Fix PR status routing for security owner review

[brokemac79]

Summary

Fixes #263.

This changes PR status label routing so securityReview.status: needs_attention is not always treated as contributor-facing work.

When the durable review has:

• sufficient/override/not-applicable proof,
• a correct patch,
• no P0-P2 review findings, and
• a recommended merge-risk option of accept_risk,

ClawSweeper now routes the PR to the existing status: 👀 ready for maintainer look label instead of status: ⏳ waiting on author.

Security reviews that recommend fix_before_merge, or security reviews with no structured recommended accept_risk option, still route as unresolved contributor work. That preserves the safer default for real author-remediable security defects.

Validation

• pnpm run build:all
• node --test --test-name-pattern "ClawSweeper PR status" test/clawsweeper.test.ts
• pnpm exec oxfmt --check src/clawsweeper.ts test/clawsweeper.test.ts
• pnpm run check:active-surface
• pnpm run check:limits
• pnpm run lint:src
• pnpm run lint:scripts

I also attempted the full node --test test/clawsweeper.test.ts locally, but this Windows desktop environment hits unrelated existing subprocess assumptions around Codex proof checks and /usr/bin/git. The focused status-label tests pass after build:all.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 6, 2026, 1:01 AM ET / 05:01 UTC.

Summary
The PR changes ClawSweeper PR status routing so security reviews marked needs_attention can route to ready for maintainer look when the recommended merge-risk option is accept_risk, and adds focused status-label tests.

Reproducibility: yes. from source inspection: current main's hasUnresolvedContributorWork treats every securityReview.status === needs_attention as unresolved contributor work, and prStatusLabelKind maps that to waiting_on_author before ready_for_maintainer_look.

Review metrics: 2 noteworthy metrics.

• Patch surface: 2 files changed, 63 additions, 2 deletions. The change is small, but it touches live ClawSweeper status-label automation.
• Routing cases added: 3 cases covered. The test codifies accept_risk, fix_before_merge, and ambiguous security-review behavior before merge.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted live output or a terminal screenshot/log showing a real or dry-run ClawSweeper status-label sync changing the security-owner acceptance case to ready for maintainer look.

Proof guidance:

• [P1] Needs real behavior proof before merge: Only build, lint, and focused test validation is described; add redacted terminal output, copied live output, or a screenshot/log from a real or dry-run status-label sync, then update the PR body to trigger re-review or ask a maintainer to comment @clawsweeper re-review.

Risk before merge

• [P1] This PR changes status-label automation; without real or dry-run label-sync proof, the markdown parsing plus apply-side label path has not been demonstrated after the fix.
• [P1] The PR body reports focused tests and checks, but external PR review still needs contributor-provided real behavior proof before merge.

Maintainer options:

1. Prove the label-sync path (recommended)
   Before merge, the contributor should add redacted terminal output, copied live output, or a screenshot/log showing a real or dry-run ClawSweeper status-label sync for the security-owner acceptance case.
2. Accept focused test-only evidence
   A maintainer could intentionally accept the automation risk based on the narrow diff and focused tests, but that would waive the normal external PR real-behavior proof gate.

Next step before merge

• [P1] The remaining blocker is contributor-provided real behavior proof, not a code repair ClawSweeper can make on the branch.

Security
Cleared: The diff changes internal status-label routing and focused tests only; no new secret handling, dependency, workflow, permission, or supply-chain concern was found.

Review details

Best possible solution:

Land the focused routing fix after the contributor adds redacted live or dry-run output showing a durable report with needs_attention plus recommended accept_risk now receives ready for maintainer look instead of waiting on author.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: current main's hasUnresolvedContributorWork treats every securityReview.status === needs_attention as unresolved contributor work, and prStatusLabelKind maps that to waiting_on_author before ready_for_maintainer_look.

Is this the best way to solve the issue?

Yes, likely: using the existing recommended merge-risk option category is a narrow maintainable fix that keeps author-remediable security findings waiting on the author while routing explicit owner acceptance to maintainer look.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 413ef258a1ef.

Label changes

Label changes:

• add P2: The PR addresses a normal-priority ClawSweeper automation routing bug with limited blast radius to PR status labels.
• add merge-risk: 🚨 automation: Merging this PR changes how ClawSweeper derives PR workflow status labels from durable review reports.
• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: Only build, lint, and focused test validation is described; add redacted terminal output, copied live output, or a screenshot/log from a real or dry-run status-label sync, then update the PR body to trigger re-review or ask a maintainer to comment @clawsweeper re-review.

Label justifications:

• P2: The PR addresses a normal-priority ClawSweeper automation routing bug with limited blast radius to PR status labels.
• merge-risk: 🚨 automation: Merging this PR changes how ClawSweeper derives PR workflow status labels from durable review reports.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: Only build, lint, and focused test validation is described; add redacted terminal output, copied live output, or a screenshot/log from a real or dry-run status-label sync, then update the PR body to trigger re-review or ask a maintainer to comment @clawsweeper re-review.

Evidence reviewed

What I checked:

• Current main source reproduces the misrouting: On current main, hasUnresolvedContributorWork treats every securityReview.status === needs_attention as unresolved contributor work, and prStatusLabelKind maps unresolved work to waiting_on_author before ready_for_maintainer_look can apply. (src/clawsweeper.ts:8896, 413ef258a1ef)
• PR diff uses existing structured merge-risk semantics: Commit 7256492 adds recommendedMergeRiskOptionCategory and securityReviewNeedsContributorWork, then feeds mergeRiskOptionsFromReport into prStatusLabelKindFromReport so an explicit recommended accept_risk option is treated as maintainer-owned rather than contributor work. (src/clawsweeper.ts:8896, 7256492ad862)
• Focused tests cover the intended routing split: The added test checks accept_risk routes to ready for maintainer look, while fix_before_merge and missing structured recommendations still route to waiting on author. (test/clawsweeper.test.ts:15623, 7256492ad862)
• Linked issue context matches this fix: The PR body links PR status label misroutes security-owner review as waiting on author #263, whose report identifies the same current-main source path and asks that security-owner acceptance not be labeled as waiting on the author.
• History provenance for routing owner: git blame shows the current PR status-routing helpers and unconditional security needs_attention gate were introduced in commit 1ff140f by Tak Hoffman. (src/clawsweeper.ts:8886, 1ff140ff45c6)
• Repository policy was read and applied: AGENTS.md requires conservative, evidence-backed, automation-safe review and forbids repository mutation during this review; the checkout was inspected read-only. (AGENTS.md:1, 413ef258a1ef)

Likely related people:

• Tak Hoffman: git blame ties the current status-routing helpers and unconditional security needs_attention gate to commit 1ff140f. (role: introduced behavior; confidence: high; commits: 1ff140ff45c6; files: src/clawsweeper.ts)
• Dallin Romney: Recent commits touch adjacent ClawSweeper proof, review, and Mantis automation paths in the same central files. (role: recent adjacent contributor; confidence: medium; commits: 36b64f4609cb, c5ce402a7369; files: src/clawsweeper.ts, test/clawsweeper.test.ts)
• brokemac79: Separate from opening this PR, brokemac79 has prior merged history on proof-nudge automation in the same review system surface. (role: recent adjacent contributor; confidence: medium; commits: 9b08258b9c64; files: src/clawsweeper.ts, test/clawsweeper.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.