Enforce canonical GitHub megarepo sources #665

Merged: schickling-assistant merged 1 commit into main from schickling/2026-05-19-github-source-policy on May 20, 2026

@schickling-assistant schickling-assistant commented May 19, 2026

Problem
Megarepo lock sync normalizes GitHub inputs to the github: scheme, but repositories can still declare equivalent GitHub sources through SSH or git URLs. That lets source files and lock files drift into different auth/source shapes.

Goal
Add a reusable check that flags non-canonical GitHub member sources and incomplete GitHub lock metadata before lock sync drift reaches downstream repos.

Decisions

  • Put the policy in @overeng/megarepo instead of a repo-local CI script, so all consumers can share the same rule.
  • Expose it through generic mr check [--all] [--json], not a policy-specific mr config ... command, so the CLI can grow structurally without adding one-off top-level concepts.
  • Keep the check deterministic and local. It inspects megarepo config plus Nix source/lock files; it does not call GitHub or Nix during linting.
  • Preserve non-ref flake URL query params such as dir in canonical suggestions, while dropping ref/rev from the query and representing refs in the canonical github:owner/repo[/ref] shape.
  • Require complete GitHub lock metadata (rev, narHash, lastModified) for matched megarepo inputs so incomplete normalized locks are caught.

Verification

  • CI=1 ./node_modules/.bin/vitest run src/lib/source-policy.unit.test.ts (4 tests, including dir query-param preservation)
  • devenv tasks run ts:check
  • devenv tasks run lint:check:oxlint
  • devenv tasks run lint:check:format
  • devenv shell -- env DT_PASSTHROUGH=1 mr check --all --json returned zero violations.
  • devenv shell -- env DT_PASSTHROUGH=1 mr config --help | rg "check-source-policy" returned no matches.
  • devenv tasks run mr:source-policy-check --mode before --no-tui
  • CI=1 devenv tasks run check:all (passed after rerunning a transient test:megarepo timeout; CI=1 devenv tasks run test:megarepo passed independently)

Complexity
Adds one policy module and a generic CLI entrypoint. The CLI surface stays small because future structural checks can compose under mr check instead of introducing separate commands.

Concerns
This check enforces source shape only. Private GitHub auth still must be provided to Nix explicitly through access-tokens in NIX_CONFIG; GH_TOKEN/GITHUB_TOKEN alone are not sufficient for Nix github: fetches.

Friction & bottlenecks
Running multiple devenv commands concurrently briefly hit a local GC-root cleanup race. Sequential reruns succeeded.

Follow-ups
Downstream repos should adopt this helper version and switch private GitHub flake inputs to canonical github: sources with explicit Nix access-tokens in CI/root flows.

References
Refs the megarepo source/lock alignment work.

Posted on behalf of @schickling
field value
agent_name 🪨 co1-butte
agent_session_id d03e6b40-88b1-4fa3-aa63-b73c83cfdc47
agent_tool Codex CLI
agent_tool_version 0.130.0
agent_runtime Codex CLI 0.130.0
agent_model unknown
worktree dotfiles/schickling/2026-05-19-github-source-policy
machine dev3
tooling_profile dotfiles@b228ad5
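
The source-shape rule and the lock-metadata requirement from the PR description above, sketched in TypeScript as an added example; this is not the code merged in this PR. The function names, the regex, and the rev-over-ref precedence are assumptions.

```typescript
// Added illustration; all names are hypothetical, not the @overeng/megarepo API.
// Matches SSH/git/https remotes whose host is exactly github.com (no look-alike hosts).
const GITHUB_REMOTE =
  /^(?:(?:git\+)?(?:ssh|https?|git):\/\/(?:[^@\/]+@)?github\.com\/|(?:[^@\/]+@)?github\.com:)([^\/?#]+)\/([^\/?#]+?)(?:\.git)?\/?(?:\?([^#]*))?$/i

/** Returns the canonical `github:` suggestion, or null when the source is
 *  already canonical or is not a GitHub remote. */
function canonicalGithubSource(source: string): string | null {
  const m = GITHUB_REMOTE.exec(source.trim())
  if (m === null) return null
  const query = m[3] ?? ''
  let ref: string | undefined
  let rev: string | undefined
  const kept: string[] = []
  for (const pair of query.split('&')) {
    if (pair === '') continue
    const eq = pair.indexOf('=')
    const key = eq === -1 ? pair : pair.slice(0, eq)
    const value = eq === -1 ? '' : pair.slice(eq + 1)
    if (key === 'ref') ref = value
    else if (key === 'rev') rev = value
    else kept.push(pair) // non-ref params such as dir are preserved
  }
  // Assumption: a pinned rev wins over a branch/tag ref when both are present.
  const pin = rev ?? ref
  const base = `github:${m[1]}/${m[2]}${pin ? `/${pin}` : ''}`
  return kept.length > 0 ? `${base}?${kept.join('&')}` : base
}

const REQUIRED_LOCK_FIELDS = ['rev', 'narHash', 'lastModified']

/** Lists required fields absent from a flake.lock `locked` entry of a matched input. */
function missingGithubLockFields(locked: Record<string, unknown> | undefined): string[] {
  const l = locked ?? {}
  return REQUIRED_LOCK_FIELDS.filter((f) => l[f] === undefined || l[f] === null || l[f] === '')
}

// Constructed sample inputs (not taken from the PR).
const sampleSources = [
  'git+ssh://git@github.com/acme/tools.git?ref=main&dir=nix',
  'git@github.com:acme/tools.git',
  'github:acme/tools/main?dir=nix',
]
for (const s of sampleSources) console.log(s, '->', canonicalGithubSource(s) ?? 'ok')
console.log(missingGithubLockFields({ type: 'github', owner: 'acme', repo: 'tools', rev: 'constructed' }))
```

Like the check described in the PR, this runs purely on strings and parsed lock data and makes no network calls.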

github-actions Bot commented May 19, 2026

Storybook Previews

| Package | Latest URL | Last Deploy (Europe/Berlin) |
| --- | --- | --- |
| react-inspector | https://react-inspector-pr-665--overeng-utils.netlify.app | 2026-05-20 11:20 CEST |
| effect-schema-form-aria | https://effect-schema-form-aria-pr-665--overeng-utils.netlify.app | 2026-05-20 11:20 CEST |
| effect-react | https://effect-react-pr-665--overeng-utils.netlify.app | 2026-05-20 11:20 CEST |
| genie | https://genie-pr-665--overeng-utils.netlify.app | 2026-05-20 11:20 CEST |
| notion-react | https://notion-react-pr-665--overeng-utils.netlify.app | 2026-05-20 11:20 CEST |
| notion-cli | https://notion-cli-pr-665--overeng-utils.netlify.app | 2026-05-20 11:20 CEST |
| tui-react | https://tui-react-pr-665--overeng-utils.netlify.app | 2026-05-20 11:20 CEST |
| megarepo | https://megarepo-pr-665--overeng-utils.netlify.app | 2026-05-20 11:20 CEST |

github-actions Bot commented May 19, 2026

Devenv Performance

Chart: performance change versus baseline median. Green is faster, red is slower, gray is within noise or baseline range.

| Probe | Baseline | Current | Change | Result | Confidence |
| --- | --- | --- | --- | --- | --- |
| Warm shell eval | 3.37 s (range 3.233 s - 6.843 s) | 5.552 s | +2.182 s / 64.7% | yellow regression | threshold_exceeded (baseline n=123, current samples=3) |
| devenv processes --help | 0.02 s (range 0.016 s - 0.06 s) | 0.018 s | -0.002 s / -10% | gray noise floor | noise_floor (baseline n=123, current samples=5) |
| devenv tasks list | 0.045 s (range 0.039 s - 0.133 s) | 0.039 s | -0.006 s / -13.3% | gray noise floor | noise_floor (baseline n=123, current samples=5) |
| pnpm install task | 0.591 s (range 0.552 s - 1.862 s) | 0.513 s | -0.078 s / -13.2% | gray noise floor | noise_floor (baseline n=123, current samples=1) |
| Genie run task | 1.279 s (range 1.211 s - 3.162 s) | 1.14 s | -0.139 s / -10.9% | gray needs repeat | low_sample_count (baseline n=123, current samples=1) |
| Genie check direct | 9.879 s (range 6.352 s - 10.951 s) | 8.602 s | -1.277 s / -12.9% | gray within range | within_baseline_range (baseline n=62, current samples=3) |
| Quick check task | 21.955 s (range 20.299 s - 36.458 s) | 19.472 s | -2.483 s / -11.3% | gray needs repeat | low_sample_count (baseline n=123, current samples=1) |
| Shell eval with OTEL trace | 79.89 s (range 73.152 s - 115.602 s) | 68.614 s | -11.276 s / -14.1% | gray needs repeat | low_sample_count (baseline n=123, current samples=1) |
Previous runs

| Commit | Status | Mode | Top changes |
| --- | --- | --- | --- |
| 460c17f | warn | warn | warn Dev shell Warm shell eval +2.908 s / 86.3%; pass Dev shell Shell eval with OTEL trace +19.186 s / 24%; pass Dev shell Quick check task +5.663 s / 25.8% |
| 60b3634 | fail | warn | fail Dev shell Warm shell eval +4.872 s / 144.6%; warn Dev shell Genie check direct +2.558 s / 25.9%; pass Dev shell Shell eval with OTEL trace +32.035 s / 40.1% |

github-actions Bot added a commit that referenced this pull request May 19, 2026
@schickling-assistant schickling-assistant marked this pull request as ready for review May 19, 2026 08:39
@github-actions github-actions Bot requested a review from schickling May 19, 2026 08:39
@schickling-assistant schickling-assistant force-pushed the schickling/2026-05-19-github-source-policy branch from 18cdefa to 5e83f92 Compare May 20, 2026 07:15
github-actions Bot added a commit that referenced this pull request May 20, 2026
@schickling

@codex

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5e83f92a46

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread packages/@overeng/megarepo/src/lib/source-policy.ts Outdated
@schickling-assistant schickling-assistant force-pushed the schickling/2026-05-19-github-source-policy branch from 5e83f92 to 8560fd5 Compare May 20, 2026 09:17
github-actions Bot added a commit that referenced this pull request May 20, 2026
@schickling-assistant schickling-assistant merged commit b58e00a into main May 20, 2026
14 checks passed
@schickling-assistant schickling-assistant deleted the schickling/2026-05-19-github-source-policy branch May 20, 2026 09:45