@oss-scout/core 0.4.0 → 0.6.0

package/dist/core/anti-llm-policy.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Anti-LLM Policy — scans repo policy docs (CONTRIBUTING.md, CODE_OF_CONDUCT.md,
+ * README.md) for keywords that signal an anti-AI / anti-LLM contribution policy
+ * (e.g. "no AI-generated code", "human-authored only", "no Copilot contributions").
+ *
+ * The keyword table lives here as a single source of truth so consumers
+ * can rely on a structured `AntiLLMPolicyResult` rather than re-implementing
+ * the scan in agent prose.
+ */
+import { Octokit } from "@octokit/rest";
+import type { AntiLLMPolicyResult } from "./types.js";
+/**
+ * Conservative anti-LLM keyword phrases. Each entry is a lowercase substring
+ * that — when present in policy text — is a strong signal of an anti-AI policy.
+ * Phrases are deliberately narrow to avoid flagging "we use Copilot internally"
+ * style mentions; the table can grow as new patterns are observed.
+ */
+export declare const ANTI_LLM_KEYWORDS: readonly string[];
+/**
+ * Pure scan: does this text contain any anti-LLM keyword?
+ * Case-insensitive; returns the matched keywords (deduped, in table order).
+ */
+export declare function scanForAntiLLMPolicy(text: string): {
+    matched: boolean;
+    matchedKeywords: string[];
+};
+/**
+ * Optional caller hints to avoid duplicate fetches.
+ *
+ * `contributingText`:
+ *   - `string` — caller already fetched CONTRIBUTING; scan this text directly.
+ *   - `null`   — caller fetched and CONTRIBUTING is known absent; skip the family.
+ *   - `undefined` (omitted) — fetch as normal.
+ *
+ * Note: the per-repo result cache (1-hour TTL) is consulted before this hint.
+ * On a cache hit the cached result wins regardless of what is passed here.
+ */
+export interface AntiLLMPolicyOptions {
+    contributingText?: string | null;
+}
+/**
+ * Fetch CONTRIBUTING/CODE_OF_CONDUCT/README in priority order and return the
+ * first family whose text matches an anti-LLM keyword. Returns
+ * `{matched: false, matchedKeywords: [], sourceFile: null}` when no source
+ * file matches. Cached per-repo for POLICY_SCAN_CACHE_TTL_MS.
+ *
+ * Sequential by design: if CONTRIBUTING throws auth/rate-limit, we want to
+ * short-circuit rather than burn API budget on COC + README probes.
+ */
+export declare function fetchAndScanAntiLLMPolicy(octokit: Octokit, owner: string, repo: string, options?: AntiLLMPolicyOptions): Promise<AntiLLMPolicyResult>;

