kin: auto-commit after pipeline

2026-03-17 23:31:24 +02:00 · 2026-03-17 23:31:24 +02:00 · 24996b3974
commit 24996b3974
parent 95ba853b49
4 changed files with 77 additions and 11 deletions
--- a/agents/runner.py
+++ b/agents/runner.py
@ -259,10 +259,9 @@ def _run_claude(
        "--output-format", "json",
        "--model", model,
    ]
-    if allow_write:
-        cmd.append("--dangerously-skip-permissions")
-
    is_noninteractive = noninteractive or os.environ.get("KIN_NONINTERACTIVE") == "1"
+    if allow_write or noninteractive:
+        cmd.append("--dangerously-skip-permissions")
    if timeout is None:
        env_timeout = os.environ.get("KIN_AGENT_TIMEOUT")
        if env_timeout:
@ -824,6 +823,7 @@ def _is_test_failure(result: dict) -> bool:
 # Roles that trigger auto-test when project.auto_test_enabled is set
 _AUTO_TEST_ROLES = {"backend_dev", "frontend_dev"}
 _WORKTREE_ROLES = {"backend_dev", "frontend_dev", "debugger"}
+_DEV_GUARD_ROLES = {"backend_dev", "frontend_dev", "debugger"}


 def _detect_test_command(project_path: str) -> str | None:
@ -1632,6 +1632,7 @@ def run_pipeline(
                    dry_run=False,
                    allow_write=True,
                    noninteractive=noninteractive,
+                    working_dir_override=worktree_path,
                )
                allow_write = True  # subsequent steps also with allow_write
                total_cost += retry.get("cost_usd") or 0
@ -1712,6 +1713,21 @@ def run_pipeline(
                        "total_duration_seconds": total_duration,
                        "pipeline_id": pipeline["id"] if pipeline else None,
                    }
+                # Fix D: suspicious guard — empty merged_files means agent made no changes
+                if not merge_result.get("merged_files"):
+                    result["suspicious"] = True
+                    result["suspicious_reason"] = "agent reported success but no file changes detected"
+                    _logger.warning("KIN-117: suspicious step %s — no merged files after worktree merge", role)
+                    try:
+                        if pipeline:
+                            models.write_log(
+                                conn, pipeline["id"],
+                                f"Step {i+1}/{len(steps)} suspicious: {role} reported success but merged no files",
+                                level="WARN",
+                                extra={"role": role},
+                            )
+                    except Exception:
+                        pass
                cleanup_worktree(worktree_path, p_path)
            except Exception:
                pass  # Worktree errors must never block pipeline
@ -2028,6 +2044,20 @@ def run_pipeline(
            if p_path.is_dir():
                changed_files = _get_changed_files(str(p_path))

+        # Fix D: retroactive suspicious guard — if no files changed after pipeline,
+        # mark successful dev-agent steps as suspicious (agent may have not written files)
+        if changed_files is not None and not changed_files:
+            for _r in results:
+                if (_r.get("role") in _DEV_GUARD_ROLES
+                        and _r.get("success")
+                        and not _r.get("suspicious")):
+                    _r["suspicious"] = True
+                    _r["suspicious_reason"] = "agent reported success but no file changes detected"
+                    _logger.warning(
+                        "KIN-117: suspicious step %s — no file changes after pipeline",
+                        _r.get("role"),
+                    )
+
        last_role = steps[-1].get("role", "") if steps else ""
        # For dept pipelines: if last step is a _head, check the last worker in its sub-pipeline
        effective_last_role = _last_sub_role if (_is_department_head(last_role) and _last_sub_role) else last_role