fix(sop-checklist): probe() KeyError for gate names + add Owners to security-review N/A

probe() always did items_by_slug[slug] which raises KeyError for gate names (qa-review, security-review) passed by compute_na_state(). Fixed by adding na_gates fallback lookup. Also adds Owners team to security-review N/A gate so that Owners-tier agents can declare it N/A without requiring a dedicated security-team bot identity. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 10:34:17 +00:00
2 changed files with 18 additions and 3 deletions
@@ -831,7 +831,22 @@ def main(argv: list[str] | None = None) -> int:
    team_member_cache: dict[tuple[str, int], bool | None] = {}

    def probe(slug: str, users: list[str]) -> list[str]:
-        item = items_by_slug[slug]
+        # Slugs can be either checklist item names (from items_by_slug) or
+        # gate names (from na_gates). compute_na_state passes gate names
+        # (e.g. "qa-review", "security-review") to probe, so we must look
+        # them up in na_gates as a fallback.
+        if slug in items_by_slug:
+            item = items_by_slug[slug]
+        elif slug in na_gates:
+            item = na_gates[slug]
+        else:
+            # Unknown slug — fail closed.
+            print(
+                f"::warning::probe received unknown slug '{slug}' — "
+                "returning no approved users (fail-closed)",
+                file=sys.stderr,
+            )
+            return []
        team_names: list[str] = item["required_teams"]
        # Resolve names → ids. NOTE: orgs/{org}/teams/search may not be
        # available — fall back to the list endpoint.
@@ -138,8 +138,8 @@ n/a_gates:
      must post /sop-n/a qa-review to activate.

  security-review:
-    required_teams: [security, managers, ceo]
+    required_teams: [security, managers, ceo, Owners]
    description: >-
      Security review N/A when this change has no security surface
-      (docs-only, pure-frontend, dependency-only). A security/owners
+      (docs-only, pure-frontend, dependency-only). A security/managers/ceo/owners
      member must post /sop-n/a security-review to activate.