ops forgejo issue create silently no-ops on a redirecting repo (POST->GET downgrade reads as success) #160

New issue

Open

opened 2026-05-30 17:57:07 +00:00 by coilysiren · 0 comments

coilysiren commented 2026-05-30 17:57:07 +00:00

Owner

Copy link

Summary

coily ops forgejo issue create silently creates nothing when --repo names a repo that 302-redirects (e.g. the pre-split org name coilysiren/<repo> now living under coilyco-flight-deck/<repo>). The redirect downgrades the POST to a GET, so the issues-list endpoint answers HTTP 200 with a JSON array of existing issues. coily treats the 2xx as success and prints the array, looking exactly like a successful create while nothing was created.

A create verb that silently no-ops is a real hazard - the operator (or an agent) believes the issue was filed and moves on.

Reproduction

Observed 2026-05-30 on kai-server while filing infra issues:

coily ops forgejo issue create --repo coilysiren/infrastructure --title "..." --body-file /tmp/x.md
# -> POST https://forgejo.coilysiren.me/api/v1/repos/coilysiren/infrastructure/issues returned HTTP 200: [ {issue}, {issue}, ... ]
# No issue created. The array is the existing issue LIST (newest #183), not a created object.

Retargeting the same call at the canonical owner worked and returned the created issue:

coily ops forgejo issue create --repo coilyco-flight-deck/infrastructure --title "..." --body-file /tmp/x.md
# -> https://forgejo.coilysiren.me/coilyco-flight-deck/infrastructure/issues/185  #185  [open]  ...

Root cause

Forgejo issues a 302 (not 307/308) for the moved repo. HTTP clients downgrade POST->GET on 302 by default. The POST body is dropped and the request lands on GET /repos/{owner}/{repo}/issues (list), which returns 200 + array. coily's create path keys success off the 2xx status without asserting the response is a created-issue object.

Fixes (any/all)

1. Assert the response shape on create. A successful issue create is HTTP 201 with a single object carrying a number. Treat 200, or an array body, or a missing number, as failure - exit non-zero with a clear message naming the redirect.
2. Do not follow cross-host/cross-owner redirects on write verbs, or follow them as 308 (method-preserving) only. A redirected write should error loudly, not silently degrade.
3. Surface the redirect. If the API responds with a 3xx (or the final URL owner != requested owner), print "repo X redirects to Y - retarget --repo at Y" instead of swallowing it.

Fix (1) alone closes the silent-failure hazard; (2)/(3) improve the message.

Impact

Any coily forgejo write verb (issue/label/milestone/release create, issue edit/comment/close) routed at a redirecting repo name is suspect, not just issue create. Worth auditing the whole ops forgejo write surface for the same 2xx-means-success assumption.

Found during the 2026-05-30 kai-server crash investigation while filing follow-up issues.

## Summary `coily ops forgejo issue create` silently creates nothing when `--repo` names a repo that 302-redirects (e.g. the pre-split org name `coilysiren/<repo>` now living under `coilyco-flight-deck/<repo>`). The redirect downgrades the POST to a GET, so the issues-list endpoint answers `HTTP 200` with a JSON array of existing issues. coily treats the 2xx as success and prints the array, looking exactly like a successful create while nothing was created. A create verb that silently no-ops is a real hazard - the operator (or an agent) believes the issue was filed and moves on. ## Reproduction Observed 2026-05-30 on kai-server while filing infra issues: ``` coily ops forgejo issue create --repo coilysiren/infrastructure --title "..." --body-file /tmp/x.md # -> POST https://forgejo.coilysiren.me/api/v1/repos/coilysiren/infrastructure/issues returned HTTP 200: [ {issue}, {issue}, ... ] # No issue created. The array is the existing issue LIST (newest #183), not a created object. ``` Retargeting the same call at the canonical owner worked and returned the created issue: ``` coily ops forgejo issue create --repo coilyco-flight-deck/infrastructure --title "..." --body-file /tmp/x.md # -> https://forgejo.coilysiren.me/coilyco-flight-deck/infrastructure/issues/185 #185 [open] ... ``` ## Root cause Forgejo issues a 302 (not 307/308) for the moved repo. HTTP clients downgrade POST->GET on 302 by default. The POST body is dropped and the request lands on `GET /repos/{owner}/{repo}/issues` (list), which returns 200 + array. coily's create path keys success off the 2xx status without asserting the response is a created-issue object. ## Fixes (any/all) 1. **Assert the response shape on create.** A successful issue create is HTTP 201 with a single object carrying a `number`. Treat 200, or an array body, or a missing `number`, as failure - exit non-zero with a clear message naming the redirect. 2. **Do not follow cross-host/cross-owner redirects on write verbs**, or follow them as 308 (method-preserving) only. A redirected write should error loudly, not silently degrade. 3. **Surface the redirect.** If the API responds with a 3xx (or the final URL owner != requested owner), print "repo X redirects to Y - retarget --repo at Y" instead of swallowing it. Fix (1) alone closes the silent-failure hazard; (2)/(3) improve the message. ## Impact Any coily forgejo write verb (issue/label/milestone/release create, issue edit/comment/close) routed at a redirecting repo name is suspect, not just `issue create`. Worth auditing the whole `ops forgejo` write surface for the same 2xx-means-success assumption. Found during the 2026-05-30 kai-server crash investigation while filing follow-up issues.

