
fix: exclude official orgs from publisher abuse#2527

Merged
Patrick-Erichsen merged 2 commits into
mainfrom
pe/exclude-official-orgs-publisher-abuse
Jun 5, 2026

Conversation

@Patrick-Erichsen

Collaborator

Summary

  • Exclude official org publishers from publisher-abuse collection, finalization, dashboard/detail state, and stale ban actions.
  • Keep the UI derived from filtered backend dashboard/detail state, with shared backend exclusion helpers and an official-row policy lookup for stale/inactive official orgs.
  • Adjust finalization cohort stats for stale official score rows and add regression coverage plus spec updates for the intended behavior.

Autoreview

  • Ran codex review --uncommitted; accepted and fixed two P2 findings:
    • stale official score rows could still affect cohort mean/stddev
    • inactive official org rows could fail open through active-only official checks
  • Final codex review --uncommitted pass exited 0 with no accepted/actionable findings reported.

Tests

  • bunx vitest run convex/publisherAbuse.test.ts convex/lib/officialPublishers.test.ts
  • bun run format:check -- convex/lib/officialPublishers.ts convex/lib/officialPublishers.test.ts convex/schema.ts convex/publisherAbuse.ts convex/publisherAbuse.test.ts specs/official-publishers.md specs/security-moderation.md && git diff --check
  • bunx tsc --noEmit --pretty false
  • bun run ci:static
  • bun run ci:unit
  • bunx tsc --noEmit --pretty false && bunx tsc -p convex/tsconfig.json --noEmit --pretty false

@Patrick-Erichsen Patrick-Erichsen requested a review from a team as a code owner June 5, 2026 22:45
@vercel

vercel Bot commented Jun 5, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: clawhub | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 5, 2026 10:55pm

@clawsweeper

clawsweeper Bot commented Jun 5, 2026

Contributor

Codex review: needs maintainer review before merge. Reviewed June 5, 2026, 6:52 PM ET / 22:52 UTC.

Summary
The branch excludes official org publishers from publisher-abuse scoring, finalization, dashboard/detail visibility, and stale ban actions, adding an official-row helper, a score index, regression tests, and spec notes.

Reproducibility: yes. Source inspection of current main shows publisher-abuse collection scores every active publisher and direct ban handling lacks an official-row guard; I did not execute tests because this review is read-only.

Review metrics: 3 noteworthy metrics.

  • Diff Size: 7 files, +801/-29. The code change is moderate, but most growth is regression tests around the moderation edge cases.
  • Convex Schema: 1 index added. The new by_run_and_owner_key index matters for deploy/index readiness and finalization query behavior.
  • Official-Org Regression Cases: 4 cases added. Tests now exercise collection, stale score finalization, dashboard/detail hiding, and ban blocking for official org publishers.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Resolve the dirty merge state or rebase onto current main.
  • [P2] Confirm maintainer acceptance of the official-org publisher-abuse exemption before merge.

Risk before merge

  • [P1] GitHub reports mergeable_state: dirty, so the branch needs conflict resolution or a rebase before it can merge.
  • [P1] The change intentionally removes official org publishers from the publisher-abuse review/enforcement path; if official status is misapplied or an official org is compromised, this signal will no longer catch that publisher.

Maintainer options:

  1. Accept Official-Org Exemption
    If maintainers agree official org publishers should be outside this abuse signal, resolve the dirty merge state and land the backend-enforced exclusion with the included tests.
  2. Add A Compensating Review Path
    If maintainers still want official-org abuse visibility, keep this exclusion but add or document a separate staff review path for compromised or misconfigured official orgs before merge.
  3. Pause For Policy Review
    If the official-org exemption is not settled, pause this PR until the moderation policy is approved or narrowed.

Next step before merge

  • [P2] Maintainer handling is needed because the PR is collaborator-authored, currently dirty, and changes moderation policy rather than presenting a narrow automation repair.

Security
Cleared: No supply-chain or secret-handling changes were found; the moderation-policy exemption is backend-enforced against admin-managed official publisher rows and is tracked as merge risk rather than a concrete security defect.

