
feat(enrichment): commit-signature and verified-author provenance #1635

Closed
dale053 wants to merge 7 commits into JSONbored:main from dale053:feat/enrichment-commit-signature-verified-author


Conversation

@dale053 (Contributor) commented Jun 28, 2026

Summary

  • Adds a CommitSignatureFinding type and commitSignature key to BriefFindings in review-enrichment/src/types.ts.
  • Implements review-enrichment/src/analyzers/commit-signature.ts: two-phase GitHub REST analysis of the PR head commit. Phase 1 fetches GET /repos/{owner}/{repo}/commits/{headSha} and checks commit.verification.verified; an unsigned or unverified commit produces a kind: "unsigned" finding with the verification.reason (e.g. "unsigned", "gpgkeys_missing", "no_user"). Phase 2 (verified commits only) fetches up to 20 recent repo commits to compute the verified-commit ratio; if ≥80%, fetches GET /commits?author={login}&per_page=3 — a never-before-seen author in that context produces a kind: "new-committer" finding (supply-chain / impersonation signal). Bounded at 3 API calls per brief; fail-safe on any network error, non-ok response, missing token, or missing sha.
  • Registers the analyzer in src/brief.ts ANALYZERS registry with abort-signal forwarding.
  • Renders a ### Commit-signature / verified-author provenance block in src/render.ts; unsigned findings cite the abbreviated sha + reason; new-committer findings cite the sha + login with an impersonation-risk note. safeCodeSpan wraps all user-controlled values.
  • Adds 17 node:test unit and integration tests covering every branch: missing token/sha, network failure (phases 1 and 2), non-ok responses for all three fetch calls, unsigned detection, null author login, insufficient history, below-threshold verified ratio, known committer, new-committer detection, render block (unsigned, new-committer with login, new-committer with null login), and orchestrator wiring. Total: 61 tests, all passing.

Closes #1517. Parent: #1499.

Scope

  • The PR title follows type(scope): short summary Conventional Commit format, for example fix(api): restore profile access checks.
  • This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • I linked an issue, or this is small enough that the summary explains why an issue is not needed.

Validation

  • git diff --check
  • npm run actionlint
  • npm run typecheck
  • npm run test:coverage locally; codecov/patch requires ≥97% coverage of the lines AND branches you changed (aim for 98%+ on your diff so CI variance does not fail near the threshold). Global coverage is a non-blocking trend with a loose 90% backstop, not the gate.
  • npm run test:workers
  • npm run build:mcp
  • npm run test:mcp-pack
  • npm run ui:openapi:check
  • npm run ui:lint
  • npm run ui:typecheck
  • npm run ui:build
  • npm audit --audit-level=moderate
  • New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

  • All changes are confined to review-enrichment/, which is a standalone Node.js service outside the main Cloudflare Worker build and outside the Codecov src/** include path. The enrichment-service test suite (npm test inside review-enrichment/) runs 61 tests, all passing, including the 17 new commit-signature tests. The root-level CI checks above apply to the Worker and do not cover this service.

Safety

  • No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
  • Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
  • Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests. — N/A: no auth/CORS/session changes.
  • API/OpenAPI/MCP behavior is updated and tested where needed. — N/A: no API schema changes; the enrichment service is an internal analysis layer, not a public endpoint change.
  • UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks. — N/A: no UI changes.
  • Visible UI changes include a UI Evidence section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository. — N/A: no visible UI changes.
  • Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs.

UI Evidence

N/A — no visible UI, frontend, docs, or extension changes.

Notes

  • The githubToken from EnrichRequest is forwarded only in Authorization: Bearer headers for GitHub API calls; it is never logged or included in any finding output.
  • safeCodeSpan is used for all user-controlled strings in the render block (sha, reason, author login) — same convention as every other network-based analyzer in the service.
  • Phase 2 only runs when the head commit is already verified — if it is unsigned, phase 2 is skipped entirely (the unsigned finding is more actionable and the additional API calls would not change the result).
  • The 80% verified-ratio threshold avoids false positives on repos with mixed signing discipline while reliably triggering on repos where signing is a hard requirement.
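The two-phase decision logic described in the Summary above, as an added TypeScript example that is not the PR's code. Fetching is replaced by synchronous callbacks so it runs offline; the finding field names, the GhCommit shape beyond the verification fields, the MIN_HISTORY cutoff and the null-login handling are assumptions.

```typescript
// Subset of the GitHub REST commit object that the check reads.
type GhCommit = {
  sha: string;
  author: { login: string } | null; // null when the email maps to no GitHub account
  commit: { verification: { verified: boolean; reason: string } };
};

// Finding shape is an assumption; the PR's own CommitSignatureFinding may differ.
export type CommitSignatureFinding =
  | { kind: "unsigned"; sha: string; reason: string }
  | { kind: "new-committer"; sha: string; login: string | null };

// Synchronous stand-ins for the two phase-2 REST calls; null models any
// network error or non-ok response, which the analyzer treats as fail-safe.
type Fetchers = {
  recentCommits: () => GhCommit[] | null;              // GET /commits?per_page=20
  authorCommits: (login: string) => GhCommit[] | null; // GET /commits?author=...&per_page=3
};

const VERIFIED_RATIO_THRESHOLD = 0.8; // 80%, as stated in the PR description
const MIN_HISTORY = 5;                // assumption: fewer commits = insufficient history

export function verifiedRatio(commits: GhCommit[]): number {
  if (commits.length === 0) return 0;
  const verified = commits.filter((c) => c.commit.verification.verified).length;
  return verified / commits.length;
}

// Returns one finding, or null when nothing is flagged or data is missing.
export function analyzeCommitSignature(
  head: GhCommit | null,
  fetchers: Fetchers,
): CommitSignatureFinding | null {
  if (head === null) return null; // phase-1 fetch failed: fail-safe, no finding
  const { verified, reason } = head.commit.verification;
  // Phase 1: an unverified head commit is reported as-is and phase 2 is skipped.
  if (!verified) return { kind: "unsigned", sha: head.sha, reason };

  // Phase 2: only repos with strong signing discipline get the new-committer check.
  const recent = fetchers.recentCommits();
  if (recent === null || recent.length < MIN_HISTORY) return null;
  if (verifiedRatio(recent) < VERIFIED_RATIO_THRESHOLD) return null;
  // Assumption: a head commit whose author maps to no account is treated as new.
  const login = head.author?.login ?? null;
  if (login === null) return { kind: "new-committer", sha: head.sha, login: null };
  const prior = fetchers.authorCommits(login);
  if (prior === null) return null;
  return prior.length === 0 ? { kind: "new-committer", sha: head.sha, login } : null;
}
```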

@dale053 dale053 requested a review from JSONbored as a code owner June 28, 2026 00:11
@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Jun 28, 2026

@superagent-security Bot left a comment

Superagent found 1 security concern(s).

Comment thread review-enrichment/src/analyzers/commit-signature.ts Outdated
@superagent-security superagent-security Bot added the pr:flagged PR flagged for review by security analysis. label Jun 28, 2026
@superagent-security superagent-security Bot removed the pr:flagged PR flagged for review by security analysis. label Jun 28, 2026
@gittensory-orb Bot commented Jun 28, 2026

⏸️ Gittensory review — held for maintainer review

5 files · 1 AI reviewer · no blockers · readiness 55/100 · CI green · dirty

| Signal | Result | Evidence |
| --- | --- | --- |
| Code review | ✅ No blockers | 1 reviewer |
| Linked issue | ✅ Linked | #1517 |
| Related work | ⚠️ 3 scoped overlaps | Top overlaps are listed below; lower-confidence bulk is hidden. |
| Review load | ❌ 8/20 | Readiness component derived from cached public PR metadata and labels; size label size:L. |
| Validation evidence | ❌ 5/25 | Cached preflight status is hold. |
| Open PR queue | ❌ 3/10 | 15 open PR(s), 9 likely reviewable, 6 unlinked. |
| Contributor context | ✅ Confirmed | Gittensor contributor dale053; Gittensor profile; 43 PR(s), 20 issue(s). |
| Gate result | ✅ Passing | No configured blocker found. |
Nits — 1 non-blocking
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.
Review context
Contributor next steps
  • Review top overlaps.
  • Add scope summary.
  • Fix blocker.
  • Expect slower review.
  • Refresh registry data or choose a registered active repo.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
  • Open PR queue = repo-wide review pressure; it is not a PR quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

@gittensory-orb gittensory-orb Bot added gittensor Gittensor contributor context gittensor:feature Gittensor-scored feature linked to a feature issue - worth 1.25x multiplier. labels Jun 28, 2026
@JSONbored JSONbored changed the title feat(enrichment): commit-signature and verified-author provenance sca… feat(enrichment): commit-signature and verified-author provenance Jun 28, 2026

@JSONbored (Owner) left a comment

4 merge conflicts due to previous analyzer merges that touched the same files - please fix and resubmit. I recommend submitting analyzer PRs one at a time, to reduce the chances for future merge conflicts.

This branch has conflicts that must be resolved

review-enrichment/src/brief.ts
review-enrichment/src/render.ts
review-enrichment/src/types.ts
review-enrichment/test/enrichment.test.ts

@JSONbored JSONbored closed this Jun 29, 2026
@github-project-automation github-project-automation Bot moved this from Todo to Done in gittensory - v1 roadmap Jun 29, 2026

Development

Successfully merging this pull request may close these issues.

feat(enrichment): Commit-signature / verified-author provenance