package/dist/core/anti-llm-policy.js

@@ -0,0 +1,207 @@
+/**
+ * Anti-LLM Policy — scans repo policy docs (CONTRIBUTING.md, CODE_OF_CONDUCT.md,
+ * README.md) for keywords that signal an anti-AI / anti-LLM contribution policy
+ * (e.g. "no AI-generated code", "human-authored only", "no Copilot contributions").
+ *
+ * The keyword table lives here as a single source of truth so consumers
+ * can rely on a structured `AntiLLMPolicyResult` rather than re-implementing
+ * the scan in agent prose.
+ */
+import { errorMessage, getHttpStatusCode, isRateLimitError } from "./errors.js";
+import { warn } from "./logger.js";
+import { getHttpCache } from "./http-cache.js";
+const MODULE = "anti-llm-policy";
+/** TTL for cached anti-LLM policy scan results (1 hour). Policy docs change rarely. */
+const POLICY_SCAN_CACHE_TTL_MS = 60 * 60 * 1000;
+/**
+ * Conservative anti-LLM keyword phrases. Each entry is a lowercase substring
+ * that — when present in policy text — is a strong signal of an anti-AI policy.
+ * Phrases are deliberately narrow to avoid flagging "we use Copilot internally"
+ * style mentions; the table can grow as new patterns are observed.
+ */
+export const ANTI_LLM_KEYWORDS = [
+    "no ai-generated",
+    "no ai generated",
+    "no ai-assisted",
+    "no ai assisted",
+    "no llm-generated",
+    "no llm generated",
+    "no copilot-generated",
+    "no chatgpt-generated",
+    "human-authored only",
+    "human authored only",
+    "human-written only",
+    "human written only",
+    "ai-free contributions",
+    "llm-free contributions",
+    "ai-generated code is not allowed",
+    "ai-generated code will not be accepted",
+    "do not submit ai-generated",
+    "do not submit llm-generated",
+    "do not use ai to",
+    "do not use llms",
+    "do not use copilot",
+    "do not use chatgpt",
+    "without ai assistance",
+    "without llm assistance",
+    "no use of generative ai",
+    "ban on ai-generated",
+    "prohibit ai-generated",
+    "prohibits ai-generated",
+];
+/**
+ * Pure scan: does this text contain any anti-LLM keyword?
+ * Case-insensitive; returns the matched keywords (deduped, in table order).
+ */
+export function scanForAntiLLMPolicy(text) {
+    if (!text)
+        return { matched: false, matchedKeywords: [] };
+    const haystack = text.toLowerCase();
+    const matchedKeywords = ANTI_LLM_KEYWORDS.filter((kw) => haystack.includes(kw));
+    return { matched: matchedKeywords.length > 0, matchedKeywords };
+}
+/** Source-file probe families, in priority order. First match wins. */
+const SOURCE_FILE_FAMILIES = [
+    {
+        canonical: "CONTRIBUTING.md",
+        paths: [
+            "CONTRIBUTING.md",
+            ".github/CONTRIBUTING.md",
+            "docs/CONTRIBUTING.md",
+            "contributing.md",
+        ],
+    },
+    {
+        canonical: "CODE_OF_CONDUCT.md",
+        paths: [
+            "CODE_OF_CONDUCT.md",
+            ".github/CODE_OF_CONDUCT.md",
+            "docs/CODE_OF_CONDUCT.md",
+            "code_of_conduct.md",
+        ],
+    },
+    {
+        canonical: "README.md",
+        paths: ["README.md", "readme.md", "Readme.md"],
+    },
+];
+/**
+ * Fetch one path's raw text content. The `transient` flag distinguishes a
+ * clean miss (404 — file absent) from a degraded miss (5xx, network) so the
+ * caller can decide whether to cache "no policy" or retry. Throws on
+ * 401/auth and rate-limit per documented project error strategy.
+ */
+async function fetchFileText(octokit, owner, repo, path) {
+    try {
+        const { data } = await octokit.repos.getContent({ owner, repo, path });
+        if ("content" in data && typeof data.content === "string") {
+            return {
+                text: Buffer.from(data.content, "base64").toString("utf-8"),
+                transient: false,
+            };
+        }
+        return { text: null, transient: false };
+    }
+    catch (error) {
+        const status = getHttpStatusCode(error);
+        if (status === 404)
