docs, feat(SREP-4460, SREP-4926: Add Standardized Claude hooks, skill, agents. Update standardised docs)#479
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@devppratik: This pull request references SREP-4460 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. This pull request references SREP-4926 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: devppratik The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Warning Review limit reached
More reviews will be available in 2 minutes and 40 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Repository YAML (base), Central YAML (inherited) Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (21)
WalkthroughThis PR establishes a complete Claude Code development infrastructure framework for the Certman Operator repository. It introduces specialized agents for automation (lint, test, security, docs, CI), pre-commit hooks with file edit safeguards and validation, Prow CI skill documentation, gitleaks secret scanning configuration, and comprehensive developer guides for contributions, development workflows, and testing practices. ChangesClaude Code Development Infrastructure
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Important Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional. ❌ Failed checks (1 error, 1 warning)
✅ Passed checks (13 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #479 +/- ##
=======================================
Coverage 57.14% 57.14%
=======================================
Files 29 29
Lines 2170 2170
=======================================
Hits 1240 1240
Misses 812 812
Partials 118 118 🚀 New features to boost your workflow:
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 13
♻️ Duplicate comments (6)
.claude/agents/test-agent.md (1)
10-10:⚠️ Potential issue | 🟠 Major | ⚡ Quick winIncorrect repository reference.
References "OCM Agent Operator" instead of "Certman Operator".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.claude/agents/test-agent.md at line 10, Update the incorrect repository reference in the documentation: find the text "OCM Agent Operator" in test-agent.md (the string literal appears in the sentence describing automated testing) and replace it with "Certman Operator" so the document correctly names the Certman Operator repository; ensure the rest of the sentence remains grammatically correct after the substitution..claude/agents/ci-agent.md (1)
10-10:⚠️ Potential issue | 🟠 Major | ⚡ Quick winIncorrect repository reference.
References "OCM Agent Operator" instead of "Certman Operator".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.claude/agents/ci-agent.md at line 10, The README line currently refers to "OCM Agent Operator" but should reference "Certman Operator"; update the phrase "OCM Agent Operator" to "Certman Operator" in .claude/agents/ci-agent.md and search for any other occurrences of that exact term in the same file (e.g., the header or description string "CI/CD validation and workflow integrity for OCM Agent Operator") and replace them so all references consistently use "Certman Operator"..claude/agents/lint-agent.md (1)
10-10:⚠️ Potential issue | 🟠 Major | ⚡ Quick winIncorrect repository reference.
Same issue as in the main README - references "OCM Agent Operator" instead of "Certman Operator".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.claude/agents/lint-agent.md at line 10, The README text incorrectly references "OCM Agent Operator" instead of "Certman Operator"; update the phrase "OCM Agent Operator" in .claude/agents/lint-agent.md to "Certman Operator" so the repository/reference is accurate, ensuring any occurrences of the exact string "OCM Agent Operator" (search for that literal) are replaced and commit the change..claude/agents/security-agent.md (1)
10-10:⚠️ Potential issue | 🟠 Major | ⚡ Quick winIncorrect repository reference.
References "OCM Agent Operator" instead of "Certman Operator".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.claude/agents/security-agent.md at line 10, The document incorrectly references "OCM Agent Operator" instead of "Certman Operator"; update the phrase "OCM Agent Operator" to "Certman Operator" in .claude/agents/security-agent.md (search for the exact string "OCM Agent Operator") and scan the same file for any other occurrences or related mentions to replace to ensure the repository description and header consistently reference "Certman Operator"..claude/agents/docs-agent.md (1)
10-10:⚠️ Potential issue | 🟠 Major | ⚡ Quick winIncorrect repository reference.
References "OCM Agent Operator" instead of "Certman Operator".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.claude/agents/docs-agent.md at line 10, Replace the incorrect repository reference string "OCM Agent Operator" with "Certman Operator" in the .claude/agents/docs-agent.md documentation entry (look for the line containing "Documentation maintenance and synchronization for OCM Agent Operator"); update any nearby description/title text that mentions "OCM Agent Operator" to "Certman Operator" so the doc consistently references the correct operator..claude/hooks/README.md (1)
3-3:⚠️ Potential issue | 🟠 Major | ⚡ Quick winIncorrect repository reference.
References "OCM Agent Operator development" instead of "certman-operator" or "Certman Operator".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.claude/hooks/README.md at line 3, Update the README text that currently says "Security and validation hooks for OCM Agent Operator development." to refer to this repository by its correct name—use "certman-operator" or "Certman Operator" instead; edit the sentence in .claude/hooks/README.md to read something like "Security and validation hooks for Certman Operator development" so the repository reference is accurate.
🧹 Nitpick comments (2)
.claude/agents/security-agent.md (1)
234-234: ⚡ Quick winOCM-specific token detection may not apply.
Line 234 mentions "OCM-specific tokens" in the context of gitleaks secret detection. This is specific to OCM Agent Operator and may not be relevant for certman-operator. Review the gitleaks configuration to ensure it's tailored to certman-operator's actual secret patterns.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.claude/agents/security-agent.md at line 234, The mention of "OCM-specific tokens" in security-agent.md is not applicable to certman-operator; update the gitleaks configuration and the documentation reference (the phrase "OCM-specific tokens") to remove OCM-specific patterns and replace them with certman-operator-relevant secret patterns, e.g., audit the gitleaks ruleset referenced in the doc (the gitleaks configuration section) and remove or rename rules that match OCM tokens, add or adjust regexes for certman-operator secrets (service account keys, TLS certs, kubeconfigs) and update the text to describe certman-operator-specific token detection..claude/agents/docs-agent.md (1)
186-198: ⚡ Quick winMissing language tag on code block.
