Merge pull request #694 from navapbc/fix/c9e9-empty-net-diff-exemption

fix(review-gate): in-gate empty-net-diff exemption for clean merge commits (c9e9)

Author: JoeOakhartNava

plugins/dso/scripts/ci/fp-recovery-audit-sweep.sh

@@ -43,30 +43,31 @@ fi
 # shellcheck source=../lib/review-coverage-lib.sh
 source "$_FPA_LIB"
 
-# ── 0cd7 DD3: exempt-merge scaffolding (the audit had none before this story) ──
+# ── 0cd7 DD3 + c9e9: exempt-merge scaffolding (the audit had none before this) ──
 # A merged main PR whose content carries NO reviewable application code is NOT a
-# bypass — flagging it would be audit noise. Two diff-scoped exemptions, IDENTICAL
-# to the other two consumers (DD6 equivalence test):
-#   (a) a CLEAN merge commit (>=2 parents, empty combined diff) — its parents are
-#       reviewed independently;
+# bypass — flagging it would be audit noise. Two diff-scoped exemptions, computed by
+# the SAME shared predicates as the other two consumers (DD6 equivalence test) — NO
+# parallel implementation:
+#   (a) a genuinely-empty-net MERGE commit (shared rc_diff_is_empty_net: >=2 parents,
+#       diff-tree rc==0, empty combined diff) — its parents are reviewed independently;
 #   (b) a TICKETS_ONLY commit (shared rc_diff_is_tickets_only) — diff entirely in
 #       the ticket store.
+# Replaces the former INLINE clean-merge check, which duplicated the empty-net logic
+# (and masked diff-tree's rc inside the command substitution); the shared predicate
+# captures rc separately and is DD6-equivalent across consumers.
 # AUDIT ERROR POSTURE (distinct from coverage's fail-closed-BLOCK): this is a
 # non-blocking REPORTING tool, so it must POSITIVELY CONFIRM the exemption to skip a
-# PR. Any doubt — local commit not checked out, git error, rc_diff returns 2 — yields
-# NOT-exempt, so the PR is RECORDED for manual follow-up rather than silently dropped.
-# Requires the merge SHA to be present locally (CI: actions/checkout fetch-depth 0);
-# when it is not, the PR is (correctly) recorded.
+# PR. Any doubt — local commit not checked out, git error, predicate returns 2 —
+# yields NOT-exempt (the predicate returns non-zero), so the PR is RECORDED for manual
+# follow-up rather than silently dropped. Requires the merge SHA present locally
+# (CI: actions/checkout fetch-depth 0); when it is not, the PR is (correctly) recorded.
 _fpa_is_exempt_merge() {
-    local _s="${1:-}" _parents _cc
+    local _s="${1:-}"
     [[ -z "$_s" ]] && return 1
     git rev-parse --verify --quiet "${_s}^{commit}" >/dev/null 2>&1 || return 1  # not local -> record
-    # (a) clean merge: >=2 parents AND empty combined diff (positive-confirm only).
-    _parents="$(git rev-list --parents -n1 "$_s" 2>/dev/null)" || return 1
-    if [[ "$(printf '%s' "$_parents" | wc -w)" -ge 3 ]]; then
-        _cc="$(git diff-tree --cc --no-commit-id "$_s" 2>/dev/null)" || return 1
-        [[ -z "$_cc" ]] && return 0      # clean merge -> exempt
-        return 1                         # evil merge -> record
+    # (a) genuinely-empty-net merge (shared predicate; rc 0 = exempt, 1/2 = record).
+    if declare -F rc_diff_is_empty_net >/dev/null 2>&1 && rc_diff_is_empty_net "$_s"; then
+        return 0
     fi
     # (b) tickets-only (shared predicate; rc 0 = exempt, 1/2 = record).
     declare -F rc_diff_is_tickets_only >/dev/null 2>&1 || return 1

plugins/dso/scripts/ci/review-coverage-invariant.sh

@@ -115,7 +115,7 @@ if [[ -z "$_SHAS" ]]; then
     exit 0
 fi
 
-_total=0; _ledger_hits=0; _verified=0; _unreviewed=0; _errors=0; _exempt_tickets=0
+_total=0; _ledger_hits=0; _verified=0; _unreviewed=0; _errors=0; _exempt_tickets=0; _exempt_empty_net=0
 _violations=""
 
