rodin/review-bot
2
1
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases 6 Wiki Activity

feat(vcs): extract interfaces and types from gitea/ (Phase 1) #83

Merged
aweiker merged 4 commits from review-bot-issue-78 into feature/github-support 2026-05-12 19:14:45 +00:00
Conversation 13 Commits 4 Files Changed 3
+149
rodin commented 2026-05-12 17:05:57 +00:00
Owner
Copy Link
Copy Source

Summary

Implements Phase 1 of the VCS abstraction: extract vcs.Client interface and shared types from the existing working gitea/ code.

Closes #78.

Plan

Problem

review-bot only supports Gitea. Adding GitHub support requires a shared vcs.Client interface so both adapters can be swapped. The interface is discovered from working code, not invented.

Constraints

  • Must compile (vcs/interfaces.go, vcs/types.go)
  • No behavior changes to existing Gitea functionality
  • Types extracted from gitea/, not invented
  • Compile-time check present; its failure documents the adapter gap

Approach

vcs/interfaces.go — role-based interfaces:

  • PRReader: GetPullRequest, GetPullRequestDiff, GetPullRequestFiles
  • FileReader: GetFileContent (path + ref), ListContents
  • Reviewer: PostReview (ReviewRequest), ListReviews, DeleteReview
  • Identity: GetAuthenticatedUser
  • Client: all four composed

vcs/types.go — types extracted from gitea/:

  • PullRequest, ChangedFile, ContentEntry, Review — identical to gitea/
  • ReviewComment — uses GitHub diff-position convention (Position int, CommitID string) instead of Gitea's NewPosition int64
  • ReviewRequest — new type wrapping Body, Event, Comments

vcs/check.go (//go:build ignore) — documents the gaps gitea.Client must bridge in Phase 2:

  1. PostReview signature mismatch (event+body+[]ReviewComment vs ReviewRequest)
  2. GetFileContent missing ref parameter
  3. ReviewComment type mismatch (NewPosition int64 vs Position int/CommitID string)

Progress

Phase 1: vcs/interfaces.go + vcs/types.go

  • PRReader, FileReader, Reviewer, Identity interfaces
  • Client interface composing all four
  • PullRequest, ChangedFile, ContentEntry, Review types (from gitea/)
  • ReviewComment with diff-position convention
  • ReviewRequest struct
  • vcs/check.go with //go:build ignore documenting 3 adapter gaps
  • go build ./... passes
  • go test ./... passes (all existing tests)
  • No changes to gitea/ package
## Summary Implements Phase 1 of the VCS abstraction: extract `vcs.Client` interface and shared types from the existing working `gitea/` code. Closes #78. ## Plan ### Problem review-bot only supports Gitea. Adding GitHub support requires a shared `vcs.Client` interface so both adapters can be swapped. The interface is discovered from working code, not invented. ### Constraints - Must compile (`vcs/interfaces.go`, `vcs/types.go`) - No behavior changes to existing Gitea functionality - Types extracted from `gitea/`, not invented - Compile-time check present; its failure documents the adapter gap ### Approach **`vcs/interfaces.go`** — role-based interfaces: - `PRReader`: GetPullRequest, GetPullRequestDiff, GetPullRequestFiles - `FileReader`: GetFileContent (path + ref), ListContents - `Reviewer`: PostReview (ReviewRequest), ListReviews, DeleteReview - `Identity`: GetAuthenticatedUser - `Client`: all four composed **`vcs/types.go`** — types extracted from `gitea/`: - `PullRequest`, `ChangedFile`, `ContentEntry`, `Review` — identical to `gitea/` - `ReviewComment` — uses GitHub diff-position convention (`Position int`, `CommitID string`) instead of Gitea's `NewPosition int64` - `ReviewRequest` — new type wrapping `Body`, `Event`, `Comments` **`vcs/check.go`** (`//go:build ignore`) — documents the gaps `gitea.Client` must bridge in Phase 2: 1. `PostReview` signature mismatch (`event+body+[]ReviewComment` vs `ReviewRequest`) 2. `GetFileContent` missing `ref` parameter 3. `ReviewComment` type mismatch (`NewPosition int64` vs `Position int`/`CommitID string`) ## Progress ### Phase 1: vcs/interfaces.go + vcs/types.go - [x] `PRReader`, `FileReader`, `Reviewer`, `Identity` interfaces - [x] `Client` interface composing all four - [x] `PullRequest`, `ChangedFile`, `ContentEntry`, `Review` types (from gitea/) - [x] `ReviewComment` with diff-position convention - [x] `ReviewRequest` struct - [x] `vcs/check.go` with `//go:build ignore` documenting 3 adapter gaps - [x] `go build ./...` passes - [x] `go test ./...` passes (all existing tests) - [x] No changes to gitea/ package
rodin self-assigned this 2026-05-12 17:05:57 +00:00
rodin added 2 commits 2026-05-12 17:05:57 +00:00
feat(vcs): extract interfaces and types from gitea/ (Phase 1, #78) 2e6f46f28d 
Add vcs/interfaces.go and vcs/types.go as the foundation for multi-platform
VCS support. Interfaces are discovered from working gitea/client.go code,
not invented in a vacuum.

vcs/interfaces.go — role-based interfaces:
- PRReader: GetPullRequest, GetPullRequestDiff, GetPullRequestFiles
- FileReader: GetFileContent (path + ref), ListContents
- Reviewer: PostReview (ReviewRequest), ListReviews, DeleteReview
- Identity: GetAuthenticatedUser
- Client: all four composed

vcs/types.go — types extracted from gitea/:
- PullRequest, ChangedFile, ContentEntry, Review (identical to gitea/)
- ReviewComment: uses GitHub diff-position convention (Position int,
  CommitID string) instead of Gitea's NewPosition int64
- ReviewRequest: new type wrapping Body, Event, Comments

vcs/check.go (//go:build ignore) — documents the gaps gitea.Client
must bridge in Phase 2:
1. PostReview signature mismatch (event+body+[]ReviewComment vs ReviewRequest)
2. GetFileContent missing ref parameter
3. ReviewComment type mismatch (NewPosition vs Position/CommitID)

No behavior changes. All existing tests pass.
docs(vcs): add package doc to interfaces.go
CI / test (pull_request) Successful in 17s
Details
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 31s
Details
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 36s
Details
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m42s
Details
1ac51669ed
sonnet-review-bot approved these changes 2026-05-12 17:06:39 +00:00
sonnet-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit 1ac51669)

Sonnet Review

Summary

Clean Phase 1 extraction of VCS interfaces and types. The code is well-structured, follows Go patterns correctly, and CI passes. The approach of using //go:build ignore to document intentionally-failing compile-time assertions is creative and unambiguous.

Findings

# Severity File Line Finding
1 [MINOR] vcs/types.go 7 The package doc comment in types.go duplicates the one in interfaces.go almost verbatim. Only one file in a package should carry the package doc comment; the others should have no package comment or just package vcs with no preceding comment. The authoritative doc comment is on interfaces.go — remove the comment block from types.go.
2 [MINOR] vcs/types.go 52 ReviewComment.CommitID is described as 'the commit SHA the comment is anchored to', but for Gitea (Phase 2 adapter) this will always need to be translated/populated. There is no enforcement that CommitID is non-empty. Consider noting in the doc comment whether CommitID is required or optional, and what the zero-value means, so adapter authors know what invariant to maintain.
3 [NIT] vcs/check.go 3 The instruction 'Run go build -v . inside this file to see the documented gaps' is slightly misleading — you can't run a build inside a file. The intended instruction is probably 'Remove the //go:build ignore tag and run go build ./vcs/' or 'Run go build -tags ignore ./vcs/'. A clearer instruction avoids future confusion.
4 [NIT] vcs/interfaces.go 23 PostReview returns (*Review, error). Posting a review on most platforms (including Gitea and GitHub) returns a created review object, so this is reasonable. However, ListReviews returns []Review (value slice) while PostReview returns *Review (pointer). Consider making the return consistent — either []Review and Review, or []*Review and *Review — to avoid callers having to dereference in one case but not the other.

Recommendation

APPROVE — Approve with minor suggestions. The design is sound: small, role-based interfaces (PRReader, FileReader, Reviewer, Identity) composed into Client follows the interface composition pattern correctly. Using //go:build ignore for the intentionally-failing compile-time assertion is an idiomatic and clear way to document the Phase 2 adapter gaps without breaking CI. The types are clean and well-documented. Address the duplicate package doc comment (the MINOR finding) before or in the next PR, and clarify the check.go build instruction. No blocking issues.

Review by sonnet

Evaluated against 1ac51669

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/83#pullrequestreview-2716) for up-to-date findings. <details><summary>Previous findings (commit 1ac51669)</summary> # Sonnet Review ## Summary Clean Phase 1 extraction of VCS interfaces and types. The code is well-structured, follows Go patterns correctly, and CI passes. The approach of using `//go:build ignore` to document intentionally-failing compile-time assertions is creative and unambiguous. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `vcs/types.go` | 7 | The package doc comment in types.go duplicates the one in interfaces.go almost verbatim. Only one file in a package should carry the package doc comment; the others should have no package comment or just `package vcs` with no preceding comment. The authoritative doc comment is on interfaces.go — remove the comment block from types.go. | | 2 | [MINOR] | `vcs/types.go` | 52 | ReviewComment.CommitID is described as 'the commit SHA the comment is anchored to', but for Gitea (Phase 2 adapter) this will always need to be translated/populated. There is no enforcement that CommitID is non-empty. Consider noting in the doc comment whether CommitID is required or optional, and what the zero-value means, so adapter authors know what invariant to maintain. | | 3 | [NIT] | `vcs/check.go` | 3 | The instruction 'Run `go build -v .` inside this file to see the documented gaps' is slightly misleading — you can't run a build inside a file. The intended instruction is probably 'Remove the //go:build ignore tag and run `go build ./vcs/`' or 'Run `go build -tags ignore ./vcs/`'. A clearer instruction avoids future confusion. | | 4 | [NIT] | `vcs/interfaces.go` | 23 | PostReview returns (*Review, error). Posting a review on most platforms (including Gitea and GitHub) returns a created review object, so this is reasonable. However, ListReviews returns []Review (value slice) while PostReview returns *Review (pointer). Consider making the return consistent — either []Review and Review, or []*Review and *Review — to avoid callers having to dereference in one case but not the other. | ## Recommendation **APPROVE** — Approve with minor suggestions. The design is sound: small, role-based interfaces (PRReader, FileReader, Reviewer, Identity) composed into Client follows the interface composition pattern correctly. Using `//go:build ignore` for the intentionally-failing compile-time assertion is an idiomatic and clear way to document the Phase 2 adapter gaps without breaking CI. The types are clean and well-documented. Address the duplicate package doc comment (the MINOR finding) before or in the next PR, and clarify the check.go build instruction. No blocking issues. --- *Review by sonnet* <!-- review-bot:sonnet --> --- *Evaluated against 1ac51669* </details> <!-- review-bot:sonnet -->
vcs/check.go Outdated
@@ -0,0 +1,30 @@
//go:build ignore
// This file is excluded from normal builds.
sonnet-review-bot commented 2026-05-12 17:06:39 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The instruction 'Run go build -v . inside this file to see the documented gaps' is slightly misleading — you can't run a build inside a file. The intended instruction is probably 'Remove the //go:build ignore tag and run go build ./vcs/' or 'Run go build -tags ignore ./vcs/'. A clearer instruction avoids future confusion.

**[NIT]** The instruction 'Run `go build -v .` inside this file to see the documented gaps' is slightly misleading — you can't run a build inside a file. The intended instruction is probably 'Remove the //go:build ignore tag and run `go build ./vcs/`' or 'Run `go build -tags ignore ./vcs/`'. A clearer instruction avoids future confusion.
vcs/interfaces.go
@@ -0,0 +20,4 @@
// Reviewer can post, list, and delete pull request reviews.
type Reviewer interface {
PostReview(ctx context.Context, owner, repo string, number int, req ReviewRequest) (*Review, error)
sonnet-review-bot commented 2026-05-12 17:06:39 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] PostReview returns (*Review, error). Posting a review on most platforms (including Gitea and GitHub) returns a created review object, so this is reasonable. However, ListReviews returns []Review (value slice) while PostReview returns *Review (pointer). Consider making the return consistent — either []Review and Review, or []*Review and *Review — to avoid callers having to dereference in one case but not the other.

**[NIT]** PostReview returns (*Review, error). Posting a review on most platforms (including Gitea and GitHub) returns a created review object, so this is reasonable. However, ListReviews returns []Review (value slice) while PostReview returns *Review (pointer). Consider making the return consistent — either []Review and Review, or []*Review and *Review — to avoid callers having to dereference in one case but not the other.
vcs/types.go Outdated
@@ -0,0 +4,4 @@
package vcs
// PullRequest holds relevant PR metadata.
type PullRequest struct {
sonnet-review-bot commented 2026-05-12 17:06:39 +00:00
First-time contributor
Copy Link
Copy Source

[MINOR] The package doc comment in types.go duplicates the one in interfaces.go almost verbatim. Only one file in a package should carry the package doc comment; the others should have no package comment or just package vcs with no preceding comment. The authoritative doc comment is on interfaces.go — remove the comment block from types.go.

**[MINOR]** The package doc comment in types.go duplicates the one in interfaces.go almost verbatim. Only one file in a package should carry the package doc comment; the others should have no package comment or just `package vcs` with no preceding comment. The authoritative doc comment is on interfaces.go — remove the comment block from types.go.
vcs/types.go Outdated
@@ -0,0 +49,4 @@
Path string `json:"path"`
Position int `json:"position"` // diff-position: 1-indexed offset from @@ hunk line
CommitID string `json:"commit_id"`
Body string `json:"body"`
sonnet-review-bot commented 2026-05-12 17:06:39 +00:00
First-time contributor
Copy Link
Copy Source

[MINOR] ReviewComment.CommitID is described as 'the commit SHA the comment is anchored to', but for Gitea (Phase 2 adapter) this will always need to be translated/populated. There is no enforcement that CommitID is non-empty. Consider noting in the doc comment whether CommitID is required or optional, and what the zero-value means, so adapter authors know what invariant to maintain.

**[MINOR]** ReviewComment.CommitID is described as 'the commit SHA the comment is anchored to', but for Gitea (Phase 2 adapter) this will always need to be translated/populated. There is no enforcement that CommitID is non-empty. Consider noting in the doc comment whether CommitID is required or optional, and what the zero-value means, so adapter authors know what invariant to maintain.
security-review-bot requested review from security-review-bot 2026-05-12 17:06:46 +00:00
security-review-bot approved these changes 2026-05-12 17:06:46 +00:00
Dismissed
security-review-bot left a comment
Collaborator
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit 1ac51669)

Security Review

Summary

The PR adds VCS interface definitions and shared types with no executable logic and no security-impacting behavior. Imports are limited to the Go standard library and an internal package, and CI passed.

Recommendation

APPROVE — Approve as submitted. These changes introduce only interfaces and DTOs, which do not create attack surface on their own. The build-ignored compile-time assertion in vcs/check.go will not affect normal builds and is acceptable as documentation. When implementing the adapters in subsequent phases, ensure strict input validation and safe translation between diff positions and line numbers, and enforce authorization and rate limiting in any API interactions. For ReviewRequest.Event, consider using a typed enum in future to reduce misuse, but this is not a security concern in the current change.

