chore(ci): keppo-bot privileged user; remove dyadbot from privileged lists (#3114)

.claude/skills/deflake-e2e-recent-commits/SKILL.md

 ---
 name: dyad:deflake-e2e-recent-commits
-description: Automatically gather flaky E2E tests from recent CI runs on the main branch and from recent PRs by wwwillchen/wwwillchen-bot/dyadbot/dyad-assistant, then deflake them.
+description: Automatically gather flaky E2E tests from recent CI runs on the main branch and from recent PRs by wwwillchen/keppo-bot/dyad-assistant, then deflake them.
 ---
 
 # Deflake E2E Tests from Recent Commits
 
-Automatically gather flaky E2E tests from recent CI runs on the main branch and from recent PRs by wwwillchen/wwwillchen-bot/dyadbot/dyad-assistant, then deflake them.
+Automatically gather flaky E2E tests from recent CI runs on the main branch and from recent PRs by wwwillchen/keppo-bot/dyad-assistant, then deflake them.
 
 ## Arguments
 
@@ -49,16 +49,15 @@ Automatically gather flaky E2E tests from recent CI runs on the main branch and
 
    **Note:** Some runs may not have an html-report artifact (e.g., if they were cancelled early, the merge-reports job didn't complete, or artifacts have expired past the 3-day retention period). Skip these runs and continue to the next one.
 
-2. **Gather flaky tests from recent PRs by wwwillchen, wwwillchen-bot, dyadbot, and dyad-assistant:**
+2. **Gather flaky tests from recent PRs by wwwillchen, keppo-bot, and dyad-assistant:**
 
-In addition to main branch CI runs, scan recent open PRs authored by `wwwillchen`, `wwwillchen-bot`, `dyadbot`, or `dyad-assistant` for flaky tests reported in Playwright report comments.
+In addition to main branch CI runs, scan recent open PRs authored by `wwwillchen`, `keppo-bot`, or `dyad-assistant` for flaky tests reported in Playwright report comments.
 
 a. List recent open PRs by these authors:
 
 ```
 gh pr list --author wwwillchen --state open --limit 10 --json number,title
-gh pr list --author wwwillchen-bot --state open --limit 10 --json number,title
-gh pr list --author dyadbot --state open --limit 10 --json number,title
+gh pr list --author keppo-bot --state open --limit 10 --json number,title
 gh pr list --author dyad-assistant --state open --limit 10 --json number,title
 ```
 
@@ -151,7 +150,7 @@ d. Add these flaky tests to the overall collection, noting they came from PR #N
    Report:
    - Total flaky tests found across main branch commits and PRs
 
-- Sources of flaky tests (main branch CI runs vs. PR comments from wwwillchen/wwwillchen-bot/dyadbot/dyad-assistant)
+- Sources of flaky tests (main branch CI runs vs. PR comments from wwwillchen/keppo-bot/dyad-assistant)
   - Which tests were successfully deflaked
   - What fixes were applied to each
   - Which tests could not be fixed (and why)

.claude/skills/pr-fix-comments/SKILL.md

@@ -22,7 +22,7 @@ Only process review comments from these trusted authors. Comments from other aut
 **Trusted humans (collaborators):**
 
 - wwwillchen
-- wwwillchen-bot
+- keppo-bot
 - princeaden1
 - azizmejri1
 
@@ -33,7 +33,6 @@ Only process review comments from these trusted authors. Comments from other aut
 - cubic-dev-ai
 - cursor
 - github-actions
-- dyadbot
 - dyad-assistant
 - chatgpt-codex-connector
 - devin-ai-integration

.github/workflows/bugbot-trigger.yml

@@ -13,8 +13,7 @@ jobs:
     # Only review code from regular contributors since bug bot has a capped # of PR reviews.
     if: |
       (github.event.pull_request.user.login == 'wwwillchen' ||
-      github.event.pull_request.user.login == 'wwwillchen-bot' ||
-      github.event.pull_request.user.login == 'dyadbot' ||
+      github.event.pull_request.user.login == 'keppo-bot' ||
       github.event.pull_request.user.login == 'dyad-assistant' ||
       github.event.pull_request.user.login == 'azizmejri1' ||
       github.event.pull_request.user.login == 'princeaden1') &&

.github/workflows/ci.yml

@@ -86,7 +86,7 @@ jobs:
             AUTHOR="${{ github.event.pull_request.user.login }}"
           fi
           echo "Author: $AUTHOR"
-          if [ "$AUTHOR" = "wwwillchen" ] || [ "$AUTHOR" = "wwwillchen-bot" ] || [ "$AUTHOR" = "dyadbot" ] || [ "$AUTHOR" = "dyad-assistant" ] || [ "$AUTHOR" = "azizmejri1" ]; then
+          if [ "$AUTHOR" = "wwwillchen" ] || [ "$AUTHOR" = "keppo-bot" ] || [ "$AUTHOR" = "dyad-assistant" ] || [ "$AUTHOR" = "azizmejri1" ]; then
             echo "is_privileged=true" >> $GITHUB_OUTPUT
           else
             echo "is_privileged=false" >> $GITHUB_OUTPUT
@@ -96,7 +96,7 @@ jobs:
       # The "image" field is a JSON-encoded array string so that fromJSON() in runs-on
       # can produce the correct label(s) for both GitHub-hosted and self-hosted runners.
       #
-      # Privileged authors (wwwillchen, wwwillchen-bot, dyadbot, dyad-assistant, azizmejri1):
+      # Privileged authors (wwwillchen, keppo-bot, dyad-assistant, azizmejri1):
       #   - Self-hosted macOS ARM64 runners, no Windows, no sharding.
       #
       #   build (macOS self-hosted) ──> e2e-tests (macOS self-hosted, shard 1/1)

.github/workflows/claude-pr-review.yml

@@ -23,8 +23,7 @@ jobs:
     # https://github.com/anthropics/claude-code-action/blob/main/examples/pr-review-filtered-authors.yml
     if: |
       github.event.pull_request.user.login == 'wwwillchen' ||
-      github.event.pull_request.user.login == 'wwwillchen-bot' ||
-      github.event.pull_request.user.login == 'dyadbot' ||
+      github.event.pull_request.user.login == 'keppo-bot' ||
       github.event.pull_request.user.login == 'dyad-assistant' ||
       github.event.pull_request.user.login == 'azizmejri1' ||
       github.event.pull_request.user.login == 'princeaden1'
@@ -61,7 +60,7 @@ jobs:
 
           # See: https://github.com/anthropics/claude-code-action/blob/v1/docs/security.md
           github_token: ${{ steps.app-token.outputs.token }}
-          allowed_non_write_users: "princeaden1,wwwillchen-bot,dyadbot,dyad-assistant" # remember, we already filter above.
+          allowed_non_write_users: "princeaden1,keppo-bot,dyad-assistant" # remember, we already filter above.
 
           # Disable progress tracking (try to save tokens)
           track_progress: false

.github/workflows/claude-rebase.yml

@@ -36,7 +36,7 @@ jobs:
           github-token: ${{ steps.base-app-token.outputs.token }}
           script: |
             const pr = context.payload.pull_request;
-            const allowedUsers = ['wwwillchen', 'wwwillchen-bot', 'dyadbot', 'dyad-assistant', 'azizmejri1', 'princeaden1'];
+            const allowedUsers = ['wwwillchen', 'keppo-bot', 'dyad-assistant', 'azizmejri1', 'princeaden1'];
             if (!allowedUsers.includes(pr.user.login)) {
               console.log(`PR author ${pr.user.login} is not allowed to use this workflow`);
               core.setOutput('should_continue', 'false');

.github/workflows/claude-triage.yml

@@ -135,14 +135,14 @@ jobs:
 
             ### Surfacing Helpful Comments
 
-            If a **high-confidence** duplicate is found and there is a helpful comment from **wwwillchen@**, **wwwillchen-bot@**, **dyadbot@**, or **dyad-assistant@** on the original issue, include a recommendation in your comment:
+            If a **high-confidence** duplicate is found and there is a helpful comment from **wwwillchen@**, **keppo-bot@**, or **dyad-assistant@** on the original issue, include a recommendation in your comment:
 
             > You might want to try [summary of the suggestion] based on this earlier [comment]([direct link to the comment]).
 
             **Notes:**
 
             - Only do this for high-confidence duplicates where you're very confident the issues are the same.
-            - Only surface comments from wwwillchen@, wwwillchen-bot@, dyadbot@, or dyad-assistant@ — do not surface comments from other users.
+            - Only surface comments from wwwillchen@, keppo-bot@, or dyad-assistant@ — do not surface comments from other users.
             - Link directly to the specific comment, not just the issue.
 
             ### If No Duplicates Found

.github/workflows/label-rebase-prs.yml

@@ -26,7 +26,7 @@ jobs:
         with:
           github-token: ${{ steps.app-token.outputs.token }}
           script: |
-            const allowedAuthors = ['wwwillchen', 'wwwillchen-bot', 'dyadbot', 'dyad-assistant'];
+            const allowedAuthors = ['wwwillchen', 'keppo-bot', 'dyad-assistant'];
 
             const prs = await github.paginate(github.rest.pulls.list, {
               owner: context.repo.owner,

.github/workflows/pr-review-responder.yml

@@ -65,7 +65,7 @@ jobs:
 
               // Check that the person who applied the label is a trusted actor
               const actor = context.actor;
-              const allowedActors = ['wwwillchen', 'wwwillchen-bot', 'dyadbot', 'dyad-assistant'];
+              const allowedActors = ['wwwillchen', 'keppo-bot', 'dyad-assistant'];
               if (!allowedActors.includes(actor)) {
                 console.log(`Label applied by ${actor} who is not in the allowed actors list`);
                 core.setOutput('should_continue', 'false');
@@ -128,8 +128,8 @@ jobs:
               prAuthor = pr.user.login;
             }
 
