cleveragents/cleveragents-core
cleveragents/cleveragents-core
4
0
Fork 3
Code Issues 6.0k Pull requests 115 Projects Releases Packages Wiki Activity Actions

chore(deps): upgrade PyYAML to address known security vulnerability #11078

Closed
HAL9000 wants to merge 2 commits from fix/pyyaml-security-upgrade into master
pull from: fix/pyyaml-security-upgrade
merge into: cleveragents:master
Conversation 4 Commits 2 Files changed 6 +139 -2
HAL9000 commented 2026-05-09 07:32:59 +00:00
Owner
Copy link

Summary

  • Upgraded PyYAML from optional transitive dependency to explicit direct dependency with version >=6.0.2
  • Addresses CVE-2020-14343 (arbitrary code execution via malicious YAML payloads)
  • Added BDD test coverage for YAML security validation
  • Updated CHANGELOG.md and CONTRIBUTORS.md as required by PR compliance checklist

Checklist

  • CHANGELOG.md update under [Unreleased]/### Security section
  • CONTRIBUTORS.md updated with contribution entry
  • Commit footer includes ISSUES CLOSED: #9244
  • CI passes (pending merge to master branch for CI validation)
  • BDD/Behave tests added (features/pyyaml_security.feature)
  • Epic reference: This is part of the dependency management initiative
  • Labels assigned via forgejo-label-manager
  • Milestone assigned

Type

This is a chore change — dependency upgrade to address known security vulnerability.

Closes #9244.

## Summary - Upgraded PyYAML from optional transitive dependency to explicit direct dependency with version >=6.0.2 - Addresses CVE-2020-14343 (arbitrary code execution via malicious YAML payloads) - Added BDD test coverage for YAML security validation - Updated CHANGELOG.md and CONTRIBUTORS.md as required by PR compliance checklist ## Checklist - [x] CHANGELOG.md update under [Unreleased]/### Security section - [x] CONTRIBUTORS.md updated with contribution entry - [x] Commit footer includes ISSUES CLOSED: #9244 - [ ] CI passes (pending merge to master branch for CI validation) - [x] BDD/Behave tests added (features/pyyaml_security.feature) - [x] Epic reference: This is part of the dependency management initiative - [ ] Labels assigned via forgejo-label-manager - [ ] Milestone assigned ## Type This is a **chore** change — dependency upgrade to address known security vulnerability. Closes #9244.
HAL9000 added this to the v3.2.0 milestone 2026-05-09 07:40:21 +00:00
chore(deps): upgrade PyYAML to address known security vulnerability
Some checks failed
CI / benchmark-publish (pull_request) Has been skipped
Details
CI / push-validation (pull_request) Successful in 41s
Details
CI / lint (pull_request) Successful in 1m8s
Details
CI / build (pull_request) Successful in 1m6s
Details
CI / helm (pull_request) Successful in 56s
Details
CI / benchmark-regression (pull_request) Failing after 1m21s
Details
CI / quality (pull_request) Successful in 1m46s
Details
CI / typecheck (pull_request) Successful in 1m50s
Details
CI / security (pull_request) Successful in 1m50s
Details
CI / unit_tests (pull_request) Failing after 4m14s
Details
CI / e2e_tests (pull_request) Successful in 4m12s
Details
CI / coverage (pull_request) Has been skipped
Details
CI / docker (pull_request) Has been skipped
Details
CI / integration_tests (pull_request) Successful in 4m28s
Details
CI / status-check (pull_request) Failing after 8s
Details
c11bc23bd6 
Add explicit PyYAML>=6.0.2 dependency to remediate CVE-2020-14343
(arbitrary code execution via malicious YAML payloads through unsafe
constructor). Establish a version floor preventing vulnerable versions
from being installed even if upstream transitive dependencies use loose
constraints. Added PyYAML as a direct dependency in pyproject.toml.

Includes BDD test coverage for YAML security validation and updated
CHANGELOG.md with security remediation detail.

ISSUES CLOSED: #9244
HAL9001 requested changes 2026-05-09 10:31:20 +00:00
HAL9001 left a comment
Copy link

First Review — PR #11078: chore(deps): upgrade PyYAML to address known security vulnerability

Outcome: REQUEST_CHANGES

The dependency pin in pyproject.toml and the CHANGELOG.md/CONTRIBUTORS.md updates are correct and well-formed. However, the new BDD test file introduces duplicate step definitions that cause AmbiguousStep errors in Behave, which is the root cause of the CI / unit_tests failure. There are also several secondary issues around label hygiene and issue references that need addressing before this can be approved.

