fix(canvas): add aria-hidden to TestConnectionButton spinner SVG

The spinner SVG inside the test-connection button is decorative — it
visualizes loading state alongside the text label. Add aria-hidden="true"
so screen readers ignore it and use only the visible text as the accessible
button name.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/scripts/gitea-merge-queue.py

@@ -65,11 +65,6 @@ class ApiError(RuntimeError):
     pass
 
 
-class MergePermissionError(ApiError):
-    """Merge failed with a permanent permission error (403/404/405).
-    The queue should skip this PR and move to the next one."""
-
-
 @dataclasses.dataclass(frozen=True)
 class MergeDecision:
     ready: bool
@@ -153,38 +148,15 @@ def latest_statuses_by_context(statuses: list[dict]) -> dict[str, dict]:
     return latest
 
 
-def _is_tier_low_pending_ok(
-    latest_statuses: dict[str, dict],
-    context: str,
-    pr_labels: set[str],
-) -> bool:
-    """Return True if tier:low PR can tolerate sop-checklist pending state.
-
-    Per sop-checklist-config.yaml tier_failure_mode, tier:low uses soft-fail:
-    sop-checklist posts state=pending when acks are satisfied (missing
-    manager/ceo acks are informational only). The queue should accept
-    pending instead of waiting for success.
-    """
-    if "tier:low" not in pr_labels:
-        return False
-    if "sop-checklist" not in context:
-        return False
-    status = latest_statuses.get(context) or {}
-    return status_state(status) == "pending"
-
-
 def required_contexts_green(
     latest_statuses: dict[str, dict],
     contexts: list[str],
-    pr_labels: set[str] | None = None,
 ) -> tuple[bool, list[str]]:
     missing_or_bad: list[str] = []
     for context in contexts:
         status = latest_statuses.get(context)
         state = status_state(status or {})
         if state != "success":
-            if pr_labels and _is_tier_low_pending_ok(latest_statuses, context, pr_labels):
-                continue  # tier:low soft-fail: accept pending sop-checklist
             missing_or_bad.append(f"{context}={state or 'missing'}")
     return not missing_or_bad, missing_or_bad
 
@@ -237,7 +209,6 @@ def evaluate_merge_readiness(
     pr_status: dict,
     required_contexts: list[str],
     pr_has_current_base: bool,
-    pr_labels: set[str] | None = None,
 ) -> MergeDecision:
     # Check push-required contexts explicitly instead of combined state.
     # Combined state can be "failure" due to non-blocking jobs
@@ -257,7 +228,7 @@ def evaluate_merge_readiness(
     # The required_contexts list is the authoritative gate — it includes only
     # the checks that actually block merges.
     latest = latest_statuses_by_context(pr_status.get("statuses") or [])
-    ok, missing_or_bad = required_contexts_green(latest, required_contexts, pr_labels)
+    ok, missing_or_bad = required_contexts_green(latest, required_contexts)
     if not ok:
         return MergeDecision(False, "wait", "required contexts not green: " + ", ".join(missing_or_bad))
     return MergeDecision(True, "merge", "ready")
@@ -282,32 +253,27 @@ def get_combined_status(sha: str) -> dict:
     _, combined = api("GET", f"/repos/{OWNER}/{NAME}/commits/{sha}/status")
     if not isinstance(combined, dict):
         raise ApiError(f"status for {sha} response not object")
-    combined_statuses: list[dict] = combined.get("statuses") or []
+    # Fetch full statuses list; 200 covers >99% of real-world runs.
+    # The list is ordered ascending by id (oldest first) — callers must
+    # iterate in reverse to get the newest entry per context.
+    # Best-effort: large repos (main with 550+ statuses) may time out.
+    # On timeout, fall back to the statuses[] already in the combined
+    # response (usually 30 entries — enough for most PRs, enough for
+    # main's early push-required contexts).
     try:
-        _, all_statuses_raw = api(
+        _, all_statuses = api(
             "GET",
             f"/repos/{OWNER}/{NAME}/commits/{sha}/statuses",
             query={"limit": "50"},
         )
-        if isinstance(all_statuses_raw, list):
-            all_statuses: list[dict] = list(all_statuses_raw)
-        else:
-            all_statuses = []
+        if isinstance(all_statuses, list):
+            combined["statuses"] = all_statuses
     except (ApiError, urllib.error.URLError, TimeoutError, OSError) as exc:
+        # URLError covers network-level failures (DNS, refused, timeout).
+        # TimeoutError and OSError cover socket-level timeouts.
         sys.stderr.write(f"::warning::could not fetch full statuses list for {sha[:8]}: {exc}\n")
-        all_statuses = []
-    # Build latest per context: process combined (ascending→reverse=newest
-    # first), then fill gaps from all_statuses (already newest-first).
-    latest: dict[str, dict] = {}
-    for status in reversed(sorted(combined_statuses, key=lambda s: s.get("id") or 0)):
-        ctx = status.get("context")
-        if isinstance(ctx, str) and ctx not in latest:
-            latest[ctx] = status
-    for status in all_statuses:
-        ctx = status.get("context")
-        if isinstance(ctx, str) and ctx not in latest:
-            latest[ctx] = status
-    combined["statuses"] = list(latest.values())
+        # Fall back to the statuses[] already in the combined response.
+        pass
     return combined
 
 
@@ -348,30 +314,6 @@ def post_comment(pr_number: int, body: str, *, dry_run: bool) -> None:
     api("POST", f"/repos/{OWNER}/{NAME}/issues/{pr_number}/comments", body={"body": body})
 
 
-def add_hold_label(pr_number: int, dry_run: bool) -> bool:
-    """Apply the merge-queue-hold label to a PR. Returns True if the label
-    was added (or was already present)."""
-    if not HOLD_LABEL:
-        return False
-    print(f"::notice::adding `{HOLD_LABEL}` to PR #{pr_number}")
-    if dry_run:
-        return True
-    try:
-        api(
-            "POST",
-            f"/repos/{OWNER}/{NAME}/issues/{pr_number}/labels",
-            body={"labels": [HOLD_LABEL]},
-        )
-        return True
-    except ApiError as exc:
-        # 404 = PR already closed/deleted; 422 = label already present (Gitea
-        # returns 422 for duplicate label assignment — not a real error).
-        if "404" in str(exc) or "422" in str(exc):
-            return True
-        sys.stderr.write(f"::warning::could not add hold label to PR #{pr_number}: {exc}\n")
-        return False
-
-
 def update_pull(pr_number: int, *, dry_run: bool) -> None:
     print(f"::notice::updating PR #{pr_number} with base branch via style={UPDATE_STYLE}")
     if dry_run:
@@ -396,16 +338,7 @@ def merge_pull(pr_number: int, *, dry_run: bool) -> None:
     print(f"::notice::merging PR #{pr_number}")
     if dry_run:
         return
-    try:
-        api("POST", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/merge", body=payload, expect_json=False)
-    except ApiError as exc:
-        # Re-raise permission-like errors so process_once can skip this PR.
-        # 403 = no push access, 404 = repo/pr not found, 405 = not allowed.
-        msg = str(exc)
-        for code in ("403", "404", "405"):
-            if code in msg:
-                raise MergePermissionError(msg) from exc
-        raise  # re-raise other ApiErrors unchanged
+    api("POST", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/merge", body=payload, expect_json=False)
 
 
 def process_once(*, dry_run: bool = False) -> int:
@@ -447,13 +380,11 @@ def process_once(*, dry_run: bool = False) -> int:
     commits = get_pull_commits(pr_number)
     current_base = pr_has_current_base(pr, commits, main_sha)
     pr_status = get_combined_status(head_sha)
-    pr_labels = label_names(pr)
     decision = evaluate_merge_readiness(
         main_status=main_status,
         pr_status=pr_status,
         required_contexts=contexts,
         pr_has_current_base=current_base,
-        pr_labels=pr_labels,
     )
 
