Labels: nrem (NREM Mode finding), nrem:improvement (General improvement), nrem:space (Space-level nrem finding)
Summary
There are 10 draft PRs from copilot/* branches that have been open since late February and mid-March 2026 with no review activity. All associated CI runs are stuck in action_required status (likely awaiting first-run approval for the workflow).
Evidence
| PR # | Title | Branch | Created |
|---|---|---|---|
| #29 | CI hardening, type safety improvements, and DX gaps | copilot/featureci-pipeline-hardening | 2026-03-15 |
| #28 | Fix cross-SDK JSON serialization mismatch | copilot/fix-json-serialization-mismatch | 2026-03-15 |
| #27 | Private key signer callback, token masking, source map removal | copilot/fix-private-key-exposure | 2026-03-15 |
| #26 | Enforce HTTPS for baseUrl, stop forwarding auth token | copilot/sec-15-fix-unrestricted-baseurl | 2026-03-15 |
| #21 | Centralize request routing, enforce feature parity in CI | copilot/centralize-request-routing | 2026-03-01 |
| #20 | Streaming file upload support and AsyncCapture client | copilot/add-streaming-file-upload-support | 2026-03-01 |
| #19 | Fix SSRF, file size DoS, PermissionError shadowing | copilot/fix-ssrf-risk-in-sdks | 2026-03-01 |
| #18 | Path traversal via unsanitized nid | copilot/fix-path-traversal-issue | 2026-03-01 |
| #13 | Remove token leakage to third-party NFT endpoint | copilot/fix-token-leakage-risk | 2026-02-27 |
| #12 | Expand unit test coverage | copilot/expand-unit-test-coverage | 2026-02-27 |
Proposed Action
- Approve CI workflows for these branches so checks can run
- Prioritize the security PRs, which address token leakage, path traversal, SSRF, and private key exposure:
  - #26: Security: enforce HTTPS for baseUrl and stop forwarding auth token to third-party endpoints
  - #27: security: private key signer callback, token masking, source map removal, metadata limits, exception logging, URL scheme validation
  - #18: fix(security): path traversal via unsanitized nid + integrity proof serialization mismatch
  - #19: security: fix SSRF, file size DoS, PermissionError shadowing, and CI/CD supply chain gaps
  - #13: fix(security): remove token leakage to third-party NFT endpoint and enforce response size limits
- Review or close the feature PRs based on the current roadmap:
  - #20: Add streaming file upload support and AsyncCapture client
  - #21: Centralize request routing, enforce feature parity in CI, add request cancellation
  - #28: Fix cross-SDK JSON serialization mismatch, httpx resource leak, and missing network error handling
  - #29: CI hardening, type safety improvements, and DX gaps (11 fixes)
  - #12: feat(tests): Expand unit test coverage for core SDK operations
- Clean up stale branches for any PRs that are closed without merging
Rationale
Leaving security-related PRs unreviewed increases risk. The action_required CI state means none of these PRs have been validated. A focused triage session would bring the repo to a healthier state.
Generated by NREM Mode with Omni