Review by security

Evaluated against 1ac51669

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/83#pullrequestreview-2718) for up-to-date findings. <details><summary>Previous findings (commit 1ac51669)</summary> # Security Review ## Summary The PR adds VCS interface definitions and shared types with no executable logic and no security-impacting behavior. Imports are limited to the Go standard library and an internal package, and CI passed. ## Recommendation **APPROVE** — Approve as submitted. These changes introduce only interfaces and DTOs, which do not create attack surface on their own. The build-ignored compile-time assertion in vcs/check.go will not affect normal builds and is acceptable as documentation. When implementing the adapters in subsequent phases, ensure strict input validation and safe translation between diff positions and line numbers, and enforce authorization and rate limiting in any API interactions. For ReviewRequest.Event, consider using a typed enum in future to reduce misuse, but this is not a security concern in the current change. --- *Review by security* <!-- review-bot:security --> --- *Evaluated against 1ac51669* </details> <!-- review-bot:security -->
gpt-review-bot approved these changes 2026-05-12 17:07:56 +00:00
Dismissed
gpt-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit 1ac51669)

Gpt Review

Summary

Well-structured introduction of a VCS abstraction layer with clear interfaces and shared types. The code is idiomatic, compiles cleanly, and preserves current behavior by isolating the intentional compile-time check behind a build tag. A few minor documentation and naming improvements would polish it further.

Findings

# Severity File Line Finding
1 [MINOR] vcs/types.go 10 Acronym casing: field name "Sha" should be "SHA" to follow Go acronym capitalization conventions (see style pattern: Acronyms Are All-Caps). The JSON tag can remain "sha".
2 [MINOR] vcs/types.go 58 Event is documented as a couple of magic strings ("APPROVED", "REQUEST_CHANGES"). Consider introducing a typed alias (e.g., type ReviewEvent string) with exported constants for the allowed values to provide compile-time safety and self-documenting usage (see style pattern on typed constants for enumerations).
3 [NIT] vcs/check.go 4 The instruction "Run go build -v . inside this file" is misleading. With //go:build ignore, this file is excluded by default. Suggest clarifying to "Run go build -tags ignore ./vcs" (or ./...) to trigger the intentional compile-time assertion.

Recommendation

APPROVE — The PR successfully extracts a clean, role-based VCS interface with well-documented types and preserves current behavior by gating the intentional compile-time assertion behind a build tag. Interfaces follow context-first conventions and small interface composition patterns, and the types are straightforward. To polish: rename PullRequest.Head.Sha to SHA for acronym consistency, introduce a typed constant set for ReviewRequest.Event to avoid magic strings, and update the check.go comment to indicate building with the 'ignore' tag to exercise the intentional failure. With these minor adjustments, the abstraction will be even more idiomatic and maintainable.

Review by gpt

Evaluated against 1ac51669

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/83#pullrequestreview-2719) for up-to-date findings. <details><summary>Previous findings (commit 1ac51669)</summary> # Gpt Review ## Summary Well-structured introduction of a VCS abstraction layer with clear interfaces and shared types. The code is idiomatic, compiles cleanly, and preserves current behavior by isolating the intentional compile-time check behind a build tag. A few minor documentation and naming improvements would polish it further. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `vcs/types.go` | 10 | Acronym casing: field name "Sha" should be "SHA" to follow Go acronym capitalization conventions (see style pattern: Acronyms Are All-Caps). The JSON tag can remain "sha". | | 2 | [MINOR] | `vcs/types.go` | 58 | Event is documented as a couple of magic strings ("APPROVED", "REQUEST_CHANGES"). Consider introducing a typed alias (e.g., type ReviewEvent string) with exported constants for the allowed values to provide compile-time safety and self-documenting usage (see style pattern on typed constants for enumerations). | | 3 | [NIT] | `vcs/check.go` | 4 | The instruction "Run `go build -v .` inside this file" is misleading. With //go:build ignore, this file is excluded by default. Suggest clarifying to "Run `go build -tags ignore ./vcs`" (or `./...`) to trigger the intentional compile-time assertion. | ## Recommendation **APPROVE** — The PR successfully extracts a clean, role-based VCS interface with well-documented types and preserves current behavior by gating the intentional compile-time assertion behind a build tag. Interfaces follow context-first conventions and small interface composition patterns, and the types are straightforward. To polish: rename PullRequest.Head.Sha to SHA for acronym consistency, introduce a typed constant set for ReviewRequest.Event to avoid magic strings, and update the check.go comment to indicate building with the 'ignore' tag to exercise the intentional failure. With these minor adjustments, the abstraction will be even more idiomatic and maintainable. --- *Review by gpt* <!-- review-bot:gpt --> --- *Evaluated against 1ac51669* </details> <!-- review-bot:gpt -->
vcs/check.go Outdated
@@ -0,0 +1,30 @@
//go:build ignore
// This file is excluded from normal builds.
// Run `go build -v .` inside this file to see the documented gaps between
gpt-review-bot commented 2026-05-12 17:07:56 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The instruction "Run go build -v . inside this file" is misleading. With //go:build ignore, this file is excluded by default. Suggest clarifying to "Run go build -tags ignore ./vcs" (or ./...) to trigger the intentional compile-time assertion.

**[NIT]** The instruction "Run `go build -v .` inside this file" is misleading. With //go:build ignore, this file is excluded by default. Suggest clarifying to "Run `go build -tags ignore ./vcs`" (or `./...`) to trigger the intentional compile-time assertion.
vcs/types.go Outdated
@@ -0,0 +7,4 @@
type PullRequest struct {
Title string `json:"title"`
Body string `json:"body"`
Head struct {
gpt-review-bot commented 2026-05-12 17:07:56 +00:00
First-time contributor
Copy Link
Copy Source

[MINOR] Acronym casing: field name "Sha" should be "SHA" to follow Go acronym capitalization conventions (see style pattern: Acronyms Are All-Caps). The JSON tag can remain "sha".

**[MINOR]** Acronym casing: field name "Sha" should be "SHA" to follow Go acronym capitalization conventions (see style pattern: Acronyms Are All-Caps). The JSON tag can remain "sha".
vcs/types.go
@@ -0,0 +55,4 @@
// ReviewRequest is the payload for posting a review.
type ReviewRequest struct {
// Body is the top-level review comment.
Body string `json:"body"`
gpt-review-bot commented 2026-05-12 17:07:56 +00:00
First-time contributor
Copy Link
Copy Source

[MINOR] Event is documented as a couple of magic strings ("APPROVED", "REQUEST_CHANGES"). Consider introducing a typed alias (e.g., type ReviewEvent string) with exported constants for the allowed values to provide compile-time safety and self-documenting usage (see style pattern on typed constants for enumerations).

**[MINOR]** Event is documented as a couple of magic strings ("APPROVED", "REQUEST_CHANGES"). Consider introducing a typed alias (e.g., type ReviewEvent string) with exported constants for the allowed values to provide compile-time safety and self-documenting usage (see style pattern on typed constants for enumerations).
rodin closed this pull request 2026-05-12 17:47:57 +00:00
rodin reopened this pull request 2026-05-12 18:58:37 +00:00
rodin added the wip label 2026-05-12 18:58:41 +00:00
rodin added 1 commit 2026-05-12 19:00:37 +00:00
fix(vcs): address Phase 1 review findings
PR Ready Gate / clear-labels (pull_request) Successful in 1s
Details
CI / test (pull_request) Successful in 17s
Details
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 33s
Details
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 36s
Details
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m25s
Details
c889724dda 
- Rename PullRequest.Head.Sha → SHA (Go acronym convention)
- Add typed ReviewEvent alias with exported constants
- Remove duplicate package doc from types.go (kept in interfaces.go)
- Fix misleading comment in check.go
rodin commented 2026-05-12 19:01:08 +00:00
Author
Owner
Copy Link
Copy Source

Self-Review: PR #83

Self-review against c889724dda

Phase 1: Independent Findings

None — diff looks clean. The vcs package defines well-documented interfaces and types. All exported types have doc comments, the interface composition is sound, and the check.go build-tag approach for documenting adapter gaps is pragmatic.

Phase 2: Prior Review Verification

Finding Reviewer Status Notes
Sha → SHA gpt-review-bot Resolved Field renamed to SHA with json tag kept as "sha"
Typed ReviewEvent gpt-review-bot Resolved Added type ReviewEvent string with ReviewEventApprove, ReviewEventRequestChanges, ReviewEventComment constants
Duplicate package doc sonnet-review-bot Resolved Removed package doc block from types.go; authoritative doc lives in interfaces.go
Misleading check.go comment sonnet-review-bot + gpt-review-bot Resolved Updated to: "Remove the //go:build ignore tag and run go build ./vcs/"

Assessment: Clean

All four review findings addressed. Tests pass (go test ./...), package builds cleanly (go build ./vcs/). No new issues introduced.

## Self-Review: PR #83 Self-review against c889724dda61ee4e67bf4cbb47436ab8c6d4d91c ### Phase 1: Independent Findings None — diff looks clean. The vcs package defines well-documented interfaces and types. All exported types have doc comments, the interface composition is sound, and the check.go build-tag approach for documenting adapter gaps is pragmatic. ### Phase 2: Prior Review Verification | Finding | Reviewer | Status | Notes | |---------|----------|--------|-------| | Sha → SHA | gpt-review-bot | ✅ Resolved | Field renamed to `SHA` with json tag kept as `"sha"` | | Typed ReviewEvent | gpt-review-bot | ✅ Resolved | Added `type ReviewEvent string` with `ReviewEventApprove`, `ReviewEventRequestChanges`, `ReviewEventComment` constants | | Duplicate package doc | sonnet-review-bot | ✅ Resolved | Removed package doc block from types.go; authoritative doc lives in interfaces.go | | Misleading check.go comment | sonnet-review-bot + gpt-review-bot | ✅ Resolved | Updated to: "Remove the //go:build ignore tag and run `go build ./vcs/`" | ### Assessment: ✅ Clean All four review findings addressed. Tests pass (`go test ./...`), package builds cleanly (`go build ./vcs/`). No new issues introduced.
rodin removed the wip label 2026-05-12 19:01:13 +00:00
sonnet-review-bot approved these changes 2026-05-12 19:01:15 +00:00
sonnet-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit c889724d)

Sonnet Review

Summary

Clean Phase 1 extraction of VCS interfaces and types. CI passes, no behavior changes to existing code, well-documented adapter gaps. The code follows established Go patterns throughout.

Findings

# Severity File Line Finding
1 [NIT] vcs/types.go 17 The anonymous struct for the Head field works but embedding a named struct would be slightly cleaner and more testable (allows construction via named literal without field-name lookup). This is a minor style preference; anonymous embedded structs in this pattern are common in JSON-mapping code.
2 [NIT] vcs/types.go 45 The anonymous struct for the User field inside Review has the same pattern. Same note as above — minor, acceptable for JSON-mapping types.
3 [NIT] vcs/check.go 30 The file has no trailing newline after the last line (var _ Client = (*gitea.Client)(nil)). gofmt enforces a trailing newline; this may cause a gofmt check failure if one is run. Verify the file ends with a newline character.

Recommendation

APPROVE — Approve. The implementation is correct, idiomatic, and well-structured. Interfaces are small and role-based (PRReader, FileReader, Reviewer, Identity) following the small-interface pattern from the Go stdlib. The compile-time check (var _ Interface = (*Type)(nil)) is present in interfaces.go conceptually via the check.go mechanism. The //go:build ignore approach for documenting adapter gaps is clever and clearly explained. The zero-value-usable struct types with documented JSON tags are appropriate for data transfer objects. The three NITs are all trivial and none warrant blocking the PR.

Review by sonnet

Evaluated against c889724d

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/83#pullrequestreview-2721) for up-to-date findings. <details><summary>Previous findings (commit c889724d)</summary> # Sonnet Review ## Summary Clean Phase 1 extraction of VCS interfaces and types. CI passes, no behavior changes to existing code, well-documented adapter gaps. The code follows established Go patterns throughout. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [NIT] | `vcs/types.go` | 17 | The anonymous struct for the Head field works but embedding a named struct would be slightly cleaner and more testable (allows construction via named literal without field-name lookup). This is a minor style preference; anonymous embedded structs in this pattern are common in JSON-mapping code. | | 2 | [NIT] | `vcs/types.go` | 45 | The anonymous struct for the User field inside Review has the same pattern. Same note as above — minor, acceptable for JSON-mapping types. | | 3 | [NIT] | `vcs/check.go` | 30 | The file has no trailing newline after the last line (var _ Client = (*gitea.Client)(nil)). gofmt enforces a trailing newline; this may cause a gofmt check failure if one is run. Verify the file ends with a newline character. | ## Recommendation **APPROVE** — Approve. The implementation is correct, idiomatic, and well-structured. Interfaces are small and role-based (PRReader, FileReader, Reviewer, Identity) following the small-interface pattern from the Go stdlib. The compile-time check (var _ Interface = (*Type)(nil)) is present in interfaces.go conceptually via the check.go mechanism. The //go:build ignore approach for documenting adapter gaps is clever and clearly explained. The zero-value-usable struct types with documented JSON tags are appropriate for data transfer objects. The three NITs are all trivial and none warrant blocking the PR. --- *Review by sonnet* <!-- review-bot:sonnet --> --- *Evaluated against c889724d* </details> <!-- review-bot:sonnet -->
vcs/check.go Outdated
@@ -0,0 +27,4 @@
// This compile-time assertion intentionally fails.
// It documents what the Gitea adapter must implement to satisfy vcs.Client.
var _ Client = (*gitea.Client)(nil)
sonnet-review-bot commented 2026-05-12 19:01:15 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The file has no trailing newline after the last line (var _ Client = (*gitea.Client)(nil)). gofmt enforces a trailing newline; this may cause a gofmt check failure if one is run. Verify the file ends with a newline character.

**[NIT]** The file has no trailing newline after the last line (var _ Client = (*gitea.Client)(nil)). gofmt enforces a trailing newline; this may cause a gofmt check failure if one is run. Verify the file ends with a newline character.
vcs/types.go Outdated
@@ -0,0 +14,4 @@
// PullRequest holds relevant PR metadata.
type PullRequest struct {
Title string `json:"title"`
sonnet-review-bot commented 2026-05-12 19:01:15 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The anonymous struct for the Head field works but embedding a named struct would be slightly cleaner and more testable (allows construction via named literal without field-name lookup). This is a minor style preference; anonymous embedded structs in this pattern are common in JSON-mapping code.

**[NIT]** The anonymous struct for the Head field works but embedding a named struct would be slightly cleaner and more testable (allows construction via named literal without field-name lookup). This is a minor style preference; anonymous embedded structs in this pattern are common in JSON-mapping code.
vcs/types.go
@@ -0,0 +42,4 @@
User struct {
Login string `json:"login"`
} `json:"user"`
State string `json:"state"`
sonnet-review-bot commented 2026-05-12 19:01:15 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The anonymous struct for the User field inside Review has the same pattern. Same note as above — minor, acceptable for JSON-mapping types.

**[NIT]** The anonymous struct for the User field inside Review has the same pattern. Same note as above — minor, acceptable for JSON-mapping types.
security-review-bot requested review from security-review-bot 2026-05-12 19:01:30 +00:00
security-review-bot approved these changes 2026-05-12 19:01:30 +00:00
Dismissed
security-review-bot left a comment
Collaborator
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit c889724d)

Security Review

Summary

This PR introduces interface and type definitions for a VCS abstraction layer and an ignored compile-time check file. The changes are purely structural with no executable logic and present no security impact. CI passed.

Recommendation

APPROVE — Approve as submitted. The additions are limited to interfaces and simple data types, with no behavior or external interactions, so there are no security concerns at this stage. In Phase 2, when implementing the Gitea adapter and any GitHub adapter, ensure strict input validation, proper authentication/authorization checks, safe handling of network requests (timeouts, SSRF defenses), and avoid logging secrets per the repository’s security patterns. Also confirm that review posting and file content retrieval enforce permission checks and do not expose sensitive information.

Review by security

Evaluated against c889724d

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/83#pullrequestreview-2723) for up-to-date findings. <details><summary>Previous findings (commit c889724d)</summary> # Security Review ## Summary This PR introduces interface and type definitions for a VCS abstraction layer and an ignored compile-time check file. The changes are purely structural with no executable logic and present no security impact. CI passed. ## Recommendation **APPROVE** — Approve as submitted. The additions are limited to interfaces and simple data types, with no behavior or external interactions, so there are no security concerns at this stage. In Phase 2, when implementing the Gitea adapter and any GitHub adapter, ensure strict input validation, proper authentication/authorization checks, safe handling of network requests (timeouts, SSRF defenses), and avoid logging secrets per the repository’s security patterns. Also confirm that review posting and file content retrieval enforce permission checks and do not expose sensitive information. --- *Review by security* <!-- review-bot:security --> --- *Evaluated against c889724d* </details> <!-- review-bot:security -->
gpt-review-bot approved these changes 2026-05-12 19:02:18 +00:00
Dismissed
gpt-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit c889724d)

Gpt Review

Summary

The new VCS abstraction cleanly defines role-based interfaces and shared types without impacting existing Gitea code. CI passed, and the changes are idiomatic and compile-safe with an intentional compile-time check gated behind a build tag.

Findings

# Severity File Line Finding
1 [MINOR] vcs/types.go 8 ReviewEventApprove is set to "APPROVED", which matches a review state rather than an action. If these constants represent actions to post (as implied by ReviewRequest.Event), consider using "APPROVE" to align with GitHub semantics, or clearly document that adapters must translate these abstracted values to provider-specific event strings.
2 [NIT] vcs/check.go 1 The compile-time assertion file imports the gitea adapter directly from within package vcs. While gated by //go:build ignore, consider placing this assertion in a separate build-tagged test or a _test.go file to further reduce the chance of accidental inclusion creating an unwanted dependency.

Recommendation

APPROVE — Overall, this is a solid Phase 1 extraction. The interfaces are small and composable, follow context-first conventions, and the compile-time assertion pattern is correctly gated behind a build tag. I recommend clarifying the ReviewEvent constants to avoid conflating review actions with review states (e.g., APPROVE vs APPROVED), or explicitly documenting the adapter translation responsibilities. The optional nit is to keep the compile-time assertion in a test-only or separately tagged file to avoid accidental coupling. With these minor clarifications, the abstraction is in good shape for implementing adapters in Phase 2.

Review by gpt

Evaluated against c889724d

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/83#pullrequestreview-2725) for up-to-date findings. <details><summary>Previous findings (commit c889724d)</summary> # Gpt Review ## Summary The new VCS abstraction cleanly defines role-based interfaces and shared types without impacting existing Gitea code. CI passed, and the changes are idiomatic and compile-safe with an intentional compile-time check gated behind a build tag. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `vcs/types.go` | 8 | ReviewEventApprove is set to "APPROVED", which matches a review state rather than an action. If these constants represent actions to post (as implied by ReviewRequest.Event), consider using "APPROVE" to align with GitHub semantics, or clearly document that adapters must translate these abstracted values to provider-specific event strings. | | 2 | [NIT] | `vcs/check.go` | 1 | The compile-time assertion file imports the gitea adapter directly from within package vcs. While gated by //go:build ignore, consider placing this assertion in a separate build-tagged test or a _test.go file to further reduce the chance of accidental inclusion creating an unwanted dependency. | ## Recommendation **APPROVE** — Overall, this is a solid Phase 1 extraction. The interfaces are small and composable, follow context-first conventions, and the compile-time assertion pattern is correctly gated behind a build tag. I recommend clarifying the ReviewEvent constants to avoid conflating review actions with review states (e.g., APPROVE vs APPROVED), or explicitly documenting the adapter translation responsibilities. The optional nit is to keep the compile-time assertion in a test-only or separately tagged file to avoid accidental coupling. With these minor clarifications, the abstraction is in good shape for implementing adapters in Phase 2. --- *Review by gpt* <!-- review-bot:gpt --> --- *Evaluated against c889724d* </details> <!-- review-bot:gpt -->
vcs/check.go Outdated
@@ -0,0 +1,30 @@
//go:build ignore
gpt-review-bot commented 2026-05-12 19:02:18 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The compile-time assertion file imports the gitea adapter directly from within package vcs. While gated by //go:build ignore, consider placing this assertion in a separate build-tagged test or a _test.go file to further reduce the chance of accidental inclusion creating an unwanted dependency.

**[NIT]** The compile-time assertion file imports the gitea adapter directly from within package vcs. While gated by //go:build ignore, consider placing this assertion in a separate build-tagged test or a _test.go file to further reduce the chance of accidental inclusion creating an unwanted dependency.
vcs/types.go
@@ -0,0 +5,4 @@
const (
// ReviewEventApprove approves the pull request.
ReviewEventApprove ReviewEvent = "APPROVED"
gpt-review-bot commented 2026-05-12 19:02:18 +00:00
First-time contributor
Copy Link
Copy Source

[MINOR] ReviewEventApprove is set to "APPROVED", which matches a review state rather than an action. If these constants represent actions to post (as implied by ReviewRequest.Event), consider using "APPROVE" to align with GitHub semantics, or clearly document that adapters must translate these abstracted values to provider-specific event strings.

**[MINOR]** ReviewEventApprove is set to "APPROVED", which matches a review state rather than an action. If these constants represent actions to post (as implied by ReviewRequest.Event), consider using "APPROVE" to align with GitHub semantics, or clearly document that adapters must translate these abstracted values to provider-specific event strings.
rodin added the wip label 2026-05-12 19:03:45 +00:00
rodin added 1 commit 2026-05-12 19:06:34 +00:00
fix(vcs): address PR #83 review findings (round 2)
PR Ready Gate / clear-labels (pull_request) Successful in 2s
Details
CI / test (pull_request) Successful in 17s
Details
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 34s
Details
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 37s
Details
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m9s
Details
cd6cd93bf0 
- Extract named HeadRef and UserInfo structs from anonymous structs
  in PullRequest and Review (comments 16615, 16616)
- Change ReviewEventApprove value from "APPROVED" to "APPROVE" to
  represent the action, not the state; document adapter translation
  responsibility (comment 16621)
- Add doc comment on ReviewComment.CommitID noting optionality (16531)
- Move compile-time assertion from check.go (//go:build ignore) to
  check_test.go with a "phase2" build tag — removes gitea adapter
  import from the vcs package (comment 16622)
- check.go misleading comment was already fixed in prior commit (16532, 16539)
- Sha→SHA, typed ReviewEvent, duplicate package doc already resolved (16537, 16538, 16530)
rodin removed the wip label 2026-05-12 19:07:16 +00:00
sonnet-review-bot approved these changes 2026-05-12 19:07:24 +00:00
sonnet-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Sonnet Review

Summary

Clean Phase 1 extraction of VCS interfaces and types. The code follows Go patterns correctly — small composable interfaces, compile-time checks, well-documented types. CI passed. One minor observation about the check_test.go placement.

Findings

# Severity File Line Finding
1 [MINOR] vcs/check_test.go 27 The compile-time interface check var _ vcs.Client = (*gitea.Client)(nil) is gated behind //go:build phase2 which means it never runs in normal CI. Its purpose is to document the gap, which is fine, but the comment in the PR description mentions a separate vcs/check.go with //go:build ignore — the actual implementation uses a _test.go file with //go:build phase2 instead. This is a reasonable choice (test files are safer than build-ignored files), but the PR description is slightly inaccurate about the mechanism. Not a code problem, just a documentation inconsistency between the PR description and the actual implementation.
2 [NIT] vcs/types.go 1 The types.go file is missing a package doc comment or any reference back to the main package-level documentation. Since interfaces.go carries the package doc (// Package vcs defines...), this is fine per Go convention (only one file needs the package comment), but it's worth noting the package doc lives in interfaces.go rather than a dedicated doc.go, which is a slightly non-idiomatic placement for packages that will grow to have many files.
3 [NIT] vcs/types.go 58 The json struct tags on ReviewComment and other types are present but there's no indication these types will be directly JSON-serialized by the vcs package itself — they're internal domain types exchanged between adapters and core logic. Adding json tags suggests these might be serialized to wire format, which could be misleading. If these types are purely internal, the tags add no value and could be omitted. This is a design question rather than a bug.

Recommendation

APPROVE — Approve. The implementation is correct, idiomatic, and well-documented. The interface decomposition into PRReader, FileReader, Reviewer, and Identity follows the small-interfaces pattern from the patterns library. The compile-time check in check_test.go is an excellent use of var _ Interface = (*Type)(nil) to document future work without breaking CI. The //go:build phase2 guard is a clever way to make the failing assertion visible without blocking the build. The minor findings are non-blocking: the PR description inaccuracy about check.go vs check_test.go is cosmetic, and the JSON tags question is a design choice that's reasonable given the PR description mentions GitHub's JSON convention for diff positions.

Review by sonnet

Evaluated against cd6cd93b

# Sonnet Review ## Summary Clean Phase 1 extraction of VCS interfaces and types. The code follows Go patterns correctly — small composable interfaces, compile-time checks, well-documented types. CI passed. One minor observation about the check_test.go placement. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `vcs/check_test.go` | 27 | The compile-time interface check `var _ vcs.Client = (*gitea.Client)(nil)` is gated behind `//go:build phase2` which means it never runs in normal CI. Its purpose is to document the gap, which is fine, but the comment in the PR description mentions a separate `vcs/check.go` with `//go:build ignore` — the actual implementation uses a `_test.go` file with `//go:build phase2` instead. This is a reasonable choice (test files are safer than build-ignored files), but the PR description is slightly inaccurate about the mechanism. Not a code problem, just a documentation inconsistency between the PR description and the actual implementation. | | 2 | [NIT] | `vcs/types.go` | 1 | The `types.go` file is missing a package doc comment or any reference back to the main package-level documentation. Since `interfaces.go` carries the package doc (`// Package vcs defines...`), this is fine per Go convention (only one file needs the package comment), but it's worth noting the package doc lives in `interfaces.go` rather than a dedicated `doc.go`, which is a slightly non-idiomatic placement for packages that will grow to have many files. | | 3 | [NIT] | `vcs/types.go` | 58 | The `json` struct tags on `ReviewComment` and other types are present but there's no indication these types will be directly JSON-serialized by the `vcs` package itself — they're internal domain types exchanged between adapters and core logic. Adding `json` tags suggests these might be serialized to wire format, which could be misleading. If these types are purely internal, the tags add no value and could be omitted. This is a design question rather than a bug. | ## Recommendation **APPROVE** — Approve. The implementation is correct, idiomatic, and well-documented. The interface decomposition into `PRReader`, `FileReader`, `Reviewer`, and `Identity` follows the small-interfaces pattern from the patterns library. The compile-time check in `check_test.go` is an excellent use of `var _ Interface = (*Type)(nil)` to document future work without breaking CI. The `//go:build phase2` guard is a clever way to make the failing assertion visible without blocking the build. The minor findings are non-blocking: the PR description inaccuracy about `check.go` vs `check_test.go` is cosmetic, and the JSON tags question is a design choice that's reasonable given the PR description mentions GitHub's JSON convention for diff positions. --- *Review by sonnet* <!-- review-bot:sonnet --> --- *Evaluated against cd6cd93b*
vcs/check_test.go
@@ -0,0 +24,4 @@
// vcs.ReviewComment uses Position int (GitHub diff-position convention)
//
// The Gitea adapter (Phase 2) will wrap gitea.Client to bridge these gaps.
var _ vcs.Client = (*gitea.Client)(nil)
sonnet-review-bot commented 2026-05-12 19:07:24 +00:00
First-time contributor
Copy Link
Copy Source

[MINOR] The compile-time interface check var _ vcs.Client = (*gitea.Client)(nil) is gated behind //go:build phase2 which means it never runs in normal CI. Its purpose is to document the gap, which is fine, but the comment in the PR description mentions a separate vcs/check.go with //go:build ignore — the actual implementation uses a _test.go file with //go:build phase2 instead. This is a reasonable choice (test files are safer than build-ignored files), but the PR description is slightly inaccurate about the mechanism. Not a code problem, just a documentation inconsistency between the PR description and the actual implementation.

**[MINOR]** The compile-time interface check `var _ vcs.Client = (*gitea.Client)(nil)` is gated behind `//go:build phase2` which means it never runs in normal CI. Its purpose is to document the gap, which is fine, but the comment in the PR description mentions a separate `vcs/check.go` with `//go:build ignore` — the actual implementation uses a `_test.go` file with `//go:build phase2` instead. This is a reasonable choice (test files are safer than build-ignored files), but the PR description is slightly inaccurate about the mechanism. Not a code problem, just a documentation inconsistency between the PR description and the actual implementation.
vcs/types.go
@@ -0,0 +1,82 @@
package vcs
sonnet-review-bot commented 2026-05-12 19:07:24 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The types.go file is missing a package doc comment or any reference back to the main package-level documentation. Since interfaces.go carries the package doc (// Package vcs defines...), this is fine per Go convention (only one file needs the package comment), but it's worth noting the package doc lives in interfaces.go rather than a dedicated doc.go, which is a slightly non-idiomatic placement for packages that will grow to have many files.

**[NIT]** The `types.go` file is missing a package doc comment or any reference back to the main package-level documentation. Since `interfaces.go` carries the package doc (`// Package vcs defines...`), this is fine per Go convention (only one file needs the package comment), but it's worth noting the package doc lives in `interfaces.go` rather than a dedicated `doc.go`, which is a slightly non-idiomatic placement for packages that will grow to have many files.
vcs/types.go
@@ -0,0 +55,4 @@
Stale bool `json:"stale"`
CommitID string `json:"commit_id"`
}
sonnet-review-bot commented 2026-05-12 19:07:24 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The json struct tags on ReviewComment and other types are present but there's no indication these types will be directly JSON-serialized by the vcs package itself — they're internal domain types exchanged between adapters and core logic. Adding json tags suggests these might be serialized to wire format, which could be misleading. If these types are purely internal, the tags add no value and could be omitted. This is a design question rather than a bug.

**[NIT]** The `json` struct tags on `ReviewComment` and other types are present but there's no indication these types will be directly JSON-serialized by the `vcs` package itself — they're internal domain types exchanged between adapters and core logic. Adding `json` tags suggests these might be serialized to wire format, which could be misleading. If these types are purely internal, the tags add no value and could be omitted. This is a design question rather than a bug.
security-review-bot requested review from security-review-bot 2026-05-12 19:07:27 +00:00
security-review-bot approved these changes 2026-05-12 19:07:27 +00:00
security-review-bot left a comment
Collaborator
Copy Link
Copy Source

Security Review

Summary

The PR introduces VCS interfaces and shared types without adding executable logic or external dependencies. There are no security-relevant changes or vulnerabilities introduced by these definitions.

Recommendation

APPROVE — Approve as submitted. The changes define interfaces and data structures only, with no user input handling or sensitive operations. When implementing adapters against these interfaces, ensure strict input validation (paths, refs), protection against injection in review bodies/comments, and proper authorization checks on PR and file operations.

