chore(github): add issue templates and enforce issue-link check on PRs

[Omee11]

Thinking Path

• Paperclip orchestrates AI agents for zero-human companies, and the GitHub tracker is the entry point for anyone — humans or agents — reporting problems or proposing work
• But the repo has no issue templates today, so new issues arrive with no environment data, no reproduction steps, and a meaningful fraction are filed by users' own AI agents reacting to their provider-side errors (API quota, auth, external adapter plugin failures) rather than actual Paperclip bugs
• New PRs also sometimes arrive without a linked issue, which makes triage harder — the existing PR template already has a closes # line but nothing nudges contributors when it is empty
• So this PR closes the intake gap: four YAML issue templates (bug / feature / enhancement / docs) with required environment fields and PII warnings; config.yml disabling blank issues and pinning Discord + Discussions; a small workflow that tags every new issue with needs-triage; a soft PR-body check for Closes/Fixes/Resolves #NNN; and an AGENTS.md subsection teaching AI agents to deflect their own false-positive filings
• The benefit is that the backlog (currently ~1,100 open issues and ~1,500 open PRs) becomes cheaper to triage going forward, agent-filed noise is either gated at intake or dissuaded upstream, and PRs consistently reference their issue so review can start from context instead of reconstruction

What Changed

New files under .github/ISSUE_TEMPLATE/:

• bug_report.yml — required fields for Paperclip version, Node, OS, install method, adapter(s), DB mode (PGlite / external Postgres), access context (board / agent). Frequency + impact dropdowns. PII warnings on every paste field plus a mandatory privacy checkbox
• feature_request.yml — pre-submission checklist, subsystem picker (server / ui / packages/db / packages/shared / packages/adapters / packages/plugins / cross-cutting), impact-on-invariants field referencing AGENTS.md §5
• enhancement.yml — for improvements to existing behaviour (before/after, breaking-change check)
• docs_issue.yml — lightweight, 4 fields
• config.yml — blank_issues_enabled: false and pinned contact links to Discord and GitHub Discussions

New files under .github/workflows/:

• auto-label-issues.yml — applies needs-triage to every new issue. Self-healing: creates the label on first run if it doesn't exist (it currently doesn't). SHA-pinned actions/github-script@3a2844b7... (v9.0.0). No shell interpolation of untrusted input — all logic in the github-script JS sandbox
• require-issue-link.yml — scans PR body for Closes/Fixes/Resolves #NNN; if missing, posts a comment and fails the check. Soft check — contributors can add a rationale line in the PR body for genuinely issue-less PRs. Untrusted input (github.event.pull_request.body) is bound to $PR_BODY via env: and scanned with grep, never interpolated directly into the shell command (follows the documented safe pattern). Uses pull_request_target and only [opened, edited, reopened] trigger types — see "Changes from Greptile review" below

Modified files:

• AGENTS.md — adds new §11 "For AI Agents Filing Issues" listing common false positives (API quota / rate limit, auth failures in user's own config, external plugin errors) that agents should not file against Paperclip. Also fixes an existing duplicate-§11 numbering bug (both "Definition of Done" and "Fork-Specific: HenkDz/paperclip" were §11) by renumbering them to §12 and §13 respectively
• CONTRIBUTING.md — one-line pointer at the top of the file directing question-askers to Discord/Discussions and bug-filers to the template chooser

Deliberately NOT touched:

• .github/PULL_REQUEST_TEMPLATE.md — already rich (Thinking Path, Model Used, full checklist), would be a regression to weaken it
• All existing workflows (docker.yml, e2e.yml, pr.yml, refresh-lockfile.yml, release.yml, release-smoke.yml) — no interaction, the two new workflows run alongside
• CODEOWNERS

How the issue templates work (and the concrete benefits for Paperclip)

Mechanically, YAML issue forms ≠ markdown templates. GitHub renders .yml templates as typed UI forms, not a textarea pre-filled with boilerplate. The submit button stays disabled until every field marked required: true has content. This is the key mechanism: it converts "please include these details" (a polite request that lazy filers and AI agents ignore) into "you cannot submit without these details" (a hard gate enforced by the GitHub UI, before anything reaches your tracker).

blank_issues_enabled: false closes the bypass route. GitHub normally shows an "Open a blank issue" button underneath the template chooser — that button is where most of the unstructured agent noise currently slips through. With the config, every issue must pick one of the four templates; there is no blank path.