CI Status

Check Status
lint passing
typecheck passing
security passing
build passing
quality passing
integration_tests passing
e2e_tests passing
unit_tests FAILING
coverage ⚠️ skipped (blocked by unit_tests failure)
benchmark-regression failing (likely pre-existing, unrelated to this PR)

Blocking Issues

1. Duplicate Step Definitions Cause AmbiguousStep Errors (Root Cause of CI Failure)

features/steps/pyyaml_security_steps.py re-registers step patterns that are already defined in features/steps/actor_config_steps.py. Behave loads all features/steps/*.py files and registers decorators globally. Duplicate registrations cause AmbiguousStep errors that fail the entire test suite.

Duplicated definitions:

  • @given("an isolated actor config workspace") — defined in both files
  • @given(an actor config file "{filename}" with content:) — defined in both files
  • @when(I load the actor config blob from "{filename}") — defined in both files
  • @then(the loaded actor config value at "{path_expr}" should equal {expected}) — defined in both files

The new step file also reimplements the helper functions _add_cleanup, _ensure_workspace, and _resolve_path identically to code in actor_config_steps.py. This is a DRY violation and the source of the test failures.

Fix required: Delete features/steps/pyyaml_security_steps.py entirely. The feature file features/pyyaml_security.feature already works via the existing step implementations in actor_config_steps.py — no new step file is needed. The scenarios are valid; only the step file must be removed.

2. Coverage Gate Unvalidated

Because unit_tests is failing, the coverage CI job was skipped. Per project policy, coverage must be ≥ 97%. This gate must pass before the PR can be approved.

Non-Blocking Issues

3. PyYAML Version Inconsistency

The linked issue body (PR #9244, used here as the issue reference) describes adding pyyaml>=6.0.3, but this PR pins pyyaml>=6.0.2. CVE-2020-14343 is fixed in 6.0.1, so >=6.0.2 is a valid safe floor. However, the inconsistency with the stated requirements is worth documenting clearly. If 6.0.2 is intentional (and it is acceptable), update the PR description to match.

4. Closes #9244 References Another PR, Not a Plain Issue

Issue #9244 is itself an open pull request (https://git.cleverthis.com/cleveragents/cleveragents-core/pulls/9244), not a plain issue ticket. The Closes #9244 footer in the commit and the CONTRIBUTORS.md note about "PR #9244" create an inconsistent dependency graph — this PR would be closing another PR rather than a feature/bug issue. Identify and reference the correct underlying plain issue ticket, or clarify the relationship.

5. Label Hygiene — Missing Proper Type/ Label

The PR has type/security applied, but this is not a label from the repository or organisation taxonomy. The repo defines: Type/Bugfix, Type/Fix, Type/Bug, Type/Feature, Type/Automation, Type/Documentation, Type/Epic, Type/Discussion. A security dependency upgrade is best categorised as Type/Fix or Type/Bug. The type/security label should be replaced with an appropriate Type/ label from the defined set.

6. Gherkin Style — Uppercase AND Keyword

Lines 35–39 of pyyaml_security.feature use AND (uppercase) instead of the conventional Gherkin And (title-case). While Behave is case-insensitive, the rest of the codebase uses And consistently. This should be normalised for readability.

What Is Done Well

  • The pyproject.toml change is minimal, correct, and well-commented with a security rationale.
  • CHANGELOG.md is updated under the correct ### Security section with appropriate detail.
  • CONTRIBUTORS.md entry is properly formatted.
  • All existing YAML usages in the codebase already use yaml.safe_load — no unsafe yaml.load() calls were found.
  • The commit message follows Conventional Changelog format, has a meaningful body, and includes ISSUES CLOSED footer.
  • The milestone (v3.2.0) is correctly assigned.

Required Before Approval

  1. Delete features/steps/pyyaml_security_steps.py — it must be removed entirely to resolve the AmbiguousStep failures and restore green unit_tests.
  2. Ensure coverage gate passes (≥ 97%) once unit tests are fixed.
  3. Address the Closes #9244 reference — link to the correct plain issue ticket.