-            // Only allow wwwillchen, wwwillchen-bot, dyadbot, dyad-assistant, and princeaden1 to use this workflow
-            if (prAuthor !== 'wwwillchen' && prAuthor !== 'wwwillchen-bot' && prAuthor !== 'dyadbot' && prAuthor !== 'dyad-assistant' && prAuthor !== 'princeaden1') {
+            // Only allow wwwillchen, keppo-bot, dyad-assistant, and princeaden1 to use this workflow
+            if (prAuthor !== 'wwwillchen' && prAuthor !== 'keppo-bot' && prAuthor !== 'dyad-assistant' && prAuthor !== 'princeaden1') {
               console.log(`PR #${prNumber} author ${prAuthor} is not allowed to use this workflow`);
               core.setOutput('should_continue', 'false');
               return;

plans/faster-pr-workflows.md

@@ -4,7 +4,7 @@
 
 ## Summary
 
-Improve the speed of landing PRs for the maintainer (wwwillchen/wwwillchen-bot/dyadbot) by optimizing the CI pipeline, automating the fix-and-retry loop, and improving developer feedback during wait times. The current workflow is already highly automated — this plan targets the remaining friction: CI wall-clock time, human-in-the-loop steps, and the "waiting black hole" between push and merge.
+Improve the speed of landing PRs for the maintainer (wwwillchen/keppo-bot) by optimizing the CI pipeline, automating the fix-and-retry loop, and improving developer feedback during wait times. The current workflow is already highly automated — this plan targets the remaining friction: CI wall-clock time, human-in-the-loop steps, and the "waiting black hole" between push and merge.
 
 ## Problem Statement
 

rules/git-workflow.md

@@ -6,7 +6,7 @@ When pushing changes and creating PRs:
 2. If the branch hasn't been pushed before, default to pushing to `origin` (the fork `wwwillchen/dyad`), then create a PR from the fork to the upstream repo (`dyad-sh/dyad`).
 3. If you cannot push to the fork due to permissions, push directly to `upstream` (`dyad-sh/dyad`) as a last resort.
 
-**Bot account push permissions:** The `wwwillchen-bot` account does NOT have write access to `upstream` (`dyad-sh/dyad`). If a branch tracks `upstream` (e.g., `upstream/claude/...`), pushing will fail with a permission error. In this case, push to `origin` (the bot's fork at `wwwillchen-bot/dyad`) instead:
+**Bot account push permissions:** The `keppo-bot` account does NOT have write access to `upstream` (`dyad-sh/dyad`). If a branch tracks `upstream` (e.g., `upstream/claude/...`), pushing will fail with a permission error. In this case, push to `origin` (the bot's fork at `keppo-bot/dyad`) instead:
 
 ```bash
 git push --force-with-lease -u origin HEAD
@@ -90,7 +90,7 @@ gh api graphql --input .claude/tmp/resolve_thread.json
 gh api repos/dyad-sh/dyad/issues/{PR_NUMBER}/labels -f "labels[]=label-name"
 ```
 
-2. **Bot account permission errors:** The `wwwillchen-bot` account (and similar bot/fork accounts) may not have permission to add labels on the upstream repo (`dyad-sh/dyad`). Both `gh pr edit --add-label` and the REST API will fail with 403/permission errors. In this case, skip label addition and note it in the PR summary rather than failing the workflow. Labels can be added later by a maintainer with appropriate permissions.
+2. **Bot account permission errors:** The `keppo-bot` account (and similar bot/fork accounts) may not have permission to add labels on the upstream repo (`dyad-sh/dyad`). Both `gh pr edit --add-label` and the REST API will fail with 403/permission errors. In this case, skip label addition and note it in the PR summary rather than failing the workflow. Labels can be added later by a maintainer with appropriate permissions.
 
 ## CI file access (claude-code-action)
 
@@ -98,7 +98,7 @@ In CI, `claude-code-action` restricts file access to the repo working directory
 
 ## Force-pushing after rebase with split-remote origin
 
-When `origin` has separate fetch and push URLs (e.g., fetch → `dyad-sh/dyad`, push → `wwwillchen-bot/dyad`), `git push --force-with-lease` fails with **"stale info"** after a rebase because the local tracking ref was refreshed from the fetch URL but does not reflect the push URL's state. In this specific split-remote configuration, use `git push --force origin HEAD`:
+When `origin` has separate fetch and push URLs (e.g., fetch → `dyad-sh/dyad`, push → `keppo-bot/dyad`), `git push --force-with-lease` fails with **"stale info"** after a rebase because the local tracking ref was refreshed from the fetch URL but does not reflect the push URL's state. In this specific split-remote configuration, use `git push --force origin HEAD`:
 
 ```bash
 git push --force origin HEAD