feat(review): request human reviewers for spec PRs from external contributors

[captainsafia]

Summary

Spec-only PRs (markdown-only) from external contributors previously received an automated agent review as a COMMENT but no human reviewer was ever pinged. This PR wires up reviewer pinging for spec PRs from non-members so the right maintainers are notified.

Changes

• _MAX_SPEC_REVIEWERS = 2 — new constant capping reviewers pinged for a single spec PR
• _resolve_spec_reviewer_request() — new helper that extracts recommended_reviewers from review.json for spec-only non-member PRs (capped at 2, filtered to STAKEHOLDERS)
• is_spec_non_member — new flag in main() (spec_only and _is_non_member_pr(pr)) that selects the spec reviewer path without entering the APPROVE/REQUEST_CHANGES gate
• Prompt section — when is_spec_non_member, the agent receives a "Spec Reviewer Request" section instructing it to identify 1-2 best-fit reviewers from .github/STAKEHOLDERS based on the spec content and path patterns
• Reviewer request — after posting the COMMENT review, the workflow calls create_review_request with the normalized reviewer list (best-effort; errors are logged but don't fail the workflow)
• Short-circuit update — the empty-review short-circuit now only fires when there are no reviewers to request, so spec PRs with reviewers always get their review + request posted
• Completion message — _format_review_completion_message now returns a spec-specific message when event is COMMENT but reviewers are present
• Tests — new ResolveSpecReviewerRequestTest class (6 cases) and a new test_comment_with_reviewers_mentions_logins case; all 59 tests pass

Behavior

PR type	Before	After
Spec PR from org member	COMMENT, no ping	COMMENT, no ping (unchanged)
Spec PR from external contributor	COMMENT, no ping	COMMENT, request 1-2 STAKEHOLDERS reviewers
Implementation PR from external contributor	APPROVE/REQUEST_CHANGES + ping on APPROVE	Unchanged

Conversation: https://staging.warp.dev/conversation/dec82960-2e0e-456d-ae79-8870b7433ae3
Run: https://oz.staging.warp.dev/runs/019dd0a6-6894-78c9-868b-0481c96f3ec2

This PR was generated with Oz.

[oz-for-oss]

@captainsafia

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and posted feedback on this pull request.

Powered by Oz

[oz-for-oss]

Overview

This adds a dedicated spec-only non-member path so the workflow can keep COMMENT reviews for spec PRs while still requesting 1-2 human reviewers from .github/STAKEHOLDERS. The split between the implementation-PR gate and the new spec-reviewer flow is clear, and I did not find any separate security issues in the changed code.

Concerns

• _normalize_reviewer_logins() still de-duplicates case-sensitively, so the new spec-reviewer path can preserve mixed-case duplicates like Alice/alice and hand the same GitHub reviewer to create_review_request() twice. Because reviewer requests are best-effort here, a GitHub validation failure would silently drop the human ping this change is trying to add.
• I could not execute test_review_pr.py in this environment because the github dependency is not installed, so the review is based on the diff plus the added unit coverage.

Verdict

Found: 0 critical, 1 important, 0 suggestions

Request changes

Powered by Oz

[oz-for-oss]

⚠️ [IMPORTANT] This new path inherits _normalize_reviewer_logins()'s case-sensitive dedupe, so a reviewer list like ['Alice', 'alice'] will survive normalization and can hand the same GitHub account to create_review_request() twice. Because reviewer requests are best-effort here, that can silently drop the human ping this PR is trying to add. Please normalize the dedupe key to lowercase and add a mixed-case regression test for the spec reviewer path.