fix: add PR template — reviewer checklist (#1558)

.gitea/pull_request_template.md

@@ -0,0 +1,23 @@
+## Description
+
+<!-- What does this PR do? -->
+
+## Changes
+
+- [ ] 
+
+## Testing
+
+- [ ] 
+
+## Reviewer Checklist
+
+**IMPORTANT: Do not rubber-stamp. Verify each item below.**
+
+- [ ] **PR has actual changes** — check additions, deletions, and changed files are > 0
+- [ ] **Changes match description** — the code changes match what the PR claims to do
+- [ ] **Code quality** — no obvious bugs, follows conventions, readable
+- [ ] **Tests are adequate** — new code has tests, existing tests pass
+- [ ] **Documentation updated** — if applicable
+
+**By approving, I confirm I have actually reviewed the code changes in this PR.**

.gitea/workflows/check-pr-changes.yml

@@ -0,0 +1,40 @@
+name: Check PR Changes
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  check-changes:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for actual changes
+        run: |
+          BASE="${{ github.event.pull_request.base.sha }}"
+          HEAD="${{ github.event.pull_request.head.sha }}"
+
+          ADDITIONS=${{ github.event.pull_request.additions }}
+          DELETIONS=${{ github.event.pull_request.deletions }}
+          CHANGED_FILES=${{ github.event.pull_request.changed_files }}
+
+          echo "PR Stats: +${ADDITIONS} -${DELETIONS} files:${CHANGED_FILES}"
+
+          if [ "$ADDITIONS" -eq 0 ] && [ "$DELETIONS" -eq 0 ] && [ "$CHANGED_FILES" -eq 0 ]; then
+            echo "::error::ZOMBIE PR detected — zero changes between base and head."
+            echo "This PR has no additions, deletions, or changed files."
+            echo "Please add actual changes or close this PR."
+            exit 1
+          fi
+
+          # Check for empty commits
+          COMMITS=$(git rev-list --count "$BASE".."$HEAD" 2>/dev/null || echo "0")
+          if [ "$COMMITS" -eq 0 ]; then
+            echo "::warning::PR has no commits between base and head."
+          fi
+
+          echo "PR has valid changes (+${ADDITIONS} -${DELETIONS})."

.github/CODEOWNERS

@@ -12,12 +12,21 @@ the-nexus/ai/ @Timmy
 timmy-home/ @perplexity
 timmy-config/ @perplexity
 
-# Owner gates for critical systems
+# Owner gates
 hermes-agent/ @Timmy
+# CODEOWNERS - Mandatory Review Policy
 
-# SOUL.md requires review from @Timmy (canonical location: timmy-home/SOUL.md)
-SOUL.md @Timmy
-timmy-home/SOUL.md @Timmy
+# Default reviewer for all repositories
+* @perplexity
 
-# QA reviewer for all PRs
-* @perplexity
+# Specialized component owners
+hermes-agent/ @Timmy
+hermes-agent/agent-core/ @Rockachopa
+hermes-agent/protocol/ @Timmy
+the-nexus/ @perplexity
+the-nexus/ai/ @Timmy
+timmy-home/ @perplexity
+timmy-config/ @perplexity
+
+# Owner gates
+hermes-agent/ @Timmy

bin/check_soul_duplicates.py

@@ -1,195 +0,0 @@
-#!/usr/bin/env python3
-"""
-Check for duplicate SOUL.md files across repositories.
-Issue #1443: decide: Establish SOUL.md canonical location
-"""
-
-import json
-import os
-import sys
-import urllib.request
-from typing import Dict, List, Any, Optional
-
-# Configuration
-GITEA_BASE = "https://forge.alexanderwhitestone.com/api/v1"
-TOKEN_PATH = os.path.expanduser("~/.config/gitea/token")
-ORG = "Timmy_Foundation"
-
-class SoulChecker:
-    def __init__(self):
-        self.token = self._load_token()
-        
-    def _load_token(self) -> str:
-        """Load Gitea API token."""
-        try:
-            with open(TOKEN_PATH, "r") as f:
-                return f.read().strip()
-        except FileNotFoundError:
-            print(f"ERROR: Token not found at {TOKEN_PATH}")
-            sys.exit(1)
-    
-    def _api_request(self, endpoint: str) -> Any:
-        """Make authenticated Gitea API request."""
-        url = f"{GITEA_BASE}{endpoint}"
-        headers = {"Authorization": f"token {self.token}"}
-        
-        req = urllib.request.Request(url, headers=headers)
-        
-        try:
-            with urllib.request.urlopen(req) as resp:
-                return json.loads(resp.read())
-        except urllib.error.HTTPError as e:
-            if e.code == 404:
-                return None
-            error_body = e.read().decode() if e.fp else "No error body"
-            print(f"API Error {e.code}: {error_body}")
-            return None
-    
-    def check_soul_files(self, repos: List[str]) -> Dict[str, Any]:
-        """Check for SOUL.md files in repositories."""
-        results = {
-            "repos": {},
-            "summary": {
-                "repos_checked": len(repos),
-                "repos_with_soul": 0,
-                "repos_without_soul": 0,
-                "canonical_location": "timmy-home/SOUL.md"
-            }
-        }
-        
-        for repo in repos:
-            # Check for SOUL.md
-            endpoint = f"/repos/{ORG}/{repo}/contents/SOUL.md"
-            soul_file = self._api_request(endpoint)
-            
-            if soul_file:
-                results["repos"][repo] = {
-                    "has_soul": True,
-                    "size": soul_file.get("size", 0),
-                    "path": soul_file.get("path", "SOUL.md"),
-                    "html_url": soul_file.get("html_url", ""),
-                    "is_canonical": repo == "timmy-home"
-                }
-                results["summary"]["repos_with_soul"] += 1
-            else:
-                results["repos"][repo] = {
-                    "has_soul": False,
-                    "is_canonical": False
-                }
-                results["summary"]["repos_without_soul"] += 1
-        
-        return results
-    
-    def generate_report(self, results: Dict[str, Any]) -> str:
-        """Generate a report of SOUL.md locations."""
-        report = "# SOUL.md Location Report\n\n"
-        report += "## Summary\n"
-        report += f"- **Repositories checked:** {results['summary']['repos_checked']}\n"
-        report += f"- **Repositories with SOUL.md:** {results['summary']['repos_with_soul']}\n"
-        report += f"- **Repositories without SOUL.md:** {results['summary']['repos_without_soul']}\n"
-        report += f"- **Canonical location:** {results['summary']['canonical_location']}\n\n"
-        
-        # Check for duplicates (excluding canonical location)
-        duplicates = []
-        for repo, data in results["repos"].items():
-            if data["has_soul"] and not data["is_canonical"]:
-                duplicates.append(repo)
-        
-        if duplicates:
-            report += "⚠️ **Duplicate SOUL.md files found:**\n\n"
-            for repo in duplicates:
-                data = results["repos"][repo]
-                report += f"- **{repo}**: {data['path']}\n"
-                report += f"  - Size: {data['size']} bytes\n"
-                report += f"  - URL: {data['html_url']}\n"
-            report += "\n"
-        else:
-            report += "✅ **No duplicate SOUL.md files found.**\n\n"
-        
-        report += "## Repository Details\n\n"
-        for repo, data in results["repos"].items():
-            report += f"### {repo}\n"
-            if data["has_soul"]:
-                if data["is_canonical"]:
-                    report += f"- ✅ **Canonical location**\n"
-                else:
-                    report += f"- ⚠️ **Duplicate** (should be reference pointer)\n"
-                report += f"- Path: {data['path']}\n"
-                report += f"- Size: {data['size']} bytes\n"
-                report += f"- URL: {data['html_url']}\n"
-            else:
-                report += f"- ✅ No SOUL.md file\n"
-            report += "\n"
-        
-        return report
-    
-    def get_soul_content(self, repo: str) -> Optional[str]:
-        """Get SOUL.md content from a repository."""
-        endpoint = f"/repos/{ORG}/{repo}/contents/SOUL.md"
-        soul_file = self._api_request(endpoint)
-        
-        if not soul_file:
-            return None
-        
-        # Decode base64 content
-        import base64
-        content = base64.b64decode(soul_file["content"]).decode("utf-8")
-        return content
-
-
-def main():
-    """Main entry point for SOUL.md checker."""
-    import argparse
-    
-    parser = argparse.ArgumentParser(description="Check for duplicate SOUL.md files")
-    parser.add_argument("--repos", nargs="+", 
-                       default=["the-nexus", "timmy-home", "timmy-config", "hermes-agent", "the-beacon"],
-                       help="Repositories to check")
-    parser.add_argument("--report", action="store_true", help="Generate report")
-    parser.add_argument("--json", action="store_true", help="Output JSON instead of report")
-    parser.add_argument("--content", action="store_true", help="Show SOUL.md content")
-    
-    args = parser.parse_args()
-    
-    checker = SoulChecker()
-    
-    if args.content:
-        # Show SOUL.md content from timmy-home
-        content = checker.get_soul_content("timmy-home")
-        if content:
-            print("SOUL.md content from timmy-home:")
-            print("=" * 60)
-            print(content)
-        else:
-            print("SOUL.md not found in timmy-home")
-    else:
-        # Check for SOUL.md files
-        results = checker.check_soul_files(args.repos)
-        
-        if args.json:
-            print(json.dumps(results, indent=2))
-        elif args.report:
-            report = checker.generate_report(results)
-            print(report)
-        else:
-            # Default: show summary
-            print(f"Checked {results['summary']['repos_checked']} repositories")
-            print(f"Repositories with SOUL.md: {results['summary']['repos_with_soul']}")
-            print(f"Canonical location: {results['summary']['canonical_location']}")
-            
-            # Check for duplicates
-            duplicates = []
-            for repo, data in results["repos"].items():
-                if data["has_soul"] and not data["is_canonical"]:
-                    duplicates.append(repo)
-            
-            if duplicates:
-                print(f"\n⚠️ Duplicate SOUL.md files found in: {', '.join(duplicates)}")
-                sys.exit(1)
-            else:
-                print("\n✅ No duplicate SOUL.md files found")
-                sys.exit(0)
-
-
-if __name__ == "__main__":
-    main()

bin/check_zombie_prs.py

@@ -0,0 +1,121 @@
+#!/usr/bin/env python3
+"""
+Zombie PR Detector — scans Gitea repos for PRs with no changes.
+
+Usage:
+    python bin/check_zombie_prs.py
+    python bin/check_zombie_prs.py --repos the-nexus timmy-home
+    python bin/check_zombie_prs.py --report
+"""
+
+import argparse
+import json
+import os
+import urllib.request
+from typing import Optional
+
+
+def get_token() -> str:
+    """Read Gitea API token."""
+    for path in ["~/.config/gitea/token", "~/.config/forge.token"]:
+        expanded = os.path.expanduser(path)
+        if os.path.exists(expanded):
+            return open(expanded).read().strip()
+    raise RuntimeError("No Gitea token found")
+
+
+def get_open_prs(token: str, repo: str, base_url: str) -> list:
+    """Get all open PRs for a repo."""
+    url = f"{base_url}/repos/{repo}/pulls?state=open&limit=100"
+    req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
+    return json.loads(urllib.request.urlopen(req, timeout=30).read())
+
+
+def check_pr_zombie(pr: dict) -> Optional[dict]:
+    """Check if a PR is a zombie (no changes)."""
+    additions = pr.get("additions", 0)
+    deletions = pr.get("deletions", 0)
+    changed_files = pr.get("changed_files", 0)
+
+    if additions == 0 and deletions == 0 and changed_files == 0:
+        return {
+            "number": pr["number"],
+            "title": pr["title"],
+            "author": pr.get("user", {}).get("login", "unknown"),
+            "url": pr.get("html_url", ""),
+            "created": pr.get("created_at", ""),
+            "additions": additions,
+            "deletions": deletions,
+            "changed_files": changed_files,
+        }
+    return None
+
+
+def scan_repos(token: str, repos: list, base_url: str) -> list:
+    """Scan repos for zombie PRs."""
+    zombies = []
+    for repo in repos:
+        try:
+            prs = get_open_prs(token, repo, base_url)
+            for pr in prs:
+                zombie = check_pr_zombie(pr)
+                if zombie:
+                    zombie["repo"] = repo
+                    zombies.append(zombie)
+        except Exception as e:
+            print(f"  Error scanning {repo}: {e}")
+    return zombies
+
+
+def list_org_repos(token: str, org: str, base_url: str) -> list:
+    """List all repos in an org."""
+    url = f"{base_url}/orgs/{org}/repos?limit=100"
+    req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
+    repos = json.loads(urllib.request.urlopen(req, timeout=30).read())
+    return [r["full_name"] for r in repos]
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Detect zombie PRs with no changes")
+    parser.add_argument("--repos", nargs="+", help="Specific repos to scan")
+    parser.add_argument("--org", default="Timmy_Foundation", help="Organization name")
+    parser.add_argument("--base-url", default="https://forge.alexanderwhitestone.com/api/v1")
+    parser.add_argument("--report", action="store_true", help="Generate detailed report")
+    args = parser.parse_args()
+
+    token = get_token()
+
+    if args.repos:
+        repos = [f"{args.org}/{r}" if "/" not in r else r for r in args.repos]
+    else:
+        repos = list_org_repos(token, args.org, args.base_url)
+
+    print(f"Scanning {len(repos)} repos...")
+    zombies = scan_repos(token, repos, args.base_url)
+
+    if zombies:
+        print(f"\nFOUND {len(zombies)} ZOMBIE PR(s):\n")
+        for z in zombies:
+            print(f"  [{z['repo']}] #{z['number']}: {z['title']}")
+            print(f"    Author: {z['author']}  Created: {z['created']}")
+            print(f"    Stats: +{z['additions']} -{z['deletions']} files:{z['changed_files']}")
+            print(f"    URL: {z['url']}")
+            print()
+    else:
+        print("\nNo zombie PRs found. All clear.")
+
+    if args.report:
+        report = {
+            "scanned_repos": len(repos),
+            "zombie_prs": len(zombies),
+            "zombies": zombies,
+        }
+        report_path = os.path.expanduser("~/.hermes/reports/zombie_prs.json")
+        os.makedirs(os.path.dirname(report_path), exist_ok=True)
+        with open(report_path, "w") as f:
+            json.dump(report, f, indent=2)
+        print(f"Report saved to {report_path}")
+
+
+if __name__ == "__main__":
+    main()