 # cca8 (linear-history cutover, DD3): the clean-merge exemption (_is_clean_merge)
@@ -150,6 +150,18 @@ while IFS= read -r _sha; do
         _exempt_tickets=$(( _exempt_tickets + 1 ))
         continue
     fi
+    # Genuinely-empty-net merge exemption (c9e9): a >=2-parent merge whose COMBINED
+    # net diff is genuinely empty (e.g. a clean staged->main 2-parent merge / clean
+    # octopus) carries no reviewable content, yet no MERGED PR covers it (A3b excludes
+    # the sub-PR whose merge_commit_sha IS this SHA) — a false UNREVIEWED wedge.
+    # Computed by the shared rc_diff_is_empty_net (review-coverage-lib.sh) so all three
+    # consumers agree (DD6). Only rc 0 (proven empty-net) exempts; rc 1 (non-empty /
+    # non-merge) OR rc 2 (uncomputable) falls through to the normal coverage path,
+    # which itself fails closed — so an error here can never launder an unreviewed SHA.
+    if rc_diff_is_empty_net "$_sha"; then
+        _exempt_empty_net=$(( _exempt_empty_net + 1 ))
+        continue
+    fi
     # Perf prefilter: a ledger HIT (proven reviewed in a prior run) skips
     # re-verification. This is a ledger hit, NOT reachability-to-main.
     if _ledger_has "$_sha"; then
@@ -177,7 +189,7 @@ while IFS= read -r _sha; do
     esac
 done <<< "$_SHAS"
 
-echo "review-coverage-invariant: ${_total} SHA(s) in ${_BASE_REF}..${_HEAD} — verified=${_verified} exempt_tickets=${_exempt_tickets} ledger_hits=${_ledger_hits} unreviewed=${_unreviewed} errors=${_errors}"
+echo "review-coverage-invariant: ${_total} SHA(s) in ${_BASE_REF}..${_HEAD} — verified=${_verified} exempt_tickets=${_exempt_tickets} exempt_empty_net=${_exempt_empty_net} ledger_hits=${_ledger_hits} unreviewed=${_unreviewed} errors=${_errors}"
 
 # 3ebb DD1: resolve the per-SHA tallies through the tristate lattice. A genuine
 # unreviewed SHA is FAIL (1, the safe bottom — never retried/downgraded); a

