Skip to content

[NREM][Space] Triage 10 stale draft PRs from copilot branches #30

Open
Open
[NREM][Space] Triage 10 stale draft PRs from copilot branches#30
Labels
nremNREM Mode findingnrem:improvementGeneral improvementnrem:spaceSpace-level nrem finding
@numbers-official

Description

@numbers-official
numbers-official
opened on Mar 23, 2026

Summary

There are 10 draft PRs from copilot/* branches that have been open since late February and mid-March 2026 with no review activity. All associated CI runs are stuck in action_required status (likely awaiting first-run approval for the workflow).

Evidence

PR # Title Branch Created
#29 CI hardening, type safety improvements, and DX gaps copilot/featureci-pipeline-hardening 2026-03-15
#28 Fix cross-SDK JSON serialization mismatch copilot/fix-json-serialization-mismatch 2026-03-15
#27 Private key signer callback, token masking, source map removal copilot/fix-private-key-exposure 2026-03-15
#26 Enforce HTTPS for baseUrl, stop forwarding auth token copilot/sec-15-fix-unrestricted-baseurl 2026-03-15
#21 Centralize request routing, enforce feature parity in CI copilot/centralize-request-routing 2026-03-01
#20 Streaming file upload support and AsyncCapture client copilot/add-streaming-file-upload-support 2026-03-01
#19 Fix SSRF, file size DoS, PermissionError shadowing copilot/fix-ssrf-risk-in-sdks 2026-03-01
#18 Path traversal via unsanitized nid copilot/fix-path-traversal-issue 2026-03-01
#13 Remove token leakage to third-party NFT endpoint copilot/fix-token-leakage-risk 2026-02-27
#12 Expand unit test coverage copilot/expand-unit-test-coverage 2026-02-27

Proposed Action

  1. Approve CI workflows for these branches so checks can run
  2. Prioritize security PRs (Security: enforce HTTPS for baseUrl and stop forwarding auth token to third-party endpoints #26, security: private key signer callback, token masking, source map removal, metadata limits, exception logging, URL scheme validation #27, fix(security): path traversal via unsanitized nid + integrity proof serialization mismatch #18, security: fix SSRF, file size DoS, PermissionError shadowing, and CI/CD supply chain gaps #19, fix(security): remove token leakage to third-party NFT endpoint and enforce response size limits #13) — these address token leakage, path traversal, SSRF, and private key exposure
  3. Review or close feature PRs (Add streaming file upload support and AsyncCapture client #20, Centralize request routing, enforce feature parity in CI, add request cancellation #21, Fix cross-SDK JSON serialization mismatch, httpx resource leak, and missing network error handling #28, CI hardening, type safety improvements, and DX gaps (11 fixes) #29, feat(tests): Expand unit test coverage for core SDK operations #12) based on current roadmap
  4. Clean up stale branches for any PRs that are closed without merging

Rationale

Leaving security-related PRs unreviewed increases risk. The action_required CI state means none of these PRs have been validated. A focused triage session would bring the repo to a healthier state.

Generated by NREM Mode with Omni

Metadata

Metadata

Assignees

No one assigned

    Labels

    nremNREM Mode findingnrem:improvementGeneral improvementnrem:spaceSpace-level nrem finding

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions