Commit Graph
139 Commits
Author SHA1 Message Date
Tam Nhu Tran 63a10e0e8d fix(ci): invoke semantic-release through bun x 2026-05-01 00:55:53 -04:00
Tam Nhu Tran 4458774d5c fix(ci): align stable release runner 2026-04-28 23:30:33 -04:00
Tam Nhu Tran 0381fa9b52 fix(ci): align release sync with protected dev checks 2026-04-28 23:14:25 -04:00
Kai (Tam Nhu) TranandGitHub 8d4a7761b1 fix(ci): guard generated dev release commits 2026-04-28 22:33:14 -04:00
Kai (Tam Nhu) TranandGitHub fea7f18687 fix(ci): keep dev release commits visible to PR checks 2026-04-28 22:18:45 -04:00
Tam Nhu Tran aa4a05e859 ci: preserve fast test budget summary on failure 2026-04-23 19:52:12 -04:00
Tam Nhu Tran 4c677507d0 ci: add fast test budget warning 2026-04-23 17:25:48 -04:00
Tam Nhu Tran b314cf353e fix(ci): keep release workflows on full test coverage 2026-04-22 15:12:07 -04:00
Tam Nhu Tran 051f78aee7 chore(ci): split dev quality checks from release automation 2026-04-22 15:05:44 -04:00
Tam Nhu Tran 08edf1eef4 fix(ci): isolate bun cache per job 2026-04-21 12:34:43 -04:00
Tam Nhu Tran 06fffd3025 fix(ci): use PAT token for dev release pushes
- align dev-release workflow with protected-branch bypass used by release.yml

- add a workflow regression test so checkout and release auth do not drift back to github.token
2026-04-20 14:56:25 -04:00
Tam Nhu Tran 1b3ca82a84 fix(ci): stop caching node_modules in GitHub Actions
- cache only Bun's package cache so CI stops restoring partial hard-linked node_modules trees

- bump the cache key to avoid reusing corrupt node_modules archives on self-hosted runners
2026-04-20 13:23:42 -04:00
Tam Nhu Tran 69da284104 test(proxy): gate proxy e2e coverage in checks 2026-04-20 12:44:53 -04:00
Wooseong Kim 02747edb72 fix(ci): validate cached ui dependencies 2026-04-20 14:15:00 +09:00
Tam Nhu Tran ad54e179b6 ci: add concurrency group and split build/test with artifact sharing
- Add concurrency group keyed on github.ref with cancel-in-progress to stop superseded runs on rapid pushes
- Split validate matrix into: validate (typecheck/lint/format), build, test
- Build uploads dist/ artifact; test downloads instead of rebuilding (removes inline build:all duplication)
- Net: faster feedback, less runner time, DRY build step
2026-04-19 15:40:21 -04:00
Tam Nhu Tran b014b5cb51 chore(ci): parallelize CI matrix + cache, tighten AI-facing quality gate
- ci.yml: 5-job matrix (typecheck/lint/format/build/test), fail-fast off,
  actions/cache on ~/.bun/install/cache + node_modules + ui/node_modules.
  Target wall time ~60-90s vs prior ~3-4min.
- .husky/pre-push: add bun run build:all to feature-branch fast gate so
  UI tsc -b errors are caught pre-push (~18s warm).
- CLAUDE.md (symlinked as AGENTS.md): fix validate drift (maintainability
  is NOT part of validate), add CI-First Protocol mandating gh pr checks
  --watch after every push, replace pre-commit checklist with two-tier
  model (iterative push vs pre-merge).

Branch protection on main/dev must be updated post-merge to require the
new matrix status checks instead of the single legacy "validate" check.
2026-04-19 14:47:18 -04:00
Tam Nhu Tran 4bd16b89ce fix(ci): restore PR-Agent reviewer bot identity 2026-04-14 17:22:50 -04:00
Tam Nhu Tran 9a91901a9b fix(ci): allow PR-Agent dispatch bot reruns 2026-04-14 14:19:28 -04:00
Tam Nhu Tran 0d2ce7d1b3 fix(ci): restore trusted PR review dispatch 2026-04-14 13:47:55 -04:00
Tam Nhu Tran d6ec5eeebd fix(ci): preserve AI review variable contract 2026-04-14 13:28:29 -04:00
Tam Nhu Tran e1271e2dbf fix(ci): restrict self-hosted PR-Agent comment triggers 2026-04-14 12:43:25 -04:00
Tam Nhu Tran 25216eaf33 feat(ci): migrate AI review to self-hosted PR-Agent 2026-04-14 12:39:52 -04:00
Tam Nhu Tran 026ff6cedd refactor(ci): make ai-review model/endpoint configurable via repository variables
- replace hardcoded GLM endpoint with vars.AI_REVIEW_BASE_URL
- replace hardcoded model with vars.AI_REVIEW_MODEL
- use secrets.AI_REVIEW_API_KEY for auth token
- add configuration reference in header comment
2026-04-13 11:27:15 -04:00
Tam Nhu Tran f954f0f8ab hotfix: update ai-review workflow model budget
- switch the reviewer workflow from glm-5-turbo to glm-5.1