The output format example uses a fenced code block without a language specifier. According to the document's own style guidance (lines 98-99), code blocks should specify their language. Consider adding
textormarkdownas the language identifier.📝 Proposed fix
## Output Format When updating docs, report: -``` +```text Updated: DEVELOPMENT.md - Added section on new make target: go-bench - Fixed typo in test commands🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.claude/agents/docs-agent.md around lines 186 - 198, Update the fenced code block in the example that starts with "Updated: DEVELOPMENT.md" to include a language tag (e.g., add ```text or ```markdown) so it conforms with the style guidance; edit the code block delimiter that currently is just ``` to be ```text (or ```markdown) and ensure the block content remains unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.claude/agents/ci-agent.md:
- Around line 23-29: Update the Tekton pipeline filename list in
.claude/agents/ci-agent.md: replace the `ocm-agent-operator-*` entries with the
actual pipeline filenames under .tekton, i.e. use
`certman-operator-pull-request.yaml`, `certman-operator-push.yaml`,
`certman-operator-e2e-pull-request.yaml`, `certman-operator-e2e-push.yaml`,
`certman-operator-pko-push.yaml`, and `certman-operator-pko-pull-request.yaml`
so the documented names match the actual YAMLs.
In @.claude/agents/README.md:
- Line 3: Update all hard-coded "OCM Agent Operator" references to the correct
project name "Certman Operator" (and lowercase "certman-operator" where
appropriate) in the listed files: replace the phrase in
.claude/agents/README.md, .claude/skills/README.md, .claude/hooks/README.md,
.claude/hooks/pre-edit.sh, .claude/hooks/cleanup.sh, and the agent docs under
.claude/agents/*.md (test-agent.md, security-agent.md, lint-agent.md,
docs-agent.md, ci-agent.md); also review and, if needed, rename pipeline
identifiers "ocm-agent-operator-*.yaml" to "certman-operator-*.yaml" inside
.claude/agents/ci-agent.md so all human-facing text and pipeline IDs
consistently use "Certman Operator"/"certman-operator".
In @.claude/agents/security-agent.md:
- Line 119: Update the stale secret-handling path in the security-agent policy:
replace references to the non-existent pattern pkg/ocmagenthandler/*_secret.go
with the actual Secret usage locations in this repo such as
pkg/leclient/utils.go (GetSecret) and credential handling in
pkg/clients/azure/dns.go, pkg/clients/aws/route53.go, pkg/clients/gcp/dns.go
where corev1.Secret is used; ensure the policy now points to those
functions/files and any exported symbols (GetSecret, the credential
parsing/usage functions in each provider client) that perform secret retrieval
and handling.
In @.claude/agents/test-agent.md:
- Around line 57-60: Replace the invalid test invocations "go test -v
./pkg/ocmagenthandler/" and "ginkgo -focus=\"NetworkPolicy\"
./pkg/ocmagenthandler/" with the real test package paths and actual Ginkgo spec
focus used in this repository: locate the package(s) that contain the
certman-operator tests (search for packages with _test.go or Ginkgo
Describe/Context blocks), update both commands to point to those package paths,
and change the focus string "NetworkPolicy" to a Describe/Context/It label that
actually exists in the repo so the ginkgo -focus filter matches real specs.
In @.claude/hooks/cleanup.sh:
- Line 3: Update the comment header that currently reads "OCM Agent Operator" to
the correct repository name "Certman Operator" (or "certman-operator") in the
cleanup hook; locate the literal string "OCM Agent Operator" in the file (the
header comment) and replace it with "Certman Operator" so the script comment
accurately reflects the repository.
In @.claude/hooks/README.md:
- Line 182: Documentation inconsistency: update the stop hook description so
both occurrences match; decide whether the stop hook runs `prek run --all-files`
or `prek run --config hack/prek.ci.toml` and make the same command appear at
line 182 and line 72 (and in the "stop hook" section) so references to the stop
hook in .claude/hooks/README.md consistently mention the chosen `prek run`
invocation.
In @.claude/settings.json:
- Around line 37-39: Replace the exact command-deny entries so they use
wildcard/family deny patterns that match extra arguments and variants: update
the three entries "Bash(git commit --no-verify)", "Bash(git push --force origin
master)" and "Bash(git push --force origin main)" to wildcard family patterns
that cover appended flags/arguments and different remotes/branches (e.g., use
patterns like Bash(git commit --no-verify*), Bash(git push --force*) or similar
family-style denies) so any variant such as added -m messages or different
branch/remotes will be blocked; apply this change to the entries in
.claude/settings.json.
In @.claude/skills/README.md:
- Around line 66-72: The fenced code block in .claude/skills/README.md showing
the directory tree is missing a language identifier; update the opening fence
from ``` to ```text so the block is rendered as plain text (i.e., change the
triple-backtick that precedes the directory listing to ```text) while keeping
the closing ``` unchanged.
- Line 3: Replace the incorrect repository name string "OCM Agent Operator" in
the README heading/sentence with the correct repository reference
"certman-operator" so the repository description accurately reads "Reusable
workflow skills for certman-operator development"; locate the phrase "OCM Agent
Operator" in .claude/skills/README.md and update it to "certman-operator".
In @.gitleaks.toml:
- Around line 26-32: The allowlist currently contains a blanket pattern
'''.*_test\.go''' under allowlist.paths which silences all test files; remove
that broad pattern and replace it with narrow, explicit path patterns (e.g.
specific test helper directories or known generated-test paths) or scoped
regexes that target only safe/generated test files; update the .gitleaks.toml
allowlist.paths entry to enumerate those safe directories/patterns instead of
'''.*_test\.go''' so tests with potential secrets are still scanned.
- Around line 12-13: The config currently only defines custom [allowlist] and
[[rules]] and lacks an [extend] directive, so gitleaks v8 will not include
default rules; add an [extend] block with useDefault = true (reference the
[extend] section and useDefault symbol) to ensure default gitleaks rules are
retained alongside your custom [[rules]] and existing [allowlist]; update the
top-level .gitleaks.toml accordingly and keep the comment about extending
defaults in sync.
In `@DEVELOPMENT.md`:
- Around line 140-145: Update the architecture directory list to match actual
repo paths: replace the non-existent controllers/{ocmagent,fleetnotification}/
entries with the real controller directory names used in the repo (locate
controller packages referenced by Controller structs or Reconcile methods, e.g.,
the actual controller package directories under controllers/), change
pkg/ocmagenthandler/ to the correct package path that contains the business
logic (find the package that defines the handler functions or types formerly
referred to as ocmagenthandler), and update pkg/util/test/generated/ to the
actual mocks location (search for generated mock packages or files used by
tests); ensure the lines listing API Types (`api/v1alpha1/`) and E2E
(`test/e2e/`) remain unchanged and reflect exact directory names.
- Around line 196-197: DEVELOPMENT.md currently links to non-existent files
./docs/design.md and ./docs/how-to-test.md; update those links to point to
existing documentation (for example docs/developing.md or other appropriate
docs) or add the missing files; locate the link entries in DEVELOPMENT.md (the
two lines containing [Design Documentation] and [How to Test]) and either change
their hrefs to the correct existing paths or create the referenced documents
(design.md and how-to-test.md) under docs/ with the expected content so the
links resolve.
---
Duplicate comments:
In @.claude/agents/ci-agent.md:
- Line 10: The README line currently refers to "OCM Agent Operator" but should
reference "Certman Operator"; update the phrase "OCM Agent Operator" to "Certman
Operator" in .claude/agents/ci-agent.md and search for any other occurrences of
that exact term in the same file (e.g., the header or description string "CI/CD
validation and workflow integrity for OCM Agent Operator") and replace them so
all references consistently use "Certman Operator".
In @.claude/agents/docs-agent.md:
- Line 10: Replace the incorrect repository reference string "OCM Agent
Operator" with "Certman Operator" in the .claude/agents/docs-agent.md
documentation entry (look for the line containing "Documentation maintenance and
synchronization for OCM Agent Operator"); update any nearby description/title
text that mentions "OCM Agent Operator" to "Certman Operator" so the doc
consistently references the correct operator.
In @.claude/agents/lint-agent.md:
- Line 10: The README text incorrectly references "OCM Agent Operator" instead
of "Certman Operator"; update the phrase "OCM Agent Operator" in
.claude/agents/lint-agent.md to "Certman Operator" so the repository/reference
is accurate, ensuring any occurrences of the exact string "OCM Agent Operator"
(search for that literal) are replaced and commit the change.
In @.claude/agents/security-agent.md:
- Line 10: The document incorrectly references "OCM Agent Operator" instead of
"Certman Operator"; update the phrase "OCM Agent Operator" to "Certman Operator"
in .claude/agents/security-agent.md (search for the exact string "OCM Agent
Operator") and scan the same file for any other occurrences or related mentions
to replace to ensure the repository description and header consistently
reference "Certman Operator".
In @.claude/agents/test-agent.md:
- Line 10: Update the incorrect repository reference in the documentation: find
the text "OCM Agent Operator" in test-agent.md (the string literal appears in
the sentence describing automated testing) and replace it with "Certman
Operator" so the document correctly names the Certman Operator repository;
ensure the rest of the sentence remains grammatically correct after the
substitution.
In @.claude/hooks/README.md:
- Line 3: Update the README text that currently says "Security and validation
hooks for OCM Agent Operator development." to refer to this repository by its
correct name—use "certman-operator" or "Certman Operator" instead; edit the
sentence in .claude/hooks/README.md to read something like "Security and
validation hooks for Certman Operator development" so the repository reference
is accurate.
---
Nitpick comments:
In @.claude/agents/docs-agent.md:
- Around line 186-198: Update the fenced code block in the example that starts
with "Updated: DEVELOPMENT.md" to include a language tag (e.g., add ```text or
```markdown) so it conforms with the style guidance; edit the code block
delimiter that currently is just ``` to be ```text (or ```markdown) and ensure
the block content remains unchanged.
