feat(pr-reviewer): fail closed on unresolved authors

[khaliqgant]

User description

Summary\n- Fail closed when REVIEW_AUTHORS is configured but the PR author cannot be resolved.\n- Keep unset allowlists open, and keep the non-member skip branch intact.\n- Restage the pr-reviewer bundle, runner, and persona artifacts so deployment uses the updated behavior.\n\n## Validation\n- npm run test:review\n- 4/4 focused reviewer tests passing\n\n## Notes\n- Bundle drift is confined to the restaged reviewer patch set and generated deployment artifacts.\n- Repo-wide npm test is still blocked by the separate linear-tsc lane, which is intentionally out of scope here.

---

Summary by cubic

Fail closed when REVIEW_AUTHORS is set but the PR author can’t be resolved, preventing unintended reviews. Also updates the persona/runner and adds a small esbuild-based test harness.

• New Features

  • Strict author allowlist: skip when the author is unresolved or not in REVIEW_AUTHORS; if unset, review all authors.
  • Persona updates: add optional REVIEW_AUTHORS and SKIP_LABELS (defaults to "no-agent-relay-review"), make SLACK_CHANNEL optional, declare github/slack integrations, set cloud: true.
  • Runner now accepts agents exported via defineAgent and forwards triggers/schedules/watch.

• Refactors

  • Restaged pr-reviewer bundle and deployment artifacts.
  • Added scripts/test.mjs, npm run test:review, focused allowlist tests, and dev dependency on esbuild for building test targets.

^{Written for commit 19491bc. Summary will update on new commits.}

---

CodeAnt-AI Description

Skip reviews when the PR author cannot be confirmed

What Changed

• When REVIEW_AUTHORS is set and the PR author cannot be resolved, the reviewer now skips the PR instead of proceeding.
• PRs from authors not listed in REVIEW_AUTHORS are skipped with a clear reason.
• The reviewer now exposes REVIEW_AUTHORS in its settings, makes the Slack channel optional, and keeps its GitHub/Slack connections declared for deployment.
• Added focused tests for allowed authors, blocked authors, unresolved authors, and the open-allowlist case.

Impact

✅ Fewer unintended PR reviews
✅ Clearer skip reasons for author-based review rules
✅ Safer review gating when author data is missing

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[codeant-ai]

CodeAnt AI is reviewing your PR.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds author-based filtering to the PR reviewer agent via a fail-closed allowlist decision, introduces a test runner to validate the logic, bundles the agent with explicit trigger configuration and client-based messaging, and updates the persona and runner to support the new agent specification.

Changes

PR Reviewer Agent Update

Layer / File(s)	Summary
Author allowlist decision and test foundation review/agent.ts, tests/review-agent.test.mjs, package.json	reviewAuthorAllowlistDecision helper returns a skip reason when PR author is missing, unknown, or not in an allowlist set; integrates into shouldSkipReview for fail-closed filtering. Unit tests cover allowlisted, non-allowlisted, unresolved, and unrestricted scenarios. New test:review npm script runs the test suite.
Test runner infrastructure scripts/test.mjs	Compiles TypeScript sources with esbuild, discovers .test.mjs files under tests/, and executes them via Node's node --test. Includes filesystem traversal, directory filtering, and build artifact cleanup.
Agent bundle implementation and messaging review/.workforce/build/pr-reviewer/agent.bundle.mjs	Bundles agent using defineAgent with GitHub trigger events. Implements shouldSkipReview to load PR metadata, evaluate merged/closed state, match skip labels, and apply author allowlist gating. Routes review comments and Slack notifications through githubClient() and slackClient() instead of context objects. Extends readPr to capture PR state, merged flag, and labels. Exports the decision helper.
Persona configuration and runner compatibility review/.workforce/build/pr-reviewer/persona.json, review/.workforce/build/pr-reviewer/runner.mjs	Persona adds cloud flag, simplified integrations, new inputs REVIEW_AUTHORS and SKIP_LABELS, and simplified event wiring to onEvent: "./agent.ts". Runner detects and extracts triggers, schedules, and watch from defineAgent-style or legacy exports, passing agent spec to startRunner when present.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• AgentWorkforce/agents#1: Introduces the initial PR reviewer agent that this PR extends with author allowlist filtering.
• AgentWorkforce/agents#21: Implements the same reviewAuthorAllowlistDecision logic that this PR exports and tests.
• AgentWorkforce/agents#10: Adds the failReviewRun helper that this PR updates to use client-based GitHub/Slack routing.

