docs: stop promising entry auto-merge until it exists + draft entry-auto-merge proposal

Two problems in registration UX, fixed honestly in this PR + designed for in a
follow-up:

1. README and the PR template both claim "CI validates the entry and auto-merges
   if it passes. No human review needed." That contradicts CI spec invariant #6
   ("Entries never auto-merge — a maintainer reviews every PR") and the
   workflow itself (quick-check.yml labels `ready-for-review` and stops). The
   docs were aspirational; reality requires a maintainer click. This commit
   corrects the docs to describe what actually happens today.

2. The reason the spec disabled auto-merge — fear of a buggy/compromised
   quick-check rubber-stamping anything — is the wrong threat model. The real
   threats auto-merge exposes are semantic (id-squatting, brand impersonation,
   author impersonation, description deception, legal misrepresentation), not
   install-time. None of those are catchable by `pip install` + `Benchmark`
   import; all of them are exactly what an LLM reviewer with structured output
   is good at.

   `openspec/changes/entry-auto-merge/` proposes adding `entry-review.yml`
   (Claude action returning verdict PASS|CONCERN with per-check booleans) as
   a CI gate, and enabling auto-merge when ownership + quick + entry-review
   all pass. Phased: this PR is Phase 0 (doc truth); Phase 1 ships the
   reviewer + auto-merge as a follow-up registry PR; Phase 2 moves slow-check
   pre-merge with a fork-PR label-gate.

   The proposal documents the threat model deltas explicitly so the security
   trade-off has explicit sign-off rather than being implied by a workflow
   comment.

Companion cube-standard work (separate PR, out of scope here):
  • `cube registry add` rerun-overwrites-edits fix
  • Post-submit CLI guidance update to match the new flow

Signed-off-by: Alexandre Lacoste <alex.lacoste.shmu@gmail.com>

Author: recursix

.github/pull_request_template.md

@@ -1,7 +1,8 @@
 ## CUBE Registry Submission
 
 Thank you for submitting a benchmark to the CUBE Registry!
-CI will validate your entry automatically — no human review needed in the happy path.
+CI will validate your entry automatically. On all checks green, the PR is labeled
+`ready-for-review` and a maintainer merges (typically within a business day).
 
 ---
 
@@ -25,7 +26,8 @@ CI will validate your entry automatically — no human review needed in the happ
 | PyPI install + API introspection | On PR | ~2 min |
 | Full debug episode on real infra | Post-merge (async) | ~5-15 min |
 
-Auto-merge triggers when `ownership-check` and `quick-compliance` both pass.
+When `ownership-check` and `quick-compliance` both pass, the PR is labeled
+`ready-for-review` and a maintainer completes the merge.
 
 The slow check runs asynchronously after merge. A failure will open a GitHub issue tagging
 your GitHub handle from `authors[].github`.

README.md

@@ -51,7 +51,11 @@ This generates the entry YAML from your `pyproject.toml`, forks this repo, commi
 2. Create `entries/<your-benchmark-id>.yaml` (see template below)
 3. Open a pull request
 
-Either way, CI validates the entry and auto-merges if it passes. No human review needed.
+Either way, CI validates the entry. On all checks green, the PR is labeled
+`ready-for-review` and a maintainer one-clicks merge — typically within a
+business day. Auto-merge for entries is on the roadmap; see
+[openspec/changes/entry-auto-merge/](openspec/changes/entry-auto-merge/proposal.md)
+for the design.
 
 ### Entry template
 
@@ -90,7 +94,8 @@ Fields populated automatically by CI (do not fill):
 ### Updating your entry
 
 Open a PR modifying your existing YAML. CI verifies you are a registered author
-(via `OWNERS.yaml`) and auto-merges if checks pass.
+(via `OWNERS.yaml`). On checks green, the PR is labeled `ready-for-review` for
+a maintainer to merge.
 