In @.claude/agents/security-agent.md:
- Line 234: The mention of "OCM-specific tokens" in security-agent.md is not
applicable to certman-operator; update the gitleaks configuration and the
documentation reference (the phrase "OCM-specific tokens") to remove
OCM-specific patterns and replace them with certman-operator-relevant secret
patterns, e.g., audit the gitleaks ruleset referenced in the doc (the gitleaks
configuration section) and remove or rename rules that match OCM tokens, add or
adjust regexes for certman-operator secrets (service account keys, TLS certs,
kubeconfigs) and update the text to describe certman-operator-specific token
detection.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 5e9db685-ed58-4020-87bb-a397cc3edca4
📒 Files selected for processing (21)
.claude/agents/README.md.claude/agents/ci-agent.md.claude/agents/docs-agent.md.claude/agents/lint-agent.md.claude/agents/security-agent.md.claude/agents/test-agent.md.claude/hooks/README.md.claude/hooks/cleanup.sh.claude/hooks/pre-edit.sh.claude/hooks/stop-prek-validation.sh.claude/settings.json.claude/skills/README.md.claude/skills/prow-ci/SKILL.md.gitleaks.toml.prek-versionCONTRIBUTING.mdDEVELOPMENT.mdTESTING.mdhack/ci.shhack/prek.ci.tomlprek.toml
| **Tekton Pipelines** (`.tekton/`): | ||
| - `ocm-agent-operator-pull-request.yaml`: PR validation | ||
| - `ocm-agent-operator-push.yaml`: Main branch builds | ||
| - `ocm-agent-operator-e2e-pull-request.yaml`: E2E tests on PR | ||
| - `ocm-agent-operator-e2e-push.yaml`: E2E tests on merge | ||
| - `ocm-agent-operator-pko-push.yaml`: PKO deployment | ||
| - `ocm-agent-operator-pko-pull-request.yaml`: PKO validation |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: List actual Tekton pipeline files in certman-operator
fd -t f -e yaml -e yml . .tekton/ 2>/dev/null || echo ".tekton/ directory not found"Repository: openshift/certman-operator
Length of output: 320
Fix Tekton pipeline filename documentation in ci-agent
File: .claude/agents/ci-agent.md
Lines: 23-29
**Tekton Pipelines** (`.tekton/`):
- `certman-operator-pull-request.yaml`: PR validation
- `certman-operator-push.yaml`: Main branch builds
- `certman-operator-e2e-pull-request.yaml`: E2E tests on PR
- `certman-operator-e2e-push.yaml`: E2E tests on merge
- `certman-operator-pko-push.yaml`: PKO deployment
- `certman-operator-pko-pull-request.yaml`: PKO validationThe current doc lists ocm-agent-operator-* filenames, but the actual Tekton pipeline YAMLs under .tekton/ are certman-operator-*—update the list accordingly.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.claude/agents/ci-agent.md around lines 23 - 29, Update the Tekton pipeline
filename list in .claude/agents/ci-agent.md: replace the `ocm-agent-operator-*`
entries with the actual pipeline filenames under .tekton, i.e. use
`certman-operator-pull-request.yaml`, `certman-operator-push.yaml`,
`certman-operator-e2e-pull-request.yaml`, `certman-operator-e2e-push.yaml`,
`certman-operator-pko-push.yaml`, and `certman-operator-pko-pull-request.yaml`
so the documented names match the actual YAMLs.
| @@ -0,0 +1,244 @@ | |||
| # Claude Agents | |||
|
|
|||
| Specialized agents for OCM Agent Operator development workflows. | |||
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Find all references to OCM Agent Operator in .claude directory
rg -n "OCM Agent Operator" .claude/Repository: openshift/certman-operator
Length of output: 1139
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== OCM Agent Operator =="
rg -n "OCM Agent Operator" .claude/ || true
echo
echo "== ocm-agent-operator =="
rg -n "ocm-agent-operator" .claude/ || true
echo
echo "== certman-operator =="
rg -n "certman-operator" .claude/ || true
echo
echo "== Certman Operator =="
rg -n "Certman Operator" .claude/ || trueRepository: openshift/certman-operator
Length of output: 5997
Fix incorrect “OCM Agent Operator” references in .claude docs
The certman-operator Claude agent documentation still hard-codes “OCM Agent Operator” in multiple places (this PR targets openshift/certman-operator). Update these references to the correct “Certman Operator”/“certman-operator” naming in:
- .claude/agents/README.md (line 3)
- .claude/skills/README.md
- .claude/hooks/README.md, .claude/hooks/pre-edit.sh, .claude/hooks/cleanup.sh
- .claude/agents/test-agent.md, .claude/agents/security-agent.md, .claude/agents/lint-agent.md, .claude/agents/docs-agent.md, .claude/agents/ci-agent.md
Also review whether the “ocm-agent-operator-.yaml” pipeline identifiers in .claude/agents/ci-agent.md should be “certman-operator-.yaml”.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.claude/agents/README.md at line 3, Update all hard-coded "OCM Agent
Operator" references to the correct project name "Certman Operator" (and
lowercase "certman-operator" where appropriate) in the listed files: replace the
phrase in .claude/agents/README.md, .claude/skills/README.md,
.claude/hooks/README.md, .claude/hooks/pre-edit.sh, .claude/hooks/cleanup.sh,
and the agent docs under .claude/agents/*.md (test-agent.md, security-agent.md,
lint-agent.md, docs-agent.md, ci-agent.md); also review and, if needed, rename
pipeline identifiers "ocm-agent-operator-*.yaml" to "certman-operator-*.yaml"
inside .claude/agents/ci-agent.md so all human-facing text and pipeline IDs
consistently use "Certman Operator"/"certman-operator".
