Skip to content

feat(commands): wire @gittensory explain to echo a review finding rationale (#2169)#4052

Merged
gittensory-orb[bot] merged 1 commit into
JSONbored:mainfrom
real-venus:feat/gittensory-explain-command
Jul 7, 2026
Merged

feat(commands): wire @gittensory explain to echo a review finding rationale (#2169)#4052
gittensory-orb[bot] merged 1 commit into
JSONbored:mainfrom
real-venus:feat/gittensory-explain-command

Conversation

@real-venus

Copy link
Copy Markdown
Contributor

Summary

Wires @gittensory explain <finding> so a contributor or maintainer can ask for more detail on a specific posted review finding. The explain verb was already registered as an argument-taking command (src/github/commands.ts) and documented in the command reference, but had no dispatch handler — this adds maybeProcessExplainCommand.

It mirrors the existing resolve command's lookup — classifyPrCommandRequestauthorizePrActionActornormalizeResolveFindingRefselectWarningsForResolve over the PR's current advisory — but instead of mutating anything it echoes the finding's already-generated, public-safe rationale via sanitizePublicComment. Per the issue's contributor scope it runs no model (echo only) and mutates nothing, so — like the read-only configuration command — it posts regardless of the agent action mode. A specific finding must be named: an absent argument (which normalizeResolveFindingRef reads as whole_pr) is a skip, not "explain everything"; an unknown id gets a public-safe not-found note rather than a silent no-op. Every disposition records a github_app.finding_explained / _denied / _skipped audit event.

Closes #2169. Part of #1960.

Scope

  • The PR title follows type(scope): short summary Conventional Commit format.
  • This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes. (One backend handler + its tests.)
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • I linked a currently open issue this PR resolves (Closes #2169).

Validation

  • git diff --check — clean.
  • npm run typecheck — clean.
  • npm run test:coverage locally (full, unsharded) — no logic failures; codecov/patch predicted 100% of the changed lines AND branches (46/46 changed src/** statements + both sides of the finding.action conditional). The only failing suites locally are the known Windows spawn claude/codex/docker ENOENT env families, which pass on Linux CI.
  • New behavior has unit tests for every branch: known-id echo, deterministic-finding echo with a suggested action, unknown-id not-found note, missing-argument skip, malformed-id skip, unauthorized deny, bot-authored classifier skip, cached-PR-missing skip, and non-command decline.

If any required check was skipped, explain why:

  • test:workers / build:mcp / test:mcp-pack / ui:* / actionlint / npm audit were not run locally — this change is a self-contained backend queue-processor handler that touches no worker entrypoint, MCP package, UI, GitHub workflow, or dependency, so none of those surfaces are affected; CI covers them.

Safety

  • No secrets, wallet details, hotkeys, coldkeys, PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed — the echoed rationale is passed through sanitizePublicComment, the same public-safe filter every other command comment uses.
  • Public GitHub text stays sanitized and low-noise; the reply is a single > [!NOTE] card with the finding's stored title/detail/action.
  • No auth/cookie/CORS/GitHub App/session change beyond the standard command authorization (evaluateCommandAuthorization("explain") over the real repo permission); the unauthorized path has a negative-path test.
  • No API/OpenAPI/MCP surface change.
  • No UI change.
  • No docs/changelog change needed (the command reference already documents explain).

UI Evidence

N/A — backend-only change (no visible UI, frontend, docs, or extension surface).

Notes

…ationale (JSONbored#2169)

Add maybeProcessExplainCommand so a contributor/maintainer can ask for more
detail on a specific posted review finding. Mirrors the `resolve` command's
classify -> authorize -> normalizeResolveFindingRef -> selectWarningsForResolve
lookup over the PR's current advisory, but instead of mutating it echoes the
finding's already-generated, public-safe rationale via sanitizePublicComment.

It runs no model (echo only, per JSONbored#2169's contributor scope) and mutates nothing,
so — like the read-only `configuration` command — it posts regardless of the
agent action mode. A specific finding must be named: an absent argument (which
normalizeResolveFindingRef reads as whole_pr) is a skip, not "explain everything";
an unknown id gets a public-safe not-found note rather than a silent no-op. Every
disposition records a github_app.finding_explained[_denied|_skipped] audit event.

Part of JSONbored#1960.
@real-venus real-venus requested a review from JSONbored as a code owner July 7, 2026 14:59
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@gittensory-orb gittensory-orb Bot added the gittensor:feature Gittensor-scored feature linked to a feature issue — scores a 1.25x multiplier. label Jul 7, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 7, 2026

Copy link
Copy Markdown

Tip

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review result - approve/merge recommended

Review updated: 2026-07-07 15:10:05 UTC

2 files · 1 AI reviewer · no blockers · readiness 100/100 · CI green · clean

✅ Suggested Action - Approve/Merge

  • safe to merge

Review summary
Adds maybeProcessExplainCommand, a read-only dispatch handler for `@​gittensory explain <finding>` that mirrors the existing resolve command's lookup chain (classifyPrCommandRequest → authorizePrActionActor → normalizeResolveFindingRef → selectWarningsForResolve) but only echoes an already-generated finding's public-safe rationale via sanitizePublicComment instead of mutating state. The control flow correctly distinguishes a missing argument (skip, not 'explain everything') from an unknown finding id (public not-found note), and every disposition is audited. Test coverage is thorough — authorized echo, action-bearing finding, not-found, missing/malformed argument, denial, bot-author skip, missing cached PR, and non-claiming of unrelated comments are all exercised against the real dispatch path in processGitHubWebhook.

Nits — 5 non-blocking
  • src/queue/processors.ts: the `finding.publicText ?? finding.detail` nullish-coalesce only has its `detail`-fallback arm exercised by the new tests (both seeded findings omit `publicText`) — add one case with `publicText` set so both arms of that branch are covered.
  • src/queue/processors.ts:10704 reuses `selectWarningsForResolve` (a resolve-named helper) for the explain path; consider a neutral name like `selectWarningsForRef` since it's now shared by a non-mutating command too.
  • The doc comment at src/queue/processors.ts:10669 embeds the issue number (2169) inline — harmless as a comment reference, not a real magic-number/constant concern in the executed code.
  • test/unit/queue.test.ts secret-scanner hits (lines ~23340-23496) are `GITHUB_APP_PRIVATE_KEY: await generatePrivateKeyPem()` test fixtures, not real leaked credentials — false positive, no action needed.
  • Add a test where the finding carries `publicText` distinct from `detail` to lock in that the public-safe text (not internal detail) is what gets echoed, since that's the whole point of using `publicText` over `detail`.
Signal Result Evidence
Code review ✅ No blockers 1 reviewer
Linked issue ✅ Linked #2169
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (1 linked issue).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 113 registered-repo PR(s), 67 merged, 0 issue(s).
Contributor context ✅ Confirmed Gittensor contributor real-venus; Gittensor profile; 113 PR(s), 0 issue(s).
Gate result ✅ Passing No configured blocker found.
Review context
  • Author: real-venus
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: TypeScript, JavaScript, MDX, Rust, Svelte, Swift
  • Official Gittensor activity: 113 PR(s), 0 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Keep the PR focused and include validation evidence before maintainer review.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.58%. Comparing base (1dc6e0a) to head (1b34dff).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4052   +/-   ##
=======================================
  Coverage   93.57%   93.58%           
=======================================
  Files         378      378           
  Lines       35487    35532   +45     
  Branches    13017    13028   +11     
=======================================
+ Hits        33207    33252   +45     
  Misses       1618     1618           
  Partials      662      662           
Files with missing lines Coverage Δ
src/queue/processors.ts 94.95% <100.00%> (+0.07%) ⬆️
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gittensory approves — the gate is satisfied and CI is green.

@gittensory-orb gittensory-orb Bot merged commit 0979321 into JSONbored:main Jul 7, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:feature Gittensor-scored feature linked to a feature issue — scores a 1.25x multiplier.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(commands): @gittensory explain <finding> command — parse + classify + echo a finding's rationale (dispatch scaffold)

1 participant