Review details

Best possible solution:

Resolve the dirty merge state, have maintainers explicitly accept the official-org moderation exemption, then land the backend-enforced exclusion with the regression tests and spec notes intact.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection of current main shows publisher-abuse collection scores every active publisher and direct ban handling lacks an official-row guard; I did not execute tests because this review is read-only.

Is this the best way to solve the issue?

Yes, if maintainers accept the policy. The implementation is narrow and backend-enforced across collection, finalization, dashboard/detail, and action paths, but the PR still needs conflict resolution before merge.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 94ded18decd0.

Label changes

Label changes:

  • add P2: This is a bounded moderation correctness improvement with regression coverage, not an emergency runtime outage.
  • add merge-risk: 🚨 other: Merging intentionally changes abuse-enforcement policy for official org publishers, which requires maintainer acceptance beyond green tests.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The external contributor proof gate is not applicable because this is collaborator-authored; the PR body lists targeted tests and CI commands instead of live runtime proof.

Label justifications:

  • P2: This is a bounded moderation correctness improvement with regression coverage, not an emergency runtime outage.
  • merge-risk: 🚨 other: Merging intentionally changes abuse-enforcement policy for official org publishers, which requires maintainer acceptance beyond green tests.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The external contributor proof gate is not applicable because this is collaborator-authored; the PR body lists targeted tests and CI commands instead of live runtime proof.

Evidence reviewed

What I checked:

  • Live PR state: GitHub API reports the PR is open, unmerged, authored by a collaborator, head 604e8c4, base 94ded18, and mergeable_state is dirty. (604e8c4e8393)
  • Collection and finalization exclusion: The PR skips official org publishers during collection, recomputes finalization cohort stats without excluded official score rows, skips excluded scores while ranking/nominating, and preserves ranks for non-excluded scores. (convex/publisherAbuse.ts:397, 604e8c4e8393)
  • Backend exclusion helpers: The PR centralizes official-org exclusion through hasOfficialPublisherRow, uses it for stale/inactive official rows, and blocks direct ban actions for excluded nominations. (convex/publisherAbuse.ts:718, 604e8c4e8393)
  • Dashboard/detail filtering: The PR filters official-org publisher abuse review items from score-rank, last-scored, recent-resolved, and detail paths through the backend visibility check. (convex/publisherAbuse.ts:1122, 604e8c4e8393)
  • Regression coverage: Regression tests cover direct ban rejection for official org nominations, dashboard/detail hiding, collection exclusion, and stale official score-row finalization behavior. (convex/publisherAbuse.test.ts:508, 604e8c4e8393)
  • Spec intent updated: The PR records the intended policy that official org publishers are excluded from bulk publisher-abuse scoring, nomination queues, and stale nomination actions. (specs/official-publishers.md:25, 604e8c4e8393)

Likely related people:

  • Patrick-Erichsen: Current main blame attributes the official publisher helper/schema and release-root copy of publisher-abuse code to Patrick Erichsen, and commit 94ded18 recently touched org deletion/schema behavior adjacent to official publisher state. (role: recent adjacent contributor; confidence: high; commits: 8e3858a31da8, 94ded18decd0; files: convex/lib/officialPublishers.ts, convex/schema.ts, specs/official-publishers.md)
  • Jesse Merhi: Git history shows Jesse Merhi authored the publisher abuse dry-run and dashboard commits that introduced the central scoring/review surface this PR changes. (role: feature history owner; confidence: medium; commits: 8a2c0c06fd17, 3fbe27560e4c; files: convex/publisherAbuse.ts, convex/publisherAbuse.test.ts, convex/schema.ts)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 other 🚨 Merging this PR has meaningful risk outside the owned taxonomy. labels Jun 5, 2026
…rgs-publisher-abuse

# Conflicts:
#	specs/security-moderation.md
@Patrick-Erichsen Patrick-Erichsen merged commit 9cbf982 into main Jun 5, 2026
21 of 22 checks passed
@Patrick-Erichsen Patrick-Erichsen deleted the pe/exclude-official-orgs-publisher-abuse branch June 5, 2026 22:59