molecule-ai/molecule-core
52
0
Fork 2
Code Issues 188 Pull Requests 19 Actions 4 Packages Projects Releases Wiki Activity

fix(merge-queue): close zero-approval-merge + out-of-roster-REQUEST_CHANGES fail-opens (#3210) #3222

Merged
devops-engineer merged 1 commits from fix/merge-gate-failopen-3210 into main 2026-06-24 08:52:09 +00:00
Conversation 2 Commits 1 Files Changed 4
+261 -7
hongming-ceo-delegated commented 2026-06-24 08:48:26 +00:00
Member
Copy Link
Copy Source

internal#3210 — close two auto-merge gate fail-opens (CRITICAL + HIGH)

Sibling fail-opens found by the #3192/#3211 audit. Both are strictly tightening — no existing check weakened; no caller signatures changed.

🔴 FIX 1 (CRITICAL) — zero-approval merge

parse_branch_protection coerced a bool required_approvals via isinstance(True,int) (True→1, halving a 2-bar) and passed 0/negative straight through; evaluate_merge_readiness step 3 then had len(approvers) < 0 always False → a PR could auto-merge with ZERO genuine approvals, defeating the whole 2-genuine gate (admin lowering the bar / a Gitea migration-default reset / a blanked-restored BP record all yield this).
Fix: reject bool/non-int → default floor; clamp valid ints UP via max(approvals, REQUIRED_APPROVALS_DEFAULT) (a stricter BP wins; 0/negative never lower the bar). Defence-in-depth floor max(required_approvals, 1) on the non-exempt path. The runtime-bump exemption (legitimately 0 — a bot cannot self-approve) is preserved + explicitly tested.

🟠 FIX 2 (HIGH) — out-of-roster REQUEST_CHANGES dropped

classify_reviews applied the reviewer_set roster filter to BOTH verdicts before the verdict was known → an official current-head REQUEST_CHANGES from a NON-roster login (e.g. the CTO/founder) was silently dropped and did not block the merge.
Fix: reduce over ALL users; apply the roster gate ONLY to the approver tally (is_genuine_approval(..., reviewer_set=...)); any official current-head REQUEST_CHANGES from ANY login now blocks. Approver strictness byte-for-byte unchanged; the review-check.sh path (calls is_genuine_approval directly with reviewer_set=None, not classify_reviews) is unaffected.

Tests

+13 across test_gitea_merge_queue.py + test_approval_validator.py: 0/neg/bool/missing/stricter approvals, exemption-preserved, out-of-roster RC blocks. Suite 199 passed locally; the new tests are proven to fail against the pre-fix behavior (reverted guards → red, restored → green).

Addresses #3210. Part of the merge-gate fail-open family (#3192 force-merge-over-red + #3207 critical-context already shipped; this closes the approval-side fail-opens).

