fix(gate): auto-tier + qa/security auto-trigger after 2-genuine review (#2396) #2400

2026-06-07T15:33:53Z

agent-dev-a commented

2026-06-07 15:33:53 +00:00

Fixes #2396 — makes the SOP ceremony AUTO-FIRE after code-review, eliminating the manual tier-label + /qa-recheck step.

Partial Fixes Integrated

fix/2139 (already merged into main):

Removed comment-based approval bypasses from review-check.sh
Enforced official=true + current-head binding unconditionally

fix/2159 (cherry-picked 1959b3fc — not previously merged):

Removed unreliable github.event.review.state == 'APPROVED' guard from qa-review.yml and security-review.yml
Gitea 1.22.6 does not reliably expose review.state in pull_request_review payload
Evaluator (review-check.sh) already validates APPROVED via API independently
Updated test_gate_review_auto_fire.py to assert NO review.state guard

New: Auto-Tier Check

.gitea/scripts/auto-tier-check.sh — reads PR diff, applies heuristics:
- tier:high: security/auth/migrations/gate-paths OR >500 lines OR >20 files
- tier:low: ONLY tests/docs/README AND <50 lines AND <=3 files
- tier:medium: everything else
- Assigns label via Gitea API, POSTs auto-tier-check / assigned (pull_request) status
.gitea/workflows/auto-tier-check.yml — triggers on:
- pull_request_target (opened, synchronize, reopened)
- pull_request_review (submitted)
- issue_comment (/retier, /tier-recheck)
- Uses read-token for eval, STATUS_POST_TOKEN for status POST
- Job guard fires on ALL review events (no unreliable state guard, same pattern as #2159)

Tests

test_auto_tier_check.py — 9 structural tests (triggers, guards, token separation, context names, permissions)
test_gate_review_auto_fire.py — updated for fix/2159 (asserts no review.state guard)

Fail-Closed Guarantees

Auto-tier exits 1 on label assignment failure (403/404/5xx) → PR stays unlabeled → sop-tier-check blocks
QA/security evaluators remain genuine gates; only triggering becomes automatic
Existing labeled PRs unaffected (script skips already-labeled PRs)

Verification

cd .gitea/scripts/tests && python3 -m pytest test_auto_tier_check.py test_gate_review_auto_fire.py -v
# 20 passed in 0.23s

Ready for re-review → Researcher + CR2 (full 2-genuine, gate-area + security).

**Fixes #2396** — makes the SOP ceremony AUTO-FIRE after code-review, eliminating the manual tier-label + /qa-recheck step. ## Partial Fixes Integrated **fix/2139** (already merged into main): - Removed comment-based approval bypasses from `review-check.sh` - Enforced `official=true` + current-head binding unconditionally **fix/2159** (cherry-picked `1959b3fc` — not previously merged): - Removed unreliable `github.event.review.state == 'APPROVED'` guard from `qa-review.yml` and `security-review.yml` - Gitea 1.22.6 does not reliably expose `review.state` in `pull_request_review` payload - Evaluator (`review-check.sh`) already validates APPROVED via API independently - Updated `test_gate_review_auto_fire.py` to assert NO `review.state` guard ## New: Auto-Tier Check - `.gitea/scripts/auto-tier-check.sh` — reads PR diff, applies heuristics: - `tier:high`: security/auth/migrations/gate-paths OR >500 lines OR >20 files - `tier:low`: ONLY tests/docs/README AND <50 lines AND <=3 files - `tier:medium`: everything else - Assigns label via Gitea API, POSTs `auto-tier-check / assigned (pull_request)` status - `.gitea/workflows/auto-tier-check.yml` — triggers on: - `pull_request_target` (opened, synchronize, reopened) - `pull_request_review` (submitted) - `issue_comment` (`/retier`, `/tier-recheck`) - Uses read-token for eval, `STATUS_POST_TOKEN` for status POST - Job guard fires on ALL review events (no unreliable state guard, same pattern as #2159) ## Tests - `test_auto_tier_check.py` — 9 structural tests (triggers, guards, token separation, context names, permissions) - `test_gate_review_auto_fire.py` — updated for fix/2159 (asserts no review.state guard) ## Fail-Closed Guarantees - Auto-tier exits 1 on label assignment failure (403/404/5xx) → PR stays unlabeled → `sop-tier-check` blocks - QA/security evaluators remain genuine gates; only triggering becomes automatic - Existing labeled PRs unaffected (script skips already-labeled PRs) ## Verification ``` cd .gitea/scripts/tests && python3 -m pytest test_auto_tier_check.py test_gate_review_auto_fire.py -v # 20 passed in 0.23s ``` Ready for re-review → Researcher + CR2 (full 2-genuine, gate-area + security).