Concrete downstream effects for the paperclip tracker:

• Reproducibility data arrives by default. A bug report cannot be filed without the Paperclip version, Node version, OS, install method, adapter(s), DB mode, and access context. No more "what version are you on?" / "which adapter?" ping-pong — the fields are there because the submit is blocked without them.
• Agent-filed noise is largely self-gated. The common pattern today is an AI agent auto-filing on any unhandled exception from its own provider or local config. Between required environment fields (which agent auto-filers tend to leave blank) and the AGENTS.md §11 addition listing common false positives (API quota, auth, external plugin errors), those filings either arrive with enough context to see they're not Paperclip's problem (→ quick close with a link to AGENTS.md §11) or they don't arrive at all.
• Auto-applied labels take the first triage step off the maintainer's plate. Every bug lands with bug + needs-triage, every feature with enhancement + needs-triage, every docs issue with documentation + needs-triage. Combined with the subsystem picker in feature/enhancement templates, issues?q=label:needs-triage+label:bug or an equivalent subsystem filter gives you a tight queue instead of the full backlog.
• PII protection. Every paste field (logs, config, state) carries an explicit warning about PII, with suggested anonymisers. The mandatory privacy checkbox at the bottom of the bug report forces the filer to confirm they've redacted before submission. Given that Paperclip state routinely contains agent transcripts, company names, encrypted-secrets paths, and tokens, this protects both the filer and the tracker's public history.
• Paperclip-specific framing, not generic boilerplate. The feature/enhancement templates reference AGENTS.md §5 directly (company scoping, atomic issue checkout, approval gates, budget hard-stop, activity logging) and force the filer to answer "does this affect any of them?" That single field tends to surface scope-creep and invariant-conflict issues before a maintainer has to read the body and work it out.
• needs-triage as a queue marker, not decoration. Once merged, issues?q=label:needs-triage becomes a clean "inbox" view — separate from the ~1,100 historic backlog. Every issue reviewed and classified (or closed) leaves that queue, so triage work has a concrete end state rather than being open-ended. The filter is the forcing function that makes triage feel finite.

Changes from Greptile review (commit c858806)

Greptile's initial review flagged two P1 issues in require-issue-link.yml, both fixed:

1. Duplicate bot comments under synchronize — every pushed commit on a link-less PR was posting a fresh identical "Missing issue link" comment. Dropped synchronize from the trigger list. Adding a Closes/Fixes/Resolves reference happens by editing the PR body, which fires edited, so the check still runs when the reference is added after opening — no dedup loop needed.
2. Fork PRs got read-only GITHUB_TOKEN under pull_request — the comment step would silently 403 for every external contributor, meaning they never saw the helpful message. Switched to pull_request_target. Safe here because neither step checks out PR-supplied code: the grep step reads $PR_BODY from an env var, and the github-script step only calls the REST API with trusted context values (owner, repo, PR number).

Verification

Local checks (all green on this branch against current upstream/master):

• python3 -c "import yaml; yaml.safe_load(...)" on all 7 new YAML files — all parse
• pnpm -r typecheck — exit 0
• pnpm build — exit 0
• pnpm test:run — has 40 failing tests. I verified these are pre-existing by stashing this branch's changes and running the same failing test files against clean upstream/master — they fail identically there (TypeError: localStorage.clear is not a function in ui/src/pages/Routines.test.tsx and ui/src/pages/InviteLanding.test.tsx, which are test-environment setup issues unrelated to this PR's .github/ + markdown-only diff). Flagging here so CI noise doesn't obscure the actual signal

Post-merge reviewer checks:

• Issue templates: navigate to github.com/paperclipai/paperclip/issues/new/choose. Expect four template cards + two contact links. Expect no "Open a blank issue" option. Click into each — required fields should block submission when empty
• auto-label-issues.yml: open a fresh test issue after merge. Expect a needs-triage label to appear (the workflow creates the label on its first run if it doesn't exist). Subsequent issues reuse the same label
• require-issue-link.yml: this PR itself demonstrates the happy path — the body contains Closes #4188, so the check will pass. To verify the negative path, temporarily remove that line, observe the workflow post its comment and fail, then restore it. After merge, future PRs without a closing reference will surface the comment automatically
• Existing pr.yml CI (policy / verify / e2e jobs) stays green — none of those jobs touch .github/ content

Risks

• Label creation side-effect: the auto-label-issues workflow creates the needs-triage label on first run. Colour chosen: fbca04 (yellow). If that colour clashes with something existing, the label still creates; only the visual clashes. Easy to adjust post-merge
• require-issue-link.yml on in-flight PRs: will run on currently-open PRs when they're next edited/reopened and comment on any without Closes/Fixes/Resolves #NNN. Because synchronize is intentionally excluded, a push alone does not retrigger the check — only an opened/edited/reopened event will. The check is soft (contributors can override by adding a one-line rationale in the PR body)
• AGENTS.md numbering: the renumber of §11 → §13 for the HenkDz fork section is incidental to fixing a pre-existing duplicate-§11 bug. If you'd rather leave the duplicate and only have my new section appended at the end, happy to re-arrange
• Tone calibration: the PII warnings and pre-submission checklists are modelled on gsd-build/get-shit-done's templates but dialled softer (no "unchecked boxes are an immediate close" language, no auto-close behaviour). Happy to dial further up or down — this PR is the starting point, not the destination
• Explicitly deferred to future separate PRs: stale bot (would use a 42-day / 14-day window with exempt labels), approval-label gates (approved-feature etc.), multi-typed PR template chooser, draft-PR auto-close. Mentioning only so you know what's not being proposed here

Model Used

Claude Opus 4.7 (1M context) — provider Anthropic, exact model ID claude-opus-4-7[1m], 1,000,000-token context window, extended thinking mode with tool use. Used for: research (reading gsd-build/get-shit-done/.github as reference, studying this repo's AGENTS.md §5 invariants and existing PR template), drafting all 9 files, writing the tracking issue body, authoring this PR description, and applying the Greptile-flagged fixes in commit c8588061. All code reviewed and approved by a human (@Omee11) before pushing.

Checklist

• I have included a thinking path that traces from project context to this change
• I have specified the model used (with version and capability details)
• I have run tests locally and they pass (typecheck + build green; pre-existing UI test failures in Routines.test.tsx / InviteLanding.test.tsx are unrelated — verified against clean upstream/master, see Verification)
• I have added or updated tests where applicable (N/A — .github/ + markdown only; no runtime code changed)
• If this change affects the UI, I have included before/after screenshots (N/A — no UI changes)
• I have updated relevant documentation to reflect my changes (AGENTS.md §11 + CONTRIBUTING.md pointer)
• I have considered and documented any risks above
• I will address all Greptile and reviewer comments before requesting merge

Closes #4188

[greptile-apps]

Greptile Summary

This PR adds four YAML issue templates, a config.yml disabling blank issues, two new GitHub Actions workflows (auto-label-issues and require-issue-link), an AGENTS.md §11 section for AI agent filers, and a one-line pointer in CONTRIBUTING.md. Previous Greptile-flagged P1s (duplicate bot comments on synchronize, fork 403s with pull_request, and an incomplete closing-keyword regex) are all resolved in this revision.

Confidence Score: 5/5

Safe to merge — no runtime code changed, all workflows follow secure patterns, and prior review findings are addressed.

All changes are in .github/ config and markdown files with no production code impact. The two workflows use minimal permissions, avoid untrusted input interpolation, and the pull_request_target usage is safe because no PR code is checked out. All previously flagged P1 issues are fixed.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/require-issue-link.yml	New workflow that checks PR body for issue-closing keywords using pull_request_target; previous Greptile-flagged issues (duplicate comments, fork 403s, incomplete regex) are all fixed.
.github/workflows/auto-label-issues.yml	New workflow that self-healingly creates and applies needs-triage label on every new issue; minimal permissions, no shell steps, no untrusted input interpolation.
.github/ISSUE_TEMPLATE/bug_report.yml	Comprehensive YAML issue form with required environment fields, PII warnings, and privacy checkbox; well-structured for both human and AI agent filers.
.github/ISSUE_TEMPLATE/config.yml	Disables blank issues and adds Discord/Discussions contact links, closing the bypass route for unstructured filings.
AGENTS.md	Adds §11 for AI agent issue-filing guidance and fixes pre-existing duplicate §11 numbering by renumbering to §12/§13.
CONTRIBUTING.md	Adds one-line callout at the top directing issue filers to templates and question-askers to Discord/Discussions.
.github/ISSUE_TEMPLATE/feature_request.yml	Feature request form with pre-submission checklist, subsystem picker, and invariants impact field referencing AGENTS.md §5.
.github/ISSUE_TEMPLATE/enhancement.yml	Enhancement form covering before/after behaviour and breaking-change check for improvements to existing functionality.
.github/ISSUE_TEMPLATE/docs_issue.yml	Lightweight 4-field docs issue template; appropriately minimal for documentation problems.

_{Reviews (5): Last reviewed commit: "fix(require-issue-link): paginate commen..." | Re-trigger Greptile}

[greptile-apps]

Duplicate bot comments on each push

Because the trigger includes synchronize, every commit pushed to a PR that still lacks an issue link will post a brand-new "Missing issue link" comment — there is no deduplication guard. A contributor who pushes 10 commits before noticing the requirement ends up with 10 identical bot comments on their PR.

A common fix is to check whether the bot has already commented before posting, or to limit the trigger to only opened and edited (since contributors add the link by editing the PR body):

    types: [opened, edited, reopened]

If synchronize coverage is still wanted, the github-script step should search existing comments and skip posting when an identical message is already present.

Prompt To Fix With AI

This is a comment left during a code review.
Path: .github/workflows/require-issue-link.yml
Line: 11

Comment:
**Duplicate bot comments on each push**

Because the trigger includes `synchronize`, every commit pushed to a PR that still lacks an issue link will post a brand-new "Missing issue link" comment — there is no deduplication guard. A contributor who pushes 10 commits before noticing the requirement ends up with 10 identical bot comments on their PR.

A common fix is to check whether the bot has already commented before posting, or to limit the trigger to only `opened` and `edited` (since contributors add the link by editing the PR body):

```yaml
    types: [opened, edited, reopened]
```

If `synchronize` coverage is still wanted, the `github-script` step should search existing comments and skip posting when an identical message is already present.

How can I resolve this? If you propose a fix, please make it concise.

[Omee11]

Fixed in commit c858806. Dropped synchronize from the trigger types — adding a Closes/Fixes/Resolves reference happens by editing the PR body (which fires edited), so the check still runs when the reference is added after opening, without the duplicate-comment loop. Went with the simpler trigger-scope fix rather than dedup-via-search to keep the workflow's logic minimal.

[greptile-apps]

Comment step silently fails on fork PRs

With the pull_request trigger, GitHub issues a read-only GITHUB_TOKEN to workflows running against PRs from forks, regardless of the permissions: block declared here. The issues.createComment call will return a 403 for any external contributor submitting from a fork, so the helpful "Missing issue link" message is never delivered — contributors see only a failed check with no explanation.

The standard approach for workflows that need write access on fork PRs is pull_request_target. Since neither step checks out the PR's code (the grep step only reads an env var and the github-script step only calls the REST API), switching the trigger is safe here:

on:
  pull_request_target:
    types: [opened, edited, reopened, synchronize]

pull_request_target runs in the base-branch context and carries a full-permission token, while the PR body is still accessed via github.event.pull_request.body.

Prompt To Fix With AI

This is a comment left during a code review.
Path: .github/workflows/require-issue-link.yml
Line: 13-15

Comment:
**Comment step silently fails on fork PRs**

With the `pull_request` trigger, GitHub issues a read-only `GITHUB_TOKEN` to workflows running against PRs from forks, regardless of the `permissions:` block declared here. The `issues.createComment` call will return a 403 for any external contributor submitting from a fork, so the helpful "Missing issue link" message is never delivered — contributors see only a failed check with no explanation.

The standard approach for workflows that need write access on fork PRs is `pull_request_target`. Since neither step checks out the PR's code (the grep step only reads an env var and the github-script step only calls the REST API), switching the trigger is safe here:

```yaml
on:
  pull_request_target:
    types: [opened, edited, reopened, synchronize]
```

`pull_request_target` runs in the base-branch context and carries a full-permission token, while the PR body is still accessed via `github.event.pull_request.body`.

How can I resolve this? If you propose a fix, please make it concise.

[Omee11]

Fixed in commit c858806. Switched the trigger to pull_request_target. Confirmed this is safe here because neither step checks out PR-supplied code — the grep step only reads $PR_BODY from an env var, and the github-script step only calls the REST API with trusted context values (owner, repo, PR number). No untrusted content is executed or written at any point. The body of the PR also now calls this out explicitly under "Changes from Greptile review".

[Omee11]

@greptileai rereview

Both P1 issues from the initial review have been addressed in commit c858806:

1. Duplicate bot comments under synchronize — dropped synchronize from the trigger list. Adding a Closes/Fixes/Resolves reference happens via editing the PR body (fires edited), so the check still runs at the right moment without the dedup loop.
2. Fork PRs got read-only GITHUB_TOKEN under pull_request — switched to pull_request_target. Safe here because neither step checks out PR-supplied code: the grep step reads $PR_BODY from an env var, and the github-script step only calls the REST API with trusted context values.

Both threaded replies are on the original inline comments, and the PR body has a new "Changes from Greptile review" section documenting the fixes.

[Omee11]

@greptileai rereview

The P2 dedup-guard concern is addressed in commit 1889a67. Added a guard that lists existing PR comments and skips posting when a Bot-authored comment starting with ## Missing issue link is already present — so title edits no longer accumulate duplicate bot comments.

The check itself still fails unconditionally when the issue link is missing (core.setFailed stays outside the guard) — only the comment is skipped on repeats, so CI remains blocked until the contributor adds the Closes/Fixes/Resolves reference.

[greptile-apps]

Regex misses several valid GitHub closing keywords

GitHub's full set of auto-closing keywords includes all tenses: close, closes, closed, fix, fixes, fixed, resolve, resolves, resolved. The current pattern only covers the present-tense third-person forms (closes, fixes, resolves), so a contributor who writes Fixed #123 or Closed #4188 will receive a failing check and a bot comment even though GitHub would correctly close the issue on merge.

Suggested change

	if printf '%s' "$PR_BODY" | grep -qiE '(closes|fixes|resolves)\s+#[0-9]+'; then
	echo "found=true" >> "$GITHUB_OUTPUT"
	else
	echo "found=false" >> "$GITHUB_OUTPUT"
	fi
	if printf '%s' "$PR_BODY" | grep -qiE '(close[sd]?|fix(e[sd])?|resolve[sd]?)\s+#[0-9]+'; then

Prompt To Fix With AI

This is a comment left during a code review.
Path: .github/workflows/require-issue-link.yml
Line: 36-40

Comment:
**Regex misses several valid GitHub closing keywords**

GitHub's full set of auto-closing keywords includes all tenses: `close`, `closes`, `closed`, `fix`, `fixes`, `fixed`, `resolve`, `resolves`, `resolved`. The current pattern only covers the present-tense third-person forms (`closes`, `fixes`, `resolves`), so a contributor who writes `Fixed #123` or `Closed #4188` will receive a failing check and a bot comment even though GitHub would correctly close the issue on merge.

```suggestion
          if printf '%s' "$PR_BODY" | grep -qiE '(close[sd]?|fix(e[sd])?|resolve[sd]?)\s+#[0-9]+'; then
```

How can I resolve this? If you propose a fix, please make it concise.

[Omee11]

Fixed in commit 37f4f54. Applied the suggested regex verbatim. Sanity-checked locally against all 9 keyword variants (close/closes/closed, fix/fixes/fixed, resolve/resolves/resolved), case-insensitive forms (Close, FIXED), and non-matches (closing, fixes without #, bug #1) — all behave as expected. Thanks for catching this.

[Omee11]

@greptileai rereview

Regex scope fix applied in commit 37f4f54 — now matches GitHub's full set of auto-closing keywords across all tenses (close/closes/closed, fix/fixes/fixed, resolve/resolves/resolved). Reply posted on the inline comment with sanity-check details.

[Omee11]

@greptileai rereview

Pagination P2 addressed in commit 9e4fa34. Swapped the direct listComments call for github.paginate(github.rest.issues.listComments, ...) so the dedup check walks every page of comments, not just the first 100. Same flat array shape, so the .some(...) check is unchanged. API cost stays bounded — the workflow only runs on three events (opened, edited, reopened), so even a PR with 1,000+ comments costs at most ~10 REST calls per trigger.