
fix(scm-github): filter bot review comments by GraphQL __typename #703

Open
ashutosh-makwana wants to merge 1 commit into ComposioHQ:main from ashutosh-makwana:fix/bot-author-double-dispatch

@ashutosh-makwana

Summary

  • Root cause: getPendingComments() uses GitHub's GraphQL API, which returns bot logins without the [bot] suffix (e.g. "cursor" not "cursor[bot]"). BOT_AUTHORS contains entries with [bot], so the check fails and bot comments leak through as human pending comments.
  • Impact: The lifecycle manager dispatches both changes-requested and bugbot-comments reactions for the same bot review thread — the agent gets duplicate instructions.
  • Fix: Add __typename to the GraphQL author field. Check author.__typename === "Bot" in addition to the existing BOT_AUTHORS name check. This catches all GitHub App bots regardless of login format.

Before → After

| Scenario | Before | After |
| --- | --- | --- |
| Cursor bot leaves unresolved review threads | Leak into getPendingComments as "human" | Filtered out (__typename === "Bot") |
| Human + bot review same PR | getPendingComments returns human + bot | Returns human only |
| Reaction dispatch for bot threads | Dispatched twice (changes-requested + bugbot-comments) | Dispatched once (bugbot-comments only) |
| getAutomatedComments (REST) | Unaffected | No change |

Changes

| File | Change |
| --- | --- |
| packages/plugins/scm-github/src/index.ts | Add __typename to GraphQL author selection; check author.__typename === "Bot" in filter |
| packages/plugins/scm-github/test/index.test.ts | Update existing bot test to use realistic GraphQL data; add tests for __typename-based filtering |

Test plan

  • Bot with __typename: "Bot" and login without [bot] suffix is filtered out
  • Human with __typename: "User" passes through (regression)
  • Non-App bot in BOT_AUTHORS (snyk-bot, __typename: "User") still filtered by name
  • Existing tests updated to use realistic GraphQL login format
  • Verify against live PR with Cursor bot review threads

Closes #702

GitHub's GraphQL API returns bot logins without the [bot] suffix
(e.g., "cursor" instead of "cursor[bot]"), while the REST API includes
it. BOT_AUTHORS contains entries with [bot], so the check in
getPendingComments() fails for bots — their comments leak through as
"human" pending comments. This causes double-dispatch: the lifecycle
manager fires both changes-requested and bugbot-comments reactions for
the same bot review thread.

Add __typename to the GraphQL author field and check for Bot type in
addition to the existing BOT_AUTHORS name check. Update tests to use
realistic GraphQL data (login without [bot] suffix, __typename: "Bot").
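
Added example, not code from this pull request or the ComposioHQ repository: a TypeScript sketch of the filter that the description and commit message above describe, running the name-only check and the `__typename` check over the same comments. `isBotByNameOnly`, `isBotAuthor`, `filterPending`, the `BOT_AUTHORS` entries and the sample comments are assumptions constructed for illustration.

```typescript
// Added illustration; not the code in packages/plugins/scm-github/src/index.ts.
type Author = { login: string; __typename?: string } | null;

interface ReviewComment {
  id: string;
  author: Author;
  body: string;
}

// Constructed entries; the project's real BOT_AUTHORS list is not shown on the page.
const BOT_AUTHORS = new Set<string>(["cursor[bot]", "snyk-bot"]);

// Name-only check, the behaviour the PR describes as the root cause:
// GraphQL returns "cursor", the list holds "cursor[bot]", so the lookup misses.
function isBotByNameOnly(author: Author): boolean {
  return author !== null && BOT_AUTHORS.has(author.login);
}

// Check described in the fix: actor type first, name list as a fallback
// for automation that runs under an ordinary user account.
function isBotAuthor(author: Author): boolean {
  // GraphQL can return a null author (deleted account). Treating it as
  // non-bot is an assumption of this sketch, not something the PR states.
  if (author === null) return false;
  return author.__typename === "Bot" || BOT_AUTHORS.has(author.login);
}

// Keep only comments whose author the supplied predicate does not flag as a bot.
function filterPending(
  comments: ReviewComment[],
  isBot: (author: Author) => boolean,
): ReviewComment[] {
  return comments.filter((comment) => !isBot(comment.author));
}

// Constructed GraphQL-shaped review comments (logins without the [bot] suffix).
const SAMPLE: ReviewComment[] = [
  { id: "c1", author: { login: "alice", __typename: "User" }, body: "Please rename this." },
  { id: "c2", author: { login: "cursor", __typename: "Bot" }, body: "Possible null deref." },
  { id: "c3", author: { login: "snyk-bot", __typename: "User" }, body: "Dependency alert." },
];

const leaked = filterPending(SAMPLE, isBotByNameOnly).map((comment) => comment.id);
const fixed = filterPending(SAMPLE, isBotAuthor).map((comment) => comment.id);
console.log({ leaked, fixed });
```

The name-only pass keeps `c2`, which is the leak that leads to the double dispatch; the typed check keeps only the human comment while still dropping `snyk-bot` by name.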
Development

Successfully merging this pull request may close these issues.

bug: bot review comments leak through getPendingComments filter due to GraphQL/REST login mismatch