review-bot

Author	SHA1	Message	Date
Rodin	4a1cb6b47c	docs: add read:user to required token scopes CI / test (pull_request) Successful in 13s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 20s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 27s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 50s Details The read:user scope is needed for the bot to self-request as a reviewer on PRs. Without it, the bot still functions but cannot add itself to the reviewer list. Closes #66	2026-05-10 23:40:24 -07:00
Rodin	deade3c5a0	feat: log loaded pattern files for debugging CI / test (pull_request) Successful in 19s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 29s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 42s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m5s Details When patterns-repo is configured, now logs at Info level: - File paths loaded from each repo - Count of files per repo At Debug level logs skipped files (non-markdown/txt/yaml). Warns if no pattern files were loaded from a repo (likely misconfigured patterns-files path). Closes #64	2026-05-10 23:37:14 -07:00
aweiker	c54cee134e	Merge pull request 'feat: load personas from target repo .review-bot/personas/' (#61 ) from issue-60 into main CI / test (push) Successful in 9m33s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details Reviewed-on: #61 Reviewed-by: security-review-bot <10+security-review-bot@noreply.gitea.weiker.me> Reviewed-by: Aaron Weiker <aaron@weiker.org>	2026-05-11 02:54:46 +00:00
Rodin	1dd73bc4df	Revert "ci: disable setup-go cache (cache server unreachable)" PR Ready Gate / clear-labels (pull_request) Successful in 3s Details CI / test (pull_request) Successful in 9m32s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Failing after 5m21s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Failing after 5m51s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Failing after 5m58s Details This reverts commit `8f564ea4f8`.	2026-05-10 19:44:08 -07:00
Rodin	8f564ea4f8	ci: disable setup-go cache (cache server unreachable) PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 15s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 36s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m28s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m43s Details Cache server at 192.168.109.55:35239 times out, adding 4+ minutes to each job. Disable until cache infra is fixed.	2026-05-10 19:43:46 -07:00
Rodin	9775cb098c	fix: address PR #61 review findings PR Ready Gate / clear-labels (pull_request) Successful in 1s Details CI / test (pull_request) Successful in 9m32s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 9m55s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 10m38s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 11m3s Details MAJOR: - LoadRepoPersonas: add MaxPersonaFileSize check before parsing to prevent resource exhaustion from oversized YAML files committed to target repositories MINOR: - isNotFoundError: tighten substring match to 'HTTP 404' only to avoid masking auth/transport errors containing generic 'not found' - main.go: remove duplicate flag.Parse() call - main.go: add comment explaining nil map indexing is safe in Go when LoadRepoPersonas returns an error Tests updated to reflect the intentional behavior change in isNotFoundError and added test case for oversized file rejection.	2026-05-10 19:29:13 -07:00
Rodin	3f06ba2ea6	feat: load personas from target repo .review-bot/personas/ PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 9m32s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 10m10s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 10m51s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 10m33s Details Implements #60. - Add ParsePersonaBytes() for parsing personas from byte data - Add LoadRepoPersonas() to fetch personas from repo via Gitea API - Add MergePersonas() to combine built-in and repo personas - Add GetBuiltinPersonasMap() helper - Update main.go to load repo personas first, fall back to built-in - Add giteaClientAdapter to bridge gitea.Client to review.GiteaClient When --persona is specified, the bot now: 1. Attempts to fetch personas from .review-bot/personas/*.yaml 2. If the named persona exists in the repo, uses it 3. Otherwise falls back to built-in personas This allows repos to define domain-specific personas (e.g., trading experts for gargoyle, crypto experts for kms-lite) without modifying the review-bot codebase.	2026-05-10 19:05:37 -07:00
aweiker	593b249e09	Merge pull request 'feat: add YAML support for persona files' (#58 ) from issue-57 into main CI / test (push) Successful in 9m31s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details Reviewed-on: #58 Reviewed-by: security-review-bot <10+security-review-bot@noreply.gitea.weiker.me> Reviewed-by: Aaron Weiker <aaron@weiker.org>	2026-05-11 01:39:43 +00:00
