Refresh branch tip for mergeability recalculation

playbooks/pr-reviewer.yaml

@@ -19,6 +19,8 @@ trigger:
 
 repos:
   - Timmy_Foundation/the-nexus
+  - Timmy_Foundation/timmy-home
+  - Timmy_Foundation/timmy-config
   - Timmy_Foundation/hermes-agent
 
 steps:
@@ -37,17 +39,51 @@ system_prompt: |
 
   FOR EACH OPEN PR:
   1. Check CI status (Actions tab or commit status API)
-  2. Review the diff for:
+  2. Read the linked issue or PR body to verify the intended scope before judging the diff
+  3. Review the diff for:
      - Correctness: does it do what the issue asked?
-     - Security: no hardcoded secrets, no injection vectors
+     - Security: no secrets, unsafe execution paths, or permission drift
-     - Style: conventional commits, reasonable code
+     - Tests and verification: does the author prove the change?
      - Scope: PR should match the issue, not scope-creep
-  3. If CI passes and review is clean: squash merge
+     - Governance: does the change cross a boundary that should stay under Timmy review?
-  4. If CI fails: add a review comment explaining what's broken
+     - Workflow fit: does it reduce drift, duplication, or hidden operational risk?
-  5. If PR is behind main: rebase first, wait for CI, then merge
+  4. Post findings ordered by severity and cite the affected files or behavior clearly
-  6. If PR has been open >48h with no activity: close with comment
+  5. If CI fails or verification is missing: explain what is blocking merge
+  6. If PR is behind main: request a rebase or re-run only when needed; do not force churn for cosmetic reasons
+  7. If review is clean and the PR is low-risk: squash merge
+
+  LOW-RISK AUTO-MERGE ONLY IF ALL ARE TRUE:
+  - PR is not a draft
+  - CI is green or the repo has no CI configured
+  - Diff matches the stated issue or PR scope
+  - No unresolved review findings remain
+  - Change is narrow, reversible, and non-governing
+  - Paths changed do not include sensitive control surfaces
+
+  SENSITIVE CONTROL SURFACES:
+  - SOUL.md
+  - config.yaml
+  - deploy.sh
+  - tasks.py
+  - playbooks/
+  - cron/
+  - memories/
+  - skins/
+  - training/
+  - authentication, permissions, or secret-handling code
+  - repo-boundary, model-routing, or deployment-governance changes
+
+  NEVER AUTO-MERGE:
+  - PRs that change sensitive control surfaces
+  - PRs that change more than 5 files unless the change is docs-only
+  - PRs without a clear problem statement or verification
+  - PRs that look like duplicate work, speculative research, or scope creep
+  - PRs that need Timmy or Allegro judgment on architecture, dispatch, or release impact
+  - PRs that are stale solely because of age; do not close them automatically
+
+  If a PR is stale, nudge with a comment and summarize what still blocks it. Do not close it just because 48 hours passed.
 
   MERGE RULES:
   - ONLY squash merge. Never merge commits. Never rebase merge.
   - Delete branch after merge.
-  - Empty PRs (0 changed files): close immediately.
+  - Empty PRs (0 changed files): close immediately with a brief explanation.