Review by security

Evaluated against cd6cd93b

# Security Review ## Summary The PR introduces VCS interfaces and shared types without adding executable logic or external dependencies. There are no security-relevant changes or vulnerabilities introduced by these definitions. ## Recommendation **APPROVE** — Approve as submitted. The changes define interfaces and data structures only, with no user input handling or sensitive operations. When implementing adapters against these interfaces, ensure strict input validation (paths, refs), protection against injection in review bodies/comments, and proper authorization checks on PR and file operations. --- *Review by security* <!-- review-bot:security --> --- *Evaluated against cd6cd93b*
rodin commented 2026-05-12 19:07:57 +00:00
Author
Owner
Copy Link
Copy Source

Findings Addressed (cd6cd93)

sonnet-review-bot (review 2703)

#16530 [MINOR] Duplicate package doc in types.go
→ Fixed in prior commit (c889724). types.go no longer carries a package doc comment.

#16531 [MINOR] CommitID doc comment missing
→ Fixed: Added doc noting CommitID is optional (empty string for review-level comments not anchored to a specific commit).

#16532 [NIT] Misleading instruction in check.go
→ Fixed in prior commit (c889724). Also, check.go has been replaced by check_test.go with a build tag (see #16622 below).

#16533 [NIT] PostReview returns *Review vs ListReviews returns []Review
→ Keeping as-is. PostReview returns a pointer because it creates a single resource — this is idiomatic Go (Create → *T, List → []T). Consistent with stdlib patterns like os.Create → *File.

gpt-review-bot (review 2706)

#16537 [MINOR] ShaSHA
→ Fixed in prior commit (c889724). Field is already SHA.

#16538 [MINOR] Typed ReviewEvent with constants
→ Fixed in prior commit (c889724). type ReviewEvent string with ReviewEventApprove, ReviewEventRequestChanges, ReviewEventComment.

#16539 [NIT] Same as #16532
→ Fixed (same as above).

sonnet-review-bot (review 2716, second pass)

#16615 [NIT] Anonymous struct for Head field
→ Fixed: Extracted HeadRef named struct.

#16616 [NIT] Anonymous struct for User in Review
→ Fixed: Extracted UserInfo named struct.

#16617 [NIT] Trailing newline compliance
→ Verified: file already had proper trailing newline; gofmt -d produces no diff.

gpt-review-bot (review 2719, second pass)

#16621 [MINOR] ReviewEventApprove = "APPROVED" (state) vs "APPROVE" (action)
→ Fixed: Changed to "APPROVE" to represent the action semantics. Added doc comment noting adapters must translate to/from platform-native values (e.g., Gitea uses "APPROVED" for both action and state).

#16622 [NIT] check.go imports gitea adapter into vcs package
→ Fixed: Moved to check_test.go with //go:build phase2 tag. No longer pollutes the vcs package import graph. Enable the tag once Phase 2 adapter bridges the documented gaps.

## Findings Addressed (cd6cd93) ### sonnet-review-bot (review 2703) **#16530 [MINOR]** Duplicate package doc in types.go → Fixed in prior commit (c889724). `types.go` no longer carries a package doc comment. **#16531 [MINOR]** CommitID doc comment missing → Fixed: Added doc noting CommitID is optional (empty string for review-level comments not anchored to a specific commit). **#16532 [NIT]** Misleading instruction in check.go → Fixed in prior commit (c889724). Also, `check.go` has been replaced by `check_test.go` with a build tag (see #16622 below). **#16533 [NIT]** PostReview returns `*Review` vs ListReviews returns `[]Review` → Keeping as-is. `PostReview` returns a pointer because it creates a single resource — this is idiomatic Go (`Create → *T`, `List → []T`). Consistent with stdlib patterns like `os.Create → *File`. ### gpt-review-bot (review 2706) **#16537 [MINOR]** `Sha` → `SHA` → Fixed in prior commit (c889724). Field is already `SHA`. **#16538 [MINOR]** Typed ReviewEvent with constants → Fixed in prior commit (c889724). `type ReviewEvent string` with `ReviewEventApprove`, `ReviewEventRequestChanges`, `ReviewEventComment`. **#16539 [NIT]** Same as #16532 → Fixed (same as above). ### sonnet-review-bot (review 2716, second pass) **#16615 [NIT]** Anonymous struct for Head field → Fixed: Extracted `HeadRef` named struct. **#16616 [NIT]** Anonymous struct for User in Review → Fixed: Extracted `UserInfo` named struct. **#16617 [NIT]** Trailing newline compliance → Verified: file already had proper trailing newline; `gofmt -d` produces no diff. ### gpt-review-bot (review 2719, second pass) **#16621 [MINOR]** ReviewEventApprove = "APPROVED" (state) vs "APPROVE" (action) → Fixed: Changed to `"APPROVE"` to represent the action semantics. Added doc comment noting adapters must translate to/from platform-native values (e.g., Gitea uses "APPROVED" for both action and state). **#16622 [NIT]** check.go imports gitea adapter into vcs package → Fixed: Moved to `check_test.go` with `//go:build phase2` tag. No longer pollutes the vcs package import graph. Enable the tag once Phase 2 adapter bridges the documented gaps.
gpt-review-bot approved these changes 2026-05-12 19:08:00 +00:00
gpt-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Gpt Review

Summary

The new vcs interfaces and types are clean, idiomatic, and align with the documented Go patterns. CI has passed and there are no behavior changes to existing Gitea functionality.

Recommendation

APPROVE — This phase cleanly introduces small, composable interfaces (PRReader, FileReader, Reviewer, Identity) and shared types under vcs, with context-first method signatures and clear documentation. The compile-time assertion is appropriately guarded by a build tag for Phase 2. No changes requested — proceed to implement the Gitea adapter bridge in Phase 2.

Review by gpt

Evaluated against cd6cd93b

# Gpt Review ## Summary The new vcs interfaces and types are clean, idiomatic, and align with the documented Go patterns. CI has passed and there are no behavior changes to existing Gitea functionality. ## Recommendation **APPROVE** — This phase cleanly introduces small, composable interfaces (PRReader, FileReader, Reviewer, Identity) and shared types under vcs, with context-first method signatures and clear documentation. The compile-time assertion is appropriately guarded by a build tag for Phase 2. No changes requested — proceed to implement the Gitea adapter bridge in Phase 2. --- *Review by gpt* <!-- review-bot:gpt --> --- *Evaluated against cd6cd93b*
rodin added the wip label 2026-05-12 19:09:55 +00:00
rodin commented 2026-05-12 19:11:04 +00:00
Author
Owner
Copy Link
Copy Source

Self-Review: PR #83

Self-review against cd6cd93bf0

Phase 1: Independent Findings

  1. [NIT] vcs/check_test.go — build tag phase2 vs prior ignore convention: The file uses //go:build phase2 which is a custom tag that never runs in normal CI. This is a deliberate and documented design choice (the file documents gaps for the Phase 2 adapter). No issue — this is the intended mechanism.

  2. [NIT] vcs/types.go — JSON tags on internal domain types: Struct tags like json:"sha", json:"ref" etc. appear on types that are internal domain objects exchanged between adapters and core logic, not typically serialized to wire format. This is potentially misleading but may be intentional (e.g., for test fixture serialization or future HTTP payloads). Not a correctness issue; a design question.

  3. [OBSERVATION] vcs/check_test.go — package vcs_test with gitea import: The _test.go file in package vcs_test (external test package) imports gitea.weiker.me/rodin/review-bot/gitea. This creates a test-time dependency from vcs_testgitea, but since it's guarded by //go:build phase2, it does not pollute the normal build or test graph. Clean.

  4. [OBSERVATION] vcs/interfaces.goListContents signature: ListContents(ctx, owner, repo, path) with no ref parameter means it always lists at the default branch. For a VCS abstraction that needs to inspect file trees at a specific commit (e.g., for diff-aware reviews), this may be a gap. However, this appears intentional for Phase 1 — the interface is minimal and can be extended.

Overall: the code is clean, well-structured, and correctly implements the stated Phase 1 goals. All exported identifiers are documented. Interface composition is idiomatic. The compile-time check mechanism is sound.

