Ai reviewer

[sam0x17]

Description

Adds an AI-powered PR review pipeline driven by openai/codex-action, with two distinct personas and parallel local-mode skills for both Claude Code and Codex CLI.

The two personas

• Skeptic (.github/ai-review/skeptic.md) — security-only review. Static analysis only; never compiles or runs PR code. Outputs one of VERDICT: [SAFE], [VULNERABLE], or [MALICIOUS]. Includes contributor-risk tiering based on account age, contribution graph, prior PR cadence (karma-farming detection), and Gittensor association. Sandbox: read-only.
• Auditor (.github/ai-review/auditor.md) — domain review, only runs after the Skeptic clears the PR. Applies .github/copilot-instructions.md in full. May compile, test, and (when the PR is not from a fork) push auto-fix commits for lint failures, missing spec_version bumps, and stale Cargo.lock. Outputs VERDICT: 👍 / 👎. Sandbox: workspace-write.

Both personas use sticky comments (markers <!-- ai-review:skeptic --> and <!-- ai-review:auditor -->), so reruns on subsequent pushes overwrite their previous verdict and explicitly reason about whether prior concerns were addressed.

Branch routing

• testnet → main: Skeptic only (final security gate before mainnet — Auditor is unnecessary at this stage).
• All other PRs: both personas run in sequence.
• workflow_dispatch lets a maintainer fire either persona standalone on any PR number.

Gittensor incentive awareness

The Auditor flags duplicate work from Gittensor (SN74) miners, who have a financial incentive to land merges. Detection has three tiers:

1. On-chain indexer (index_gittensor.py + ai-review-index-gittensor.yml) — daily cron walks completed issues in the issues-v0 ink! contract and asks GitHub which merged PR closed each bountied issue. Output: known-gittensor-accounts.json.
2. Curated supplement (gittensor-accounts.txt) — nucleus-maintained list for miners the indexer can't catch (e.g. PAT-only farmers).
3. Heuristic — concentration of merged-PR activity on whitelisted repos.

Local skills

Same persona files, invokable as slash commands locally:

• Claude Code users: /skeptic, /auditor via .claude/skills/
• Codex CLI users: /skeptic, /auditor via .agents/skills/

Local mode writes output to terminal + .skeptic-suggestions.patch / .auditor-suggestions.patch / .auditor-pr-description.md. No GitHub side effects.

Related Issue(s)

N/A — internal tooling.

Type of Change

• New feature (non-breaking change which adds functionality)

Breaking Change

None.

Setup required after merge

1. Set repo secret OPENAI_API_KEY (already done).
2. After the first successful run, add ai-review / skeptic and ai-review / auditor to required checks in branch protection.
3. Trigger ai-review-index-gittensor once manually via workflow_dispatch to seed known-gittensor-accounts.json; daily cron takes over after that.

Checklist

• I have performed a self-review of my own code
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works (N/A — this is workflow + prompt content; tests will come from real PR runs)

[github-actions]

⚠️ Superseded by a newer review comment. This is a historical snapshot.

VERDICT: [VULNERABLE]

Findings (status as of supersession)

Sev	File	Finding	Status

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[CRITICAL] Bootstrap fallback executes PR-controlled helpers with review tokens

When the base branch does not yet contain these helper files, this fallback copies prefetch.sh, post_review.py, and the schema/persona files from the PR worktree into /tmp/ai-review-trusted. That is exactly the bootstrap state for this PR, and the copied prefetch.sh is then run with GH_TOKEN at line 218; the same pattern is repeated in the Auditor job, where the token has contents: write. A malicious change to the PR-side helper could run arbitrary shell before the Skeptic has reviewed anything, tamper with the pre-fetched context, post misleading reviews, or in the Auditor path use the write-capable token. Bootstrap should fail closed or use helper code supplied from a trusted source outside the PR worktree.

[github-actions]

[HIGH] Reviewer policy is PR-controlled in this bootstrap change

This PR adds .github/ai-review/* relative to the trusted base copies. Per the bootstrap rule, these files are untrusted prompt/policy material: they define future reviewer behavior and must not be treated as self-approved by the automated reviewer. Land trusted policy/helper files through a manually reviewed bootstrap path, then require future PRs to diff against and execute only the base-branch copies.

[github-actions]

⚠️ Superseded by a newer review comment. This is a historical snapshot.

VERDICT: VULNERABLE

Findings (status as of supersession)

Sev	File	Finding	Status
CRITICAL	.github/workflows/ai-review.yml:199	Bootstrap fallback executes PR-controlled helpers with review tokens	➡️ Carried forward — see new comment The PR still copies PR-side prefetch.sh / post_review.py when the base copy is missing; it is carried forward as a bootstrap-scoped HIGH finding under the current trusted severity guidance.
HIGH	.github/ai-review/common.md:1	Reviewer policy is PR-controlled in this bootstrap change	➡️ Carried forward — see new comment The base-missing fallback still copies PR-side review policy/schema files for the bootstrap run, so the concern remains and is carried forward as a bootstrap-scoped HIGH finding.

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[HIGH] Auditor auto-fix push runs git hooks with the write token

The auditor step intentionally lets Codex and any build/test commands operate on the PR worktree before this later token-bearing step runs. A malicious same-repo PR, prompt injection, or build script can plant .git/hooks/* or set core.hooksPath; then git commit / git push execute those hooks while PUSH_TOKEN is in the environment, giving the PR-controlled code a fresh write token after the supposedly credential-free phase. Disable hooks for the commit and push and push to an explicit repository URL so PR-side git config cannot affect the token-bearing operation.

Suggested change

	git commit -m "chore: auditor auto-fix"
	git -c "http.https://github.com/.extraheader=AUTHORIZATION: bearer $PUSH_TOKEN" \
	push origin "HEAD:$HEAD_REF"
	git -c core.hooksPath=/dev/null commit -m "chore: auditor auto-fix"
	git -c core.hooksPath=/dev/null \
	-c "http.https://github.com/.extraheader=AUTHORIZATION: bearer $PUSH_TOKEN" \
	push "https://github.com/$REPO.git" "HEAD:$HEAD_REF"

[github-actions]

[HIGH] [BOOTSTRAP] Bootstrap fallback executes PR-controlled helpers with review tokens

When the base branch lacks .github/ai-review/*, this copies prefetch.sh and post_review.py from the PR worktree into /tmp/ai-review-trusted; the following prefetch/post steps run those files with the review token. This unsafe path is structurally unreachable after the first merge because the base branch will then have trusted copies, and the mitigation for this PR is the one nucleus-approved CI run plus heightened human scrutiny of these .github/ changes. A future PR reintroducing a PR-side helper fallback would be a strong red flag. The same fallback appears in the auditor job at line 399 and needs the same treatment.

[github-actions]

[HIGH] [BOOTSTRAP] Reviewer policy is PR-controlled in this bootstrap change

This PR adds the reviewer policy under .github/ai-review/*, and the workflow bootstrap fallback copies missing base-branch policy/schema files from the PR into /tmp/ai-review-trusted. That means the introducing run can be governed by PR-controlled review instructions and schema rather than an already-trusted base copy. This is a bootstrap-only risk: after merge the base copy should be used, with the current mitigation being nucleus-approved CI plus manual scrutiny of the .github/ additions; any later PR that makes policy fall back to PR-side files should be treated as a steady-state trust-boundary failure.

[github-actions]

⚠️ Superseded by a newer review comment. This is a historical snapshot.

VERDICT: VULNERABLE

Findings (status as of supersession)

Sev	File	Finding	Status
HIGH	.github/ai-review/common.md:1	[BOOTSTRAP] Reviewer policy is PR-controlled in this bootstrap change	⏭️ No longer applies The current trusted policy identifies this as the very-first introducing PR because .github/ai-review/common.md is added from /dev/null; bootstrap-only policy-control concerns are acknowledged in the summary and are not current findings.
HIGH	.github/workflows/ai-review.yml:199	[BOOTSTRAP] Bootstrap fallback executes PR-controlled helpers with review tokens	⏭️ No longer applies The fallback still exists only for the bootstrap run where base lacks trusted files. Under the trusted meta-bootstrap exception, this is structurally unreachable after merge and is not carried as a blocking finding on the introducing PR.
HIGH	.github/workflows/ai-review.yml:510	Auditor auto-fix push runs git hooks with the write token	✅ Addressed The auto-fix step now runs both git commit and git push with -c core.hooksPath=/dev/null, uses an explicit GitHub push URL, and supplies the write credential only through an inline extraheader during push.

[github-actions]

⚠️ Superseded by a newer review comment. This is a historical snapshot.

VERDICT: SAFE

Findings (status as of supersession)

Sev	File	Finding	Status

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[MEDIUM] Standalone auditor dispatch is always skipped

workflow_dispatch allows persona: auditor, and decide sets RUN_SKEPTIC=false; RUN_AUDITOR=true for that mode. However, the auditor job still requires needs.skeptic.result == 'success'; when the skeptic job is intentionally skipped, this condition is false, so the standalone Auditor path advertised in the PR never runs. Use always() and explicitly allow the skipped skeptic result for auditor-only dispatch while still blocking when Skeptic fails.

