docs: add MUW-formatted review reply for latest PR#26
Open
Fearvox wants to merge 12 commits into
…lack mirror sync

Adds two issue templates under .github/ISSUE_TEMPLATE/ for long-lived, auditable mirrors of in-flight upstream PRs:
- pr_tracker.yml: general PR mirror (scope, evidence, decision log, closure)
- security_tracker.yml: high-priority variant (CWE, severity, reachability, verification, disclosure hygiene)

Both carry a `pr-mirror` label so the Linear evermind-dash project and the Slack #bots channel can subscribe by label. Bilingual EN + Chinese.
…tream

Runs every 6 hours via cron + manual workflow_dispatch.
- Rebases fork main onto upstream/main (preserves fork-only commits like the issue templates)
- Force-pushes with --force-with-lease for safety
- Opens a tracking issue on conflict instead of failing silently

Uses default GITHUB_TOKEN — no PAT needed since we only push to fork.
Triggers on issues.opened and issues.labeled. When pr-mirror label is
present, creates a corresponding Linear issue in the EverMind-Dash
project via Linear GraphQL API. Comments back on GitHub with the
EVE-id link.
Idempotency: skips if a '🔗 Linear:' marker comment already exists.
Priority: 'urgent' label -> Linear urgent (1); otherwise medium (3).
On API failure: applies 'sync-failed' label for triage.
Requires (configured separately):
Secret: LINEAR_API_KEY (Linear Personal API key, lin_api_*)
Vars: LINEAR_TEAM_ID (EverMind team UUID)
LINEAR_PROJECT_ID (EverMind-Dash project UUID)
…nnel Update the disclosure-hygiene checkbox to reference #p-evermind-dash (the actual Slack channel linked to the EverMind-Dash Linear project) instead of the placeholder #bots.
…ents

Two compounding fixes to avoid creating multiple Linear issues from a single GitHub issue creation:
1. concurrency group keyed on issue.number with cancel-in-progress=false serializes runs per issue. Second run will see the first run's comment and skip via existing idempotency check.
2. Tighten 'labeled' event filter to only fire when the added label is pr-mirror itself, not any other label. Eliminates the four extra runs that gh issue create --label A --label B ... triggers (one issues.opened + four issues.labeled = 5 events for a 4-label create).

Reproduction: gh issue create with 4 labels including pr-mirror was firing the workflow 5 times concurrently. Idempotency check has a ~5s race window before the first run posts its bot comment, so 2-3 runs created duplicate Linear issues before the rest skipped. Verified via Issue #4 sync producing both EVE-3 and EVE-4.
Adds the fork overnight patrol workflow, Linear-aware tracking issue creation, and docs guard support for coming-soon use-case placeholders. Verified with local script checks and passing Docs CI.
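The per-run gating the commit messages above describe (fire only when the label involved is `pr-mirror`, skip when a `🔗 Linear:` marker comment already exists, map an `urgent` label to Linear priority 1 and everything else to 3), together with a presence check for the secret and vars the workflow says it requires, written as plain functions so they can be unit-tested outside `actions/github-script`. This is an added example, not the PR's linear-sync.yml script: the event shapes follow the GitHub `issues` webhook payload, and the comment bodies, env values and issue numbers are constructed test data.

```javascript
// Added example, not the PR's linear-sync.yml code. Pure decision logic for
// mirroring a GitHub issue into Linear; the actual GraphQL call and the
// 'sync-failed' labelling on API error are left to the caller.

const MIRROR_LABEL = "pr-mirror";
const MARKER = "🔗 Linear:"; // idempotency marker carried by the bot's comment
const REQUIRED_CONFIG = ["LINEAR_API_KEY", "LINEAR_TEAM_ID", "LINEAR_PROJECT_ID"];

// Names of required secrets/vars that are unset or empty. `${{ secrets.X }}`
// expands to "" in a fork that never configured X, so treat "" like unset.
function missingConfig(env) {
  return REQUIRED_CONFIG.filter((name) => !env[name] || env[name].trim() === "");
}

// Should this event trigger a mirror at all? On `opened` the label may already
// be present (gh issue create --label ...); on `labeled` only the pr-mirror
// label itself counts, so adding other labels does not re-run the sync.
function shouldMirror(event) {
  if (event.action === "opened") {
    return (event.issue.labels || []).some((l) => l.name === MIRROR_LABEL);
  }
  if (event.action === "labeled") {
    return event.label?.name === MIRROR_LABEL;
  }
  return false;
}

// Idempotency: a previous run already posted the marker comment.
function alreadyMirrored(comments) {
  return comments.some((c) => typeof c.body === "string" && c.body.includes(MARKER));
}

// 'urgent' label -> Linear urgent (1); otherwise medium (3).
function linearPriority(issue) {
  return (issue.labels || []).some((l) => l.name === "urgent") ? 1 : 3;
}

// Full decision for one run: { action: "skip", reason } or { action: "create", priority }.
function decide(event, comments, env) {
  const missing = missingConfig(env);
  if (missing.length) return { action: "skip", reason: `missing config: ${missing.join(", ")}` };
  if (!shouldMirror(event)) return { action: "skip", reason: "not a pr-mirror event" };
  if (alreadyMirrored(comments)) return { action: "skip", reason: "marker comment exists" };
  return { action: "create", priority: linearPriority(event.issue) };
}

// Constructed sample payloads (not captured from the repository).
const SAMPLE_ENV = {
  LINEAR_API_KEY: "lin_api_example",
  LINEAR_TEAM_ID: "00000000-team-uuid",
  LINEAR_PROJECT_ID: "00000000-project-uuid",
};
const SAMPLE_OPENED = {
  action: "opened",
  issue: { number: 4, labels: [{ name: "pr-mirror" }, { name: "urgent" }] },
};
const SAMPLE_LABELED_OTHER = {
  action: "labeled",
  label: { name: "security" },
  issue: { number: 4, labels: [{ name: "pr-mirror" }, { name: "security" }] },
};
const SAMPLE_LABELED_MIRROR = {
  action: "labeled",
  label: { name: "pr-mirror" },
  issue: { number: 5, labels: [{ name: "pr-mirror" }] },
};
```

The per-issue serialization from the commit message (a `concurrency` group keyed on the issue number with `cancel-in-progress: false`) is workflow YAML and is not reproduced here; `decide()` covers only the checks each serialized run performs once it starts, which is why the marker lookup must happen inside the run rather than before it.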
Pull request overview
VERDICT: BLOCK
VERDICT_SUMMARY: Adds a MUW review lane reply plus multiple new automation workflows/scripts, but introduces unsafe-by-default behaviors (force-push workflow without guards; Linear sync without missing-secret guard) and the included MUW reply contains incorrect evidence about the repo target. Next action: tighten workflow/script safeguards and correct the MUW reply so it matches this repo’s actual configuration/scope.
EVIDENCE:
- Critical: .github/workflows/sync-upstream.yml (lines 12-49) scheduled rebase + force-push of main has no explicit repo/branch guard.
- Moderate: .github/workflows/linear-sync.yml (lines 22-28, 69-75) calls Linear API without checking required secrets/vars exist, leading to noisy failures/labels.
- Moderate: .github/scripts/muw-review-lane.mjs (line 8) hard-coded DEFAULT_REPO risks posting/collecting against the wrong repo when --repo is omitted.
- Moderate: .github/scripts/muw-review-lane.mjs (lines 76-81) truncate() enforces a “byte” limit using character slicing, which can exceed limits for non-ASCII.
- Moderate: .github/MUW_REVIEW_REPLY.md (lines 5-9) claims DEFAULT_REPO is wrong because the repo remote is EverMind-AI/EverOS, but other PR changes clearly target Fearvox/EverOS.
This PR adds documentation and automation to support MUW-formatted reviews and fork maintenance (overnight watch, upstream sync, and Linear mirroring), but the PR metadata frames it as a docs-only change while introducing several operational workflows/scripts.
Changes:
- Add MUW “review lane” tooling and a ready-to-post MUW review reply document.
- Introduce fork automation workflows (overnight watch, upstream sync, Linear sync) plus tracker issue templates.
- Adjust the docs workflow’s banner-link validation to skip “Coming soon” entries without a primary link.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| docs/fork-playground/overnight-watch.md | Documents the fork overnight-watch patrol behavior and manual invocation. |
| AGENTS.md | Adds reviewer-agent guidelines and points to Copilot instructions. |
| .github/workflows/sync-upstream.yml | Scheduled/manual upstream sync via rebase + force-push to fork main. |
| .github/workflows/overnight-watch.yml | Scheduled/manual overnight watch runner wiring for the fork. |
| .github/workflows/linear-sync.yml | Mirrors pr-mirror issues into Linear with an idempotency marker. |
| .github/workflows/docs.yml | Tweaks validation to allow “Coming soon” cells without primary links. |
| .github/scripts/overnight-watch.mjs | Implements drift/workflow/PR monitoring and optional issue + Linear mirroring. |
| .github/scripts/muw-review-lane.mjs | Collects PR evidence/prompt bundle and posts MUW verdict comments with markers. |
| .github/MUW_REVIEW_REPLY.md | Adds a MUW-formatted review reply template/content for the “latest PR”. |
| .github/MUW_REVIEW_LANE.md | Documents how to use the MUW review lane scripts. |
| .github/ISSUE_TEMPLATE/security_tracker.yml | Adds a security tracker issue template (with escalation fields). |
| .github/ISSUE_TEMPLATE/pr_tracker.yml | Adds a PR tracker issue template for mirroring/triage. |
| .github/copilot-instructions.md | Defines MUW review-contract instructions for review agents. |
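The `truncate()` finding in the review's EVIDENCE list (a "byte" limit enforced by string slicing) shown with a byte-correct version beside the original shape, as an added example that is not the PR's muw-review-lane.mjs. The `redact()` step is omitted, the inputs are constructed, and `keptBytes()` is a helper added only to measure the payload that precedes the suffix.

```javascript
// Added example, not the PR's muw-review-lane.mjs. A truncate() that honours a
// UTF-8 byte budget. String.prototype.slice counts UTF-16 code units, so the
// original overshoots the limit for non-ASCII text and can split a surrogate
// pair; this version cuts the Buffer instead and backs off to a sequence boundary.

// Move `end` back until the byte at `end` is not a UTF-8 continuation byte
// (10xxxxxx), so the kept prefix decodes cleanly.
function utf8Boundary(buf, end) {
  while (end > 0 && end < buf.length && (buf[end] & 0xc0) === 0x80) end--;
  return end;
}

function truncateBytes(text, maxBytes) {
  const buf = Buffer.from(text, "utf8");
  if (buf.length <= maxBytes) return text;
  const end = utf8Boundary(buf, maxBytes);
  const kept = buf.subarray(0, end).toString("utf8");
  // Report what was actually dropped, not maxBytes-based arithmetic.
  return `${kept}\n\n[TRUNCATED: ${buf.length - end} bytes omitted]`;
}

// Same shape as the original (string-index slicing), kept for comparison.
function truncateNaive(text, maxBytes) {
  const bytes = Buffer.byteLength(text, "utf8");
  if (bytes <= maxBytes) return text;
  return `${text.slice(0, maxBytes)}\n\n[TRUNCATED: ${bytes - maxBytes} bytes omitted]`;
}

// Bytes of payload kept before the "[TRUNCATED: ...]" suffix, for checking the budget.
function keptBytes(result) {
  const idx = result.lastIndexOf("\n\n[TRUNCATED:");
  return Buffer.byteLength(idx === -1 ? result : result.slice(0, idx), "utf8");
}

// Constructed inputs: ASCII (1 byte/char), CJK (3 bytes/char, 1 UTF-16 unit),
// and an emoji (4 bytes/char, 2 UTF-16 units, i.e. a surrogate pair).
const ASCII = "a".repeat(50);
const CJK = "中".repeat(20);   // 20 units, 60 bytes
const EMOJI = "🔗".repeat(10); // 20 units, 40 bytes
```

With a 32-byte budget the naive version keeps all 60 bytes of `CJK` because the string is only 20 units long; the byte-aware version keeps exactly 10 characters (30 bytes) and reports 30 bytes omitted. The suffix itself is appended after the cut, so callers that need a hard cap should reserve room for it in `maxBytes`.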
Comment on lines +5 to +9
| 1) Severity: High | ||
| - File/path: `.github/scripts/muw-review-lane.mjs` | ||
| - Evidence: `DEFAULT_REPO` is set to `Fearvox/EverOS` even though this repository remote is `EverMind-AI/EverOS`. | ||
| - Why it matters: Running the script without `--repo` can collect/post to the wrong project, creating data leakage risk and invalid review artifacts. | ||
| - Fix guidance: Change default to `EverMind-AI/EverOS` (or require explicit `--repo`) and add a guard that confirms current git remote matches the target repo before posting. |
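Review bot: the Evidence line states that the repository remote is `EverMind-AI/EverOS`, but within this same PR `sync-upstream.yml` adds `EverMind-AI/EverOS` as the `upstream` remote and pushes to `origin main`, and the PR header shows the author as Fearvox, so the fork is the intended write target and the "Fix guidance" to change the default to `EverMind-AI/EverOS` would point the script at upstream instead. State which remote was inspected (the output of `git remote -v` would do) and, if the fork is the target, narrow the finding to "require an explicit `--repo` and verify it matches the checked-out remote before posting" rather than swapping the default.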
Comment on lines +1 to +3
| VERDICT: FLAG | ||
| VERDICT_SUMMARY: The PR adds a comprehensive MUW review lane, tracker templates, and automation wiring, but one default target points to the wrong repository and makes the core script unsafe by default. Workflow-level verification evidence is not attached in this branch, so rollout should be held until that default is corrected and one end-to-end dry run is captured. | ||
| EVIDENCE: |
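Review bot: VERDICT_SUMMARY makes the rollout hold depend on "one end-to-end dry run is captured", yet the EVIDENCE header that follows introduces no item saying where that dry-run artifact should live or which command produces it, so the hold condition cannot be checked off. Add an evidence item with the expected path or command, and keep the FLAG verdict consistent with the single DEFAULT_REPO finding it rests on.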
Comment on lines +8 to +10
| const DEFAULT_REPO = process.env.GH_REPO || "Fearvox/EverOS"; | ||
| const DEFAULT_PATCH_BYTES = 120_000; | ||
| const MARKER = "muw-review-lane:v1"; |
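Review bot: `process.env.GH_REPO || "Fearvox/EverOS"` fails open: in any checkout where neither `GH_REPO` nor `--repo` is supplied, evidence is collected from and verdict comments are posted to the hard-coded fork. Prefer failing fast when no repository is given, or derive the default from `git remote get-url origin` and refuse to post when it disagrees with the target. `DEFAULT_PATCH_BYTES = 120_000` is the budget `truncate()` is expected to enforce, so that function must count bytes rather than characters for the constant to mean what its name says.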
Comment on lines +76 to +81
| function truncate(value, maxBytes) { | ||
| const text = redact(value); | ||
| const bytes = Buffer.byteLength(text, "utf8"); | ||
| if (bytes <= maxBytes) return text; | ||
| return `${text.slice(0, maxBytes)}\n\n[TRUNCATED: ${bytes - maxBytes} bytes omitted]`; | ||
| } |
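Review bot: `text.slice(0, maxBytes)` slices UTF-16 code units, not bytes, so once `bytes > maxBytes` the returned prefix can still exceed `maxBytes` for non-ASCII text and can end on the first half of a surrogate pair; the `${bytes - maxBytes} bytes omitted` figure is likewise only right for ASCII. Cut the `Buffer` instead (`Buffer.from(text, "utf8").subarray(0, maxBytes)`), back off to a byte that is not a UTF-8 continuation byte before calling `toString("utf8")`, and report `bytes` minus the bytes actually kept. The `[TRUNCATED: …]` suffix is appended after the cut, so the final string still exceeds the budget by the suffix length.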
Comment on lines +22 to +28
| - name: Mirror GitHub issue to Linear | ||
| uses: actions/github-script@v7 | ||
| env: | ||
| LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }} | ||
| LINEAR_TEAM_ID: ${{ vars.LINEAR_TEAM_ID }} | ||
| LINEAR_PROJECT_ID: ${{ vars.LINEAR_PROJECT_ID }} | ||
| with: |
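Review bot: the step hands `LINEAR_API_KEY`, `LINEAR_TEAM_ID` and `LINEAR_PROJECT_ID` to `github-script` with no presence check; in a fork where the secret or vars are not configured they expand to empty strings, the GraphQL call fails, and per the commit message above every `pr-mirror` issue then gets the `sync-failed` label. Add a preceding `run:` step that tests `[ -n "$LINEAR_API_KEY" ]` (and the two vars) and exits with a clear message, or put an `if:` condition on the job. Separately, `actions/github-script@v7` is pinned by a mutable tag; pin it to a full commit SHA if this workflow is going to hold a Linear API key.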
Comment on lines +12 to +49
| jobs: | ||
| sync: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Configure git | ||
| run: | | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | ||
|
|
||
| - name: Add upstream remote | ||
| run: git remote add upstream https://github.com/EverMind-AI/EverOS.git | ||
|
|
||
| - name: Fetch upstream | ||
| run: git fetch upstream | ||
|
|
||
| - name: Rebase fork main onto upstream/main | ||
| id: rebase | ||
| run: | | ||
| git checkout main | ||
| set +e | ||
| git rebase upstream/main | ||
| rc=$? | ||
| if [ $rc -ne 0 ]; then | ||
| git rebase --abort | ||
| echo "conflict=true" >> "$GITHUB_OUTPUT" | ||
| exit $rc | ||
| fi | ||
| echo "conflict=false" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Push to fork main | ||
| if: steps.rebase.outputs.conflict == 'false' | ||
| run: git push origin main --force-with-lease | ||
|
|
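Review bot: the job rebases and force-pushes `main` on a schedule with no `if: github.repository == '<fork>'` guard, so any fork of this repository, or upstream itself if this file is ever merged there, inherits a cron that rewrites its `main`; gate the job on the intended repository and branch. `--force-with-lease` does protect against a push that lands between checkout and push (the lease is `origin/main` as fetched by `actions/checkout`, and the later `git fetch upstream` does not refresh it), but every successful run still rewrites the history of the fork-only commits, so open PRs and local clones based on fork `main` must be rebased each time. On conflict the step runs `git rebase --abort` and `exit $rc`, which fails the job; no step in this hunk opens the tracking issue the commit message promises, so confirm that step exists later in the file or the conflict surfaces only as a red run. Pushing with `GITHUB_TOKEN` also needs `permissions: contents: write` on the job, which is not in the lines shown.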
Motivation
Description
.github/MUW_REVIEW_REPLY.md, a reviewer-ready MUW reply containing VERDICT, VERDICT_SUMMARY, and EVIDENCE that lists the issues, impact, and fix guidance for the PR under review.
Testing
git status --short, git rev-parse --abbrev-ref HEAD, git log --oneline --decorate --max-count=5, git diff --stat upstream/main...HEAD, and nl -ba .github/MUW_REVIEW_REPLY.md | sed -n '1,200p', all of which completed successfully.
Codex Task