coilysiren referenced this issue 2026-05-31 06:19:18 +00:00

coily assumes single-org coilysiren/* in several places (dispatch guard, create redirect) - accept canonical owners post org-split #162

coilysiren added the

P3

label 2026-05-31 06:59:39 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dispatch/issue-306

args-file-mcporter

claude/coily-docker-image-FF2Rw

claude/busy-almeida-0168e4

v2.50.0

v2.49.1

v2.49.0

v2.48.0

v2.47.0

v2.46.0

v2.45.0

v2.44.1

v2.44.0

v2.43.2

v2.43.1

v2.43.0

v2.42.0

v2.41.0

v2.40.2

v2.40.1

v2.40.0

v2.39.0

v2.37.2

v2.38.0

v2.23.0

v2.37.1

v2.37.0

v2.36.0

v2.35.0

v2.34.0

v2.33.0

v2.32.0

v2.31.0

v2.30.0

v2.29.2

v2.29.1

v2.29.0

v2.28.0

v2.27.0

v2.26.0

v2.25.0

v2.24.0

v2.22.0

v2.21.0

v2.20.0

v2.19.0

v2.18.1

v2.18.0

v2.17.0

v2.16.0

v2.15.2

v2.15.1

v2.15.0

v2.14.0

v2.13.1

v2.13.0

v2.12.0

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.1

v2.7.0

v2.6.0

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.0

v2.0.1

v2.0.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.0

v1.13.0

v1.12.0

v1.11.0

v1.10.0

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.8

v1.8.7

v1.8.6

v1.8.5

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.8

v1.7.7

v1.7.6

v1.7.5

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.6.0

v1.5.123

v1.5.122

v1.5.121

v1.5.120

v1.5.119

v1.5.118

v1.5.117

v1.5.116

v1.5.115

v1.5.114

v1.5.113

v1.5.112

v1.5.111

v1.5.110

v1.5.109

v1.5.108

v1.5.107

v1.5.106

v1.5.105

v1.5.104

v1.5.103

v1.5.102

v1.5.101

v1.5.100

v1.5.99

v1.5.98

v1.5.97

v1.5.96

v1.5.95

v1.5.94

v1.5.93

v1.5.92

v1.5.91

v1.5.90

v1.5.89

v1.5.88

v1.5.87

v1.5.86

v1.5.85

v1.5.84

v1.5.83

v1.5.82

v1.5.81

v1.5.80

v1.5.79

v1.5.78

v1.5.77

v1.5.76

v1.5.75

v1.5.74

v1.5.73

v1.5.72

v1.5.71

v1.5.70

v1.5.69

v1.5.68

v1.5.67

v1.5.66

v1.5.65

v1.5.64

v1.5.63

v1.5.62

v1.5.61

v1.5.60

v1.5.59

v1.5.58

v1.5.57

v1.5.56

v1.5.55

v1.5.54

v1.5.53

v1.5.52

v1.5.51

v1.5.50

v1.5.49

v1.5.48

v1.5.47

v1.5.46

v1.5.45

v1.5.44

v1.5.43

v1.5.42

v1.5.41

v1.5.40

v1.5.39

v1.5.38

v1.5.37

v1.5.36

v1.5.35

v1.5.34

v1.5.33

v1.5.32

v1.5.31

v1.5.30

v1.5.29

v1.5.28

v1.5.27

v1.5.26

v1.5.25

v1.5.24

v1.5.23

v1.5.22

v1.5.21

v1.5.20

v1.5.19

v1.5.18

v1.5.17

v1.5.16

v1.5.15

v1.5.14

v1.5.13

v1.5.12

v1.5.11

v1.5.10

v1.5.9

v1.5.8

v1.5.7

v1.5.6

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.1

v1.4.0

v1.3.0

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.0

v0.0.38

v0.0.37

v0.0.36

v0.0.35

v0.0.34

v0.0.33

v0.0.32

v0.0.31

v0.0.30

v0.0.29

v0.0.28

v0.0.27

v0.0.26

v0.0.25

v0.0.24

v0.0.23

v0.0.22

v0.0.21

v0.0.20

v0.0.19

v0.0.18

v0.0.17

v0.0.16

v0.0.15

v0.0.14

v0.0.13

v0.0.12

v0.0.11

v0.0.10

v0.0.9

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

tools-latest

Labels

Clear labels

  

P0

now / blocking / urgent

  

P1

next / important

  

P2

backlog / will do

  

P3

someday / low

  

P4

icebox / frozen / reopen if it becomes real

No labels

P0

P1

P2

P3

P4

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

coilyco-bridge/coily#160

No description provided.