+            return { text: null, transient: false };
+        if (status === 401 || isRateLimitError(error))
+            throw error;
+        warn(MODULE, `Unexpected error fetching ${path} from ${owner}/${repo}: ${errorMessage(error)}`);
+        return { text: null, transient: true };
+    }
+}
+/**
+ * Fetch the first available file from a family. Probes are issued in parallel,
+ * but auth/rate-limit rejections re-throw so the IssueVetter's existing
+ * rate-limit handling kicks in instead of silently caching a wrong answer.
+ */
+async function fetchFamilyText(octokit, owner, repo, paths) {
+    const results = await Promise.allSettled(paths.map((p) => fetchFileText(octokit, owner, repo, p)));
+    let hadTransientFailure = false;
+    for (const result of results) {
+        if (result.status === "fulfilled") {
+            if (result.value.transient)
+                hadTransientFailure = true;
+            if (result.value.text)
+                return { text: result.value.text, hadTransientFailure };
+        }
+        else {
+            // Re-throw so vetIssuesParallel's isRateLimitError classifier sees it.
+            if (isRateLimitError(result.reason) ||
+                getHttpStatusCode(result.reason) === 401) {
+                throw result.reason;
+            }
+            hadTransientFailure = true;
+        }
+    }
+    return { text: null, hadTransientFailure };
+}
+/** Cached value passes runtime shape checks for AntiLLMPolicyResult. */
+function isAntiLLMPolicyResult(value) {
+    if (!value || typeof value !== "object")
+        return false;
+    const v = value;
+    if (typeof v.matched !== "boolean")
+        return false;
+    if (!Array.isArray(v.matchedKeywords))
+        return false;
+    if (v.sourceFile !== null && typeof v.sourceFile !== "string")
+        return false;
+    return true;
+}
+/**
+ * Fetch CONTRIBUTING/CODE_OF_CONDUCT/README in priority order and return the
+ * first family whose text matches an anti-LLM keyword. Returns
+ * `{matched: false, matchedKeywords: [], sourceFile: null}` when no source
+ * file matches. Cached per-repo for POLICY_SCAN_CACHE_TTL_MS.
+ *
+ * Sequential by design: if CONTRIBUTING throws auth/rate-limit, we want to
+ * short-circuit rather than burn API budget on COC + README probes.
+ */
+export async function fetchAndScanAntiLLMPolicy(octokit, owner, repo, options) {
+    const cache = getHttpCache();
+    const cacheKey = `anti-llm-policy:${owner}/${repo}`;
+    const cached = cache.getIfFresh(cacheKey, POLICY_SCAN_CACHE_TTL_MS);
+    if (isAntiLLMPolicyResult(cached))
+        return cached;
+    let anyTransientFailure = false;
+    for (const family of SOURCE_FILE_FAMILIES) {
+        let text;
+        let hadTransientFailure = false;
+        if (family.canonical === "CONTRIBUTING.md" &&
+            options?.contributingText !== undefined) {
+            // Use caller-provided text. null = known absent, string = use directly.
+            text = options.contributingText;
+        }
+        else {
+            ({ text, hadTransientFailure } = await fetchFamilyText(octokit, owner, repo, family.paths));
+        }
+        if (hadTransientFailure)
+            anyTransientFailure = true;
+        if (!text)
+            continue;
+        const { matched, matchedKeywords } = scanForAntiLLMPolicy(text);
+        if (matched) {
+            const result = {
+                matched: true,
+                matchedKeywords,
+                sourceFile: family.canonical,
+            };
+            cache.set(cacheKey, "", result);
+            return result;
+        }
+    }
+    const noMatch = {
+        matched: false,
+        matchedKeywords: [],
+        sourceFile: null,
+    };
+    // Skip the cache write when probes failed transiently — otherwise a
+    // single 5xx pin "no policy" for an hour for a repo that may actually have one.
+    if (!anyTransientFailure) {
+        cache.set(cacheKey, "", noMatch);
+    }
+    return noMatch;
+}

package/dist/core/bootstrap.d.ts

@@ -7,6 +7,7 @@ export interface BootstrapResult {
     starredRepoCount: number;
     mergedPRCount: number;
     closedPRCount: number;
+    openPRCount: number;
     reposScoredCount: number;
     skippedDueToRateLimit: boolean;
     errors: string[];

package/dist/core/bootstrap.js

@@ -4,7 +4,7 @@
  */
 import { getOctokit, checkRateLimit } from "./github.js";
 import { debug, warn } from "./logger.js";
-import { ConfigurationError, errorMessage } from "./errors.js";
+import { ConfigurationError, errorMessage, getHttpStatusCode, isRateLimitError, } from "./errors.js";
 import { extractRepoFromUrl } from "./utils.js";
 const MODULE = "bootstrap";
 const STARRED_MAX_PAGES = 5;
@@ -23,6 +23,7 @@ export async function bootstrapScout(scout, token) {
             starredRepoCount: 0,
             mergedPRCount: 0,
             closedPRCount: 0,
+            openPRCount: 0,
             reposScoredCount: 0,
             skippedDueToRateLimit: true,
             errors: [],
@@ -80,6 +81,8 @@ export async function bootstrapScout(scout, token) {
         debug(MODULE, `Imported ${mergedPRCount} merged PRs`);
     }
     catch (err) {
+        if (getHttpStatusCode(err) === 401 || isRateLimitError(err))
+            throw err;
         warn(MODULE, `Failed to fetch merged PRs: ${errorMessage(err)}`);
         errors.push("merged PR fetch failed");
     }
@@ -110,15 +113,50 @@ export async function bootstrapScout(scout, token) {
         debug(MODULE, `Imported ${closedPRCount} closed PRs`);
     }
     catch (err) {
+        if (getHttpStatusCode(err) === 401 || isRateLimitError(err))
+            throw err;
         warn(MODULE, `Failed to fetch closed PRs: ${errorMessage(err)}`);
         errors.push("closed PR fetch failed");
     }
+    // 4. Fetch currently-open PRs via Search API
+    let openPRCount = 0;
+    try {
+        for (let page = 1; page <= SEARCH_MAX_PAGES; page++) {
+            const { data } = await octokit.search.issuesAndPullRequests({
+                q: `is:pr is:open author:${username}`,
+                per_page: PER_PAGE,
+                page,
+            });
+            for (const item of data.items) {
+                const repo = extractRepoFromUrl(item.html_url);
+                if (!repo)
+                    continue;
+                scout.recordOpenPR({
+                    url: item.html_url,
+                    title: item.title,
+                    openedAt: item.created_at ?? new Date().toISOString(),
+                    repo,
+                });
+                openPRCount++;
+            }
+            if (data.items.length < PER_PAGE)
+                break;
+        }
+        debug(MODULE, `Imported ${openPRCount} open PRs`);
+    }
+    catch (err) {
+        if (getHttpStatusCode(err) === 401 || isRateLimitError(err))
+            throw err;
+        warn(MODULE, `Failed to fetch open PRs: ${errorMessage(err)}`);
+        errors.push("open PR fetch failed");
+    }
     const state = scout.getState();
     const reposScoredCount = Object.keys(state.repoScores).length;
     return {
         starredRepoCount: starredRepos.length,
         mergedPRCount,
         closedPRCount,
+        openPRCount,
         reposScoredCount,
         skippedDueToRateLimit: false,
         errors,

package/dist/core/gist-state-store.d.ts

@@ -88,7 +88,7 @@ export declare class GistStateStore {
 /**
  * Merge two ScoutState objects with conflict resolution:
  * - repoScores: per-repo, keep the one with more total PR activity
- * - mergedPRs/closedPRs: union by URL
+ * - mergedPRs/closedPRs/openPRs: union by URL
  * - preferences: remote wins
  * - starredRepos: keep the list with the fresher timestamp
  * - savedResults: union by issueUrl, keep newer lastSeenAt

package/dist/core/gist-state-store.js

@@ -238,7 +238,7 @@ export class GistStateStore {
 /**
  * Merge two ScoutState objects with conflict resolution:
  * - repoScores: per-repo, keep the one with more total PR activity
- * - mergedPRs/closedPRs: union by URL
+ * - mergedPRs/closedPRs/openPRs: union by URL
  * - preferences: remote wins
  * - starredRepos: keep the list with the fresher timestamp
  * - savedResults: union by issueUrl, keep newer lastSeenAt
@@ -252,6 +252,7 @@ export function mergeStates(local, remote) {
         starredReposLastFetched: pickFresherTimestamp(local.starredReposLastFetched, remote.starredReposLastFetched),
         mergedPRs: unionByUrl(local.mergedPRs, remote.mergedPRs),
         closedPRs: unionByUrl(local.closedPRs, remote.closedPRs),
+        openPRs: unionByUrl(local.openPRs ?? [], remote.openPRs ?? []),
         savedResults: mergeSavedResults(local.savedResults ?? [], remote.savedResults ?? []),
         skippedIssues: mergeSkippedIssues(local.skippedIssues ?? [], remote.skippedIssues ?? []),
         lastSearchAt: pickFresherTimestamp(local.lastSearchAt, remote.lastSearchAt),

package/dist/core/issue-discovery.js

@@ -326,6 +326,7 @@ export class IssueDiscovery {
         }
         // Derive search context
         const mergedPRRepos = this.stateReader.getReposWithMergedPRs();
+        const openPRRepos = this.stateReader.getReposWithOpenPRs();
         const starredRepos = this.getStarredRepos();
         const starredRepoSet = new Set(starredRepos);
         const lowScoringRepos = new Set(this.deriveLowScoringRepos(config.minRepoScoreThreshold));
@@ -352,8 +353,19 @@ export class IssueDiscovery {
             now: new Date(),
             includeDocIssues: config.includeDocIssues ?? true,
         });
-        // Phase 0: Merged-PR repos
-        const phase0Repos = mergedPRRepos.slice(0, 10);
+        // Phase 0: Repos the user has engaged with — merged PRs first (strongest
+        // signal), then open PRs (active engagement even without a merge yet).
+        // Deduped and capped so REST cost stays bounded.
+        const seenPhase0 = new Set();
+        const phase0Repos = [];
+        for (const repo of [...mergedPRRepos, ...openPRRepos]) {
+            if (seenPhase0.has(repo))
+                continue;
+            seenPhase0.add(repo);
+            phase0Repos.push(repo);
+            if (phase0Repos.length >= 10)
+                break;
+        }
         const phase0RepoSet = new Set(phase0Repos);
         if (phase0Repos.length > 0 && enabledStrategies.has("merged")) {
             const remaining = maxResults - allCandidates.length;

package/dist/core/issue-eligibility.d.ts

@@ -6,13 +6,17 @@
  * Extracted from issue-vetting.ts to isolate eligibility logic.
  */
 import { Octokit } from "@octokit/rest";
-import type { CheckResult } from "./types.js";
+import type { CheckResult, LinkedPR } from "./types.js";
+/** Result of the existing-PR check, including metadata for the first linked PR (if any). */
+export interface ExistingPRCheckResult extends CheckResult {
+    linkedPR: LinkedPR | null;
+}
 /**
  * Check whether an open PR already exists for the given issue.
  * Uses the timeline API (REST) to detect cross-referenced PRs, avoiding
  * the Search API's strict 30 req/min rate limit.
  */
-export declare function checkNoExistingPR(octokit: Octokit, owner: string, repo: string, issueNumber: number): Promise<CheckResult>;
+export declare function checkNoExistingPR(octokit: Octokit, owner: string, repo: string, issueNumber: number): Promise<ExistingPRCheckResult>;
 /**
  * Check how many merged PRs the authenticated user has in a repo.
  * Uses GitHub Search API. Returns 0 on error (non-fatal).

