add anti-slop PR quality screening

[ndycode]

Summary

• add anti-slop PR quality screening for main using a commit-pinned peakoss/anti-slop action
• keep Validation strict while leaving Docs Impact and Governance Review as explicit single-choice sections that follow anti-slop's non-strict radio-button semantics

What Changed

• added .github/workflows/anti-slop.yml on pull_request_target with metadata-only guardrails, hidden honeypot term blocking, and needs-human-review labeling/commenting behavior
• updated .github/pull_request_template.md and CONTRIBUTING.md so contributors preserve the visible template structure, avoid copying hidden trap text, and treat Docs Impact / Governance Review as pick-one sections
• hardened test/documentation.test.ts to parse the workflow YAML, assert the maintainer workflow contract, and cover the visible PR template sections
• declared yaml explicitly in devDependencies for the workflow contract test

Validation

• npm run lint
• npm run typecheck
• npm test
• npm test -- test/documentation.test.ts
• npm run build

Docs Impact

Pick one:

• No docs update needed
• Docs updated in this PR
• Follow-up docs work needed

Governance Review

Pick one:

• No CONTRIBUTING.md/SECURITY.md changes needed
• CONTRIBUTING.md and/or SECURITY.md reviewed or updated

Risk and Rollback

• Risk level: low
• Rollback plan: revert .github/workflows/anti-slop.yml, .github/pull_request_template.md, CONTRIBUTING.md, test/documentation.test.ts, package.json, and package-lock.json

Additional Notes

• strict-pr-template-sections intentionally remains Validation only. Per peakoss/anti-slop, non-strict multi-checkbox sections already require exactly one checked option, while strict sections require all checkboxes to be present and checked.
• the pinned peakoss/anti-slop@85daca1880e9e1af197fc06ea03349daf08f4202 source strips HTML comments before blocked-terms matching, so the hidden template comment only trips when copied into visible PR text.
• npm run typecheck, npm run build, and full npm test still hit untouched baseline failures from origin/main, including lib/storage.ts and test/storage.test.ts.
• this PR now covers the metadata-only pull_request_target guardrail, visible template structure checks, clearer single-choice guidance for the non-strict checklist sections, and the documented honeypot behavior.

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

this PR adds a pull_request_target-based anti-slop quality gate for PRs against main, replaces the flat governance checklist in the PR template with structured radio-button sections (Docs Impact / Governance Review), and hardens test/documentation.test.ts to act as a workflow contract test — asserting the SHA pin, trigger config, permissions, and every with: input of the anti-slop step.

key changes:

• .github/workflows/anti-slop.yml — new workflow; uses SHA-pinned peakoss/anti-slop@85daca... via pull_request_target with pull-requests: write + issues: write; strict-pr-template-sections: Validation only (by design — Docs Impact / Governance Review use non-strict single-choice semantics per anti-slop); HTML-comment honeypot term WORKTREE_LANTERN_1455 blocks raw-template copy-paste
• .github/pull_request_template.md — two new Pick one: radio sections; honeypot comment confined to HTML so it's stripped before blocked-term scanning; removes old flat governance checklist
• test/documentation.test.ts — full contract test added: asserts SHA pin, trigger types, concurrency, permissions, timeout, all with: inputs, honeypot visibility invariant (visiblePrBody strip check), and every new template section heading; yaml import now backed by explicit devDependency
• package.json / package-lock.json — yaml@^2.8.2 added to devDependencies
• CONTRIBUTING.md — two new steps explain template integrity requirements and needs-human-review label semantics

issues found:

• the parse() result is cast directly to AntiSlopWorkflowConfig without a null/truthy guard; a malformed or empty yaml file would cascade silently through optional chains rather than surfacing a clear parse error (style/test quality concern, no windows/token risk here)
• pull_request_target + write scopes is documented and SHA-pinned (covered in prior review threads), no new token leakage risk introduced

Confidence Score: 4/5

• safe to merge — no application code touched, no token leakage risk, SHA pin is in place; one minor test-quality gap in the yaml parse guard
• all previously flagged issues (yaml devDependency, honeypot visibility invariant, failure-pr-message and optional-pr-template-sections coverage) are resolved in this revision; the pull_request_target + write-permissions trade-off is documented and SHA-pinned; the only remaining gap is the unguarded parse cast in the contract test, which is a test-quality concern rather than a runtime or security bug
• .github/workflows/anti-slop.yml — pull_request_target + write permissions pattern; test/documentation.test.ts — unguarded yaml parse cast

