Skip to content

fix(api): blunt slop-risk / issue-slop REST + CLI to match the MCP tools (#6990)#7052

Merged
loopover-orb[bot] merged 1 commit into
JSONbored:mainfrom
jeffrey701:fix-slop-blunt-rest-cli-6990
Jul 17, 2026
Merged

fix(api): blunt slop-risk / issue-slop REST + CLI to match the MCP tools (#6990)#7052
loopover-orb[bot] merged 1 commit into
JSONbored:mainfrom
jeffrey701:fix-slop-blunt-rest-cli-6990

Conversation

@jeffrey701

Copy link
Copy Markdown
Contributor

Summary

The loopover_check_slop_risk and loopover_check_issue_slop MCP tools deliberately return only { band, findings } — omitting the exact numeric score and rubric thresholds to prevent reverse-engineering the slop weights via controlled inputs. Their REST mirrors and CLI commands did not blunt at all: POST /v1/lint/slop-risk and POST /v1/lint/issue-slop returned the full numeric slopRisk score plus the rubric text, and the CLI printed the raw score straight through — so anyone could get exactly what the MCP blunting withholds simply by calling REST/CLI instead of the MCP tool.

  • POST /v1/lint/slop-risk and POST /v1/lint/issue-slop now return the same blunted { band, findings } shape as the MCP tools (no numeric score, no rubric); the now-unused rubric-constant imports are dropped.
  • The CLI slop-risk / issue-slop commands print the band only, and the review-pr report's embedded slop line — which consumes the same route — does too.

Why

The blunting exists to stop weight reverse-engineering through a value/gate signal; leaving the REST and CLI surfaces un-blunted defeated it entirely. This brings all served surfaces to parity with the MCP tools.

Validation

  • npm run typecheck clean.
  • test/integration/api.test.ts (47 route tests) updated + green: both routes now assert { band, findings } and explicitly assert the numeric slopRisk score and rubric are ABSENT.
  • The CLI test fixtures + assertions (mcp-cli-slop-risk, mcp-cli-issue-slop, mcp-cli-review-pr) are updated to the blunted shape. The offline local self-check (loopover_check_slop_risk stdio tool) is intentionally left full — it computes on the user's own local inputs and is out of this served-surface leak's scope (mcp-local-check-slop-risk.test.ts already pins that behavior).

Closes #6990

@jeffrey701
jeffrey701 requested a review from JSONbored as a code owner July 17, 2026 19:46
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 17, 2026
@loopover-orb

loopover-orb Bot commented Jul 17, 2026

Copy link
Copy Markdown

Tip

✅ LoopOver review result - approve/merge recommended

Review updated: 2026-07-17 20:08:57 UTC

7 files · 1 AI reviewer · no blockers · readiness 86/100 · CI green · clean

✅ Suggested Action - Approve/Merge

  • safe to merge

Review summary
The AI review returned non-blocking notes for this change but did not include a separate narrative summary. Review the nits below before deciding this PR.

Nits — 3 non-blocking
  • The two rubric-constant imports (ISSUE_SLOP_RUBRIC_MARKDOWN, SLOP_RUBRIC_MARKDOWN) are dropped from routes.ts — worth confirming they aren't dead exports elsewhere now that no route consumes them, or clean them up in signals/issue-slop.ts and signals/slop.ts if truly unused.
  • mcp-cli-harness.ts fixtures still compute an internal `slopRisk` variable to derive `band` but no longer return it — fine, but a short comment noting this is intentional (already present) is good; just confirm no other fixture consumer still expects the `slopRisk` field.
  • If `SLOP_RUBRIC_MARKDOWN`/`ISSUE_SLOP_RUBRIC_MARKDOWN` are now unused anywhere in src/, remove them to avoid dead exports lingering as a future footgun.

Decision drivers

  • ✅ Code review — No blockers (1 reviewer)
  • ✅ Gate result — Passing (No configured blocker found.)
Context & advisory signals — never blocks the verdict
Signal Result Evidence
Linked issue ✅ Linked #6990
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ❌ 8/20 High review scope from cached public metadata (1 linked issue).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 145 registered-repo PR(s), 70 merged, 32 issue(s).
Contributor context ✅ Confirmed Gittensor contributor jeffrey701; Gittensor profile; 145 PR(s), 32 issue(s).
Improvement ✅ Minor risk: clean · value: minor · LLM: moderate
Linked issue satisfaction

Addressed
Both REST routes now return only { band, findings } (rubric constants unused/removed, no numeric slopRisk in the response), and both CLI commands print band-only with tests explicitly asserting slopRisk/rubric are absent, matching the MCP tools' blunted shape.

Review context
  • Author: jeffrey701
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 145 PR(s), 32 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Start here: Add a concise scope and risk note.
  • Then work through the remaining 1 step in the Signals table above.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
🧪 Chat with LoopOver

Ask LoopOver a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @loopover ask <question> answers contribution-quality Q&A with source citations and freshness.
  • @loopover chat <question> answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @loopover mention with a real question is routed to the closest matching read-only command automatically — no exact syntax required.

Full command reference: https://loopover.ai/docs/loopover-commands

🧪 Experimental — new and may change.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by LoopOver, a quiet PR intelligence layer for OSS maintainers.

  • Re-run LoopOver review

@loopover-orb loopover-orb Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LoopOver approves — the gate is satisfied and CI is green.

@loopover-orb
loopover-orb Bot merged commit 9971476 into JSONbored:main Jul 17, 2026
14 checks passed
@codecov

codecov Bot commented Jul 17, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.02%. Comparing base (bdb11d9) to head (2016416).
⚠️ Report is 21 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (bdb11d9) and HEAD (2016416). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (bdb11d9) HEAD (2016416)
shard-2 1 0
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7052      +/-   ##
==========================================
- Coverage   95.98%   88.02%   -7.96%     
==========================================
  Files         609      692      +83     
  Lines       48137    68708   +20571     
  Branches    15132    18760    +3628     
==========================================
+ Hits        46202    60477   +14275     
- Misses       1118     6570    +5452     
- Partials      817     1661     +844     
Flag Coverage Δ
shard-1 43.79% <0.00%> (+0.40%) ⬆️
shard-2 ?
shard-3 33.30% <0.00%> (+0.14%) ⬆️
shard-4 33.89% <0.00%> (-0.50%) ⬇️
shard-5 32.24% <0.00%> (+0.57%) ⬆️
shard-6 45.75% <100.00%> (-0.31%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
src/api/routes.ts 92.50% <100.00%> (-2.46%) ⬇️

... and 193 files with indirect coverage changes

JSONbored added a commit that referenced this pull request Jul 17, 2026
mcp-v3.1.0 and miner-v3.1.0 are tagged and merged but stuck: GitHub's
tag-protection ruleset rejects moving them to include the release
pipeline fixes (#7054, #7060, #7064), and workflow_dispatch resolves a
run's YAML from the ref it's dispatched against, so re-running those
exact tags would still use the pre-fix workflow definitions. Bumping to
fresh, never-tagged versions is the documented human-override path
(publish-mcp.yml's own on: comment) around this exact situation.

mcp v3.1.1 picks up one real fix that landed after v3.1.0's cut
(#6990/#7052). miner v3.1.1 picks up two (bdb11d9, 77ca20f).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

REST + CLI slop-risk and issue-slop routes leak the numeric score MCP deliberately blunts

1 participant