Skip to content

fix(review): keep priority propagation strict#4491

Closed
JSONbored wants to merge 2 commits into
mainfrom
codex/fix-reward-label-propagation-vulnerability
Closed

fix(review): keep priority propagation strict#4491
JSONbored wants to merge 2 commits into
mainfrom
codex/fix-reward-label-propagation-vulnerability

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • Prevent a reward-label integrity issue where an external contributor could farm a reward-bearing gittensor:priority label by citing an unrelated open maintainer-authored issue in PR text.
  • Preserve the intended strict author-or-assignee gate for reward mappings while keeping the repo's bundled manifest and public config aligned.

Description

  • Remove the public trustMaintainerAuthoredIssueForReward opt-in from the gittensor:priority mapping in .gittensory.yml and the bundled focus manifest in src/config/gittensory-repo-focus-manifest.ts so reward labels require direct issue authorship or assignment.
  • Update the explanatory comment in the focus manifest to document that the public config intentionally keeps priority strict to avoid closing-keyword farming.
  • Add an assertion to test/unit/gittensory-focus-manifest.test.ts to ensure the bundled mapping does not enable trustMaintainerAuthoredIssueForReward.

Testing

  • Ran git diff --check and the manifest drift verifier npm run manifest:drift-check, both succeeded.
  • Ran npx vitest run test/unit/gittensory-focus-manifest.test.ts test/unit/linked-issue-label-propagation-fetch.test.ts, all unit tests executed for these files passed.
  • Attempting the full local gate (npm run test:ci) could not fully complete due to unrelated infra checks: cf-typegen:check flagged stale generated worker types and npm audit --audit-level=moderate returned a 403 from the npm audit endpoint, so the full CI sweep was not completed in this environment.

Codex Task

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 9, 2026
@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.12%. Comparing base (63d5a0f) to head (994f99f).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4491   +/-   ##
=======================================
  Coverage   94.12%   94.12%           
=======================================
  Files         430      430           
  Lines       38181    38181           
  Branches    13922    13922           
=======================================
  Hits        35939    35939           
  Misses       1585     1585           
  Partials      657      657           
Files with missing lines Coverage Δ
src/config/gittensory-repo-focus-manifest.ts 100.00% <ø> (ø)
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@loopover-orb

loopover-orb Bot commented Jul 9, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-10 07:17:44 UTC

3 files · 1 AI reviewer · 2 blockers · readiness 93/100 · CI green · unstable

⏸️ Suggested Action - Manual Review

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.

Review summary
AI review is unavailable for this PR head. Gittensory is holding this PR for manual review until the configured AI provider returns a usable public review summary.

Nits — 1 non-blocking
  • Code changes lack test evidence — Add focused regression tests or explain why existing coverage is sufficient.

Concerns raised — review before merging

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 48 registered-repo PR(s), 40 merged, 334 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 48 PR(s), 334 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 48 PR(s), 334 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@loopover-orb loopover-orb Bot added the manual-review Gittensor contributor context label Jul 9, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
gittensory-ui 994f99f Commit Preview URL

Branch Preview URL
Jul 10 2026, 07:00 AM

@JSONbored

Copy link
Copy Markdown
Owner Author

Closing — this reverts 304e88c (2026-07-09, same day), which fixed a confirmed-live bug: metagraphed PR #4554 had issue #3947 carrying both gittensor:bug and gittensor:priority, but only bug ever propagated, because GitHub silently refuses to assign a contributor lacking push/triage access — and our issues are almost always maintainer-authored for open pickup, rarely formally assigned. Without trustMaintainerAuthoredIssueForReward, the priority reward label can structurally never reach the external contributors it exists to reward.

The farming concern in the new comment (a PR author citing an unrelated open maintainer issue to grab the label) is worth taking seriously, but the maintainer's hand-picking already happened when the issue was labeled gittensor:priority in the first place — that's the same trust boundary bug/feature already use via trustMaintainerAuthoredIssue, just not yet extended to priority until 304e88c. Reverting this also conflicts with the standing policy that registry-enrichment issues are always labeled priority for open pickup — this flag is load-bearing for that to actually reach a contributor.

If there's a real farming vector distinct from bug/feature's existing trust model, that needs a narrower guard (e.g. gate on issue age, or require the PR to reference the issue via a real closing keyword rather than just citing it) — not a blanket revert back to the broken state.

@JSONbored JSONbored closed this Jul 10, 2026
@JSONbored
JSONbored deleted the codex/fix-reward-label-propagation-vulnerability branch July 19, 2026 18:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant