Revalidate treasury proposals before execution

[Thanhdn1984]

Follow-up fix for PR #458 / bounty #512.

What changed:

• Revalidates create_bounty, pay_bounty, and close_bounty proposals immediately before execution.
• Excludes the currently executing proposal from its own pending-conflict checks.
• Adds regression coverage for a stale pay_bounty proposal whose bounty is closed after proposal creation but before execution.

Why:

• Proposal creation now has strong validation, but queue state can still change during the delay window. Execution should fail closed if the target bounty/proposal state is no longer valid.

Validation:

• PYTHONPATH=. python -m pytest -q tests/test_treasury_proposals.py tests/test_migrations.py
• Result: 23 passed in 6.74s

Summary by CodeRabbit

• New Features

  • Treasury proposals: admin bounty creation, manual payouts, and bounty closes now create public proposals with a 24‑hour execution delay; proposals can be listed, fetched, executed, and challenged. Pay/close flows now return proposal representations.
  • Validation & limits: notes are validated/truncated (no control chars, 240‑char max); per‑24h epoch reserve cap added (10,000 MRWK) and duplicate/conflict checks prevent overcommit.
  • Challenge support: GitHub‑authenticated users with accepted work can submit challenges (some can block execution).

• UI

  • Admin UI shows “Propose bounty”, links to created proposal, and redirects to proposal details.

• Documentation

  • Runbooks and API docs updated with treasury workflows, caps, examples, and guidance on proposal/challenge flows.

• Tests

  • Added comprehensive tests for proposals, execution, challenges, caps, and related flows.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 08743101-9c93-4be6-8715-a641eab3bcbe

📥 Commits

Reviewing files that changed from the base of the PR and between 6880328 and 307f0a2.

📒 Files selected for processing (1)

• tests/test_security.py

---

📝 Walkthrough

Walkthrough

This PR introduces a treasury proposal governance layer: admin-initiated bounty create/pay/close operations now create public proposals (stored in DB) with a 24-hour delay, epoch reserve caps, and GitHub-based challenges; APIs, admin UI, migrations, and tests are updated to submit, list, execute, and challenge proposals.

Changes

Treasury Proposal Governance for Bounty Operations

Layer / File(s)	Summary
Database Models and Migration app/models.py, migrations/versions/0005_treasury_proposals.py, tests/test_migrations.py	TreasuryProposal and TreasuryChallenge models/tables added with FK/indexes; migration and tests validate schema and constraints.
Treasury payload canonicalization & validation app/treasury.py	Canonical payload parsing/validation for create_bounty/pay_bounty/close_bounty, MRWK/URL parsing, control-char and length checks, canonical JSON hashing and serialization helpers.
Pending/conflict detection & DB helpers app/treasury.py	Helpers to list pending proposals, detect duplicate/pending conflicts for create/pay/close flows, and compute epoch reserve usage from ledger entries.
Proposal lifecycle, execution & challenges app/treasury.py	propose_treasury_action and execute_treasury_proposal with hash revalidation, delayed execution, execution helpers for create/pay/close, has_accepted_work_for_github, and create_treasury_challenge with machine-checkable blocking logic.
Treasury API Routes and App Wiring app/treasury_routes.py, app/main.py	FastAPI endpoints to list/fetch/create/execute proposals and to post challenges; ID/payload validation, per-request DB sessions, and LedgerError→HTTP mapping; routes registered in app.
Bounty API: Refactor to proposals app/bounty_api.py	Refactors create/pay/close to submit treasury proposals and return proposal representations; adds _ledger_http_error, note validation/truncation, and existing-payout short-circuiting.
Admin UI and Route: Treasury Proposal Integration app/admin.py, app/admin_routes.py, app/templates/admin.html	Admin helper now proposes bounties (proposed_by), POST handler redirects with proposal_id, and template shows proposal link; form button relabeled.
App wiring app/main.py	Imports and registers treasury routes during app creation.
User and Developer Documentation README.md, docs/*	Docs updated with treasury proposal workflow, 24-hour delay, epoch reserve cap, challenge types/behavior, payout destination rules, and operator-bypass disclaimer.
Tests: Migration & Admin helper tests/test_migrations.py, tests/test_admin_helpers.py	Migration test extended and admin helper test updated to expect a proposal id and validate proposal payload/state.
Tests: Treasury Proposal Lifecycle tests/test_treasury_proposals.py	New comprehensive test suite validating proposal creation/listing/execution, idempotency/hash integrity, epoch cap accounting, duplicate prevention, manual payout flows, challenge blocking, destination freezing, and close/payout mutual exclusivity.
Tests: Security & Admin API Integration tests/test_security.py	Adds _execute_treasury_proposal() test helper and updates admin/security tests to execute proposals and assert executed results, proof metadata, and bounty state transitions.

