fix: resolve review findings — 16 bugs, DRY violations, and inconsistencies

Critical fixes:
- bootstrap: resolve bot identity BEFORE creating handlers so
  ignore_authors self-loop guard actually works (was normalized
  with null botLogin, making $BOT_LOGIN substitution a no-op)
- pipeline: remove leaked abort timer in stale-session retry that
  could fire prematurely before semaphore acquisition
- migrations: use actual column type from EXPECTED_TABLES in repair
  instead of hardcoded TEXT (would corrupt INTEGER columns)
- github-api: fix this-binding bug in fetchEntity that breaks when
  the fetcher is destructured; extract shared fetchByType helper

Medium fixes:
- bootstrap: add --global flag to git config calls (was writing to
  local repo config of whatever CWD happened to be)
- auto-merge: use timeline API instead of issues events endpoint
  for ready_for_review (PR events don't appear in issue events)
- fix-ci: filter attempt count by author to avoid miscounting
  human comments
- pr: guard against empty checks array being misread as CI passed
  when CI hasn't started yet
- respond-to-comment, review-pr: use $ME identity variable instead
  of redundant gh api user calls
- mark-pr-ready: fix wording that contradicted auto-merge flow

DRY consolidation:
- github-api: extract shared fetchByType helper, eliminating
  duplicate try/catch/Sentry logging in fetchPR and fetchIssue
- entity: consolidate 3 identical PR event handlers into one using
  a Set; consolidate check_suite/workflow_run into a shared lookup

Documentation:
- storage: document raw SQL vs Drizzle split and timestamp strategy
- schema: document that Drizzle enum is TypeScript-only, SQL CHECK
  comes from migrations

Author: MathurAditya724

packages/opentower/src/bootstrap.ts

@@ -57,12 +57,40 @@ export async function bootstrap(opts: BootstrapOptions): Promise<BootstrapResult
     return null
   }
 
-  const triggers = (cfg.triggers ?? []).map((t) => normalizeTrigger(t, null))
+  // Resolve bot identity BEFORE normalizing triggers so that
+  // ignore_authors substitution ($BOT_LOGIN) works correctly.
+  const { auth } = createHandlers({ triggers: [], githubApp })
+  let botLogin: string | null = null
+  let tokenRefreshTimer: ReturnType<typeof setInterval> | null = null
+
+  try {
+    const { botLogin: resolvedLogin, tokenRefreshTimer: refreshTimer } = await initAppIdentity(auth)
+    botLogin = resolvedLogin
+    tokenRefreshTimer = refreshTimer
+    logger.info("GitHub App identity resolved", { login: botLogin })
+    Sentry.setTag("bot.login", botLogin)
+  } catch (_err) {
+    botLogin = await resolveBotLogin()
+    if (botLogin) {
+      logger.warn("GitHub App identity failed, using GH_TOKEN identity", { login: botLogin })
+      Sentry.setTag("bot.login", botLogin)
+    } else {
+      logger.warn("could not resolve bot identity -- self-loop guard degraded")
+    }
+  }
+
+  // Normalize triggers with the resolved bot login so ignore_authors
+  // substitution works. This must happen after identity resolution.
+  const triggers = (cfg.triggers ?? []).map((t) => normalizeTrigger(t, botLogin))
   if (triggers.length === 0) {
     logger.info("no triggers configured -- listener disabled", { path: configPath() })
     return null
   }
 
+  // Re-create handlers with properly normalized triggers (the initial
+  // createHandlers call above was only to get the auth object).
+  const { handlers: normalizedHandlers } = createHandlers({ triggers, githubApp })
+
   const batchWindowMs = cfg.batch_window_ms ?? 5_000
   const dedup = makeDedup()
   const semaphore = makeSemaphore(maxConcurrent)
@@ -121,37 +149,6 @@ export async function bootstrap(opts: BootstrapOptions): Promise<BootstrapResult
   cronScheduler.start()
   logger.info("cron scheduler started")
 
-  const { handlers, auth } = createHandlers({
-    triggers,
-    githubApp,
-  })
-
-  // Resolve bot identity from the GitHub App. The app's bot login is
-  // "<slug>[bot]" and the installation token is set as GH_TOKEN so the
-  // agent's gh CLI calls are attributed to the app.
-  let botLogin: string | null = null
-  let tokenRefreshTimer: ReturnType<typeof setInterval> | null = null
-
-  try {
-    const { botLogin: resolvedLogin, tokenRefreshTimer: refreshTimer } = await initAppIdentity(auth)
-    botLogin = resolvedLogin
-    tokenRefreshTimer = refreshTimer
-    logger.info("GitHub App identity resolved", { login: botLogin })
-    Sentry.setTag("bot.login", botLogin)
-  } catch (_err) {
-    // Fall back to GH_TOKEN-based identity if App identity fails
-    botLogin = await resolveBotLogin()
-    if (botLogin) {
-      logger.warn("GitHub App identity failed, using GH_TOKEN identity", { login: botLogin })
-      Sentry.setTag("bot.login", botLogin)
-    } else {
-      logger.warn("could not resolve bot identity -- self-loop guard degraded")
-    }
-  }
-
-  // Re-normalize triggers with the resolved bot login for ignore_authors
-  const normalizedTriggers = (cfg.triggers ?? []).map((t) => normalizeTrigger(t, botLogin))
-
   const handlerContext: HandlerContext = {
     pipeline,
     dedup,
@@ -160,7 +157,7 @@ export async function bootstrap(opts: BootstrapOptions): Promise<BootstrapResult
   }
 
   const app = createApp({
-    handlers,
+    handlers: normalizedHandlers,
     handlerContext,
     store,
     apiToken,
@@ -173,7 +170,7 @@ export async function bootstrap(opts: BootstrapOptions): Promise<BootstrapResult
     fetch: app.fetch,
   })
 
-  const triggerCount = normalizedTriggers.filter((t) => t.source === "github_app").length
+  const triggerCount = triggers.filter((t) => t.source === "github_app").length
   logger.info("listening", {
     url: `http://0.0.0.0:${server.port}`,
     triggers: {
@@ -269,8 +266,8 @@ async function configureGitIdentity(botLogin: string): Promise<void> {
         await proc.exited
       }
 
-      await gitConfig([], "user.name", botLogin)
-      await gitConfig([], "user.email", email)
+      await gitConfig(["--global"], "user.name", botLogin)
+      await gitConfig(["--global"], "user.email", email)
       await gitConfig(["-C", devDir], "user.name", botLogin)
       await gitConfig(["-C", devDir], "user.email", email)
 

packages/opentower/src/entity.ts

@@ -19,6 +19,15 @@ export type EntityKey = {
   linkedIssues: number[]
 }
 
+// PR-related events that all extract from payload.pull_request.
+const PR_EVENTS = new Set(["pull_request", "pull_request_review_comment", "pull_request_review"])
+
+// CI events that extract from a pull_requests array inside the event object.
+const CI_EVENTS: Record<string, string> = {
+  check_suite: "check_suite.pull_requests",
+  workflow_run: "workflow_run.pull_requests",
+}
+
 // Extract entity key from a GitHub webhook payload.
 // Returns null for events that don't map to a trackable entity.
 // When a GitHubFetcher is provided, events that lack full context
@@ -54,22 +63,9 @@ export async function extractEntityKey(
     return { key: `${repo}#${num}`, repo, number: num, kind: "issue", linkedIssues: [] }
   }
 
-  // pull_request.*
-  if (event === "pull_request") {
-    const num = lookup(payload, "pull_request.number")
-    if (typeof num !== "number") return null
-    const body = lookupString(payload, "pull_request.body") ?? ""
-    return {
-      key: `${repo}#${num}`,
-      repo,
-      number: num,
-      kind: "pull_request",
-      linkedIssues: extractLinkedIssues(body, repo),
-    }
-  }
-
-  // pull_request_review_comment.*
-  if (event === "pull_request_review_comment") {
+  // pull_request, pull_request_review_comment, pull_request_review
+  // All extract from payload.pull_request with identical logic.
+  if (PR_EVENTS.has(event)) {
     const num = lookup(payload, "pull_request.number")
     if (typeof num !== "number") return null
     const body = lookupString(payload, "pull_request.body") ?? ""
@@ -82,34 +78,11 @@ export async function extractEntityKey(
     }
   }
 
-  // pull_request_review.*
-  if (event === "pull_request_review") {
-    const num = lookup(payload, "pull_request.number")
-    if (typeof num !== "number") return null
-    const body = lookupString(payload, "pull_request.body") ?? ""
-    return {
-      key: `${repo}#${num}`,
-      repo,
-      number: num,
-      kind: "pull_request",
-      linkedIssues: extractLinkedIssues(body, repo),
-    }
-  }
-
-  // check_suite.* -- extract from pull_requests array, fetch PR body for links
-  if (event === "check_suite") {
-    const prs = lookup(payload, "check_suite.pull_requests")
-    if (!Array.isArray(prs) || prs.length === 0) return null
-    const first = prs[0] as Record<string, unknown>
-    const num = first?.number
-    if (typeof num !== "number") return null
-    const linkedIssues = fetcher ? await fetchLinkedIssues(fetcher, repo, num) : []
-    return { key: `${repo}#${num}`, repo, number: num, kind: "pull_request", linkedIssues }
-  }
-
-  // workflow_run.* -- extract from pull_requests array, fetch PR body for links
-  if (event === "workflow_run") {
-    const prs = lookup(payload, "workflow_run.pull_requests")
+  // check_suite, workflow_run — extract from pull_requests array,
+  // fetch PR body for linked issue detection.
+  const ciPath = CI_EVENTS[event]
+  if (ciPath) {
+    const prs = lookup(payload, ciPath)
     if (!Array.isArray(prs) || prs.length === 0) return null
     const first = prs[0] as Record<string, unknown>
     const num = first?.number
@@ -118,7 +91,7 @@ export async function extractEntityKey(
     return { key: `${repo}#${num}`, repo, number: num, kind: "pull_request", linkedIssues }
   }
 
