- align dev-release workflow with protected-branch bypass used by release.yml
- add a workflow regression test so checkout and release auth do not drift back to github.token
- cache only Bun's package cache so CI stops restoring partial hard-linked node_modules trees
- bump the cache key to avoid reusing corrupt node_modules archives on self-hosted runners
- Add concurrency group keyed on github.ref with cancel-in-progress to stop superseded runs on rapid pushes
- Split validate matrix into: validate (typecheck/lint/format), build, test
- Build uploads dist/ artifact; test downloads instead of rebuilding (removes inline build:all duplication)
- Net: faster feedback, less runner time, DRY build step
- ci.yml: 5-job matrix (typecheck/lint/format/build/test), fail-fast off,
actions/cache on ~/.bun/install/cache + node_modules + ui/node_modules.
Target wall time ~60-90s vs prior ~3-4min.
- .husky/pre-push: add bun run build:all to feature-branch fast gate so
UI tsc -b errors are caught pre-push (~18s warm).
- CLAUDE.md (symlinked as AGENTS.md): fix validate drift (maintainability
is NOT part of validate), add CI-First Protocol mandating gh pr checks
--watch after every push, replace pre-commit checklist with two-tier
model (iterative push vs pre-merge).
Branch protection on main/dev must be updated post-merge to require the
new matrix status checks instead of the single legacy "validate" check.
- replace hardcoded GLM endpoint with vars.AI_REVIEW_BASE_URL
- replace hardcoded model with vars.AI_REVIEW_MODEL
- use secrets.AI_REVIEW_API_KEY for auth token
- add configuration reference in header comment
- switch the reviewer workflow from glm-5-turbo to glm-5.1
- increase workflow timeout to 20 minutes and max turns to 45
- lock the workflow test to the full reviewer model configuration
Closes#922
- replace raw assistant-text fallback with structured output normalization
- simplify the review prompt toward a tighter findings-only contract
- add tests for malformed output, safe fallback, and markdown escaping
- Increase per-reviewer max-turns 25→40 (security review hit limit on
large PRs like codex runtime with ~5000 line diff)
- Increase orchestrator max-turns 15→20
- Improve fallback extraction: concatenate ALL assistant messages (not
just last) when reviewer hits turn limit without writing output file
- Add descriptive prefix to fallback output explaining why extraction
was needed (e.g., "hit turn limit", "no execution log")
- Ensures something meaningful is posted even when CI jobs fail
Replace echo with printf '%s\n' for subagent prompt GITHUB_OUTPUT writes
to match the existing main prompt pattern (line 216). Prevents edge case
where echo misinterprets leading -n/-e as flags.
--allowedTools is an approval list (skip permission prompts), redundant
with bypassPermissions. --tools is the actual availability whitelist.
Also simplified tool list: Bash sub-patterns (gh pr diff *, etc.) aren't
supported by --tools. The workflow token has contents:read only, so the
agent physically cannot push/delete/modify the repo even with full Bash.
- Remove --allowedTools from claude_args (redundant with bypassPermissions,
was never actually restricting tools)
- Strengthen orchestrator prompt: MANDATORY/FORBIDDEN language for subagent
dispatch, explicit "you MUST use Agent tool" enforcement