Skip to content

feat: implement issue #677 — canary #668 increment 3: opt-in human confirmation at ring1→stable (require_confirmation, dev-lead)#678

Merged
don-petry merged 5 commits into
mainfrom
dev-lead/issue-677-20260712-1500
Jul 12, 2026
Merged

feat: implement issue #677 — canary #668 increment 3: opt-in human confirmation at ring1→stable (require_confirmation, dev-lead)#678
don-petry merged 5 commits into
mainfrom
dev-lead/issue-677-20260712-1500

Conversation

@don-petry

@don-petry don-petry commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Closes #677

Implemented by dev-lead agent. Please review.

Summary by CodeRabbit

  • New Features
    • Added a human confirmation step for selected canary promotion boundaries.
    • Rollouts can now pause in an “Awaiting Confirmation” state and require explicit confirmation before advancing.
    • Added confirmation support to the promotion command and updated rollout dashboard guidance.
    • Introduced dedicated confirmation issue tracking for pending approvals.
  • Configuration
    • Enabled confirmation for the dev-lead transition from ring 1 to stable.
  • Tests
    • Added coverage for confirmation-gated evaluations, promotions, issue syncing, and evidence diff rendering.

…nfirmation at ring1→stable (require_confirmation, dev-lead)
@don-petry don-petry requested a review from a team as a code owner July 12, 2026 15:23
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The canary rollout adds an AWAITING_CONFIRMATION state for the dev-lead ring1->stable transition, with --confirm CLI and workflow dispatch support. Confirmation issues, dashboard text, and tests cover the new promotion lifecycle.

Changes

Canary confirmation flow

Layer / File(s) Summary
Confirmation state and ring configuration
standards/canary-rings.json, scripts/canary-rollout.sh
The dev-lead transition requires confirmation, and qualifying PROMOTE results become AWAITING_CONFIRMATION.
Promotion confirmation command
scripts/canary-rollout.sh, .github/workflows/canary-rollout.yml
promote --confirm advances awaiting transitions, while workflow dispatch input confirm conditionally passes --confirm.
Confirmation issue synchronization
scripts/canary-rollout.sh
Confirmation issue bodies, dashboard documentation, labels, and open/close synchronization are added for awaiting agents.
Confirmation flow coverage
tests/canary_rollout.bats
Tests cover configuration, evaluation, promotion, blocked gates, issue rendering, and confirmation issue lifecycle behavior.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Scheduler
  participant CanaryRollout
  participant GitHubIssues
  participant Human
  Scheduler->>CanaryRollout: evaluate rollout
  CanaryRollout->>CanaryRollout: set AWAITING_CONFIRMATION
  CanaryRollout->>GitHubIssues: open canary-confirm issue
  Human->>CanaryRollout: promote agent --confirm
  CanaryRollout->>GitHubIssues: advance ring transition
Loading

Possibly related PRs

  • petry-projects/.github#672: Both changes modify _frontier_state in scripts/canary-rollout.sh to alter rollout verdict gating logic.

Suggested labels: needs-human-review

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 70.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is specific and accurately reflects the main change: opt-in human confirmation for the ring1→stable canary transition.
Linked Issues check ✅ Passed The changes implement the requested ring1→stable require_confirmation flow for dev-lead and the confirm-gated promotion path.
Out of Scope Changes check ✅ Passed The workflow, script, config, and tests all support the same canary confirmation feature; no unrelated changes are evident.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev-lead/issue-677-20260712-1500

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request implements Layer 3 of the canary rollout human confirmation feature, introducing an opt-in "AWAITING_CONFIRMATION" state at ring boundaries (configured for the "dev-lead" agent's "ring1->stable" transition). This state halts automated promotion even when reliability checks pass, requiring a manual "--confirm" flag to proceed. It also includes automated creation, updating, and closing of GitHub confirmation issues to facilitate human review. Feedback on the changes suggests handling the edge case where there is no prior stable release to prevent broken comparison URLs in the generated confirmation issue.

Comment thread scripts/canary-rollout.sh
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry don-petry enabled auto-merge (squash) July 12, 2026 15:28
@don-petry don-petry disabled auto-merge July 12, 2026 15:29
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry don-petry enabled auto-merge (squash) July 12, 2026 15:34
@don-petry don-petry disabled auto-merge July 12, 2026 15:34
@don-petry don-petry enabled auto-merge (squash) July 12, 2026 15:37

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/canary-rollout.sh`:
- Around line 639-641: Update the confirmation notice in the
AWAITING_CONFIRMATION branch to use the existing $transition variable for the
go/no-go boundary instead of the hardcoded ring1->stable text. Keep the
surrounding confirmation handling and reliability message unchanged.
- Around line 1005-1015: Update the stale confirm-issue close branch in the
rollout status logic to assign the dashboard blocker variable `blk` to the
closed issue identifier and state, matching the existing blocker-close behavior.
Ensure agents leaving AWAITING_CONFIRMATION show the closed canary-confirm issue
in the fleet-status job summary, including dry-run handling as appropriate.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fbe77a13-9295-4a2d-b939-33cc7540f3a6

📥 Commits

Reviewing files that changed from the base of the PR and between 349477d and a30bf01.