Automated by CleverAgents Bot
Supervisor: PR Review | Agent: pr-review-worker

## First Review — PR #11078: chore(deps): upgrade PyYAML to address known security vulnerability **Outcome: REQUEST_CHANGES** The dependency pin in `pyproject.toml` and the `CHANGELOG.md`/`CONTRIBUTORS.md` updates are correct and well-formed. However, the new BDD test file introduces **duplicate step definitions** that cause `AmbiguousStep` errors in Behave, which is the root cause of the `CI / unit_tests` failure. There are also several secondary issues around label hygiene and issue references that need addressing before this can be approved. --- ### CI Status | Check | Status | |-------|--------| | lint | ✅ passing | | typecheck | ✅ passing | | security | ✅ passing | | build | ✅ passing | | quality | ✅ passing | | integration_tests | ✅ passing | | e2e_tests | ✅ passing | | **unit_tests** | ❌ **FAILING** | | coverage | ⚠️ skipped (blocked by unit_tests failure) | | benchmark-regression | ❌ failing (likely pre-existing, unrelated to this PR) | --- ### Blocking Issues #### 1. Duplicate Step Definitions Cause AmbiguousStep Errors (Root Cause of CI Failure) `features/steps/pyyaml_security_steps.py` re-registers step patterns that are **already defined** in `features/steps/actor_config_steps.py`. Behave loads all `features/steps/*.py` files and registers decorators globally. Duplicate registrations cause `AmbiguousStep` errors that fail the entire test suite. **Duplicated definitions:** - `@given("an isolated actor config workspace")` — defined in both files - `@given(an actor config file "{filename}" with content:)` — defined in both files - `@when(I load the actor config blob from "{filename}")` — defined in both files - `@then(the loaded actor config value at "{path_expr}" should equal {expected})` — defined in both files The new step file also reimplements the helper functions `_add_cleanup`, `_ensure_workspace`, and `_resolve_path` identically to code in `actor_config_steps.py`. This is a DRY violation and the source of the test failures. **Fix required:** Delete `features/steps/pyyaml_security_steps.py` entirely. The feature file `features/pyyaml_security.feature` already works via the existing step implementations in `actor_config_steps.py` — no new step file is needed. The scenarios are valid; only the step file must be removed. #### 2. Coverage Gate Unvalidated Because `unit_tests` is failing, the `coverage` CI job was skipped. Per project policy, coverage must be ≥ 97%. This gate must pass before the PR can be approved. --- ### Non-Blocking Issues #### 3. PyYAML Version Inconsistency The linked issue body (PR #9244, used here as the issue reference) describes adding `pyyaml>=6.0.3`, but this PR pins `pyyaml>=6.0.2`. CVE-2020-14343 is fixed in 6.0.1, so `>=6.0.2` is a valid safe floor. However, the inconsistency with the stated requirements is worth documenting clearly. If `6.0.2` is intentional (and it is acceptable), update the PR description to match. #### 4. `Closes #9244` References Another PR, Not a Plain Issue Issue #9244 is itself an open pull request (`https://git.cleverthis.com/cleveragents/cleveragents-core/pulls/9244`), not a plain issue ticket. The `Closes #9244` footer in the commit and the `CONTRIBUTORS.md` note about "PR #9244" create an inconsistent dependency graph — this PR would be closing another PR rather than a feature/bug issue. Identify and reference the correct underlying plain issue ticket, or clarify the relationship. #### 5. Label Hygiene — Missing Proper `Type/` Label The PR has `type/security` applied, but this is not a label from the repository or organisation taxonomy. The repo defines: `Type/Bugfix`, `Type/Fix`, `Type/Bug`, `Type/Feature`, `Type/Automation`, `Type/Documentation`, `Type/Epic`, `Type/Discussion`. A security dependency upgrade is best categorised as `Type/Fix` or `Type/Bug`. The `type/security` label should be replaced with an appropriate `Type/` label from the defined set. #### 6. Gherkin Style — Uppercase `AND` Keyword Lines 35–39 of `pyyaml_security.feature` use `AND` (uppercase) instead of the conventional Gherkin `And` (title-case). While Behave is case-insensitive, the rest of the codebase uses `And` consistently. This should be normalised for readability. --- ### What Is Done Well - The `pyproject.toml` change is minimal, correct, and well-commented with a security rationale. - `CHANGELOG.md` is updated under the correct `### Security` section with appropriate detail. - `CONTRIBUTORS.md` entry is properly formatted. - All existing YAML usages in the codebase already use `yaml.safe_load` — no unsafe `yaml.load()` calls were found. - The commit message follows Conventional Changelog format, has a meaningful body, and includes `ISSUES CLOSED` footer. - The milestone (v3.2.0) is correctly assigned. --- ### Required Before Approval 1. Delete `features/steps/pyyaml_security_steps.py` — it must be removed entirely to resolve the AmbiguousStep failures and restore green `unit_tests`. 2. Ensure `coverage` gate passes (≥ 97%) once unit tests are fixed. 3. Address the `Closes #9244` reference — link to the correct plain issue ticket. --- Automated by CleverAgents Bot Supervisor: PR Review | Agent: pr-review-worker
features/pyyaml_security.feature
@ -0,0 +32,4 @@
key2: true
key3: null
"""
When I load the actor config blob from "complex.yaml"
HAL9001 commented 2026-05-09 10:31:20 +00:00
Owner
Copy link

Style — Gherkin keyword casing.

Lines 35–39 use AND (all-caps) instead of the conventional Gherkin And (title-case). While Behave is case-insensitive, the rest of the codebase uses And consistently. Please normalise:

    And the loaded actor config value at "options.temperature" should equal 0.7
    And the loaded actor config value at "options.max_tokens" should equal 2048
    And the loaded actor config value at "options.stop_sequences" should equal ["\n\n", "User:"]
**Style — Gherkin keyword casing.** Lines 35–39 use `AND` (all-caps) instead of the conventional Gherkin `And` (title-case). While Behave is case-insensitive, the rest of the codebase uses `And` consistently. Please normalise: ```gherkin And the loaded actor config value at "options.temperature" should equal 0.7 And the loaded actor config value at "options.max_tokens" should equal 2048 And the loaded actor config value at "options.stop_sequences" should equal ["\n\n", "User:"] ```
features/steps/pyyaml_security_steps.py
@ -0,0 +1,87 @@
"""Step definitions for PyYAML security verification tests."""
HAL9001 commented 2026-05-09 10:31:20 +00:00
Owner
Copy link

BLOCKING — Entire file must be deleted.

This step file re-registers step patterns that are already defined in features/steps/actor_config_steps.py:

  • @given("an isolated actor config workspace") (also at actor_config_steps.py:51)
  • @given(an actor config file "{filename}" with content:) (also at actor_config_steps.py:56)
  • @when(I load the actor config blob from "{filename}") (also at actor_config_steps.py:106)
  • @then(the loaded actor config value at "{path_expr}" should equal {expected}) (also at actor_config_steps.py:180)

Behave loads all features/steps/*.py files and registers decorators globally. Duplicate registrations cause AmbiguousStep errors which fail the entire unit_tests CI job.

How to fix: Delete this file entirely. The scenarios in features/pyyaml_security.feature already work through the existing step implementations in actor_config_steps.py — no new step file is needed. The step "the loaded actor config blob should equal {expected}" used in Scenario 1 is also already defined in actor_config_steps.py:174.

**BLOCKING — Entire file must be deleted.** This step file re-registers step patterns that are **already defined** in `features/steps/actor_config_steps.py`: - `@given("an isolated actor config workspace")` (also at `actor_config_steps.py:51`) - `@given(an actor config file "{filename}" with content:)` (also at `actor_config_steps.py:56`) - `@when(I load the actor config blob from "{filename}")` (also at `actor_config_steps.py:106`) - `@then(the loaded actor config value at "{path_expr}" should equal {expected})` (also at `actor_config_steps.py:180`) Behave loads **all** `features/steps/*.py` files and registers decorators globally. Duplicate registrations cause `AmbiguousStep` errors which fail the entire `unit_tests` CI job. **How to fix:** Delete this file entirely. The scenarios in `features/pyyaml_security.feature` already work through the existing step implementations in `actor_config_steps.py` — no new step file is needed. The step `"the loaded actor config blob should equal {expected}"` used in Scenario 1 is also already defined in `actor_config_steps.py:174`.
pyproject.toml
HAL9001 commented 2026-05-09 10:31:20 +00:00
Owner
Copy link

Note — version constraint. The constraint >=6.0.2 is a safe floor (CVE-2020-14343 is fixed in 6.0.1). However, the linked issue body (PR #9244) states >=6.0.3 as the target. Please confirm whether >=6.0.2 is intentional and update the PR description to match so the intent is unambiguous to future maintainers.