Important Files Changed

Filename	Overview
.github/workflows/anti-slop.yml	new workflow using pull_request_target + SHA-pinned action to label/comment on low-quality PRs; security trade-off documented; strict-pr-template-sections covers Validation only (by design per PR description), Docs Impact / Governance Review rely on require-pr-template enforcement alone
.github/pull_request_template.md	replaced flat governance checklist with two radio-button sections; honeypot HTML comment added; visible/hidden separation tested at lines 546–547 in documentation.test.ts
test/documentation.test.ts	workflow contract tests added: asserts SHA pin, trigger types, permissions, concurrency, every with: input, and honeypot visibility invariant; failure-pr-message and optional-pr-template-sections are now covered; no gaps in the interface relative to what the workflow actually sets
CONTRIBUTING.md	two lines added explaining template structure requirement and needs-human-review label meaning; assertions in documentation.test.ts validate both strings are present
package.json	yaml added explicitly to devDependencies at ^2.8.2, resolving the transitive-dep fragility flagged in previous review round
package-lock.json	lock file updated to record yaml@2.8.2 as an explicit devDependency; no other dependency changes

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR opened/synced/edited against main] --> B{pull_request_target trigger}
    B --> C[anti-slop action runs\npeakoss/anti-slop@85daca...]
    C --> D{require-pr-template\nchecks template presence}
    D -->|missing| E[failure count +1]
    D -->|present| F{strict section check\nValidation — all boxes must be checked}
    F -->|incomplete| E
    F -->|ok| G{blocked-terms scan\non visible body only\nHTML comments stripped}
    G -->|WORKTREE_LANTERN_1455 found| E
    G -->|clean| H{non-strict sections\nDocs Impact / Governance Review\ncheck one-checked constraint}
    H -->|violation| E
    H -->|ok| I[no failures]
    E --> J{failure count >= max-failures 4?}
    J -->|yes| K[add needs-human-review label\npost failure-pr-message comment]
    J -->|no| I
    I --> L[workflow passes — PR proceeds normally]
    K --> M[maintainer review required before merge]

Loading

Prompt To Fix All With AI

This is a comment left during a code review.
Path: test/documentation.test.ts
Line: 483

Comment:
**unguarded cast hides parse failures**

`parse(antiSlop) as AntiSlopWorkflowConfig` will silently succeed even if the yaml file is malformed or empty — `parse()` can return `null`, `undefined`, or a primitive, and the cast won't catch it. if the file is accidentally emptied or has a syntax error, every subsequent `?.` chain produces `undefined` and the first `.toBeDefined()` assertion fails with a confusing "received undefined" message rather than a clear parse error.

a minimal guard makes failures obvious:

```suggestion
		const antiSlopConfig = parse(antiSlop) as AntiSlopWorkflowConfig;
		expect(antiSlopConfig, "anti-slop.yml failed to parse as a YAML object").toBeTruthy();
```

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: 2393d9c}

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• skip-review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3ed7570f-c992-4499-9caf-5f25449d79a3

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

walkthrough

adds a new github actions workflow .github/workflows/anti-slop.yml for automated pr quality screening and updates the pr template to include "docs impact" and "governance review" sections. contributing.md is updated to require preserving the visible pr template and to note automated checks that may add a needs-human-review label. tests were extended to parse and validate the new workflow and template.

changes

Cohort / File(s)	Summary
pr template & contributing .github/pull_request_template.md, CONTRIBUTING.md	replaces the previous "Docs and Governance Checklist" with "Docs Impact" and "Governance Review". adds visible-template preservation requirements and documents that anti-slop may add a needs-human-review label.
anti-slop workflow .github/workflows/anti-slop.yml	new workflow "Anti Slop" triggered on pull_request_target for main. runs peakoss/anti-slop@v0.2.1 with inputs (require-pr-template, strict-pr-template-sections=Validation, optional-pr-template-sections=Additional Notes, blocked-terms=WORKTREE_LANTERN_1455, max-failures=4, failure-add-pr-labels=needs-human-review, etc.).
tests & deps test/documentation.test.ts, package.json	adds yaml devDependency and extends test/documentation.test.ts to parse .github/workflows/anti-slop.yml, assert the action step exists and is pinned to a specific ref, validate on/permissions/inputs, and assert pr template sections present/absent. also filters external links in markdown helper.

sequence diagram(s)

(skip)

estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

review notes

• missing regression test: add a test that simulates a failing anti-slop run and asserts the needs-human-review label is applied. reference tests at test/documentation.test.ts:1 for where to extend assertions.
• pinned action ref risk: tests assert a hardcoded action ref. confirm peakoss/anti-slop pinned commit remains stable or update tests when bumping. see test/documentation.test.ts:1.
• windows edge cases: yaml parsing was added via yaml in package.json. ensure test/documentation.test.ts:1 handles windows CRLF and path differences; add an explicit windows CRLF regression test.
• concurrency risk: workflow does not include concurrency controls. concurrent prs may race when adding labels. consider adding concurrency or idempotent label logic in .github/workflows/anti-slop.yml.
• test brittleness: test/documentation.test.ts:1 asserts exact action ref and specific input strings (e.g., WORKTREE_LANTERN_1455). these assertions will require updates when the action or policy changes.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	title clearly summarizes the main change: adding anti-slop PR quality screening; follows conventional commits format with lowercase imperative and is 34 chars.
Description check	✅ Passed	PR description follows the template structure with all required sections present and substantive content addressing the changes made.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch git-plan/22-anti-slop-pr-screening

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Adds an “anti-slop” PR quality screening workflow (via pull_request_target) and updates repo templates/docs/tests to enforce PR template structure and route failed screenings to needs-human-review.