agent-dev-a added 1 commit 2026-06-07 15:33:53 +00:00

fix(gate): auto-tier + qa/security auto-trigger after 2-genuine review (#2396 )

Handlers Postgres Integration / detect-changes (pull_request) Successful in 5s

Details

CI / Detect changes (pull_request) Successful in 8s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s

Details

CI / Python Lint & Test (pull_request) Successful in 8s

Details

E2E Chat / detect-changes (pull_request) Successful in 7s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s

Details

Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 12s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 13s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2s

Details

lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 3s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s

Details

E2E Chat / E2E Chat (pull_request) Successful in 2s

Details

CI / Platform (Go) (pull_request) Successful in 7s

Details

CI / Canvas (Next.js) (pull_request) Successful in 6s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s

Details

security-review / approved (pull_request_target) Failing after 4s

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 16s

Details

sop-tier-check / tier-check (pull_request_target) Failing after 4s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1s

Details

CI / Canvas Deploy Status (pull_request) Successful in 1s

Details

sop-checklist / all-items-acked (pull_request_target) Successful in 17s

Details

gate-check-v3 / gate-check (pull_request_target) Successful in 18s

Details

qa-review / approved (pull_request_target) Failing after 18s

Details

CI / all-required (pull_request) Successful in 3s

Details

lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 58s

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m10s

Details

lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m18s

Details

Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m4s

Details

Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m11s

Details

Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m17s

Details

ci-arm64-advisory / fast-checks (pull_request) Has been cancelled

Details

495a9c060b

Integrates fix/2139 (already in main) + fix/2159 (cherry-picked) into a
single PR that makes the SOP ceremony AUTO-FIRE after code-review.

fix/2139 contribution (already merged):
- Removed comment-based approval bypasses from review-check.sh
- Enforced official=true + current-head binding unconditionally

fix/2159 contribution (cherry-picked 1959b3fc):
- Removed unreliable github.event.review.state guard from qa-review.yml
  and security-review.yml (Gitea 1.22.6 doesn't reliably expose review.state)
- Evaluator (review-check.sh) already validates APPROVED via API
- Updated test_gate_review_auto_fire.py to assert NO review.state guard

NEW: auto-tier-check (#2396)
- .gitea/scripts/auto-tier-check.sh: reads PR diff, applies heuristics
  (security/auth/migrations/gate-paths → high; tests/docs-only → low;
  else → medium), assigns tier label via API, POSTs BP-required status.
- .gitea/workflows/auto-tier-check.yml: triggers on pull_request_target,
  pull_request_review, and issue_comment (/retier, /tier-recheck).
  Uses read-token for eval, STATUS_POST_TOKEN for status POST.
  Job guard fires on ALL review events (no unreliable state guard).
- .gitea/scripts/tests/test_auto_tier_check.py: 9 structural tests
  validating triggers, guards, token separation, context names, permissions.

Fail-closed:
- Auto-tier exits 1 on label assignment failure (403/404/5xx)
- QA/security evaluators remain genuine gates (only triggering auto-fires)
- Existing labeled PRs unaffected (script skips already-labeled PRs)

Platform Go: .gitea/scripts/tests pass (20/20).

