Fearvox · Fearvox · May 27, 2026 · May 27, 2026
diff --git a/.github/MUW_REVIEW_REPLY.md b/.github/MUW_REVIEW_REPLY.md
@@ -0,0 +1,24 @@
+VERDICT: FLAG
+VERDICT_SUMMARY: The PR adds a comprehensive MUW review lane, tracker templates, and automation wiring, but one default target points to the wrong repository and makes the core script unsafe by default. Workflow-level verification evidence is not attached in this branch, so rollout should be held until that default is corrected and one end-to-end dry run is captured.
+EVIDENCE:
+
+1) Severity: High
+- File/path: `.github/scripts/muw-review-lane.mjs`
+- Evidence: `DEFAULT_REPO` is set to `Fearvox/EverOS` even though this repository remote is `EverMind-AI/EverOS`.
+- Why it matters: Running the script without `--repo` can collect/post to the wrong project, creating data leakage risk and invalid review artifacts.
+- Fix guidance: Change default to `EverMind-AI/EverOS` (or require explicit `--repo`) and add a guard that confirms current git remote matches the target repo before posting.
+
+2) Severity: Medium
+- File/path: `.github/workflows/overnight-watch.yml`, `.github/workflows/linear-sync.yml`, `.github/workflows/sync-upstream.yml`
+- Evidence: New automation workflows are introduced, but this branch does not provide a successful run artifact, dry-run log, or fixture-based script test proving safe behavior.
+- Why it matters: These workflows can post comments/sync state automatically; missing proof increases risk of noisy or incorrect cross-system updates.
+- Fix guidance: Attach one successful dry run per workflow (or script-level unit test evidence) in PR checks/comments before merge.
+
+3) Severity: Low
+- File/path: `.github/ISSUE_TEMPLATE/pr_tracker.yml`, `.github/ISSUE_TEMPLATE/security_tracker.yml`
+- Evidence: Templates are detailed and useful, but they introduce mandatory operational fields without a short onboarding note in CONTRIBUTING/docs.
+- Why it matters: Contributors may submit incomplete triage data, reducing template effectiveness.
+- Fix guidance: Add a short “how to use tracker templates” section in contributor docs with one minimal example.
+
+Residual verification gap:
+- Confirm no credentials appear in generated context bundles after redaction by running the script against a test PR and scanning artifacts.
@@ -152,3 +152,23 @@ Agents must not remove labels applied by humans or CI.
   Manual label changes can create Linear mirror noise.
 - `.github/workflows/overnight-watch.yml` powers the sleep-lane patrol. Do not
   edit it during an active sleep run unless the owner assigns that work.
+
+## Development Notes
+
+- All I/O is async; use `await`.
+- EverCore is multi-tenant; data must remain tenant-scoped.
+- Prompts live in `methods/EverCore/src/memory_layer/prompts/` with EN/ZH
+  variants.
+- Prefer existing repo patterns and component boundaries before adding new
+  abstractions.
+
+## GitHub Agent Review Contract
+
+- GitHub Copilot, Codex, and other review agents should follow
+  `.github/copilot-instructions.md`.
+- Start PR reviews with the MUW block:
+  `VERDICT: PASS / FLAG / BLOCK`, `VERDICT_SUMMARY:`, and `EVIDENCE:`.
+- Do not mark a PR `PASS` from author summary alone; inspect the actual diff,
+  linked issue, and available checks first.
+- Report actionable findings first, ordered by severity, with file/path,
+  evidence, impact, and fix guidance.