feat(governance): org-wide approved-PR queue sweep + Noema second-reviewer PAT fallback#451
Conversation
OpenCode Review Overview
Pull request overviewOpenCode reviewed the current-head bounded evidence and found no blocking issues. FindingsNo blocking findings. SummaryApproval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Changed-File Evidence Mapflowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow (2 files)"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow (2 files)"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["Docs: org-required-workflow-rollout.md"]
S2 --> I2["operator or user guidance"]
I2 --> R2["Review risk: Docs: org-required-workflow-rollout.md"]
R2 --> V2["docs review"]
Evidence --> S3["Test: test_required_workflow_queue_contract.py"]
S3 --> I3["regression suite"]
I3 --> R3["Review risk: Test: test_required_workflow_queue_contract.py"]
R3 --> V3["targeted test run"]
|
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/pr-review-merge-scheduler.yml, docs/org-required-workflow-rollout.md, tests/test_required_workflow_queue_contract.py.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/pr-review-merge-scheduler.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
- Result: APPROVE
- Reason: PR adds an hourly org-wide sweep for approved PRs with secure token handling and tests.
- Head SHA:
c9317151733bd548f3ad9653136669f4bb924a22 - Workflow run: 29145640407
- Workflow attempt: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow: pr-review-merge-scheduler.yml"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow: pr-review-merge-scheduler.yml"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["Docs: org-required-workflow-rollout.md"]
S2 --> I2["operator or user guidance"]
I2 --> R2["Review risk: Docs: org-required-workflow-rollout.md"]
R2 --> V2["docs review"]
Evidence --> S3["Test: test_required_workflow_queue_contract.py"]
S3 --> I3["regression suite"]
I3 --> R3["Review risk: Test: test_required_workflow_queue_contract.py"]
R3 --> V3["targeted test run"]
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/noema-review.yml, .github/workflows/pr-review-merge-scheduler.yml, docs/org-required-workflow-rollout.md, tests/test_required_workflow_queue_contract.py.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/noema-review.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
- Result: APPROVE
- Reason: Changes are well-tested, secure, and improve the PR merge process
- Head SHA:
e7bd74fc6cbeeef17a8211b5555ae443ad35b647 - Workflow run: 29147888235
- Workflow attempt: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow (2 files)"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow (2 files)"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["Docs: org-required-workflow-rollout.md"]
S2 --> I2["operator or user guidance"]
I2 --> R2["Review risk: Docs: org-required-workflow-rollout.md"]
R2 --> V2["docs review"]
Evidence --> S3["Test: test_required_workflow_queue_contract.py"]
S3 --> I3["regression suite"]
I3 --> R3["Review risk: Test: test_required_workflow_queue_contract.py"]
R3 --> V3["targeted test run"]
|
Confirmed Empirically verified just now: a direct squash-merge of the approved+all-green #449 returns This is This is the exact deadlock the second reviewer targets, and it's chicken-and-egg: the PRs that wire the Noema second reviewer can't merge until a second reviewer exists. Resolution (any one, admin):
Recommend (1) to unblock immediately, then (2) so it self-sustains. Generated by Claude Code |
Event-driven scheduler runs in target repositories stop retrying once their triggering event is consumed, so a PR that becomes mergeable AFTER its last event (approval published after the scheduler pass, merge-preview checks landing late, a temporary base-branch policy blocker clearing) has no later trigger and accumulates as approved-but-unmerged. Live evidence: bandscope #600/#604/#606/#627, html4tree #139-#148, clearfolio #136-#141, codec-carver #226-#232, appguardrail #278-#283, keyverse #10/#14, gyeot #9/#10, aFIPC #127/#128, nonnest2 #42/#44/#45, naruon #1034. Add an org-queue-sweep job to the central scheduler workflow: - runs hourly (cron 17 * * * *) only in ContextualWisdomLab/.github, or on workflow_dispatch with org_sweep=true; the single-repository scan skips those triggers so nothing double-runs - re-runs the trusted scheduler script against every non-archived org repository through the same guarded merge/update/review contract - requires a cross-repository mutation credential (PR_REVIEW_MERGE_TOKEN, OPENCODE_APPROVE_TOKEN, or the exchanged OpenCode app token) and fails with a visible ::error reason instead of silently no-opping on the repository-scoped github.token - prints each repository's per-PR decision log so every unmerged PR has a concrete logged reason at most one hour old - queue hygiene: cancels workflow runs still queued after ORG_SWEEP_STALE_QUEUE_HOURS (default 24h), logging run id, workflow, head branch, and age, so the Actions queue only holds current-head work Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z
…viewer The two-reviewer merge rule needs a second approving-review identity beyond OpenCode. Today it only works if the Noema Worker is deployed and NOEMA_TOKEN_EXCHANGE_URL is set, so no PR gets a second review and .github's classic 2-review protection blocks every .github PR. Add a NOEMA_REVIEW_TOKEN secret fallback: when present it is used directly as the reviewer identity and the OIDC app-token exchange is skipped; the review step prefers it over the exchanged app token. The secret is never emitted as a step output. When neither the secret nor the exchange URL is configured, the step still emits the unconfigured notice and skips (green-by-skip), not a failure. noema_review_gate.py already refuses to review as a primary review actor, so the fallback cannot manufacture a fake second review from the github-actions/opencode identity. Pairs with the noema PydanticAI reviewer agent (ContextualWisdomLab/noema#9) that produces the verdict this identity publishes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z