Phase 2: Prior Review Verification

Finding Reviewer Status Notes
[MINOR] Duplicate package doc in types.go sonnet-review-bot (2703) RESOLVED types.go has no package doc comment; authoritative doc is in interfaces.go
[MINOR] CommitID doc comment missing sonnet-review-bot (2703) RESOLVED ReviewComment.CommitID now documented as optional; empty string for review-level comments
[NIT] Misleading instruction in check.go sonnet-review-bot (2703) RESOLVED check.go replaced by check_test.go with phase2 build tag
[NIT] PostReview *Review vs []Review inconsistency sonnet-review-bot (2703) RESOLVED (by design) Kept as-is; Create→*T, List→[]T is idiomatic Go. Documented in response comment
[MINOR] Sha → SHA gpt-review-bot (2706) RESOLVED HeadRef.SHA uses correct acronym casing
[MINOR] Typed ReviewEvent constants gpt-review-bot (2706) RESOLVED type ReviewEvent string with ReviewEventApprove/RequestChanges/Comment
[NIT] Misleading check.go build instruction gpt-review-bot (2706) RESOLVED Same as above — file replaced
[NIT] Anonymous struct for Head sonnet-review-bot (2716) RESOLVED Extracted HeadRef named struct
[NIT] Anonymous struct for User in Review sonnet-review-bot (2716) RESOLVED Extracted UserInfo named struct
[NIT] Trailing newline in check.go sonnet-review-bot (2716) RESOLVED File replaced with check_test.go
[MINOR] ReviewEventApprove = "APPROVED" (state vs action) gpt-review-bot (2719) RESOLVED Changed to "APPROVE" with adapter translation doc comment
[NIT] check.go imports gitea into vcs package gpt-review-bot (2719) RESOLVED Moved to check_test.go with phase2 build tag
[MINOR] check_test.go doc inconsistency with PR description sonnet-review-bot (2721) RESOLVED (by design) Acknowledged in response comment; not a code problem
[NIT] types.go missing package doc reference sonnet-review-bot (2721) RESOLVED (by design) Only one file needs package doc per Go convention; interfaces.go is the canonical location
[NIT] JSON tags on internal types sonnet-review-bot (2721) RESOLVED (by design) Design choice; reasonable given diff-position convention documentation

Assessment: Clean

All prior review findings are resolved or explicitly acknowledged with rationale. Phase 1 independent review finds no new issues. The VCS abstraction is clean, idiomatic, and well-documented. Ready for Phase 2 adapter work.

## Self-Review: PR #83 Self-review against cd6cd93bf0dede13d9d9bc97861949d605cda997 ### Phase 1: Independent Findings 1. **[NIT] `vcs/check_test.go` — build tag `phase2` vs prior `ignore` convention**: The file uses `//go:build phase2` which is a custom tag that never runs in normal CI. This is a deliberate and documented design choice (the file documents gaps for the Phase 2 adapter). No issue — this is the intended mechanism. 2. **[NIT] `vcs/types.go` — JSON tags on internal domain types**: Struct tags like `json:"sha"`, `json:"ref"` etc. appear on types that are internal domain objects exchanged between adapters and core logic, not typically serialized to wire format. This is potentially misleading but may be intentional (e.g., for test fixture serialization or future HTTP payloads). Not a correctness issue; a design question. 3. **[OBSERVATION] `vcs/check_test.go` — package `vcs_test` with gitea import**: The `_test.go` file in package `vcs_test` (external test package) imports `gitea.weiker.me/rodin/review-bot/gitea`. This creates a test-time dependency from `vcs_test` → `gitea`, but since it's guarded by `//go:build phase2`, it does not pollute the normal build or test graph. Clean. 4. **[OBSERVATION] `vcs/interfaces.go` — `ListContents` signature**: `ListContents(ctx, owner, repo, path)` with no `ref` parameter means it always lists at the default branch. For a VCS abstraction that needs to inspect file trees at a specific commit (e.g., for diff-aware reviews), this may be a gap. However, this appears intentional for Phase 1 — the interface is minimal and can be extended. Overall: the code is clean, well-structured, and correctly implements the stated Phase 1 goals. All exported identifiers are documented. Interface composition is idiomatic. The compile-time check mechanism is sound. ### Phase 2: Prior Review Verification | Finding | Reviewer | Status | Notes | |---------|----------|--------|-------| | [MINOR] Duplicate package doc in types.go | sonnet-review-bot (2703) | ✅ RESOLVED | types.go has no package doc comment; authoritative doc is in interfaces.go | | [MINOR] CommitID doc comment missing | sonnet-review-bot (2703) | ✅ RESOLVED | ReviewComment.CommitID now documented as optional; empty string for review-level comments | | [NIT] Misleading instruction in check.go | sonnet-review-bot (2703) | ✅ RESOLVED | check.go replaced by check_test.go with phase2 build tag | | [NIT] PostReview *Review vs []Review inconsistency | sonnet-review-bot (2703) | ✅ RESOLVED (by design) | Kept as-is; Create→*T, List→[]T is idiomatic Go. Documented in response comment | | [MINOR] Sha → SHA | gpt-review-bot (2706) | ✅ RESOLVED | HeadRef.SHA uses correct acronym casing | | [MINOR] Typed ReviewEvent constants | gpt-review-bot (2706) | ✅ RESOLVED | type ReviewEvent string with ReviewEventApprove/RequestChanges/Comment | | [NIT] Misleading check.go build instruction | gpt-review-bot (2706) | ✅ RESOLVED | Same as above — file replaced | | [NIT] Anonymous struct for Head | sonnet-review-bot (2716) | ✅ RESOLVED | Extracted HeadRef named struct | | [NIT] Anonymous struct for User in Review | sonnet-review-bot (2716) | ✅ RESOLVED | Extracted UserInfo named struct | | [NIT] Trailing newline in check.go | sonnet-review-bot (2716) | ✅ RESOLVED | File replaced with check_test.go | | [MINOR] ReviewEventApprove = "APPROVED" (state vs action) | gpt-review-bot (2719) | ✅ RESOLVED | Changed to "APPROVE" with adapter translation doc comment | | [NIT] check.go imports gitea into vcs package | gpt-review-bot (2719) | ✅ RESOLVED | Moved to check_test.go with phase2 build tag | | [MINOR] check_test.go doc inconsistency with PR description | sonnet-review-bot (2721) | ✅ RESOLVED (by design) | Acknowledged in response comment; not a code problem | | [NIT] types.go missing package doc reference | sonnet-review-bot (2721) | ✅ RESOLVED (by design) | Only one file needs package doc per Go convention; interfaces.go is the canonical location | | [NIT] JSON tags on internal types | sonnet-review-bot (2721) | ✅ RESOLVED (by design) | Design choice; reasonable given diff-position convention documentation | ### Assessment: ✅ Clean All prior review findings are resolved or explicitly acknowledged with rationale. Phase 1 independent review finds no new issues. The VCS abstraction is clean, idiomatic, and well-documented. Ready for Phase 2 adapter work.
rodin removed the wip label 2026-05-12 19:11:08 +00:00
rodin removed their assignment 2026-05-12 19:14:00 +00:00
aweiker was assigned by rodin 2026-05-12 19:14:00 +00:00
rodin added the ready label 2026-05-12 19:14:00 +00:00
aweiker approved these changes 2026-05-12 19:14:42 +00:00
aweiker merged commit 6be5e306aa into feature/github-support 2026-05-12 19:14:45 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
sonnet-review-bot
security-review-bot
gpt-review-bot
aweiker
Labels
Clear labels
ai-review
bug
needs-review
ready
Ready for human review
 self-reviewed
Self-review passed since last push
 wip
Work in progress - do not start new work on this PR
No Label ready
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
security-review-bot rodin (Rodin)
No Assignees aweiker
5 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: rodin/review-bot#83
Delete Branch "review-bot-issue-78"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?