PR Backlog — Data-Driven Overview and Suggestions from a Contributor

[ecthelion77]

Hi @crivetimihai,

First, thank you for the incredible work on ContextForge. We have been running a POC deployment for a few weeks at our company and are really impressed with the platform's potential. We also maintain a small fork with 9 open PRs upstream, so we have a direct stake in the health of the contribution pipeline.

While preparing our next set of contributions, we analyzed the current PR backlog programmatically (GitHub API) to better understand where things stand and how we might help. We are sharing this analysis in the hope it is useful — not to criticize, but to offer a data point that might save you some time.

Backlog Snapshot (Apr 8, 2026)

Metric	Value
Open PRs	168
Ready	~151
Draft	~17
Merged in last 14 days	~90
Stale (> 30 days, no activity)	~70 (42%)
Zero completed reviews	~96%

The merge rate is healthy (~6/day), which is impressive for a project of this size. The backlog appears to be growing slowly because the inflow rate is slightly higher.

Code-Verified Superseded PRs

We compared the actual changed files and code diffs for pairs of PRs that appeared to address the same problem. Out of 10 candidate pairs, only 4 are confirmed superseded (the rest turned out to be complementary features or partial overlaps with different scope):

PR (close candidate)	Superseded By	Evidence
#3899	#3938	Identical results_store.py patch (SQL injection fix for #3898). #3938 adds an extra run_mutmut.py security fix — strict superset.
#3653	#3978	All 13 files in #3653 are also in #3978 (26 files). #3978 doubles meta-tools (6→12), adds Admin UI/RBAC/OAuth/vector search. #3653's heavy refactoring makes it harder to merge with current main.
#3192	#3692	All 9 files in #3192 are also in #3692 (18 files). Same _user → current_user_ctx rename (#2505). #3192 misses 9 files. #3692 is the complete version.
#3726	#3729	Same author, 14/17 files identical. #3726 dispatches via Axum Router (HTTP re-encoding overhead), #3729 calls handlers directly (zero-copy, removes tower dep). Architectural refinement.

We also found 2 pairs with partial overlap that would need coordination (not superseded):

• feat: include full URL in OAuth authorization error messages #4055 / fix: use absolute OAuth authorize URL and allow non-admin users to authorize #4000: Both fix OAuth relative-URL bug, but touch different files. Only tool_service.py overlaps. Merging fix: use absolute OAuth authorize URL and allow non-admin users to authorize #4000 still leaves 2 files from feat: include full URL in OAuth authorization error messages #4055 unfixed.
• feat: add semantic auto filtering #3782 / feat(plugins): add CRT-based semantic tool router plugin (#1428) #3766: Same CRT router plugin code (byte-for-byte identical in 12 files) but wired with different integration architectures — neither is a superset.

And 3 pairs that are fully complementary (zero functional overlap despite similar titles):

• feat(api): add embedding and semantic search services #3594 / feat(api): add Virtual Meta Server implementation #3653: Embedding infrastructure vs meta-server abstraction (different features, same author, feat(api): add Virtual Meta Server implementation #3653 likely depends on feat(api): add embedding and semantic search services #3594)
• feat(vfs): Virtual Tool Filesystem for browsable tool metadata #3175 / feat(mcp): add secure code execution and virtual tool filesystem #3149: Standalone VFS service vs full Code Mode (same concept, completely different implementations)
• feat(plugins): add Source Scanner plugin scaffold with Semgrep integration #3195 / feat(security): add custom Semgrep rules for MCP patterns (#2237) #3568: Source Scanner plugin (engine) vs Semgrep rule YAMLs (rules) — zero file overlap

Finally, #3652 has its head branch set to main (same as base) — it is structurally unmergeable and has had zero engagement since March 20.

Conflict Clusters We Identified

A few groups of PRs seem to touch overlapping areas and would likely conflict if merged in the wrong order. From our analysis:

Observability chain: #3977 → #4050 → #3964 → #3584 — these all touch the observability layer and have an implicit dependency order.

OAuth/Auth improvements: #4055, #4000, #4048, #3992, #3993, #3715, #3695 — several of these modify the same OAuth flow paths.

Rename refactors: #3192, #3692, #3875 — each touches 18+ files. Merging any one would create significant rebase churn for the others.

CPEX Plugin Migration (#3754)

We noticed #3754 is labeled MUST / RC3 and is still in Draft. It changes 333 files and removes 34k+ lines. From our count, ~12 open plugin PRs would need to be rebased or reworked once it merges. Any signal on the intended timeline would help contributors plan their plugin-related work.

Suggested "Quick Win" Wave

If it helps, here are 15 PRs we identified as low-risk, small-scope changes that could be reviewed and merged quickly to reduce the backlog:

• Security fixes: security: Replace os.system() with shutil.rmtree() in run_mutmut.py #3944 (os.system → shutil.rmtree), fix: use parameterized query to prevent SQL injection in cleanup_old_results #3938 (SQL injection parameterized query)
• Bug fixes: fix: convert schema PromptArgument to mcp types in prompts/list handler #3963 (PromptArgument type), fix/3879-mcp-plugin-context-sharing #3915 (plugin context sharing), Fixed time in test to avoid test failing due time window #4065 (test timing)
• OAuth (our PRs): fix: handle missing expires_in in OAuth token response #3992 (expires_in), fix: include resource_metadata in all 401 WWW-Authenticate responses #3993 (resource_metadata 401), feat: expose token_endpoint_auth_method in gateway admin UI #3994 (token_endpoint_auth_method UI), feat(sso): add SSO_ENTRA_TEAM_MAPPING env var for declarative team mapping #3999 (SSO team mapping env), fix: use absolute OAuth authorize URL and allow non-admin users to authorize #4000 (absolute OAuth URL)
• Small improvements: fix(ui): clarify MCP Servers and Virtual Servers naming in admin UI #3988 (naming clarification), chore(docs): add AgentAudit safe badge #3199 (badge), test(api): add regression coverage for prompt original_name during federation (#3087) #3208 (test coverage), fix(llmchat): add missing LangChain/LangGraph dependencies in Containerfiles #3922 (LangChain deps), feat(sso): add SSO_OKTA_APIAM_ENABLED to support Okta Org Authorization Server #3957 (Okta toggle)

Additionally, there are 4 new release-fix PRs from @bogdanmariusc10 (#4074, #4079, #4080, #4081) that look like urgent, small fixes.

How We Can Help

We are happy to:

• Help review PRs in areas we know (OAuth, gateway config, plugins)
• Test PRs against our deployment before merge
• Help triage the superseded/duplicate PRs listed above
• Take on integration testing for conflict clusters if given a merge order

We are a small team running a POC, so our bandwidth is limited, but we want to contribute where we can.

---

Disclosure: This analysis was prepared with the assistance of an AI agent (GitHub Copilot) querying the GitHub API programmatically. Every PR referenced was individually verified via API. Despite review, some categorizations may not reflect the full technical context. Corrections and feedback are very welcome.