- increase workflow timeout to 20 minutes and max turns to 45

- lock the workflow test to the full reviewer model configuration

Closes #922
2026-04-07 16:43:30 -04:00
Tam Nhu Tran 58a0fc43e6 hotfix(ci): restore default ai review output 2026-04-02 14:36:12 -04:00
Tam Nhu Tran 25dddf4707 hotfix(ci): compact ai review comments and switch to glm-5-turbo 2026-04-02 01:07:03 -04:00
Tam Nhu Tran f47e7ae5a7 hotfix(ci): clean up ai review reruns and logging 2026-04-02 00:31:51 -04:00
Tam Nhu Tran 5b9427f8a0 hotfix(ci): restore reliable structured ai review comments 2026-04-02 00:24:29 -04:00
Tam Nhu Tran 4e05488c19 hotfix(ci): keep ai review feedback fast and deterministic 2026-04-01 22:20:55 -04:00
Tam Nhu Tran 3935574494 fix(ci): degrade timed-out ai reviews gracefully 2026-04-01 20:38:14 -04:00
Tam Nhu Tran 44e2a49650 fix(ci): resolve self-hosted Claude path dynamically 2026-04-01 20:24:52 -04:00
Tam Nhu Tran 09276518a7 fix(ci): repair ai review fallback scope script 2026-04-01 20:18:28 -04:00
Tam Nhu Tran 0883b9a8fe fix(ci): use self-hosted Claude binary for ai review 2026-04-01 20:13:03 -04:00
Tam Nhu Tran 7396179c72 feat(ci): bound ai review runtime for large PRs
- add trusted scope generation for bounded ai-review runs
- restrict large PR reviews to a prepared read-only workspace
- render explicit mode, scope, and budget metadata in review comments

Closes #880
2026-04-01 19:54:11 -04:00
Tam Nhu Tran fa37f391c1 fix: harden ai review comment formatting 2026-03-30 16:08:21 -04:00
Tam Nhu Tran 4950be7fc0 fix(ci): harden ai review output
- replace raw assistant-text fallback with structured output normalization

- simplify the review prompt toward a tighter findings-only contract

- add tests for malformed output, safe fallback, and markdown escaping
2026-03-30 14:22:59 -04:00
Tam Nhu Tran bcbf8a236d fix(ai-review): increase max-turns to 40 and add hotfix commitlint type
- Bump --max-turns 30→40 for comprehensive single-reviewer prompt
- Add 'hotfix' to commitlint allowed types (already in .releaserc.cjs)
2026-03-29 13:01:55 -04:00
Tam Nhu Tran fb8b26c694 fix(ai-review): revert to single-job review with enhanced prompt
Multi-job parallel pipeline proved too fragile for CI:
- Agent tool unavailable in claude-code-action
- 6-job workflow: artifact passing failures, turn budget exhaustion
- GLM API errors cascade across jobs

Reverts to proven single-job architecture. Keeps enhanced prompt
combining security, quality, and CCS compliance scopes.
2026-03-29 13:00:09 -04:00
Tam Nhu Tran 106067fefb fix(ai-review): bump orchestrator max-turns 20→25 for large PR merges 2026-03-29 12:33:38 -04:00
Tam Nhu Tran 1c4fc96d33 fix(ai-review): increase turn budget and improve fallback extraction
- Increase per-reviewer max-turns 25→40 (security review hit limit on
  large PRs like codex runtime with ~5000 line diff)
- Increase orchestrator max-turns 15→20
- Improve fallback extraction: concatenate ALL assistant messages (not
  just last) when reviewer hits turn limit without writing output file
- Add descriptive prefix to fallback output explaining why extraction
  was needed (e.g., "hit turn limit", "no execution log")
- Ensures something meaningful is posted even when CI jobs fail
2026-03-29 12:21:28 -04:00
Tam Nhu Tran 97f07c2b12 refactor(ai-review): matrix strategy + orchestrator AI merge
- Replace 3 duplicate review jobs with 1 matrix job (-200 lines)
  Matrix entries: Security, Quality, CCS Compliance (run in parallel)
- Restore review-prompt.md as orchestrator merge prompt
  (dedup, severity rank, unified assessment, security+CCS tables)
- Aggregate job now runs claude-code-action with orchestrator prompt
  to produce polished unified review (not just stapled sections)
- Fallback to simple concat if orchestrator fails
- Dynamic prompt access via outputs[matrix.prompt_output] syntax
2026-03-28 21:02:57 -04:00
Tam Nhu Tran 8c371e73a3 feat(ai-review): workflow-level parallel review jobs
Replace single monolithic review job with 3 parallel GitHub Actions jobs
running simultaneously. Agent tool is unavailable in claude-code-action,
so parallelism is achieved at the workflow level instead.