Suggested labels

size:M, feature:review-agent

🐰 With author guards in place so firm,
Our reviewer knows just which way to turn,
Tests blaze the trail through code's terrain,
Each PR flows through the allowlist's lane,
Bundles bind the pieces, bright and clean! 🎀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: implementing a 'fail closed' behavior for unresolved PR authors in the review system.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The description is directly related to the changeset, detailing the fail-closed behavior for unresolved PR authors, persona updates, runner changes, test additions, and validation results.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/pr-reviewer-fail-closed

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request refactors the PR reviewer agent's author allowlist logic to fail closed when configured but the author cannot be resolved confidently. This logic is extracted into a new exported function reviewAuthorAllowlistDecision and unit-tested in tests/review-agent.test.mjs. Additionally, a custom test runner script scripts/test.mjs has been introduced to build TypeScript sources with esbuild and run Node.js tests, and a new test:review script has been added to package.json. The agent's persona configuration and runner have also been updated to support the new defineAgent structure and additional inputs (REVIEW_AUTHORS, SKIP_LABELS). There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[codeant-ai]

Suggestion: This script imports esbuild directly but esbuild is not declared in this package's direct dependencies/devDependencies. The test runner can fail with ERR_MODULE_NOT_FOUND in clean or non-hoisting installs (or after dependency graph changes), so add esbuild as an explicit devDependency to make this command reliable. [import error]

Severity Level: Major ⚠️

- ❌ `npm run test:review` can fail with module not found.
- ⚠️ Focused reviewer tests become unreliable across install environments.
- ⚠️ CI pipelines depending on `test:review` may intermittently break.

Steps of Reproduction ✅

1. Install this package in isolation using only its declared dependencies from
`package.json` at `/workspace/agents/package.json:14-23`, which do NOT list `esbuild`
under `dependencies` or `devDependencies`.

2. Run `npm run test:review` (script defined in `package.json:8-12` as `node
scripts/test.mjs tests/review-agent.test.mjs`), which executes the test runner at
`/workspace/agents/scripts/test.mjs:1-94`.

3. Node evaluates `scripts/test.mjs` and reaches the import `import { build } from
'esbuild';` at `scripts/test.mjs:6`, requiring that `esbuild` be resolvable from the root
`node_modules` based on this package's own dependency graph.

4. In an environment where `esbuild` is not hoisted to the root (e.g., non-hoisting
installs, or after `agentworkforce` stops depending on `@agentworkforce/deploy` which
currently pulls in `esbuild` transitively as shown in `package-lock.json:8-19`), the
module `esbuild` is absent from this package's direct dependency tree, causing
`ERR_MODULE_NOT_FOUND` on startup and making `npm run test:review` fail.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** scripts/test.mjs
**Line:** 6:6
**Comment:**
	*Import Error: This script imports `esbuild` directly but `esbuild` is not declared in this package's direct dependencies/devDependencies. The test runner can fail with `ERR_MODULE_NOT_FOUND` in clean or non-hoisting installs (or after dependency graph changes), so add `esbuild` as an explicit devDependency to make this command reliable.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

👍 | 👎

[codeant-ai]

Suggestion: The allowlist decision treats any non-empty author as confidently resolved, but in check_run.completed flows author can come from sender.login (often a bot) when PR meta lookup fails, which is not the PR opener. That causes valid allowlisted PRs to be skipped as "not in REVIEW_AUTHORS" instead of being classified as unresolved. Update the decision/input so non-authoritative fallback identities are treated as unresolved when REVIEW_AUTHORS is set. [incorrect condition logic]

Severity Level: Major ⚠️

- ❌ Allowlisted PRs skipped on failing check_run.completed events.
- ⚠️ Reviews silently omitted despite author being explicitly allowlisted.

Steps of Reproduction ✅

1. Configure the pr-reviewer persona with `REVIEW_AUTHORS` containing the real PR opener
but not the CI bot, e.g. `REVIEW_AUTHORS=alice` and no entry for `github-actions`
(allowlist is parsed in `review/agent.ts:112-115` by `reviewAuthorAllowlist`).

2. Open a pull request authored by `alice` in a repo where this agent is installed so that
the PR is materialized and later receives CI check runs (PR parsing happens via `readPr`
in `review/agent.ts:2-35` which sets `author`).

3. Trigger a failing CI check that emits a `check_run.completed` webhook with a
non-success conclusion (so `ciFailed` in `review/agent.ts:49-51` returns true) where the
payload has `check_run.pull_requests[0]` populated but no `pull_request.user`, and the VFS
`meta.json` either fails to load or does not include an `author` field (so `loadPrMeta` in
`review/agent.ts:91-101` returns `undefined` or a meta without `author`).