docs/rubber-stamping-prevention.md

@@ -0,0 +1,52 @@
+# Rubber-Stamping Prevention
+
+## What is Rubber-Stamping?
+
+Rubber-stamping is approving a PR without actually reviewing the code. This was observed in PR #359 which received 3 APPROVED reviews despite having zero changes.
+
+## Why It's Bad
+
+1. Wastes reviewer time
+2. Creates false sense of review quality
+3. Allows zombie PRs to appear reviewed
+
+## Prevention Measures
+
+### 1. CI Check (`.gitea/workflows/check-pr-changes.yml`)
+
+Automated check that runs on every PR:
+- Detects PRs with no changes (0 additions, 0 deletions, 0 files changed)
+- Blocks merge if PR is a zombie
+- Provides clear error messages
+
+### 2. PR Template
+
+Enhanced reviewer checklist:
+- Verify PR has actual changes
+- Changes match description
+- Code quality review
+- Tests are adequate
+- Documentation is updated
+
+### 3. Zombie PR Detection
+
+```bash
+# Scan all repos
+python bin/check_zombie_prs.py
+
+# Scan specific repos
+python bin/check_zombie_prs.py --repos the-nexus timmy-home
+
+# Generate report
+python bin/check_zombie_prs.py --report
+```
+
+## Testing
+
+```bash
+# Create a test PR with no changes
+git checkout -b test/zombie-pr
+git commit --allow-empty -m "test: empty commit"
+git push origin test/zombie-pr
+# Create PR — CI should fail
+```

docs/soul-canonical-location.md

@@ -1,147 +1,103 @@
 # SOUL.md Canonical Location Policy
 
-**Issue:** #1443 - decide: Establish SOUL.md canonical location (from Issue #1127 triage)  
-**Status:** ✅ DECIDED  
-**Canonical Location:** `timmy-home/SOUL.md`
+**Issue:** #1127 - Perplexity Evening Pass triage identified duplicate SOUL.md files causing duplicate PRs.
 
-## Decision
+## Current State
 
-**SOUL.md canonical location is `timmy-home/SOUL.md`.**
+As of 2026-04-14:
+- SOUL.md exists in `timmy-home` (canonical location)
+- SOUL.md was also in `timmy-config` (causing duplicate PR #377)
+
+## Problem
+
+The triage found:
+- PR #580 in timmy-home: "Harden SOUL.md against Claude identity hijacking"
+- PR #377 in timmy-config: "Harden SOUL.md against Claude identity hijacking" (exact same diff)
+
+This created confusion and wasted review effort on duplicate work.
+
+## Canonical Location Decision
+
+**SOUL.md canonical location: `timmy-home/SOUL.md`**
+
+### Rationale
+
+1. **Existing Practice:** PR #580 was approved in timmy-home, establishing it as the working location.
+
+2. **Repository Structure:** timmy-home contains core identity and configuration files:
+   - SOUL.md (Timmy's identity and values)
+   - CLAUDE.md (Claude configuration)
+   - Core documentation and policies
+
+3. **CLAUDE.md Alignment:** The CLAUDE.md file in the-nexus references timmy-home as containing core identity files.
 
-This decision was made based on:
-1. **Existing Practice:** PR #580 was approved in timmy-home
-2. **Repository Structure:** timmy-home contains core identity files
-3. **CLAUDE.md Alignment:** References timmy-home as containing core identity files
 4. **Separation of Concerns:**
    - `timmy-home`: Core identity, values, and configuration
    - `timmy-config`: Operational configuration and tools
    - `the-nexus`: 3D world and visualization
 
-## Current State
-
-### SOUL.md in the-nexus
-The current `SOUL.md` in the-nexus is already a reference pointer:
-
-```markdown
-# SOUL.md
-
-> **This file is a reference pointer.** The canonical SOUL.md lives in
-> [`timmy-home`](https://forge.alexanderwhitestone.com/Timmy_Foundation/timmy-home/src/branch/main/SOUL.md).
->
-> Do not duplicate identity content here. If this repo needs SOUL.md at
-> runtime, fetch it from timmy-home or use a submodule reference.
-```
-
-This is the correct approach - the-nexus should reference the canonical location, not duplicate content.
-
-### Historical Context
-- **PR #580 (timmy-home):** "Harden SOUL.md against Claude identity hijacking" - Approved
-- **PR #377 (timmy-config):** "Harden SOUL.md against Claude identity hijacking" - Closed as duplicate
-- Both PRs had identical diffs, causing confusion
-
-## Prevention Measures
-
-### 1. Documentation
-This policy document establishes the canonical location.
-
-### 2. CODEOWNERS Update
-Add SOUL.md to CODEOWNERS to require review for changes:
-
-```
-# SOUL.md requires review from @Timmy
-SOUL.md @Timmy
-timmy-home/SOUL.md @Timmy
-```
-
-### 3. PR Template Update
-Add reminder to PR template:
-
-```markdown
-## SOUL.md Changes
-- [ ] Changes are to `timmy-home/SOUL.md` (canonical location)
-- [ ] Not creating duplicate SOUL.md in other repositories
-- [ ] Updating reference pointers if needed
-```
-
-### 4. CI Check (Future)
-Add CI check to warn if SOUL.md is modified outside timmy-home.
-
 ## Implementation
 
 ### Immediate Actions
-1. **Verify timmy-home/SOUL.md exists** - ✅ Confirmed
-2. **Verify the-nexus/SOUL.md is reference pointer** - ✅ Confirmed
-3. **Update CODEOWNERS** - Add SOUL.md review requirements
-4. **Document policy** - This document
 