     print(f"::notice::PR #{pr_number} decision={decision.action}: {decision.reason}")
@@ -468,24 +399,6 @@ def process_once(*, dry_run: bool = False) -> int:
             dry_run=dry_run,
         )
         return 0
-    if decision.action == "wait":
-        # Required contexts are not green. Auto-hold so the queue stops cycling
-        # on this PR and processes the next. Holds are removed manually once the
-        # blocker (e.g. qa/sec gate, missing SOP_TIER_CHECK_TOKEN) is resolved.
-        # Distinguish "not all required status checks successful" 405 (merge
-        # attempted → add hold + comment) from permanent permission errors.
-        add_hold_label(pr_number, dry_run=dry_run)
-        post_comment(
-            pr_number,
-            (
-                f"merge-queue: auto-held — required contexts not green: "
-                f"{decision.reason}. "
-                "Remove the `merge-queue-hold` label and re-label `merge-queue` "
-                "to restart queue processing once the blocker is resolved."
-            ),
-            dry_run=dry_run,
-        )
-        return 0
     if decision.ready:
         latest_main_sha = get_branch_head(WATCH_BRANCH)
         if latest_main_sha != main_sha:
@@ -494,42 +407,7 @@ def process_once(*, dry_run: bool = False) -> int:
                 "deferring to next tick"
             )
             return 0
-        try:
-            merge_pull(pr_number, dry_run=dry_run)
-        except MergePermissionError as exc:
-            # Permanent merge failure (HTTP 403/404/405). Distinguish the
-            # Gitea-internal "status check gate" 405 (merge attempted, gate
-            # blocked) from a genuine permission error.
-            msg_lower = str(exc).lower()
-            is_status_check_failure = "not all required status checks successful" in msg_lower
-            sys.stderr.write(f"::error::merge permission error for PR #{pr_number}: {exc}\n")
-            if is_status_check_failure:
-                # Merge API returned 405 because a required status check (e.g.
-                # qa-review, security-review) was still failing at merge time.
-                # Auto-hold so the queue stops cycling and processes the next PR.
-                add_hold_label(pr_number, dry_run=dry_run)
-                post_comment(
-                    pr_number,
-                    (
-                        "merge-queue: merge attempt blocked by Gitea's required-status-check "
-                        "gate (HTTP 405 'not all required status checks successful'). "
-                        "Auto-held — remove `merge-queue-hold` and re-label `merge-queue` "
-                        "once the blocking checks pass."
-                    ),
-                    dry_run=dry_run,
-                )
-            else:
-                post_comment(
-                    pr_number,
-                    (
-                        "merge-queue: merge failed with HTTP 405 'User not allowed to merge PR'. "
-                        "No available token has Can-merge permission on this repo. "
-                        "Fix: grant Can-merge to a token, or add a maintain/admin collaborator. "
-                        "Skipping to next queued PR on next tick."
-                    ),
-                    dry_run=dry_run,
-                )
-            return 0
+        merge_pull(pr_number, dry_run=dry_run)
         return 0
     return 0
 

.gitea/scripts/tests/test_gitea_merge_queue.py

@@ -118,92 +118,3 @@ def test_merge_decision_updates_stale_pr_before_merge():
 
     assert decision.ready is False
     assert decision.action == "update"
-
-
-def test_MergePermissionError_inherits_from_ApiError():
-    assert issubclass(mq.MergePermissionError, mq.ApiError)
-
-
-def test_MergePermissionError_message_preserved():
-    exc = mq.MergePermissionError("POST /merge -> HTTP 405: User not allowed")
-    assert "405" in str(exc)
-    assert "User not allowed" in str(exc)
-
-
-def test_merge_decision_waits_when_required_contexts_not_green():
-    """When a required context (e.g. CI / all-required) is not success, the
-    decision is 'wait' — the queue can then auto-hold on this."""
-    required = [
-        "CI / all-required (pull_request)",
-        "sop-checklist / all-items-acked (pull_request)",
-    ]
-    decision = mq.evaluate_merge_readiness(
-        main_status={
-            "state": "success",
-            "statuses": [{"context": "CI / all-required (push)", "status": "success"}],
-        },
-        pr_status={
-            "state": "failure",
-            "statuses": [
-                {"context": "CI / all-required (pull_request)", "status": "failure"},
-                {"context": "sop-checklist / all-items-acked (pull_request)", "status": "success"},
-            ],
-        },
-        required_contexts=required,
-        pr_has_current_base=True,
-        pr_labels=None,
-    )
-    assert decision.ready is False
-    assert decision.action == "wait"
-    assert "CI / all-required" in decision.reason
-
-
-def test_tier_low_sop_checklist_pending_is_accepted():
-    """tier:low PRs get soft-fail on sop-checklist: pending is OK."""
-    required = ["sop-checklist / all-items-acked (pull_request)"]
-    statuses = {
-        "sop-checklist / all-items-acked (pull_request)": {
-            "status": "pending",
-        }
-    }
-    ok, missing = mq.required_contexts_green(
-        statuses, required, pr_labels={"tier:low"}
-    )
-    assert ok is True
-    assert missing == []
-
-
-def test_tier_low_sop_checklist_failure_is_not_accepted():
-    """tier:low soft-fail only covers pending, not actual failure."""
-    required = ["sop-checklist / all-items-acked (pull_request)"]
-    statuses = {
-        "sop-checklist / all-items-acked (pull_request)": {
-            "status": "failure",
-        }
-    }
-    ok, missing = mq.required_contexts_green(
-        statuses, required, pr_labels={"tier:low"}
-    )
-    assert ok is False
-
-
-def test_is_tier_low_pending_ok_true():
-    statuses = {
-        "sop-checklist / all-items-acked (pull_request)": {"status": "pending"}
-    }
-    assert mq._is_tier_low_pending_ok(
-        statuses,
-        "sop-checklist / all-items-acked (pull_request)",
-        {"tier:low"},
-    ) is True
-
-
-def test_is_tier_low_pending_ok_not_tier_low():
-    statuses = {
-        "sop-checklist / all-items-acked (pull_request)": {"status": "pending"}
-    }
-    assert mq._is_tier_low_pending_ok(
-        statuses,
-        "sop-checklist / all-items-acked (pull_request)",
-        set(),
-    ) is False