Rodin	10cd6203d4	fix: address remaining PR #58 review findings PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 9m31s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 9m54s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 10m40s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 11m27s Details 1. Remove dead JSON fallback in LoadBuiltinPersona - The embed directive only includes *.yaml files - JSON fallback code could never succeed - Simplified function to only try YAML 2. JSON parsing now rejects unknown fields - Switched from json.Unmarshal to json.Decoder - DisallowUnknownFields() matches YAML's KnownFields(true) - Added test coverage for JSON unknown field rejection 3. Documented symlink support in LoadPersona - os.Stat follows symlinks, so symlinks to regular files work - Added doc comment explaining the behavior - Added test for symlink support	2026-05-10 17:53:42 -07:00
Aaron Weiker	26f326cf51	fix: add YAML alias cycle detection and multi-document rejection PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 9m34s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 9m53s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 10m23s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 11m24s Details Address security review findings: MAJOR: Add cycle detection to checkYAMLDepth using a visited set (seen map[*yaml.Node]struct{}) to prevent infinite recursion from crafted YAML with self-referential aliases. MINOR fixes: - Add MaxYAMLNodes (1000) limit as defense-in-depth against wide-but-shallow structures that bypass depth limits - Increment depth when following alias targets (was incorrectly passing same depth, allowing alias chains to bypass depth limit) - Reject multi-document YAML files instead of silently ignoring additional documents (prevents confusing silent data loss) Tests added: - TestYAMLAliasCycleDetection: Direct test of cycle detection logic - TestYAMLMultiDocumentRejection: Verifies multi-doc files rejected - TestYAMLNodeCountLimit: Verifies wide structures are rejected - TestCheckYAMLDepthCycleDetectionDirect: Unit test with artificial cycle	2026-05-10 17:12:01 -07:00
Rodin	4fed59ac85	yaml: enable strict field checking to catch typos PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 9m33s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 9m54s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 10m51s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 11m30s Details Addresses PR #58 MINOR finding: YAML decoder now rejects unknown fields. - Enable KnownFields(true) on YAML decoder to catch typos like 'focuss' or 'identiy' in persona files - Since yaml.Node.Decode() doesn't support KnownFields, we now do a two-pass decode: first pass checks depth limits, second pass decodes with strict field checking - Add tests for unknown field rejection at top-level and nested levels	2026-05-10 16:50:07 -07:00
Rodin	6035afeea7	fix: address MINOR review findings from `c3e8f0f` review PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 9m33s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 9m51s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 11m13s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 11m25s Details	2026-05-10 16:29:44 -07:00
Rodin	c3e8f0f231	fix: address PR review findings PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 9m32s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 9m53s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 10m52s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 11m0s Details MAJOR fixes: - Remove false security claim about gopkg.in/yaml.v3 having built-in depth protection - Add explicit YAML depth limiting via yaml.Node API (MaxYAMLDepth=20) - Add file size limit for persona files (MaxPersonaFileSize=64KB) - Add test for deeply nested YAML rejection MINOR fixes: - Add sort.Strings to ListBuiltinPersonas for deterministic ordering - Update design doc to reflect actual library used (gopkg.in/yaml.v3) - Update README: 'Zero dependencies' → 'Minimal dependencies' - Add test for file size limit - Add test for sorted persona list	2026-05-10 14:43:31 -07:00
Rodin	7898dd939f	feat: add YAML support for persona files (#57 ) PR Ready Gate / clear-labels (pull_request) Successful in 1s Details CI / test (pull_request) Successful in 9m33s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 9m55s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 10m32s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 11m0s Details - Add gopkg.in/yaml.v3 dependency (approved in CONVENTIONS.md) - Update parsePersona to detect format by file extension - Support both .yaml and .yml extensions (case-insensitive) - Convert built-in personas to YAML format - Add comprehensive tests for YAML parsing - Update README with YAML examples and documentation YAML provides cleaner multi-line strings via literal block scalars and supports comments, making persona definitions more readable. JSON remains supported for backwards compatibility. Closes #57	2026-05-10 14:16:41 -07:00
rodin	fededd18ad	Merge pull request 'docs: allow approved third-party packages' (#59 ) from allow-deps into main CI / test (push) Successful in 15s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details docs: strict dependency allowlist with CI enforcement	2026-05-10 21:07:10 +00:00
Rodin	01cde16d47	fix: validate all deps and improve robustness PR Ready Gate / clear-labels (pull_request) Successful in 1s Details CI / test (pull_request) Successful in 15s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 34s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m51s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m51s Details Addresses GPT review feedback: 1. MAJOR - Test deps now validated: All direct module deps (from go.mod) are checked against the allowlist, whether used in prod or tests. 2. MINOR - Prefix match: Uses grep -E with word boundary (^pkg(/\|$\|$)) to avoid false positives on similarly-prefixed modules. 3. MINOR - Bash version check: Script now fails early with helpful message if Bash < 4 (macOS default). Added shebang: #!/usr/bin/env bash 4. NIT - Removed redundant grep -v '_test' (go list -deps already excludes test-only deps without -test flag).	2026-05-10 14:02:06 -07:00
Rodin	aeb0c8cb79	fix: enforce Scope column and improve portability PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 14s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 35s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m46s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 2m2s Details Addresses review feedback: 1. MAJOR - Scope enforcement: Script now parses the Scope column and ensures 'test only' packages don't appear in non-test code. Uses 'go list -deps' to check production imports. 2. MINOR - Portability: Replaced 'grep -P' (GNU-only) with awk-based parsing that works on macOS/BSD. 3. MINOR - Robustness: Table parsing uses awk to split on '\|' and extract columns properly, handling whitespace variations. 4. MINOR - Glob safety: Prefix matching now uses parameter expansion instead of glob patterns to prevent metacharacter issues.	2026-05-10 13:57:49 -07:00
Rodin	70267b68f4	fix: address review feedback on dependency allowlist PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 14s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 32s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m27s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m28s Details Fixes: - Single source of truth: script now parses allowlist from CONVENTIONS.md - Fail closed: script exits non-zero if 'go list' fails - Direct deps only: uses '-f' flag to exclude transitive deps - Added 'precommit' to .PHONY in Makefile - Removed unused ALLOWED_PATTERN variable - Added Scope column to distinguish test-only vs production deps - Clarified that transitive deps of approved packages are allowed - Added note that enforcement script parses the table	2026-05-10 13:53:55 -07:00
Rodin	4b96231b32	docs: strict dependency allowlist with CI enforcement PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 15s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 28s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m40s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m48s Details STRICT ALLOWLIST policy: Only packages explicitly listed in CONVENTIONS.md may be imported. No exceptions. ## Changes - Updates CONVENTIONS.md with strict allowlist language - Adds scripts/check-deps.sh to enforce the allowlist - Adds 'make check-deps' and 'make precommit' targets - CI will fail if any unapproved dependency is detected ## Approved packages - gopkg.in/yaml.v3 — YAML parsing - github.com/google/go-cmp — test comparisons ## Process for new dependencies 1. Open a PR that ONLY updates CONVENTIONS.md 2. Requires explicit approval from Aaron 3. After merge, a separate PR may use the package	2026-05-10 13:45:12 -07:00
rodin	230419f0e2	Merge pull request 'feat: native SAP AI Core support' (#54 ) from feat/aicore-provider-v2 into main CI / test (push) Successful in 14s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details feat: native SAP AI Core support (#54)	2026-05-10 20:03:32 +00:00
Rodin	7dab35de41	feat: native SAP AI Core support PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 14s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 35s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m30s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 2m0s Details Add native SAP AI Core provider that handles OAuth token management and deployment discovery automatically. This eliminates the need for the external LLM proxy when running in SAP environments. Changes: - Add AICoreClient with OAuth token caching and deployment URL discovery - Support both Anthropic and OpenAI models via AI Core deployments - Update CI to use native AI Core provider - Update action inputs to accept AI Core credentials - Update README with AI Core configuration examples Model names must match AI Core deployment names (e.g. anthropic--claude-4.6-sonnet, gpt-5).	2026-05-10 10:25:10 -07:00
aweiker	c41c9590b7	Merge pull request 'feat(persona): add role-based review personas' (#55 ) from issue-51 into main CI / test (push) Successful in 12s Details CI / review (/anthropic/v1, anthropic--claude-4.6-sonnet, sonnet, anthropic, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details Reviewed-on: #55 Reviewed-by: security-review-bot <10+security-review-bot@noreply.gitea.weiker.me> Reviewed-by: Aaron Weiker <aaron@weiker.org>	2026-05-10 17:16:10 +00:00
Rodin	4dd67742f9	fix: address review feedback on persona feature PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 15s Details CI / review (/anthropic/v1, anthropic--claude-4.6-sonnet, sonnet, anthropic, SONNET_REVIEW_TOKEN) (pull_request) Successful in 43s Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m28s Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m55s Details MAJOR fixes: - Remove external YAML dependency (github.com/goccy/go-yaml) Per project convention: Go standard library only, zero dependencies. Convert all persona files from YAML to JSON format. - Fix TestValidateWorkspacePath error expectation Go 1.21+ filepath.Join normalizes absolute paths differently. MINOR fixes: - Remove custom contains helper in persona_test.go (use strings.Contains) - Add Unicode-safe CapitalizeFirst function for header titles - ListBuiltinPersonas returns empty slice instead of nil on error - Fix test comment about filepath.Join behavior Documentation: - Update README to reflect JSON-only persona format - Update design doc with note about JSON decision - Fix action.yml description for persona-file input	2026-05-10 10:01:34 -07:00
Rodin	57e62a345f	feat(persona): add role-based review personas PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 9m31s Details CI / review (/anthropic/v1, anthropic--claude-4.6-sonnet, sonnet, anthropic, SONNET_REVIEW_TOKEN) (pull_request) Successful in 10m3s Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 11m30s Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 10m56s Details Add persona system for specialized review roles. Each persona defines: - A specific review focus (security, architecture, documentation) - Custom system prompt additions - Personality/tone adjustments Built-in personas: security, architect, docs Custom personas: load from JSON via persona-file flag Includes workspace validation to prevent path traversal attacks. Closes #51	2026-05-10 09:14:48 -07:00
Rodin	44d6fa9d57	ci: always run ready gate on synchronize CI / test (push) Successful in 13s Details CI / review (/anthropic/v1, anthropic--claude-4.6-sonnet, sonnet, anthropic, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details Remove conditional - just always try to clear the labels. The curl commands handle missing labels gracefully with \|\| true.	2026-05-10 08:47:36 -07:00
Rodin	4ea41e164e	ci: add ready label to PR ready gate CI / test (push) Successful in 14s Details CI / review (/anthropic/v1, anthropic--claude-4.6-sonnet, sonnet, anthropic, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details Also clear the ready label (ID 38) on push, matching gargoyle behavior.	2026-05-10 08:44:24 -07:00
aweiker	0e3c85f05c	Merge pull request 'ci: add PR ready gate to clear self-reviewed label on push' (#56 ) from ci/pr-ready-gate into main CI / test (push) Successful in 15s Details CI / review (/anthropic/v1, anthropic--claude-4.6-sonnet, sonnet, anthropic, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details Reviewed-on: #56 Reviewed-by: security-review-bot <10+security-review-bot@noreply.gitea.weiker.me> Reviewed-by: Aaron Weiker <aaron@weiker.org>	2026-05-10 15:41:37 +00:00
Rodin	b24c4dcc86	ci: add PR ready gate to clear self-reviewed label on push CI / test (pull_request) Successful in 14s Details CI / review (/anthropic/v1, anthropic--claude-4.6-sonnet, sonnet, anthropic, SONNET_REVIEW_TOKEN) (pull_request) Successful in 26s Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m10s Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m5s Details When a PR is pushed after being marked self-reviewed, the label is now stale and should be removed. This matches the gargoyle CI behavior. On synchronize: - Remove self-reviewed label if present - Reassign PR back to the author	2026-05-10 08:39:19 -07:00
aweiker	4bb3a2f960	Merge pull request 'fix: skip posting review when HEAD moves during evaluation' (#53 ) from fix/stale-commit-check into main CI / test (push) Successful in 15s Details CI / review (/anthropic/v1, anthropic--claude-4.6-sonnet, sonnet, anthropic, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details Reviewed-on: #53 Reviewed-by: Aaron Weiker <aaron@weiker.org> Reviewed-by: security-review-bot <10+security-review-bot@noreply.gitea.weiker.me>	2026-05-10 15:26:11 +00:00
Rodin	ced1fa7ffd	ci: fix model names to match SAP AI Core deployments CI / test (pull_request) Successful in 14s Details CI / review (/anthropic/v1, anthropic--claude-4.6-sonnet, sonnet, anthropic, SONNET_REVIEW_TOKEN) (pull_request) Successful in 26s Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 35s Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 50s Details - Restore sonnet reviewer with correct model name (anthropic--claude-4.6-sonnet) - Remove gpt-4.1, gpt-4.1-mini, gpt-5-mini (not deployed on SAP AI Core) - Keep gpt-5 and security reviewers The previous model names (claude-sonnet-4-6, etc.) were incorrect — SAP AI Core uses 'anthropic--claude-4.6-sonnet' format.	2026-05-10 08:23:10 -07:00
Rodin	6b615c77d5	ci: remove unavailable models from review matrix CI / test (pull_request) Successful in 15s Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 38s Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 49s Details Models claude-sonnet-4-6, gpt-4.1, gpt-4.1-mini, and gpt-5-mini are not deployed on the LLM proxy, causing 502 errors. Keep only gpt-5 which is the only available model.	2026-05-10 03:15:04 -07:00
Rodin	b43b86a4a5	fix: skip posting review when HEAD moves during evaluation CI / test (pull_request) Successful in 13s Details CI / review (/anthropic/v1, claude-sonnet-4-6, sonnet, anthropic, SONNET_REVIEW_TOKEN) (pull_request) Failing after 13s Details CI / review (/openai/v1, gpt-4.1, gpt41, openai, GPT_REVIEW_TOKEN) (pull_request) Failing after 13s Details CI / review (/openai/v1, gpt-4.1-mini, gpt41-mini, openai, GPT_REVIEW_TOKEN) (pull_request) Failing after 13s Details CI / review (/openai/v1, gpt-5-mini, gpt5-mini, openai, GPT_REVIEW_TOKEN) (pull_request) Failing after 13s Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 53s Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m3s Details When a new push arrives while review-bot is processing, the review would be posted against a stale commit. This causes noise in the PR timeline with findings that reference code that no longer exists. Before posting, re-fetch PR metadata and compare HEAD SHA with the commit we evaluated against. If they differ, log a warning and exit successfully — a new workflow run should already be processing the new HEAD. Fixes #52	2026-05-09 23:18:13 -07:00
aweiker	2089ca0f2d	Merge pull request 'fix: retry on transient LLM response body truncation' (#48 ) from fix/response-body-truncation into main CI / test (push) Successful in 12s Details CI / review (/anthropic/v1, claude-sonnet-4-6, sonnet, anthropic, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-4.1, gpt41, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-4.1-mini, gpt41-mini, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5-mini, gpt5-mini, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details Reviewed-on: #48 Reviewed-by: Aaron Weiker <aaron@weiker.org>	2026-05-08 02:32:37 +00:00
claw	db479d0ff4	fix: retry on transient LLM response body truncation CI / test (pull_request) Successful in 15s Details CI / review (/openai/v1, gpt-4.1, gpt41, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 25s Details CI / review (/openai/v1, gpt-4.1-mini, gpt41-mini, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 29s Details CI / review (/anthropic/v1, claude-sonnet-4-6, sonnet, anthropic, SONNET_REVIEW_TOKEN) (pull_request) Successful in 49s Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 50s Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m15s Details CI / review (/openai/v1, gpt-5-mini, gpt5-mini, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 52s Details Addresses intermittent 'unexpected end of JSON input' failures where the LLM response body is truncated in transit between the proxy and client. Root cause: network-level truncation where io.ReadAll returns partial data (observed in 3/50 CI runs through HAI proxy). The response body reading was already using io.ReadAll correctly, but transient network issues between the proxy and client can still cause partial reads. Changes: - Add Content-Length validation in doRequest: detect when fewer bytes arrive than the server declared, triggering a retry - Add retry logic in Complete: retries once on retryable errors (body read failures, content-length mismatches) with a 500ms backoff - Add parse-level retry in main: if ParseResponse fails, re-requests from the LLM once before giving up (defensive, since retries always succeed per issue evidence) - Improve ParseResponse error diagnostics: log raw vs cleaned lengths and a preview of the cleaned content to aid future debugging Does NOT retry on API errors (4xx/5xx) or structural issues — only transient body read problems. Closes #47	2026-05-07 00:44:32 -07:00
rodin	cabbb5a55a	fix: repair unescaped quotes in LLM JSON responses (#45 ) CI / test (push) Successful in 14s Details CI / review (/anthropic/v1, claude-sonnet-4-6, sonnet, anthropic, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-4.1, gpt41, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-4.1-mini, gpt41-mini, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5-mini, gpt5-mini, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details Release / release (push) Successful in 34s Details fix: repair unescaped quotes in LLM JSON responses Add repairJSON fallback that handles unescaped quotes in LLM string values using first-valid-candidate heuristic with structural lookahead. Reviewed-by: sonnet-review-bot Reviewed-by: gpt-review-bot Reviewed-by: security-review-bot v0.3.2	2026-05-05 12:40:39 +00:00
rodin	55cf3fd4b9	Merge pull request 'ci: fix reviewer models — sonnet uses Anthropic, gpt uses GPT-5' (#44 ) from fix/sonnet-reviewer into main CI / test (push) Successful in 13s Details CI / review (/anthropic/v1, claude-sonnet-4-6, sonnet, anthropic, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-4.1, gpt41, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-4.1-mini, gpt41-mini, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details CI / review (/openai/v1, gpt-5-mini, gpt5-mini, openai, GPT_REVIEW_TOKEN) (push) Has been skipped Details ci: fix reviewer models — sonnet uses Anthropic, gpt uses GPT-5	2026-05-05 04:20:54 +00:00
Rodin	f48288bf2e	fix: address review feedback — tokens, secrets, no hardcoded IPs CI / test (pull_request) Successful in 14s Details CI / review (/anthropic/v1, claude-sonnet-4-6, sonnet, anthropic, SONNET_REVIEW_TOKEN) (pull_request) Successful in 22s Details CI / review (/openai/v1, gpt-4.1-mini, gpt41-mini, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 21s Details CI / review (/openai/v1, gpt-4.1, gpt41, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 22s Details CI / review (/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 45s Details CI / review (/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 52s Details CI / review (/openai/v1, gpt-5-mini, gpt5-mini, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 48s Details - Fix token_secret for gpt41/gpt5-mini/gpt41-mini: use GPT_REVIEW_TOKEN instead of SONNET_REVIEW_TOKEN (wrong reviewer identity) - Move LLM base URL back to secrets.LLM_BASE_URL (prevents exfiltration via PR-controlled matrix values) - Remove hardcoded internal IP from workflow file; only provider path suffix (/anthropic/v1, /openai/v1) remains in matrix Addresses: security-review-bot REQUEST_CHANGES (major: exfiltration risk, minor: HTTP/hardcoded IP) and sonnet-review-bot REQUEST_CHANGES (major: wrong token_secret on gpt entries).	2026-05-03 08:42:08 -07:00
Rodin	b4c994d0fa	ci: fix reviewer models — sonnet uses Anthropic, gpt uses GPT-5 CI / test (pull_request) Successful in 14s Details CI / review (http://100.86.77.84:6655/openai/v1, gpt-4.1-mini, gpt41-mini, openai, SONNET_REVIEW_TOKEN) (pull_request) Successful in 19s Details CI / review (http://100.86.77.84:6655/openai/v1, gpt-4.1, gpt41, openai, SONNET_REVIEW_TOKEN) (pull_request) Successful in 22s Details CI / review (http://100.86.77.84:6655/anthropic/v1, claude-sonnet-4-6, sonnet, anthropic, SONNET_REVIEW_TOKEN) (pull_request) Successful in 24s Details CI / review (http://100.86.77.84:6655/openai/v1, gpt-5, gpt, openai, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m14s Details CI / review (http://100.86.77.84:6655/openai/v1, gpt-5, security, openai, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 54s Details CI / review (http://100.86.77.84:6655/openai/v1, gpt-5-mini, gpt5-mini, openai, SONNET_REVIEW_TOKEN) (pull_request) Successful in 55s Details The matrix was wrong: "sonnet" was running GPT-5 and "gpt" was running GPT-4.1. Now: - sonnet → Claude Sonnet 4.6 via HAI Anthropic endpoint - gpt → GPT-5 via HAI OpenAI endpoint - security → GPT-5 via HAI OpenAI endpoint Each matrix entry specifies its own provider and base_url.	2026-05-02 21:06:11 -07:00
rodin	8d8a249481	Merge pull request 'fix: supersede ALL old reviews, not just the most recent' (#43 ) from fix/supersede-all-old-reviews into main CI / test (push) Successful in 13s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (push) Has been skipped Details Release / release (push) Successful in 31s Details v0.3.1	2026-05-02 20:35:23 +00:00
Rodin	a0fd882b0d	fix: address review findings CI / test (pull_request) Successful in 14s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 24s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 37s Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 1m4s Details - Tighten timeline matching: also check ev.User.Login matches the review author (prevents collision on identical body prefix) - Remove unused sharedTokenMode variable (inline condition) - Aggregate resolution failures with warn-level summary	2026-05-02 13:31:59 -07:00
Rodin	d4bf13eeab	fix: supersede ALL old reviews, not just the most recent CI / test (pull_request) Successful in 14s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 22s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 46s Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 1m7s Details Previously findOwnReview returned only the single most-recent matching review, so on PRs with multiple force-pushes only the latest old review got superseded. The rest accumulated as unsuperseded stale reviews. Changes: - Add findAllOwnReviews() to collect all non-superseded matching reviews - Loop over all old reviews in the supersede phase - Add GetTimelineReviewCommentIDForReview() to find comment IDs by review ID (fetches review body, matches in timeline by prefix) - Each old review gets independently superseded and its inline comments resolved The old findOwnReview is kept for backward compat (tested, may be useful as a utility).	2026-05-02 13:28:03 -07:00
rodin	23443ef378	Merge pull request 'feat: resolve old inline comments when superseding review' (#42 ) from feat/27-resolve-inline-comments into main CI / test (push) Successful in 14s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details Release / release (push) Successful in 32s Details v0.3.0	2026-05-02 19:18:41 +00:00
Rodin	bc5a4a1dcd	feat: resolve old inline comments when superseding review CI / test (pull_request) Successful in 14s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 22s Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 44s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 46s Details Closes #27 After superseding an old review, resolves all its inline comments via POST /pulls/comments/{id}/resolve. This clears unresolved conversation markers from the PR timeline and diff view. New API methods: - ListReviewComments: paginated GET /repos/.../pulls/{n}/reviews/{id}/comments - ResolveComment: POST /repos/.../pulls/comments/{id}/resolve Behavior: - Only resolves after successful supersede (gated on supersedeOK) - Aggregates failures and logs at warn level - Truncates error bodies to 256 bytes (security) - Non-fatal: review still posts even if resolution fails	2026-05-02 12:15:52 -07:00
rodin	d30f3d4278	Merge pull request 'feat: self-request as reviewer before posting' (#41 ) from feat/35-self-request-reviewer into main CI / test (push) Successful in 14s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details	2026-05-02 19:11:15 +00:00
Rodin	2507ee22e7	fix: address review findings on RequestReviewer CI / test (pull_request) Successful in 13s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 21s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 35s Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 1m3s Details - Accept 204 No Content as success (idempotent operations) - Truncate error response body to 256 bytes (prevent log leakage) - Add unit tests for GetAuthenticatedUser and RequestReviewer	2026-05-02 12:09:25 -07:00
Rodin	c39845ca03	feat: self-request as reviewer before posting CI / test (pull_request) Successful in 13s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 21s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 48s Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 58s Details Closes #35 Before posting a review, the bot: 1. Discovers its own Gitea login via GET /user 2. Calls POST /requested_reviewers to add itself This ensures the bot appears in the required-reviewers list without manual configuration on the repo. The call is idempotent (no-op if already requested). Both failures are non-fatal (warn + continue) — the review still posts even if the self-request fails.	2026-05-02 12:04:55 -07:00
rodin	cd601bdcf4	Merge pull request 'fix: trim trailing slash from giteaURL when building review link' (#40 ) from fix/url-normalization into main CI / test (push) Successful in 14s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (push) Has been skipped Details	2026-05-02 18:52:13 +00:00
Rodin	50091941e1	fix: trim trailing slash from giteaURL when building review link CI / test (pull_request) Successful in 14s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 20s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 28s Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 41s Details Prevents double-slash in supersede URL if GITEA_URL ends with '/'. Aligns with how gitea.NewClient already normalizes the base URL.	2026-05-02 11:49:24 -07:00
rodin	ed06cdd942	Merge pull request 'fix: post new review first, then supersede old with link' (#39 ) from fix/34-supersede-order into main CI / test (push) Successful in 13s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (push) Has been skipped Details	2026-05-02 18:46:50 +00:00
Rodin	ed69d26e87	fix: post new review first, then supersede old with link CI / test (pull_request) Successful in 14s Details CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 22s Details CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 44s Details CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 1m8s Details Changes the order of operations: 1. POST new review (gets non-stale badge immediately) 2. PATCH old review with superseded message linking to the new one This gives the superseded comment a clickable link to the current review, making navigation between review iterations easy. buildSupersededBody now accepts a newReviewURL parameter.	2026-05-02 11:43:53 -07:00

1 2 3 4

182 Commits