feat: add agentic issue and PR processing

[jescalada]

This PR adds automated issue triaging, PR description quality checks and diff vulnerability scanning.

Features

Issue triaging

Automatically processes freshly opened issues and:

• Adds appropriate tags
• Analyzes the n last issues to check for duplicates or related issues, provides reasons why they may be related/duplicate
  • n defaults to 100
• Requests more info if the description insufficient

PR quality check

Automatically processes freshly opened PRs and:

• Points new contributors to our CONTRIBUTING.md
• Requests more info if the description is insufficient
• Requests linking to an issue if not done
• Checks if the PR description complies with the CONTRIBUTING.md, provides reasoning if not compliant

PR security review

Automatically processes freshly opened PRs, and also triggers when commenting "/security-review":

• Looks at the PR diff and scans for vulnerabilities
  • Certain generated files are always excluded (*.lock, etc.)
  • The diff for a given is truncated down to 3000 chars to prevent bloating the prompt (it may contain generated files that weren't properly excluded)

Prompt details

Prompted specifically to detect:

• Hardcoded secrets, tokens, passwords or API keys
• Injection vulnerabilities (SQL, shell, template, etc.)
• Insecure use of cryptography or hashing
• Unsafe deserialization
• Path traversal or directory traversal risks
• Insecure direct object references
• Missing input validation or sanitisation on user-controlled data
• Use of known-vulnerable dependency versions (if visible in the diff)
• Overly permissive file or network access

---

Examples

PR scanning/quality control

Sample vulnerable diff

PR security review on obvious vulnerable diff

Screenshots

Actual GitProxy PR opened on my fork (#1457)

PR security review on actual upstream PR

Screenshots

Issue tagging

Screenshots

---

To-do

• Improve/clean up prompts
  • Shorten prompts to save tokens
  • Remove emojis
  • Standardize responses
• Extract constants/make configurable through envs
• Extract helpers into separate file, move agent scripts to more appropriate location

Notes

• It'd be great to improve the issue triage to reproduce bugs and look for solutions. We could also review issues in more depth and assess feasibility or critique feature requests, etc.
• I deliberately made the PR reviewer focus only on the security aspect, as we wouldn't want to raise eyebrows with full-blown AI reviews. That said, there's definitely a lot of added value in having AI process the diff before a human gets to look at it. I'm happy to implement a more sophisticated solution if we need it 🙂

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name	Link
🔨 Latest commit	cdd01cf
🔍 Latest deploy log	https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/69df36e968f7df0008fbee2f

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.21%. Comparing base (70d42d5) to head (cdd01cf).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1503   +/-   ##
=======================================
  Coverage   90.21%   90.21%           
=======================================
  Files          69       69           
  Lines        5511     5511           
  Branches      944      944           
=======================================
  Hits         4972     4972           
  Misses        521      521           
  Partials       18       18           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.