feat(mcp): expose repo label-policy audit via gittensory_get_label_audit #1461

Open: oktofeesh1 wants to merge 2 commits into JSONbored:main from oktofeesh1:feat/label-audit-mcp

@oktofeesh1

Contributor

Summary

The deterministic label audit (buildLabelAudit, src/signals/engine.ts) reports whether a repo's configured (.gittensory.yml / dashboard) label set matches the live GitHub labels and is trustworthy for label-multiplier scoring — surfacing missing configured labels, suspicious status/source-style labels, and the overall trusted-label-pipeline readiness. It already powers the repo-intelligence response but had no MCP surface, so agents/CLI couldn't pull it (it is also absent from gittensory_get_repo_context, which exposes a different subset).

This adds gittensory_get_label_audit (maintainer-authenticated via the existing requireRepoAccess, advisory only), mirroring the merged gittensory_get_maintainer_noise (#1414) and gittensory_get_outcome_calibration (#1174): a thin load-or-compute service (src/services/label-audit.ts) that loads the repo's labels + cached signals and runs the existing builder, plus the MCP tool registration + output schema + method. Output flows through the existing redactSensitiveForMcp wrapper.

No linked issue: small, self-evident additive MCP surface over a live builder — same shape and scope as the merged maintainer-noise / outcome-calibration tools. No new REST route, no migration, no auth-policy change.

Scope

  • The PR title follows type(scope): short summary Conventional Commit format.
  • This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • I linked an issue, or this is small enough that the summary explains why an issue is not needed.

Validation

  • git diff --check
  • npm run actionlint
  • npm run typecheck
  • npm run test:coverage; codecov/patch: every changed line and branch in src/services/label-audit.ts and the new src/mcp/server.ts lines is covered (verified via lcov, incl. both sides of the pipeline-readiness summary ternary).
  • npm run test:workers
  • npm run build:mcp
  • npm run test:mcp-pack
  • npm run ui:openapi:check
  • npm run ui:lint
  • npm run ui:typecheck
  • npm run ui:build
  • npm audit --audit-level=moderate (0 vulnerabilities)
  • New behavior has unit + integration tests: service unit test (test/unit/label-audit.test.ts, incl. both readiness summary branches + sanitizer boundary), the MCP call-test in test/unit/mcp-output-schemas.test.ts, and the tool-list assertion in test/integration/api.test.ts.

Safety

  • No secrets, wallets, hotkeys, raw trust scores, private rankings, or private maintainer evidence are exposed — the report is the same public-safe audit already served in the repo-intelligence response, routed through redactSensitiveForMcp; a test asserts no wallet/hotkey/payout/reward terms leak.
  • Public text stays sanitized and low-noise; no compensation/optimization implications.
  • No auth/cookie/CORS/session changes — the tool reuses the existing requireRepoAccess maintainer guard (no new auth surface).
  • MCP behavior is updated and tested (new tool + output schema + call-test).
  • No UI changes.
  • No docs/changelog changes needed.

Notes

Third tool in the maintainer-side MCP series after the merged gittensory_get_maintainer_noise (#1414) and the in-review gittensory_get_maintainer_lane (#1456); identical blessed pattern (service + tool + output schema + tests). MCP-tool-only — does not touch the deliberately-consolidated /v1/contributors/:login/* surface.

🤖 Generated with Claude Code
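
The safety check the description mentions (a test asserting that no wallet/hotkey/payout/reward terms leak) can be sketched as a recursive scan over a tool's output, covering both keys and string values. This is an added example, not code from the PR or from gittensory; `findSensitiveLeaks`, the term list and the sample report shape are assumptions.

```typescript
// Added example, not gittensory code. Term list and report shape are assumptions.
const SENSITIVE_TERMS = ["wallet", "hotkey", "payout", "reward"];

type Json = string | number | boolean | null | Json[] | JsonObject;
type JsonObject = { [key: string]: Json };

interface Leak {
  path: string; // where in the payload the term was found
  term: string; // which sensitive term matched
  where: "key" | "value";
}

// Walk every key and string value of a tool result and report sensitive terms.
function findSensitiveLeaks(node: Json, path: string = "$"): Leak[] {
  const leaks: Leak[] = [];
  const check = (text: string, at: string, where: "key" | "value"): void => {
    const lower = text.toLowerCase(); // case-insensitive, so "minerHotkey" matches
    for (const term of SENSITIVE_TERMS) {
      if (lower.includes(term)) leaks.push({ path: at, term, where });
    }
  };
  if (typeof node === "string") {
    check(node, path, "value");
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => {
      leaks.push(...findSensitiveLeaks(item, `${path}[${i}]`));
    });
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      check(key, `${path}.${key}`, "key"); // field names can leak too
      leaks.push(...findSensitiveLeaks(value, `${path}.${key}`));
    }
  }
  return leaks;
}

// Constructed sample, shaped loosely like a label-audit report.
const cleanReport: JsonObject = {
  repoFullName: "example-org/example-repo",
  observedLabels: [{ name: "bug" }, { name: "status:needs-review" }],
  findings: [{ code: "missing_configured_label", label: "feature" }],
  summary: "Label pipeline is not ready: 1 configured label is missing.",
};
// Constructed regression: fields that should have been redacted upstream.
const leakyReport: JsonObject = {
  ...cleanReport,
  debug: { minerHotkey: "PLACEHOLDER", note: "payout pending" },
};
console.log(findSensitiveLeaks(leakyReport));
```

Substring matching is deliberately broad, so a legitimate label name containing one of the terms would also be flagged and would need an explicit allowlist.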

@oktofeesh1 oktofeesh1 requested a review from JSONbored as a code owner June 26, 2026 10:38
@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Jun 26, 2026
@superagent-security

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jun 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.37%. Comparing base (b5d575e) to head (ecbf205).
⚠️ Report is 6 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1461   +/-   ##
=======================================
  Coverage   95.37%   95.37%           
=======================================
  Files         199      200    +1     
  Lines       21546    21556   +10     
  Branches     7791     7792    +1     
=======================================
+ Hits        20550    20560   +10     
  Misses        416      416           
  Partials      580      580           
Files with missing lines Coverage Δ
src/mcp/server.ts 95.66% <100.00%> (+0.04%) ⬆️
src/services/label-audit.ts 100.00% <100.00%> (ø)

The deterministic label audit (`buildLabelAudit`, src/signals/engine.ts) reports
whether a repo's configured (.gittensory.yml / dashboard) label set matches the
live GitHub labels and is trustworthy for label-multiplier scoring — surfacing
missing configured labels, suspicious status/source-style labels, and the overall
trusted-label-pipeline readiness. It already powers the repo-intelligence response
but had no MCP surface, so agents/CLI couldn't pull it (it is also absent from
gittensory_get_repo_context, which exposes a different subset).

Add `gittensory_get_label_audit` (maintainer-authenticated via the existing
requireRepoAccess, advisory only), mirroring the merged maintainer-noise (JSONbored#1414)
and outcome-calibration (JSONbored#1174) serving: a thin load-or-compute service
(src/services/label-audit.ts) that loads the repo's labels + cached signals and
runs the existing builder, plus the MCP tool registration + output schema +
method. Output flows through the existing redactSensitiveForMcp wrapper.

No new REST route, no migration, no auth-policy change — purely additive to the
MCP surface.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@oktofeesh1 oktofeesh1 force-pushed the feat/label-audit-mcp branch from 4a72571 to 75cf7ef Compare June 26, 2026 21:24
@gittensory-orb

gittensory-orb Bot commented Jun 27, 2026

Caution

🛑 Gittensory review — blocked

5 files · 1 AI reviewers · no blockers · readiness 55/100 · CI failing · blocked

🛑 Blocked

Review summary
Adds `gittensory_get_label_audit`, a thin MCP tool that wires the existing `buildLabelAudit` builder to the MCP surface, mirroring the `maintainer-noise` and `outcome-calibration` precedent exactly. Tool registration, output schema, service layer, and test coverage all follow the established pattern correctly. The `requireRepoAccess` guard is correctly placed before `loadLabelAudit` in `getLabelAudit`, so the current MCP call path is protected.

Nits (5)

  • The 7-line block comment in `src/services/label-audit.ts` (lines 3–7) violates the project's no-multi-line-comment convention; condense to a single descriptive line.
  • `loadLabelAudit` passes the result of `getRepository` directly to `buildLabelAudit` without a null guard — safe via the MCP path (protected by `requireRepoAccess`) but will produce a cryptic error if any future caller invokes the exported function without a prior existence check.
  • `observedLabels` and `findings` in `labelAuditOutputSchema` (server.ts ~line 619) are typed as `z.array(z.unknown())` — if the corresponding fields on `LabelAudit` have stable element types, narrowing these would improve schema-level validation.
  • Trim the opening comment in `src/services/label-audit.ts` to one line to match project conventions and likely address the lint failure.
  • Add a null/undefined guard for `repo` in `loadLabelAudit` (or document the precondition) so a missing-repo error surfaces as a clear message rather than a runtime throw inside `buildLabelAudit`.

CI checks failing

  • validate
  • lint

| Signal | Result | Evidence |
| --- | --- | --- |
| Code review | ✅ No blockers | 1 reviewers, synthesized |
| Linked issue | ✅ No-issue rationale | PR body explains why no issue is linked. |
| Related work | ⚠️ 3 scoped overlaps | Top overlaps are listed below; lower-confidence bulk is hidden. |
| Review load | ❌ 8/20 | Readiness component derived from cached public PR metadata and labels; size label size:M. |
| Validation evidence | ❌ 5/25 | Cached preflight status is hold. |
| Open PR queue | ❌ 3/10 | 20 open PR(s), 9 likely reviewable, 11 unlinked. |
| Contributor context | ✅ Confirmed | Gittensor contributor oktofeesh1; Gittensor profile; 992 PR(s), 5 issue(s). |
| Gate result | ✅ Passing | No configured blocker found. |

Nits — 2 non-blocking

  • Repository config was not parsed
  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.

Review context

  • Author: oktofeesh1
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 992 PR(s), 5 issue(s).
  • Related work: Titles/paths share 9 meaningful terms. (PR #1456)
  • Related work: Titles/paths share 5 meaningful terms. (PR #1448)
  • Related work: Items reference the same linked issue MCP CLI: add PowerShell shell completion #1452. (issue #1452, PR #1448)
  • Additional title-only matches omitted; title-only overlap does not block.

Contributor next steps

  • Review top overlaps.
  • Add scope summary.
  • Fix blocker.
  • Expect slower review.
  • Refresh registry data or choose a registered active repo.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
  • Check active issues and PRs before submitting.

Signal definitions

  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
  • Open PR queue = repo-wide review pressure; it is not a PR quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

Review details

Generated from public PR metadata and the diff. Advisory only; deterministic signals remain authoritative.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

@gittensory-orb gittensory-orb Bot added gittensor Gittensor contributor context gittensor:feature Gittensor-scored feature linked to a feature issue - worth 1.25x multiplier. labels Jun 27, 2026
Labels

gittensor:feature Gittensor-scored feature linked to a feature issue - worth 1.25x multiplier. gittensor Gittensor contributor context size:M This PR changes 30-99 lines, ignoring generated files.