| Files requiring extra scrutiny: | ||
| - `deploy/*.yaml` (RBAC, NetworkPolicy) | ||
| - `*_rbac.go` (authorization logic) | ||
| - `pkg/ocmagenthandler/*_secret.go` (secret handling) |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Find secret-handling code in certman-operator
fd -t f -e go . pkg/ | rg -i "secret"
rg -l "Secret|secret" --type go pkg/ | head -10Repository: openshift/certman-operator
Length of output: 341
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# 1) Inspect the markdown line around 119
echo "---- security-agent.md around line 119 ----"
nl -ba .claude/agents/security-agent.md | sed -n '100,140p'
# 2) Check whether the repo contains the referenced ocmagenthandler path/pattern
echo "---- Search for ocmagenthandler reference ----"
rg -n "ocmagenthandler" -S . || true
echo "---- Find *_secret.go files under pkg/ ----"
fd -t f -e go pkg/ | rg -n "_secret\.go$" || true
echo "---- Search for secret-handling mentions with that filename pattern ----"
rg -n --glob='**/*_secret.go' "secret" . || trueRepository: openshift/certman-operator
Length of output: 175
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- security-agent.md around line 119 ----"
# Print the nearby content without relying on nl
sed -n '110,130p' .claude/agents/security-agent.md
echo "---- Search for ocmagenthandler reference ----"
rg -n "ocmagenthandler" -S . || true
echo "---- Find *_secret.go files under pkg/ ----"
fd -t f -e go pkg/ | rg -n "_secret\.go$" || true
echo "---- Search for *_secret.go filenames (anywhere) ----"
fd -t f -e go . | rg -n "_secret\.go$" || true
echo "---- Search for secret-handling mentions (filename pattern) ----"
rg -n --glob='**/*_secret.go' "secret" . || trueRepository: openshift/certman-operator
Length of output: 1709
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- List Go files under pkg/ocmagenthandler ----"
fd -t f -e go --full-path 'pkg/ocmagenthandler' . || true
# The above might be empty if fd treats full-path differently; also try with path filter:
fd -t f -e go -a --full-path -p 'pkg/ocmagenthandler' . || true
echo "---- Find any *_secret.go anywhere under pkg/ocmagenthandler ----"
fd -t f -e go --full-path -g '*_secret.go' 'pkg/ocmagenthandler' || true
echo "---- Search for Secret/secret usage under pkg/ocmagenthandler ----"
rg -n --type go --glob '**/*.go' -S "(\\bSecret\\b|\\bsecret\\b|Create\\w*Secret|Update\\w*Secret|Get\\w*Secret)" pkg/ocmagenthandler || true
echo "---- Search for any hardcoded secret patterns under pkg/ocmagenthandler ----"
rg -n --type go --glob '**/*.go' -S "(password\\s*[:=]|api[_-]?key\\s*[:=]|token\\s*[:=]|private[_-]?key\\s*[:=])" pkg/ocmagenthandler || trueRepository: openshift/certman-operator
Length of output: 575
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- Find any directory named ocmagenthandler ----"
find . -type d -name 'ocmagenthandler' 2>/dev/null || true
echo "---- Find any Go files ending with *_secret.go ----"
find . -type f -name '*_secret.go' 2>/dev/null || true
echo "---- Search for Kubernetes Secret usage in Go under pkg/ ----"
rg -n --type go --glob '**/*.go' "(corev1\\.Secret|\\bSecret\\b)" pkg 2>/dev/null || true
echo "---- Search for client secret CRUD patterns in Go under pkg/ ----"
rg -n --type go --glob '**/*.go' "(Create\\w*Secret|Update\\w*Secret|Get\\w*Secret|Delete\\w*Secret|Secrets\\().*)" pkg 2>/dev/null || trueRepository: openshift/certman-operator
Length of output: 1972
Fix stale secret-handling path in security-agent policy.
pkg/ocmagenthandler/*_secret.go doesn’t exist in this certman-operator repo (no ocmagenthandler directory and no *_secret.go files), so the “secret handling” entry points to foreign/stale code. Update it to the actual Secret usage locations, e.g.:
pkg/leclient/utils.go(GetSecret)pkg/clients/azure/dns.go,pkg/clients/aws/route53.go,pkg/clients/gcp/dns.go(corev1.Secretand secret-derived credential handling)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.claude/agents/security-agent.md at line 119, Update the stale
secret-handling path in the security-agent policy: replace references to the
non-existent pattern pkg/ocmagenthandler/*_secret.go with the actual Secret
usage locations in this repo such as pkg/leclient/utils.go (GetSecret) and
credential handling in pkg/clients/azure/dns.go, pkg/clients/aws/route53.go,
pkg/clients/gcp/dns.go where corev1.Secret is used; ensure the policy now points
to those functions/files and any exported symbols (GetSecret, the credential
parsing/usage functions in each provider client) that perform secret retrieval
and handling.
