@oss-autopilot/core 3.5.0 → 3.6.0

package/dist/commands/daily.d.ts

@@ -7,6 +7,7 @@
  * orchestration layer that wires up the phases and handles I/O.
  */
 import { type DailyDigest, type CommentedIssue, type PRCheckFailure, type RepoGroup } from '../core/index.js';
+import { type StrategyResult } from '../core/strategy.js';
 import { type DailyOutput, type DailyWarning, type CapacityAssessment, type ActionableIssue, type ActionMenu } from '../formatters/json.js';
 export { applyStatusOverrides, computeRepoSignals, groupPRsByRepo, assessCapacity, collectActionableIssues, computeActionMenu, toShelvedPRRef, formatBriefSummary, formatSummary, printDigest, CRITICAL_STATUSES, } from '../core/index.js';
 import { buildStarFilter } from '../core/daily-logic.js';
@@ -28,6 +29,13 @@ export interface DailyCheckResult {
     failures: PRCheckFailure[];
     /** Non-fatal warnings from ancillary pipeline phases — see #1042. */
     warnings: DailyWarning[];
+    /**
+     * Periodic strategy snapshot (#1270). Set when the cadence trigger
+     * fires AND the user has crossed `STRATEGY_MIN_PRS`. The action-menu
+     * renderer in `commands/oss.md` reads this; absent or null on runs
+     * where the gate stays silent.
+     */
+    strategySummary?: StrategyResult | null;
 }
 /**
  * Convert a full DailyCheckResult to the compact DailyOutput for JSON serialization (#287).

package/dist/commands/daily.js

@@ -8,6 +8,7 @@
  */
 import { getStateManager, PRMonitor, IssueConversationMonitor, requireGitHubToken, CRITICAL_STATUSES, applyStatusOverrides, computeRepoSignals, groupPRsByRepo, assessCapacity, collectActionableIssues, computeActionMenu, toShelvedPRRef, formatBriefSummary, formatSummary, } from '../core/index.js';
 import { errorMessage, isRateLimitOrAuthError } from '../core/errors.js';
+import { computeStrategy, shouldComputeStrategy } from '../core/strategy.js';
 import { warn } from '../core/logger.js';
 import { emptyPRCountsResult } from '../core/github-stats.js';
 import { createAutopilotScout } from './scout-bridge.js';
@@ -421,6 +422,24 @@ function generateDigestOutput(digest, activePRs, shelvedPRs, commentedIssues, fa
     const briefSummary = formatBriefSummary(digest, actionableIssues.length, issueResponses.length);
     const actionMenu = computeActionMenu(actionableIssues, capacity, filteredCommentedIssues);
     const repoGroups = groupPRsByRepo(activePRs);
+    // Periodic strategy snapshot (#1270 Step 2). Cadence-gated to fire every
+    // 30 days OR after 5+ PRs merge since the last snapshot, whichever comes
+    // first. Below STRATEGY_MIN_PRS the gate stays silent. Compute failures
+    // are non-fatal — the daily run continues and the snapshot is omitted.
+    let strategySummary;
+    try {
+        const state = stateManager.getState();
+        const nowIso = new Date().toISOString();
+        if (shouldComputeStrategy(state, nowIso)) {
+            strategySummary = computeStrategy(state);
+            if (strategySummary) {
+                stateManager.setLastStrategyAt(nowIso);
+            }
+        }
+    }
+    catch (error) {
+        recordWarning(warnings, 'analytics', 'compute strategy snapshot', error);
+    }
     return {
         digest,
         capacity,
@@ -432,6 +451,7 @@ function generateDigestOutput(digest, activePRs, shelvedPRs, commentedIssues, fa
         repoGroups,
         failures,
         warnings,
+        strategySummary,
     };
 }
 // ---------------------------------------------------------------------------
@@ -457,6 +477,7 @@ export function toDailyOutput(result) {
         repoGroups: compactRepoGroups(result.repoGroups),
         failures: result.failures,
         warnings: result.warnings,
+        strategySummary: result.strategySummary,
     };
 }
 /**