package/dist/core/issue-eligibility.js

@@ -6,10 +6,44 @@
  * Extracted from issue-vetting.ts to isolate eligibility logic.
  */
 import { paginateAll } from "./pagination.js";
-import { errorMessage } from "./errors.js";
+import { errorMessage, getHttpStatusCode, isRateLimitError } from "./errors.js";
 import { warn } from "./logger.js";
 import { getHttpCache } from "./http-cache.js";
 import { getSearchBudgetTracker } from "./search-budget.js";
+function isLinkedPREvent(e) {
+    return e.event === "cross-referenced" && !!e.source?.issue?.pull_request;
+}
+/**
+ * Build a LinkedPR from a cross-referenced timeline event's source.issue.
+ * Returns null if required fields are missing — and warns, because callers
+ * only invoke this after asserting the event is a linked-PR event, so a
+ * null return signals API shape drift, not absent data.
+ */
+function buildLinkedPRFromTimelineEvent(e, context) {
+    const issue = e.source?.issue;
+    const ctx = `${context.owner}/${context.repo}#${context.issueNumber}`;
+    if (!issue || typeof issue.number !== "number") {
+        warn(MODULE, `Cross-referenced timeline event for ${ctx} missing source.issue.number — possible API shape drift`);
+        return null;
+    }
+    const author = issue.user?.login;
+    if (!author) {
+        warn(MODULE, `Cross-referenced PR #${issue.number} for ${ctx} has no user.login (deleted user?) — skipping linkedPR metadata`);
+        return null;
+    }
+    const url = issue.html_url;
+    if (!url) {
+        warn(MODULE, `Cross-referenced PR #${issue.number} for ${ctx} missing html_url — skipping linkedPR metadata`);
+        return null;
+    }
+    return {
+        number: issue.number,
+        author,
+        state: issue.state === "closed" ? "closed" : "open",
+        merged: !!issue.pull_request?.merged_at,
+        url,
+    };
+}
 const MODULE = "issue-eligibility";
 /** Phrases that indicate someone has already claimed an issue. */
 const CLAIM_PHRASES = [
@@ -48,16 +82,31 @@ export async function checkNoExistingPR(octokit, owner, repo, issueNumber) {
             per_page: 100,
             page,
         }));
-        const linkedPRs = timeline.filter((event) => {
+        // Single pass: count linked-PR events and capture metadata for the
+        // first valid one, so consumers can classify (own vs. competing,
+        // open vs. closed-unmerged) without a separate fetch.
+        let linkedPRCount = 0;
+        let linkedPR = null;
+        for (const event of timeline) {
             const e = event;
-            return e.event === "cross-referenced" && e.source?.issue?.pull_request;
-        });
-        return { passed: linkedPRs.length === 0 };
+            if (!isLinkedPREvent(e))
+                continue;
+            linkedPRCount++;
+            linkedPR ??= buildLinkedPRFromTimelineEvent(e, {
+                owner,
+                repo,
+                issueNumber,
+            });
+        }
+        return { passed: linkedPRCount === 0, linkedPR };
     }
     catch (error) {
+        if (getHttpStatusCode(error) === 401 || isRateLimitError(error)) {
+            throw error;
+        }
         const errMsg = errorMessage(error);
         warn(MODULE, `Failed to check for existing PRs on ${owner}/${repo}#${issueNumber}: ${errMsg}. Assuming no existing PR.`);
-        return { passed: true, inconclusive: true, reason: errMsg };
+        return { passed: true, inconclusive: true, reason: errMsg, linkedPR: null };
     }
 }
 /** TTL for cached merged-PR counts per repo (15 minutes). */
@@ -97,6 +146,9 @@ export async function checkUserMergedPRsInRepo(octokit, owner, repo) {
         }
     }
     catch (error) {
+        if (getHttpStatusCode(error) === 401 || isRateLimitError(error)) {
+            throw error;
+        }
         const errMsg = errorMessage(error);
         warn(MODULE, `Could not check merged PRs in ${owner}/${repo}: ${errMsg}. Defaulting to 0.`);
         return 0; // Not cached — next call will retry
@@ -128,6 +180,9 @@ export async function checkNotClaimed(octokit, owner, repo, issueNumber, comment
         return { passed: true };
     }
     catch (error) {
+        if (getHttpStatusCode(error) === 401 || isRateLimitError(error)) {
+            throw error;
+        }
         const errMsg = errorMessage(error);
         warn(MODULE, `Failed to check claim status on ${owner}/${repo}#${issueNumber}: ${errMsg}. Assuming not claimed.`);
         return { passed: true, inconclusive: true, reason: errMsg };

package/dist/core/issue-vetting.d.ts

@@ -15,6 +15,8 @@ import { type SearchPriority, type IssueCandidate, type ProjectCategory } from "
 export interface ScoutStateReader {
     /** Repos where the user has at least one merged PR. */
     getReposWithMergedPRs(): string[];
+    /** Repos where the user has at least one open PR. */
+    getReposWithOpenPRs(): string[];
     /** User's starred repos (from GitHub). */
     getStarredRepos(): string[];
     /** Preferred project categories from user preferences. */