| go test -v ./pkg/ocmagenthandler/ | ||
|
|
||
| # Focused test | ||
| ginkgo -focus="NetworkPolicy" ./pkg/ocmagenthandler/ |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: List actual Go packages in certman-operator
fd -t d "^pkg$" --exec fd -t d . {} \; | head -20Repository: openshift/certman-operator
Length of output: 335
🏁 Script executed:
#!/bin/bash
# List all pkg subdirectories (avoid truncation)
fd -t d "^pkg$" --exec fd -t d . {} \;
# Check whether the focus string exists in this repo
rg -n --hidden --no-ignore-vcs '"NetworkPolicy"' . || trueRepository: openshift/certman-operator
Length of output: 564
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Directories matching ocmagenthandler =="
fd -t d -i "ocmagenthandler" . || true
echo
echo "== Occurrences of NetworkPolicy =="
rg -n --hidden --no-ignore-vcs "NetworkPolicy" . || true
echo
echo "== Occurrences of ocmagenthandler =="
rg -n --hidden --no-ignore-vcs "ocmagenthandler" . || trueRepository: openshift/certman-operator
Length of output: 1360
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Directory existence =="
if [ -d "pkg/ocmagenthandler" ]; then
echo "pkg/ocmagenthandler exists"
echo "== Files in pkg/ocmagenthandler (top 50) =="
find "pkg/ocmagenthandler" -maxdepth 2 -type f | head -50
else
echo "pkg/ocmagenthandler does NOT exist"
fi
echo
echo "== NetworkPolicy occurrences under pkg/ =="
rg -n --hidden --no-ignore-vcs "NetworkPolicy" pkg || true
echo
echo "== ginkgo usage under pkg/ocmagenthandler (if exists) =="
if [ -d "pkg/ocmagenthandler" ]; then
rg -n --hidden --no-ignore-vcs "ginkgo|Describe\\(|It\\(" pkg/ocmagenthandler || true
fiRepository: openshift/certman-operator
Length of output: 233
Fix test-agent.md to use real certman-operator test package paths (no pkg/ocmagenthandler).
In openshift/certman-operator, pkg/ocmagenthandler/ does not exist, so both go test -v ./pkg/ocmagenthandler/ and ginkgo -focus="NetworkPolicy" ./pkg/ocmagenthandler/ (lines 57-60 in .claude/agents/test-agent.md) reference an invalid package path. Also, NetworkPolicy does not appear under pkg/ in this repo, so the focus string needs to be updated to whatever Ginkgo spec(s) actually exist here.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.claude/agents/test-agent.md around lines 57 - 60, Replace the invalid test
invocations "go test -v ./pkg/ocmagenthandler/" and "ginkgo
-focus=\"NetworkPolicy\" ./pkg/ocmagenthandler/" with the real test package
paths and actual Ginkgo spec focus used in this repository: locate the
package(s) that contain the certman-operator tests (search for packages with
_test.go or Ginkgo Describe/Context blocks), update both commands to point to
those package paths, and change the focus string "NetworkPolicy" to a
Describe/Context/It label that actually exists in the repo so the ginkgo -focus
filter matches real specs.
| ``` | ||
| .claude/skills/ | ||
| ├── README.md | ||
| └── skillname/ | ||
| ├── SKILL.md # Required: skill definition | ||
| └── reference/ # Optional: supporting docs | ||
| ``` |
There was a problem hiding this comment.
Specify language identifier for fenced code block.
The directory structure code block is missing a language identifier. Add text to enable proper rendering.
📝 Proposed fix
-```
+```text
.claude/skills/
├── README.md
└── skillname/🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 66-66: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.claude/skills/README.md around lines 66 - 72, The fenced code block in
.claude/skills/README.md showing the directory tree is missing a language
identifier; update the opening fence from ``` to ```text so the block is
rendered as plain text (i.e., change the triple-backtick that precedes the
directory listing to ```text) while keeping the closing ``` unchanged.
| title = "gitleaks config for OCM Agent Operator" | ||
|
|
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
In gitleaks v8 (including v8.18.x), when running with --config <custom.toml>, are default rules automatically included, or must [extend] useDefault=true be set explicitly?
💡 Result:
In Gitleaks v8, including v8.18.x, when you provide a custom configuration file via the --config option, the default rules are not automatically included [1][2]. By default, providing a custom configuration file replaces the default, baked-in ruleset entirely [1][2]. If you wish to retain the default rules while also using your custom rules, you must explicitly enable them by adding the [extend] section to your configuration file and setting useDefault = true [1][3][4]. Configuration example: [extend] useDefault = true [[rules]] # Your custom rules go here...
Citations:
- 1: https://openaitx.github.io/projects/gitleaks/gitleaks/README-en.html
- 2: https://github.com/gitleaks/gitleaks
- 3: https://oneuptime.com/blog/post/2026-01-25-secret-scanning-gitleaks/view
- 4: https://developer.harness.io/docs/security-testing-orchestration/sto-techref-category/gitleaks-scanner-reference
🏁 Script executed:
#!/bin/bash
set -euo pipefail
nl -ba .gitleaks.toml | sed -n '1,80p'Repository: openshift/certman-operator
Length of output: 113
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n --fixed-string '^\[extend\]' .gitleaks.toml || true
rg -n --fixed-string 'useDefault' .gitleaks.toml || trueRepository: openshift/certman-operator
Length of output: 966
🏁 Script executed:
#!/bin/bash
set -euo pipefail
awk '{printf "%d\t%s\n", NR, $0}' .gitleaks.toml | sed -n '1,120p'Repository: openshift/certman-operator
Length of output: 4354
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n --fixed-strings '^[extend]' .gitleaks.toml || true
rg -n --fixed-strings 'useDefault' .gitleaks.toml || trueRepository: openshift/certman-operator
Length of output: 52
🏁 Script executed:
#!/bin/bash
set -euo pipefail
wc -l .gitleaks.toml
rg -n '\[extend\]' .gitleaks.toml || true
rg -n 'useDefault' .gitleaks.toml || trueRepository: openshift/certman-operator
Length of output: 89
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n '\[extend\]' .gitleaks.toml || true
rg -n 'useDefault' .gitleaks.toml || trueRepository: openshift/certman-operator
Length of output: 52
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show end of file to ensure no extend block exists after line 120
awk 'NR>=100 && NR<=155 {print NR "\t" $0}' .gitleaks.tomlRepository: openshift/certman-operator
Length of output: 2530
Add an explicit [extend] block to retain gitleaks default rules
.gitleaks.toml defines only custom [allowlist] and [[rules]], and there’s no [extend] / useDefault setting—despite comments stating it “extends gitleaks default rules” (lines 139-141). In gitleaks v8, using --config does not automatically include default rules, so detection coverage may drop to only the custom rules.