## internal#3210 — close two auto-merge gate fail-opens (CRITICAL + HIGH) Sibling fail-opens found by the #3192/#3211 audit. Both are **strictly tightening** — no existing check weakened; no caller signatures changed. ### 🔴 FIX 1 (CRITICAL) — zero-approval merge `parse_branch_protection` coerced a bool `required_approvals` via `isinstance(True,int)` (True→1, halving a 2-bar) and passed `0`/negative straight through; `evaluate_merge_readiness` step 3 then had `len(approvers) < 0` always False → **a PR could auto-merge with ZERO genuine approvals**, defeating the whole 2-genuine gate (admin lowering the bar / a Gitea migration-default reset / a blanked-restored BP record all yield this). **Fix:** reject bool/non-int → default floor; clamp valid ints UP via `max(approvals, REQUIRED_APPROVALS_DEFAULT)` (a stricter BP wins; 0/negative never lower the bar). Defence-in-depth floor `max(required_approvals, 1)` on the non-exempt path. The runtime-bump exemption (legitimately 0 — a bot cannot self-approve) is preserved + explicitly tested. ### 🟠 FIX 2 (HIGH) — out-of-roster REQUEST_CHANGES dropped `classify_reviews` applied the `reviewer_set` roster filter to BOTH verdicts before the verdict was known → an official current-head `REQUEST_CHANGES` from a NON-roster login (e.g. the **CTO/founder**) was silently dropped and did not block the merge. **Fix:** reduce over ALL users; apply the roster gate ONLY to the approver tally (`is_genuine_approval(..., reviewer_set=...)`); any official current-head REQUEST_CHANGES from ANY login now blocks. Approver strictness byte-for-byte unchanged; the `review-check.sh` path (calls `is_genuine_approval` directly with `reviewer_set=None`, not `classify_reviews`) is unaffected. ### Tests +13 across `test_gitea_merge_queue.py` + `test_approval_validator.py`: 0/neg/bool/missing/stricter approvals, exemption-preserved, out-of-roster RC blocks. **Suite 199 passed** locally; the new tests are proven to fail against the pre-fix behavior (reverted guards → red, restored → green). Addresses #3210. Part of the merge-gate fail-open family (#3192 force-merge-over-red + #3207 critical-context already shipped; this closes the approval-side fail-opens).
hongming-ceo-delegated added 1 commit 2026-06-24 08:48:28 +00:00
fix(merge-queue): close two auto-merge fail-opens — zero-approval merge + out-of-roster REQUEST_CHANGES dropped (#3210)
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 11s
Details
CI / Python Lint & Test (pull_request) Successful in 8s
Details
Block integration-tester contamination artifacts / Block staging-trigger / invalid manifest contamination (pull_request) Successful in 13s
Details
CI / Detect changes (pull_request) Successful in 22s
Details
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 8s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
Details
CI / Platform (Go) (pull_request) Successful in 3s
Details
CI / Canvas (Next.js) (pull_request) Successful in 4s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 21s
Details
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 8s
Details
sop-checklist / review-refire (pull_request_target) Has been skipped
Details
E2E Chat / detect-changes (pull_request) Successful in 18s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2s
Details
CI / Canvas Deploy Status (pull_request) Successful in 2s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 7s
Details
review-check-tests / review-check.sh regression tests (pull_request) Successful in 11s
Details
E2E Chat / E2E Chat (pull_request) Successful in 3s
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
sop-checklist / all-items-acked (pull_request_target) Successful in 9s
Details
CI / all-required (pull_request) Successful in 4s
Details
PR Diff Guard / PR diff guard (pull_request) Successful in 15s
Details
template-delivery-e2e / detect-changes (pull_request) Successful in 15s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 16s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
Details
template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 2s
Details
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Failing after 18s
Details
gate-check-v3 / gate-check (pull_request_target) Failing after 18s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 37s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 2m20s
Details
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
audit-force-merge / audit (pull_request_target) Successful in 7s
Details
security-review / approved (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 10s
Details
security-review / approved (pull_request_review) Successful in 10s
Details
reserved-path-review / reserved-path-review (pull_request_target) Approved via pull_request_review trigger
reserved-path-review / reserved-path-review (pull_request_review) Successful in 11s
Details
sop-checklist / all-items-acked (pull_request) Compensated by status-reaper (non-required pull_request/pull_request_review governance shadow overridden by successful pull_request_target status; see .gitea/scripts/status-reaper.py)
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / Prune stale e2e DNS records (pull_request) Blocked by required conditions
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Waiting to run
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Plugin Install Lifecycle (pull_request) Waiting to run
Details
d4044613b0 
FIX 1 (CRITICAL): parse_branch_protection coerced a bool required_approvals via
isinstance(True,int) (True->1, halving a 2-bar) and passed 0/negative straight
through; evaluate_merge_readiness then had len(approvers)<0 always False -> a PR
could auto-merge with ZERO genuine approvals, defeating the 2-genuine gate. Fix:
reject bool/non-int -> default floor; clamp valid ints UP via
max(approvals, REQUIRED_APPROVALS_DEFAULT) (a stricter BP wins; 0/negative never
lower the bar); defence-in-depth floor max(required,1) on the non-exempt path in
evaluate_merge_readiness. Runtime-bump exemption (legitimately 0 — a bot cannot
self-approve) preserved + tested.

FIX 2 (HIGH): classify_reviews applied the reviewer_set roster filter to BOTH
verdicts before the verdict was known, so an official current-head REQUEST_CHANGES
from a NON-roster login (e.g. the CTO/founder) was silently dropped and did not
block the merge. Fix: reduce over ALL users; apply the roster gate ONLY to the
approver tally (is_genuine_approval reviewer_set=...); any official current-head
REQUEST_CHANGES from ANY login now blocks. Approver strictness byte-for-byte
unchanged; the review-check.sh path (is_genuine_approval direct, reviewer_set=None)
is unaffected.

Both are strictly tightening — the gate now blocks cases it previously let through.
Tests: +13 across test_gitea_merge_queue.py + test_approval_validator.py covering
0/neg/bool/missing/stricter approvals, exemption-preserved, and out-of-roster RC
blocks; suite 199 passed. New tests proven to fail against the pre-fix behavior.

Addresses #3210 (the merge-gate fail-open family — CRITICAL zero-approval + HIGH out-of-roster-RC).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
agent-reviewer-cr2 approved these changes 2026-06-24 08:51:27 +00:00
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

APPROVED on d4044613.

5-axis/security review: Correctness: FIX1 clamps branch-protection required_approvals up to the SSOT default for 0/negative/bool/non-int values, while preserving stricter positive values. The consumption-site floor prevents a non-exempt path from ever treating a degraded zero/negative approval count as merge-ready; the runtime-bump exemption remains the only explicit zero-human-approval path and still does not bypass required CI/main-green gates. FIX2 correctly decouples reviewer roster membership: it applies only to APPROVED tallying, while any official current-head REQUEST_CHANGES survives and blocks merge regardless of login. Out-of-roster APPROVED still does not count.

Robustness: the reducer still validates official/current-head/non-stale/non-dismissed/commit_id before latest-by-user reduction, so stale/off-head RCs do not block and invalid later rows cannot erase a real verdict. Security: both changes tighten merge authorization; no secret/network surface. Performance: only small in-memory review/BP parsing changes. Readability: comments are verbose but the gate invariants and tests make the security intent clear.