package/dist/commands/index.d.ts

@@ -75,6 +75,8 @@ export { runStateUnlink } from './state-cmd.js';
 export { runParseList, pruneIssueList } from './parse-list.js';
 /** Move an issue between Pursue / Maybe / Skip sections of a curated list (#1107). */
 export { runListMoveTier, moveIssueToTier, type Tier, type ListMoveTierOptions, type ListMoveTierOutput, } from './list-move-tier.js';
+/** Mark an issue line in a curated list as done with strikethrough + Done sub-bullet (#1299). */
+export { runMarkIssueListItemDone, markIssueAsDone, type MarkDoneOptions, type MarkDoneOutput, } from './list-mark-done.js';
 /** Check if new files are properly referenced/integrated. */
 export { runCheckIntegration } from './check-integration.js';
 /** System-health diagnostic — verifies tokens, bundle, state, scout, rate limit. */

package/dist/commands/index.js

@@ -82,6 +82,8 @@ export { runStateUnlink } from './state-cmd.js';
 export { runParseList, pruneIssueList } from './parse-list.js';
 /** Move an issue between Pursue / Maybe / Skip sections of a curated list (#1107). */
 export { runListMoveTier, moveIssueToTier, } from './list-move-tier.js';
+/** Mark an issue line in a curated list as done with strikethrough + Done sub-bullet (#1299). */
+export { runMarkIssueListItemDone, markIssueAsDone, } from './list-mark-done.js';
 /** Check if new files are properly referenced/integrated. */
 export { runCheckIntegration } from './check-integration.js';
 /** System-health diagnostic — verifies tokens, bundle, state, scout, rate limit. */

package/dist/commands/startup.js

@@ -115,11 +115,33 @@ export function detectIssueList() {
         // Matches the sibling warn at line 64 for `issueListPath` read failures.
         warn('startup', `Could not read skippedIssuesPath from state: ${errorMessage(err)}`);
     }
-    // Probe default path: same directory as issue list, named skipped-issues.md
+    // Probe default path: same directory as issue list, named skipped-issues.md.
+    // When found, also persist to state.config so downstream commands
+    // (`skip-add`, `scout search`'s skip-list filter) read the same path
+    // instead of silently no-opping with "No skipped-issues path configured"
+    // (#1330). Without persistence, the auto-detect printed the path on
+    // every startup but nothing else honored it — search would re-surface
+    // already-skipped candidates round after round.
     if (!skippedIssuesPath && issueListPath) {
         const defaultSkipPath = path.join(path.dirname(issueListPath), 'skipped-issues.md');
         if (fs.existsSync(defaultSkipPath)) {
             skippedIssuesPath = defaultSkipPath;
+            try {
+                const stateManager = getStateManager();
+                // Only write when config actually doesn't have one — re-running
+                // startup shouldn't trigger an autoSave on every run if the
+                // value is already there.
+                const current = stateManager.getState().config.skippedIssuesPath;
+                if (!current) {
+                    stateManager.updateConfig({ skippedIssuesPath: defaultSkipPath });
+                }
+            }
+            catch (err) {
+                // Persistence is best-effort — startup still surfaces the path
+                // in its return value so the current run benefits, but the next
+                // run won't. Log so the failure is debuggable.
+                warn('startup', `Could not persist auto-detected skippedIssuesPath: ${errorMessage(err)}`);
+            }
         }
     }
     return { path: issueListPath, source, availableCount, completedCount, skippedIssuesPath };