🔐 Suggested fix
title = "gitleaks config for OCM Agent Operator"
+
+[extend]
+useDefault = true🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.gitleaks.toml around lines 12 - 13, The config currently only defines
custom [allowlist] and [[rules]] and lacks an [extend] directive, so gitleaks v8
will not include default rules; add an [extend] block with useDefault = true
(reference the [extend] section and useDefault symbol) to ensure default
gitleaks rules are retained alongside your custom [[rules]] and existing
[allowlist]; update the top-level .gitleaks.toml accordingly and keep the
comment about extending defaults in sync.
| '''test/fixtures/.*''', | ||
| '''test/deploy/.*''', | ||
| '''.*_test\.go''', | ||
| '''boilerplate/.*''', | ||
| '''vendor/.*''', | ||
| '''zz_generated\..*\.go''', | ||
| ] |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
In gitleaks, does allowlist.paths skip scanning of matching files entirely? If yes, is allowlisting all .*_test\\.go generally discouraged?
💡 Result:
Yes and no—“allowlist.paths” is intended to ignore findings whose matched file path matches an allowlist pattern, but historically it has not always fully prevented the scanner from opening/processing those files. 1) Does allowlist.paths skip scanning matching files entirely? - The allowlist “paths” setting is described as “paths is a slice of path regular expressions that are allowed to be ignored” and allowlist logic includes checking a path via PathAllowed(...) [1]. That implies it suppresses detection results for matching paths, not a guaranteed “do not read file contents” guarantee. - There is an issue report stating that using allowlist.paths “to skip gitleaks scan of this file” did not work as expected (a finding in a path that should have been ignored still appeared). The issue describes “Actual behavior” where a leak in src/readme.md was found despite paths being set to ignore that file [2]. This indicates that allowlisting paths has, at least in some versions/conditions, not fully eliminated scanning/processing of matching files. - Separately, a more recent change note indicates the code path can skip opening/dir work “if allowlist matches” (i.e., there is optimization to avoid processing) [3]. So, depending on gitleaks version and code paths, it may or may not fully avoid scanning. Bottom line: allowlist.paths reliably suppresses findings for matching paths per the allowlist mechanism [1], but it is not safe to assume it always skips scanning/opening the files entirely; at least some versions have shown behavior where matching allowlist.paths did not fully prevent findings [2], while later code includes explicit skipping when allowlist matches [3]. 2) Is allowlisting all.*_test.go generally discouraged? - Generally yes, because allowlisting by paths is a blunt instrument: it ignores findings for an entire class of files. That can hide real test-only secrets (or secrets introduced into tests) rather than narrowly suppressing known false positives. - The official docs emphasize that allowlists are for known false positives/inactive/rotated/deactivated secrets, and that otherwise gitleaks will continue to detect secrets in commit history even after they are updated—i.e., allowlists should be targeted rather than broadly blanket-denying areas where secrets can still legitimately exist [4]. - Additionally, there’s a clear distinction in gitleaks between ignoring specific findings vs. leaving detection active: allowlists are meant to exclude known bad/irrelevant patterns/locations, not to globally disable whole file categories [1][4]. Therefore, allowlisting every _test.go via a pattern like._test.go is generally discouraged unless you have strong justification that your repository’s test files never contain real secrets (or you accept the risk of suppressing any that do). A safer approach is to allowlist specific rules/regexes or narrower path patterns tied to specific false positives (e.g., a known fixture directory), or to use line-based inline suppression when possible [5].
Citations:
- 1: https://pkg.go.dev/github.com/grachovskaia/gitleaks/config
- 2: allowlist.paths is not ignoring files gitleaks/gitleaks#467
- 3: gitleaks/gitleaks@ed205a5
- 4: https://developer.harness.io/docs/security-testing-orchestration/sto-techref-category/gitleaks-scanner-reference
- 5: https://openaitx.github.io/projects/gitleaks/gitleaks/README-en.html
Narrow the gitleaks allowlist instead of blanket .*_test\.go suppression.
allowlist.paths is meant to ignore findings for matching file-path patterns (and it has not always been a guaranteed “no processing” guarantee in all versions/paths), so allowlisting every *_test.go can hide real secrets that land in test helpers/integration tests.
