Skip to content

[Bug] Step 0.8 commit-body auto-close trap protection gap (direct-commit path) #151

Open
Open
[Bug] Step 0.8 commit-body auto-close trap protection gap (direct-commit path)#151
Labels
bugSomething isn't working
@kiki830621

Description

@kiki830621
kiki830621
opened on May 24, 2026

Problem

Original observation (from /spectra-discuss + /idd-close cluster session 2026-05-25):
#149 was auto-closed by commit body trap. My commit e5e05e1 contained literal text "closes #149" in the body explaining the side-effect fix. GitHub's context-blind parser auto-closed #149, bypassing /idd-close gate. Fixed by posting retroactive Closing Summary marked "(retroactive — auto-closed via commit-body trap)". Step 0.8 PR-only gate doesn't protect direct commits — noted as gap.
— Source: /idd-close cluster #148 #149 closing remediation, session 2026-05-25

Cross-link: surfaced during /idd-issue #150 Step 4.7 Linked-Context Sister Sweep (per IC_R011 canonical file-by-default §1.1, v2.72.0+).

GitHub auto-close 機制(closes/fixes/resolves keyword in commit / PR body)是 context-blind:不分辨 keyword 是「真的要 close」還是「在 prose 中引用 keyword 解釋」。當 commit body 為了 audit 紀錄需要寫 closes #N 時(例如 explain side-effect fix / 引用前次 commit message),GitHub 會把對應 issue auto-close,完全繞過 IDD /idd-close gate(checklist gate / PR gate / semantic gate / IC_R011 sister sweep / residue ack / distribution sync)。

Type

bug — protection gap

Expected

/idd-close gate 應該 100% cover「issue close 行為」:不論 close 來自 explicit /idd-close 呼叫、PR merge 含 close keyword、direct commit 含 close keyword,都應該 enforce IDD discipline。

Actual

  • Step 0.8 PR-only protection:現行 protection 只 hook 在 PR mode(idd-close Step 1.5 PR Gate Check / idd-create-pr 寫 body 時 strip close keyword)
  • Direct-commit path 漏網:當 commit 直接 push 到 default branch(無 PR)+ body 含 closes #N,GitHub 立即 close issue。沒有 plugin-side 攔截點。
  • 觀察證據(本 session 親身遇到):

Impact

  • IDD discipline 在 direct-commit workflow 失效(僅 PR workflow 完整)
  • Audit trail 可能漏 sister concerns / residue / distribution sync(這 4 個 gate 在 retroactive remediation 時容易被遺忘)
  • User 心智模型 friction:「我以為 /idd-close 是唯一 close path,結果 commit body 也會 close」

3 個 candidate path(待 diagnose)

Path 機制 代價
A: Client-side git hook pre-push hook scan commit bodies for closes/fixes/resolves #N → refuse OR force /idd-close invocation Per-user setup;不會 cover CI 直接 push 的情況
B: Retroactive detection + auto-remediation /idd-list 或 cron skill 偵測「issue closed without ## Closing Summary comment」→ AskUserQuestion 補救 需 daemon / hook;reactive 不是 preventive
C: Educational + documentation 在 SKILL.md / manifesto 明確警告「commit body 內 close keyword = 繞過 gate」,提供 audit-safe 寫法(refs #N 而非 closes #N) 純文檔,依賴 user discipline;最低成本但效果有限
D: GitHub API workaround GitHub Action(repo-side)監聽 issue close event → 若無對應 Closing Summary 則重新 open + 提示 Server-side enforcement;但需要 repo admin 部署,跨 repo 推廣困難

Inclination:C(low-cost preventive 文檔)+ B(retroactive safety net)組合;A 留給 power user opt-in;D 列為長期 enterprise option。

Sister Concerns(this issue 的 sister 也需追蹤)

Residue

NSQL §4.6 residue:
本 issue 涵蓋「commit/PR body keyword auto-close trap」這個 bug class,但涵蓋:

  • GitHub UI 點按 "Close issue" button 的直接 close(non-keyword path,不在本 issue scope)
  • 跨 repo close(closes owner/repo#N keyword)— 邊緣 case,待真實 evidence 才處理
  • retroactive remediation tooling(屬 separate issue,若 Path B 採用會自然 spawn)

(本 issue 屬 bug + protection-gap,routing 由 /idd-diagnose 決定;預期 verdict: Plan(Layer P:multi-file 改動 + 風險敏感 hook / git internals + 2+ valid approach)。)

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions