feat: add support for `/stdlib todo` slash command by anandkaranubc · Pull Request #12014 · stdlib-js/stdlib

anandkaranubc · 2026-05-09T18:07:04Z

Resolves stdlib-js/metr-issue-tracker#185

Description

What is the purpose of this pull request?

This pull request:

adds support for /stdlib todo slash command

Related Issues

Does this pull request have any related issues?

This pull request has the following related issues:

[RFC]: add support for a stdlib-bot todo command metr-issue-tracker#185

Questions

Any questions for reviewers of this pull request?

No.

Other

Any other information relevant to this pull request? This may include screenshots, references, and/or implementation notes.

No.

Checklist

Please ensure the following tasks are completed before submitting this pull request.

Read, understood, and followed the contributing guidelines.

AI Assistance

When authoring the changes proposed in this PR, did you use any kind of AI assistance?

Yes
No

If you answered "yes" above, how did you use AI assistance?

Code generation (e.g., when writing an implementation or fixing a bug)
Test/benchmark generation
Documentation (including examples)
Research and understanding

Disclosure

If you answered "yes" to using AI assistance, please provide a short disclosure indicating how you used AI assistance. This helps reviewers determine how much scrutiny to apply when reviewing your contribution. Example disclosures: "This PR was written primarily by Claude Code." or "I consulted ChatGPT to understand the codebase, but the proposed changes were fully authored manually by myself.".

Used Cursor+VS Code code-generation tools to help assist with the feature.

@stdlib-js/reviewers

--- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: na - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

--- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: passed - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

--- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: na - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

--- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: passed - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

…al fields --- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: passed - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

--- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: passed - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

--- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: na - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

kgryte

Left a few more comments.

--- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: na - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

--- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: passed - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

--- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: na - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

--- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: passed - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

--- type: pre_commit_static_analysis_report description: Results of running static analysis checks when committing changes. report: - task: lint_filenames status: passed - task: lint_editorconfig status: passed - task: lint_markdown_pkg_readmes status: na - task: lint_markdown_docs status: na - task: lint_markdown status: na - task: lint_package_json status: na - task: lint_repl_help status: na - task: lint_javascript_src status: na - task: lint_javascript_cli status: na - task: lint_javascript_examples status: na - task: lint_javascript_tests status: na - task: lint_javascript_benchmarks status: na - task: lint_python status: na - task: lint_r status: na - task: lint_c_src status: na - task: lint_c_examples status: na - task: lint_c_benchmarks status: na - task: lint_c_tests_fixtures status: na - task: lint_shell status: passed - task: lint_typescript_declarations status: passed - task: lint_typescript_tests status: na - task: lint_license_headers status: passed ---

Co-authored-by: Athan <kgryte@gmail.com> Signed-off-by: Athan <kgryte@gmail.com>

kgryte

Looks to good to me.

Would be good for @Planeshifter to have a look, with particular regard for any potential security concerns.

Co-authored-by: Athan <kgryte@gmail.com> Signed-off-by: Athan <kgryte@gmail.com>

kgryte · 2026-05-17T08:18:26Z

@Planeshifter In particular, we want to ensure that we don't need any additional guards to prevent secret exfiltration.

Planeshifter

Looks good to me overall, including from a security perspective.

For consistency, let's use the same condition as in 89f67e9,

&& contains(fromJSON('["OWNER","MEMBER"]'), github.event.comment.author_association)

in addition to the runtime check. One advantage is that write-scoped PAT is never provisioned onto a runner for a non-member and we save CI minutes, but there is no exploitable attack vector here.

One problem might be that for issue comments at least, the slash commands workflow is also triggered for edits. Since there are no checks for whether issue was already created for a comment, edits of a /todo comment might unexpectedly create additional issues. Not a blocker in my view but something that would better be addressed.

kgryte · 2026-06-03T06:39:35Z

One problem might be that for issue comments at least, the slash commands workflow is also triggered for edits. Since there are no checks for whether issue was already created for a comment, edits of a /todo comment might unexpectedly create additional issues. Not a blocker in my view but something that would better be addressed.

I suppose we could go two ways here:

Authors have to simply know that comments, once written, cannot be edited.
We somehow persist a comment ID and its associated issue ID. In this scenario, before opening an issue, we'd need to check the persistence store. If not present, create the issue. If already present, then we'd be left with a choice. We could either update the existing issue OP or we could do nothing. The former is slightly problematic as the issue OP could be independently edited after creation and overwriting would undo those changes. That doesn't seem desirable. For the latter, we could post a follow-up comment stating that the edit is purely local, but this just seems like additional complication.

As I don't see this being heavily used (abused) by maintainers, I think it is fine to punt the responsibility to authors to know that todo comments should not be edited.

I suppose a third possibility is to do (2), but instead of overwriting the OP, the bot could post a verbatim comment to the existing issue thread.

Again, not sure if it is worth the effort.

@anandkaranubc At a minimum, we can update the bot response comment after issue creation to state that any subsequent edits should be made to the issue itself rather than by updating the todo comment.

anandkaranubc added 2 commits May 9, 2026 11:02

Merge branch 'develop' into stdlib-todo-bot

7bf24b8

anandkaranubc requested a review from a team May 9, 2026 18:07

stdlib-bot added the Needs Review A pull request which needs code review. label May 9, 2026

anandkaranubc added Feature Issue or pull request for adding a new feature. METR Pull request associated with the METR project. labels May 9, 2026

anandkaranubc commented May 9, 2026

View reviewed changes

Comment thread .github/workflows/slash_commands.yml Outdated

anandkaranubc commented May 9, 2026

View reviewed changes

Comment thread .github/workflows/slash_commands.yml Outdated

Comment thread .github/workflows/slash_commands.yml Outdated

Comment thread .github/workflows/slash_commands.yml Outdated

Comment thread .github/workflows/slash_commands.yml Outdated

anandkaranubc requested a review from kgryte May 9, 2026 18:19

anandkaranubc changed the title ~~feat: add support for /stdlib todo slash command~~ build: add support for /stdlib todo slash command May 9, 2026

anandkaranubc added the CI Issue or pull request specific to continuous integration environments. label May 9, 2026

anandkaranubc changed the title ~~build: add support for /stdlib todo slash command~~ feat: add support for /stdlib todo slash command May 9, 2026

kgryte reviewed May 12, 2026

View reviewed changes

Comment thread .github/workflows/slash_commands.yml Outdated

kgryte reviewed May 12, 2026

View reviewed changes

Comment thread .github/workflows/slash_commands.yml Outdated

anandkaranubc added 2 commits May 13, 2026 20:53

Merge branch 'develop' into stdlib-todo-bot

d62e280

kgryte added Needs Changes Pull request which needs changes before being merged. and removed Needs Review A pull request which needs code review. labels May 14, 2026

anandkaranubc added 8 commits May 14, 2026 20:33

Merge branch 'develop' into stdlib-todo-bot

b3b6379

kgryte reviewed May 16, 2026

View reviewed changes

Comment thread .github/workflows/scripts/create_todo_issue/run Outdated

kgryte reviewed May 16, 2026

View reviewed changes

Comment thread .github/workflows/scripts/create_todo_issue/run Outdated

kgryte reviewed May 16, 2026

View reviewed changes

Comment thread .github/workflows/scripts/create_todo_issue/run Outdated

kgryte reviewed May 16, 2026

View reviewed changes

Comment thread .github/workflows/scripts/create_todo_issue/run Outdated

kgryte reviewed May 16, 2026

View reviewed changes

Comment thread .github/workflows/scripts/create_todo_issue/run Outdated

kgryte reviewed May 16, 2026

View reviewed changes

Comment thread .github/workflows/create_todo_issue.yml Outdated

kgryte requested changes May 16, 2026

View reviewed changes

anandkaranubc added 10 commits May 15, 2026 19:42

Merge branch 'develop' into stdlib-todo-bot

a5c351d

anandkaranubc added Needs Review A pull request which needs code review. and removed Needs Changes Pull request which needs changes before being merged. labels May 16, 2026

kgryte removed the Needs Review A pull request which needs code review. label May 17, 2026

kgryte reviewed May 17, 2026

View reviewed changes

Comment thread .github/workflows/scripts/create_todo_issue/run Outdated

Apply suggestions from code review

fc87d75

Co-authored-by: Athan <kgryte@gmail.com> Signed-off-by: Athan <kgryte@gmail.com>

kgryte reviewed May 17, 2026

View reviewed changes

Comment thread .github/workflows/scripts/create_todo_issue/run Outdated

Apply suggestions from code review

9887bb2

Co-authored-by: Athan <kgryte@gmail.com> Signed-off-by: Athan <kgryte@gmail.com>

kgryte requested a review from Planeshifter May 17, 2026 08:17

stdlib-bot added the Needs Review A pull request which needs code review. label May 17, 2026

Planeshifter approved these changes Jun 3, 2026

View reviewed changes

Uh oh!

Conversation

anandkaranubc commented May 9, 2026

Description

Related Issues

Questions

Other

Checklist

AI Assistance

Disclosure

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

kgryte left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

kgryte left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

kgryte commented May 17, 2026

Uh oh!

Planeshifter left a comment

Choose a reason for hiding this comment

Uh oh!

kgryte commented Jun 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants