feat(advisor): add PR review advisor workflow

[cv]

Summary

Adds a trusted, read-only PR Review Advisor workflow modeled on the existing E2E Advisor. The new advisor analyzes PR diffs and GitHub metadata for NemoClaw-specific review signals, then posts an advisory sticky comment without approving, merging, dispatching workflows, or executing PR-provided code.

Changes

• Add tools/pr-review-advisor/ with the analyzer, sticky-comment updater, JSON schema, and README.
• Add .github/workflows/pr-review-advisor.yaml with the same trusted-code boundary pattern as e2e-advisor.yaml.
• Add test/pr-review-advisor.test.ts coverage for normalization, schema validation, comment rendering, test-depth classification, and workflow safety structure.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

Additional verification run locally:

• npm run build:cli
• npm run typecheck:cli
• npm test -- --run test/pr-review-advisor.test.ts
• npm run source-shape:check
• PR_REVIEW_ADVISOR_RUN_ANALYSIS=0 node --experimental-strip-types tools/pr-review-advisor/analyze.mts --base main --head HEAD --schema tools/pr-review-advisor/schema.json --out-dir /tmp/pr-review-advisor-smoke

Known local pre-push/full-suite status: the full CLI test hook failed on existing environment/timeout-sensitive tests unrelated to this change, including test/cli.test.ts, test/sandbox-connect-inference.test.ts, test/dns-proxy.test.ts, test/generate-openclaw-config.test.ts, and test/secret-redaction.test.ts. Targeted advisor tests and type-checking passed.

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• New Features

  • Added a PR Review Advisor: GitHub Actions workflow + CLI that analyzes PRs, produces structured advisory results/artifacts, and can post/update a sticky advisory comment; supports manual runs.

• Documentation

  • Added documentation describing the advisor, execution modes, safety model, and output contract/schema.

• Tests

  • Added end-to-end tests validating result normalization, summary/comment rendering, and workflow configuration.

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7dbf71f4-e627-42c7-b379-0be89ddfced9

📥 Commits

Reviewing files that changed from the base of the PR and between be4bf9d and 254ece7.

📒 Files selected for processing (5)

• .github/workflows/pr-review-advisor.yaml
• test/pr-review-advisor.test.ts
• tools/advisors/github.mts
• tools/pr-review-advisor/analyze.mts
• tools/pr-review-advisor/schema.json

---

📝 Walkthrough

Walkthrough

Adds shared advisor utilities (git, GitHub, IO, JSON, session), refactors e2e advisor to use them, implements a PR Review Advisor CLI that normalizes AI output against a JSON schema, an accompanying comment poster, a GitHub Actions workflow to run the advisor, and comprehensive tests.

Changes

PR Review Advisor & Shared Infrastructure

Layer / File(s)	Summary
Shared Advisor Utilities & Infrastructure tools/advisors/README.md, tools/advisors/git.mts, tools/advisors/github.mts, tools/advisors/io.mts, tools/advisors/json.mts, tools/advisors/session.mts	Foundational modules providing git operations, GitHub REST/GraphQL and sticky-comment helpers, CLI/io helpers, JSON extraction/sanitization, and a read-only advisor session runner with timeout/heartbeat and byte-capped buffering.
E2E Advisor Refactoring tools/e2e-advisor/analyze.mts, tools/e2e-advisor/comment.mts, tools/e2e-advisor/dispatch.mts	Refactors e2e advisor scripts to delegate git/IO/json/github/session responsibilities to shared utilities and removes duplicated local implementations.
PR Review Advisor Analysis & Normalization tools/pr-review-advisor/README.md, tools/pr-review-advisor/analyze.mts, tools/pr-review-advisor/schema.json	New CLI that gathers deterministic PR context (diffs, commits, risky areas, GitHub data), builds prompts, runs a read-only advisor session, normalizes and sanitizes AI output into a typed result, and renders a Markdown summary.
PR Review Advisor Comment Generation & Posting tools/pr-review-advisor/comment.mts	Builds and upserts a sticky PR comment containing the advisor summary, recommendation, confidence, analyzed HEAD SHA, and collapsible details section using shared upsertStickyComment.
PR Review Advisor GitHub Actions Workflow .github/workflows/pr-review-advisor.yaml	Orchestrates trusted advisor checkout, installs pinned Pi SDK, runs analysis (with skipped-artifact fallback), appends job summary, optionally posts comment on PR events, and uploads artifacts.
Test Suite & Schema Validation test/pr-review-advisor.test.ts	Vitest tests covering normalization, enum sanitization, classifyTestDepth, deriveGateStatus, GraphQL error handling, summary/comment rendering, schema validation via Ajv, and workflow trusted-boundary checks.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3504: Overlaps in e2e advisor refactoring and Pi SDK embedding; related changes to advisor execution wiring.
• NVIDIA/NemoClaw#3484: Related dispatcher/dispatch logic changes in tools/e2e-advisor/dispatch.mts and shared utilities usage.

