not in team).
+# When this happens the root cause is a token-provisioning issue, not a
+# reviewer-eligibility issue — surface it clearly so ops don't waste time
+# verifying team roster (Bug C / RFC#324 follow-up).
+_ALL_CANDIDATES_403="yes"
+_CANDIDATE_COUNT=0
+
 for U in $CANDIDATES; do
+    _CANDIDATE_COUNT=$((_CANDIDATE_COUNT + 1))
 CODE=$(curl -sS -o "$TEAM_PROBE_TMP" -w '%{http_code}' \
 -K "$CURL_AUTH_FILE" "${API}/teams/${TEAM_ID}/members/${U}")
 debug "probe ${U} in team ${TEAM} (id=${TEAM_ID}) → HTTP ${CODE}"
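Review bot: `_ALL_CANDIDATES_403` starts at "yes" and depends on every non-403 arm of the probe `case` (second hunk, lines 325+) resetting it, so any arm that is not touched — the arm ending in `continue ;;` at the top of that hunk, whatever its label is, and any arm added later — leaves the flag at "yes" and can misreport a mixed response as an all-403 provisioning failure. Counting positively is more robust: initialise `_FORBIDDEN_COUNT=0` next to `_CANDIDATE_COUNT=0`, add `_FORBIDDEN_COUNT=$((_FORBIDDEN_COUNT + 1))` in the 403 arm, and test `[ "$_CANDIDATE_COUNT" -gt 0 ] && [ "$_FORBIDDEN_COUNT" -eq "$_CANDIDATE_COUNT" ]` at the end; the "no" resets in the 404 and `*)` arms are then unnecessary. The 403 arm itself is not visible in either hunk, so its shape is inferred from the comment above the loop; the rest of the loop body also continues past this hunk.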
@@ -317,14 +325,20 @@ for U in $CANDIDATES; do
 continue
 ;;
 404)
+    _ALL_CANDIDATES_403="no"
 debug "${U} not a member of ${TEAM}"
 ;;
 *)
+    _ALL_CANDIDATES_403="no"
 echo "::warning::team-probe for ${U} in ${TEAM} returned unexpected HTTP ${CODE}"
 cat "$TEAM_PROBE_TMP" >&2
 ;;
 esac
 done
-echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (candidates: $(echo "$CANDIDATES" | tr '\n' ',' | sed 's/,$//') — none are in team)"
+if [ "$_ALL_CANDIDATES_403" = "yes" ] && [ "$_CANDIDATE_COUNT" -gt 0 ]; then
+    echo "::error::${TEAM}-review FAILED — every candidate returned 403 (token owner is not a member of the ${TEAM} team). This is a TOKEN PROVISIONING issue, not a reviewer-eligibility issue. Add the token owner to the '${TEAM}' Gitea team (id=${TEAM_ID}) or use a token whose owner is already in that team."
+else
+    echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (candidates: $(echo "$CANDIDATES" | tr '\n' ',' | sed 's/,$//') — none are in team)"
+fi
 exit 1
--
2.52.0

From 99b7d21a480d0f52504dc0a29aa0cf31e414a90f Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Wed, 27 May 2026 14:44:14 +0000
Subject: [PATCH 2/2] docs(sop-checklist): sync issue_comment trigger comment with workflow reality
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The sop-checklist.yml workflow subscribes only to issue_comment:[created] (consolidated in PR #1345 / issue #1280 to reduce runner-slot occupancy). The script header still claimed [created, edited, deleted], which could mislead future maintainers into thinking edited/deleted events are handled.

No behavior change — comment-only.

Co-Authored-By: Claude Opus 4.7
---
 .gitea/scripts/sop-checklist.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitea/scripts/sop-checklist.py b/.gitea/scripts/sop-checklist.py
index 28573cf4a..26c68cbf1 100644
--- a/.gitea/scripts/sop-checklist.py
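Review bot: The new all-403 branch states the root cause as a fact ("token owner is not a member") and directs ops to change team membership, but the status code alone does not establish that — a Gitea token that lacks the scope the endpoint needs can also answer 403 — and the response body that would distinguish the two is only printed on the `*)` arm. The last probe's body is still in `$TEAM_PROBE_TMP` when the loop ends, so add `cat "$TEAM_PROBE_TMP" >&2` after the new `echo "::error::${TEAM}-review FAILED …"` line and soften the text to "most likely a token-provisioning issue (membership or token scope)" so the diagnosis can be checked against Gitea's own message. Fail-closed behaviour (`exit 1` on both branches) is preserved. The setup of `CANDIDATES` and `TEAM_PROBE_TMP`, and the earlier `case` arms, lie outside this hunk.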
+++ b/.gitea/scripts/sop-checklist.py
@@ -6,8 +6,8 @@
 # RFC#351 Step 2 of 6 (implementation MVP).
 #
 # Invoked by .gitea/workflows/sop-checklist.yml on:
-#   - pull_request_target: [opened, edited, synchronize, reopened]
-#   - issue_comment: [created, edited, deleted]
+#   - pull_request_target: [opened, edited, synchronize, reopened, labeled, unlabeled]
+#   - issue_comment: [created] # edited/deleted omitted (Gitea 1.22.6 job-parsing quirk)
 #
 # Flow:
 #   1. Load .gitea/sop-checklist-config.yaml (from BASE ref — trusted).
--
2.52.0
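Review bot: The `pull_request_target` line also gains `labeled, unlabeled`, which neither the subject nor the description mentions — both cover only the `issue_comment` change. If the workflow really subscribes to those two events, say so in the description so the header's claim stays traceable to the workflow it documents; if it does not, the new comment is as misleading as the one it replaces. The `# edited/deleted omitted (…)` aside would also be easier to follow up if it pointed at where the quirk is tracked, the way the review-check.sh comment points at a follow-up issue.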