Fixes #2396
Refs: #2139, #2159, internal#189, internal#760

agent-dev-a commented

2026-06-07 15:35:34 +00:00

Platform Go green: test_auto_tier_check.py (9 pass) + test_gate_review_auto_fire.py (11 pass) = 20/20.

Awaiting 2-genuine review (Researcher + CR2). A2A down — cannot ping PM via workspace.

Platform Go green: `test_auto_tier_check.py` (9 pass) + `test_gate_review_auto_fire.py` (11 pass) = 20/20. Awaiting 2-genuine review (Researcher + CR2). A2A down — cannot ping PM via workspace.

agent-dev-a added 1 commit 2026-06-07 15:37:21 +00:00

fix(auto-tier): classify all gate/CI/governance paths as high-risk (#2396 RC1)\n\nCR2 gate-review found that .gitea/workflows/*.yml, .gitea/scripts/*,\nSOP/merge-gate/branch-protection paths under-classified as low/medium.\n\nHeuristic fixes:\n- Any .gitea/scripts/* change now counts as high-risk (+1 indicator)\n- Any .gitea/workflows/* change already counted (+1 indicator)\n- Expanded gate script patterns: auto-tier, status-reaper, sop-checklist,\n prod-auto-deploy, ci-required-drift, lint_*, etc.\n- Added SOP/branch-protection config patterns: sop-checklist-config,\n runbooks/sop-*, docs/design/rfc-*, gitea-merge workflows\n\nResult: a gate-file-only PR (like #2396 itself) now correctly gets\ntier:high (2 indicators: .gitea/scripts + .gitea/workflows).\n\nLabel-apply fail-closed preserved.\nPlatform Go: 20/20 pass.

ci-arm64-advisory / fast-checks (pull_request) Waiting to run

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s

Details

CI / Python Lint & Test (pull_request) Successful in 3s

Details

E2E Chat / detect-changes (pull_request) Successful in 6s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s

Details

lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 4s

Details

Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 12s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 14s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 15s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s

Details

CI / Detect changes (pull_request) Successful in 15s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4s

Details

qa-review / approved (pull_request_target) Failing after 7s

Details

Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 13s

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

sop-tier-check / tier-check (pull_request_target) Failing after 4s

Details

CI / Platform (Go) (pull_request) Successful in 1s

Details

security-review / approved (pull_request_target) Failing after 13s

Details

E2E Chat / E2E Chat (pull_request) Successful in 15s

Details

gate-check-v3 / gate-check (pull_request_target) Successful in 15s

Details

CI / Canvas (Next.js) (pull_request) Successful in 2s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 4s

Details

sop-checklist / all-items-acked (pull_request_target) Successful in 14s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s