package/dist/core/anti-llm-policy.d.ts

@@ -1,26 +1,35 @@
 /**
- * Anti-LLM policy scan (#108, #911, #979).
+ * AI/LLM policy scans (#108, #911, #979, #1269).
  *
- * Scan concatenated repo docs (CONTRIBUTING.md, CODE_OF_CONDUCT.md,
- * README) for language that indicates the project does not accept
- * AI/LLM-generated contributions. Previously described as a keyword
- * table in prose in agents/issue-scout.md.
+ * Two complementary scanners over the same input (concatenated repo docs
+ * — CONTRIBUTING.md, CODE_OF_CONDUCT.md, README, etc.):
+ *
+ * 1. {@link scanForAntiLLMPolicy} — detects language indicating the
+ *    project does NOT accept AI/LLM-generated contributions. Used by
+ *    issue-scout / repo-evaluator to filter out repos where landing a
+ *    PR is impossible.
+ *
+ * 2. {@link scanAIDisclosureRequirement} — detects the opposite:
+ *    language requiring or inviting AI disclosure ("must disclose AI
+ *    use", "credit AI tools"). Used by pr-compliance-checker to decide
+ *    whether AI attribution should be flagged as a violation, encouraged,
+ *    or required (#1269 Improvement C).
  *
  * The long-term home for this logic is `@oss-scout/core`, where the
  * relevant files are already fetched during vetting. Keeping it here
  * for now lets the agent invoke it directly and gives scout a
  * reference implementation + test fixtures to adopt. See #979.
  *
- * Precision matters more than recall. False positives (flagging a
- * project that actually welcomes AI help) silently shrink the user's
- * contribution surface without recourse. We only match on phrases
- * that combine a rejection keyword (no / reject / will be closed /
- * don't accept) with an AI/LLM noun.
+ * Precision matters more than recall in both directions. A false
+ * positive on the anti-LLM side silently shrinks the user's
+ * contribution surface; a false positive on the disclosure side tells
+ * the user to add attribution that the maintainer didn't actually ask
+ * for. Patterns require an explicit verb-phrase + AI/LLM-noun pairing.
  *
  * **User-facing reference:** `docs/anti-llm-policy.md` — explains the
- * three categories, example phrases per category, and the false-positive-
- * resistance design (why "AI division will be closed at end of Q4"
- * does NOT match).
+ * three anti-LLM categories, example phrases per category, and the
+ * false-positive-resistance design (why "AI division will be closed at
+ * end of Q4" does NOT match).
  */
 export type AntiLLMCategory = 'explicit_ban' | 'tool_ban' | 'reject_framing';
 export interface AntiLLMMatch {
@@ -35,3 +44,23 @@ export interface AntiLLMScanResult {
     matches: AntiLLMMatch[];
 }
 export declare function scanForAntiLLMPolicy(text: string): AntiLLMScanResult;
+export type AIDisclosureCategory = 'mandatory' | 'recommended' | 'invited';
+export interface AIDisclosureMatch {
+    category: AIDisclosureCategory;
+    phrase: string;
+    excerpt: string;
+}
+export interface AIDisclosureScanResult {
+    matched: boolean;
+    matches: AIDisclosureMatch[];
+}
+/**
+ * Scan repo docs for language requiring or inviting AI disclosure (#1269).
+ *
+ * Mirrors {@link scanForAntiLLMPolicy}'s shape: same input contract,
+ * same false-positive-resistance discipline, same per-match excerpt for
+ * surfacing to the user. Categories are ordered by binding strength —
+ * callers that want to avoid false-positive flagging on weak invitations
+ * can filter to 'mandatory' / 'recommended' only.
+ */
+export declare function scanAIDisclosureRequirement(text: string): AIDisclosureScanResult;

