diff --git a/docs/dev-loop-spec.md b/docs/dev-loop-spec.md index 226b511..48283f9 100644 --- a/docs/dev-loop-spec.md +++ b/docs/dev-loop-spec.md @@ -231,6 +231,8 @@ These are statically checked by `~/.openclaw/workspace/scripts/test/check-invari | S6 | Active WIP does not cause early exit (only sets ACTIVE_WIP flag) | | S7 | SPAWN:impl guarded by `ACTIVE_WIP == 0` check | | S8 | No merge calls in any worker template | +| S9 | Zero close-PR API calls in dispatch script (`state=closed` does not appear) | +| S10 | No close-PR API calls in any worker template; every worker template contains `NEVER close a PR` | --- @@ -263,9 +265,20 @@ Each worker receives a precise task description with substituted values: Workers **always** remove the WIP label on completion and reply `NO_REPLY`. +### Worker Absolute Constraints + +Every worker template begins with an `⛔ ABSOLUTE CONSTRAINTS` section containing these rules: + +- **NEVER close a PR.** Never call `PATCH /pulls/{id}` with `state=closed`. Closing a PR requires human action. "Duplicate", "superseded", or "already done" are never a worker's call. +- **NEVER merge a PR.** Never call the merge API. Merging requires human approval. +- **NEVER use the gitea-aweiker token.** All API calls use the gitea-rodin token only. +- **NEVER act on a PR with active REQUEST_CHANGES.** Fix the findings first. + +The first two constraints are statically enforced by `check-invariants.sh`: S1 and S9 cover the dispatch script (no merge, no close); S8 covers worker templates (no merge calls); S10 covers worker templates (no close calls, with NEVER-close text verified present in each). The remaining two constraints (token usage and REQUEST_CHANGES gate) are enforced by runtime logic. + --- -## 9. Fixes for Issues #144 and #145 +## 9. Fixes for Issues #144, #145, and #157 **Issue #144** (autonomous merge): The dispatch script contains no merge API calls anywhere. The `~/.openclaw/workspace/scripts/test/check-invariants.sh` @@ -276,3 +289,13 @@ Rule 2 is the **first** rule evaluated per PR. It cannot be skipped, reasoned pa or bypassed. It is checked before CI, before self-review, before handoff. The check uses latest-per-reviewer state, so a reviewer who re-approved after REQUEST_CHANGES is correctly handled. + +**Issue #157** (autonomous PR close): +Worker templates were missing an explicit constraint against closing PRs. The dispatch +script never had a close call, but workers could reason their way into calling +`PATCH /pulls/{id}` with `state=closed`. All worker templates now include +`NEVER close a PR` in their ABSOLUTE CONSTRAINTS section. Invariant S9 verifies +the dispatch script contains no close calls. Invariant S10 verifies +worker templates contain no close calls and each contains the NEVER-close text. + +Regression tests in `dispatch.bats` statically verify all of these constraints.