4. When this `check_run.completed` event is delivered, the handler in
`review/agent.ts:10-39` calls `readPr`, which sets `pr.author` to
`p?.pull_request?.user?.login ?? p?.sender?.login ?? 'unknown'` (see
`review/agent.ts:25-31`); for `check_run.completed` without `pull_request.user`, this
becomes the CI bot login from `sender.login`. `shouldSkipReview` in
`review/agent.ts:48-80` then calls `resolveAuthorLogin(meta, pr)` (lines 86-88), which
falls back to `pr.author` because `meta?.author` is missing, and passes that bot login
into `reviewAuthorAllowlistDecision` at `review/agent.ts:117-121`. Since `allow.size > 0`
and `author` is a non-empty, non-`'unknown'` bot login, the code path at
`review/agent.ts:5-9` returns `{ reason: 'author @github-actions is not in REVIEW_AUTHORS'
}` instead of treating the author as unresolved. `shouldSkipReview` returns this skip
reason, so the handler logs `pr-reviewer skipped` and does not call `reviewAndFix`, even
though the real PR opener (`alice`) is allowlisted. This matches the reported issue that
non-authoritative fallback identities (e.g. CI bot `sender.login` in
`check_run.completed`) are treated as real authors, causing allowlisted PRs to be skipped
rather than classified as unresolved.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** review/agent.ts
**Line:** 183:188
**Comment:**
	*Incorrect Condition Logic: The allowlist decision treats any non-empty `author` as confidently resolved, but in `check_run.completed` flows `author` can come from `sender.login` (often a bot) when PR meta lookup fails, which is not the PR opener. That causes valid allowlisted PRs to be skipped as "not in REVIEW_AUTHORS" instead of being classified as unresolved. Update the decision/input so non-authoritative fallback identities are treated as unresolved when `REVIEW_AUTHORS` is set.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

👍 | 👎

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@review/.workforce/build/pr-reviewer/agent.bundle.mjs`:
- Around line 1000-1003: The resolveAuthorLogin function currently falls back to
pr.author which can be the check-run sender; change it to only use pr.author
when the payload actually represents a pull_request (e.g., when
pr.pull_request?.user?.login exists) so stale/missing meta.json won't treat a
check_run sender as the PR opener—update resolveAuthorLogin to derive from
meta.author first, and only if absent and pr.pull_request?.user?.login is
present use pr.author (otherwise leave unresolved/empty) so REVIEW_AUTHORS fails
closed for non-pull_request payloads.

In `@review/agent.ts`:
- Around line 128-137: The current logic claims to "fail open" when meta.json is
missing but resolveAuthorLogin falls back to 'unknown', causing
reviewAuthorAllowlistDecision to treat it as a non-author and skip; fix by
making the author resolution explicitly indicate missing meta (e.g., return
null/undefined instead of 'unknown') or update reviewAuthorAllowlistDecision to
treat a missing-meta sentinel as "fail open" (do not skip and do not notify),
and update the gate comment accordingly; specifically adjust resolveAuthorLogin
(used in review/agent.ts) and/or reviewAuthorAllowlistDecision to detect meta
absence from readPr and avoid silent skips for unknown author when meta.json
wasn't loaded.

In `@scripts/test.mjs`:
- Around line 6-30: The script scripts/test.mjs imports esbuild via "import {
build } from 'esbuild'" but esbuild is not declared in package.json; add
"esbuild" to package.json devDependencies (exact version matching
package-lock.json or a suitable pinned/dev version) and run npm install to
update lockfile so clean/pruned installs and npm run test:review won't fail.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3aeb990b-40b3-4b7a-9f89-f7f100537b3a

📥 Commits

Reviewing files that changed from the base of the PR and between 20e45a0 and 605997e.

📒 Files selected for processing (7)

• package.json
• review/.workforce/build/pr-reviewer/agent.bundle.mjs
• review/.workforce/build/pr-reviewer/persona.json
• review/.workforce/build/pr-reviewer/runner.mjs
• review/agent.ts
• scripts/test.mjs
• tests/review-agent.test.mjs

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find where pulls/{n}/meta.json is written/materialized and whether it precedes check_run.completed handling.
rg -nP 'meta\.json' -C3
rg -nP 'check_run\.completed|check_run' -C3 --type=ts

Repository: AgentWorkforce/agents

Length of output: 8617

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="review/agent.ts"

# Show implementations + nearby constants/comments
rg -n "function (resolveAuthorLogin|reviewAuthorAllowlistDecision|loadPrMeta)\b" "$FILE"
rg -n "'unknown'|unknown" "$FILE"
rg -n "REVIEW_AUTHORS" "$FILE"
rg -n "allowlist" "$FILE"