Suggested labels

CI/CD, enhancement: feature, refactor

Suggested reviewers

• ericksoa
• jyaunches
• cjagwani

"🐰 I hopped through diffs and spun a thread,
Trusted tools in place, no code misled.
Summaries tucked in a sticky note,
Tests and schema keep the logic afloat.
Cheers from a rabbit — analyze ahead!"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 1.18% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(advisor): add PR review advisor workflow' accurately and specifically summarizes the main change: introducing a new PR review advisor workflow component.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/pr-review-advisor

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: e2e-advisor

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None. No merge-blocking product E2E is required: the PR is limited to CI advisor workflows, advisor utilities, documentation, schemas, and unit tests. It does not change NemoClaw installer/onboarding code, sandbox lifecycle, credentials handling in the product, network policy assets, inference routing, deployment artifacts, or real assistant user flows.

Optional E2E

• e2e-advisor (low): Useful non-blocking confidence check because the PR refactors the existing E2E advisor and dispatcher/comment paths. Run the E2E / Advisor workflow against this PR to verify it still produces normalized artifacts and a comment/dispatch plan without requiring product runtime E2E.

New E2E recommendations

• advisor-workflow-security-smoke (medium): There is no dedicated end-to-end smoke coverage for the secret-bearing advisor workflow trusted-code boundary, artifact production, sticky-comment behavior, and safe no-dispatch behavior. Unit tests cover pieces, but not the GitHub Actions integration path.
  • Suggested test: Add an advisor workflow smoke E2E that runs e2e-advisor and pr-review-advisor via workflow_dispatch on a fixture PR checkout with analysis disabled or mocked, verifies trusted main checkout execution, artifact outputs, sticky-comment dry-run/update behavior, and that auto-dispatch is skipped unless the allowlist and job validation gates pass.

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

test/pr-review-advisor.test.ts (1)

184-189: ⚡ Quick win

Add existence assertions before accessing step.run.

If a step name changes, these dereferences can fail with a TypeError before the intended assertion runs. Add explicit presence checks to keep failures clear and actionable.

Proposed patch

+    expect(installStep).toBeDefined();
+    expect(analyzeStep).toBeDefined();
+    expect(commentStep).toBeDefined();
+    if (!installStep || !analyzeStep || !commentStep) return;
+
     expect(installStep.run.includes("--ignore-scripts")).toBe(true);
     expect(analyzeStep.run.includes("$ADVISOR_DIR/tools/pr-review-advisor/analyze.mts")).toBe(true);
     expect(analyzeStep.run).toContain("trusted main checkout does not yet contain analyze.mts");
     expect(analyzeStep.run).toContain("pr-review-advisor-final-result.json");
     expect(commentStep.run).toContain("trusted main checkout does not yet contain comment.mts");