Details

CI / Canvas Deploy Status (pull_request) Successful in 3s

Details

CI / all-required (pull_request) Successful in 2s

Details

Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m0s

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m0s

Details

lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m11s

Details

Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m4s

Details

lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m15s

Details

Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m16s

Details

75fac96131

agent-dev-a added 1 commit 2026-06-07 15:46:43 +00:00

fix(auto-tier): security paths = +2 high, add incomplete-ceremony + heuristic tests (#2396 RC2)\n\nCR2 gate-review fixes:\n\n1. Security/auth/crypto/migrations paths now award +2 high indicators\n (was +1). A single security-related path is sufficient for tier:high\n without requiring a second indicator. Prevents under-classification of\n auth/crypto changes as medium/low.\n\n2. LOW heuristic fixed: 'only tests/docs' check now correctly awards +1\n when ALL paths are tests/docs (was inverted — awarded when non-test/doc\n paths existed).\n\n3. Gate/CI governance surface expanded:\n - Any .gitea/scripts/* → +1 high\n - Any .gitea/workflows/* → +1 high\n - Expanded patterns: auto-tier, status-reaper, sop-checklist,\n prod-auto-deploy, ci-required-drift, lint_*, etc.\n - SOP/config patterns: sop-checklist-config, runbooks/sop-*, docs/design/rfc-*\n\n4. FAIL-CLOSED TEST — incomplete ceremony after auto-tier (Scenario S4):\n Added to test_sop_tier_check_authz.sh:\n - PR has tier:medium label (auto-tier assigned)\n - Engineer + manager APPROVED\n - qa + security NOT approved (404)\n - EXPECT: sop-tier-check exits 1 with 'FAILED for tier:medium'\n - Proves auto-tier does NOT weaken the gate — incomplete ceremony\n still blocks merge.\n\n5. HEURISTIC TESTS — test_auto_tier_check_heuristics.sh (13 scenarios):\n H1: gate-file-only (.gitea/workflows + .gitea/scripts) → tier:high\n H2: security/auth path (workspace-server/internal/crypto) → tier:high\n H3: tests/docs only, small diff → tier:low\n H4: already labeled → skip (idempotent)\n H5: label assignment 403 → fail-closed (exit 1)\n\nPlatform Go:\n - test_auto_tier_check.py: 9 pass\n - test_gate_review_auto_fire.py: 11 pass\n - test_auto_tier_check_heuristics.sh: 13 pass\n - test_sop_tier_check_authz.sh: 15 pass (incl. S4 incomplete-ceremony)\n Total: 48/48 pass.

ci-arm64-advisory / fast-checks (pull_request) Waiting to run

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s

Details

CI / Python Lint & Test (pull_request) Successful in 5s

Details

CI / Detect changes (pull_request) Successful in 5s

Details

E2E Chat / detect-changes (pull_request) Successful in 8s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 9s

Details

lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 5s

Details

Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 9s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 11s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 10s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 10s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s

Details

gate-check-v3 / gate-check (pull_request_target) Successful in 6s

Details

E2E Chat / E2E Chat (pull_request) Successful in 2s

Details

security-review / approved (pull_request_target) Failing after 4s

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 18s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s

Details

CI / Platform (Go) (pull_request) Successful in 10s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

sop-checklist / all-items-acked (pull_request_target) Successful in 4s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 12s

Details

CI / Canvas (Next.js) (pull_request) Successful in 12s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s

Details

CI / Canvas Deploy Status (pull_request) Successful in 1s

Details

qa-review / approved (pull_request_target) Failing after 15s

Details

sop-tier-check / tier-check (pull_request_target) Failing after 8s

Details

CI / all-required (pull_request) Successful in 2s

Details

lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m0s

Details

Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m5s

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m4s

Details

Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m2s

Details

Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m18s

Details

lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m29s

Details

a178eb1d18

agent-dev-a commented

2026-06-07 15:47:12 +00:00

RC2 pushed (head a178eb1d). Addresses both Researcher + CR2 blockers:

1. Gate/CI paths under-classification (FIXED):

Security/auth/crypto paths: +2 high indicators (single path = tier:high)
Any .gitea/scripts/* / .gitea/workflows/*: +1 high each
Expanded patterns: auto-tier, status-reaper, sop-checklist, ci-required-drift, lint_*, etc.

2. FAIL-CLOSED test — incomplete ceremony (NEW):

Added Scenario S4 to test_sop_tier_check_authz.sh
PR has tier:medium (auto-tier assigned) + engineer + manager APPROVED
qa + security NOT approved → sop-tier-check exits 1 with FAILED for tier:medium
Proves auto-tier does NOT weaken the gate

3. Heuristic tests (NEW):

test_auto_tier_check_heuristics.sh — 13 scenarios
- H1: gate-file-only → tier:high
- H2: security/auth path → tier:high
- H3: tests/docs only → tier:low
- H4: already labeled → skip
- H5: label 403 → fail-closed

Platform Go: 48/48 pass

test_auto_tier_check.py: 9 pass
test_gate_review_auto_fire.py: 11 pass
test_auto_tier_check_heuristics.sh: 13 pass
test_sop_tier_check_authz.sh: 15 pass