package/dist/core/issue-vetting.js

@@ -13,6 +13,7 @@ import { calculateRepoQualityBonus, calculateViabilityScore, } from "./issue-sco
 import { repoBelongsToCategory } from "./category-mapping.js";
 import { checkNoExistingPR, checkNotClaimed, checkUserMergedPRsInRepo, analyzeRequirements, } from "./issue-eligibility.js";
 import { checkProjectHealth, fetchContributionGuidelines, } from "./repo-health.js";
+import { fetchAndScanAntiLLMPolicy } from "./anti-llm-policy.js";
 import { getHttpCache } from "./http-cache.js";
 const MODULE = "issue-vetting";
 /** Vetting concurrency: kept low to reduce burst pressure on GitHub's secondary rate limit. */
@@ -68,6 +69,13 @@ export class IssueVetter {
                 ? Promise.resolve(0)
                 : checkUserMergedPRsInRepo(this.octokit, owner, repo),
         ]);
+        // Anti-LLM scan reuses the CONTRIBUTING text just fetched above —
+        // dedup'd to avoid 4 redundant getContent calls on cold-cache repos.
+        // We deliberately pass undefined (not null) when guidelines is missing,
+        // because fetchContributionGuidelines returns undefined for BOTH a 404
+        // and a transient 5xx — collapsing them to null would bypass the
+        // anti-llm-policy transient-failure cache safeguard.
+        const antiLLMPolicy = await fetchAndScanAntiLLMPolicy(this.octokit, owner, repo, { contributingText: contributionGuidelines?.rawContent });
         const noExistingPR = existingPRCheck.passed;
         const notClaimed = claimCheck.passed;
         // Analyze issue quality
@@ -87,6 +95,7 @@ export class IssueVetter {
                 contributionGuidelinesFound: !!contributionGuidelines,
             },
             contributionGuidelines,
+            linkedPR: existingPRCheck.linkedPR,
             notes: [],
         };
         // Build notes
@@ -216,6 +225,7 @@ export class IssueVetter {
             issue: trackedIssue,
             vettingResult,
             projectHealth,
+            antiLLMPolicy,
             recommendation,
             reasonsToSkip,
             reasonsToApprove,

package/dist/core/repo-health.js

@@ -5,7 +5,7 @@
  * from issue-level eligibility logic.
  */
 import { daysBetween } from "./utils.js";
-import { errorMessage } from "./errors.js";
+import { errorMessage, getHttpStatusCode, isRateLimitError } from "./errors.js";
 import { warn } from "./logger.js";
 import { getHttpCache, cachedRequest, cachedTimeBased } from "./http-cache.js";
 const MODULE = "repo-health";
@@ -114,6 +114,17 @@ export async function fetchContributionGuidelines(octokit, owner, repo) {
         }
         return null;
     })));
+    // Pre-scan: auth/rate-limit must propagate even if a faster probe succeeded —
+    // otherwise a path-restricted token that 401s on .github/CONTRIBUTING.md but
+    // wins on CONTRIBUTING.md would silently hide the auth misconfiguration.
+    for (const result of results) {
+        if (result.status !== "rejected")
+            continue;
+        if (getHttpStatusCode(result.reason) === 401 ||
+            isRateLimitError(result.reason)) {
+            throw result.reason;
+        }
+    }
     for (let i = 0; i < results.length; i++) {
         const result = results[i];
         if (result.status === "fulfilled" && result.value) {
@@ -123,11 +134,9 @@ export async function fetchContributionGuidelines(octokit, owner, repo) {
             return guidelines;
         }
         if (result.status === "rejected") {
-            const msg = result.reason instanceof Error
-                ? result.reason.message
-                : String(result.reason);
-            if (!msg.includes("404") && !msg.includes("Not Found")) {
-                warn(MODULE, `Unexpected error fetching ${filesToCheck[i]} from ${owner}/${repo}: ${msg}`);
+            const status = getHttpStatusCode(result.reason);
+            if (status !== 404) {
+                warn(MODULE, `Unexpected error fetching ${filesToCheck[i]} from ${owner}/${repo}: ${errorMessage(result.reason)}`);
             }
         }
     }