📒 Files selected for processing (4)
  • .github/workflows/canary-rollout.yml
  • scripts/canary-rollout.sh
  • standards/canary-rings.json
  • tests/canary_rollout.bats

Comment thread scripts/canary-rollout.sh
Comment thread scripts/canary-rollout.sh
@don-petry don-petry disabled auto-merge July 12, 2026 15:43
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 12, 2026
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-reviews (applied)

Changes committed and pushed.

@don-petry don-petry enabled auto-merge (squash) July 12, 2026 15:47
@don-petry don-petry disabled auto-merge July 12, 2026 15:47
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — waiting on PR blockers (intent: fix-reviews)

PR: #678
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-07-12T16:21:26Z

@don-petry don-petry enabled auto-merge (squash) July 12, 2026 15:51

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 983a19c1ae264866730bbd22ea95372341b47e89
Review mode: triage-approved (single reviewer)

Summary

Implements #668 increment 3 (Layer 3): opt-in human confirmation at a require_confirmation ring boundary. When reliability is otherwise PROMOTE and the frontier transition sets require_confirmation, the state overlays to AWAITING_CONFIRMATION; the scheduled sweep never auto-advances it, and only a deliberate 'promote --confirm' dispatch clears it. --confirm cannot bypass a BLOCKED gate (verified by test). sync-issues upserts an evidence-carrying canary-confirm issue (marker-keyed, needs-human) and auto-closes it when the hold clears. Config enables it for dev-lead ring1->stable only; default-absent keeps all other agents byte-identical. 8 new bats tests cover the state overlay, hold-without-confirm, confirm-advance, no-bypass-of-BLOCKED, issue body rendering (incl. empty-prior fallback), and issue open/close lifecycle.

Linked issue analysis

Closes #677 (open; body empty — spec carried in the title: 'canary #668 increment 3: opt-in human confirmation at ring1→stable (require_confirmation, dev-lead)'). The PR substantively delivers exactly that: the require_confirmation knob in standards/canary-rings.json (dev-lead ring1->stable), the AWAITING_CONFIRMATION overlay + --confirm flag in scripts/canary-rollout.sh, the confirm workflow input in canary-rollout.yml, and the canary-confirm issue lifecycle.

Findings

No blocking findings.

  • Security: the new 'confirm' workflow input is a boolean passed via env and string-compared ('[ "$CONFIRM" = "true" ]') — no injection surface; mirrors the existing OVERRIDE pattern. The feature is safety-additive (adds a human gate; --confirm provably cannot advance a BLOCKED state — cmd_promote only honours it when state=AWAITING_CONFIRMATION, which is only ever set from a reliability-clean PROMOTE verdict, and a dedicated test asserts the no-bypass property).
  • Prior review findings all resolved at this SHA: gemini's empty-prior diff-link concern (fallback '(no prior stable release)' + test), CodeRabbit's hardcoded-transition notice (now uses $transition) and stale-blk dashboard column (now set to '#N (confirm closed)'). All 3 review threads resolved; CodeRabbit dismissed its changes-requested review and approved.
  • Verified helper dependencies (_gate_knob, _issue_find, _gh_issue_create, _suspect_guidance) exist at the head SHA and the reused _sync_stub fixture sets SYNC_RINGS.
  • Secret scan: run_secret_scanning MCP tool unavailable in this run; gitleaks CI check is green.
  • Note: modifies .github/workflows/canary-rollout.yml, which is org automation but NOT one of the protected thin-caller stubs — change is within allowed scope.

CI status

All code-validation checks green: ShellCheck, Lint, CodeQL, Analyze (actions), Secret scan (gitleaks), Agent Security Scan, agent-shield, SonarCloud (quality gate passed, 0 new issues), CodeRabbit, npm audit; ecosystem audits skipped (not applicable). The only non-green entries are 'dev-lead / dispatch' and 'dev-lead / ci-relay' — the dev-lead agent's own pull_request_review-triggered relay jobs, concurrency-cancelled after 0 steps by successive review events; they do not validate the PR's code.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@don-petry don-petry disabled auto-merge July 12, 2026 16:35
@sonarqubecloud

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
scripts/canary-rollout.sh (3)

983-1003: 🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

Reset confirmation evidence when the candidate changes.