-  // push -- resolve branch to PR, or parse commit messages for issue refs
+  // push — resolve branch to PR, or parse commit messages for issue refs
   if (event === "push") {
     return resolvePushEntity(payload, repo, fetcher)
   }

packages/opentower/src/github-api.ts

@@ -21,67 +21,65 @@ export function createGitHubFetcher(token: string): GitHubFetcher {
     "X-GitHub-Api-Version": "2022-11-28",
   }
 
-  return {
-    async fetchPR(repo, number) {
-      try {
-        const res = await fetch(`${GITHUB_API}/repos/${repo}/pulls/${number}`, { headers })
-        if (!res.ok) return null
-        const data = (await res.json()) as { body: string | null }
-        return { body: data.body }
-      } catch (err) {
-        Sentry.logger.warn("github_api.fetch_pr_failed", {
-          repo,
-          number,
-          error: formatError(err),
-        })
-        return null
-      }
-    },
+  // Shared fetch helper for PR and issue endpoints. Avoids duplicating
+  // the try/catch + Sentry logging pattern across fetchPR and fetchIssue.
+  async function fetchByType(
+    type: "pulls" | "issues",
+    repo: string,
+    number: number,
+  ): Promise<{ body: string | null } | null> {
+    try {
+      const res = await fetch(`${GITHUB_API}/repos/${repo}/${type}/${number}`, { headers })
+      if (!res.ok) return null
+      const data = (await res.json()) as { body: string | null }
+      return { body: data.body }
+    } catch (err) {
+      Sentry.logger.warn(`github_api.fetch_${type === "pulls" ? "pr" : "issue"}_failed`, {
+        repo,
+        number,
+        error: formatError(err),
+      })
+      return null
+    }
+  }
 
-    async fetchIssue(repo, number) {
-      try {
-        const res = await fetch(`${GITHUB_API}/repos/${repo}/issues/${number}`, { headers })
-        if (!res.ok) return null
-        const data = (await res.json()) as { body: string | null }
-        return { body: data.body }
-      } catch (err) {
-        Sentry.logger.warn("github_api.fetch_issue_failed", {
-          repo,
-          number,
-          error: formatError(err),
-        })
-        return null
-      }
-    },
+  async function fetchPR(repo: string, number: number) {
+    return fetchByType("pulls", repo, number)
+  }
 
-    async fetchEntity(repo, number) {
-      // Try PR first — issues API also returns PRs but with less detail
-      const pr = await this.fetchPR(repo, number)
-      if (pr) return { kind: "pull_request" as const, body: pr.body }
-      const issue = await this.fetchIssue(repo, number)
-      if (issue) return { kind: "issue" as const, body: issue.body }
-      return null
-    },
+  async function fetchIssue(repo: string, number: number) {
+    return fetchByType("issues", repo, number)
+  }
 
-    async findPRForBranch(repo, branch) {
-      try {
-        const [owner] = repo.split("/")
-        const res = await fetch(
-          `${GITHUB_API}/repos/${repo}/pulls?head=${encodeURIComponent(`${owner}:${branch}`)}&state=open&per_page=1`,
-          { headers },
-        )
-        if (!res.ok) return null
-        const data = (await res.json()) as Array<{ number: number; body: string | null }>
-        if (data.length === 0) return null
-        return { number: data[0].number, body: data[0].body }
-      } catch (err) {
-        Sentry.logger.warn("github_api.find_pr_failed", {
-          repo,
-          branch,
-          error: formatError(err),
-        })
-        return null
-      }
-    },
+  async function fetchEntity(repo: string, number: number) {
+    // Try PR first — issues API also returns PRs but with less detail
+    const pr = await fetchPR(repo, number)
+    if (pr) return { kind: "pull_request" as const, body: pr.body }
+    const issue = await fetchIssue(repo, number)
+    if (issue) return { kind: "issue" as const, body: issue.body }
+    return null
   }
+
+  async function findPRForBranch(repo: string, branch: string) {
+    try {
+      const [owner] = repo.split("/")
+      const res = await fetch(
+        `${GITHUB_API}/repos/${repo}/pulls?head=${encodeURIComponent(`${owner}:${branch}`)}&state=open&per_page=1`,
+        { headers },
+      )
+      if (!res.ok) return null
+      const data = (await res.json()) as Array<{ number: number; body: string | null }>
+      if (data.length === 0) return null
+      return { number: data[0].number, body: data[0].body }
+    } catch (err) {
+      Sentry.logger.warn("github_api.find_pr_failed", {
+        repo,
+        branch,
+        error: formatError(err),
+      })
+      return null
+    }
+  }
+
+  return { fetchPR, fetchIssue, fetchEntity, findPRForBranch }
 }

packages/opentower/src/migrations.ts

@@ -315,8 +315,11 @@ export function repairSchema(db: Database): RepairResult {
           break
         }
         case "missing_column": {
-          db.exec(`ALTER TABLE ${issue.table} ADD COLUMN ${issue.column} TEXT`)
-          result.fixed.push(`added column ${issue.table}.${issue.column}`)
+          const table = EXPECTED_TABLES.find((t) => t.name === issue.table)
+          const col = table?.columns.find((c) => c.name === issue.column)
+          const colType = col?.type ?? "TEXT"
+          db.exec(`ALTER TABLE ${issue.table} ADD COLUMN ${issue.column} ${colType}`)
+          result.fixed.push(`added column ${issue.table}.${issue.column} (${colType})`)
           break
         }
         case "missing_index": {

packages/opentower/src/pipeline.ts

@@ -349,10 +349,10 @@ export function makePipeline(opts: {
         // call — createAndPrompt will start its own.
         drainCounter.end()
 
-        // Retry with a brand-new session.
+        // Retry with a brand-new session. Don't start an abort timer
+        // here — createAndPrompt sets its own after semaphore acquisition
+        // so wait time doesn't count against the timeout budget.
         const newAbort = new AbortController()
-        const newAbortTimer = setTimeout(() => newAbort.abort(), timeoutMs)
-        newAbortTimer.unref?.()
         const fresh: SessionEntry = {
           sessionId: "",
           entityKey: entityKey.key,
@@ -361,7 +361,7 @@ export function makePipeline(opts: {
           busy: true,
           queue: entry.queue,
           abort: newAbort,
-          abortTimer: newAbortTimer,
+          abortTimer: null as unknown as ReturnType<typeof setTimeout>,
           batchTimer: null,
           batchStart: null,
           idleTimer: null,

packages/opentower/src/schema.ts

@@ -8,6 +8,9 @@ export const entities = sqliteTable(
     entity_key: text("entity_key").primaryKey(),
     repo: text("repo").notNull(),
     number: integer("number").notNull(),
+    // The enum restricts values at the TypeScript level only. The SQL-level
+    // CHECK(kind IN ('issue','pull_request')) constraint comes from the
+    // migration SQL in migrations.ts, which is the actual DB-level guard.
     kind: text("kind", { enum: ["issue", "pull_request"] }).notNull(),
     session_id: text("session_id").notNull(),
     share_url: text("share_url"),

packages/opentower/src/storage.ts

@@ -170,6 +170,16 @@ export function openLifecycleStore(dbPath: string): LifecycleStore {
 
   const db = drizzle(sqlite, { schema })
 
+  // Some methods use raw sqlite.prepare() instead of Drizzle:
+  //   - upsertEntity: COALESCE/CASE WHEN in ON CONFLICT not expressible in Drizzle
+  //   - addLink: INSERT OR IGNORE not expressible in Drizzle for composite PKs
+  //   - pruneOlderThan: bulk transactional deletes with subqueries, cleaner in raw SQL
+  //   - setRetentionDays: simple upsert, kept raw for consistency with getRetentionDays
+  //
+  // Timestamps: raw SQL uses datetime('now') (SQLite clock, UTC). Drizzle
+  // .values() calls use the JS now() helper which produces the same
+  // "YYYY-MM-DD HH:MM:SS" format in UTC. Both are equivalent when the
+  // process runs with TZ=UTC (the default in the Docker container).
   return {
     upsertEntity(row) {
       sqlite

skills/auto-merge/SKILL.md

@@ -60,7 +60,7 @@ needs human review and list which criteria it exceeded.
 0. **Check quiet period**. Verify the PR was marked ready at least
    10 minutes ago with no reviewer activity since:
    ```sh
-   READY_AT=$(gh api "repos/<owner>/<repo>/issues/<N>/events" \
+   READY_AT=$(gh api "repos/<owner>/<repo>/issues/<N>/timeline" --paginate \
      --jq '[.[] | select(.event=="ready_for_review")] | last | .created_at')
    ```
    Calculate elapsed time. If less than 10 minutes have passed,