package/dist/core/anti-llm-policy.js

@@ -1,26 +1,35 @@
 /**
- * Anti-LLM policy scan (#108, #911, #979).
+ * AI/LLM policy scans (#108, #911, #979, #1269).
  *
- * Scan concatenated repo docs (CONTRIBUTING.md, CODE_OF_CONDUCT.md,
- * README) for language that indicates the project does not accept
- * AI/LLM-generated contributions. Previously described as a keyword
- * table in prose in agents/issue-scout.md.
+ * Two complementary scanners over the same input (concatenated repo docs
+ * — CONTRIBUTING.md, CODE_OF_CONDUCT.md, README, etc.):
+ *
+ * 1. {@link scanForAntiLLMPolicy} — detects language indicating the
+ *    project does NOT accept AI/LLM-generated contributions. Used by
+ *    issue-scout / repo-evaluator to filter out repos where landing a
+ *    PR is impossible.
+ *
+ * 2. {@link scanAIDisclosureRequirement} — detects the opposite:
+ *    language requiring or inviting AI disclosure ("must disclose AI
+ *    use", "credit AI tools"). Used by pr-compliance-checker to decide
+ *    whether AI attribution should be flagged as a violation, encouraged,
+ *    or required (#1269 Improvement C).
  *
  * The long-term home for this logic is `@oss-scout/core`, where the
  * relevant files are already fetched during vetting. Keeping it here
  * for now lets the agent invoke it directly and gives scout a
  * reference implementation + test fixtures to adopt. See #979.
  *
- * Precision matters more than recall. False positives (flagging a
- * project that actually welcomes AI help) silently shrink the user's
- * contribution surface without recourse. We only match on phrases
- * that combine a rejection keyword (no / reject / will be closed /
- * don't accept) with an AI/LLM noun.
+ * Precision matters more than recall in both directions. A false
+ * positive on the anti-LLM side silently shrinks the user's
+ * contribution surface; a false positive on the disclosure side tells
+ * the user to add attribution that the maintainer didn't actually ask
+ * for. Patterns require an explicit verb-phrase + AI/LLM-noun pairing.
  *
  * **User-facing reference:** `docs/anti-llm-policy.md` — explains the
- * three categories, example phrases per category, and the false-positive-
- * resistance design (why "AI division will be closed at end of Q4"
- * does NOT match).
+ * three anti-LLM categories, example phrases per category, and the
+ * false-positive-resistance design (why "AI division will be closed at
+ * end of Q4" does NOT match).
  */
 const PATTERNS = [
     // Explicit "no X" bans against AI/LLM nouns.
@@ -104,3 +113,83 @@ export function scanForAntiLLMPolicy(text) {
     }
     return { matched: matches.length > 0, matches };
 }
+const DISCLOSURE_PATTERNS = [
+    // Mandatory: imperative verbs binding to an AI/LLM disclosure noun.
+    // Match shape: <verb-phrase> <AI noun> <disclosure noun>?
+    // Verb phrases: "must disclose", "required to disclose", "are required
+    // to indicate", "you must indicate". The optional disclosure-action
+    // noun catches "must disclose use of AI" without requiring a separate
+    // pattern. The AI noun can be plain "ai/llm" or a tool name.
+    {
+        category: 'mandatory',
+        regex: /\b(must|required\s+to|are\s+required\s+to)\s+(disclose|indicate|declare|note|state|mention|label|tag|credit|acknowledge)\s+(?:[a-z\s'-]{0,40}?\b)?(ai|llm|generative\s+ai|copilot|chatgpt|claude|cursor)\b/i,
+    },
+    // "PRs using AI must be labeled / tagged / disclosed"
+    {
+        category: 'mandatory',
+        regex: /\b(prs?|contributions?|commits?|code)\s+(using|generated\s+by|written\s+by|made\s+with)\s+(ai|llm|copilot|chatgpt|claude|cursor)\s+(?:tools?\s+)?(must\s+be|need\s+to\s+be|are\s+to\s+be)\s+(labeled|tagged|disclosed|marked|flagged|noted)\b/i,
+    },
+    // "Disclosure of AI assistance is required" — passive form
+    {
+        category: 'mandatory',
+        regex: /\b(disclosure|disclosing|labeling|labelling|tagging|crediting)\s+(of\s+)?(ai|llm|copilot|chatgpt|claude|cursor)(\s+(use|usage|assistance|tools?|contributions?|generated\s+code))?\s+(is\s+required|is\s+mandatory|must\s+be\s+included)\b/i,
+    },
+    // Recommended: softer "should" or "we ask" framing. Same noun anchors.
+    // Verb forms allow optional gerund (-ing) endings since "we strongly
+    // encourage acknowledging AI" reads naturally even though "acknowledge"
+    // is the bare verb in the imperative list.
+    {
+        category: 'recommended',
+        regex: /\b(should|we\s+ask\s+you\s+to|we\s+ask\s+that\s+you|we\s+(?:strongly\s+)?(?:encourage|recommend))\s+(disclose|disclosing|indicate|indicating|declare|declaring|note|noting|mention|mentioning|label|labeling|labelling|tag|tagging|credit|crediting|acknowledge|acknowledging)\s+(?:[a-z\s'-]{0,40}?\b)?(ai|llm|generative\s+ai|copilot|chatgpt|claude|cursor)\b/i,
+    },
+    // "credit AI tools you used" — direct imperative without "must/should"
+    {
+        category: 'recommended',
+        regex: /\b(credit|acknowledge|attribute)\s+(ai|llm|generative\s+ai)\s+(tools?|assistants?|use|usage|assistance)\b/i,
+    },
+    // Invited: permissive framing. Lower confidence.
+    // The "please" branch is dropped intentionally — bare "please mention X"
+    // doesn't carry enough policy weight on its own, and including it as
+    // `please\s+(?:feel\s+free\s+to)?\s+` introduces super-linear backtracking
+    // (regexp/no-super-linear-backtracking) because of the ambiguous \s+
+    // boundary on either side of the optional group.
+    {
+        category: 'invited',
+        regex: /\b(feel\s+free\s+to|please\s+feel\s+free\s+to|you('re|\s+are)\s+welcome\s+to|welcome\s+to)\s+(disclose|mention|note|indicate|label|tag|credit)\s+(?:[a-z\s'-]{0,40}?\b)?(ai|llm|generative\s+ai|copilot|chatgpt|claude|cursor)\b/i,
+    },
+];
+/**
+ * Scan repo docs for language requiring or inviting AI disclosure (#1269).
+ *
+ * Mirrors {@link scanForAntiLLMPolicy}'s shape: same input contract,
+ * same false-positive-resistance discipline, same per-match excerpt for
+ * surfacing to the user. Categories are ordered by binding strength —
+ * callers that want to avoid false-positive flagging on weak invitations
+ * can filter to 'mandatory' / 'recommended' only.
+ */
+export function scanAIDisclosureRequirement(text) {
+    if (typeof text !== 'string') {
+        throw new TypeError(`scanAIDisclosureRequirement: expected string, received ${typeof text}`);
+    }
+    if (text === '')
+        return { matched: false, matches: [] };
+    const normalized = normalizeText(text);
+    const seenLabels = new Set();
+    const matches = [];
+    for (const pattern of DISCLOSURE_PATTERNS) {
+        const hit = normalized.match(pattern.regex);
+        if (!hit || hit.index === undefined)
+            continue;
+        const phrase = hit[0];
+        const key = `${pattern.category}:${phrase.toLowerCase()}`;
+        if (seenLabels.has(key))
+            continue;
+        seenLabels.add(key);
+        matches.push({
+            category: pattern.category,
+            phrase,
+            excerpt: makeExcerpt(normalized, hit.index, phrase.length),
+        });
+    }
+    return { matched: matches.length > 0, matches };
+}

