[DEVEX-1523] Stop AI auto-approvals; comment-only with first-time Slack ping

[ronneseth]

Summary

Follow-up to DEVEX-1523. The AI reviewer no longer submits formal GitHub approvals — human review is always required. When the AI would have approved, it now posts a --comment review explaining why, and Slack is pinged only the first time per PR so humans see a quick-review candidate without channel spam on every push.

What changed

• No more formal AI approvals. The approve arm of the apply-verdict step now uses gh pr review --comment. The body opens with the stable marker AI Review: Would have approved — human review still required. followed by I would have approved this PR for the following reasons: and the AI's reasoning.
• Output renamed did_approve → would_have_approved to reflect the new semantics.
• Slack dedupe per PR. The Slack step now lists bot-authored reviews on the PR and skips if a prior review already begins with the marker, so re-pushes and re-runs don't re-ping. The first-ever would-have-approved run sees exactly one (the one we just posted) and notifies; subsequent runs see ≥2 and skip with a step-summary note.
• Slack copy updated from "AI auto-approved" to "AI would have approved (candidate for quick review)".
• AI prompt clarifies that approve now triggers a comment rather than a formal approval so calibration stays right.
• Check Run for the would-have-approved case keeps success (green) with title "AI would have approved" so the signal remains visible at a glance.

Unchanged

• Size gate, dismiss-unauthorized-approvals defense-in-depth step, comment and defer arms, and Check Run publishing. Token permissions stay pull-requests: write.

Blast radius

Reusable workflow consumed via @main by encodium/radmin and encodium/manage. Both pick up the change on the next PR event after merge. This PR's own CI still runs the pre-merge workflow, so the new behavior is only observable on the next PR in a consumer repo.

Test plan

• Open a small low-risk PR in a consumer repo (radmin or manage) and confirm: AI posts a --comment review beginning with the marker line, no formal approval shows on the PR, AI Code Review check is green.
• Push a second commit to the same PR (or re-run the workflow) and confirm the marker review repeats but the Slack channel does NOT receive a second ping.
• Open a PR that the AI would comment on (real concerns) — confirm inline comments + neutral check, no Slack ping.
• Open a PR that the AI defers — confirm deferral comment + skipped check, no Slack ping.
• Confirm the dismiss-unauthorized-approvals step is unchanged and still arms (no behavior change expected).

Made with Cursor

[cursor]

PR Summary

Low Risk
Workflow-only change to review posting and Slack dedupe; no application runtime or auth logic.

Overview
The reusable Claude AI code review workflow no longer submits formal GitHub approvals when the model chooses approve. Apply verdict now posts a --comment review with a stable AI Review: Would have approved marker and explanatory body, sets would_have_approved (replacing did_approve), and keeps the AI Code Review check green with title AI would have approved.

The reviewer prompt and slack_channel input text now state that human approval is always required and that approve only flags a quick-review candidate.

Slack notifies on the first would-have-approved run per PR by counting bot reviews whose bodies start with that marker (including the review just posted); later re-runs skip posting. Message copy shifts from “auto-approved” to “candidate for quick review.”

^{Reviewed by Cursor Bugbot for commit d6e4e46. Bugbot is set up for automated code reviews on this repo. Configure here.}