plugins/dso/scripts/lib/review-coverage-lib.sh

@@ -143,6 +143,71 @@ rc_diff_is_tickets_only() {
     return 0
 }
 
+# ── c9e9: shared COMBINED-DIFF-EMPTY MERGE exemption predicate ───────────────
+# rc_diff_is_empty_net <sha>
+#
+#   A commit is EXEMPT from per-SHA review coverage IFF it is a MERGE commit that
+#   adds NO content of its OWN beyond its parents — i.e. its combined diff
+#   (`git diff-tree --cc`) is empty (a clean 2-parent staged->main merge, a clean
+#   octopus). NOTE: "combined-diff-empty" is NOT the same as "no net change over
+#   main": a clean --no-ff feature merge (feature adds X, main adds Y, no overlap)
+#   has an empty --cc yet introduces X relative to its first parent. The exemption
+#   is sound anyway because it covers ONLY the merge commit's own (zero) content —
+#   the merge's content-bearing PARENTS are independently enumerated by the
+#   base..head coverage/provenance walk and must EACH be proven reviewed (guarded
+#   by T13 / t15b). So this predicate must NEVER be read as "the merge carries no
+#   reachable new code"; it asserts only "the merge commit itself resolves no
+#   conflicts and introduces no own content". Such a merge carries no reviewable
+#   content of its own, yet it fail-closes the coverage invariant and the
+#   provenance walk because no MERGED PR covers it (A3b excludes the sub-PR whose
+#   merge_commit_sha IS that SHA) — a false wedge (bug c9e9). This is the ONE shared
+#   helper sourced by the coverage consumers (review-coverage-invariant.sh,
+#   verify-session-provenance.sh, fp-recovery-audit-sweep.sh) so they compute the
+#   IDENTICAL exemption (DD6 equivalence test guards divergence).
+#
+#   SAFETY CRUX — rc-vs-emptiness disambiguation (preserve EXACTLY): emptiness ALONE
+#   never proves "genuinely empty". `git diff-tree --cc --no-commit-id --name-only`
+#   ALSO emits empty output when the SHA is uncomputable (bad sha, rc=128). So the
+#   exit code MUST be captured SEPARATELY from emptiness and checked === 0 before
+#   trusting the empty list. NEVER place diff-tree in a pipe that masks its rc.
+#     - merge commit, diff-tree rc==0, EMPTY file list   -> 0 EXEMPT (genuinely empty)
+#     - merge commit, diff-tree rc==0, NON-empty list     -> 1 NOT exempt (content/
+#       conflict-resolution/evil merge — has net change)
+#     - non-merge / single-parent SHA                     -> 1 NOT exempt (a single-
+#       parent content commit must be proven-reviewed like any SHA)
+#     - diff-tree rc!=0 (uncomputable / bad sha)          -> 2 ERROR — caller MUST
+#       fail closed (emptiness + rc!=0 = uncomputable, NEVER "genuinely empty")
+#
+#   FAIL-OPEN VECTORS this closes by construction: (1) inferring "empty" from a bad
+#   SHA's empty output (rc check blocks it); (2) exempting a content/evil merge that
+#   resolves conflicts with its own changes (non-empty list blocks it); (3) exempting
+#   a single-parent commit whose first-parent diff happens to be reported empty
+#   (the >=2-parent gate blocks it). Mirrors rc_diff_is_tickets_only's contract and
+#   the I-1 guard's discipline (emptiness is never silently read as exempt).
+#
+#   Returns: 0 EXEMPT (>=2-parent merge, diff-tree rc==0, empty combined diff)
+#            1 NOT exempt (non-merge, OR rc==0 with a non-empty combined diff)
+#            2 ERROR (diff-tree rc!=0 / bad sha) — caller MUST fail closed
+rc_diff_is_empty_net() {
+    local _sha="${1:-}" _files _rc _nparents
+    [[ -z "$_sha" ]] && return 2
+    # (a) Must be a merge commit: >=2 parents. `rev-list --parents -n1` prints the
+    # SHA followed by each parent SHA, so >=3 whitespace-separated words == >=2
+    # parents. A bad SHA makes rev-list fail -> ERROR (fail closed).
+    _nparents="$(git rev-list --parents -n1 "$_sha" 2>/dev/null)" || return 2
+    [[ -z "$_nparents" ]] && return 2
+    [[ "$(printf '%s' "$_nparents" | wc -w)" -ge 3 ]] || return 1   # not a merge -> NOT exempt
+    # (b)+(c) Combined diff over a merge. core.quotepath=false for literal paths,
+    # consistent with rc_diff_is_tickets_only. CRITICAL: capture rc SEPARATELY (own
+    # statement, NOT through a pipe) so an uncomputable diff is distinguishable from
+    # a genuinely-empty one.
+    _files="$(git -c core.quotepath=false diff-tree --cc --no-commit-id --name-only "$_sha" 2>/dev/null)"
+    _rc=$?
+    [[ $_rc -ne 0 ]] && return 2            # uncomputable / bad sha -> ERROR (fail closed)
+    [[ -z "$_files" ]] && return 0          # genuinely-empty net merge -> EXEMPT
+    return 1                                # non-empty combined diff -> NOT exempt
+}
+
 # rc_review_check_verdict  (check-runs JSON on STDIN)
 #   SINGLE SOURCE OF TRUTH for the poison-on-failure "did the review pass" verdict
 #   over a SHA's check-runs. Any failure-class conclusion (failure/cancelled/

plugins/dso/scripts/verify-session-provenance.sh

@@ -423,6 +423,26 @@ while IFS=' ' read -r sha subject; do
         continue
     fi
 
+    # Genuinely-empty-net merge exemption (c9e9). A >=2-parent merge whose COMBINED
+    # net diff is genuinely empty (e.g. a clean staged->main 2-parent merge / clean
+    # octopus) carries no reviewable application code, so provenance must NOT flag it
+    # unprovenanced — no MERGED PR covers it (A3b excludes the sub-PR whose
+    # merge_commit_sha IS this SHA). This transitively fixes the dispatcher's
+    # empty-net-diff guard, which consumes unprovenanced-shas.txt. Computed by the
+    # shared rc_diff_is_empty_net (review-coverage-lib.sh) so this gate agrees with the
+    # coverage invariant and the fp-recovery sweep (DD6). The helper uses bare `git`
+    # (cwd), so invoke it cd'd into GIT_REPO_PATH. Only rc 0 (proven empty-net)
+    # exempts; rc 1 (non-empty/non-merge) OR rc 2 (uncomputable) falls through to the
+    # normal covering-PR provenance path (which itself flags unprovenanced on doubt) —
+    # so an error here can never launder a SHA.
+    if declare -F rc_diff_is_empty_net >/dev/null 2>&1 \
+       && ( cd "$GIT_REPO_PATH" 2>/dev/null && rc_diff_is_empty_net "$sha" ); then
+        echo "commit $sha status=EMPTY_NET_MERGE; exempt (genuinely-empty net merge diff)"
+        _covered_shas+=("$sha")
+        _cache_set "$sha" "provenanced" || true
+        continue
+    fi
+
     # Identity-based admin exemption (ADR-0022): handled in the G3 covering-PR loop
     # below — a covering PR merged by a designated bypass-actor (server-set
     # merged_by ∈ set) counts as reviewed-equivalent there, so an admin web-UI

tests/scripts/test-rc-diff-is-empty-net.sh

@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+# tests/scripts/test-rc-diff-is-empty-net.sh — c9e9 unit test
+#
+# Drives the PRODUCTION rc_diff_is_empty_net (review-coverage-lib.sh) over REAL git
+# fixtures. This is the SHARED "genuinely-empty net diff" exemption helper, a sibling
+# of rc_diff_is_tickets_only, recognizing a review-exempt class distinct from the
+# I-1 empty-file-list fail-closed case: a 2+-parent MERGE whose combined (--cc) diff
+# is EMPTY (rc==0, zero file entries) carries no net change to review.
+#
+# SAFETY CRUX (preserve exactly): rc==0 is MANDATORY. Emptiness alone NEVER implies
+# "genuinely empty" — an uncomputable diff-tree (bad sha, rc!=0) also produces empty
+# output and MUST be ERROR (2), so every caller fails closed on doubt.
+#
+#   E1 clean 2-parent empty-net merge          -> EXEMPT (0)
+#   E2 clean octopus (3-parent) empty-net merge -> EXEMPT (0)
+#   E3 evil 2-parent merge (own content in merge) -> NOT exempt (1)
+#       NOTE: a CLEAN auto-merge of disjoint, non-conflicting changes has an EMPTY
+#       --cc combined diff by definition (--cc only shows paths differing from ALL
+#       parents), so it is correctly empty-net/EXEMPT — the not-exempt cases are the
+#       merges that introduce OWN content: conflict-resolution (E4) and evil (E3/E6).
+#   E4 conflict-resolution merge (own content)  -> NOT exempt (1)
+#   E5 single-parent content commit             -> NOT exempt (1)   (not a merge)
+#   E6 evil octopus (own content in merge)      -> NOT exempt (1)
+#   E7 bogus / unknown SHA                       -> ERROR (2)        (fail closed)
+
+set -uo pipefail
+export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_SYSTEM=/dev/null GIT_TERMINAL_PROMPT=0
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+LIB="$REPO_ROOT/plugins/dso/scripts/lib/review-coverage-lib.sh"   # shim-exempt: test sources the lib under test
+
+PASS=0; FAIL=0
+_pass() { echo "PASS: $1"; PASS=$((PASS+1)); }
+_fail() { echo "FAIL: $1 ($2)"; FAIL=$((FAIL+1)); }
+
+_W="$(mktemp -d "${TMPDIR:-/tmp}/dso-emptynet.XXXXXX")"; trap 'rm -rf "$_W"' EXIT
+R="$_W/repo"; mkdir -p "$R"
+(
+  cd "$R" || exit 1
+  git init -q -b main
+  git config user.email t@e.st; git config user.name t; git config commit.gpgsign false
+  echo base > README.md; git add README.md; git commit -q -m base
+  base_sha="$(git rev-parse HEAD)"
+
+  # E1 clean 2-parent empty-net merge: a side branch whose change is identical to
+  # what main already has (so the merge introduces NO net change in the combined diff).
+  git checkout -q -b e1side "$base_sha"
+  echo shared > shared.txt; git add shared.txt; git commit -q -m e1-side
+  git checkout -q main
+  echo shared > shared.txt; git add shared.txt; git commit -q -m e1-main
+  git merge -q --no-ff -m "e1 empty-net merge" e1side || true
+  git rev-parse HEAD > "$_W/E1"
+  e1_after="$(git rev-parse HEAD)"
+
+  # E2 clean octopus (3-parent) empty-net merge. Two side branches that each add a
+  # file ALSO added identically on main before the merge -> combined --cc diff empty.
+  git checkout -q -b e2a "$e1_after"
+  echo o1 > oct1.txt; git add oct1.txt; git commit -q -m e2a
+  git checkout -q -b e2b "$e1_after"
+  echo o2 > oct2.txt; git add oct2.txt; git commit -q -m e2b
+  git checkout -q main
+  echo o1 > oct1.txt; echo o2 > oct2.txt; git add oct1.txt oct2.txt; git commit -q -m e2-main