# Print focused line ranges (adjust if rg shows different line numbers)
python3 - <<'PY'
import re,sys,subprocess,os,math,json
FILE="review/agent.ts"
# parse rg output to get line numbers for key functions
keys=["resolveAuthorLogin","reviewAuthorAllowlistDecision","loadPrMeta","readPr"]
for k in keys:
    out=subprocess.check_output(["rg","-n",f"function {k}\\b",FILE],text=True).strip().splitlines()
    if not out: 
        continue
    ln=int(out[0].split(":")[0])
    lo=max(1,ln-20); hi=ln+60
    print(f"\n### {k} around lines {lo}-{hi}")
    subprocess.run(["sed","-n",f"{lo},{hi}p",FILE],check=False)
PY

Repository: AgentWorkforce/agents

Length of output: 15197

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE="review/agent.ts"
# Show full shouldSkipReview body and caller usage
rg -n "function shouldSkipReview|shouldSkipReview\\(" "$FILE"
echo "---- shouldSkipReview (80-170) ----"
sed -n '90,180p' "$FILE"
echo "---- caller handling skip result (170-260?) ----"
rg -n "notifySkip\\(|notify\\b|skip\\b.*notify" "$FILE"
sed -n '60,120p' "$FILE"

Repository: AgentWorkforce/agents

Length of output: 7485

---

Fix author allowlist “fail open” comment / behavior when meta.json is missing (esp. check_run.completed).

shouldSkipReview applies REVIEW_AUTHORS fail closed: if meta.json can’t be loaded, resolveAuthorLogin(meta, pr) falls back to readPr’s author (pull_request.user.login or sender.login or 'unknown'), and reviewAuthorAllowlistDecision skips when author === 'unknown' or not in the allowlist (silent: no notify). That can suppress re-reviews on check_run.completed when the payload doesn’t identify the real PR author.

The gate comment at review/agent.ts lines 104-106 (“those fail open when meta is missing”) is inaccurate for the author dimension; update the comment or adjust the fallback/decision to truly fail open when meta.json is unavailable.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@review/agent.ts` around lines 128 - 137, The current logic claims to "fail
open" when meta.json is missing but resolveAuthorLogin falls back to 'unknown',
causing reviewAuthorAllowlistDecision to treat it as a non-author and skip; fix
by making the author resolution explicitly indicate missing meta (e.g., return
null/undefined instead of 'unknown') or update reviewAuthorAllowlistDecision to
treat a missing-meta sentinel as "fail open" (do not skip and do not notify),
and update the gate comment accordingly; specifically adjust resolveAuthorLogin
(used in review/agent.ts) and/or reviewAuthorAllowlistDecision to detect meta
absence from readPr and avoid silent skips for unknown author when meta.json
wasn't loaded.

[agent-relay-code]

Reviewed PR #27 locally and made one focused hardening change: exported and tested the pure author/label normalization helpers used by the new review skip gate, so meta author shapes and defensive label parsing are now covered.

Regenerated the checked-in review/.workforce/build/pr-reviewer bundle from the local deploy generator so it matches the updated source.

Local verification passed:

• npm run test:review
• npm test
• npm run typecheck

[cubic-dev-ai]

1 issue found across 7 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="scripts/test.mjs">

<violation number="1" location="scripts/test.mjs:6">
P2: New test runner imports `esbuild` but the package is not declared in dependencies/devDependencies, making test execution environment-dependent.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

P2: New test runner imports esbuild but the package is not declared in dependencies/devDependencies, making test execution environment-dependent.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At scripts/test.mjs, line 6:

<comment>New test runner imports `esbuild` but the package is not declared in dependencies/devDependencies, making test execution environment-dependent.</comment>

<file context>
@@ -0,0 +1,94 @@
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+import { build } from 'esbuild';
+
+const repoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
</file context>

[agent-relay-code]

Reviewed PR #27 and fixed the issues I found.

Changed:

• Fixed readPr so check_run.completed events do not treat sender.login as the PR author. That would have let REVIEW_AUTHORS pass based on the check actor instead of the PR opener.
• Added tests covering check-run author handling and normal PR author parsing.
• Added direct esbuild dev dependency because scripts/test.mjs imports it directly.
• Regenerated the checked-in review deploy bundle.

Validated locally:

• npm run typecheck
• npm test
• npm run test:review

[agent-relay-code]

✅ pr-reviewer applied fixes — committed and pushed 19491bc to this PR. The notes below describe what changed.

Reviewed PR #27 and fixed the issues I found.

Changed:

• Fixed readPr so check_run.completed events do not treat sender.login as the PR author. That would have let REVIEW_AUTHORS pass based on the check actor instead of the PR opener.
• Added tests covering check-run author handling and normal PR author parsing.
• Added direct esbuild dev dependency because scripts/test.mjs imports it directly.
• Regenerated the checked-in review deploy bundle.

Validated locally:

• npm run typecheck
• npm test
• npm run test:review