Suggested change

	if: needs.decide.outputs.run_auditor == 'true' && needs.skeptic.result == 'success'
	if: always() && needs.decide.outputs.run_auditor == 'true' && (needs.skeptic.result == 'success' || needs.skeptic.result == 'skipped')

[github-actions]

[LOW] Auto-fix commits can include review artifacts

The Codex action writes auditor-output.json in the workspace, and the persona can also write auditor-proposed-pr-body.md. git diff --quiet ignores untracked files, but once a real auto-fix exists this git add -A will sweep those artifacts into the chore: auditor auto-fix commit. Exclude the generated review files or add them to .gitignore so auto-fix commits contain only intended source changes.

Suggested change

	git add -A
	git add -A -- ':!auditor-output.json' ':!auditor-proposed-pr-body.md'

[github-actions]

⚠️ Superseded by a newer review comment. This is a historical snapshot.

VERDICT: 👎

Findings (status as of supersession)

Sev	File	Finding	Status
MEDIUM	.github/workflows/ai-review.yml:310	Standalone auditor dispatch is always skipped	✅ Addressed The Auditor job now uses always() and allows needs.skeptic.result == 'skipped', so standalone workflow_dispatch with persona=auditor can run.
LOW	.github/workflows/ai-review.yml:512	Auto-fix commits can include review artifacts	✅ Addressed The auto-fix commit step now excludes auditor-output.json and auditor-proposed-pr-body.md from git add -A.

[github-actions]

⚠️ Superseded by a newer review comment. This is a historical snapshot.

VERDICT: SAFE

Findings (status as of supersession)

Sev	File	Finding	Status

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[LOW] PR body auto-fill is not implemented

This tells the Auditor to write auditor-proposed-pr-body.md and says the workflow will update the PR body, but the workflow only excludes that file from auto-fix commits and post_review.py never reads or patches the PR body. In steady state, empty PR descriptions will remain empty despite the Auditor believing it handed off an auto-fill. Either implement the body update in the post step, or change this instruction so the proposed body is placed in summary_markdown instead.

Suggested change

	- **In CI**, write the proposed description to `auditor-proposed-pr-body.md` in the workspace. The workflow will detect this file and update the PR body via the post-comment step. Note in your verdict: "PR description was empty; I have proposed one in this comment — please review."
	- **In CI**, include the proposed description in `summary_markdown` and note: "PR description was empty; I have proposed one in this comment — please review."

[github-actions]

⚠️ Superseded by a newer review comment. This is a historical snapshot.

VERDICT: 👍

Findings (status as of supersession)

Sev	File	Finding	Status
LOW	.github/ai-review/auditor.md:46	PR body auto-fill is not implemented	✅ Addressed The CI Auditor path now explicitly proposes replacement PR descriptions in summary_markdown instead of promising to edit the PR body automatically, so the behavior and documentation are aligned.

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[HIGH] Fork PRs cannot run the required Codex review path

This workflow still runs on pull_request, but fork-triggered pull_request runs do not receive repository secrets such as OPENAI_API_KEY. Both Codex steps require secrets.OPENAI_API_KEY, and the auditor prompt still has explicit is_fork behavior, so a fork PR will not be able to execute the required review checks once ai-review / skeptic and ai-review / auditor are added to branch protection. workflow_dispatch can help maintainers inspect a PR manually, but it does not make the automatic required check path work for fork PRs. Either implement a secure maintainer-approved fork path that gets secrets while evaluating the PR head safely, or document/enforce that fork PRs are unsupported before these checks become required.

[github-actions]

⚠️ Superseded by a newer review comment. This is a historical snapshot.

VERDICT: 👎

Findings (status as of supersession)

Sev	File	Finding	Status
HIGH	.github/workflows/ai-review.yml:4	Fork PRs cannot run the required Codex review path	✅ Addressed Fork PR auto-triggers now short-circuit in decide, setting both persona jobs to skipped instead of attempting Codex with unavailable secrets; the README also documents that manual workflow_dispatch is the opt-in path for AI review on fork PRs.

[github-actions]

VERDICT: SAFE

BASELINE scrutiny: author is a long-established repo admin with matching commit authorship; no Gittensor allowlist hit; branch ai-reviewer -> devnet-ready.

Supersedes previous review.

No runtime, pallet, Cargo, or lockfile changes are present; review focused on the new AI-review workflows, token boundaries, helper scripts, action pinning, and trusted-instruction handling.

The PR-side .github/ai-review/* files and .github/copilot-instructions.md match the trusted copies available to this run. Bootstrap-only paths exist on this introducing PR; under the trusted meta-bootstrap rule, they become structurally unreachable after merge and are not current findings.

Findings

No findings.

Conclusion

I found no malicious behavior or security vulnerability in the current diff. The previously flagged mutable-action/token-boundary concern remains addressed by immutable action pinning, trusted base extraction, and separation of token-bearing steps from PR-controlled execution.

[github-actions]

VERDICT: 👍

Established repo admin / nucleus-caliber author; Gittensor association UNKNOWN from trusted allowlists, with no incentive adjustment applied.

Supersedes previous review.

Bootstrap-only trusted-file fallback paths exist on this introducing PR; per the trusted review rules, they become structurally unreachable after merge and are not counted as findings.

Description discrepancy: the PR body still says workflow_dispatch can fire either persona standalone, but the current workflow intentionally removed persona override and dispatch now runs the branch-routed persona set for the PR number. Suggested PR-body correction: replace that bullet with "workflow_dispatch reruns the branch-routed AI review for a PR number; it does not allow skipping a required persona."

Static validation passed for the added Python, shell, YAML, and JSON files (python3 -m py_compile, bash -n, python3 -m json.tool, YAML parse, and git diff --check). No cargo/runtime tests were run because this PR does not touch runtime code. No auto-fix changes were needed.

The overlapping-PR signal points at unrelated open PRs with only one shared file each, so there is no duplicate-work recommendation.

Findings

No findings.

Prior-comment reconciliation

• 7688737e: addressed — Fork PR auto-triggers now short-circuit in decide, setting both persona jobs to skipped instead of attempting Codex with unavailable secrets; the README also documents that manual workflow_dispatch is the opt-in path for AI review on fork PRs.

Conclusion

The previously-blocking fork path has been resolved by explicitly skipping automatic AI review for fork PRs and documenting manual workflow_dispatch as the opt-in path. The remaining discrepancy is PR-body text only; the workflow/helper implementation is coherent for this bootstrap introduction.

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[HIGH] Fork PRs bypass the required AI-review checks

On pull_request events from forks, this sets both persona jobs to skipped. The workflow comment immediately above notes that skipped jobs satisfy required checks, so the contributor class that most needs the Skeptic/Auditor gate can merge without either review unless a maintainer remembers to run workflow_dispatch. This is steady-state, not bootstrap-only.

Do not make the required checks green by skipping them for forks. The fork path should leave the required review check failing/pending until a trusted manual run completes, or the workflow should be redesigned around a safe pull_request_target/two-stage pattern that prefetches trusted context from base and runs untrusted head code only in the tokenless Codex step.

[github-actions]

🛡️ AI Review — Skeptic (security review)

VERDICT: SAFE

BASELINE scrutiny: author is a long-established repo admin; branch ai-reviewer -> devnet-ready; one GitHub Actions benchmark-weight commit is expected; no Gittensor allowlist hit.

The PR-side .github/ai-review/* files match the trusted copies under /tmp/ai-review-trusted, and .github/copilot-instructions.md is unchanged. This is the AI-review bootstrap PR (.github/ai-review/common.md is added from /dev/null), so bootstrap-only trusted-file fallback paths are acknowledged under the meta-bootstrap rule rather than counted as current findings.

Findings

No findings.

Prior-comment reconciliation

• b5f042d2: addressed — Fork auto-triggers keep RUN_SKEPTIC=true and RUN_AUDITOR=true, and both persona jobs fail fast for fork pull_request events instead of being skipped as satisfied required checks.

Conclusion

No malicious pattern or security vulnerability was found in the current diff. The prior fork-required-check bypass remains addressed, and the remaining bootstrap-only trust path becomes structurally unreachable after this introducing PR merges.

---

🔍 AI Review — Auditor (domain review)

VERDICT: 👍

Gittensor UNKNOWN from trusted allowlists; author has admin permission and a long substantive subtensor history, so review was calibrated toward workflow/domain correctness rather than intent.

Bootstrap-only trusted-file fallback paths exist on this introducing PR; per the trusted review rules, they become structurally unreachable after merge and are not counted as findings.

Description discrepancy: the PR body still says workflow_dispatch lets a maintainer fire either persona standalone, but the current workflow intentionally accepts only pr_number and runs whichever personas branch routing requires. The workflow behavior is coherent; the body should be updated before merge for reviewer clarity.

Spec version is bumped from 407 to 408 for the runtime-affecting generated weight changes. I did not apply any auto-fixes.

Validation performed: python3 -m py_compile for the added Python scripts, bash -n for prefetch.sh, YAML parsing for both added workflows, and git diff --check.

Findings

No findings.

Conclusion

The trusted-base extraction, token separation, fork fail-fast/manual-review path, structured output posting, and generated-weight/spec-version updates are coherent for the intended bootstrap rollout. I found no blocking domain issues.

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[HIGH] Fork PRs bypass the required AI-review checks

This still sets both required persona jobs to skipped on fork pull_request events. GitHub treats skipped required jobs as successful, so after these checks are added to branch protection a fork PR can merge without either AI review unless a maintainer remembers to manually dispatch. That is a steady-state bypass of the required security gate. Keep required checks failing or pending for fork auto-runs and let workflow_dispatch on the same head SHA be the explicit unblock path, or use a safe pull_request_target design that never checks out untrusted code with secrets.

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