package/dist/core/ci-analysis.d.ts

@@ -3,7 +3,7 @@
  * Extracted from PRMonitor to isolate CI-related logic (#263).
  */
 import type { Octokit } from '@octokit/rest';
-import { CIFailureCategory, ClassifiedCheck, CIStatusResult } from './types.js';
+import { CIFailureCategory, ClassifiedCheck, CIStatusResult, CIStatus, CIStatusCategorization } from './types.js';
 /**
  * Classify a failing CI check as actionable, fork_limitation, auth_gate, or infrastructure (#81, #145, #743).
  * Default is 'actionable' — only known patterns get reclassified.
@@ -16,6 +16,37 @@ export declare function classifyCICheck(name: string, description?: string, conc
  * Accepts optional conclusion data to detect infrastructure failures and auth gates.
  */
 export declare function classifyFailingChecks(failingCheckNames: string[], conclusions?: Map<string, string>): ClassifiedCheck[];
+/**
+ * Map an aggregate `ciStatus + failingCheckNames + classifiedChecks` triple
+ * into one of five mutually exclusive overall states (#1272). The 5-row
+ * truth table previously lived as prose in `agents/pr-health-checker.md`;
+ * extracting it lets that agent (and any future consumer — dashboard,
+ * MCP, sibling agents that adopt the field) read a single typed value
+ * instead of re-deriving from `ciStatus + failingCheckNames + classifiedChecks`.
+ *
+ * Decision order (each branch is exclusive):
+ *   1. `passing`                      → `all_passing`
+ *   2. `pending`                      → `blocked` (awaiting trigger / completion)
+ *   3. `failing` + actionable         → `failing` (real test/lint/build issue)
+ *   4. `failing` + only infrastructure → `blocked` (cancelled/timed-out runner — needs rerun)
+ *   5. `failing` + only fork/auth     → `fork_limitation` (informational)
+ *   6. `failing` + zero classified    → `failing` w/ "details unavailable" summary
+ *   7. `unknown`                      → `not_running`
+ *
+ * Why infrastructure routes to `blocked` and not `fork_limitation`:
+ * a cancelled or timed-out runner is genuinely worth re-running; calling
+ * it "informational" would tell the agent to ignore something the user
+ * can fix with a rerun-request.
+ *
+ * The `summary` is short (≤180 char even for 10+ failing checks) and
+ * suitable for inline display. `action` is a hint, not enforcement —
+ * agents may still escalate based on other PR context.
+ */
+export declare function categorizeCIStatus(input: {
+    ciStatus: CIStatus;
+    failingCheckNames: string[];
+    classifiedChecks: ClassifiedCheck[];
+}): CIStatusCategorization;
 /**
  * Analyze check runs (GitHub Actions, etc.) and categorize them.
  * Returns flags for failing/pending/success and lists of failing check names + conclusions.

