[worktree-20260606-211401] fix(coverage): narrow A3b self-merge guard to genuine merge nodes (bug 374f)

[joeoakhart]

Commits

• feat(enforce-flip): swap merge-pipeline-checks -> review-gate; review-gate enforce
• fix(coverage): narrow A3b self-merge guard to genuine merge nodes (bug 374f)
• chore: bump version to v1.17.143

---

Auto-generated by merge-to-main-pr.sh from git log --no-merges origin/main..HEAD.

Summary by CodeRabbit

• New Features

  • Review gate now operates in enforce mode, actively blocking merges when violations are detected (previously in warn mode).

• Bug Fixes

  • Improved edge-case handling in review coverage detection to correctly distinguish between rebase/squash commits and genuine merge nodes.

• Chores

  • Updated required status checks configuration to use review-gate instead of previous check.
  • Plugin version bumped to 1.17.143.
  • Added and updated test coverage for review gate and required checks logic.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 91e9d930-6b07-4a0f-957c-01d0b7f10fa5

📥 Commits

Reviewing files that changed from the base of the PR and between 0e636a3 and 530f088.

📒 Files selected for processing (11)

• .github/required-checks.txt
• .github/workflows/review-gate.yml
• plugins/dso/.claude-plugin/plugin.json
• plugins/dso/scripts/lib/review-coverage-lib.sh
• plugins/dso/scripts/promote-ruleset-required.sh
• plugins/dso/scripts/update-required-checks-manifest.sh
• plugins/dso/scripts/verify-session-provenance.sh
• tests/scripts/test-promote-ruleset-required.sh
• tests/scripts/test-rc-a3b-should-exclude.sh
• tests/scripts/test-review-coverage-invariant.sh
• tests/scripts/test-validate-required-checks.sh

---

Walkthrough

This PR migrates the merge-gate mechanism from merge-pipeline-checks to review-gate in enforce mode, introducing a topology-aware self-merge exclusion predicate that allows rebase/squash-merged PR tips while excluding true merges. Configuration, coverage library, provenance scripts, workflow mode, and tests are updated cohesively.

Changes

Merge-gate transition with topology-aware self-merge handling

Layer / File(s)	Summary
Topology-aware self-merge exclusion predicate plugins/dso/scripts/lib/review-coverage-lib.sh, tests/scripts/test-rc-a3b-should-exclude.sh	rc_a3b_should_exclude function keeps covering PRs matching the SHA under review only when the SHA has exactly one parent (rebase/squash), excluding true merges and unknown topologies in fail-closed mode. Unit test verifies 1-parent keep vs. 2-parent exclude behavior.
Coverage library integration of topology predicate plugins/dso/scripts/lib/review-coverage-lib.sh	rc_sha_is_reviewed updated to defer self-merge exclusion from Python extraction to Bash filtering. Python emits mcs_match flag per covering PR; Bash loop calls rc_a3b_should_exclude to decide whether to skip, replacing blanket exclusion on exact SHA match.
Provenance verification script topology-aware filtering plugins/dso/scripts/verify-session-provenance.sh	Python extraction emits mcs_match alongside covering PR numbers; G3 verification loop parses new tab-delimited format and calls rc_a3b_should_exclude instead of blanket filtering on merge_commit_sha match. Changes which covering PRs are eligible for provenance classification.
Required-checks configuration migration to review-gate .github/required-checks.txt, plugins/dso/scripts/promote-ruleset-required.sh, plugins/dso/scripts/update-required-checks-manifest.sh	Replaces merge-pipeline-checks with review-gate as the required check-context. Ownership comment documents that merge-pipeline-checks is retained in ci.yml but removed from MAIN ruleset. Promotion and manifest-update scripts stage and maintain review-gate instead.
Review-gate workflow mode flip to enforce .github/workflows/review-gate.yml	Rollout documentation updated to reflect MODE=enforce (previously warn). DSO_REVIEW_GATE_MODE environment variable changed from warn to enforce so review-gate.sh runs in fail-closed mode when sub-check violations occur.
Test coverage for new predicate and configuration changes tests/scripts/test-promote-ruleset-required.sh, tests/scripts/test-rc-a3b-should-exclude.sh, tests/scripts/test-review-coverage-invariant.sh, tests/scripts/test-validate-required-checks.sh	Unit test validates topology-based exclusion decisions across mcs_match values and commit parent counts. Coverage-invariant tests T14 and T15 verify 1-parent tips are allowed and evil merges are blocked (bug 374f). Configuration tests assert review-gate is added and merge-pipeline-checks is not re-added by the update script.
Plugin manifest version bump plugins/dso/.claude-plugin/plugin.json	Version incremented from 1.17.142 to 1.17.143.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• navapbc/digital-service-orchestra#259: Both modify verify-session-provenance.sh to change self/near-self covering PR filtering logic around merge_commit_sha to prevent llm-review bypass.
• navapbc/digital-service-orchestra#648: Both modify plugins/dso/scripts/lib/review-coverage-lib.sh and alter rc_sha_is_reviewed() covering-PR matching behavior, though this PR adds topology-aware exclusion while the other changes retry/backoff logic.
• navapbc/digital-service-orchestra#438: Both update required-checks tooling by modifying promote-ruleset-required.sh and update-required-checks-manifest.sh to change which check-contexts are treated as required/staged per ruleset.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: fixing a bug in the A3b self-merge guard to narrow its scope to genuine merge nodes, rather than incorrectly excluding rebase-merged tips.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch staged-e90a943c6116-1780846417

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}