Objective
Restrict Every Code comment ingestion so only trusted humans can send feedback to Every Code sessions.
Finish Line
Every Code only consumes GitHub comments, reviews, and preview commands from trusted actors: repo owner, configured managers, and source issue author where explicitly allowed; bots and untrusted commenters are accepted-but-skipped without reaching the worker/session.
Current Status
State: Immediate Every Code feedback ingestion bug is fixed and deployed in PR #515: bot/untrusted comments are skipped, repo owner is trusted, source issue author can validate previews, and configured managers are accepted from planning JSON as a bootstrap policy source. The reusable thin preview workflow contract from #509 has landed, so #509 is no longer a native blocker for this issue. Remaining work is the broader authority move: replace local planning JSON as live authority with a Launchplane-owned mutable repo trust policy/API/UI.
Next action: Design the Launchplane-owned mutable repo trust policy/API/UI after choosing the preview-enabled repo migration path; do not treat #509's completed contract slice as a blocker.
Blocked by: No native issue blocker.
Waiting for: Product/Launchplane boundary decision for repo trust policy authority and preview-enabled repo migration scope.
Last verified: 2026-05-18 during issue-graph cleanup; #509 native blocker removed because its reusable contract slice is complete.
Scope
- Every Code PR issue comments.
- Pull request reviews and review comments routed as Every Code feedback.
- Source issue /preview ok and /preview changes ... commands.
- Trusted actor lookup from repo owner plus configured manager routing.
- Bot and untrusted-user skip responses with durable tests.
Acceptance Criteria
- cbusillo/repo owner can always use /preview ok, /preview changes ..., and PR feedback comments on managed repos.
- Configured managers can use the same feedback surfaces when the repository mapping grants them authority.
- The source issue author can continue to approve or request preview changes for their own Every Code request.
- Bot-authored comments, including github-actions[bot], never create pending Every Code PR feedback or reach the local Every Code session.
- Untrusted human commenters are accepted and skipped with an auditable reason.
- Tests cover repo owner, manager, source issue author, bot, and untrusted-user behavior.
Relationships
Validation
- Targeted service tests for Every Code webhook PR feedback and preview validation comments.
- Typecheck and lint for touched Launchplane files.
Decisions
- Webhook signature validation is necessary transport security but not sufficient actor authorization.
Open Questions
- Which JSON is the canonical manager mapping for this path: workspace planning config, product profile metadata, or a Launchplane-managed repo policy record?
- Should repo admins be trusted in addition to repo owner and configured managers, or should this stay narrower for Every Code feedback?
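
An added sketch, not Launchplane's code, of the decision recorded above: the webhook signature is checked as transport security, then the commenter is authorized separately. The `MANAGERS` mapping, the function names, the logins and the reading that the source issue author is trusted for preview commands only are assumptions; payload fields follow GitHub's `issue_comment` webhook.

```python
import hashlib
import hmac
import json

# Constructed policy: the manager mapping and its shape are assumptions.
MANAGERS = {"owner-carol/example-repo": {"manager-alice"}}
PREVIEW_PREFIXES = ("/preview ok", "/preview changes")


def signature_valid(secret: bytes, body: bytes, header: str) -> bool:
    """Transport check: X-Hub-Signature-256 is 'sha256=' + HMAC-SHA256(body)."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (header or "").encode())


def decide(secret: bytes, body: bytes, header: str) -> tuple[str, str]:
    """Return (action, reason); only 'forward' may reach the worker/session."""
    if not signature_valid(secret, body, header):
        return "reject", "bad_signature"
    event = json.loads(body)
    user = event["comment"]["user"]
    login, repo = user["login"], event["repository"]
    # Bots are skipped first so a bot login can never match a trust rule.
    if user.get("type") == "Bot" or login.endswith("[bot]"):
        return "skip", "bot_author"
    if login == repo["owner"]["login"]:
        return "forward", "repo_owner"
    if login in MANAGERS.get(repo["full_name"], set()):
        return "forward", "configured_manager"
    # Assumption: the source issue author is trusted for preview commands only.
    is_preview = event["comment"]["body"].strip().startswith(PREVIEW_PREFIXES)
    if is_preview and login == event["issue"]["user"]["login"]:
        return "forward", "source_issue_author"
    # Accepted-but-skipped, with a reason string that can be audited.
    return "skip", "untrusted_actor"


def signed(secret: bytes, login: str, text: str, kind: str = "User") -> tuple[bytes, str]:
    """Build a constructed issue_comment delivery and its signature header."""
    body = json.dumps({
        "comment": {"user": {"login": login, "type": kind}, "body": text},
        "issue": {"user": {"login": "requester-bob"}},
        "repository": {"full_name": "owner-carol/example-repo",
                       "owner": {"login": "owner-carol"}},
    }).encode()
    return body, "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
```

A validly signed delivery from `github-actions[bot]` still returns `("skip", "bot_author")`: the signature proves the sender is GitHub, not that the commenter has authority.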