package/dist/core/ci-analysis.js

@@ -92,6 +92,98 @@ export function classifyFailingChecks(failingCheckNames, conclusions) {
         };
     });
 }
+/**
+ * Map an aggregate `ciStatus + failingCheckNames + classifiedChecks` triple
+ * into one of five mutually exclusive overall states (#1272). The 5-row
+ * truth table previously lived as prose in `agents/pr-health-checker.md`;
+ * extracting it lets that agent (and any future consumer — dashboard,
+ * MCP, sibling agents that adopt the field) read a single typed value
+ * instead of re-deriving from `ciStatus + failingCheckNames + classifiedChecks`.
+ *
+ * Decision order (each branch is exclusive):
+ *   1. `passing`                      → `all_passing`
+ *   2. `pending`                      → `blocked` (awaiting trigger / completion)
+ *   3. `failing` + actionable         → `failing` (real test/lint/build issue)
+ *   4. `failing` + only infrastructure → `blocked` (cancelled/timed-out runner — needs rerun)
+ *   5. `failing` + only fork/auth     → `fork_limitation` (informational)
+ *   6. `failing` + zero classified    → `failing` w/ "details unavailable" summary
+ *   7. `unknown`                      → `not_running`
+ *
+ * Why infrastructure routes to `blocked` and not `fork_limitation`:
+ * a cancelled or timed-out runner is genuinely worth re-running; calling
+ * it "informational" would tell the agent to ignore something the user
+ * can fix with a rerun-request.
+ *
+ * The `summary` is short (≤180 char even for 10+ failing checks) and
+ * suitable for inline display. `action` is a hint, not enforcement —
+ * agents may still escalate based on other PR context.
+ */
+export function categorizeCIStatus(input) {
+    const { ciStatus, failingCheckNames, classifiedChecks } = input;
+    if (ciStatus === 'passing') {
+        return { category: 'all_passing', summary: 'All checks passing', action: 'none' };
+    }
+    if (ciStatus === 'pending') {
+        // `mergeStatuses` currently sets `failingCheckNames: []` on pending,
+        // so the count branch is defensive — kept so a future caller that
+        // forwards pending names doesn't silently drop them.
+        const count = failingCheckNames.length;
+        const summary = count > 0 ? `${count} pending check(s); CI run incomplete` : 'CI checks pending';
+        return { category: 'blocked', summary, action: 'request_rerun' };
+    }
+    if (ciStatus === 'failing') {
+        const actionable = classifiedChecks.filter((c) => c.category === 'actionable');
+        if (actionable.length > 0) {
+            const preview = actionable
+                .slice(0, 3)
+                .map((c) => c.name)
+                .join(', ');
+            const more = actionable.length > 3 ? ` (+${actionable.length - 3} more)` : '';
+            return {
+                category: 'failing',
+                summary: `${actionable.length} actionable failure(s): ${preview}${more}`,
+                action: 'investigate',
+            };
+        }
+        // No actionable failures. Distinguish three sub-cases:
+        // (a) failing with zero classified checks: status came from the
+        //     legacy combined-status endpoint without per-check detail. Be
+        //     honest about the missing detail rather than asserting "fork
+        //     limitations" the caller can't verify.
+        if (classifiedChecks.length === 0) {
+            return {
+                category: 'failing',
+                summary: 'CI reported failure but no check details available',
+                action: 'investigate',
+            };
+        }
+        // (b) at least one infrastructure failure (cancelled / timed-out /
+        //     dependency-install). Re-running often fixes the issue, so
+        //     surface as `blocked` with `request_rerun` rather than
+        //     mislabeling as "fork limits / auth gates."
+        const hasInfrastructure = classifiedChecks.some((c) => c.category === 'infrastructure');
+        if (hasInfrastructure) {
+            const total = classifiedChecks.length;
+            return {
+                category: 'blocked',
+                summary: `${total} non-actionable failure(s) including infrastructure issues; rerun may resolve`,
+                action: 'request_rerun',
+            };
+        }
+        // (c) only fork-limitation / auth-gate failures — purely informational.
+        const total = classifiedChecks.length;
+        return {
+            category: 'fork_limitation',
+            summary: `${total} non-actionable failure(s) (fork limits / auth gates)`,
+            action: 'informational',
+        };
+    }
+    // ciStatus === 'unknown' — no checks reported, or status couldn't be
+    // determined. Treat both as not_running so callers don't have to
+    // distinguish the rare indeterminate case from the common "no CI
+    // configured" case.
+    return { category: 'not_running', summary: 'No CI checks reported', action: 'check_workflows' };
+}
 /**
  * Analyze check runs (GitHub Actions, etc.) and categorize them.
  * Returns flags for failing/pending/success and lists of failing check names + conclusions.

package/dist/core/errors.d.ts

@@ -85,6 +85,25 @@ export declare function errorMessage(e: unknown): string;
 export declare function getHttpStatusCode(error: unknown): number | undefined;
 /** Check if an error is a GitHub rate limit error (429 or rate-limit 403). */
 export declare function isRateLimitError(error: unknown): boolean;
+/**
+ * Check if an error is GitHub's "users do not exist" Search-API validation
+ * failure (HTTP 422 with `resource: 'Search', code: 'invalid'` and a message
+ * indicating the user couldn't be resolved). Returned when the Search API
+ * can't resolve the user named in an `author:`/`user:` qualifier — the
+ * typical cause is a stale or mis-typed `githubUsername` in
+ * `~/.oss-autopilot/state.json`.
+ *
+ * Surfaced as a generic "Validation Failed" string by Octokit, which gives
+ * the user no actionable signal. Callers wrap the search and rethrow this
+ * as a {@link ConfigurationError} so the CLI prints the configured username
+ * and points at `/setup-oss`.
+ *
+ * The message-text gate is load-bearing: GitHub returns the same
+ * `resource`/`code` pair for other Search 422s (query too long, too many
+ * ORs). Without the gate, those would silently rewrite to "your configured
+ * username is wrong," which is actively misleading.
+ */
+export declare function isInvalidUserSearchError(err: unknown): boolean;
 /** Return true for errors that should propagate (not degrade gracefully): rate limits, auth failures, abuse detection. */
 export declare function isRateLimitOrAuthError(err: unknown): boolean;
 /**