 ---
 

openspec/changes/entry-auto-merge/deltas.md

@@ -0,0 +1,122 @@
+# Deltas: Auto-merge entries via LLM-reviewed CI
+
+## `openspec/specs/ci/spec.md`
+
+### Pipeline overview
+
+**Before**:
+```
+PR opened
+ ├─ ownership-check  (scripts/ownership_check.py, ~10s)  ─┐
+ └─ quick-check      (scripts/quick_check.py, ~2 min)     ├─ both pass → ready-for-review label
+
+maintainer reviews + merges
+ ├─ update-owners
+ ├─ generate-site
+ └─ slow-check (async, post-merge)
+```
+
+**After (Phase 1)**:
+```
+PR opened
+ ├─ ownership-check  (~10s)                              ─┐
+ ├─ quick-check      (~2 min)                            ─┤
+ └─ entry-review     (Claude action, ~1 min)              ├─ all pass + verdict PASS → auto-merge
+                                                          ├─ verdict CONCERN → ready-for-review (manual)
+                                                          │
+post-merge:
+ ├─ update-owners
+ ├─ generate-site
+ └─ slow-check (async, post-merge)
+```
+
+### New section: `## Entry review (every PR touching entries/*.yaml)`
+
+Runs after ownership + quick checks pass. Invokes Claude with a checked-in
+prompt (`scripts/entry_review_prompt.md`) plus the entry YAML, the package's
+PyPI page + README, the linked repo (if `dev_install_url` is set), and the
+existing `entries/` directory + `known-authors.yaml` for cross-reference.
+
+Returns structured verdict:
+
+```yaml
+verdict: PASS | CONCERN
+checks:
+  description_matches_package: pass | fail | unverified
+  authors_consistent_with_git:  pass | fail | unverified
+  no_id_squat_vs_existing:      pass | fail | unverified
+  no_brand_impersonation:       pass | fail | unverified
+  wrapper_license_plausible:    pass | fail | unverified
+notes: <freeform>
+```
+
+**Triggers auto-merge when all of:**
+
+- ownership-check ✅
+- quick-compliance ✅
+- entry-review verdict = `PASS` (explicit; defaults are NOT merge-permissive)
+- PR diff is strictly additions/modifications under `entries/<id>.yaml`
+  for an id the submitter owns (or a brand-new id)
+
+**On `CONCERN`**: post review as PR comment, apply `human-review-needed`,
+do NOT merge.
+
+**Security boundary**: review job runs with read-only `pull_request`
+permissions. Merge happens in a separate job that consumes the verdict —
+compromising the LLM step alone does not bypass ownership / schema / install
+checks (separate jobs).
+
+### Invariants
+
+**Invariant #6 changes from**:
+
+> 6. Entries never auto-merge — a maintainer reviews every PR.
+
+**To**:
+
+> 6. Entries auto-merge iff (ownership-check ∧ quick-compliance ∧
+>    entry-review verdict=PASS) AND the diff is strictly
+>    additions/modifications under `entries/<id>.yaml`. Any deviation
+>    falls back to `ready-for-review` + manual merge.
+
+## `openspec/specs/entry/spec.md`
+
+### `## Contracts for submitters`
+
+**Add bullet**:
+
+> - On submission, an LLM reviewer checks that the entry's description matches
+>   the package, the GitHub handles in `authors[]` are plausibly tied to the
+>   linked repo's commit history, the wrapper license is consistent with the
+>   source, and the `id`/`name` doesn't collide with or impersonate an existing
+>   entry. PRs that fail any of these are labeled `human-review-needed` and
+>   held for a maintainer.
+
+## `README.md`
+
+### "Submission steps" section
+
+Replace the auto-merge promise that PR #50 already softened with the actual
+Phase-1 behavior:
+
+> Either way, CI validates the entry. On all checks green, including the LLM
+> semantic-review verdict, the PR auto-merges. PRs flagged `human-review-needed`
+> are held for a maintainer.
+
+## `.github/pull_request_template.md`
+
+### "What CI will check" section
+
+Add a row:
+
+| Check | When | ~Time |
+|---|---|---|
+| LLM semantic review (Claude) | On PR (after ownership + quick) | ~1 min |
+
+### Below the table
+
+Replace the "ready-for-review" copy with:
+
+> When ownership-check, quick-compliance, and the LLM review verdict all
+> pass, the PR auto-merges. A `human-review-needed` label means the LLM
+> reviewer surfaced a concern; a maintainer will follow up.