.gitea/workflows/qa-review.yml

@@ -89,7 +89,6 @@ on:
 permissions:
   contents: read
   pull-requests: read
-  secrets: read  # required for SOP_TIER_CHECK_TOKEN team-membership probe
 
 jobs:
   # bp-exempt: PR review bot signal; required merge state is enforced by CI / all-required.

.gitea/workflows/security-review.yml

@@ -16,7 +16,6 @@ on:
 permissions:
   contents: read
   pull-requests: read
-  secrets: read  # required for SOP_TIER_CHECK_TOKEN team-membership probe
 
 jobs:
   # bp-exempt: PR security review bot signal; required merge state is enforced by CI / all-required.

canvas/src/components/settings/OrgTokensTab.tsx

@@ -160,14 +160,14 @@ export function OrgTokensTab() {
             </code>
             <button
               onClick={handleCopy}
-              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors"
+              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
             >
               {copied ? 'Copied' : 'Copy'}
             </button>
           </div>
           <button
             onClick={() => setNewToken(null)}
-            className="text-[9px] text-good/60 hover:text-good transition-colors"
+            className="text-[9px] text-good/60 hover:text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
           >
             Dismiss
           </button>
@@ -219,7 +219,7 @@ export function OrgTokensTab() {
               </div>
               <button
                 onClick={() => setRevokeTarget(t)}
-                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 shrink-0"
+                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 shrink-0 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
               >
                 Revoke
               </button>

canvas/src/components/settings/TokensTab.tsx

@@ -107,14 +107,14 @@ export function TokensTab({ workspaceId }: TokensTabProps) {
             </code>
             <button
               onClick={handleCopy}
-              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors"
+              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
             >
               {copied ? 'Copied' : 'Copy'}
             </button>
           </div>
           <button
             onClick={() => setNewToken(null)}
-            className="text-[9px] text-good/60 hover:text-good transition-colors"
+            className="text-[9px] text-good/60 hover:text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
           >
             Dismiss
           </button>
@@ -159,7 +159,7 @@ export function TokensTab({ workspaceId }: TokensTabProps) {
               </div>
               <button
                 onClick={() => setRevokeTarget(t)}
-                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1"
+                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
               >
                 Revoke
               </button>

canvas/src/components/ui/TestConnectionButton.tsx

@@ -85,7 +85,7 @@ export function TestConnectionButton({
 
 function Spinner() {
   return (
-    <svg className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+    <svg aria-hidden="true" className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
       <path d="M12 2v4M12 18v4M4.93 4.93l2.83 2.83M16.24 16.24l2.83 2.83M2 12h4M18 12h4M4.93 19.07l2.83-2.83M16.24 7.76l2.83-2.83" />
     </svg>
   );

canvas/src/styles/settings-panel.css

@@ -649,6 +649,10 @@
   border-radius: 6px;
   cursor: pointer;
 }
+.delete-dialog__cancel-btn:focus-visible {
+  outline: var(--focus-ring);
+  outline-offset: var(--focus-ring-offset);
+}
 
 .delete-dialog__confirm-btn {
   background: var(--status-invalid);
@@ -658,6 +662,10 @@
   border-radius: 6px;
   cursor: pointer;
 }
+.delete-dialog__confirm-btn:focus-visible {
+  outline: var(--focus-ring);
+  outline-offset: var(--focus-ring-offset);
+}
 
 .delete-dialog__confirm-btn:disabled { opacity: 0.4; cursor: not-allowed; }