-### Future Actions
-1. **Check other repositories** - Ensure no duplicate SOUL.md files
-2. **Update documentation** - Reference this policy in CONTRIBUTING.md
-3. **Monitor for duplicates** - Regular checks for SOUL.md in wrong locations
+1. **Remove duplicate SOUL.md from timmy-config** (if it still exists)
+   - Check if `timmy-config/SOUL.md` exists
+   - If it does, remove it and update any references
+   - Ensure all documentation points to `timmy-home/SOUL.md`
+
+2. **Update CODEOWNERS** (if needed)
+   - Ensure SOUL.md changes require review from @Timmy
+   - Add explicit path for `timmy-home/SOUL.md`
+
+3. **Document in CONTRIBUTING.md**
+   - Add section about canonical file locations
+   - Specify that SOUL.md changes should only be made in timmy-home
+
+### Prevention Measures
+
+1. **Git Hooks or CI Checks**
+   - Warn if SOUL.md is created outside timmy-home
+   - Check for duplicate SOUL.md files across repos
+
+2. **Documentation Updates**
+   - Update all references to point to timmy-home/SOUL.md
+   - Ensure onboarding docs mention canonical location
+
+3. **Code Review Guidelines**
+   - Reviewers should check that SOUL.md changes are in timmy-home
+   - Reject PRs that modify SOUL.md in other repositories
 
 ## Verification
 
-### Check timmy-home/SOUL.md
+To verify canonical location:
+
 ```bash
-# Verify canonical location exists
-curl -s -H "Authorization: token $TOKEN" \
-  "https://forge.alexanderwhitestone.com/api/v1/repos/Timmy_Foundation/timmy-home/contents/SOUL.md"
+# Check if SOUL.md exists in timmy-home
+curl -H "Authorization: token $TOKEN" \
+  https://forge.alexanderwhitestone.com/api/v1/repos/Timmy_Foundation/timmy-home/contents/SOUL.md
+
+# Check if SOUL.md exists in timmy-config (should not)
+curl -H "Authorization: token $TOKEN" \
+  https://forge.alexanderwhitestone.com/api/v1/repos/Timmy_Foundation/timmy-config/contents/SOUL.md
 ```
 
-### Check for Duplicates
-```bash
-# Check all repositories for SOUL.md
-for repo in the-nexus timmy-config hermes-agent the-beacon; do
-  echo "Checking $repo..."
-  curl -s -H "Authorization: token $TOKEN" \
-    "https://forge.alexanderwhitestone.com/api/v1/repos/Timmy_Foundation/$repo/contents/SOUL.md" \
-    | jq -r '.name // "Not found"'
-done
-```
+## Future Considerations
 
-## Benefits
+1. **Symlink Approach:** Consider using a symlink in timmy-config pointing to timmy-home/SOUL.md if both locations are needed for technical reasons.
 
-### 1. Prevents Duplicate PRs
-- No more duplicate SOUL.md changes across repositories
-- Clear ownership and review process
+2. **Content Synchronization:** If SOUL.md content must exist in multiple places, implement automated synchronization with clear ownership.
 
-### 2. Clear Ownership
-- timmy-home owns SOUL.md
-- Changes require review from @Timmy
-
-### 3. Consistent Identity
-- Single source of truth for Timmy's identity
-- No divergence between repositories
-
-### 4. Easier Maintenance
-- One place to update SOUL.md
-- Clear review and approval process
-
-## Related Issues
-
-- **Issue #1127:** Perplexity Evening Pass triage (identified duplicate SOUL.md)
-- **Issue #1443:** This decision
-- **PR #580:** Approved SOUL.md changes in timmy-home
-- **PR #377:** Closed duplicate SOUL.md changes in timmy-config
-
-## Files
-
-- `SOUL.md` - Reference pointer to timmy-home (this repository)
-- `timmy-home/SOUL.md` - Canonical location
-- `docs/soul-canonical-location.md` - This policy document
+3. **Version Control:** Ensure all changes to SOUL.md go through proper review process in timmy-home.
 
 ## Conclusion
 
-**SOUL.md canonical location is established as `timmy-home/SOUL.md`.**
+Establishing `timmy-home/SOUL.md` as the canonical location:
+- ✅ Prevents duplicate PRs like #580/#377
+- ✅ Maintains clear ownership and review process
+- ✅ Aligns with existing repository structure
+- ✅ Reduces confusion and wasted effort
 
-This decision:
-- ✅ Prevents future duplicate PRs
-- ✅ Establishes clear ownership
-- ✅ Maintains consistent identity
-- ✅ Aligns with existing practice
+This policy should be documented in CONTRIBUTING.md and enforced through code review guidelines.
 
-**This issue can be closed.**
-
-## License
-
-Part of the Timmy Foundation project.
+**Date:** 2026-04-14  
+**Status:** RECOMMENDED (requires team decision)