openspec/changes/entry-auto-merge/proposal.md

@@ -0,0 +1,100 @@
+# Proposal: Auto-merge entries via LLM-reviewed CI
+
+## Context
+
+README and PR template promise auto-merge for entries. The actual workflow
+labels `ready-for-review` and waits for a maintainer click. CI spec invariant
+#6 codifies the manual-review rule on the grounds that a buggy or
+compromised quick-check could rubber-stamp anything.
+
+The security argument addresses the wrong threat model. The threats auto-merge
+exposes are **semantic**, not install-time:
+
+| Threat | Catchable by `pip install` + `Benchmark` import? |
+|---|---|
+| Malicious code at install | ✅ (hardened sandbox catches outbound calls in import) |
+| Privilege escalation via `OWNERS.yaml` | ✅ (ownership-check reads `origin/main`) |
+| id-squatting | ❌ |
+| Brand impersonation | ❌ |
+| Author-handle impersonation | ❌ |
+| Description deception (entry text doesn't match package) | ❌ |
+| Legal misrepresentation (wrong SPDX, stolen content) | ❌ |
+| Sophisticated supply-chain backdoor in PyPI release | ❌ (same for manual review) |
+
+A maintainer eyeballing a YAML for 30 seconds doesn't catch a supply-chain
+backdoor either — so the bar for "what manual review buys" is the semantic
+checks. Those are exactly what an LLM reviewer with structured output is
+good at. As the registry scales, manual review degrades to rubber-stamping
+anyway, and rubber-stamped human review is strictly worse than structured
+automated review.
+
+## What
+
+A new workflow `entry-review.yml` runs after ownership + quick-check pass on
+any PR touching `entries/*.yaml`. It invokes a Claude action with a checked-in
+prompt (`scripts/entry_review_prompt.md`) that returns a structured verdict:
+
+```yaml
+verdict: PASS | CONCERN
+checks:
+  description_matches_package: pass | fail | unverified
+  authors_consistent_with_git: pass | fail | unverified
+  no_id_squat_vs_existing: pass | fail | unverified
+  no_brand_impersonation: pass | fail | unverified
+  wrapper_license_plausible: pass | fail | unverified
+notes: <freeform>
+```
+
+The reviewer reads: the entry YAML, the package's PyPI page + README, the
+linked repo (`dev_install_url` if present) including `git log` of the cube
+subdirectory, the existing `entries/` and `known-authors.yaml` for cross-reference.
+
+**Auto-merge fires when all of:**
+
+- `ownership-check` ✅
+- `quick-compliance` ✅
+- `entry-review` verdict = `PASS` (explicit positive, not absence-of-failure)
+- PR diff is strictly additions / modifications under `entries/<id>.yaml`
+  for an id the submitter owns (or a brand-new id)
+
+On `CONCERN`: post the review as a PR comment, apply `human-review-needed`,
+do NOT merge. On any check `unverified`: surfaces in `notes`; verdict is up
+to the reviewer.
+
+## What stays manual
+
+- `OWNERS.yaml` edits (already CI-bot-only)
+- Workflow / script / spec changes
+- Any PR touching files outside `entries/`
+- Verdict = `CONCERN` (label-gated)
+
+## Threat model deltas
+
+- Review prompt is checked into the repo — diffable, auditable, blameable.
+- Verdict defaults to NOT merge-permissive (`PASS` must be explicit).
+- The LLM step runs in a separate job from ownership/schema/install — compromising
+  one doesn't compromise the others.
+- Action runs under read-only `pull_request` permissions; merge happens in a
+  follow-up job that requires the verdict.
+- Cost: ~$0.50–3 per PR with Opus. At low hundreds of submissions / year, modest.
+
+## Phasing
+
+| Phase | Scope | PR scope |
+|---|---|---|
+| 0 | Doc-truth fix: stop promising auto-merge until it exists | PR #50 (this PR) |
+| 1 | `entry-review.yml` + auto-merge gated on `ownership ∧ quick ∧ review=PASS` | Follow-up registry PR |
+| 2 | Slow-check moved pre-merge with `/ok-to-test` label-gate for fork PRs | Later registry PR |
+| 3 | Per-cube `review_overrides` (e.g. cubes with unusual provenance) | Later, optional |
+
+Phase 1 doesn't lower the bar from today's manual review (which also only
+sees quick-check pass before merge). It removes the human-click step and adds
+the semantic-checks the human wasn't catching anyway.
+
+Phase 2 is independently valuable but bigger — fork PRs running cloud-infra
+jobs is a known abuse vector, so it needs a label-gate.
+
+## Not in scope (handled in cube-standard)
+
+- `cube registry add` rerun-overwrites-edits fix
+- Post-submit CLI guidance ("a maintainer will merge…" → "auto-merging on green…")