@oss-scout/core 0.11.0 → 1.0.0

package/dist/core/http-cache.js

@@ -16,6 +16,25 @@ import { getCacheDir } from "./utils.js";
 import { debug, warn } from "./logger.js";
 import { errorMessage, getHttpStatusCode } from "./errors.js";
 const MODULE = "http-cache";
+/**
+ * Schema version for cache entries whose body is an oss-scout-defined shape
+ * (vetting results, search payloads, policy scans, merged-PR counts) rather
+ * than a raw GitHub API response. These are deserialized with an unchecked
+ * cast, so a shape change between releases would otherwise let a new build read
+ * a stale-shaped entry. Bump this whenever one of those cached shapes changes:
+ * old entries then miss the version-prefixed key and are refetched instead of
+ * misread (#158). Raw ETag-keyed GitHub responses are not versioned — their
+ * shape is owned by GitHub, not us.
+ */
+export const CACHE_SCHEMA_VERSION = "v1";
+/**
+ * Prefix a synthetic (non-URL) cache key with the schema version so a shape
+ * change invalidates old entries. Use for every key whose body is read back
+ * with an unchecked cast.
+ */
+export function versionedCacheKey(key) {
+    return `${CACHE_SCHEMA_VERSION}:${key}`;
+}
 /**
  * Maximum age (in ms) before a cache entry is considered stale and eligible for
  * eviction during cleanup. Defaults to 24 hours. Entries older than this are
@@ -51,13 +70,21 @@ export class HttpCache {
      * (e.g., caching aggregated results from paginated API calls).
      */
     getIfFresh(key, maxAgeMs) {
+        return this.getEntryIfFresh(key, maxAgeMs)?.body ?? null;
+    }
+    /**
+     * Like {@link getIfFresh}, but returns the whole entry so callers can
+     * distinguish "no fresh entry" (null) from a legitimately cached falsy
+     * body (`0`, `""`, `false`, `null`).
+     */
+    getEntryIfFresh(key, maxAgeMs) {
         const entry = this.get(key);
         if (!entry)
             return null;
         const age = Date.now() - new Date(entry.cachedAt).getTime();
         if (!Number.isFinite(age) || age < 0 || age > maxAgeMs)
             return null;
-        return entry.body;
+        return entry;
     }
     /**
      * Look up a cached response. Returns `null` if no cache entry exists.
@@ -246,13 +273,29 @@ export function getHttpCache() {
  *    cached body without consuming a rate-limit point.
  * 3. On a fresh 200, caches the ETag + body for next time.
  */
-export async function cachedRequest(cache, url, fetcher) {
-    // --- Deduplication ---
-    const existing = cache.getInflight(url);
+/**
+ * Share one in-flight computation per key: concurrent callers for the same
+ * key await the same promise instead of paying duplicate API calls (#124).
+ * The check-then-register pair runs without an intervening await, so two
+ * concurrent callers cannot both miss. Rejections propagate to every waiter
+ * and are never cached.
+ */
+export async function withInflightDedup(cache, key, fn) {
+    const existing = cache.getInflight(key);
     if (existing) {
-        debug(MODULE, `Dedup hit for ${url}`);
+        debug(MODULE, `Dedup hit for ${key}`);
         return (await existing);
     }
+    const promise = fn();
+    const cleanup = cache.setInflight(key, promise);
+    try {
+        return await promise;
+    }
+    finally {
+        cleanup();
+    }
+}
+export async function cachedRequest(cache, url, fetcher) {
     const doFetch = async () => {
         const extraHeaders = {};
         const cached = cache.get(url);
@@ -276,19 +319,21 @@ export async function cachedRequest(cache, url, fetcher) {
                     debug(MODULE, `304 cache hit for ${url}`);
                     return freshCached.body;
                 }
+                // The entry that supplied If-None-Match vanished mid-flight (e.g. a
+                // concurrent process deleted it). Refetch unconditionally; without
+                // the conditional header the server cannot answer 304 again.
+                debug(MODULE, `304 but cache entry vanished for ${url}, refetching`);
+                const response = await fetcher({});
+                const etag = response.headers?.["etag"];
+                if (etag) {
+                    cache.set(url, etag, response.data);
+                }
+                return response.data;
             }
             throw err;
         }
     };
-    const promise = doFetch();
-    const cleanup = cache.setInflight(url, promise);
-    try {
-        const result = await promise;
-        return result;
-    }
-    finally {
-        cleanup();
-    }
+    return withInflightDedup(cache, url, doFetch);
 }
 /**
  * Time-based cache wrapper (no ETag / conditional requests).
@@ -300,14 +345,24 @@ export async function cachedRequest(cache, url, fetcher) {
  * (e.g. search queries, project health checks).
  */
 export async function cachedTimeBased(cache, key, maxAgeMs, fetcher) {
-    const cached = cache.getIfFresh(key, maxAgeMs);
+    const cached = cache.getEntryIfFresh(key, maxAgeMs);
     if (cached) {
         debug(MODULE, `Time-based cache hit for ${key}`);
-        return cached;
+        return cached.body;
     }
-    const result = await fetcher();
-    cache.set(key, "", result);
-    return result;
+    // Concurrent same-key callers (parallel vetting hitting one repo) share
+    // a single fetch instead of stampeding the API (#124)
+    return withInflightDedup(cache, key, async () => {
+        // Re-check inside the dedup window: a caller that finished while we
+        // queued may have populated the cache
+        const fresh = cache.getEntryIfFresh(key, maxAgeMs);
+        if (fresh) {
+            return fresh.body;
+        }
+        const result = await fetcher();
+        cache.set(key, "", result);
+        return result;
+    });
 }
 /**
  * Detect whether an error is a 304 Not Modified response.

package/dist/core/issue-discovery.d.ts

@@ -77,6 +77,8 @@ export declare class IssueDiscovery {
         preferLanguages?: string[];
         preferRepos?: string[];
         diversityRatio?: number;
+        interPhaseDelayMs?: number;
+        broadPhaseDelayMs?: number;
     }): Promise<{
         candidates: IssueCandidate[];
         strategiesUsed: SearchStrategy[];

package/dist/core/issue-discovery.js

@@ -22,7 +22,7 @@ import { isDocOnlyIssue, applyPerRepoCap, } from "./issue-filtering.js";
 import { IssueVetter } from "./issue-vetting.js";
 import { getTopicsForCategories } from "./category-mapping.js";
 import { buildEffectiveLabels, interleaveArrays, cachedSearchIssues, fetchIssuesFromMaintainedRepos, filterVetAndScore, fetchIssuesFromKnownRepos, searchAcrossLanguagesAndLabels, } from "./search-phases.js";
-import { annotateBoost, applyDiversityRatio } from "./personalization.js";
+import { annotateBoost, applyDiversityRatio, boostScoreOf, } from "./personalization.js";
 const MODULE = "issue-discovery";
 /** If remaining search quota is below this, skip heavy phases (2, 3). */
 const LOW_BUDGET_THRESHOLD = 20;
@@ -35,16 +35,19 @@ function buildIssueFilter(config) {
             const repoFullName = extractRepoFromUrl(item.repository_url);
             if (!repoFullName)
                 return false;
-            if (config.excludedRepos.has(repoFullName))
+            // Repo-name sets are lowercased at construction; compare lowercased so
+            // user-typed casing (Microsoft/TypeScript) still matches API casing.
+            const repoLower = repoFullName.toLowerCase();
+            if (config.excludedRepos.has(repoLower))
                 return false;
             if (config.excludeOrgs.size > 0) {
-                const orgName = repoFullName.split("/")[0]?.toLowerCase();
+                const orgName = repoLower.split("/")[0];
                 if (orgName && config.excludeOrgs.has(orgName))
                     return false;
             }
-            if (config.aiBlocklisted.has(repoFullName))
+            if (config.aiBlocklisted.has(repoLower))
                 return false;
-            if (config.lowScoringRepos.has(repoFullName))
+            if (config.lowScoringRepos.has(repoLower))
                 return false;
             if (config.skippedUrls.has(item.html_url))
                 return false;
@@ -286,11 +289,12 @@ export class IssueDiscovery {
             (scopes ? buildEffectiveLabels(scopes, config.labels) : config.labels);
         const maxResults = options.maxResults || 10;
         const minStars = config.minStars ?? 50;
-        const interPhaseDelay = config.interPhaseDelayMs ?? 30000;
-        // Strategy selection
+        const interPhaseDelay = options.interPhaseDelayMs ?? config.interPhaseDelayMs ?? 30000;
+        // Strategy selection. Empty arrays count as "unset" so a stored
+        // defaultStrategy of [] can't silently produce zero-strategy searches.
         const ALL_STRATEGIES = CONCRETE_STRATEGIES;
-        const rawStrategies = options.strategies ??
-            config.defaultStrategy ?? ["all"];
+        const pickStrategies = (...candidates) => candidates.find((c) => c && c.length > 0) ?? ["all"];
+        const rawStrategies = pickStrategies(options.strategies, config.defaultStrategy);
         const enabledStrategies = new Set(rawStrategies.includes("all") ? ALL_STRATEGIES : rawStrategies);
         const strategiesUsed = [];
         const allCandidates = [];
@@ -332,19 +336,19 @@ export class IssueDiscovery {
         const openPRRepos = this.stateReader.getReposWithOpenPRs();
         const starredRepos = this.getStarredRepos();
         const starredRepoSet = new Set(starredRepos);
-        const lowScoringRepos = new Set(this.deriveLowScoringRepos(config.minRepoScoreThreshold));
+        const lowScoringRepos = new Set(this.deriveLowScoringRepos(config.minRepoScoreThreshold).map((r) => r.toLowerCase()));
         // Build query parts
         const isAnyLanguage = languages.some((l) => l.toLowerCase() === "any");
         const langQuery = isAnyLanguage
             ? ""
             : languages.map((l) => `language:${l}`).join(" ");
-        // Build reusable filter
-        const aiBlocklisted = new Set(config.aiPolicyBlocklist);
+        // Build reusable filter (repo-name sets lowercased; see buildIssueFilter)
+        const aiBlocklisted = new Set(config.aiPolicyBlocklist.map((r) => r.toLowerCase()));
         if (aiBlocklisted.size > 0) {
             debug(MODULE, `[AI_POLICY_FILTER] Filtering issues from ${aiBlocklisted.size} blocklisted repo(s): ${[...aiBlocklisted].join(", ")}`);
         }
         const filterIssues = buildIssueFilter({
-            excludedRepos: new Set(config.excludeRepos),
+            excludedRepos: new Set(config.excludeRepos.map((r) => r.toLowerCase())),
             excludeOrgs: new Set((config.excludeOrgs ?? []).map((o) => o.toLowerCase())),
             aiBlocklisted,
             lowScoringRepos,
@@ -396,13 +400,21 @@ export class IssueDiscovery {
                     phaseErrors["1"] = result.error;
                     if (result.rateLimitHit)
                         rateLimitHitDuringSearch = true;
+                    // Recorded only when the phase actually queried (#130)
+                    strategiesUsed.push("starred");
                 }
             }
-            strategiesUsed.push("starred");
         }
         // Phase 2: General search (with rate limit mitigation)
-        const broadDelay = config.broadPhaseDelayMs ?? 90000;
-        const skipThreshold = config.skipBroadWhenSufficientResults ?? 15;
+        const broadDelay = options.broadPhaseDelayMs ?? config.broadPhaseDelayMs ?? 90000;
+        // Clamp to maxResults - 1: the phase gate below already skips the whole
+        // phase at >= maxResults, so any larger threshold would be unsatisfiable
+        // (the default 15 vs default maxResults 10 made this dead config). 0
+        // stays "never skip".
+        const configuredSkipThreshold = config.skipBroadWhenSufficientResults ?? 8;
+        const skipThreshold = configuredSkipThreshold > 0
+            ? Math.min(configuredSkipThreshold, maxResults - 1)
+            : 0;
         if (allCandidates.length < maxResults &&
             searchBudget >= LOW_BUDGET_THRESHOLD &&
             enabledStrategies.has("broad")) {
@@ -430,8 +442,10 @@ export class IssueDiscovery {
                 phaseErrors["2"] = result.error;
                 if (result.rateLimitHit)
                     rateLimitHitDuringSearch = true;
+                // Recorded only when the phase actually queried, not when the
+                // skip-threshold branch short-circuited it (#130)
+                strategiesUsed.push("broad");
             }
-            strategiesUsed.push("broad");
         }
         // Phase 3: Actively maintained repos
         if (allCandidates.length < maxResults &&
@@ -487,12 +501,13 @@ export class IssueDiscovery {
                     `Found ${allCandidates.length} candidate${allCandidates.length === 1 ? "" : "s"} but some search phases were limited. ` +
                     `Try again after the rate limit resets for complete results.`;
         }
-        // Personalization annotation (#1244): tag each candidate with
-        // boostScore + boostReasons before sorting so the new sort tier has
-        // values to read. No-op when neither preference list is supplied.
-        annotateBoost(allCandidates, options.preferLanguages, options.preferRepos);
+        // Personalization annotation (#1244): tag matched candidates with a
+        // `personalization` marker before sorting so the new sort tier has values
+        // to read. Returns a new array (no in-place candidate mutation, #158);
+        // a no-op when neither preference list is supplied.
+        const ranked = annotateBoost(allCandidates, options.preferLanguages, options.preferRepos);
         // Sort by priority, recommendation, boost (#1244), then viability score
-        allCandidates.sort((a, b) => {
+        ranked.sort((a, b) => {
             const priorityOrder = {
                 merged_pr: 0,
                 starred: 1,
@@ -506,17 +521,17 @@ export class IssueDiscovery {
                 recommendationOrder[b.recommendation];
             if (recDiff !== 0)
                 return recDiff;
-            // Personalization tier (#1244): higher boostScore wins. Treats
-            // undefined as 0 so unboosted candidates rank below boosted peers
-            // but stay ordered among themselves by viabilityScore. No-op when
-            // `preferLanguages`/`preferRepos` are absent — all candidates carry
-            // `boostScore: undefined` and the difference collapses to 0.
-            const boostDiff = (b.boostScore ?? 0) - (a.boostScore ?? 0);
+            // Personalization tier (#1244): higher boost wins. boostScoreOf treats
+            // an unboosted candidate as 0 so they rank below boosted peers but stay
+            // ordered among themselves by viabilityScore. No-op when
+            // `preferLanguages`/`preferRepos` are absent — every candidate scores 0
+            // and the difference collapses.
+            const boostDiff = boostScoreOf(b) - boostScoreOf(a);
             if (boostDiff !== 0)
                 return boostDiff;
             return b.viabilityScore - a.viabilityScore;
         });
-        const capped = applyPerRepoCap(allCandidates, 2);
+        const capped = applyPerRepoCap(ranked, 2);
         // Diversity counterweight (#1244): when `diversityRatio > 0`, reserve
         // a fraction of the final slots for candidates that matched neither
         // preference list. No-op when the ratio is 0 or absent — collapses to

package/dist/core/issue-eligibility.d.ts

@@ -7,10 +7,16 @@
  */
 import { Octokit } from "@octokit/rest";
 import type { CheckResult, LinkedPR } from "./types.js";
-/** Result of the existing-PR check, including metadata for the first linked PR (if any). */
-export interface ExistingPRCheckResult extends CheckResult {
+/**
+ * Result of the existing-PR check, including metadata for the first linked PR
+ * (if any). An intersection (not `extends`) because CheckResult is now a
+ * discriminated union (#158); the `& { linkedPR }` distributes over both arms.
+ */
+export type ExistingPRCheckResult = CheckResult & {
     linkedPR: LinkedPR | null;
-}
+};
+/** True when a single comment body claims the issue. */
+export declare function commentClaimsIssue(body: string): boolean;
 /**
  * Check whether an open PR already exists for the given issue.
  * Uses the timeline API (REST) to detect cross-referenced PRs, avoiding
@@ -23,7 +29,7 @@ export declare function checkNoExistingPR(octokit: Octokit, owner: string, repo:
  * Results are cached per-repo for 15 minutes to avoid redundant Search API
  * calls when multiple issues from the same repo are vetted.
  */
-export declare function checkUserMergedPRsInRepo(octokit: Octokit, owner: string, repo: string): Promise<number>;
+export declare function checkUserMergedPRsInRepo(octokit: Octokit, owner: string, repo: string): Promise<number | null>;
 /**
  * Check whether an issue has been claimed by another contributor
  * by scanning recent comments for claim phrases.

package/dist/core/issue-eligibility.js

@@ -6,9 +6,9 @@
  * Extracted from issue-vetting.ts to isolate eligibility logic.
