fix(api): blunt slop-risk / issue-slop REST + CLI to match the MCP tools (#6990)#7052
Conversation
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
|
Tip ✅ LoopOver review result - approve/merge recommendedReview updated: 2026-07-17 20:08:57 UTC
Review summary Nits — 3 non-blocking
Decision drivers
Context & advisory signals — never blocks the verdict
Linked issue satisfactionAddressed Review context
Contributor next steps
Signal definitions
🧪 Chat with LoopOverAsk LoopOver a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://loopover.ai/docs/loopover-commands 🧪 Experimental — new and may change. 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by LoopOver, a quiet PR intelligence layer for OSS maintainers.
|
Codecov Report✅ All modified and coverable lines are covered by tests.
Additional details and impacted files@@ Coverage Diff @@
## main #7052 +/- ##
==========================================
- Coverage 95.98% 88.02% -7.96%
==========================================
Files 609 692 +83
Lines 48137 68708 +20571
Branches 15132 18760 +3628
==========================================
+ Hits 46202 60477 +14275
- Misses 1118 6570 +5452
- Partials 817 1661 +844
Flags with carried forward coverage won't be shown. Click here to find out more.
|
mcp-v3.1.0 and miner-v3.1.0 are tagged and merged but stuck: GitHub's tag-protection ruleset rejects moving them to include the release pipeline fixes (#7054, #7060, #7064), and workflow_dispatch resolves a run's YAML from the ref it's dispatched against, so re-running those exact tags would still use the pre-fix workflow definitions. Bumping to fresh, never-tagged versions is the documented human-override path (publish-mcp.yml's own on: comment) around this exact situation. mcp v3.1.1 picks up one real fix that landed after v3.1.0's cut (#6990/#7052). miner v3.1.1 picks up two (bdb11d9, 77ca20f).
Summary
The
loopover_check_slop_riskandloopover_check_issue_slopMCP tools deliberately return only{ band, findings }— omitting the exact numeric score and rubric thresholds to prevent reverse-engineering the slop weights via controlled inputs. Their REST mirrors and CLI commands did not blunt at all:POST /v1/lint/slop-riskandPOST /v1/lint/issue-slopreturned the full numericslopRiskscore plus the rubric text, and the CLI printed the raw score straight through — so anyone could get exactly what the MCP blunting withholds simply by calling REST/CLI instead of the MCP tool.POST /v1/lint/slop-riskandPOST /v1/lint/issue-slopnow return the same blunted{ band, findings }shape as the MCP tools (no numeric score, no rubric); the now-unused rubric-constant imports are dropped.slop-risk/issue-slopcommands print the band only, and thereview-prreport's embedded slop line — which consumes the same route — does too.Why
The blunting exists to stop weight reverse-engineering through a value/gate signal; leaving the REST and CLI surfaces un-blunted defeated it entirely. This brings all served surfaces to parity with the MCP tools.
Validation
npm run typecheckclean.test/integration/api.test.ts(47 route tests) updated + green: both routes now assert{ band, findings }and explicitly assert the numericslopRiskscore andrubricare ABSENT.mcp-cli-slop-risk,mcp-cli-issue-slop,mcp-cli-review-pr) are updated to the blunted shape. The offline local self-check (loopover_check_slop_riskstdio tool) is intentionally left full — it computes on the user's own local inputs and is out of this served-surface leak's scope (mcp-local-check-slop-risk.test.tsalready pins that behavior).Closes #6990