Draft: automate post-execution bounty issue updates

[ramimbo]

Summary

• finalize GitHub bounty issues after successful create_bounty treasury execution
• add mrwk:bounty and post a claims-open Reserved on MergeWork comment when MERGEWORK_GITHUB_ISSUE_TOKEN is configured
• record skipped/failed/updated finalization status on the treasury proposal result without blocking execution
• document the operator fallback and env var

Stack / merge order

Depends on #625 and targets maintainer/treasury-capacity-visibility. Keep this draft until #625 is merged and deployed, then rebase/retarget as needed.

Maintainer note

This is a maintainer PR and is not asking for a bounty. It keeps proposed issues non-live until the proposal executes; only after execution does the app add mrwk:bounty and announce that claims are open.

Validation

• ./.venv/bin/python scripts/check_agents.py
• ./.venv/bin/python -m pytest
• ./.venv/bin/python -m ruff format --check .
• ./.venv/bin/python -m ruff check .
• ./.venv/bin/python -m mypy app
• ./.venv/bin/python scripts/docs_smoke.py

Summary by CodeRabbit

Release Notes

• New Features

  • GitHub issues created for bounties are now automatically labeled and updated with bounty information when a GitHub token is configured.

• Documentation

  • Updated administrator runbook with guidance on automatic GitHub issue finalization for bounties and fallback procedures when finalization is skipped or fails.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: ae68df7d-bc45-43b1-b696-4532d83d0ce5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• ✅ Review completed - (🔄 Check again to review again)

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[peterxing]

Reviewed the draft diff for #630 via the public .diff and PR metadata.

Finding: the new finalization helper is unit-tested, but I do not see route-level coverage for the execute_treasury_proposal path that writes result.github_issue_finalization back onto the executed proposal. That is the risky integration point here: execution now commits the treasury action, then performs an external GitHub label/comment call, then reopens the DB session to mutate result_json. A focused route test with a fake finalizer or monkeypatched opener would lock down the intended non-blocking behavior for all three cases: updated, skipped when no token is configured, and failed when GitHub raises.

This matters because the admin runbook tells operators to inspect result.github_issue_finalization before manual fallback. If that field is not reliably persisted from the route path, operators could double-post the Reserved on MergeWork comment or miss a failed finalization even though the bounty row was created.

I did not run local commands; evidence reviewed: .env.example, app/config.py, new app/github_issue_finalization.py, app/treasury.py, app/treasury_routes.py, docs/admin-runbook.md, and tests/test_github_issue_finalization.py from the PR diff. No private data, token values, wallet material, production mutation, price/liquidity/exchange/bridge/off-ramp claims, or fabricated payout claims involved.