package/dist/core/errors.js

@@ -142,6 +142,60 @@ export function isRateLimitError(error) {
     }
     return false;
 }
+/**
+ * Match-text used to discriminate the user-resolution failure from sibling
+ * `resource: 'Search', code: 'invalid'` 422s (query-too-long,
+ * too-many-OR-operators, malformed qualifier). Both the structured and the
+ * fallback paths gate on this pattern so the matcher's name remains accurate
+ * if a future caller uses a different Search query.
+ */
+const USER_NOT_FOUND_SEARCH_MESSAGE = /users.*do not exist|cannot be searched/i;
+/**
+ * Check if an error is GitHub's "users do not exist" Search-API validation
+ * failure (HTTP 422 with `resource: 'Search', code: 'invalid'` and a message
+ * indicating the user couldn't be resolved). Returned when the Search API
+ * can't resolve the user named in an `author:`/`user:` qualifier — the
+ * typical cause is a stale or mis-typed `githubUsername` in
+ * `~/.oss-autopilot/state.json`.
+ *
+ * Surfaced as a generic "Validation Failed" string by Octokit, which gives
+ * the user no actionable signal. Callers wrap the search and rethrow this
+ * as a {@link ConfigurationError} so the CLI prints the configured username
+ * and points at `/setup-oss`.
+ *
+ * The message-text gate is load-bearing: GitHub returns the same
+ * `resource`/`code` pair for other Search 422s (query too long, too many
+ * ORs). Without the gate, those would silently rewrite to "your configured
+ * username is wrong," which is actively misleading.
+ */
+export function isInvalidUserSearchError(err) {
+    if (getHttpStatusCode(err) !== 422)
+        return false;
+    const data = err?.response?.data;
+    const errors = data && typeof data === 'object' ? data.errors : undefined;
+    if (Array.isArray(errors)) {
+        return errors.some((e) => {
+            if (!e || typeof e !== 'object')
+                return false;
+            const entry = e;
+            if (entry.resource !== 'Search' || entry.code !== 'invalid')
+                return false;
+            // The Search API includes a per-error `message` for this case. When
+            // present, gate on it to avoid matching sibling validation failures
+            // that share the resource/code pair. When absent, fall back to the
+            // top-level message check below — some serializations drop the
+            // per-entry message but keep it on the response.
+            if (typeof entry.message === 'string') {
+                return USER_NOT_FOUND_SEARCH_MESSAGE.test(entry.message);
+            }
+            return USER_NOT_FOUND_SEARCH_MESSAGE.test(errorMessage(err));
+        });
+    }
+    // Fallback for serialized errors that lost the structured `response.data`
+    // (e.g. messages re-thrown across boundaries). The Search API's own copy
+    // is stable enough to match against.
+    return USER_NOT_FOUND_SEARCH_MESSAGE.test(errorMessage(err));
+}
 /** Return true for errors that should propagate (not degrade gracefully): rate limits, auth failures, abuse detection. */
 export function isRateLimitOrAuthError(err) {
     const status = getHttpStatusCode(err);

package/dist/core/pr-monitor.d.ts

@@ -15,7 +15,7 @@
 import { FetchedPR, DailyDigest, ClosedPR, MergedPR, StarFilter } from './types.js';
 import { type PRCountsResult } from './github-stats.js';
 export { computeDisplayLabel } from './display-utils.js';
-export { classifyCICheck, classifyFailingChecks, getCIStatus } from './ci-analysis.js';
+export { categorizeCIStatus, classifyCICheck, classifyFailingChecks, getCIStatus } from './ci-analysis.js';
 export { isConditionalChecklistItem } from './checklist-analysis.js';
 export { determineStatus } from './status-determination.js';
 /**