PR Merge Roadmap — reviewer guide for Joe #47

@richard-devbot

For Joe — one place to check before touching any PR

Whitespace noise in diffs

Every PR diff can be viewed with whitespace changes hidden.
Just add ?w=1 to the PR URL:

https://github.com/CursorTouch/Operator-Use/pull/25?w=1

This strips formatting-only lines so you only see real code changes.


Merge order

Batch 1 — Phase 0 foundations (merge in any order, all independent)

| PR | What it does | How to validate |
|---|---|---|
| #25 | CI hardening, guardrails base, os.system fix | pytest tests/ -q passes, CI green |
| #33 | AI_PRINCIPLES.md (6 safety principles) | File exists at repo root, all 6 sections present |
| #34 | E2E test framework | pytest tests/e2e/ -v — 4 smoke tests pass |
| #35 | AI ethics PR template | .github/PULL_REQUEST_TEMPLATE.md exists |
| #36 | Security test scaffold | pytest tests/security/ --collect-only — 0 errors |
| #37 | Adversarial test framework (55 payloads) | pytest tests/adversarial/ -v passes |
| #38 | Coverage reporting + 60% gate in CI | CI coverage artifact uploads, threshold enforced |
| #40 | guardrails/ module (57 unit tests) | pytest tests/security/test_guardrails_base.py — 57 pass |

Batch 2 — Phase 1 security (merge only after ALL of Batch 1 is in)

PRs #26, #27, #28 branch from richardson/security-hardening — they need a rebase onto main after #25 lands before merge.

| PR | What it does | How to validate |
|---|---|---|
| #26 | Path traversal fix, download sanitisation, XPath injection | pytest tests/security/test_path_traversal.py — 3 pass |
| #27 | Terminal allowlist + browser JS API restrictions | pytest tests/security/test_terminal_security.py — 3 pass |
| #28 | Browser clean profile + allow_from default-deny | pytest tests/security/test_gateway_auth.py passes |
| #30 | Credential masking in all log output | pytest tests/test_log_masking.py — 18 pass |
| #32 | Session TTL and auto-expiry | pytest tests/test_session_ttl.py — 10 pass |

Batch 3 — Phase 2 workspace isolation (independent of Batch 1/2, but #43 must merge first within this group)

| PR | What it does | How to validate |
|---|---|---|
| #43 ← merge first | Cursorless UI automation (macOS + Windows) | pytest tests/ -q passes, no import errors |
| #41 | Cooperative input locking (pause agent on user activity) | from operator_use.computer import InputActivityMonitor — no error |
| #42 | macOS Agent Space — agent windows to Space 2 | from operator_use.computer import AgentSpaceManager — no error |
| #44 | Picture-in-picture agent monitor overlay | from operator_use.computer import PiPMonitor — no error |
| #45 | Linux AT-SPI cursorless automation | from operator_use.computer import LinuxATSPIAutomation — no error |
| #46 | Windows virtual display confinement (Parsec VDD) | from operator_use.computer import VirtualDisplayManager — no error |

Standalone — review independently

| PR | What it does | Notes |
|---|---|---|
| #1 | Config-driven agent governance (srimon12) | Separate contributor — full review required |

Quick reference
