fix: prevent processing 3rd party maintainers [CM-1097]

[mbani01]

This pull request enhances the accuracy and reliability of maintainer extraction by introducing robust detection and exclusion of third-party and vendored files. The changes add new logic and rules to identify and skip files that are likely to be bundled dependencies or unrelated to project governance, both in the backend logic and the extraction prompt. This helps prevent false maintainer detections from third-party code and clarifies the extraction process.

Third-party and vendor file detection and exclusion:

• Added a comprehensive set of directory names (THIRD_PARTY_DIR_EXACT) and a regular expression (_VERSION_DIR_RE) to identify third-party, vendored, or versioned directories in file paths. Also introduced a maximum path depth (MAX_NON_GOVERNANCE_DEPTH) for files without governance keywords to further filter out likely third-party files.
• Implemented the _is_third_party_path class method to encapsulate the logic for detecting third-party or vendor file paths using the above rules.
• Integrated the _is_third_party_path check into the analyze_and_build_result method, so that files matching any exclusion rule are skipped and logged, raising a NO_MAINTAINER_FOUND error.

Extraction prompt improvements:

• Updated the maintainer extraction prompt in get_extraction_prompt to explicitly instruct the model to check for third-party/vendor file paths first, with detailed rules and examples for exclusion. This ensures the extraction process aligns with the backend logic and avoids extracting maintainers from irrelevant files.

Governance and scoring keyword updates:

• Added contributing.md to the list of recognized governance filenames and contributing to the set of governance stems, improving coverage of legitimate maintainer files. [1] [2]

Dependency update:

• Imported the re module to support regular expression matching for versioned directories.

---

Note

Medium Risk
Introduces new heuristics that change which files are analyzed, which could inadvertently skip legitimate governance files in deeply nested or unusually named paths.

Overview
Prevents maintainer extraction from vendored/third-party files by adding path-based heuristics (known dependency directory names, versioned directories, and deep paths lacking governance keywords) and skipping those candidates early in analyze_and_build_result with a NO_MAINTAINER_FOUND outcome.

Updates the LLM extraction prompt to apply the same third-party/path rejection rules first (with explicit rules/examples) and expands filename/stem matching to include contributing/contributing.md as potential governance indicators.

^{Reviewed by Cursor Bugbot for commit d2a588f. Bugbot is set up for automated code reviews on this repo. Configure here.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

This PR aims to reduce false maintainer extraction by adding heuristics to detect and skip third-party/vendored files (both in backend filtering and in the LLM extraction prompt), and expands governance filename/stem matching to include CONTRIBUTING files.

Changes:

• Added _is_third_party_path() with directory-name, versioned-directory, and “deep path without governance keywords” rejection rules, and applied it in analyze_and_build_result().
• Expanded governance matching by adding contributing.md to known paths and contributing to governance stems.
• Updated the LLM extraction prompt to require an upfront third-party path check with rules and examples.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

contributing.md/contributing are added to the governance match sets, but _ripgrep_search() later excludes basenames in EXCLUDED_FILENAMES (which includes contributing.md and contributing). As a result, CONTRIBUTING files still won’t be discovered as candidates, so this change won’t improve coverage as intended. Consider either removing CONTRIBUTING from EXCLUDED_FILENAMES or not adding it to KNOWN_PATHS/GOVERNANCE_STEMS (and update the PR description accordingly).

[Copilot]

GOVERNANCE_PATH_KEYWORDS is used to exempt deep paths from the third-party filter, but it doesn’t include contributing even though this PR adds contributing to governance stems/known paths. This can cause deep CONTRIBUTING-related governance paths (e.g., docs/contributing/...) to be treated as third-party under Rule 3. Consider adding contributing (and any other governance stems you expect in paths) to GOVERNANCE_PATH_KEYWORDS to keep the heuristics consistent.

[Copilot]

The prompt’s vendor/third-party rules are not aligned with the backend _is_third_party_path() implementation:

• Rule 1’s directory list is missing entries that the backend rejects (e.g. externallibs, bower_components_external).
• The prompt includes Pods/Godeps with capital letters, while the backend lowercases paths before matching.
• The css/bootstrap/README.md example says to “use your judgment” even though it doesn’t match any of the three mandatory reject rules, which conflicts with “MANDATORY — evaluate FIRST” + “MUST return … immediately”.
  To avoid model/backend divergence, make the prompt list/casing match the code exactly and remove (or rework) the “use your judgment” example so it doesn’t contradict the stated rules.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit d2a588f. Configure here.}

[cursor]

contributing.md contradicts existing exclusion rules

Medium Severity

Adding contributing.md to KNOWN_PATHS and contributing to GOVERNANCE_STEMS directly contradicts EXCLUDED_FILENAMES, which still contains both entries. The _ripgrep_search method filters out any file whose basename is in EXCLUDED_FILENAMES, so contributing.md can never be discovered as a candidate. Additionally, KNOWN_PATHS is passed as example governance files to the LLM file-detection prompt, which simultaneously says "CONTRIBUTING.md must ALWAYS be ignored." This creates a self-contradictory LLM prompt and makes the KNOWN_PATHS addition effectively dead code. It also disables section extraction for contributing.md if it reaches analysis via a saved file path, sending the full (mostly irrelevant) contributing guide to the LLM.

Additional Locations (2)

• services/apps/git_integration/src/crowdgit/services/maintainer/maintainer_service.py#L128-L134
• services/apps/git_integration/src/crowdgit/services/maintainer/maintainer_service.py#L99-L100

 

^{Reviewed by Cursor Bugbot for commit d2a588f. Configure here.}