The documented contract says canary-confirm issues auto-close on candidate changes, but this path keys the issue only by agent and updates it whenever the state remains AWAITING_CONFIRMATION. A replacement candidate can therefore inherit the previous issue’s approval context. Compare the current candidate SHA with the issue evidence, close the stale issue, and create a fresh confirmation issue when they differ.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/canary-rollout.sh` around lines 983 - 1003, Update the
AWAITING_CONFIRMATION handling around cnum and _confirm_body to compare the
current candidate SHA with the candidate recorded in the existing confirmation
issue evidence. When they differ, close the stale issue, clear cnum and related
issue state, and create a fresh canary-confirm issue; otherwise retain the
existing update behavior.

984-986: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Fail closed when confirmation evidence cannot be rendered.

|| true converts any _confirm_body failure into an empty body, after which the script still creates or updates a needs-human issue. That can leave reviewers with no candidate diff or run evidence while the synchronization appears successful. Preserve the failure and skip the issue mutation, or provide an explicit fallback that clearly indicates the evidence is unavailable.

Proposed fix
-      cbody="$(_confirm_body "$agent" "$transition" "$cand" "$prior" "$host" "$_s" "$_t" || true)"
+      if ! cbody="$(_confirm_body "$agent" "$transition" "$cand" "$prior" "$host" "$_s" "$_t")"; then
+        echo "::warning::could not render confirmation issue for $agent"
+        continue
+      fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/canary-rollout.sh` around lines 984 - 986, Update the confirmation
flow around _confirm_body so rendering failures are not converted into an empty
cbody. Preserve the command failure, then skip the needs-human issue creation or
update when evidence cannot be produced, or set an explicit unavailable-evidence
fallback that clearly informs reviewers; do not perform the issue mutation as
though synchronization succeeded.

622-630: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Prevent --override from bypassing AWAITING_CONFIRMATION.

Line [624] enables advancement for every state before the confirmation-specific check, so promote <agent> --override can advance an awaiting frontier without --confirm. The new gate should require --confirm exclusively for AWAITING_CONFIRMATION.

Proposed fix
   local advance=false
   [ "$state" = "PROMOTE" ] && advance=true
-  [ "$override" = true ] && advance=true
+  if [ "$state" != "AWAITING_CONFIRMATION" ] && [ "$override" = true ]; then
+    advance=true
+  fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/canary-rollout.sh` around lines 622 - 630, The advance decision logic
must not let --override promote an AWAITING_CONFIRMATION frontier. Update the
checks initializing advance so override applies only to states other than
AWAITING_CONFIRMATION, while retaining the dedicated --confirm requirement in
the AWAITING_CONFIRMATION branch and existing PROMOTE/BLOCKED behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@scripts/canary-rollout.sh`:
- Around line 983-1003: Update the AWAITING_CONFIRMATION handling around cnum
and _confirm_body to compare the current candidate SHA with the candidate
recorded in the existing confirmation issue evidence. When they differ, close
the stale issue, clear cnum and related issue state, and create a fresh
canary-confirm issue; otherwise retain the existing update behavior.
- Around line 984-986: Update the confirmation flow around _confirm_body so
rendering failures are not converted into an empty cbody. Preserve the command
failure, then skip the needs-human issue creation or update when evidence cannot
be produced, or set an explicit unavailable-evidence fallback that clearly
informs reviewers; do not perform the issue mutation as though synchronization
succeeded.
- Around line 622-630: The advance decision logic must not let --override
promote an AWAITING_CONFIRMATION frontier. Update the checks initializing
advance so override applies only to states other than AWAITING_CONFIRMATION,
while retaining the dedicated --confirm requirement in the AWAITING_CONFIRMATION
branch and existing PROMOTE/BLOCKED behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 71dfc202-344a-433f-b546-c5e62019e24b

📥 Commits

Reviewing files that changed from the base of the PR and between a30bf01 and 7b91edf.

📒 Files selected for processing (1)
  • scripts/canary-rollout.sh

@don-petry don-petry merged commit 5209dd7 into main Jul 12, 2026
23 of 27 checks passed
@don-petry don-petry deleted the dev-lead/issue-677-20260712-1500 branch July 12, 2026 16:40
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

don-petry added a commit that referenced this pull request Jul 12, 2026
…I gap from #613/#624) (#685)

* ci: add canary-rollout-tests.yml — run the engine's bats suite (closes CI gap from #613/#624 relocation)

The canary-rollout engine + tests/canary_rollout.bats were relocated into .github
by #613/#624 but no CI runner came with them, so the 149+ test suite has been
unenforced ever since — every #668 increment (#672/#676/#678/#684) merged without
its tests actually running in CI. This workflow runs shellcheck + the full bats
suite on any PR touching the engine, its pure core, the suite, or this workflow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01J4z5uYVjwdyQjh2wFZxkut

* chore: dev-lead update (review-changes) [skip ci-relay]

* chore: dev-lead update (review-changes) [skip ci-relay]

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

canary #668 increment 3: opt-in human confirmation at ring1→stable (require_confirmation, dev-lead)

2 participants