Refs #406: Guard webhook native bounty ids

[Baijack-star]

Summary

• keep accepted-label webhook payout parsing from treating live/native/internal MRWK bounty ids as GitHub issue references
• accept explicit issue #<number> / issues #<number> references in PR bodies so mixed evidence text like live bounty #66 / issue #406 can still pay the intended GitHub bounty issue
• add regression coverage where a real GitHub issue Prefill linked wallet on claim form #66 bounty exists, proving the webhook pays issue MRWK bounty: useful bug reports and small fixes, round 5 #406 instead of the native-id lookalike

Evidence

• Existing accepted-label webhook parsing treated any bounty #... text as a GitHub issue reference before payout lookup.
• Live bounty preflight/evidence text often includes native MRWK ids such as live bounty #66, native bounty #66, or internal bounty #66 beside the actual GitHub issue reference.
• In a mixed body, the wrong native id can be selected first if an issue with that number also has a bounty; otherwise a valid issue #406 text was not parsed.

Validation

• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 ./.venv/bin/python -m pytest tests/test_webhooks.py -q -> 19 passed
• ./.venv/bin/python -m ruff check app/webhooks/github.py tests/test_webhooks.py -> passed
• ./.venv/bin/python -m ruff format --check app/webhooks/github.py tests/test_webhooks.py -> passed
• ./.venv/bin/python -m mypy app/webhooks/github.py -> passed
• git diff --check -> clean

No private keys, cookies, tokens, wallet JSON, browser storage, OAuth state, signatures, private data, price claims, liquidity claims, exchange claims, or off-ramp claims are added.

Summary by CodeRabbit

• Bug Fixes

  • Improved detection of bounty references in GitHub webhook handling to avoid false matches from native/internal bounty formats.
  • Reduced incorrect selection of lookalike bounty IDs when multiple bounties are referenced.

• Tests

  • Added a test ensuring labeled PR webhooks ignore native/internal bounty mentions and correctly select the intended bounty, with expected payment and processing outcomes.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f4e785f7-6967-4254-a761-8a23a7f8bc16

📥 Commits

Reviewing files that changed from the base of the PR and between dfdc60a and 1467986.

📒 Files selected for processing (1)

• tests/test_webhooks.py

---

📝 Walkthrough

Walkthrough

The PR tightens bounty keyword matching in GitHub webhook parsing by adding negative lookbehind constraints to the LINKED_ISSUE_RE regex, preventing bounty matches when preceded by live , mrwk , native , or internal . A new test validates the webhook handler correctly selects bounties by GitHub issue reference, not native bounty IDs.

Changes

Bounty Keyword Matching

Layer / File(s)	Summary
LINKED_ISSUE_RE regex pattern update app/webhooks/github.py	LINKED_ISSUE_RE regex applies negative lookbehind to the bounty token (excluding live , mrwk , native , internal ) and removes bounty from the second alternation so those exclusions only apply to the bounty branch.
Webhook test for native bounty ID exclusion tests/test_webhooks.py	New test seeds competing bounties and sends multiple pull_request labeled webhook deliveries with PR bodies referencing native/internal bounty id #66, asserting each delivery is processed as paid, contributor balance equals the expected total, and a WebhookEvent row exists per delivery with processed_status == "paid".

Possibly related PRs

• ramimbo/mergework#296: Both PRs modify GitHub webhook linked-issue parsing and add webhook tests around accepted-label bounty selection.

🚥 Pre-merge checks | ✅ 6

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Refs #406: Guard webhook native bounty ids' is concrete and directly names the changed surface - the webhook bounty ID parsing logic.
Description check	✅ Passed	The description includes a clear summary, evidence of the problem, validation steps with passing results, and links to issue #406 as required.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Mergework Public Artifact Hygiene	✅ Passed	PR contains only webhook parsing code and test changes. No investment, price, cash-out, off-ramp, or security claims found in code, comments, or documentation.
Bounty Pr Focus	✅ Passed	PR diff matches stated files and implementation: regex filters native bounty IDs, test covers four variants with valid assertions, validation documented (pytest 19 passed), focused scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tinyopsstudio]

Reviewed PR #548 at dfdc60a1537ccf2d5f5a32777bddd2724666502d for the accepted-label webhook native bounty-id parser.

Evidence checked:

• inspected app/webhooks/github.py and the new regression coverage in tests/test_webhooks.py;
• confirmed the regex keeps plain bounty #406, refs ramimbo/mergework#406, and explicit issue #406 references working;
• confirmed live bounty #66 / issue #406 and MRWK bounty #66 maps to issues #406 resolve to [406] instead of the native/live id.

Validation:

• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest tests/test_webhooks.py -q -> 19 passed
• uv run --extra dev ruff check app/webhooks/github.py tests/test_webhooks.py -> passed
• uv run --extra dev ruff format --check app/webhooks/github.py tests/test_webhooks.py -> 2 files already formatted
• git diff --check origin/main...HEAD -> clean

Assessment: no blocker found. The patch is narrow and preserves the existing accepted-label GitHub issue reference paths while filtering the native/live MRWK bounty-id lookalikes that can otherwise select the wrong bounty.

[coderabbitai]

Actionable comments posted: 1

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f8e8806e-c0cb-470a-980d-d00d85b6c8c8

📥 Commits

Reviewing files that changed from the base of the PR and between d8532d4 and dfdc60a.

📒 Files selected for processing (2)

• app/webhooks/github.py
• tests/test_webhooks.py

[Baijack-star]

Addressed the CodeRabbit coverage note in 1467986: added the explicit MRWK bounty #66 / issue #406 regression case and updated the aggregate balance assertion to derive from the case count.

Validation after the follow-up:

• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 ./.venv/bin/python -m pytest tests/test_webhooks.py -q -> 19 passed
• ./.venv/bin/python -m ruff check app/webhooks/github.py tests/test_webhooks.py -> passed
• ./.venv/bin/python -m ruff format --check app/webhooks/github.py tests/test_webhooks.py -> passed
• ./.venv/bin/python -m mypy app/webhooks/github.py -> passed
• git diff --check -> clean

[yui-stingray]

Reviewed current head 14679860a986e724a19df5b46fbf33d60371ffa0 for the accepted-label webhook native bounty-id parsing change after the follow-up regression case.

No blocker found in this pass. The negative lookbehind guard now skips live bounty, mrwk bounty, native bounty, and internal bounty phrases before matching the later GitHub issue reference, so native MRWK bounty ids in PR prose are not treated as payable GitHub issue numbers. The new parametrized coverage exercises all four phrases, including the follow-up MRWK bounty #66 / issue #406 case, and verifies the payout goes to the #406 bounty amount instead of the native-id lookalike.

Validation:

• Inspected app/webhooks/github.py and tests/test_webhooks.py on the current head.
• pytest tests/test_webhooks.py -q --capture=no with plugin autoload disabled: 19 passed.
• ruff check app/webhooks/github.py tests/test_webhooks.py: passed.
• ruff format --check app/webhooks/github.py tests/test_webhooks.py: 2 files already formatted.
• git diff --check origin/main...HEAD: clean.
• Latest CodeRabbit summary had no actionable comments, and hosted quality/readiness checks are green.

[jakerated-r]

Requesting changes for mergeability, not for the focused webhook behavior.

I reviewed current head 14679860a986e724a19df5b46fbf33d60371ffa0 as a non-author. The native/live/internal MRWK bounty-id guard itself looks scoped and tested, and the branch passes its local checks, but it cannot be merged into current origin/main as-is.

Evidence checked:

• inspected the PR diff: app/webhooks/github.py and tests/test_webhooks.py, 86 insertions / 1 deletion;
• confirmed the new regression cases cover live bounty #66 / issue #406, MRWK bounty #66 / issue #406, native bounty #66 maps to issue #406, and internal bounty #66; issue #406;
• confirmed hosted checks are green, but GitHub reports this PR as CONFLICTING;
• reproduced the merge blocker locally with git merge --no-commit --no-ff origin/main.

Validation run locally on the PR head:

• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest tests/test_webhooks.py -q -> 19 passed
• uv run --extra dev ruff check app/webhooks/github.py tests/test_webhooks.py -> passed
• uv run --extra dev ruff format --check app/webhooks/github.py tests/test_webhooks.py -> 2 files already formatted
• uv run --extra dev python -m mypy app/webhooks/github.py -> success
• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python scripts/docs_smoke.py -> docs smoke ok
• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --extra dev python -m pytest -q -> 415 passed, 1 warning
• git diff --check origin/main...HEAD -> clean

Mergeability repro:

Auto-merging app/webhooks/github.py
CONFLICT (content): Merge conflict in app/webhooks/github.py
Auto-merging tests/test_webhooks.py
CONFLICT (content): Merge conflict in tests/test_webhooks.py
Automatic merge failed; fix conflicts and then commit the result.

So the remaining blocker is a rebase/conflict-resolution pass against current main, especially around LINKED_ISSUE_RE in app/webhooks/github.py and the overlapping webhook regression additions in tests/test_webhooks.py. No private data, credentials, cookies, wallet material, signatures, production mutation, price/liquidity/exchange/off-ramp claims, or fabricated payout claims were used.

[eliasx45]

Reviewed PR #548 at head 14679860a986e724a19df5b46fbf33d60371ffa0 for the accepted-label webhook native/live/internal bounty-id parsing change.

The focused behavior looks right on this branch: the new cases keep native MRWK bounty-id prose such as live bounty #66, MRWK bounty #66, native bounty #66, and internal bounty #66 from being treated as the GitHub issue bounty, while the later explicit issue #406 / issues #406 reference still drives the payout target.

Blocking issue:

• The branch is no longer mergeable against current origin/main.
• Reproduced locally with git merge --no-commit --no-ff origin/main:

Auto-merging app/webhooks/github.py
CONFLICT (content): Merge conflict in app/webhooks/github.py
Auto-merging tests/test_webhooks.py
CONFLICT (content): Merge conflict in tests/test_webhooks.py
Automatic merge failed; fix conflicts and then commit the result.

Please rebase or merge current main and resolve the overlapping webhook parser/test changes before this can land.

Validation run locally on the PR head before the mergeability probe:

• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .\.venv\Scripts\python.exe -m pytest tests\test_webhooks.py -q -> 19 passed
• .\.venv\Scripts\python.exe -m ruff check app\webhooks\github.py tests\test_webhooks.py -> all checks passed
• .\.venv\Scripts\python.exe -m ruff format --check app\webhooks\github.py tests\test_webhooks.py -> 2 files already formatted
• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .\.venv\Scripts\python.exe -m mypy app\webhooks\github.py -> success
• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .\.venv\Scripts\python.exe scripts\docs_smoke.py -> docs smoke ok
• git diff --check origin/main...HEAD -> clean

Requesting changes for the merge conflict, not for the focused webhook behavior.

[ramimbo]

Maintainer cleanup note: holding this until the branch is rebased or otherwise updated. The focused behavior may be useful, but the branch currently conflicts with origin/main in app/webhooks/github.py and tests/test_webhooks.py.