Skip to content

fix(settings): accept [bot]-suffixed logins in contributorBlacklist#6233

Merged
loopover-orb[bot] merged 1 commit into
JSONbored:mainfrom
jaytbarimbao-collab:fix-blacklist-bot-login-6190-v2
Jul 15, 2026
Merged

fix(settings): accept [bot]-suffixed logins in contributorBlacklist#6233
loopover-orb[bot] merged 1 commit into
JSONbored:mainfrom
jaytbarimbao-collab:fix-blacklist-bot-login-6190-v2

Conversation

@jaytbarimbao-collab

Copy link
Copy Markdown
Contributor

Summary

contributor-blacklist's GITHUB_LOGIN pattern rejected any login ending in [bot], so a maintainer configuring settings.contributorBlacklist: [{login: "evilbot[bot]"}] had it silently dropped with a generic "not a valid GitHub login" warning. Bot accounts are a documented abuse vector (PROTECTED_AUTOCLOSE_AUTHORS in agent-actions.ts), and the sibling auto-close-exempt.ts already deliberately accepts the same trailing [bot] App-actor shape for exemptions — so blacklisting one should work too.

Change

Extend GITHUB_LOGIN with the same optional (?:\[bot\])? suffix auto-close-exempt.ts uses. The implementation lives in the @loopover/engine copy (src/settings/contributor-blacklist.ts is a re-export shim after #6201), so the single edit covers both surfaces. auto-close-exempt.ts is left unchanged — it's the reference pattern.

Enforcement + tests

Regression tests in both suites assert a something[bot] login is (a) kept by normalizeContributorBlacklist and (b) actually matched end-to-end by isAuthorBlacklisted/findBlacklistEntry (case-insensitively), while malformed bot-ish logins (bare [bot], doubled suffix, wrong-case, mid-string brackets) are still dropped. Both blacklist suites (33 tests) + tsc green.

Closes #6190

contributor-blacklist's GITHUB_LOGIN pattern rejected any login ending in
[bot], so a maintainer configuring
settings.contributorBlacklist: [{login: "evilbot[bot]"}] got it silently
dropped with a generic 'not a valid GitHub login' warning — even though
bot accounts are a documented abuse vector and the sibling
auto-close-exempt.ts already accepts the same [bot] App-actor shape for
exemptions.

Extend GITHUB_LOGIN with the same optional (?:\[bot\])? suffix
auto-close-exempt.ts uses. The implementation lives in the
@loopover/engine copy (the src/ file is now a re-export shim after JSONbored#6201),
so the single edit covers both surfaces. Malformed bot-ish logins (bare
[bot], doubled suffix, wrong-case, mid-string brackets) are still dropped.
Regression tests in both suites assert a blacklisted something[bot] author
is actually matched by isAuthorBlacklisted.

Closes JSONbored#6190
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jul 15, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.35%. Comparing base (2af2da3) to head (fc1138d).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #6233   +/-   ##
=======================================
  Coverage   95.35%   95.35%           
=======================================
  Files         598      598           
  Lines       47102    47102           
  Branches    14988    14988           
=======================================
  Hits        44913    44913           
  Misses       1464     1464           
  Partials      725      725           
Flag Coverage Δ
shard-1 44.02% <100.00%> (ø)
shard-2 36.67% <100.00%> (+0.01%) ⬆️
shard-3 32.44% <100.00%> (+0.21%) ⬆️
shard-4 34.28% <100.00%> (-0.13%) ⬇️
shard-5 31.04% <100.00%> (-0.58%) ⬇️
shard-6 45.17% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
...pover-engine/src/settings/contributor-blacklist.ts 100.00% <100.00%> (ø)

@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 15, 2026
@loopover-orb

loopover-orb Bot commented Jul 15, 2026

Copy link
Copy Markdown

Tip

✅ LoopOver review result - approve/merge recommended

Review updated: 2026-07-15 23:39:37 UTC

3 files · 1 AI reviewer · no blockers · readiness 77/100 · CI green · clean

✅ Suggested Action - Approve/Merge

  • safe to merge

Review summary
This is a narrowly-scoped regex fix: `GITHUB_LOGIN` in `contributor-blacklist.ts` gains the same optional `(?:\[bot\])?` suffix already used in `auto-close-exempt.ts`, so bot logins like `dependabot[bot]` are no longer silently dropped from the blacklist. The change is a single-line diff mirroring a proven sibling pattern, and the added tests exercise both normalization and end-to-end matching (`isAuthorBlacklisted`/`findBlacklistEntry`) plus the negative cases (bare `[bot]`, doubled suffix, wrong case, mid-string brackets) that confirm the anchor/case-sensitivity still holds. Closes a linked issue (#6190) with a minimal, well-targeted surface.

Nits — 3 non-blocking
  • The `GITHUB_LOGIN` regex is now duplicated verbatim between `contributor-blacklist.ts` and `auto-close-exempt.ts`; since the PR description explicitly treats the latter as the reference pattern, consider a follow-up to extract a single shared constant/module rather than keeping two copies in sync by convention.
  • The regex comment in `contributor-blacklist.ts:8-11` is fairly long inline — could reference `auto-close-exempt.ts` by file+line instead of restating the full rationale, to reduce drift risk if one comment is updated and the other isn't.
  • Consider hoisting `GITHUB_LOGIN` into a shared settings util imported by both `contributor-blacklist.ts` and `auto-close-exempt.ts` to guarantee the two never diverge silently in the future.

Decision drivers

  • ✅ Code review — No blockers (1 reviewer)
  • ✅ Gate result — Passing (No configured blocker found.)
Context & advisory signals — never blocks the verdict
Signal Result Evidence
Linked issue ✅ Linked #6190
Related work ⚠️ 2 scoped overlaps Top overlaps are listed below; lower-confidence bulk is hidden.
Change scope ❌ 8/20 High review scope from cached public metadata (1 linked issue).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 130 registered-repo PR(s), 67 merged, 4 issue(s).
Contributor context ✅ Confirmed Gittensor contributor jaytbarimbao-collab; Gittensor profile; 130 PR(s), 4 issue(s).
Improvement ✅ Minor risk: clean · value: minor · LLM: minor
Linked issue satisfaction

Addressed
The diff extends GITHUB_LOGIN with the same (?:\[bot\])? suffix as auto-close-exempt.ts, leaves that file untouched, and adds regression tests in both suites verifying a [bot]-suffixed login is accepted by normalization and actually matched end-to-end by isAuthorBlacklisted/findBlacklistEntry, including negative cases for malformed variants.

Review context
Contributor next steps
  • Start here: Review top overlaps.
  • Then work through the remaining 3 steps in the Signals table above.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
🧪 Chat with LoopOver

Ask LoopOver a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @loopover ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @loopover chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @loopover mention with a real question is routed to the closest matching read-only command automatically — no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/loopover-commands

🧪 Experimental — new and may change.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by LoopOver, a quiet PR intelligence layer for OSS maintainers.

  • Re-run LoopOver review

@loopover-orb loopover-orb Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LoopOver approves — the gate is satisfied and CI is green.

@loopover-orb loopover-orb Bot merged commit e9977ad into JSONbored:main Jul 15, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(settings): contributorBlacklist login pattern rejects GitHub bot logins ending in [bot]

1 participant