From 6c5cb2ffa71e684eedfea622fbd747ac07840bda Mon Sep 17 00:00:00 2001
From: ghost <49853598+JSONbored@users.noreply.github.com>
Date: Wed, 27 May 2026 14:32:55 -0700
Subject: [PATCH 1/2] fix(submissions): keep high-risk import-ready entries out of ready triage

---
 packages/registry/src/submission.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/registry/src/submission.js b/packages/registry/src/submission.js
index 9a8400414c..e861fb3f28 100644
--- a/packages/registry/src/submission.js
+++ b/packages/registry/src/submission.js
@@ -932,6 +932,7 @@ function submissionTriageGroup({ report, risk, status }) {
 if (status === "close_eligible") return "close_eligible";
 if (status === "stale_reminder_due") return "stale";
 if (submissionLooksBlocked({ report, risk })) return "blocked";
+ if (status === "import_ready" && risk.riskTier === "high") return "blocked";
 if (submissionLooksPromotional({ report, risk })) {
 return "likely_promo_spam";
 }

From 5cfa1b0a24197caa81b0f0d9420a4cb6c5b27530 Mon Sep 17 00:00:00 2001
From: JSONbored <49853598+JSONbored@users.noreply.github.com>
Date: Wed, 27 May 2026 22:54:17 -0700
Subject: [PATCH 2/2] fix(submissions): explain high-risk blocked triage

---
 packages/registry/src/submission.js | 3 ++
 tests/submission-intake.test.ts | 54 +++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)

diff --git a/packages/registry/src/submission.js b/packages/registry/src/submission.js
index 0c3ff0f22d..f0fae79b64 100644
--- a/packages/registry/src/submission.js
+++ b/packages/registry/src/submission.js
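Review bot: The new guard in submissionTriageGroup matches exactly one status and one tier (`status === "import_ready" && risk.riskTier === "high"`), so it fails open for anything the comparison does not name. If the tier set has a value above `high`, or `risk.riskTier` can be missing, such an entry would still fall through to the later groups; this cannot be confirmed here because the tier values and the rest of the function are outside the hunk. The same predicate is repeated in the submissionTriageReason hunk of PATCH 2/2 (there against `entry.status`), so the two copies can drift; a small shared helper such as `submissionNeedsRiskReview({ status, risk })` would keep group and reason in step. A comment above the line, e.g. `// High-risk entries never reach "ready", even when schema and policy gates pass.`, would also record why the check sits after submissionLooksBlocked.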
@@ -1016,6 +1016,9 @@ function submissionTriageReason({ entry, report, risk }) {
 : "Schema passed and the submission is ready for maintainer review.";
 }
 if (entry.triageGroup === "blocked") {
+ if (entry.status === "import_ready" && risk.riskTier === "high") {
+ return "High-risk import-ready submissions require manual maintainer risk review before import.";
+ }
 const blockedGate = Object.entries(risk.policyMatrix || {}).find(
 ([, gate]) => gate?.status === "block",
 );
diff --git a/tests/submission-intake.test.ts b/tests/submission-intake.test.ts
index 70d1f7e381..2ace11db6c 100644
--- a/tests/submission-intake.test.ts
+++ b/tests/submission-intake.test.ts
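Review bot: The high-risk message is returned before the `blockedGate` lookup, so an entry that is both high-risk import-ready and carries a policy gate with `status === "block"` would report the generic risk-review reason instead of the specific gate. In submissionTriageGroup the order is the other way round (submissionLooksBlocked is checked first), so group and reason can disagree about why the entry is blocked; whether the two conditions can co-occur is not visible here. Consider running the lookup first and using the new text only as the fallback, e.g. `if (!blockedGate && entry.status === "import_ready" && risk.riskTier === "high") { ... }` placed after the `find`. The remainder of the blocked branch lies outside the hunk.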
@@ -1245,6 +1245,60 @@ Reads the configured API key from the local environment and sends requests to th
 expect(risk.policyDecision).toBe("auto_import_eligible");
 });
 
+ it("blocks high-risk import-ready submissions with a specific review reason", () => {
+ const submission = issue(`### Name
+Xquik MCP Server
+
+### Slug
+xquik-mcp-server
+
+### Category
+mcp
+
+### Public contact
+@xquik
+
+### GitHub URL
+https://github.com/Xquik-dev/x-twitter-scraper
+
+### Docs URL
+https://docs.xquik.com/mcp/overview
+
+### Description
+Remote MCP server for X and Twitter automation, tweet search, webhooks, and confirmation-gated posting.
+
+### Card description
+MCP server for social media posting workflows.
+
+### Install command
+npx -y mcp-remote@0.1.38 https://xquik.com/mcp --header x-api-key:\${XQUIK_API_KEY}
+
+### Usage snippet
+Use an API key for Xquik social media posting workflows.
+
+### Safety notes
+Can post, reply, send DMs, or update profiles through the configured Xquik account.
+
+### Privacy notes
+Reads the configured API key and sends social media workflow requests to Xquik.`);
+ const queue = buildSubmissionQueue([submission], {
+ now: "2026-04-30T00:00:00Z",
+ });
+ const [entry] = queue.entries;
+
+ expect(entry.status).toBe("import_ready");
+ expect(entry.riskTier).toBe("high");
+ expect(entry.policyDecision).toBe("maintainer_review");
+ expect(entry.triageGroup).toBe("blocked");
+ expect(entry.triageReason).toContain(
+ "High-risk import-ready submissions require manual maintainer risk review",
+ );
+ expect(entry.nextAction).toBe("review_risk");
+ expect(queue.summary.ready).toBe(0);
+ expect(queue.summary.blocked).toBe(1);
+ expect(queue.summary.importReady).toBe(1);
+ });
+
 it("preserves commas inside newline-delimited safety and privacy notes", () => {
 const submission = issue(`### Name
 Comma Notes MCP
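Review bot: The assertions pin that the entry keeps `status` "import_ready" and is still counted in `queue.summary.importReady` while being triaged as blocked, so the block exists only at the triage-group level. Any consumer that selects on `status` or on the `importReady` count rather than on `triageGroup` or `policyDecision` would still see a high-risk entry as importable; no such consumer is visible in this patch, so this needs confirming. A comment above these assertions such as `// status stays import_ready by design; importers must gate on triageGroup/policyDecision` would make the contract explicit. A companion case asserting that a non-high-risk import-ready entry still lands in `ready` would guard against the gate widening or narrowing by accident.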