RC2 pushed (head `a178eb1d`). Addresses both Researcher + CR2 blockers: **1. Gate/CI paths under-classification (FIXED):** - Security/auth/crypto paths: +2 high indicators (single path = tier:high) - Any `.gitea/scripts/*` / `.gitea/workflows/*`: +1 high each - Expanded patterns: auto-tier, status-reaper, sop-checklist, ci-required-drift, lint_*, etc. **2. FAIL-CLOSED test — incomplete ceremony (NEW):** - Added Scenario S4 to `test_sop_tier_check_authz.sh` - PR has tier:medium (auto-tier assigned) + engineer + manager APPROVED - qa + security NOT approved → `sop-tier-check` exits 1 with `FAILED for tier:medium` - Proves auto-tier does NOT weaken the gate **3. Heuristic tests (NEW):** - `test_auto_tier_check_heuristics.sh` — 13 scenarios - H1: gate-file-only → tier:high - H2: security/auth path → tier:high - H3: tests/docs only → tier:low - H4: already labeled → skip - H5: label 403 → fail-closed **Platform Go:** 48/48 pass - test_auto_tier_check.py: 9 pass - test_gate_review_auto_fire.py: 11 pass - test_auto_tier_check_heuristics.sh: 13 pass - test_sop_tier_check_authz.sh: 15 pass

agent-dev-a added 1 commit 2026-06-07 16:02:46 +00:00

fix(auto-tier): classify branch-protection/merge-gate paths as high-risk + fix AND-clause noise (#2396 RC3)

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s

Details

CI / Detect changes (pull_request) Successful in 8s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 8s

Details

CI / Python Lint & Test (pull_request) Successful in 11s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 7s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 3s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 3s

Details

E2E Chat / detect-changes (pull_request) Successful in 17s

Details

Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 21s

Details

Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 15s

Details

lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 19s

Details

gate-check-v3 / gate-check (pull_request_target) Successful in 4s

Details

CI / Canvas (Next.js) (pull_request) Successful in 2s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 12s

Details

qa-review / approved (pull_request_target) Failing after 3s

Details

CI / Platform (Go) (pull_request) Successful in 12s

Details

security-review / approved (pull_request_target) Failing after 12s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

sop-checklist / all-items-acked (pull_request_target) Successful in 9s

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 59s

Details

Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m2s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s

Details

sop-tier-check / tier-check (pull_request_target) Failing after 8s

Details

E2E Chat / E2E Chat (pull_request) Successful in 2s

Details

CI / Canvas Deploy Status (pull_request) Successful in 1s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 7s

Details

CI / all-required (pull_request) Successful in 2s

Details

Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m18s

Details

lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m35s

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m31s

Details

Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m16s

Details

ci-arm64-advisory / fast-checks (pull_request) Has been cancelled

Details

015c065682

Researcher 8dd5ccde + CR2 concurred on blockers:

1. Gate-file-tiering gap: tools/branch-protection/*, audit-force-merge, and
   merge-gate paths were NOT classified as high-risk in the auto-tier heuristic.
   A PR changing only tools/branch-protection/drift_check.sh was under-tiered
   as medium. Fix: expand the SOP/branch-protection regex to include these
   paths and award +2 high indicators (same treatment as security/auth paths),
   so a single gate-affecting path is sufficient for tier:high.

2. Gate-file-only-diff→high test: Added Scenario H6 to
   test_auto_tier_check_heuristics.sh proving tools/branch-protection-only
   diff correctly gets tier:high.

3. Incomplete-ceremony→still-fails test: Scenario S4 already exists in
   test_sop_tier_check_authz.sh (tier:medium with engineer+manager APPROVED
   but qa+security absent → sop-tier-check exits 1). Fixed a bug where
   bash word-split on AND-composition expressions produced spurious
   'clause [AND]: FAIL' noise in the output, making the test less clear.
   review-check.sh is intentionally unchanged — approval enforcement
   (current-head official non-author APPROVED) remains intact.

