feat(ci): close GT-146 — secure, provider-neutral, token-bounded agentic review#56
Merged
…view (GT-146) First increment toward GT-146. Add a pure, provider-neutral review-input module and wire it into the agentic CI review so the provider never sees raw secrets or an unbounded payload:
- review-input.mjs: redactSecrets (PEM/JWT/AWS/GCP/GitHub/Slack/Bearer + generic *_KEY=… assignments), selectRelevantFiles (drop lockfiles, vendored, generated, binary), estimateTokens, budgetAndChunk (byte/token cap with per-file truncation), prepareReviewInput pipeline + telemetry
- 13-agentic-code-review.mjs: sanitize/scope/budget the diff before submission, fail closed above the token ceiling, skip when no policy-relevant files changed, report aggregate non-sensitive telemetry
- review-input.test.mjs: 9 node:test cases (redaction, selection, budget, chunking, end-to-end)
Addresses done-when criterion 2 (redaction + relevant files + bounded/chunked). Remaining: provider port, versioned response schema/validation.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
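The scope-redact-budget pipeline that commit describes, written out as an added example (this is not the PR's review-input.mjs); the per-file `{ path, diff }` input shape, the regex set, the 4-chars-per-token estimate and the limit names are assumptions:

```javascript
// Added example, not the PR's code: input shape, patterns and limits are assumptions.
const SECRET_PATTERNS = [
  [/-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g, '[REDACTED:PEM]'],
  [/\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}\b/g, '[REDACTED:JWT]'],
  [/\bAKIA[0-9A-Z]{16}\b/g, '[REDACTED:AWS]'],
  [/\bBearer\s+[A-Za-z0-9._~+\/=-]{16,}/g, 'Bearer [REDACTED]'],
  // generic FOO_KEY=... / X_TOKEN="..." assignments: keep the name, drop the value
  [/\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD))(\s*=\s*)["']?[^\s"']+["']?/g, '$1$2[REDACTED]'],
];
const IRRELEVANT = [ // lockfiles, vendored or built trees, binary or minified assets
  /(^|\/)(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|Cargo\.lock)$/,
  /(^|\/)(vendor|node_modules|dist|build)\//,
  /\.(png|jpe?g|gif|ico|pdf|woff2?|zip|min\.js)$/i,
];
const TRUNC = '\n[... truncated by budget ...]';

function redactSecrets(text) {
  let out = text, redactions = 0;
  for (const [re, replacement] of SECRET_PATTERNS) {
    redactions += (out.match(re) ?? []).length;
    out = out.replace(re, replacement);
  }
  return { text: out, redactions };
}
function selectRelevantFiles(files) { return files.filter((f) => !IRRELEVANT.some((re) => re.test(f.path))); }
function estimateTokens(s) { return Math.ceil(s.length / 4); } // rough, provider-neutral

// Cap each file, then the whole payload; the caller fails closed when overBudget is set.
function budgetAndChunk(files, { maxTokens, maxTokensPerFile }) {
  const truncated = [];
  const chunks = files.map(({ path, diff }) => {
    if (estimateTokens(diff) <= maxTokensPerFile) return { path, diff };
    truncated.push(path);
    return { path, diff: diff.slice(0, maxTokensPerFile * 4 - TRUNC.length) + TRUNC };
  });
  const totalTokens = chunks.reduce((n, c) => n + estimateTokens(c.diff), 0);
  return { chunks, totalTokens, truncated, overBudget: totalTokens > maxTokens };
}

// Pipeline: scope -> redact -> budget. Telemetry carries counts and paths only, never content.
function prepareReviewInput(files, limits) {
  const relevant = selectRelevantFiles(files);
  if (relevant.length === 0) return { ok: false, reason: 'no-relevant-files' };
  let redactions = 0;
  const clean = relevant.map(({ path, diff }) => {
    const r = redactSecrets(diff); redactions += r.redactions;
    return { path, diff: r.text };
  });
  const b = budgetAndChunk(clean, limits);
  const telemetry = { files: clean.length, redactions, tokens: b.totalTokens, truncated: b.truncated };
  if (b.overBudget) return { ok: false, reason: 'over-token-ceiling', telemetry };
  return { ok: true, chunks: b.chunks, telemetry };
}
```

The `AKIA…EXAMPLE` value used in tests is the public placeholder from AWS documentation, not a live credential.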
…146) Second increment toward GT-146. Replace the fragile free-text 'VIOLATION_DETECTED' marker with a structured, versioned contract:
- review-result.mjs: parseProviderResponse (tolerates fences/prose), validateReviewResult (schema v1.0: verdict + findings with severity, title, evidence file/line, confidence 0..1), evaluateProviderResponse (parse+validate+gate, fail-closed). Malformed/unsupported/indeterminate output resolves to verdict "error" and can never silently pass.
- 13-agentic-code-review.mjs: prompt now requests the JSON schema; the gate uses evaluateProviderResponse and reports findings with evidence.
- review-result.test.mjs: 11 node:test cases (parse, validate, fail-closed).
Addresses done-when criterion 3. Remaining: provider-neutral port/adapters (1).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
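The fail-closed parse/validate/gate contract, as an added example rather than the PR's review-result.mjs; the exact field names (`schemaVersion`, `verdict`, `findings[].evidence.file/line`), the verdict and severity vocabularies and the error codes are assumptions modelled on the fields the commit lists:

```javascript
// Added example, not the PR's code: field names, enums and error codes are assumptions.
const SCHEMA_VERSION = '1.0';
const VERDICTS = new Set(['pass', 'fail']);
const SEVERITIES = new Set(['low', 'medium', 'high', 'critical']);

// Providers wrap JSON in ```json fences or prose; pull out the fenced body or the outer {...}.
function parseProviderResponse(raw) {
  if (typeof raw !== 'string') return { ok: false, error: 'non-string-response' };
  const fenced = raw.match(/```(?:json)?\s*([\s\S]*?)```/);
  const candidate = fenced ? fenced[1] : raw.slice(raw.indexOf('{'), raw.lastIndexOf('}') + 1);
  try { return { ok: true, value: JSON.parse(candidate) }; }
  catch (e) { return { ok: false, error: `unparseable-json: ${e.message}` }; }
}

// Returns a list of schema errors; an empty list means the object is a valid v1.0 result.
function validateReviewResult(v) {
  const errors = [];
  if (!v || typeof v !== 'object' || Array.isArray(v)) return ['not-an-object'];
  if (v.schemaVersion !== SCHEMA_VERSION) errors.push(`unsupported-schema:${v.schemaVersion}`);
  if (!VERDICTS.has(v.verdict)) errors.push(`indeterminate-verdict:${v.verdict}`);
  if (!Array.isArray(v.findings)) return [...errors, 'findings-not-array'];
  v.findings.forEach((f, i) => {
    if (!f || typeof f !== 'object') return errors.push(`finding[${i}]:not-an-object`);
    if (!SEVERITIES.has(f.severity)) errors.push(`finding[${i}]:bad-severity`);
    if (typeof f.title !== 'string' || !f.title.trim()) errors.push(`finding[${i}]:missing-title`);
    if (typeof f.evidence?.file !== 'string' || !Number.isInteger(f.evidence?.line) || f.evidence.line < 1)
      errors.push(`finding[${i}]:bad-evidence`);
    if (typeof f.confidence !== 'number' || !(f.confidence >= 0 && f.confidence <= 1))
      errors.push(`finding[${i}]:bad-confidence`);
  });
  return errors;
}

// Gate: anything other than a valid, explicit verdict resolves to "error" (fail closed).
function evaluateProviderResponse(raw) {
  const parsed = parseProviderResponse(raw);
  if (!parsed.ok) return { verdict: 'error', findings: [], errors: [parsed.error] };
  const errors = validateReviewResult(parsed.value);
  if (errors.length) return { verdict: 'error', findings: [], errors };
  return { verdict: parsed.value.verdict, findings: parsed.value.findings, errors: [] };
}
```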
Third increment toward GT-146. Decouple the CI gate from any vendor:
- review-provider.mjs: a review port selected by config (EVOLITH_REVIEW_PROVIDER/MODEL); Gemini adapter isolates the only vendor networking and sends the API key as a header (not the URL query). Unknown providers / missing credentials / invalid adapters fail closed.
- 13-agentic-code-review.mjs: use createReviewProvider() + buildReviewPrompt() instead of a hard-coded Gemini call; all error paths fail closed.
- review-provider.test.mjs: 7 node:test cases (registry, fail-closed, mock adapter contract, adapter-failure propagation).
Addresses done-when criterion 1. All four criteria now have implementation: provider port (1), redaction/budget (2), schema validation (3), tests (4).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
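A port-and-adapter shape matching that description, added here as an example and not the PR's review-provider.mjs; the adapter registry, the `GEMINI_API_KEY` variable name, the mock adapter's config and the request body shape are assumptions, while EVOLITH_REVIEW_PROVIDER / EVOLITH_REVIEW_MODEL are the config names the commit mentions:

```javascript
// Added example, not the PR's code. GEMINI_API_KEY, the registry and the request
// shape are assumptions; EVOLITH_REVIEW_PROVIDER/MODEL are the PR's own config names.
const ADAPTERS = new Map();
function registerAdapter(name, factory) { ADAPTERS.set(name, factory); }

// Port: the CI gate only ever sees { name, review(prompt) -> Promise<string> }.
function createReviewProvider(env, deps = { fetch: globalThis.fetch }) {
  const name = env.EVOLITH_REVIEW_PROVIDER;
  const factory = ADAPTERS.get(name);
  if (!factory) throw new Error(`review provider unknown or not configured: ${name}`);
  const adapter = factory(env, deps);
  if (!adapter || typeof adapter.name !== 'string' || typeof adapter.review !== 'function')
    throw new Error(`adapter "${name}" does not satisfy the review port`);
  return adapter;
}

// Pure request builder, the only place vendor specifics live. The key travels in a
// header, so it never lands in URL-logging proxies, CI logs or thrown error messages.
function buildGeminiRequest(model, apiKey, prompt) {
  return {
    url: `https://generativelanguage.googleapis.com/v1beta/models/${encodeURIComponent(model)}:generateContent`,
    method: 'POST',
    headers: { 'content-type': 'application/json', 'x-goog-api-key': apiKey },
    body: JSON.stringify({ contents: [{ parts: [{ text: prompt }] }] }),
  };
}

registerAdapter('gemini', (env, { fetch }) => {
  const apiKey = env.GEMINI_API_KEY, model = env.EVOLITH_REVIEW_MODEL;
  if (!apiKey || !model) throw new Error('gemini adapter: missing GEMINI_API_KEY or EVOLITH_REVIEW_MODEL');
  if (typeof fetch !== 'function') throw new Error('gemini adapter: no fetch implementation');
  return {
    name: 'gemini',
    async review(prompt) {
      const { url, ...init } = buildGeminiRequest(model, apiKey, prompt);
      const res = await fetch(url, init);
      if (!res.ok) throw new Error(`gemini adapter: HTTP ${res.status}`); // status only, no body echo
      const text = (await res.json())?.candidates?.[0]?.content?.parts?.[0]?.text;
      if (typeof text !== 'string') throw new Error('gemini adapter: empty or malformed response');
      return text;
    },
  };
});

// Mock adapter for tests: canned text from config, never touches the network.
registerAdapter('mock', (env) => ({ name: 'mock', review: async () => env.MOCK_REVIEW_RESPONSE ?? '' }));
```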
…146) Scope the Wilson Agentic Review job to `contents: read` — it only needs to read the repo to diff changes. Completes done-when criterion 4 (minimum permissions) alongside the redaction/budget telemetry already in place. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Mark GT-146 DONE with closure evidence (commit 3efbb59): provider-neutral review port, secret-redacting/token-bounded input, versioned fail-closed result schema, 27 node:test cases, and least-privilege CI permissions. Board progress 149/153 done, 4 pending. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
📊 Bilingual Coverage Impact
PR Changes / Repository Coverage
✅ Good: All EN changes have ES counterparts.
Generated by GitHub Actions
Closes GT-146 (P0). Rewrites the agentic CI review into pure, tested modules:
- review-input.mjs: secret redaction + relevant-file selection + byte/token budget + chunking.
- review-result.mjs: versioned schema v1.0 + fail-closed validation (goodbye free-text marker).
- review-provider.mjs: provider-neutral port + Gemini adapter (API key in header), fail-closed.
- agentic-review with permissions: contents: read.
🤖 Generated with Claude Code