This playbook is the operational companion to docs/pr-workflow.md.
For broader documentation navigation, use docs/README.md.
- Purpose: define a deterministic reviewer operating model that keeps review quality high under heavy PR volume.
- Audience: maintainers, reviewers, and agent-assisted reviewers.
- Scope: intake triage, risk-to-depth routing, deep-review checks, automation overrides, and handoff protocol.
- Non-goals: replacing PR policy authority in
CONTRIBUTING.mdor workflow authority in CI files.
Use this section to route quickly before reading full detail.
- Leave one actionable checklist comment.
- Stop deep review until intake blockers are fixed.
Go to:
- Treat as
risk: highby default. - Require deep review and explicit rollback evidence.
Go to:
- Apply override protocol (
risk: manual, dedupe comments/labels). - Continue review with explicit rationale.
Go to:
- Handoff with scope/risk/validation/blockers.
- Assign concrete next action.
Go to:
| Risk label | Typical touched paths | Minimum review depth | Required evidence |
|---|---|---|---|
risk: low |
docs/tests/chore, isolated non-runtime changes | 1 reviewer + CI gate | coherent local validation + no behavior ambiguity |
risk: medium |
src/providers/**, src/channels/**, src/memory/**, src/config/** |
1 subsystem-aware reviewer + behavior verification | focused scenario proof + explicit side effects |
risk: high |
src/security/**, src/runtime/**, src/gateway/**, src/tools/**, .github/workflows/** |
fast triage + deep review + rollback readiness | security/failure-mode checks + rollback clarity |
When uncertain, treat as risk: high.
If automated risk labeling is contextually wrong, maintainers can apply risk: manual and set the final risk:* label explicitly.
For every new PR:
- Confirm template completeness (
summary,validation,security,rollback). - Confirm labels are present and plausible:
size:*,risk:*- scope labels (for example
provider,channel,security) - module-scoped labels (
channel:*,provider:*,tool:*) - contributor tier labels when applicable
- Confirm CI signal status (
CI Required Gate). - Confirm scope is one concern (reject mixed mega-PRs unless justified).
- Confirm privacy/data-hygiene and neutral test wording requirements are satisfied.
If any intake requirement fails, leave one actionable checklist comment instead of deep review.
- Scope boundary is explicit and believable.
- Validation commands are present and results are coherent.
- User-facing behavior changes are documented.
- Author demonstrates understanding of behavior and blast radius (especially for agent-assisted PRs).
- Rollback path is concrete (not just “revert”).
- Compatibility/migration impacts are clear.
- No personal/sensitive data leakage in diff artifacts; examples/tests remain neutral and project-scoped.
- If identity-like wording exists, it uses ZeroBuild/project-native roles (not personal or real-world identities).
- Naming and architecture boundaries follow project contracts (
AGENTS.md,CONTRIBUTING.md).
For high-risk PRs, verify at least one concrete example in each category:
- Security boundaries: deny-by-default behavior preserved, no accidental scope broadening.
- Failure modes: error handling is explicit and degrades safely.
- Contract stability: CLI/config/API compatibility preserved or migration documented.
- Observability: failures are diagnosable without leaking secrets.
- Rollback safety: revert path and blast radius are clear.
Prefer checklist-style comments with one explicit outcome:
- Ready to merge (say why).
- Needs author action (ordered blocker list).
- Needs deeper security/runtime review (state exact risk and requested evidence).
Avoid vague comments that create avoidable back-and-forth latency.
Use labels to keep backlog actionable:
r:needs-reprofor incomplete bug reports.r:supportfor usage/support questions better routed outside bug backlog.duplicate/invalidfor non-actionable duplicates/noise.no-stalefor accepted work waiting on external blockers.- Request redaction when logs/payloads include personal identifiers or sensitive data.
When review demand exceeds capacity, apply this order:
- Keep active bug/security PRs (
size: XS/S) at the top of queue. - Ask overlapping PRs to consolidate; close older ones as
supersededafter acknowledgement. - Mark dormant PRs as
stale-candidatebefore stale closure window starts. - Require rebase + fresh validation before reopening stale/superseded technical work.
Use this when automation output creates review side effects:
- Incorrect risk label: add
risk: manual, then set intendedrisk:*label. - Incorrect auto-close on issue triage: reopen issue, remove route label, leave one clarifying comment.
- Label spam/noise: keep one canonical maintainer comment and remove redundant route labels.
- Ambiguous PR scope: request split before deep review.
If handing off review to another maintainer/agent, include:
- Scope summary.
- Current risk class and rationale.
- What has been validated already.
- Open blockers.
- Suggested next action.
- Review stale queue and apply
no-staleonly to accepted-but-blocked work. - Prioritize
size: XS/Sbug/security PRs first. - Convert recurring support issues into docs updates and auto-response guidance.
- README.md — documentation taxonomy and navigation.
- pr-workflow.md — governance workflow and merge contract.
- ci-map.md — CI ownership and triage map.
- actions-source-policy.md — action source allowlist policy.
- Owner: maintainers responsible for review quality and queue throughput.
- Update trigger: PR policy changes, risk-routing model changes, or automation override behavior changes.
- Last reviewed: 2026-02-18.