🔎 Suggested narrowing
paths = [
'''test/fixtures/.*''',
'''test/deploy/.*''',
- '''.*_test\.go''',
'''boilerplate/.*''',
'''vendor/.*''',
'''zz_generated\..*\.go''',
]📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| '''test/fixtures/.*''', | |
| '''test/deploy/.*''', | |
| '''.*_test\.go''', | |
| '''boilerplate/.*''', | |
| '''vendor/.*''', | |
| '''zz_generated\..*\.go''', | |
| ] | |
| '''test/fixtures/.*''', | |
| '''test/deploy/.*''', | |
| '''boilerplate/.*''', | |
| '''vendor/.*''', | |
| '''zz_generated\..*\.go''', | |
| ] |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.gitleaks.toml around lines 26 - 32, The allowlist currently contains a
blanket pattern '''.*_test\.go''' under allowlist.paths which silences all test
files; remove that broad pattern and replace it with narrow, explicit path
patterns (e.g. specific test helper directories or known generated-test paths)
or scoped regexes that target only safe/generated test files; update the
.gitleaks.toml allowlist.paths entry to enumerate those safe
directories/patterns instead of '''.*_test\.go''' so tests with potential
secrets are still scanned.
| - **API Types**: `api/v1alpha1/` - CRD definitions | ||
| - **Controllers**: `controllers/{ocmagent,fleetnotification}/` - Reconciliation logic | ||
| - **Business Logic**: `pkg/ocmagenthandler/` - Resource management | ||
| - **Tests**: `*_test.go` alongside source, `*_suite_test.go` for Ginkgo | ||
| - **Mocks**: `pkg/util/test/generated/` - Generated mocks | ||
| - **E2E**: `test/e2e/` - End-to-end tests |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Verify repository directory structure
echo "=== Checking architecture directories ==="
# Check each referenced directory
for dir in "api/v1alpha1" "controllers/ocmagent" "controllers/fleetnotification" \
"pkg/ocmagenthandler" "pkg/util/test/generated" "test/e2e"; do
if [ -d "$dir" ]; then
echo "✓ Found: $dir"
else
echo "✗ Not found: $dir"
fi
done
# List actual structure
echo ""
echo "=== Actual directory structure ==="
echo "API:"
fd -t d -d 2 . api/
echo "Controllers:"
fd -t d -d 1 . controllers/
echo "Pkg:"
fd -t d -d 2 . pkg/
echo "Test:"
fd -t d -d 1 . test/Repository: openshift/certman-operator
Length of output: 678
Fix incorrect architecture directory links in DEVELOPMENT.md (lines 140-145)
The referenced paths don’t match the repo layout:
api/v1alpha1/✅ existstest/e2e/✅ existscontrollers/ocmagent/❌ not foundcontrollers/fleetnotification/❌ not foundpkg/ocmagenthandler/❌ not foundpkg/util/test/generated/❌ not found
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@DEVELOPMENT.md` around lines 140 - 145, Update the architecture directory
list to match actual repo paths: replace the non-existent
controllers/{ocmagent,fleetnotification}/ entries with the real controller
directory names used in the repo (locate controller packages referenced by
Controller structs or Reconcile methods, e.g., the actual controller package
directories under controllers/), change pkg/ocmagenthandler/ to the correct
package path that contains the business logic (find the package that defines the
handler functions or types formerly referred to as ocmagenthandler), and update
pkg/util/test/generated/ to the actual mocks location (search for generated mock
packages or files used by tests); ensure the lines listing API Types
(`api/v1alpha1/`) and E2E (`test/e2e/`) remain unchanged and reflect exact
directory names.
| - [Design Documentation](./docs/design.md) | ||
| - [How to Test](./docs/how-to-test.md) |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Verify referenced documentation files exist
echo "=== Checking for referenced docs ==="
for file in "docs/design.md" "docs/how-to-test.md"; do
if [ -f "$file" ]; then
echo "✓ Found: $file"
else
echo "✗ Not found: $file"
fi
done
# List actual docs directory contents
echo ""
echo "=== Actual docs directory ==="
if [ -d "docs" ]; then
fd -t f . docs/
else
echo "✗ docs/ directory not found"
fiRepository: openshift/certman-operator
Length of output: 218
Fix broken documentation links in DEVELOPMENT.md (lines 196-197).
./docs/design.md and ./docs/how-to-test.md don’t exist in the repo (only docs/developing.md is present), so these links should be updated to existing docs or the missing files should be added.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@DEVELOPMENT.md` around lines 196 - 197, DEVELOPMENT.md currently links to
non-existent files ./docs/design.md and ./docs/how-to-test.md; update those
links to point to existing documentation (for example docs/developing.md or
other appropriate docs) or add the missing files; locate the link entries in
DEVELOPMENT.md (the two lines containing [Design Documentation] and [How to
Test]) and either change their hrefs to the correct existing paths or create the
referenced documents (design.md and how-to-test.md) under docs/ with the
expected content so the links resolve.
devppratik
force-pushed
the
add-claude-and-docs
branch
from
0fa7431 to
11499bc
Compare
- Add .claude/ directory with agents, hooks, and skills - Add prek validation framework (prek.toml, hack/prek.ci.toml) - Add gitleaks secret scanning (.gitleaks.toml) - Add CONTRIBUTING.md, DEVELOPMENT.md, TESTING.md - Add CLAUDE.md (if not already present) - Add stop hook for automatic validation Based on ocm-agent-operator PR openshift#257 (SREP-4410, SREP-4411) Brings the repo up to Agentic SDLC contribution standard
devppratik
force-pushed
the
add-claude-and-docs
branch
from
11499bc to
1e0dbfe
Compare
|
@devppratik: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
2 participants
What type of PR is this?
docs/feature
What this PR does / why we need it?
References
Summary by CodeRabbit
Documentation
Chores