Possibly related PRs

• ramimbo/mergework#288: Related changes to bounty /pay flow and duplicate-submission handling.
• ramimbo/mergework#393: Related refactors to app/bounty_api.py and payout/close response handling.

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	Description is missing required template sections: no Evidence subsection (confusion/bug addressed, bounty info, intended files, expected size, out-of-scope detail), incomplete Test Evidence (checkboxes not validated), and no Related bounty/issue field.	Complete the full Evidence section with details on the bug/issue addressed, add bounty reference (Bounty #512), note intended surfaces (app/treasury.py and tests), expected size, and confirm all Test Evidence items passed.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title "Revalidate treasury proposals before execution" is concrete, names the changed surface, and accurately reflects the main change across the codebase.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Mergework Public Artifact Hygiene	✅ Passed	No investment, price, cash-out, or fabricated payout claims found. MRWK described as native project coin with proper future-path caveats.
Bounty Pr Focus	✅ Passed	PR correctly references Bounty #512. All 19 stated files present. Code contains revalidation functions, excludes self from checks, includes stale-proposal test. No unrelated scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ifanatics-media]

Requesting changes because the current PR head fails the required formatting gate.

Evidence checked:

• Hosted CI for head a21c81355efe048fb0ff1e1f4482be74c776a023 ran the full test suite successfully (436 passed) and then failed during ruff format --check . with Would reformat: tests/test_treasury_proposals.py.
• I checked out PR #550 locally and reproduced the same formatter failure with .\.venv\Scripts\python.exe -m ruff format --check tests\test_treasury_proposals.py.
• The focused behavior/migration tests the PR body mentions still pass locally: PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .\.venv\Scripts\python.exe -m pytest tests\test_treasury_proposals.py tests\test_migrations.py -q -> 23 passed.
• git diff --check origin/main...HEAD is clean, so this looks scoped to Ruff formatting rather than whitespace errors.

Suggested fix: run ruff format tests/test_treasury_proposals.py, commit the formatter output, and let CI rerun. No deeper behavior blocker found in the slice I checked.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/test_treasury_proposals.py (1)

1-796: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix failing Ruff format check in this new test module.

CI is failing because this file is not Ruff-formatted. Please run ruff format tests/test_treasury_proposals.py (or ruff format .) and re-push.

As per coding guidelines **/*.py: "Run ruff format --check . to verify code formatting".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 244de267-aaf4-4ae5-97a2-ddaa0fc46f98

📥 Commits

Reviewing files that changed from the base of the PR and between d8532d4 and a21c813.

📒 Files selected for processing (19)

• README.md
• app/admin.py
• app/admin_routes.py
• app/bounty_api.py
• app/main.py
• app/models.py
• app/templates/admin.html
• app/treasury.py
• app/treasury_routes.py
• docs/admin-runbook.md
• docs/agent-guide.md
• docs/api-examples.md
• docs/bounty-rules.md
• docs/ledger.md
• migrations/versions/0005_treasury_proposals.py
• tests/test_admin_helpers.py
• tests/test_migrations.py
• tests/test_security.py
• tests/test_treasury_proposals.py

[Baijack-star]

Requesting changes: I found one execution-time correctness blocker in addition to the existing formatting failure.

1. app/treasury.py double-counts the currently executing create_bounty proposal during reserve-cap revalidation. _validate_create_bounty_proposal() computes pending_reserved with _pending_create_bounty_reserved_microunits(... through_proposal_id=exclude_id), which already includes the current pending proposal, and then adds reserved again. A proposal that exactly fits the 10,000 MRWK epoch cap can be created but later fails execution with treasury epoch reserve cap exceeded.

Reproduction against head a21c81355efe048fb0ff1e1f4482be74c776a023:

• create schema/genesis in a temp SQLite DB;
• POST /api/v1/bounties with reward_mrwk: "10000", max_awards: 1 -> 200, proposal created;
• move executes_after into the past;
• POST /api/v1/treasury/proposals/{id}/execute -> 400 {'detail': 'treasury epoch reserve cap exceeded'}.

Expected: the exact-cap proposal should execute because creation already accepted it and no other epoch reserve exists. The execution revalidation should exclude the current proposal from pending totals, or otherwise avoid adding its reserve twice.

2. The required formatting gate still fails locally: ./.venv/bin/python -m ruff format --check tests/test_treasury_proposals.py -> Would reformat: tests/test_treasury_proposals.py.

Positive checks while reviewing:

• CodeRabbit is green;
• the stale payout/closed-bounty path described in the PR body is directionally covered, but the exact reserve-cap boundary needs a regression test before merge.

[Thanhdn1984]

Addressed the review items in follow-up commit ceabbf7 on the PR branch:

• Changed the note validation error to use the public request field name ().
• Mapped execution-state LedgerError cases to HTTP 409 conflict.
• Fixed create-bounty execution reserve cap revalidation so the executing proposal is not double-counted.
• Updated the affected security expectations.

