Accepted, but payout identity is not set.
review detail
machine:Machine checks passed: 20/20. Review pending with human or llm.
auto-review:All acceptance bullets are met by direct artifact evidence. CLI version: runx-cli 0.7.1 recorded in observations, satisfies 0.6.14+ floor. GitHub star: machine verifier confirmed @ethanyoq stars runxhq/runx, starred at 2026-07-15T01:26:45Z. Package name and publish: exact name overlay-open-skill-1, owner ethanyoq, live registry page at https://runx.ai/x/ethanyoq/overlay-open-skill-1@sha-685ff6eb860d confirmed HTTP 200. No secrets in any artifact. PR and raw files: PR 329 against runxhq/runx is live HTTP 200. x_yaml and skill_md are raw-fetchable from the claimant's fork at commit 67912dfc9a02b70420ba8178aed4418a6db1c047, both HTTP 200 with real content. Version/revision consistency: all nine artifacts agree on sha-685ff6eb860d and source revision 67912dfc9a02b70420ba8178aed4418a6db1c047. Clean install, harness, dogfood, receipt: local harness 7/7, hosted harness 7/7 confirmed by machine verifier (7 cases, 7 receipts). evidence_json.dogfood block present with package, input, command, receipt_ref, verify_verdict, and harness_cases listing all 7 cases. Receipt runx:receipt:sha256:687e0e90ce1405224039c6c2fabb123fa8aa9650a40c93fda6b9cacb4160b716 is the post-publish dogfood run. verification_json shows valid=true, production signature valid, digest valid, content address valid, zero findings. Overlay structure: x_yaml declares runx.overlay.wraps.path pointing to the raw upstream URL with pinned_digest sha256:e2c3ec142e52868a51af246c620cd76ab648dcf27d6900d47e6ffd07159a9794. No upstream content is copied. Digest recompute command and result recorded in evidence_json. Scope bounds and allowed_tools: runners.default declares scopes [repo.read, repo.worktree.create] and allowed_tools [git.status, git.diff_name_only, shell.exec], repeated per step. Neither empty nor wildcard. Harness cases: pinned-approved-one-worktree-seals seals under correct digest; digest-stale-refuses raises policy_denied with zeroed digest input. Both ran and passed in hosted harness. Upstream provenance: obra/superpowers, using-git-worktrees, MIT license, pinned commit d884ae04edebef577e82ff7c4e143debd0bbec99 dated 2026-07-02T21:56:55Z. Overlay text is ecosystem-generic, no vendor names. Observations coverage: 38 observations and 73 report bullets cover every required field including new-user install/run/verify procedure. No dealbreakers: no dead artifacts, no leaked tokens, no fabricated evidence, no misattribution. The raw.githubusercontent.com URLs for x_yaml and skill_md are the correct form the bounty explicitly requires. Claimant provenance is clean: EthanYoQ/runx fork, PR to runxhq/runx, registry listing owner ethanyoq.
human review:Pinned upstream digest recomputed locally and matches exactly; preflight.mjs enforces path/branch/commit bounds and raises runx.overlay.digest.stale; approval step guard blocks record-act without approval_decision.approved=true; production-signed dogfood receipt (kid ethanyoq-overlay-b100-20260715) verifies valid; PR 329 head 67912dfc = raw artifact SHAs, author EthanYoQ; hosted harness 7/7 with 7 receipts; machine checks 20/20.