Changes:

• Added .github/workflows/anti-slop.yml using a commit-pinned peakoss/anti-slop action with labeling/commenting behavior on failure.
• Restructured the PR template into “Docs Impact” and “Governance Review” sections and added a hidden honeypot blocked term.
• Updated CONTRIBUTING.md and test/documentation.test.ts to document and contract-test the new workflow + template requirements.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
.github/workflows/anti-slop.yml	Introduces the PR screening workflow with pinned action and failure handling.
.github/pull_request_template.md	Updates template sections and embeds the honeypot blocked term.
CONTRIBUTING.md	Documents new expectations around template usage and the resulting label.
test/documentation.test.ts	Adds assertions to ensure the workflow/template constraints remain present and pinned.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cubic-dev-ai]

No issues found across 4 files

[cubic-dev-ai]

2 issues found across 3 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="test/documentation.test.ts">

<violation number="1" location="test/documentation.test.ts:496">
P2: Using `toMatchObject` for workflow permissions allows extra permission scopes to be added without failing the contract test.</violation>

<violation number="2" location="test/documentation.test.ts:512">
P2: The workflow contract test asserts `close-pr: false` but does not assert `lock-pr: false`, so a lock behavior regression can slip through.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/pull_request_template.md:
- Around line 19-28: The two checklist sections "## Docs Impact" and "##
Governance Review" currently present mutually exclusive options without forcing
a single selection; update each section header block to require a single choice
by adding a short explicit instruction like "Select exactly one of the options
below" (or "Pick one:"), and make the options remain checkboxes but include that
enforcement text directly beneath the headings so authors must choose one;
target the "## Docs Impact" and "## Governance Review" blocks in
.github/pull_request_template.md and ensure the wording is clear and unambiguous
to satisfy tests that only validate headings (e.g., add the single-choice
directive line immediately after each heading).

In @.github/workflows/anti-slop.yml:
- Around line 3-6: Add a short inline guardrail comment above the "on:
pull_request_target" declaration in .github/workflows/anti-slop.yml stating that
this workflow must remain metadata-only (no checkouts, no running untrusted PR
code, and no third-party actions that execute PR-supplied content) to avoid
token exposure and cache poisoning; reference the existing test at
test/documentation.test.ts:476 for context and explicitly warn future editors
not to add actions/checkout or any "uses:" or "run:" steps that would execute PR
code.

In `@test/documentation.test.ts`:
- Around line 81-88: The test model in test/documentation.test.ts currently
omits the optional "lock-pr" field so the contract/assertion (around the current
assertion block near lines 512-513) only checks "close-pr"; update the model to
add "lock-pr"?: boolean in the with object schema and modify the corresponding
assertion in the contract test to explicitly assert that "lock-pr" is false for
the maintainer workflow; ensure the new assertion is deterministic (use the same
vitest assertion style used elsewhere in this file) so future flips to
lock-pr:true will fail the test and force explicit review.
- Around line 514-523: The test currently only checks anti-slop sections of the
PR template; update the assertions in test/documentation.test.ts (the block
where prBody = read(prTemplate)) to also assert the required visible headers are
present by adding expects for "## Summary", "## What Changed", "## Risk and
Rollback", and "## Additional Notes" (and any other visible section names from
CONTRIBUTING.md) and ensure it still asserts absence/presence of the anti-slop
sections; locate the prBody usage and augment the expect(prBody).toContain(...)
/ .not.toContain(...) checks accordingly so the test will fail if any required
visible section is removed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 73d70b86-965a-4d18-970e-f3823e70b490

📥 Commits

Reviewing files that changed from the base of the PR and between 57b2591 and 27a3fa5.

📒 Files selected for processing (4)

• .github/pull_request_template.md
• .github/workflows/anti-slop.yml
• CONTRIBUTING.md
• test/documentation.test.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: Greptile Review

🧰 Additional context used

📓 Path-based instructions (1)

test/**

⚙️ CodeRabbit configuration file

tests must stay deterministic and use vitest. demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior. reject changes that mock real secrets or skip assertions.