+  git merge -q --no-ff -m "e2 octopus empty-net" e2a e2b || true
+  git rev-parse HEAD > "$_W/E2"
+  e2_after="$(git rev-parse HEAD)"
+
+  # E3 evil 2-parent merge: a 2-parent merge whose merge commit carries OWN content
+  # (a file no parent has) -> --cc combined diff is NON-empty (differs from both
+  # parents). A clean auto-merge of disjoint changes would be empty-net by --cc
+  # semantics, so the not-exempt case must introduce content IN the merge itself.
+  git checkout -q -b e3side "$e2_after"
+  echo c3 > content3.txt; git add content3.txt; git commit -q -m e3-side
+  git checkout -q main
+  echo unrel > unrel3.txt; git add unrel3.txt; git commit -q -m e3-main
+  git merge -q --no-ff --no-commit e3side >/dev/null 2>&1 || true
+  echo evil3 > evil3.txt; git add -A
+  git commit -q -m "e3 evil 2-parent merge"
+  git rev-parse HEAD > "$_W/E3"
+  e3_after="$(git rev-parse HEAD)"
+
+  # E4 conflict-resolution merge with OWN content: both sides edit the same line
+  # differently; the merge commit carries a resolution -> non-empty combined diff.
+  echo line > conflict.txt; git add conflict.txt; git commit -q -m e4-seed
+  e4_seed="$(git rev-parse HEAD)"
+  git checkout -q -b e4side "$e4_seed"
+  echo sideval > conflict.txt; git add conflict.txt; git commit -q -m e4-side
+  git checkout -q main
+  echo mainval > conflict.txt; git add conflict.txt; git commit -q -m e4-main
+  git merge -q --no-ff -m "e4 conflict merge" e4side >/dev/null 2>&1 || {
+    echo resolved > conflict.txt; git add conflict.txt
+    git commit -q --no-edit
+  }
+  git rev-parse HEAD > "$_W/E4"
+  e4_after="$(git rev-parse HEAD)"
+
+  # E5 single-parent content commit (not a merge).
+  echo e5 > five.txt; git add five.txt; git commit -q -m e5-single
+  git rev-parse HEAD > "$_W/E5"
+  e5_after="$(git rev-parse HEAD)"
+
+  # E6 evil octopus: octopus merge that carries OWN content (a file no parent has)
+  # -> combined diff non-empty.
+  git checkout -q -b e6a "$e5_after"
+  echo a6 > e6a.txt; git add e6a.txt; git commit -q -m e6a
+  git checkout -q -b e6b "$e5_after"
+  echo b6 > e6b.txt; git add e6b.txt; git commit -q -m e6b
+  git checkout -q main
+  git merge -q --no-ff --no-commit e6a e6b >/dev/null 2>&1 || true
+  echo evil > evil6.txt; git add -A
+  git commit -q -m "e6 evil octopus"
+  git rev-parse HEAD > "$_W/E6"
+) || { echo "FIXTURE SETUP FAILED"; exit 1; }
+
+# shellcheck source=/dev/null
+source "$LIB"
+
+_verdict() { # _verdict <sha> ; echoes rc
+  ( cd "$R" && rc_diff_is_empty_net "$1" >/dev/null 2>&1; echo $? )
+}
+
+_assert() { # _assert <name> <got> <want>
+    if [[ "$2" == "$3" ]]; then _pass "$1"; else _fail "$1" "rc=$2 want $3"; fi
+}
+_assert "E1 clean 2-parent empty-net merge -> exempt"   "$(_verdict "$(cat "$_W/E1")")" 0
+_assert "E2 clean octopus empty-net merge -> exempt"    "$(_verdict "$(cat "$_W/E2")")" 0
+_assert "E3 content merge -> not exempt"                "$(_verdict "$(cat "$_W/E3")")" 1
+_assert "E4 conflict-resolution merge -> not exempt"    "$(_verdict "$(cat "$_W/E4")")" 1
+_assert "E5 single-parent content commit -> not exempt" "$(_verdict "$(cat "$_W/E5")")" 1
+_assert "E6 evil octopus -> not exempt"                 "$(_verdict "$(cat "$_W/E6")")" 1
+_assert "E7 bogus SHA -> error (fail closed)"           "$(_verdict "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef")" 2
+
+echo ""
+echo "=== test-rc-diff-is-empty-net.sh: PASS=$PASS FAIL=$FAIL ==="
+[[ $FAIL -eq 0 ]]