PLEASE STOP MERGING TO MAIN until proper CI, security checks and developer workflows are in place

[Michiel-VandeVelde]

I think we need to pause and address the current developer workflow before this gets alot worse.

i know this has been said alot of times in different issues, but this is so vital for the maintainability and security of this project. so writing this in the hopes @pewdiepie-archdaemon sees this..

Alot of AI-generated, low-quality PRs are being pushed or merged to main with very little real review. The project has hundreds of open PRs, and code is landing in main without much checks if it is in any way correct, safe, or maintainable.

This is so dangerous, Even if the intention is good, merging code without proper checks can introduces a constant stream of broken functionality, security issues, dependency problem etc but mostly changes that nobody fully understands!

At minimum, main should be protected and changes should only land through PRs that pass a real baseline:

• Required CI before merge
• Tests that must pass
• Formatting and lint checks
• A PR template requiring contributors to explain what changed, why it changed, and how it was tested
• Extra review for anything touching security by someone who knows what they are actually talking about

THIS IS A MINIMUM!

AI-generated code should not be banned outright per se, but it should not be merged unless the contributor can explain it, test it, and maintain it. Otherwise, it just becomes slop that adds risk, bloat... and creates more work for the people actually trying to keep the project stable and maintainable.

Right now the workflow is not feel safe enough for the amount of code being pushed.
I would not advice anyone to run this on baremetal.

[Michiel-VandeVelde]

there are alot of experienced developers wanting to help @pewdiepie-archdaemon , but please sort these things out first, have people in a call who can actually help with the process going further, let them make important issues that need to be addressed first The developer workflow, setting up CI/CD pipeliens.. and how this project can improve its maintainability and qode quality

[pewdiepie-archdaemon]

Hey everyone,

You're right, and thanks for saying it directly.

Quick context on the fast pace: when Odysseus went public a couple of days ago, the PR queue was already pointing at a bunch of real bugs that only became visible once people started running it — multi-user RAG collisions, memory-audit data loss, CalDAV write-back silently failing, a token-blocklist gap. Pushing through those quickly meant they got fixed before they hit anyone. That phase is mostly done.

The harder part is what you're seeing in the queue right now: hundreds of agent-generated PRs from LLM coding bots, most well-meant but without anyone actually running the app, matching the project's visual style, or thinking carefully about whether the change fits. I'm not a developer by trade, but even I can tell when a 1000-line PR was bundled together without a clear "why" or a test. Continuing to merge that volume into main was a mistake — you called it correctly.

What's changing, starting today:

• PRs target dev, not main. main is curated and tested. dev is staging.
• Visual changes require a screenshot of the change in the running app, plus an explicit "I ran it" checkbox in the PR template.
• Issue-first for tooling, CI, and major features — so we align on direction before someone writes 2000 lines.
• Triage role for trusted helpers so the slop queue can be cleaned by people who care about the project, without handing out merge access to main.

Slowing the merge cadence isn't slowing down on the project — it's the opposite. It's making room for real developers who want to contribute substantive, thoughtful work to actually be heard. There are a few of you in this thread already, and I genuinely appreciate every one of you who pushed back on the pattern.

Last thing: Odysseus is fundamentally a fun project I built for myself. Local-first, self-hosted, made with the assumption that I might be one of like five people who'd ever run it. The fact that there's a community here is wonderful and I want to keep it that way — slow, careful, low-ego, fun.

— Felix

[CoolJohn-lab]

This is why I am fully committed to this project. I knew you’d be chill about this sort of stuff. Nice one.

[Michiel-VandeVelde]

Hey @pewdiepie-archdaemon , could you maybe share this as an announcement in Discussions?

There have been a lot of duplicate issues, questions, and concerns around the current workflow. Having your update in Announcements would make it easier for people to find and hopefully reduce some of the repeated threads from people who missed it :)

[Gaudenz77]

I think we need to pause and address the current developer workflow before this gets alot worse.

i know this has been said alot of times in different issues, but this is so vital for the maintainability and security of this project. so writing this in the hopes @pewdiepie-archdaemon sees this..

Alot of AI-generated, low-quality PRs are being pushed or merged to main with very little real review. The project has hundreds of open PRs, and code is landing in main without much checks if it is in any way correct, safe, or maintainable.

This is so dangerous, Even if the intention is good, merging code without proper checks can introduces a constant stream of broken functionality, security issues, dependency problem etc but mostly changes that nobody fully understands!

At minimum, main should be protected and changes should only land through PRs that pass a real baseline:

• Required CI before merge
• Tests that must pass
• Formatting and lint checks
• A PR template requiring contributors to explain what changed, why it changed, and how it was tested
• Extra review for anything touching security by someone who knows what they are actually talking about

THIS IS A MINIMUM!

AI-generated code should not be banned outright per se, but it should not be merged unless the contributor can explain it, test it, and maintain it. Otherwise, it just becomes slop that adds risk, bloat... and creates more work for the people actually trying to keep the project stable and maintainable.

Right now the workflow is not feel safe enough for the amount of code being pushed.
I would not advice anyone to run this on baremetal.

explain it, test it, and maintain it. Thank for this minimal but highly critical input.