  */
 import { paginateAll } from "./pagination.js";
-import { errorMessage, getHttpStatusCode, isRateLimitError } from "./errors.js";
+import { errorMessage, rethrowIfFatal } from "./errors.js";
 import { warn } from "./logger.js";
-import { getHttpCache } from "./http-cache.js";
+import { getHttpCache, withInflightDedup, versionedCacheKey, } from "./http-cache.js";
 import { getSearchBudgetTracker } from "./search-budget.js";
 function isLinkedPREvent(e) {
     return e.event === "cross-referenced" && !!e.source?.issue?.pull_request;
@@ -50,24 +50,65 @@ function buildLinkedPRFromTimelineEvent(e, context) {
     };
 }
 const MODULE = "issue-eligibility";
-/** Phrases that indicate someone has already claimed an issue. */
-const CLAIM_PHRASES = [
-    "i'm working on this",
-    "i am working on this",
-    "i'll take this",
-    "i will take this",
-    "working on it",
-    "i'd like to work on",
-    "i would like to work on",
-    "can i work on",
-    "may i work on",
-    "assigned to me",
-    "i'm on it",
-    "i'll submit a pr",
-    "i will submit a pr",
-    "working on a fix",
-    "working on a pr",
+/**
+ * Claim detection, applied per clause (sentence). Plain substring matching
+ * flagged questions ("is anyone working on it?") and negations ("no one is
+ * working on this") as claims. Rules:
+ *
+ * - A clause ending in "?" is never a claim, EXCEPT a permission request
+ *   ("can I work on this?"), which is the author asking to take the issue.
+ * - A declarative clause with an indefinite or negated subject (anyone,
+ *   someone, nobody, not, ...) is never a claim.
+ * - Otherwise declarative claim patterns match, including third-person
+ *   ("Bob is working on it" means the issue is taken).
+ */
+/**
+ * Object that refers to the issue at hand: this/it/that, "the <thing>",
+ * "#123", "issue ...". Deliberately excludes "a <thing>" ("can I work on a
+ * repro?" introduces new work, it does not claim the issue). The numeric
+ * branch requires the # prefix: a bare number collides with quantity idioms
+ * ("can I take 5 minutes"). Residual misses: gerund objects ("work on
+ * fixing the bug") and bare numbers ("work on 126").
+ */
+const ISSUE_OBJECT = String.raw `(?:this\b|it\b|that\b|the\b|#\d+|issue\b)`;
+/** Explicit first-person claims; not subject to the subject guard. */
+const FIRST_PERSON_CLAIM_PATTERNS = [
+    new RegExp(String.raw `\bi\s*(?:'ll|will) take ${ISSUE_OBJECT}`),
+    new RegExp(String.raw `\bi\s*(?:'d|would) (?:like|love) to work on ${ISSUE_OBJECT}`),
+    /\bi\s*(?:'m|am) on it\b/,
+    /\bi\s*(?:'ll|will) submit a pr\b/,
+    /\bassigned to me\b/,
+];
+/**
+ * Generic "working on ..." phrasings. These also match third-person claims
+ * ("Bob is working on it"), so they need the subject guard below to avoid
+ * flagging indefinite or negated subjects.
+ */
+const GENERIC_WORKING_PATTERNS = [
+    /\bworking on (?:this|it)\b/,
+    /\bworking on a (?:fix|pr)\b/,
 ];
+/** Asking to take the issue counts as a claim even phrased as a question. */
+const PERMISSION_CLAIM_PATTERN = new RegExp(String.raw `\b(?:can|may|could) i (?:work on|take) ${ISSUE_OBJECT}`);
+/** Subjects/negations that make a "working on ..." clause a non-claim. */
+const NON_CLAIM_SUBJECTS = /\b(?:anyone|anybody|someone|somebody|who|whoever|nobody|no[- ]?one|not)\b/;
+/** True when a single comment body claims the issue. */
+export function commentClaimsIssue(body) {
+    const clauses = body.toLowerCase().split(/(?<=[.!?])|\n+/);
+    for (const clause of clauses) {
+        if (PERMISSION_CLAIM_PATTERN.test(clause))
+            return true;
+        if (clause.trimEnd().endsWith("?"))
+            continue;
+        if (FIRST_PERSON_CLAIM_PATTERNS.some((p) => p.test(clause)))
+            return true;
+        if (NON_CLAIM_SUBJECTS.test(clause))
+            continue;
+        if (GENERIC_WORKING_PATTERNS.some((p) => p.test(clause)))
+            return true;
+    }
+    return false;
+}
 /**
  * Check whether an open PR already exists for the given issue.