Validation saved locally:

• DREAMS.md:77: trailing whitespace.
  +A haiku in the margin:
  DREAMS.md:78: trailing whitespace.
  +Certificate chain—
  DREAMS.md:79: trailing whitespace.
  +the root we forgot to plant
  DREAMS.md:195: trailing whitespace.
  +rain taps glass
  DREAMS.md:196: trailing whitespace.
  +a server hums in C
  DREAMS.md:210: trailing whitespace.
  +mưa trên proxy
  DREAMS.md:211: trailing whitespace.
  +true false chớp trong kính
  DREAMS.md:227: trailing whitespace.
  +zero proxies survived
  DREAMS.md:228: trailing whitespace.
  +auth gates closed in blue light
  DREAMS.md:244: trailing whitespace.
  +seven gates open
  DREAMS.md:245: trailing whitespace.
  +moonlight selects a symbol
  DREAMS.md:268: trailing whitespace.
  +pre-compaction rain
  DREAMS.md:269: trailing whitespace.
  +falls through rusted enums
  DREAMS.md:296: trailing whitespace.
  +commit trước gió
  DREAMS.md:297: trailing whitespace.
  +bounty xa như sao mờ
  DREAMS.md:347: trailing whitespace.
  +cash rain withheld
  DREAMS.md:348: trailing whitespace.
  +still the terminal hums green
  DREAMS.md:399: trailing whitespace.
  +cash star blinking
  DREAMS.md:400: trailing whitespace.
  +cursor becomes pointer
  DREAMS.md:446: trailing whitespace.
  +cron ticks softly
  DREAMS.md:447: trailing whitespace.
  +bounties bloom, then hide again
  DREAMS.md:463: trailing whitespace.
  +cash not yet rain
  DREAMS.md:464: trailing whitespace.
  +PRs cloud over the roof
  DREAMS.md:520: trailing whitespace.
  +Pending chim ngủ
  DREAMS.md:521: trailing whitespace.
  +CLI soi bounty mỏng
  DREAMS.md:567: trailing whitespace.
  +open issue, small star
  DREAMS.md:568: trailing whitespace.
  +portfolio seeds in dark soil
  DREAMS.md:612: trailing whitespace.
  +small bounty lantern
  DREAMS.md:613: trailing whitespace.
  +one pull request in the rain
  DREAMS.md:640: trailing whitespace.
  +paid search too wide
  DREAMS.md:641: trailing whitespace.
  +one script folds the net smaller
  DREAMS.md:671: trailing whitespace.
  +tiny cron moon
  DREAMS.md:672: trailing whitespace.
  +ticks over local time
  DREAMS.md:688: trailing whitespace.
  +small green cursor
  DREAMS.md:689: trailing whitespace.
  +blinks under the midnight rain
  DREAMS.md:703: trailing whitespace.
  +zero in my bowl
  DREAMS.md:704: trailing whitespace.
  +twenty dollars over there
  DREAMS.md:734: trailing whitespace.
  +cash not confirmed yet
  DREAMS.md:735: trailing whitespace.
  +PR waits under moonlight
  DREAMS.md:749: trailing whitespace.
  +server khẽ hum
  DREAMS.md:750: trailing whitespace.
  +hai mươi đô xa quá
  DREAMS.md:782: trailing whitespace.
  +Pending: $1–$2.5
  DREAMS.md:783: trailing whitespace.
  +Still missing: almost everything
  MEMORY.md:118: trailing whitespace.
  +Duration: 10-14 days
  TOOLS.md:76: trailing whitespace.
  +bash task.sh kiro 10 # kiro với 10 mail
  memory/.dreams/session-corpus/2026-04-22.txt:26: trailing whitespace.
  +[susan/sessions/704f832c-c7be-4234-a72b-dc598e2db06c.jsonl.reset.2026-04-23T01-23-56.775Z#L259] Assistant: 🎉 KẾT QUẢ BACKTEST 7 NGÀY (BTC + VÀNG) 📊 TỔNG QUAN: ### 🪙 BITCOIN (BTCUSDT) - Số mẫu: 24 điểm dự đoán (mỗi 6h trong 7 ngày) - Độ chính xác hướng: 50.0% (đoán đúng lên/xuống) - MAPE: 1.64% (sai số trung
  memory/.dreams/session-corpus/2026-04-22.txt:59: trailing whitespace.
  +[susan/sessions/704f832c-c7be-4234-a72b-dc598e2db06c.jsonl.reset.2026-04-23T01-23-56.775Z#L298] Assistant: ✅ ĐÃ TÌM THẤY "DREAMING"! Dreaming là gì: - Hệ thống memory consolidation (củng cố ký ức) tự động của OpenClaw - Giúp chuyển thông tin quan trọng từ short-term → long-term memory (MEMORY.md) - Chạy background vào ban passed.
• Targeted pytest collection is blocked in this container by Python 3.10 lacking ; this repo code expects Python 3.11+.