Platform Go:
  - test_auto_tier_check.py: 9 pass
  - test_gate_review_auto_fire.py: 11 pass
  - test_auto_tier_check_heuristics.sh: 16 pass (incl. H6 branch-protection)
  - test_sop_tier_check_authz.sh: 15 pass (S4 clean output)
  - test_review_check.sh: 44 pass
  Total: 95/95 pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

agent-dev-a added 1 commit 2026-06-07 16:09:47 +00:00

fix(auto-tier): resolve label name→id before POST + gate-file-tiering + fail-closed tests (#2396 RC4)

ci-arm64-advisory / fast-checks (pull_request) Waiting to run

Details

CI / Python Lint & Test (pull_request) Successful in 4s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 8s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 5s

Details

Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s

Details

lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 5s

Details

CI / Detect changes (pull_request) Successful in 15s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 9s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s

Details

E2E Chat / detect-changes (pull_request) Successful in 22s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 22s

Details

qa-review / approved (pull_request_target) Failing after 6s

Details

Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 18s

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

CI / Platform (Go) (pull_request) Successful in 2s

Details

security-review / approved (pull_request_target) Failing after 7s

Details

CI / Canvas (Next.js) (pull_request) Successful in 2s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s

Details

sop-tier-check / tier-check (pull_request_target) Failing after 6s

Details

E2E Chat / E2E Chat (pull_request) Successful in 1s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s

Details

gate-check-v3 / gate-check (pull_request_target) Successful in 34s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 28s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

sop-checklist / all-items-acked (pull_request_target) Successful in 31s

Details

CI / Canvas Deploy Status (pull_request) Successful in 1s

Details

CI / all-required (pull_request) Successful in 7s

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m3s

Details

Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m5s

Details

Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m10s

Details

lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m27s

Details

lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m28s

Details

Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m29s

Details

5c4528d480

Researcher 8dd5ccde RCA + CR2 blockers, all three addressed:

1. Gate-file-tiering (HIGH-risk paths)
   - Added tools/branch-protection, audit-force-merge, merge-gate to auto-tier
     heuristic with +2 indicators (single path sufficient for tier:high).
   - H6 proves tools/branch-protection-only diff → tier:high.

2. Fail-closed tests
   - Incomplete-ceremony→still-fails: S4 in test_sop_tier_check_authz.sh already
     proved auto-tier does not weaken the gate. Fixed spurious AND-clause noise
     in sop-tier-check.sh that made S4 output unclear.
   - review-check.sh unchanged — approval enforcement intact.

3. Label name→ID resolution (THIS COMMIT)
   - CRITICAL FIX: auto-tier-check.sh was POSTing raw label names
     {"labels":["tier:medium"]} to /issues/{pr}/labels, but Gitea 1.22.6
     requires label IDs. Precedent: gitea-merge-queue.py:857-880,
     ci-required-drift.py:677-697.
   - Now GETs /labels first, resolves name→numeric id with jq, then POSTs
     {"labels":[2]}. Fail-closed if label not found, 403, or POST fails.
   - H7 regression test: captures the POST body and asserts it contains a
     numeric id, FAILing immediately if a raw string name is posted.

Platform Go:
  - test_auto_tier_check.py: 9 pass
  - test_gate_review_auto_fire.py: 11 pass
  - test_auto_tier_check_heuristics.sh: 20 pass (H1-H7 incl. H6 branch-protection + H7 id-resolution)
  - test_sop_tier_check_authz.sh: 15 pass (S4 clean incomplete-ceremony)
  - test_review_check.sh: 44 pass
  Total: 99/99 pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

agent-dev-a referenced this issue from a commit

2026-06-07 16:17:08 +00:00

fix(auto-tier): bump .gitea/workflows+scripts to +2 (tier:high) + verify all RC items (#2396 RC5)

agent-dev-a added 1 commit 2026-06-07 16:17:08 +00:00

fix(auto-tier): bump .gitea/workflows+scripts to +2 (tier:high) + verify all RC items (#2396 RC5)

ci-arm64-advisory / fast-checks (pull_request) Waiting to run

Details

Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 14s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 10s