  * Uses the timeline API (REST) to detect cross-referenced PRs, avoiding
@@ -106,9 +147,7 @@ export async function checkNoExistingPR(octokit, owner, repo, issueNumber) {
         return { passed: linkedPRCount === 0, linkedPR };
     }
     catch (error) {
-        if (getHttpStatusCode(error) === 401 || isRateLimitError(error)) {
-            throw error;
-        }
+        rethrowIfFatal(error);
         const errMsg = errorMessage(error);
         warn(MODULE, `Failed to check for existing PRs on ${owner}/${repo}#${issueNumber}: ${errMsg}. Assuming no existing PR.`);
         return { passed: true, inconclusive: true, reason: errMsg, linkedPR: null };
@@ -124,40 +163,46 @@ const MERGED_PR_CACHE_TTL_MS = 15 * 60 * 1000;
  */
 export async function checkUserMergedPRsInRepo(octokit, owner, repo) {
     const cache = getHttpCache();
-    const cacheKey = `merged-prs:${owner}/${repo}`;
-    // Manual cache check — do not use cachedTimeBased because we must NOT cache
-    // error-path fallback values (a transient failure returning 0 would poison the
-    // cache for 15 minutes, hiding that the user has merged PRs in the repo).
-    const cached = cache.getIfFresh(cacheKey, MERGED_PR_CACHE_TTL_MS);
-    if (cached != null && typeof cached === "number") {
-        return cached;
-    }
-    try {
-        const tracker = getSearchBudgetTracker();
-        await tracker.waitForBudget();
-        try {
-            // Use @me to search as the authenticated user
-            const { data } = await octokit.search.issuesAndPullRequests({
-                q: `repo:${owner}/${repo} is:pr is:merged author:@me`,
-                per_page: 1, // We only need total_count
-            });
-            // Only cache successful results
-            cache.set(cacheKey, "", data.total_count);
-            return data.total_count;
+    const cacheKey = versionedCacheKey(`merged-prs:${owner}/${repo}`);
+    // In-flight dedup: parallel vetting frequently hits several issues from
+    // one repo at once, and each used to pay a separate Search API call
+    // before the first populated the cache (#124).
+    return withInflightDedup(cache, cacheKey, async () => {
+        // Manual cache check — do not use cachedTimeBased because we must NOT
+        // cache error-path fallback values (a transient failure returning 0
+        // would poison the cache for 15 minutes, hiding that the user has
+        // merged PRs in the repo).
+        const cached = cache.getIfFresh(cacheKey, MERGED_PR_CACHE_TTL_MS);
+        if (cached != null && typeof cached === "number") {
+            return cached;
         }
-        finally {
-            // Always record the call — failed requests still consume GitHub rate limit points
-            tracker.recordCall();
+        try {
+            const tracker = getSearchBudgetTracker();
+            await tracker.waitForBudget();
+            try {
+                // Use @me to search as the authenticated user
+                const { data } = await octokit.search.issuesAndPullRequests({
+                    q: `repo:${owner}/${repo} is:pr is:merged author:@me`,
+                    per_page: 1, // We only need total_count
+                });
+                // Only cache successful results
+                cache.set(cacheKey, "", data.total_count);
+                return data.total_count;
+            }
+            finally {
+                // Always record the call — failed requests still consume GitHub rate limit points
+                tracker.recordCall();
+            }
         }
-    }
-    catch (error) {
-        if (getHttpStatusCode(error) === 401 || isRateLimitError(error)) {
-            throw error;
+        catch (error) {
+            rethrowIfFatal(error);
+            const errMsg = errorMessage(error);
+            warn(MODULE, `Could not check merged PRs in ${owner}/${repo}: ${errMsg}. Treating as unknown.`);
+            // null (not 0) so callers can tell a transient failure from a real zero
+            // and avoid caching verdicts built on it. Not cached — next call retries.
+            return null;
         }
-        const errMsg = errorMessage(error);
-        warn(MODULE, `Could not check merged PRs in ${owner}/${repo}: ${errMsg}. Defaulting to 0.`);
-        return 0; // Not cached — next call will retry
-    }
+    });
 }
 /**
  * Check whether an issue has been claimed by another contributor
@@ -167,27 +212,34 @@ export async function checkNotClaimed(octokit, owner, repo, issueNumber, comment
     if (commentCount === 0)
         return { passed: true };
     try {
-        // Paginate through all comments
-        const comments = await octokit.paginate(octokit.issues.listComments, {
-            owner,
-            repo,
-            issue_number: issueNumber,
-            per_page: 100,
-        }, (response) => response.data);
-        // Limit to last 100 comments to avoid excessive processing
-        const recentComments = comments.slice(-100);
+        // Fetch only the newest comments. Walking every page cost a
+        // 2,000-comment issue 20 list calls per vet, then discarded all but the
+        // tail anyway. Claims live in recent activity, so fetch the last page
+        // (plus its predecessor so a short last page still yields ~100+
+        // comments): at most 2 calls.
+        const PER_PAGE = 100;
+        const lastPage = Math.max(1, Math.ceil(commentCount / PER_PAGE));
+        const pagesToFetch = lastPage > 1 ? [lastPage - 1, lastPage] : [1];
+        const recentComments = [];
+        for (const page of pagesToFetch) {
+            const response = await octokit.issues.listComments({
+                owner,
+                repo,
+                issue_number: issueNumber,
+                per_page: PER_PAGE,
+                page,
+            });
+            recentComments.push(...response.data);
+        }
         for (const comment of recentComments) {
-            const body = (comment.body || "").toLowerCase();
-            if (CLAIM_PHRASES.some((phrase) => body.includes(phrase))) {
+            if (commentClaimsIssue(comment.body || "")) {
                 return { passed: false };
             }
         }
         return { passed: true };
     }
     catch (error) {
-        if (getHttpStatusCode(error) === 401 || isRateLimitError(error)) {
-            throw error;
-        }
+        rethrowIfFatal(error);
         const errMsg = errorMessage(error);
         warn(MODULE, `Failed to check claim status on ${owner}/${repo}#${issueNumber}: ${errMsg}. Assuming not claimed.`);
         return { passed: true, inconclusive: true, reason: errMsg };

package/dist/core/issue-graphql.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Batched GraphQL prefetch of issue "core" data (#169).
+ *
+ * `vetIssue` re-fetches each issue's basic fields (title, body, state, labels,
+ * timestamps, comment count) via a per-issue REST `issues.get`. When a search
+ * surfaces N issues that all need vetting, that is N separate REST calls before
+ * any of the deeper checks even start.
+ *
+ * `prefetchIssueCores` collapses those N calls into ONE aliased GraphQL query.
+ * The result is a map keyed by `owner/repo#number`; `vetIssue` consumes a hit
+ * instead of calling `issues.get`, and falls back to REST for any miss (a
+ * deleted issue, a permission error on one repo, or a non-fatal GraphQL blip).
+ *
+ * Scope is deliberately limited to the `issues.get` fields. The other vetting
+ * calls (timeline-based PR detection, claim scanning, project health,
+ * contribution guidelines) stay REST — batching those has pagination-semantics
+ * divergence risk and is left as a follow-up.
+ */
+import type { Octokit } from "@octokit/rest";
+/**
+ * Normalized issue fields equivalent to the subset of a REST `issues.get`
+ * response that `vetIssue` reads. Produced from either GraphQL (prefetch) or
+ * REST (fallback) so the two paths are interchangeable.
+ */
+export interface PrefetchedIssueCore {
+    /** GitHub numeric database id (REST `id` / GraphQL `databaseId`). */
+    id: number;
+    title: string;
+    /** Empty string when the issue has no body (matches REST `body || ""`). */
+    body: string;
+    state: "open" | "closed";
+    /** Label names, in declared order. */
+    labels: string[];
+    /** Total comment count (REST `comments` / GraphQL `comments.totalCount`). */
+    commentCount: number;
+    createdAt: string;
+    updatedAt: string;
+}
+/** A single issue to prefetch. */
+export interface IssueRef {
+    owner: string;
+    repo: string;
+    number: number;
+}
+/** Map key for a prefetched core, also used by callers to look one up. */
+export declare function issueCoreKey(owner: string, repo: string, number: number): string;
+/**
+ * Batch-fetch issue core data with one aliased GraphQL query. Returns a map of
+ * `owner/repo#number` to the normalized core. Issues that the query could not
+ * resolve are simply absent — the caller is expected to fall back to REST for
+ * any key not in the map.
+ *
+ * Failure handling mirrors the rest of the vetter: fatal errors (401 / rate
+ * limit) propagate via `rethrowIfFatal`; a partial-data GraphQL error (one bad
+ * issue in the batch) keeps the aliases that did resolve; any other non-fatal
+ * error returns whatever resolved so the caller degrades to all-REST.
+ */
+export declare function prefetchIssueCores(octokit: Octokit, issues: IssueRef[]): Promise<Map<string, PrefetchedIssueCore>>;