From 573ebe091890da08ea3691a4e9faafaa73b12569 Mon Sep 17 00:00:00 2001
From: Victor Casado
Date: Thu, 11 Jun 2026 15:00:34 -0400
Subject: [PATCH] fix: enforce policy.review.required gate in applyPublish

applyPublish was forcing review='approved' for any state that wasn't 'changes-requested', bypassing policy.review.required entirely. Add a guard that throws before buildIssueStateFromAction when review approval is required but not yet granted.

Co-Authored-By: Claude Sonnet 4.6
---
 scripts/lib/github-coordination/actions.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/lib/github-coordination/actions.js b/scripts/lib/github-coordination/actions.js
index 0682d8c3..4548c4ad 100644
--- a/scripts/lib/github-coordination/actions.js
+++ b/scripts/lib/github-coordination/actions.js
@@ -183,6 +183,10 @@ function applyPublish(repo, issueNumber, options = {}, context = {}) {
         throw new Error(`Issue #${issueNumber} is not ready to publish: ${validation.validations.map(entry => `${entry.check}=${entry.ok}`).join(', ')}`);
     }
 
+    if (policy.review && policy.review.required && state.review !== 'approved') {
+        throw new Error(`Issue #${issueNumber} cannot be published: review approval required (current: ${state.review})`);
+    }
+
     const nextState = buildIssueStateFromAction(issue, state, 'publish', {
         status: 'published',
         validation: 'passed',
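Review bot: The new review gate is enforced only at its own throw site and is not reflected in the `validation.validations` entries checked immediately above it, so any caller that inspects that readiness report (a dry-run or status view, if the module has one) would presumably still see the issue as publishable while `applyPublish` rejects it; consider adding a `review` entry to that report next to the guard, or documenting why the two checks are kept separate. The diffstat shows only actions.js changed, so a regression test that calls `applyPublish` with `policy.review.required` set and `state.review` equal to `'approved'` versus a value other than `'approved'` would pin the behaviour the commit describes. The condition could also be written `policy.review?.required` if the file's Node target allows optional chaining. A short why-comment above the guard would help the next reader, e.g. `// Authorization gate: buildIssueStateFromAction does not enforce policy.review.required, so reject here before the published state is built.` The enclosing applyPublish starts and continues outside the hunk.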