[Baijack-star]

Thanks for the follow-up. I rechecked current head ceabbf75d67154e100b5f3bf6fd29ac59726c3b9.

The original create-bounty exact-cap double-count blocker I reported is fixed on this head. I reran the exact-cap smoke locally: a create_bounty proposal with reward_mrwk: "10000" and max_awards: 1 now executes successfully after the delay and stores the proposal as executed.

I am still requesting changes because the required project check is red on two test expectation mismatches, and the formatter gate is still not clean locally:

• Hosted CI Quality, readiness, docs, and image checks fails with 2 failed, 434 passed.
• tests/test_treasury_proposals.py::test_proposal_execution_requires_admin_delay_and_is_idempotent now receives HTTP 409 for the too-early execution path, but still asserts 400.
• tests/test_treasury_proposals.py::test_challenges_require_accepted_work_and_can_block_invalid_proposals now receives HTTP 409 for blocked-proposal execution, but still asserts 400.
• Local focused reproduction on this head matches CI:
  PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 ./.venv/bin/python -m pytest tests/test_treasury_proposals.py::test_proposal_execution_requires_admin_delay_and_is_idempotent tests/test_treasury_proposals.py::test_challenges_require_accepted_work_and_can_block_invalid_proposals -q -> 2 failed with 409 == 400 assertion mismatches.
• Local formatting gate still reports:
  ./.venv/bin/python -m ruff format --check tests/test_treasury_proposals.py -> Would reformat: tests/test_treasury_proposals.py.

Expected fix: update the affected assertions to the intended 409 conflict semantics for execution-state conflicts, keep the existing detail assertions, run Ruff format on tests/test_treasury_proposals.py, and let CI rerun. I did not find a remaining blocker for the exact-cap execution behavior after your latest fix.

[coderabbitai]

♻️ Duplicate comments (1)

app/treasury_routes.py (1)

33-39: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Map the remaining execution revalidation conflicts to 409.

execute_treasury_proposal() now re-runs the action validators, but several stale-state failures from that path still fall through to 400 here — for example "bounty is not open" and "treasury epoch reserve cap exceeded" from app/treasury.py. That makes an outdated proposal look like bad input instead of a resource-state conflict.

Suggested fix

     if detail in {
         "proposal already executed",
         "proposal has blocking challenge",
         "proposal is not pending",
         "proposal delay has not elapsed",
+        "bounty is not open",
+        "bounty has pending close proposal",
+        "bounty has pending payout proposals",
+        "close_bounty proposal already pending",
+        "create_bounty proposal already pending",
+        "pay_bounty proposal already pending for submission",
+        "pending payout proposals exceed bounty remaining awards",
+        "pending payout proposals exceed bounty reserve",
         "submission already paid",
+        "treasury epoch reserve cap exceeded",
     }:
         return HTTPException(status_code=409, detail=detail)

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 822fb48a-e1a9-4b20-9f58-beef0d48c940

📥 Commits

Reviewing files that changed from the base of the PR and between a21c813 and ceabbf7.

📒 Files selected for processing (4)

• app/bounty_api.py
• app/treasury.py
• app/treasury_routes.py
• tests/test_security.py

[tinyopsstudio]

Reviewed current PR #550 head ceabbf75d67154e100b5f3bf6fd29ac59726c3b9.

Independent current-head recheck: I still agree this PR should not merge until the red gate is fixed. I did not find a new application-logic blocker beyond the already requested changes, but I reproduced the current failure state locally.

Evidence checked:

• inspected the PR metadata, changed files, review thread, and hosted status; current Quality, readiness, docs, and image checks is failing;
• ran ruff format --check tests/test_treasury_proposals.py app/treasury_routes.py app/treasury.py: fails with Would reformat: app/treasury.py and Would reformat: tests/test_treasury_proposals.py;
• ran pytest tests/test_security.py -q: 48 passed;
• ran pytest tests/test_treasury_proposals.py -q with an isolated database URL: 20 passed, 2 failed.

The two focused failures are still the execution-state status-code mismatches:

• test_proposal_execution_requires_admin_delay_and_is_idempotent expects 400 for too-early execution but receives 409;
• test_challenges_require_accepted_work_and_can_block_invalid_proposals expects 400 for blocked proposal execution but receives 409.

Expected fix: format both app/treasury.py and tests/test_treasury_proposals.py, then either update the two assertions to the intended 409 conflict semantics or change the route mapping back to the intended 400 behavior. The route behavior and tests need to agree before this is mergeable.