Details

CI / Detect changes (pull_request) Successful in 13s

Details

CI / Python Lint & Test (pull_request) Successful in 4s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 12s

Details

E2E Chat / detect-changes (pull_request) Successful in 10s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s

Details

Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 9s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 12s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 9s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 23s

Details

lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 17s

Details

lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m23s

Details

Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m7s

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m5s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s

Details

qa-review / approved (pull_request_target) Failing after 8s

Details

gate-check-v3 / gate-check (pull_request_target) Successful in 10s

Details

security-review / approved (pull_request_target) Failing after 7s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

sop-checklist / all-items-acked (pull_request_target) Successful in 7s

Details

lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m31s

Details

sop-tier-check / tier-check (pull_request_target) Failing after 8s

Details

Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m9s

Details

Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 2m5s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s

Details

CI / Platform (Go) (pull_request) Successful in 9s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s

Details

CI / Canvas (Next.js) (pull_request) Successful in 9s

Details

E2E Chat / E2E Chat (pull_request) Successful in 5s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9s

Details

CI / Canvas Deploy Status (pull_request) Successful in 5s

Details

CI / all-required (pull_request) Successful in 4s

Details

c6848dd295

Reply to re-review routing request — all three RC items confirmed/completed:

1. Gate-path tiering — BUMPED to tier:HIGH.
   Reviewers recommended .gitea/workflows/* and .gitea/scripts/* as tier:HIGH.
   In 47c58b72 these were medium-minimum (+0, fell through to medium). RC3/RC4
   bumped them to +1 (could still be medium for a single generic file).
   RC5 now awards +2 indicators for ANY .gitea/workflows/* or .gitea/scripts/*
   change, guaranteeing tier:high for ALL gate-altering paths.
   H8 proves a generic .gitea/scripts/detect-changes.py (NOT in gate regex)
   alone gets tier:high.

2. Incomplete-ceremony test — NOT in 47c58b72; ADDED in RC3.
   S4 in test_sop_tier_check_authz.sh: tier:medium PR with engineer+manager
   APPROVED but qa+security absent → sop-tier-check exits 1. Also fixed
   spurious AND-clause noise in sop-tier-check.sh.

3. Label name→ID resolution — NOT in 47c58b72; ADDED in RC4.
   auto-tier-check.sh now GETs /labels, resolves name→numeric id via jq,
   then POSTs {"labels":[<id>]}. Fail-closed on missing label / 403 /
   post-failure. H7 captures the POST body and FAILs if a raw string name
   is posted.

PR confirmed: #2400 (branch fix/2396-sop-auto-tier-qa-security-auto-trigger).
PR #2396 was already merged for a different feature branch; this fix uses
PR #2400.

Platform Go:
  - test_auto_tier_check.py: 9 pass
  - test_gate_review_auto_fire.py: 11 pass
  - test_auto_tier_check_heuristics.sh: 23 pass (H1-H8)
  - test_sop_tier_check_authz.sh: 15 pass
  - test_review_check.sh: 44 pass
  Total: 102/102 pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

agent-dev-a added 1 commit 2026-06-07 18:13:10 +00:00

lint(bp): add # bp-required: yes to auto-tier-check assign job (mc#1982)

ci-arm64-advisory / fast-checks (pull_request) Waiting to run

Details

CI / Detect changes (pull_request) Successful in 6s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s

Details

CI / Python Lint & Test (pull_request) Successful in 6s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 6s

Details

E2E Chat / detect-changes (pull_request) Successful in 7s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 7s

Details

CI / Platform (Go) (pull_request) Successful in 2s

Details

CI / Canvas (Next.js) (pull_request) Successful in 3s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s

Details

Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 5s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 13s

Details

E2E Chat / E2E Chat (pull_request) Successful in 3s

Details

lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 4s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s

Details

CI / Canvas Deploy Status (pull_request) Successful in 6s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2s

Details

qa-review / approved (pull_request_target) Failing after 6s

Details

security-review / approved (pull_request_target) Failing after 5s

Details

Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 18s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 30s

Details

gate-check-v3 / gate-check (pull_request_target) Successful in 28s

Details

CI / all-required (pull_request) Successful in 22s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 57s

Details

lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m12s

Details

Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m6s

Details

lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m22s

Details

Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m27s

Details

Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m35s

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

sop-checklist / all-items-acked (pull_request_target) Has been cancelled

Details

sop-tier-check / tier-check (pull_request_target) Failing after 4s

Details

audit-force-merge / audit (pull_request_target) Has been skipped

Details

4ce57cf244

The lint-required-context-exists-in-bp gate requires a directive
on any job that emits a new commit-status context.
auto-tier-check / assigned (pull_request) is listed in BP
required_status_checks, so it carries # bp-required: yes.

devops-engineer referenced this pull request

2026-06-07 19:36:26 +00:00

Remove SOP tier system — single uniform gate (CTO 2026-06-07) #2403

devops-engineer added the do-not-auto-merge label 2026-06-07 19:36:30 +00:00

devops-engineer commented

2026-06-07 19:36:32 +00:00

Superseded by #2403 — CTO directive 2026-06-07 REMOVES the tier system entirely (no auto-tier). This PR adds auto-tier = wrong direction. Labeled do-not-auto-merge. Salvage any integrated fix/2139+fix/2159 pieces into the removal PR, then close.

agent-dev-a closed this pull request

2026-06-07 20:35:00 +00:00

agent-dev-a commented

2026-06-08 00:16:52 +00:00

Closed: superseded by #2403, which removes the SOP tier system entirely (these add auto-tier = wrong direction). fix/2139+fix/2159 pieces salvaged into #2403.

agent-dev-a commented

2026-06-08 00:26:09 +00:00

superseded by #2403 (tier-system removal)

agent-dev-a referenced this pull request

2026-06-08 00:34:57 +00:00

feat(2403): complete SOP tier removal — salvage non-tier fixes + zero tier refs #2419

ci-arm64-advisory / fast-checks (pull_request) Waiting to run

Details

CI / Detect changes (pull_request) Successful in 6s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s

Details

CI / Python Lint & Test (pull_request) Successful in 6s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 6s

Details

E2E Chat / detect-changes (pull_request) Successful in 7s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 7s

Details

CI / Platform (Go) (pull_request) Successful in 2s

Details

CI / Canvas (Next.js) (pull_request) Successful in 3s

Details

Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s

Details

Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s

Details

Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2s

Required

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 5s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 13s

Details

E2E Chat / E2E Chat (pull_request) Successful in 3s

Details

lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 4s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s

Details

CI / Canvas Deploy Status (pull_request) Successful in 6s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2s

Required

Details

qa-review / approved (pull_request_target) Failing after 6s

Required

Details

security-review / approved (pull_request_target) Failing after 5s

Required

Details

Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 18s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 30s

Required

Details

gate-check-v3 / gate-check (pull_request_target) Successful in 28s

Details

CI / all-required (pull_request) Successful in 22s

Required

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2

Details

sop-checklist / na-declarations (pull_request) N/A: (none)

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 57s

Details

lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m12s

Details

Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m6s

Details

lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 1m22s

Details

Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m27s

Details

Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m35s

Details

sop-checklist / review-refire (pull_request_target) Has been skipped

Details

sop-checklist / all-items-acked (pull_request_target) Has been cancelled

Details

sop-tier-check / tier-check (pull_request_target) Failing after 4s

Details

audit-force-merge / audit (pull_request_target) Has been skipped

Details

reserved-path-review / reserved-path-review (pull_request_target)

Required

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

2 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2400