e7bd74f to
b7c7b9a
Compare
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/noema-review.yml, .github/workflows/pr-review-merge-scheduler.yml, docs/org-required-workflow-rollout.md, tests/test_required_workflow_queue_contract.py.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/noema-review.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
- Result: APPROVE
- Reason: No blocking issues found in current-head evidence
- Head SHA:
b7c7b9a29e3cae80718c7eb52b20db04cc39554b - Workflow run: 29149549810
- Workflow attempt: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow (2 files)"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow (2 files)"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["Docs: org-required-workflow-rollout.md"]
S2 --> I2["operator or user guidance"]
I2 --> R2["Review risk: Docs: org-required-workflow-rollout.md"]
R2 --> V2["docs review"]
Evidence --> S3["Test: test_required_workflow_queue_contract.py"]
S3 --> I3["regression suite"]
I3 --> R3["Review risk: Test: test_required_workflow_queue_contract.py"]
R3 --> V3["targeted test run"]
The first live org-queue-sweep run (dispatched after #451 merged) failed every repository with '--project-flow is required': pr_review_merge_scheduler.py requires --project-flow, and the sweep loop — unlike the single-repository scan-pr-queue job — never derived or passed it. Derive project_flow per target the same way the single-repository job does (main/master -> github-flow, develop -> git-flow, else github-flow) and pass --project-flow. Add a contract-test assertion so the sweep can never regress to the missing-flag state. The credential path and per-repo iteration already worked in that run; the HTTP 403 lines were the non-fatal stale-queue cancel fallback, not this failure. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z
The first live org-queue-sweep run (dispatched after #451 merged) failed every repository with '--project-flow is required': pr_review_merge_scheduler.py requires --project-flow, and the sweep loop — unlike the single-repository scan-pr-queue job — never derived or passed it. Derive project_flow per target the same way the single-repository job does (main/master -> github-flow, develop -> git-flow, else github-flow) and pass --project-flow. Add a contract-test assertion so the sweep can never regress to the missing-flag state. The credential path and per-repo iteration already worked in that run; the HTTP 403 lines were the non-fatal stale-queue cancel fallback, not this failure. Claude-Session: https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: opencode-agent[bot] <219766164+opencode-agent[bot]@users.noreply.github.com>
Two central-governance fixes that together unblock the "approved but not merged" backlog and the two-reviewer deadlock.
1. Hourly org-wide approved-PR queue sweep + stale-queue hygiene
Live audit found ~30 PRs across 12 repositories OpenCode-APPROVED on their exact current head with all checks green, yet unmerged. Root cause: target repositories only get merge-scheduler runs on PR events / review completion / protected-branch pushes. A PR that becomes mergeable after its last event has no later trigger and sits approved-but-unmerged. Only
.githubhas a cron.org-queue-sweepjob topr-review-merge-scheduler.yml: runs hourly (17 * * * *) only in.github(orworkflow_dispatchorg_sweep=true); the single-reposcan-pr-queueskips those triggers so nothing double-runs.PR_REVIEW_MERGE_TOKEN→OPENCODE_APPROVE_TOKEN→ OpenCode app token) and fails with a visible::errorinstead of silently no-opping on the repo-scopedgithub.token.queuedafterORG_SWEEP_STALE_QUEUE_HOURS(default 24h), logging run id, workflow, head branch, and age.2. Noema second-reviewer
NOEMA_REVIEW_TOKENPAT fallbackThe two-reviewer rule needs a second approving-review identity beyond OpenCode. Today it only works if the Noema Worker is deployed and
NOEMA_TOKEN_EXCHANGE_URLis set — so no PR gets a second review and.github's classic 2-review protection blocks every.githubPR (including approved+green #443/#449 and this one).noema-review.ymlnow prefers aNOEMA_REVIEW_TOKENsecret as the reviewer identity, skipping the OIDC exchange; the review step prefers it over the exchanged app token. The secret is never emitted as a step output.noema_review_gate.pyalready refuses to review as a primary review actor (opencode-agent/github-actions), so the fallback can't manufacture a fake second review.Verification
python3 -m pytest -q→ 308 passed (addstest_org_queue_sweep_covers_target_repositories_on_a_heartbeatandtest_noema_review_supports_review_token_pat_fallback).Operator notes (admin actions this PR cannot perform)
.github@mainclassic protection requires 2 approving reviews while org ruleset normalization setrequired_approving_review_count=0— this deadlocks every.githubPR. Activate the Noema second reviewer (setNOEMA_REVIEW_TOKEN+NOEMA_LLM_*) or reconcile the classic protection with the ruleset.bandscope@developclassic protection requires 9 status contexts current workflows don't emit →9 of 9 required status checks are expected. []. Normalize into the ruleset or drop stale contexts.PR_REVIEW_MERGE_TOKEN(orOPENCODE_APPROVE_TOKEN) for cross-repo mutations; until set it fails loudly each hour with the fix instruction in the log.🤖 Generated with Claude Code
https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z