Canonicalize manual credit GitHub worker aliases

[yyswhsccc]

Claim

• Claim Token comment: Claim MRG Tokens for Bug Bounty Reports - Comment New Bugs Here Before Opening a PR #1 (comment)
• Bounty amount: 25 MRG requested for a small backend alias-resolution bug fix; final amount is maintainer decision.
• Bounty type: bug bounty
• Bounty size: small
• Fix claim source: issue Claim MRG Tokens for Bug Bounty Reports - Comment New Bugs Here Before Opening a PR #1 claim token above. Separate QA verification reports may reference issue [300 MRG per PR] Test submitted PRs and verify bounty evidence #64 for verifier compensation; that is not this fix PR's claim source.

Description

Manual credit and payout-account resolution could treat worker:github:<name> as a distinct account instead of the canonical github:<name> payout alias.

This PR canonicalizes the worker GitHub alias before manual-credit storage and lower-level payout account resolution, preventing double-prefixed account identities.

Evidence

Before:

• worker:github:<name> could create or reference a separate/double-prefixed account path instead of the canonical github:<name> alias.

After:

• worker:github:<name> resolves to github:<name> for manual credit input and payout account resolution without changing reward amounts or crediting any wallet.

Additional logs or test output:

• go test ./internal/core -run 'TestManualCreditWorkerGitHubAliasUsesCanonicalPayoutAccount|TestAdminCanCreateManualLedgerCredit' -> ok mergeos/backend/internal/core 0.448s
• Current GitHub Backend build is blocked by the shared Go 1.25.10 govulncheck baseline; Bump backend Go patch version #218 updates the backend Go patch version and is green. Secret scan, web checks, and MergeIDE are passing on this PR.

Safety

• Alias canonicalization only.
• Does not change reward amounts, confirmation rules, production wallets, or admin secrets.
• Does not manually credit any wallet.

Tests

• I ran the relevant tests.
• I included the command output or explained why tests were not run.

Bounty Checklist

• I starred this repository before claiming or starting bounty work.
• This PR links to a confirmed Claim Token comment.
• This PR includes image evidence for UI bugs or logs/test output for non-UI bugs.
• This PR explains the behavior before and after the fix.
• This PR does not expose secrets, private keys, customer data, or sensitive production details.

[yyswhsccc]

Maintenance note: I checked the failing Backend build and test job on this PR. The failure is the shared base/toolchain govulncheck issue from backend/go.mod using Go 1.25.10, not this PR's local test suite. govulncheck reports standard-library issues GO-2026-5039 and GO-2026-5037 fixed in Go 1.25.11 before project tests run.

I opened #218 to bump backend/go.mod to Go 1.25.11. #218 is now green across Backend build and test, Secret scan, frontend/admin/scan web checks, and MergeIDE. After that toolchain patch lands and this PR is updated against it, the backend check should no longer fail on the Go 1.25.10 standard-library findings.

[TUPM96]

Findings
No blocking code issues were found. The changes correctly implement the alias canonicalization for worker:github:<name> to github:<name> in both manual credit processing and payout account resolution. The new tests adequately cover the introduced logic, and the placement of the new logic ensures no regressions. The scope is well-defined and limited to the described bug fix.

Bounty Readiness
*

---

MergeOS automated readiness signals:

• Evidence signal: evidence: missing
• Repository star: star: verified

[friendlygeorge]

Verification Report — PR #215

Verifier: friendlygeorge
Date: 2026-06-05
Claim: #64 (comment)

PR Details

• Title: Canonicalize manual credit GitHub worker aliases
• Author: yyswhsccc
• Head commit: 8e8e4d0
• Files changed: 1 (backend/internal/core)
• Additions: 21, Deletions: 0

What the PR Does

Adds alias canonicalization for worker:github:<name> → github:<name> payout accounts. Fixes two issues:

1. Admin manual credits now treat worker:github:<name> as the canonical github:<name> alias
2. Non-admin callers no longer create double-prefixed worker:worker:github:<name> accounts

Code Review

• Change is clean and focused: 21 lines added, 0 deleted
• No side effects: Only affects alias resolution, not reward amounts, wallets, or secrets
• Test coverage: Two new tests cover admin input normalization and payout account resolution

Test Results

=== RUN   TestAdminCanCreateManualLedgerCredit
--- PASS: TestAdminCanCreateManualLedgerCredit (0.13s)
=== RUN   TestManualCreditWorkerGitHubAliasUsesCanonicalPayoutAccount
--- PASS: TestManualCreditWorkerGitHubAliasUsesCanonicalPayoutAccount (0.00s)
PASS
ok  mergeos/backend/internal/core  0.140s

Full backend test suite: ok mergeos/backend/internal/core 10.301s — all tests pass.

GitHub Actions Status

Not checked (same pre-existing toolchain issue as other PRs). Local tests pass cleanly.

Evidence Status

• PR author provided: No screenshots/logs (not needed — pure backend logic change)
• Required evidence: Test output is the primary evidence
• Evidence assessment: ✅ Adequate

Recommendation

✅ Approve — Clean alias canonicalization fix. Prevents double-prefixed accounts. Well-tested. No risks.