Files:

• test/documentation.test.ts

🪛 LanguageTool

CONTRIBUTING.md

[uncategorized] ~62-~62: The official name of this software platform is spelled with a capital “H”.
Context: ...the PR description. 5. Keep the visible .github/pull_request_template.md section struc...

(GITHUB)

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/anti-slop.yml">

<violation number="1" location=".github/workflows/anti-slop.yml:25">
P1: This change drops strict enforcement for `Docs Impact` and `Governance Review`, weakening PR-quality screening and breaking the documentation test contract.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="test/documentation.test.ts">

<violation number="1" location="test/documentation.test.ts:505">
P2: This assertion weakens the anti-slop contract by dropping Docs Impact/Governance Review from strict section enforcement.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[ndycode]

Follow-up after reviewing the current thread set on 87121aa and 63311bb:

• fixed the remaining small in-scope items in the branch: metadata-only pull_request_target guardrail comment, explicit Pick one: wording for Docs Impact / Governance Review, stronger PR-template contract assertions, clearer missing-step diagnostics, and documented honeypot behavior
• re-ran npm test -- test/documentation.test.ts after each follow-up; it is currently passing on the branch
• verified against the pinned peakoss/anti-slop@85daca1880e9e1af197fc06ea03349daf08f4202 source that blocked-terms strips HTML comments before matching (src/checks/description-checks.ts), so the hidden template comment does not trip on normal PRs unless it is copied into visible PR text
• intentionally not restoring strict-pr-template-sections: Validation,Docs Impact,Governance Review: the action README documents that non-strict multi-checkbox template sections already require exactly one checked option, while strict sections require all checkboxes to be present and checked. Making Docs Impact / Governance Review strict again would reintroduce the false-failure bug this follow-up fixed
• the earlier yaml dependency comment is already addressed in the branch via explicit devDependencies

Bot reruns are still in progress, so I have not treated the currently open bot threads as settled yet.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/documentation.test.ts`:
- Around line 82-90: Add deterministic regression assertions in
documentation.test.ts to cover the anti-slop workflow inputs 'max-failures' and
'exempt-draft-prs' so they cannot silently drift: locate the test that
loads/parses .github/workflows/anti-slop.yml (the existing assertions around the
inputs object) and add vitest expect(...) checks that the parsed inputs include
'max-failures' and 'exempt-draft-prs' with the expected values (or
existence/boolean type as appropriate), using the same parsing helpers used for
the other keys and avoiding mocking secrets; ensure the new expects follow the
pattern used for the other properties like "github-token" and
"require-pr-template".
- Around line 535-537: The test uses prBody but only checks a single generic
"Pick one:" which can pass if one of the two sections loses its instruction;
update the assertions in test/documentation.test.ts to verify the "Pick one:"
instruction is present for both sections by either asserting that "Pick one:"
appears twice in prBody (count occurrences) or by asserting each section
contains its own instruction (e.g., check that "## Docs Impact" is followed by
"Pick one:" and that "## Governance Review" is followed by "Pick one:"); refer
to the prBody variable and the section headers "## Docs Impact" and "##
Governance Review" when adding the stronger assertions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6821d348-e2be-473b-a512-eab476698ee3

📥 Commits

Reviewing files that changed from the base of the PR and between 27a3fa5 and cd7b89f.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (4)

• .github/pull_request_template.md
• .github/workflows/anti-slop.yml
• package.json
• test/documentation.test.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Greptile Review

🧰 Additional context used

📓 Path-based instructions (1)

test/**

⚙️ CodeRabbit configuration file

tests must stay deterministic and use vitest. demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior. reject changes that mock real secrets or skip assertions.

Files:

• test/documentation.test.ts

🔇 Additional comments (6)

package.json (1)

115-116: looks good: yaml dependency matches the new test contract usage.

this change is consistent with test/documentation.test.ts:13 and test/documentation.test.ts:474.

.github/pull_request_template.md (2)

1-1: honeypot comment placement is correct.

it stays hidden in the template source while remaining verifiable via test/documentation.test.ts:527.

---

19-32: single-choice wording is now clear in both sections.

the explicit prompt maps cleanly to the template checks in test/documentation.test.ts:535-538.

.github/workflows/anti-slop.yml (1)

3-6: workflow hardening looks solid for this privileged trigger.

metadata-only guardrails, sha pinning, and narrow permissions align with the contract enforced in test/documentation.test.ts:482-506 and test/documentation.test.ts:507-525.

Also applies to: 10-14, 21-42

test/documentation.test.ts (2)

13-13: good direction on typed yaml contract checks.

the yaml parsing plus local interface keeps this test deterministic and readable in vitest.

Also applies to: 64-94

---

553-554: nice addition on contributing contract coverage.

these checks anchor the maintainer workflow expectation in docs (needs-human-review and template usage).