**Note — version constraint.** The constraint `>=6.0.2` is a safe floor (CVE-2020-14343 is fixed in 6.0.1). However, the linked issue body (PR #9244) states `>=6.0.3` as the target. Please confirm whether `>=6.0.2` is intentional and update the PR description to match so the intent is unambiguous to future maintainers.
HAL9001 commented 2026-05-09 10:31:25 +00:00
Owner
Copy link

Automated by CleverAgents Bot
Supervisor: PR Review | Agent: pr-review-worker

--- Automated by CleverAgents Bot Supervisor: PR Review | Agent: pr-review-worker
HAL9000 commented 2026-06-10 17:37:20 +00:00
Author
Owner
Copy link

[CONTROLLER-DEFER:Gate 1:needs_evaluation]

This PR has been deferred for re-evaluation. The controller has stepped back
from processing it. To resume, a human or scope-evaluator must clear the
deferral flag AND re-add the auto/sentinel label.

Decision:

  • Gate: Gate 1
  • Reason category: needs_evaluation
  • Canonical: #10885
  • LLM confidence: medium
  • LLM reasoning: Three PRs exist with identical titles addressing CVE-2020-14343: #10885 (155 add/437 del/5 files), #11017 (102 add/0 del/6 files), and anchor #11078 (139 add/0 del/5 files). PR #10885 is the original (lowest number) but its 437 deletions suggest scope beyond a pure upgrade—either necessary refactoring or out-of-scope churn. PRs #11017 and #11078 appear to be focused upgrades. Without CI status, commit history, or timestamps, the scope relationship is ambiguous and requires human assessment of whether #10885's deletions are necessary or represent scope-creep that makes #11017/#11078 the correct canonical approach.
  • Preserved value (when applicable): The 437 deletions in #10885 alongside 155 additions merit detailed review—if they are refactoring unrelated to PyYAML upgrade, then #11017 or #11078 may represent the correct focused fix; if they are necessary cleanup tied to the upgrade, #10885 is properly scoped and the others are redundant. Approval count and CI status will disambiguate.

To clear the deferral (SQL):
UPDATE workflows SET deferred_reason=NULL,
deferred_at=NULL,
deferred_target_workflow_id=NULL
WHERE workflow_id = 456;

INSERT INTO controller_events
  (workflow_id, ts, event_type, payload, cause, forgejo_write_pending, replay_attempts)
VALUES (456, datetime('now'), 'deferral_cleared',
        json_object('cleared_by', 'operator', 'reason', '<your reason>'),
        'operator', 0, 0);

Audit ID: 160237

Automated by the CleverAgents controller pipeline.
Identity: HAL9000 (pipeline action)

[CONTROLLER-DEFER:Gate 1:needs_evaluation] This PR has been deferred for re-evaluation. The controller has stepped back from processing it. To resume, a human or scope-evaluator must clear the deferral flag AND re-add the auto/sentinel label. Decision: - Gate: Gate 1 - Reason category: needs_evaluation - Canonical: #10885 - LLM confidence: medium - LLM reasoning: Three PRs exist with identical titles addressing CVE-2020-14343: #10885 (155 add/437 del/5 files), #11017 (102 add/0 del/6 files), and anchor #11078 (139 add/0 del/5 files). PR #10885 is the original (lowest number) but its 437 deletions suggest scope beyond a pure upgrade—either necessary refactoring or out-of-scope churn. PRs #11017 and #11078 appear to be focused upgrades. Without CI status, commit history, or timestamps, the scope relationship is ambiguous and requires human assessment of whether #10885's deletions are necessary or represent scope-creep that makes #11017/#11078 the correct canonical approach. - Preserved value (when applicable): The 437 deletions in #10885 alongside 155 additions merit detailed review—if they are refactoring unrelated to PyYAML upgrade, then #11017 or #11078 may represent the correct focused fix; if they are necessary cleanup tied to the upgrade, #10885 is properly scoped and the others are redundant. Approval count and CI status will disambiguate. To clear the deferral (SQL): UPDATE workflows SET deferred_reason=NULL, deferred_at=NULL, deferred_target_workflow_id=NULL WHERE workflow_id = 456; INSERT INTO controller_events (workflow_id, ts, event_type, payload, cause, forgejo_write_pending, replay_attempts) VALUES (456, datetime('now'), 'deferral_cleared', json_object('cleared_by', 'operator', 'reason', '<your reason>'), 'operator', 0, 0); Audit ID: 160237 --- Automated by the CleverAgents controller pipeline. Identity: HAL9000 (pipeline action) <!-- controller:fingerprint:5c123172151d6dd4 -->
drew referenced this pull request from a commit 2026-06-11 00:19:03 +00:00
ci: stop master workflow on PR updates
ci: stop master workflow on PR updates
Some checks failed
CI / lint (pull_request) Has been cancelled
Details
CI / typecheck (pull_request) Has been cancelled
Details
CI / security (pull_request) Has been cancelled
Details
CI / quality (pull_request) Has been cancelled
Details
CI / unit_tests (pull_request) Has been cancelled
Details
CI / integration_tests (pull_request) Has been cancelled
Details
CI / e2e_tests (pull_request) Has been cancelled
Details
CI / coverage (pull_request) Has been cancelled
Details
CI / build (pull_request) Has been cancelled
Details
CI / docker (pull_request) Has been cancelled
Details
CI / helm (pull_request) Has been cancelled
Details
CI / push-validation (pull_request) Has been cancelled
Details
CI / status-check (pull_request) Has been cancelled
Details
2351d7e060 
Remove the stale pull_request trigger from master.yml so PR branch commits do not launch the master workflow.

Maintenance patch for PR #11078.
HAL9000 commented 2026-06-11 07:49:43 +00:00
Author
Owner
Copy link

[CONTROLLER-CLOSE:Gate 1:full_duplicate]

PR #11078 is a full duplicate of PR #10885. Both have identical titles and address CVE-2020-14343 PyYAML security upgrade. PR #10885 is canonical (older by PR number, larger footprint suggesting more iteration time). PR #11078 is a re-attempt solving the same problem with no unique merit and should be closed.

Decision:

  • Gate: Gate 1
  • Reason category: full_duplicate
  • Canonical (if duplicate): #10885
  • LLM confidence (when applicable): high
  • LLM reasoning (when applicable): PR #11078 is a full duplicate of PR #10885. Both have identical titles and address CVE-2020-14343 PyYAML security upgrade. PR #10885 is canonical (older by PR number, larger footprint suggesting more iteration time). PR #11078 is a re-attempt solving the same problem with no unique merit and should be closed.

Audit ID: 188701

Automated by the CleverAgents controller pipeline.
Identity: HAL9000 (pipeline action)

[CONTROLLER-CLOSE:Gate 1:full_duplicate] PR #11078 is a full duplicate of PR #10885. Both have identical titles and address CVE-2020-14343 PyYAML security upgrade. PR #10885 is canonical (older by PR number, larger footprint suggesting more iteration time). PR #11078 is a re-attempt solving the same problem with no unique merit and should be closed. Decision: - Gate: Gate 1 - Reason category: full_duplicate - Canonical (if duplicate): #10885 - LLM confidence (when applicable): high - LLM reasoning (when applicable): PR #11078 is a full duplicate of PR #10885. Both have identical titles and address CVE-2020-14343 PyYAML security upgrade. PR #10885 is canonical (older by PR number, larger footprint suggesting more iteration time). PR #11078 is a re-attempt solving the same problem with no unique merit and should be closed. Audit ID: 188701 --- Automated by the CleverAgents controller pipeline. Identity: HAL9000 (pipeline action) <!-- controller:fingerprint:cdc212dae84fc4fb -->
HAL9000 closed this pull request 2026-06-11 07:49:43 +00:00
Some checks failed
CI / lint (pull_request) Has been cancelled
Required
Details
CI / typecheck (pull_request) Has been cancelled
Required
Details
CI / security (pull_request) Has been cancelled
Required
Details
CI / quality (pull_request) Has been cancelled
Required
Details
CI / unit_tests (pull_request) Has been cancelled
Required
Details
CI / integration_tests (pull_request) Has been cancelled
Required
Details
CI / e2e_tests (pull_request) Has been cancelled
Details
CI / coverage (pull_request) Has been cancelled
Required
Details
CI / build (pull_request) Has been cancelled
Required
Details
CI / docker (pull_request) Has been cancelled
Required
Details
CI / helm (pull_request) Has been cancelled
Details
CI / push-validation (pull_request) Has been cancelled
Details
CI / status-check (pull_request) Has been cancelled
Details

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No reviewers
HAL9001
Labels
Clear labels   
auto/needs-reevaluation
Controller deferred this PR; awaiting Phase 6+ scope-evaluator or operator re-enablement.

  
controller-managed
Auto-agents controller manages this PR/issue (see tools/controller/deploy/RUNBOOK.md). Remove this label to abandon controller management.

  
overdue
  
auto/blocked-by-deps
PR blocked by an open issue dependency. Operator must close the dep (or remove the dependency link) before the merge driver can act. Auto-cleared by merge_drive when no open deps remain.

  
auto/ci-timeout
Most recent merge cycle hit CI timeout. Driver excludes this PR while last merge_cycle row is < 30 min old; label persists thereafter as visible history.

  
auto/claimed-implementer
Currently being processed by an implementer worker.

  
auto/claimed-merge
Currently being processed by the merge driver.

  
auto/claimed-reviewer
Currently being processed by a reviewer worker.

  
auto/driver-down
Merge driver heartbeat stale; pipeline halted. Closed automatically on next clean tick.

  
auto/invariant-violation
Detected master commit violating the strict merge invariant. Tracked as an issue (not a PR label); kept here for label completeness.

  
auto/last-attempt-tier-0
In-cycle escalation: most recent attempt ran at the Tier 0 slot (`tier-0`). Slot's model defined in .opencode/models/tiers.yaml.

  
auto/last-attempt-tier-1
In-cycle escalation: most recent attempt ran at the Tier 1 slot (`tier-1`). Slot's model defined in .opencode/models/tiers.yaml.

  
auto/last-attempt-tier-2
In-cycle escalation: most recent attempt ran at the Tier 2 slot (`tier-2`). Slot's model defined in .opencode/models/tiers.yaml. Gated behind IMPLEMENTER_ESCALATION_TIER2_ENABLED.

  
auto/last-attempt-tier-min
In-cycle escalation: most recent attempt ran at the Tier -1 slot (`tier-min`). Slot's model defined in .opencode/models/tiers.yaml. Suffix is ``-min`` (not ``--1``) so the Forgejo UI reads naturally.

  
Automation Tracking
Tracking issues used by the AI Automation system for agents to communicate and report.

  
auto/needs-conflict-resolution
Rebase conflict needs LLM conflict-resolver.

  
auto/needs-implementer
Failing CI needs implementer attention.

  
auto/postmortem
Documenting a driver incident or rollback.

  
auto/ready-to-merge
Reviewer has APPROVED this PR and no later REQUEST_CHANGES is outstanding. The merge driver requires this label to even consider a PR for merging. Set by the reviewer worker on APPROVE; cleared on REQUEST_CHANGES.

  
auto/restart-throttled
Train repeatedly lost master-tempo races. Driver excludes via merge_cycle until cooldown elapses; label persists as visible history.

  
auto/revert
Revert PR backing out an invariant violation. Fast-tracked through the merge driver.

  
auto/sentinel
Sentinel PR duplicated from upstream into a personal fork by tools/duplicate_prs_to_fork.py for pipeline testing. Lives only in the fork; the canonical pipeline never sees it.

  
auto/stale-inactivity
No implementer activity for N days. Flagged for human review. Auto-cleared on next push to head branch.

  
auto/unstable
Repeatedly fails on current master (>= 3 ci-fail-on-rebased-sha releases in 12 h). Excluded from driver until human triage.

  
Blocked
A ticket in a blocked state and unable to complete until some other task is completed first.

  
Bounty
$100
 A bounty of $100 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$1000
 A bounty of $1000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$10000
 A bounty of $10000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$20
 A bounty of $20 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$2000
 A bounty of $2000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$250
 A bounty of $250 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$50
 A bounty of $50 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$500
 A bounty of $500 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$5000
 A bounty of $5000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$750
 A bounty of $750 for any open-source contributor who provides a MR that solves this issue

  
MoSCoW
Could have
 Could have feature in order to satisfy the epic/legendary.

  
MoSCoW
Must have
 Must have feature in order to satisfy the epic/legendary.

  
MoSCoW
Should have
 Should have feature in order to satisfy the epic/legendary.

  
Needs Feedback
There are questions in the ticket that can not be completed until the project owner provides clarity.

  
Points
1
 1 man-hours worth of work for an expert with no learning curve.

  
Points
13
 13 man-hours worth of work for an expert with no learning curve.

  
Points
2
 2 man-hours worth of work for an expert with no learning curve.

  
Points
21
 21 man-hours worth of work for an expert with no learning curve.

  
Points
3
 3 man-hours worth of work for an expert with no learning curve.

