fix: consolidate actionable review feedback from PRs #4, #6, #13, #26

[Copilot]

Multiple open PRs had unresolved review comments with concrete, actionable fixes that were blocking merge. This PR implements all outstanding feedback in a single change to unblock those PRs.

Type safety & API robustness (src/services/xapi.ts)

• Guard fetchThread() with Array.isArray() before calling parseThread() — prevents runtime crash on unexpected API shapes
• Replace string concatenation with URLSearchParams for mentions endpoint
• Add since_id pagination tracking with type guard on ID assignment
• Change parseThread parameter from any → unknown, use spread to avoid mutating input array

if (!Array.isArray(response.data)) {
  console.warn('Unexpected response shape from X API (thread): data is not an array');
  return null;
}

Memory management (src/services/agent.ts)

• Bound processedMentions Set to 10k entries with safe { value, done } iterator pruning
• Process mentions oldest-first (reverse API order) so Set insertion order matches chronology

Grok type safety (src/services/grok.ts)

• Replace const data: any with typed GrokApiResponse interface

MCP transport fix (src/index.ts)

• Redirect console.log → stderr to avoid corrupting MCP StdioServerTransport stdout protocol, typed as unknown[]

DevOps

• CODEOWNERS: Replace invalid usernames (@codex, @Vercel, @Claude, @Copilot) with @groupthinking
• Workflows: Add explicit permissions blocks to all three workflow files (least-privilege)
• issue-triage.yml: Add label existence check to prevent 422 errors on missing labels

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[github-actions]

🔍 PR Validation

⚠️ PR title should follow conventional commits format

[github-actions]

🔍 PR Validation

⚠️ PR title should follow conventional commits format

[github-actions]

🔍 PR Validation

⚠️ PR title should follow conventional commits format

[Copilot]

Pull request overview

This PR consolidates and applies previously requested review fixes across the X API client, agent orchestration, Grok integration, MCP stdout transport safety, and GitHub repo automation so earlier PRs can be unblocked.

Changes:

• Harden X API handling (mentions pagination via since_id, safer thread parsing guards, avoid in-place sort mutation).
• Improve agent processing order and introduce bounded memory for processed mentions.
• Add workflow permission blocks and CODEOWNERS normalization; adjust issue triage to avoid adding non-existent labels.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/services/xapi.ts	Adds mentions pagination + response shape guards; makes parseThread safer/less mutative.
src/services/agent.ts	Processes mentions oldest-first and prunes processedMentions to a fixed max size.
src/services/grok.ts	Introduces a typed GrokApiResponse cast for Grok responses.
src/index.ts	Redirects console.log to stderr to avoid corrupting MCP stdio protocol output.
.github/workflows/pr-checks.yml	Adds explicit workflow permissions block.
.github/workflows/issue-triage.yml	Adds explicit permissions + label existence filtering before labeling.
.github/workflows/auto-label.yml	Adds explicit workflow permissions block.
.github/CODEOWNERS	Replaces invalid owners with @groupthinking.

[Copilot]

Pruning processedMentions by Array.from(set).slice(...) copies the entire Set to an array each time pruning triggers (once the Set reaches 10k, this can happen on every poll). Prefer deleting the first excess entries via the Set iterator to avoid allocating an O(n) array and to keep pruning O(excess).

Suggested change

	// Sets maintain insertion order, so slice(0, excess) removes oldest entries
	if (this.processedMentions.size > AutonomousAgent.MAX_PROCESSED_MENTIONS) {
	const excess = this.processedMentions.size - AutonomousAgent.MAX_PROCESSED_MENTIONS;
	const toDelete = Array.from(this.processedMentions).slice(0, excess);
	toDelete.forEach(id => this.processedMentions.delete(id));
	// Sets maintain insertion order, so we remove the first `excess` entries via the iterator
	if (this.processedMentions.size > AutonomousAgent.MAX_PROCESSED_MENTIONS) {
	const excess = this.processedMentions.size - AutonomousAgent.MAX_PROCESSED_MENTIONS;
	let removed = 0;
	for (const id of this.processedMentions) {
	if (removed >= excess) {
	break;
	}
	this.processedMentions.delete(id);
	removed += 1;
	}

[Copilot]

response.json() is cast to GrokApiResponse, but the code then assumes data.choices exists. If the API returns an unexpected success payload (or an upstream proxy alters it), this will throw at runtime. Add a small runtime guard (e.g., verify data is an object and Array.isArray(data.choices)) before reading choices[0].

[Copilot]

The workflow calls github.rest.issues.createComment, which requires issues: write permissions (PRs are issues under the hood). With the current permissions block lacking issues: write, the action may fail with a 403 when trying to comment on the PR. Add issues: write (and consider reducing pull-requests to read if you’re aiming for least-privilege).

Suggested change

	pull-requests: write
	pull-requests: read
	issues: write

[Copilot]

This workflow uses github.rest.issues.addLabels/listLabelsForRepo, which require issues scope. The current permissions block omits issues: write, so labeling can fail with insufficient permissions. Update permissions to include issues: write (and pull-requests: read is sufficient for pulls.listFiles).

Suggested change

	pull-requests: write
	pull-requests: read
	issues: write