feat(issues): generate contributor issue drafts from repo policy

[kiannidev]

Fixes #119

Summary

• Adds maintainer-authenticated contributor issue draft generation from repo focus policy readiness warnings, upstream registry drift, and wanted paths.
• Exposes POST /v1/repos/{owner}/{repo}/contributor-issue-drafts/generate with dry-run as the default, duplicate detection via HTML marker + normalized title, and optional explicit GitHub create with audit logging.
• Generated drafts follow the full issue body contract (background, requirements, boundaries, acceptance criteria, 97% testing requirements) and pass public text hygiene checks before proposal or create.

Scope

• The PR title follows type(scope): short summary Conventional Commit format, for example fix(api): restore profile access checks.
• This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
• This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
• I linked an issue, or this is small enough that the summary explains why an issue is not needed.

Validation

• git diff --check
• npm run actionlint
• npm run typecheck
• npm run test:coverage locally; global coverage stays at or above 97% for lines, statements, functions, and branches (aim for 98%+ branch coverage locally so CI variance does not fail near the threshold)
• npm run test:workers
• npm run build:mcp
• npm run test:mcp-pack
• npm run ui:openapi:check
• npm run ui:lint
• npm run ui:typecheck
• npm run ui:build
• npm audit --audit-level=moderate
• New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

• None skipped locally. Branch coverage landed at 97.00% exactly; additional branch tests were added to stay at the threshold.

Safety

• No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
• Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
• Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests.
• API/OpenAPI/MCP behavior is updated and tested where needed.
• UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks.
• Visible UI changes include a UI Evidence section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository.
• Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs.

UI Evidence

Not applicable — this PR is backend/API/OpenAPI only. No visible UI, frontend, docs, or extension changes.

State / title	JPG/PNG evidence
N/A — no visible UI changes	N/A

Notes

• New env var: optional GITTENSORY_CONTRIBUTOR_ISSUE_TOKEN for explicit create; falls back to existing drift/public tokens when unset.
• Explicit create requires create: true and dryRun: false; malformed JSON returns 400 invalid_json; invalid schema returns 400 invalid_contributor_issue_draft_request.
• Added route coverage tests for contributor-issue-drafts, focus-manifest, and onboarding-pack auth/error paths while restoring global branch coverage.
• OpenAPI UI spec updated for the new generate endpoint.

[gittensory]

Note

Gittensory Gate skipped

PR closed before full evaluation. No late first comment was created.

Signal	Result	Evidence	Action
Gate result	⚠️ Skipped	#462 is no longer open.	No action.

---

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

[JSONbored]

@kiannidev this should not merge in its current shape.

A few notes:

• The draft-generation direction matches #119, and the dry-run/default-create guard is the right posture.
• The branch is stacked on the focus-manifest work from #389 and overlaps it across .gittensory.yml, OpenAPI, route source, and focus-manifest tests.
• The generated public issue contract hardcodes Gittensory's own npm run test:ci and 97% coverage requirements. That is not safe as a generic contributor-issue draft for arbitrary repos.
• The focus-manifest GET/PUT surface included here still needs the repo-scoped session access fix before it is safe as a maintainer API.

Required changes:

• Rebase/narrow after the focus-manifest route decision, or remove the duplicated #389 surface from this PR.
• Do not generate repo-specific Gittensory validation requirements unless they come from that repo's configured policy.
• Carry over the repo-scoped session access fix for any repo-scoped route included here.

Validation expected:

• Rerun contributor issue draft tests, focus-manifest route tests if still touched, OpenAPI check, and full validation.

[kiannidev]

@JSONbored Thanks for the detailed review — addressed all three blockers.

Scope / #389 overlap

• Rebased onto current main and removed the stacked focus-manifest surface from this PR.
• Diff is now limited to the contributor draft service, generate route, OpenAPI entry, env token, and draft/route tests (7 files). No .gittensory.yml, focus-manifest GET/PUT routes, or focus-manifest test files.

Policy-driven validation text

• Removed hardcoded Gittensory npm run test:ci / 97% coverage from generated issue bodies.
• Added buildContributorIssueDraftTestingRequirements(manifest) so testing requirements come from manifest.testExpectations when present, with a generic fallback when the repo policy has none.
• Added tests for both the configured-policy and generic-fallback paths.

Repo-scoped session access

• POST /v1/repos/:owner/:repo/contributor-issue-drafts/generate now applies requireSessionRepoAccess for browser sessions and whitelists the path in canSessionAccessPath.
• Route tests cover allowed same-repo sessions, forbidden cross-repo sessions (403 forbidden_repo), static-token access, malformed JSON, and explicit-create guard.

Validation

• npm run typecheck
• npm run test:coverage (97.03% branches)
• npm run ui:openapi:check
• Contributor issue draft + route tests

Focus-manifest authorization remains in #389. Ready for another look.

[superagent-security]

Superagent didn't find any vulnerabilities or security issues in this PR.

[JSONbored]

@kiannidev this is ready from my side now.

A few notes:

• The previous blockers are addressed: this branch is no longer carrying the #389 focus-manifest surface, validation text is policy-driven instead of hardcoded to Gittensory's local gates, and the route now has repo-scoped session access tests.
• The dry-run default, explicit-create guard, duplicate detection, public text hygiene checks, and audit behavior all fit #119.
• The API/OpenAPI/test coverage is focused enough for this scope.

No code changes requested.