Pipeline: prepare → load-prompts → 3 parallel reviews → aggregate

Jobs:
- prepare: resolve PR metadata and runner (unchanged)
- load-prompts: load focused prompts from base branch (security model)
- security-review: injection, auth, race conditions, supply chain
- quality-review: error handling, false assumptions, performance
- ccs-review: CCS-specific project compliance rules
- aggregate: merge 3 outputs into single PR comment

Each reviewer runs independently with 10min timeout, 25 max-turns.
Aggregate is pure bash (no API calls) — downloads artifacts, merges,
posts/updates single deduped comment.

Closes #843
2026-03-28 20:55:42 -04:00
Tam Nhu Tran d2510fc860 fix(ai-review): use printf for subagent prompt outputs, match existing pattern
Replace echo with printf '%s\n' for subagent prompt GITHUB_OUTPUT writes
to match the existing main prompt pattern (line 216). Prevents edge case
where echo misinterprets leading -n/-e as flags.
2026-03-28 20:24:46 -04:00
Tam Nhu Tran 53ad2836c4 refactor(ai-review): switch --allowedTools to --tools for actual restriction
--allowedTools is an approval list (skip permission prompts), redundant
with bypassPermissions. --tools is the actual availability whitelist.

Also simplified tool list: Bash sub-patterns (gh pr diff *, etc.) aren't
supported by --tools. The workflow token has contents:read only, so the
agent physically cannot push/delete/modify the repo even with full Bash.
2026-03-28 20:13:47 -04:00
Tam Nhu Tran 36e8cc47d9 fix(ai-review): address all review findings — restore allowedTools, add fallbacks
Fixes from ai-review bot feedback on PR #838:

- [HIGH] Restore --allowedTools with Agent added (was incorrectly removed,
  not redundant with bypassPermissions — it's a tool whitelist)
- [MED] Add inline fallback prompts when subagent files missing from base branch
- [MED] Add graceful degradation in orchestrator for Agent tool failures
  and empty subagent prompts
- [MED] Replace hardcoded PROMPT_EOF delimiters with random openssl-generated
  delimiters to prevent early heredoc termination
- [LOW] Add per-subagent turn budget guidance (8-10 turns each, 50 total)
- [LOW] Add "Do NOT fetch diff separately" instruction to all 4 subagent prompts
2026-03-28 19:59:35 -04:00
Tam Nhu Tran d67fa350b8 refactor(ai-review): remove redundant allowedTools, enforce subagent dispatch
- Remove --allowedTools from claude_args (redundant with bypassPermissions,
  was never actually restricting tools)
- Strengthen orchestrator prompt: MANDATORY/FORBIDDEN language for subagent
  dispatch, explicit "you MUST use Agent tool" enforcement
2026-03-28 19:50:13 -04:00
Tam Nhu Tran ce023aa8f4 feat(ai-review): parallel subagent review pipeline
Rewrite ai-review workflow to use parallel subagents for faster,
more thorough PR reviews. Splits monolithic single-agent review into
4-stage pipeline: triage → 3 parallel focused reviewers → adversarial
red-team → aggregated single comment.

Changes:
- Add Agent tool to allowedTools for subagent spawning
- Increase max-turns 30→50, timeout 15→18min for subagent overhead
- Rewrite review-prompt.md as orchestration prompt (198→93 lines)
- Create 4 focused subagent prompts in .github/review-prompts/:
  - security.md: injection, auth, race conditions, supply chain
  - quality.md: error handling, false assumptions, AI blind spots
  - ccs-compliance.md: all 12 CCS-specific project rules
  - adversarial.md: red-team gap hunter (runs after parallel phase)
- Load all subagent prompts from base branch (security model preserved)
- Scope-aware dispatch: trivial PRs skip subagents entirely

Target: reduce avg review time from ~7min to <5min.

Closes #837
2026-03-28 19:32:08 -04:00
Tam Nhu Tran cc55b9d794 Merge remote-tracking branch 'origin/dev' into kai/chore/ccs-backlog-project-automation-refresh 2026-03-28 10:17:56 -04:00
Tam Nhu Tran 3ebf17f170 fix(ci): require explicit /review command for AI review reruns 2026-03-28 10:10:31 -04:00
Tam Nhu Tran e6617726cb fix: harden CCS backlog sync pagination and recovery 2026-03-28 09:51:53 -04:00