Retrospective of 22.06-10.07 merges showed one recurring miss class: local
logic verified, integration property never checked (#361, #353, #452, #172,
#435). This lands four gates so each of those classes fails BEFORE the
:develop image is pushed:
1. Image boot-smoke in the publish job (develop.yml + scripts/ci/image-smoke.sh):
the exact image watchtower pulls is booted against postgres/redis services
before the push — /api/health (startup migrator, #361-boot/#353), auth/setup,
client dist served, hashed assets immutable + brotli (#452).
2. migration-order gate now also runs on push (test.yml): direct pushes used to
bypass the PR-only gate; base = event.before, zero-SHA skips, force-push
fails closed.
3. External-MCP tool allowlist fails closed (#172 class): corrupt stored value
now reads as [] (deny-all) with an error log instead of null (allow-all);
[] round-trips as jsonb [] via jsonbBind({preserveEmpty}) and means deny-all
in the toolset filter. The settings form sends null for an empty tag field
so existing "unrestricted" servers are not silently narrowed.
4. Property tests for the silent-degradation classes: converter fixpoint
through the live server path (mcp e2e), and CollabSession cache-key
stability under per-call fresh tokens (#435/#439 lesson) incl. a negative
control with the token cache disabled.
Closes#476
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>