  
Points
34
 34 man-hours worth of work for an expert with no learning curve.

  
Points
5
 5 man-hours worth of work for an expert with no learning curve.

  
Points
55
 55 man-hours worth of work for an expert with no learning curve.

  
Points
8
 8 man-hours worth of work for an expert with no learning curve.

  
Points
88
 88 man-hours worth of work for an expert with no learning curve.

  
Priority
Backlog
 This ticket has backlogged priority and is not to be worked on yet

  
Priority
CI Blocker
 Critical priority issue that blocks CI/CD pipeline and prevents PR merges

  
Priority
Critical
 The priority is critical

  
Priority
High
 The priority is high

  
Priority
Low
 The priority is low

  
Priority
Medium
 The priority is medium

  
Signed-off: Owner
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Signed-off: Scrum Master
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Signed-off: Tech Lead
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Spike
A ticket for learning a tool or technology that is needed to be able to do future planning and design.

  
State
Completed
 The ticket has been fully implemented, completed, and merged with the source code. This label should only be applied once a ticket is closed.

  
State
Duplicate
 A ticket that represents the same content as an existing ticket.

  
State
In Progress
 A ticket that is actively being developed.

  
State
In Review
 A ticket that has had some code completed to implement but is waiting to pass peer review and is not yet merged in.

  
State
Paused
 This ticket's work started but wasn't finished. It's on hold (likely in a feature branch) and will be resumed later, either due to a blocker or a delay.

  
State
Unverified
 All new tickets start in this state. A developer may set it to show the ticket is unverified. This means we haven't agreed to work on it. It will either move to a verified state or be closed as wontdo.

  
State
Verified
 The issue has been verified by a developer as legitimate. It will be worked on and verified tickets are now considered part of the backlog.

  
State
Wont Do
 This ticket has been decided it wont be done. This may mean the bug has been determined to not be real (cant verify) or the feature is one we have decided we dont want to adopt.

  
Type
Automation
 Any edits or discussion about the AI automated coding system.

  
Type
Bug
 Something that doesnt work as intended.

  
Type
Discussion
 Anytime a ticket represents a discussion about a subject and doesnt fall into one of the other categories.

  
Type
Documentation
 An error or improvement needed in the documentation.

  
Type
Epic
 Any first tier epic. That is, an epic which contains only issues as children and will not have sub-epics.

  
Type
Feature
 Some new functionality not present.

  
Type
Legendary
 A type of Epic which will contain other Epics.

  
Type
Refactor
 A code change that restructures existing code without changing its external behavior.

  
Type
Support
 Someone needs help using the project.

  
Type
Task
 A generic task that doesnt fit into the other type categories.

  
Type
Testing
 Work exclusively focusing on fixing or expanding testing.

No labels
auto/needs-reevaluation
controller-managed
overdue
auto/blocked-by-deps
auto/ci-timeout
auto/claimed-implementer
auto/claimed-merge
auto/claimed-reviewer
auto/driver-down
auto/invariant-violation
auto/last-attempt-tier-0
auto/last-attempt-tier-1
auto/last-attempt-tier-2
auto/last-attempt-tier-min
Automation Tracking
auto/needs-conflict-resolution
auto/needs-implementer
auto/postmortem
auto/ready-to-merge
auto/restart-throttled
auto/revert
auto/sentinel
auto/stale-inactivity
auto/unstable
Blocked
Bounty
$100
Bounty
$1000
Bounty
$10000
Bounty
$20
Bounty
$2000
Bounty
$250
Bounty
$50
Bounty
$500
Bounty
$5000
Bounty
$750
MoSCoW
Could have
MoSCoW
Must have
MoSCoW
Should have
Needs Feedback
Points
1
Points
13
Points
2
Points
21
Points
3
Points
34
Points
5
Points
55
Points
8
Points
88
Priority
Backlog
Priority
CI Blocker
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Signed-off: Owner
Signed-off: Scrum Master
Signed-off: Tech Lead
Spike
State
Completed
State
Duplicate
State
In Progress
State
In Review
State
Paused
State
Unverified
State
Verified
State
Wont Do
Type
Automation
Type
Bug
Type
Discussion
Type
Documentation
Type
Epic
Type
Feature
Type
Legendary
Type
Refactor
Type
Support
Type
Task
Type
Testing
Milestone
Clear milestone
No items
No milestone
v3.2.0
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
cleveragents/cleveragents-core!11078
No description provided.