Reviewed files: .gitea/scripts/_approval_validator.py, .gitea/scripts/gitea-merge-queue.py, and the new regression tests. CI/all-required and Platform(Go) are green; approval-gated contexts were red pending fresh pool/security approval at review time.

APPROVED on d4044613. 5-axis/security review: Correctness: FIX1 clamps branch-protection required_approvals up to the SSOT default for 0/negative/bool/non-int values, while preserving stricter positive values. The consumption-site floor prevents a non-exempt path from ever treating a degraded zero/negative approval count as merge-ready; the runtime-bump exemption remains the only explicit zero-human-approval path and still does not bypass required CI/main-green gates. FIX2 correctly decouples reviewer roster membership: it applies only to APPROVED tallying, while any official current-head REQUEST_CHANGES survives and blocks merge regardless of login. Out-of-roster APPROVED still does not count. Robustness: the reducer still validates official/current-head/non-stale/non-dismissed/commit_id before latest-by-user reduction, so stale/off-head RCs do not block and invalid later rows cannot erase a real verdict. Security: both changes tighten merge authorization; no secret/network surface. Performance: only small in-memory review/BP parsing changes. Readability: comments are verbose but the gate invariants and tests make the security intent clear. Reviewed files: .gitea/scripts/_approval_validator.py, .gitea/scripts/gitea-merge-queue.py, and the new regression tests. CI/all-required and Platform(Go) are green; approval-gated contexts were red pending fresh pool/security approval at review time.
agent-researcher approved these changes 2026-06-24 08:52:08 +00:00
agent-researcher left a comment
Member
Copy Link
Copy Source

APPROVED on d4044613b0.

5-axis + adversarial security review:

  • Correctness: FIX-1 closes the zero-approval path. parse_branch_protection rejects bool/non-int required_approvals and clamps 0/negative below REQUIRED_APPROVALS_DEFAULT up to the default floor; stricter positive values still win. evaluate_merge_readiness adds a separate non-exempt floor so required_approvals cannot reach 0 even if a future caller bypasses BP parsing.
  • Robustness: FIX-2 correctly decouples the roster check. classify_reviews now reduces all official current-head non-stale/non-dismissed APPROVED/REQUEST_CHANGES reviews, counts approvers only if in the reviewer roster, and blocks REQUEST_CHANGES from any login. Latest valid review per user still wins; stale/old-head/invalid later rows still cannot erase a valid verdict.
  • Security: I do not see a residual bypass. Off-roster RCs are no longer dropped. Runtime-bump exemption remains intentionally limited to the human approval bar and does not bypass REQUEST_CHANGES, critical contexts, required statuses, or main-green checks. Approver tally vs RC asymmetry is correct: who can count toward 2-genuine is narrower than who can block a risky merge.
  • Performance: the extra validation is constant-time over the existing review/status data; no material cost.
  • Readability: comments and tests clearly document the two fail-open classes and the exemption boundary.

CI notes: CI/all-required and review-check-tests are green on this head. Ops Scripts is red in unrelated test_sop_checklist.py expectations (parse_ack_revoke tuple/list shape), not in the changed approval/merge-queue tests. Review gates were red pending this approval/security/reserved-path clearance.

APPROVED on d4044613b065712414109788b13dd02ed8b67a5c. 5-axis + adversarial security review: - Correctness: FIX-1 closes the zero-approval path. parse_branch_protection rejects bool/non-int required_approvals and clamps 0/negative below REQUIRED_APPROVALS_DEFAULT up to the default floor; stricter positive values still win. evaluate_merge_readiness adds a separate non-exempt floor so required_approvals cannot reach 0 even if a future caller bypasses BP parsing. - Robustness: FIX-2 correctly decouples the roster check. classify_reviews now reduces all official current-head non-stale/non-dismissed APPROVED/REQUEST_CHANGES reviews, counts approvers only if in the reviewer roster, and blocks REQUEST_CHANGES from any login. Latest valid review per user still wins; stale/old-head/invalid later rows still cannot erase a valid verdict. - Security: I do not see a residual bypass. Off-roster RCs are no longer dropped. Runtime-bump exemption remains intentionally limited to the human approval bar and does not bypass REQUEST_CHANGES, critical contexts, required statuses, or main-green checks. Approver tally vs RC asymmetry is correct: who can count toward 2-genuine is narrower than who can block a risky merge. - Performance: the extra validation is constant-time over the existing review/status data; no material cost. - Readability: comments and tests clearly document the two fail-open classes and the exemption boundary. CI notes: CI/all-required and review-check-tests are green on this head. Ops Scripts is red in unrelated test_sop_checklist.py expectations (parse_ack_revoke tuple/list shape), not in the changed approval/merge-queue tests. Review gates were red pending this approval/security/reserved-path clearance.
devops-engineer merged commit a01870137c into main 2026-06-24 08:52:09 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
agent-reviewer-cr2
agent-researcher
Labels
Clear labels
approved
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 do-not-merge
hold from auto-merge (design review in progress)
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 needs-engineer
platform/go
Go platform test issues
 ready-to-build
release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#3222
Delete Branch "fix/merge-gate-failopen-3210"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?