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/pr-review-advisor.test.ts` around lines 184 - 189, Add explicit presence
assertions for each step object before accessing their .run property to avoid
TypeError when a step name changes: for installStep, analyzeStep, and
commentStep assert they are defined/truthy (e.g.,
expect(installStep).toBeDefined()/toBeTruthy(), same for analyzeStep and
commentStep) immediately prior to the existing expect(... .run ...) checks so
failures clearly indicate a missing step rather than throwing while
dereferencing .run.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr-review-advisor.yaml:
- Line 94: Replace the loose tags for the GitHub Actions with full commit SHAs:
change uses: actions/setup-node@v6 and uses: actions/upload-artifact@v4 to pin
to the corresponding full commit SHA for each repo (as was done for checkout).
Locate the official action repositories (actions/setup-node and
actions/upload-artifact), copy the desired release/commit hash, and update the
workflow lines so they read uses: actions/setup-node@<full-sha> and uses:
actions/upload-artifact@<full-sha>.

In `@tools/advisors/github.mts`:
- Around line 47-49: The githubGraphql function should parse the JSON body even
when response.ok is true, then check if the parsed payload has a non-empty
payload.errors array; if so, throw an Error (or a custom Error) that includes
the GraphQL errors and attach the full payload to the error (e.g., error.payload
= payload) so callers can still inspect ["data","..."] if needed; otherwise
return the full payload object (not payload.data). Update githubGraphql to await
response.json() into a variable (e.g., payload), inspect payload.errors, and
either throw with the payload attached or return payload.

In `@tools/pr-review-advisor/analyze.mts`:
- Around line 431-433: The current ternary treats "unstable" and "HAS_HOOKS" as
pass; change the logic so only clean states (e.g., /CLEAN|clean/i) produce
status "pass" and move /UNSTABLE|unstable|HAS_HOOKS/i into the warning branch.
Update the condition around mergeState (the regex tests that produce { status:
"pass", ... } and the subsequent /DIRTY|CONFLICT|BLOCKED|behind/i test) so that
UNSTABLE and HAS_HOOKS no longer match the pass regex and instead produce {
status: "warning", evidence: `mergeStateStatus=${mergeState}` }.

In `@tools/pr-review-advisor/schema.json`:
- Around line 1-4: The JSON file is missing the required SPDX header; add SPDX
metadata as a top-of-file comment string(s) before the JSON content including
SPDX-FileCopyrightText with the copyright owner and year and
SPDX-License-Identifier: Apache-2.0 so the file begins with the SPDX header
followed by the existing JSON object (which contains keys like "$schema", "$id",
and "title") to satisfy the repo policy for all .json source files.

---

Nitpick comments:
In `@test/pr-review-advisor.test.ts`:
- Around line 184-189: Add explicit presence assertions for each step object
before accessing their .run property to avoid TypeError when a step name
changes: for installStep, analyzeStep, and commentStep assert they are
defined/truthy (e.g., expect(installStep).toBeDefined()/toBeTruthy(), same for
analyzeStep and commentStep) immediately prior to the existing expect(... .run
...) checks so failures clearly indicate a missing step rather than throwing
while dereferencing .run.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 59b45ac7-e5f7-468a-9f20-4faf5575b6e0

📥 Commits

Reviewing files that changed from the base of the PR and between 6b8bb5e and 41780ef.

📒 Files selected for processing (15)

• .github/workflows/pr-review-advisor.yaml
• test/pr-review-advisor.test.ts
• tools/advisors/README.md
• tools/advisors/git.mts
• tools/advisors/github.mts
• tools/advisors/io.mts
• tools/advisors/json.mts
• tools/advisors/session.mts
• tools/e2e-advisor/analyze.mts
• tools/e2e-advisor/comment.mts
• tools/e2e-advisor/dispatch.mts
• tools/pr-review-advisor/README.md
• tools/pr-review-advisor/analyze.mts
• tools/pr-review-advisor/comment.mts
• tools/pr-review-advisor/schema.json