
fix: address PR #226 review comments and labeler workflow issues#229

Merged
rjmurillo merged 15 commits into
mainfrom
feat/auto-labeler
Dec 22, 2025

Conversation

@rjmurillo-bot

@rjmurillo-bot rjmurillo-bot commented Dec 22, 2025

Collaborator

Pull Request

Summary

Addresses issues identified in PR #226 review comments and enhances auto-labeler workflow configuration.

Specification References

| Type | Reference | Description |
| --- | --- | --- |
| Spec | .agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md | PR #226 failure analysis |
| Spec | .serena/memories/skill-autonomous-execution-guardrails.md | AI agent guardrails |

Changes

  • fix(label-issues.yml): Fix bug/feature regex patterns
    • Separate title prefix checks from content keyword matching
    • Remove overly generic patterns (\badd\b, \bnew\b) that caused false positives
  • fix(labeler.yml): Fix negation patterns
    • Use all-globs-to-all-files for patterns with ! negation
    • any-glob-to-any-file doesn't properly handle negation per actions/labeler docs
  • fix(label-pr.yml): Security improvements
    • Pin actions/labeler@v5 to full commit SHA (required by repo policy)
    • Add security comment explaining pull_request_target is safe for labeler
  • fix(label-issues.yml): Pin actions/github-script@v7 to full commit SHA
  • fix(Invoke-BatchPRReview.ps1): Capture and display git error output
  • refactor(commands): Update pr-review.md to Claude Code Slash Commands format
    • Add YAML frontmatter with description, argument-hint, allowed-tools
  • docs: Add retrospective analysis and skill documentation

Type of Change

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update
  • Infrastructure/CI change
  • Refactoring (no functional changes)

Testing

  • Workflow syntax validated (YAML schema)
  • Actions pinned to full commit SHAs
  • Manual testing completed
  • Tests added/updated

Agent Review

Security Review

Required for: Authentication, authorization, CI/CD, git hooks, secrets, infrastructure

  • No security-critical changes in this PR
  • Security agent reviewed infrastructure changes

Files requiring security review:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml

Other Agent Reviews

  • Architect reviewed design changes
  • Critic validated implementation plan
  • QA verified test coverage

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Comments added for complex logic
  • Documentation updated (if applicable)
  • No new warnings introduced

Related Issues

Fixes issues identified in PR #226 post-merge review


🤖 Generated with Claude Code
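The regex fix listed in the changes above is easiest to see with inputs side by side. What follows is an added example, not code from this PR or from the repository: `labelsBefore` models the original github-script logic (every pattern run over the combined title and body, including the generic `\badd\b` and `\bnew\b` keywords) and `labelsAfter` models the fixed logic (case-insensitive prefix check on the title only, narrower body keywords), using the patterns as quoted later in this thread by the QA review. Function names, sample issues and the `bug`/`enhancement` label names are illustrative.

```javascript
// Added example (not code from the PR). Models the label-issues.yml regex change
// as quoted in the review thread: "before" runs every pattern over title+body,
// "after" checks the [bug]/[feat] prefix on the title only (case-insensitive)
// and drops the generic \badd\b / \bnew\b body keywords. Names are illustrative.

function labelsBefore(title, body) {
  const content = `${title}\n${body}`;
  const labels = [];
  // ^ anchors at the start of the combined string, so the prefix alternative is
  // effectively a title check, but it is case-sensitive and shares one
  // alternation with the body keywords.
  if (/^\[?bug\]?:?|\bbug\b|\bbroken\b/.test(content)) labels.push('bug');
  if (/^\[?feat(ure)?\]?:?|\bfeature\b|\badd\b|\bnew\b/.test(content)) labels.push('enhancement');
  return labels;
}

function labelsAfter(title, body) {
  const content = `${title}\n${body}`;
  const labels = [];
  // Prefix is checked on the title only and case-insensitively; keyword checks
  // still scan title+body, but without "add" / "new".
  if (/^\[?bug\]?:?/i.test(title) || /\bbug\b|\bbroken\b/.test(content)) labels.push('bug');
  if (/^\[?feat(ure)?\]?:?/i.test(title) || /\bfeature\b|\benhance(ment)?\b/.test(content)) labels.push('enhancement');
  return labels;
}

// Constructed sample issues (not real issues): [title, body]
const samples = [
  ['[bug]: Crash on startup', 'Repro: add new logging output, then restart.'], // "add"/"new" false positive
  ['[Bug] crash on start', ''],                                               // capitalised prefix
  ['Docs typo', 'Add a new section to the README.'],                          // neither bug nor feature
  ['Feature request: dark mode', 'Please add a dark theme.'],                 // prefix only matched via /i
];

for (const [title, body] of samples) {
  console.log(JSON.stringify(title), 'before:', labelsBefore(title, body), 'after:', labelsAfter(title, body));
}
```

Run with `node`. Two things worth noticing: the old pattern missed `[Bug]` entirely because nothing in it was case-insensitive, and the new pattern still runs `\bfeature\b` over the body, so a bug report whose body happens to contain the word "feature" receives both labels.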

Copilot AI review requested due to automatic review settings December 22, 2025 03:50
@github-actions

Contributor

Spec-to-Implementation Validation

Warning

No spec references found

This PR does not reference any specifications (REQ-, DESIGN-, TASK-*, or linked issues).

How to add spec references

Add spec references to your PR description to enable traceability:

| Method | Example |
| --- | --- |
| Reference requirements | Implements REQ-001 |
| Link issues | Closes #123 |
| Reference spec files | .agents/specs/requirements/... |

Spec Requirement by PR Type:

| PR Type | Required? |
| --- | --- |
| Feature (feat:) | ✅ Required |
| Bug fix (fix:) | Optional |
| Refactor (refactor:) | Optional |
| Documentation (docs:) | Not required |
| Infrastructure (ci:, build:, chore:) | Optional |

See PR template for full guidance.


Powered by AI Spec Validator - Validation skipped - no specs found

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request introduces a set of valuable fixes and improvements across workflows, scripts, and agent command definitions. The changes in labeler.yml correctly implement file globbing with negations, resolving a potential bug in issue labeling. The updates to Invoke-BatchPRReview.ps1 significantly improve error diagnostics by including git's output in error messages. The refactoring of .claude/commands/pr-review.md not only aligns it with the new slash command documentation format but also corrects several bash syntax errors in the code examples. I have one suggestion to further improve the robustness of a script example in the markdown file.

@github-actions

Contributor

AI Quality Gate Review

Caution

Final Verdict: CRITICAL_FAIL

Walkthrough

This PR was reviewed by six AI agents in parallel, analyzing different aspects of the changes:

  • Security Agent: Scans for vulnerabilities, secrets exposure, and security anti-patterns
  • QA Agent: Evaluates test coverage, error handling, and code quality
  • Analyst Agent: Assesses code quality, impact analysis, and maintainability
  • Architect Agent: Reviews design patterns, system boundaries, and architectural concerns
  • DevOps Agent: Evaluates CI/CD, build pipelines, and infrastructure changes
  • Roadmap Agent: Assesses strategic alignment, feature scope, and user value

Review Summary

| Agent | Verdict | Status |
| --- | --- | --- |
| Security | PASS | |
| QA | CRITICAL_FAIL | |
| Analyst | PASS | |
| Architect | PASS | |
| DevOps | PASS | |
| Roadmap | PASS | |
Analyst Review Details

Let me check the original PR #226 in the correct organization and examine the diff more closely.

I have sufficient information from the local files to complete the analysis. Let me now analyze the changes.


Code Quality Score

| Criterion | Score (1-5) | Notes |
| --- | --- | --- |
| Readability | 5 | Changes are clear and well-documented |
| Maintainability | 5 | Better error messages aid debugging |
| Consistency | 5 | Follows existing patterns in codebase |
| Simplicity | 5 | Minimal, targeted fixes |

Overall: 5/5


Impact Assessment

  • Scope: Module-wide (affects 5 files across 3 subsystems)
  • Risk Level: Low
  • Affected Components: GitHub Actions workflows (labeler, label-issues, label-pr), PowerShell scripts (Invoke-BatchPRReview.ps1), Claude commands (pr-review.md)

Findings

| Priority | Category | Finding | Location |
| --- | --- | --- | --- |
| Low | Documentation | YAML frontmatter added correctly per Claude Code format | .claude/commands/pr-review.md:1-5 |
| Low | Security | Actions pinned to full SHAs as required by repo policy | .github/workflows/label-pr.yml:38, label-issues.yml:36 |
| Low | Bug Fix | Regex patterns correctly separated for title prefix vs content keyword matching | .github/workflows/label-issues.yml:97-101 |
| Low | Bug Fix | all-globs-to-all-files correctly used for negation patterns per actions/labeler docs | .github/labeler.yml:54-58 |
| Low | Improvement | Git error output now captured and displayed in error messages | scripts/Invoke-BatchPRReview.ps1:86-89, 164-167 |

Recommendations

  1. None required. All changes are correct and address the stated issues.

Verdict

VERDICT: PASS
MESSAGE: All changes are targeted, correct fixes addressing specific issues from PR #226. Regex patterns correctly separate title prefix checks from content keyword matching. Negation patterns use proper labeler syntax. Actions pinned to SHAs per policy. Error handling improved with captured output.
Security Review Details

Security Report: PR Review

Findings

| Severity | Category | Finding | Location | CWE |
| --- | --- | --- | --- | --- |
| Low | Security Misconfiguration | pull_request_target trigger with labeler action | .github/workflows/label-pr.yml:14 | N/A |

Analysis

1. Workflow Security (label-pr.yml)

The pull_request_target trigger is used with actions/labeler. The security comment added at lines 8-11 correctly documents that this is safe because:

  • The labeler action only reads file paths from PR diff metadata
  • No code from the PR branch is executed
  • Action is pinned to full SHA (8558fd74291d67161a8a78ce36a881fa63b766a9)

[PASS] - Appropriate security controls documented.

2. Workflow Security (label-issues.yml)

  • Action pinned to full SHA (f28e40c7f34bde8b3046d885e986cb6290c5673b) [PASS]
  • github-script uses hardcoded regex patterns, no untrusted input injection [PASS]
  • Permissions properly scoped (contents: read, issues: write) [PASS]

3. PowerShell Script (Invoke-BatchPRReview.ps1)

  • Error output capture improvement does not introduce vulnerabilities [PASS]
  • No command injection vectors (PR numbers are typed as [int[]]) [PASS]
  • Git commands use properly scoped variables [PASS]

4. Command File (pr-review.md)

  • Documentation changes only, no executable code changes [PASS]
  • Reduced attack surface by removing redundant examples [PASS]

5. Secret Detection

No hardcoded credentials, API keys, or tokens detected in any changed files.

6. Labeler Configuration (.github/labeler.yml)

The change from any-glob-to-any-file to all-globs-to-all-files for negation patterns is a configuration fix with no security implications.

Recommendations

None required. All changes follow security best practices.

Verdict

VERDICT: PASS
MESSAGE: No security vulnerabilities detected. Actions pinned to SHAs, pull_request_target usage properly documented, no secrets exposed, no injection vectors.
QA Review Details

Let me validate the YAML syntax and review the code changes:

Now I have comprehensive context. Let me produce the QA Test Report.


Test Report: PR #227 - Fix PR #226 Review Comments and Labeler Workflow Issues

Summary

| Metric | Value |
| --- | --- |
| Total Tests | 0 (for changed files) |
| Passed | 0 |
| Failed | 0 |
| Skipped | N/A |
| Coverage | 0% |

Status

CRITICAL_FAIL

Test Coverage Assessment

| Area | Status | Evidence | Files Checked |
| --- | --- | --- | --- |
| Unit tests | Missing | NONE | scripts/Invoke-BatchPRReview.ps1 |
| Edge cases | Missing | No tests for error output capture | New-PRWorktree, Remove-PRWorktree |
| Error paths | Untested | New error message formatting untested | Lines 86-89, 164-167 |
| Assertions | N/A | No test file exists | tests/ directory lacks coverage |

Evidence

VERDICT: CRITICAL_FAIL
MESSAGE: Zero tests exist for modified PowerShell script (Invoke-BatchPRReview.ps1) with 281 lines of code

EVIDENCE:
- Tests found: 0 for 1 modified script (Invoke-BatchPRReview.ps1)
- Edge cases: Missing - error output capture not tested
- Error handling: Untested - git failure scenarios not verified
- Blocking issues: 1 (no tests for new functionality)

Quality Concerns

| Severity | Issue | Location | Evidence | Required Fix |
| --- | --- | --- | --- | --- |
| BLOCKING | No tests for Invoke-BatchPRReview.ps1 | scripts/Invoke-BatchPRReview.ps1 | 281 lines of code, 0 test coverage | Add Pester tests for New-PRWorktree and Remove-PRWorktree error handling |
| MEDIUM | Error message format change untested | Lines 86-89, 164-167 | Write-Error "Failed to create worktree for PR #$PRNumber: $output" | Verify error output is properly captured and displayed |
| LOW | YAML workflow changes lack integration test | .github/workflows/label-issues.yml, .github/workflows/label-pr.yml, .github/labeler.yml | Static config changes | Manual validation with test PR/issue recommended |

Regression Risk Assessment

  • Risk Level: Medium
  • Affected Components:
    • scripts/Invoke-BatchPRReview.ps1 - PowerShell git worktree management
    • .github/workflows/label-issues.yml - GitHub Actions issue labeling
    • .github/workflows/label-pr.yml - GitHub Actions PR labeling
    • .github/labeler.yml - Labeler configuration
    • .claude/commands/pr-review.md - Claude Code command documentation
  • Breaking Changes: None (fixes existing bugs)
  • Required Testing:
    1. Create test issue with title [bug]: Test and body containing add new feature - verify only bug label applied (not enhancement)
    2. Create test PR modifying only .agents/ markdown files - verify documentation label NOT applied
    3. Run Invoke-BatchPRReview.ps1 with invalid PR number - verify error message includes git output

Detailed Analysis

1. scripts/Invoke-BatchPRReview.ps1 Changes (Lines 86-89, 164-167)

Change: Capture git error output and include in error message

```powershell
# Before
git worktree add $worktreePath $branch 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "Failed to create worktree for PR #$PRNumber"
}

# After
$output = git worktree add $worktreePath $branch 2>&1
if ($LASTEXITCODE -ne 0) {
    # ${PRNumber} is braced: a ':' directly after a variable name inside a
    # double-quoted string is parsed as a scope/drive qualifier and fails to parse
    Write-Error "Failed to create worktree for PR #${PRNumber}: $output"
}
```

Assessment: Functional improvement, but no tests verify:

  • $output captures stderr correctly
  • Error message formatting is correct
  • Multi-line git error output is handled

2. .github/labeler.yml Changes (Lines 52-64)

Change: Use all-globs-to-all-files for negation patterns

```yaml
# Before (broken)
documentation:
  - changed-files:
      - any-glob-to-any-file:
          - "docs/**/*"
          - "**/*.md"
          - "!.agents/**/*.md"

# After (fixed)
documentation:
  - changed-files:
      - all-globs-to-all-files:
          - "**/*.md"
          - "!.agents/**/*.md"
          - "!.serena/memories/**/*.md"
          - "!src/**/*.md"
  - changed-files:
      - any-glob-to-any-file:
          - "docs/**/*"
```
Assessment: Correct per actions/labeler documentation. The any-glob-to-any-file does not properly support negation. Fix is correct.

3. .github/workflows/label-issues.yml Changes (Lines 95-101)

Change: Separate title prefix matching from content keyword matching

```javascript
// Before (false positives)
if (/^\[?bug\]?:?|\bbug\b|\bbroken\b/.test(content)) { /* ... */ }
if (/^\[?feat(ure)?\]?:?|\bfeature\b|\badd\b|\bnew\b/.test(content)) { /* ... */ }

// After (correct)
if (/^\[?bug\]?:?/i.test(title) || /\bbug\b|\bbroken\b/.test(content)) { /* ... */ }
if (/^\[?feat(ure)?\]?:?/i.test(title) || /\bfeature\b|\benhance(ment)?\b/.test(content)) { /* ... */ }
```

Assessment: Correct fix. Removed overly generic patterns (\badd\b, \bnew\b) that caused false positives. Title prefix patterns now check only title, not full content.

4. Action SHA Pinning

| Action | Before | After |
| --- | --- | --- |
| actions/github-script | @v7 | @f28e40c7f34bde8b3046d885e986cb6290c5673b |
| actions/labeler | @v5 | @8558fd74291d67161a8a78ce36a881fa63b766a9 |

Assessment: Complies with repository security policy requiring full commit SHA pinning.

5. .claude/commands/pr-review.md Changes

Assessment: Documentation-only changes following Claude Code Slash Commands format. Added YAML frontmatter, simplified workflow steps. No functional code changes.

Gaps Identified

| Gap | Impact |
| --- | --- |
| No Pester tests for Invoke-BatchPRReview.ps1 | Unable to verify error handling works correctly |
| No workflow integration tests | Labeler changes require manual validation |
| Regex pattern changes untested | Title vs content matching logic not verified |

Recommendations

  1. Add Pester tests for Invoke-BatchPRReview.ps1 covering:

    • New-PRWorktree with git failures
    • Remove-PRWorktree with git failures
    • Error message includes captured output
  2. Manual validation required before merge:

    • Create test issue with title [bug]: Test and body add new feature
    • Verify only bug label applied (not enhancement due to "add")
    • Create test PR with changes to .agents/*.md only
    • Verify documentation label is NOT applied
  3. Consider adding regex unit tests for label-issues.yml patterns


Final Verdict

VERDICT: CRITICAL_FAIL
MESSAGE: scripts/Invoke-BatchPRReview.ps1 has 281 lines with zero test coverage for new error handling

EVIDENCE:
- Tests found: 0 for 1 modified function (New-PRWorktree, Remove-PRWorktree)
- Edge cases: Missing - git stderr capture not tested
- Error handling: Untested - error message formatting not verified
- Blocking issues: 1 (untested error handling in I/O operations)

Rationale: Per QA guidelines, "Untested error handling for I/O, network, or file operations" is a CRITICAL_FAIL condition. The changes to New-PRWorktree and Remove-PRWorktree modify error handling for git operations (I/O) without corresponding tests.

Architect Review Details

Design Quality Assessment

| Aspect | Rating (1-5) | Notes |
| --- | --- | --- |
| Pattern Adherence | 4 | Changes follow established patterns, proper SHA pinning, defensive error handling |
| Boundary Respect | 5 | Clear separation: workflows, scripts, command definitions stay in their domains |
| Coupling | 5 | No new dependencies introduced, changes are isolated |
| Cohesion | 4 | Each file has single responsibility; minor documentation compression in pr-review.md |
| Extensibility | 4 | Regex patterns are maintainable, error output capture is reusable pattern |

Overall Design Score: 4.4/5

Architectural Concerns

| Severity | Concern | Location | Recommendation |
| --- | --- | --- | --- |
| Low | all-globs-to-all-files with multiple entries may not behave as expected | .github/labeler.yml:54-61 | Verify logic: all-globs requires ALL patterns to match ALL files; splitting into separate changed-files blocks is correct approach taken |
| Low | pr-review.md reduced from 166 to 153 lines; removed Prerequisites and Related Commands sections | .claude/commands/pr-review.md | Acceptable if Claude Code slash command format requires this; verify prerequisite info is available elsewhere |

Breaking Change Assessment

  • Breaking Changes: No
  • Impact Scope: None
  • Migration Required: No
  • Migration Path: N/A

All changes are backwards-compatible:

  • SHA pinning does not change action behavior
  • Regex fixes make patterns more precise (reduce false positives)
  • Error output capture adds information without changing control flow

Technical Debt Analysis

  • Debt Added: Low (none significant)
  • Debt Reduced: Medium (fixes regex over-matching, improves error diagnostics, standardizes command format)
  • Net Impact: Improved

ADR Assessment

  • ADR Required: No
  • Decisions Identified: None requiring ADR
  • Existing ADR: N/A
  • Recommendation: N/A

Changes are bug fixes and compliance corrections, not architectural decisions. SHA pinning is existing repo policy, not a new decision.

Recommendations

  1. Add integration test for labeler.yml patterns using actions/labeler dry-run mode if available
  2. Consider documenting the all-globs-to-all-files vs any-glob-to-any-file distinction in a comment for future maintainers

Verdict

VERDICT: PASS
MESSAGE: Bug fixes and compliance corrections with no architectural impact. Changes reduce false positives in labeling, improve error diagnostics, and follow existing repo policies for SHA pinning.
Roadmap Review Details

Let me check the product roadmap to understand strategic alignment.

Strategic Alignment Assessment

| Criterion | Rating | Notes |
| --- | --- | --- |
| Aligns with project goals | High | Fixes workflow automation and improves CI reliability. Supports multi-platform agent consistency. |
| Priority appropriate | High | Bug fixes to existing infrastructure. Addresses issues from prematurely merged PR #226. |
| User value clear | Medium | Indirect value through improved automation and error reporting. |
| Investment justified | High | Small, surgical fixes to existing code. Low effort, high reliability improvement. |

Feature Completeness

  • Scope Assessment: Right-sized. Fixes specific issues identified in review comments.
  • Ship Ready: Yes. Changes are minimal and targeted.
  • MVP Complete: Yes. All identified issues from PR feat(workflows): add static PR and issue labeling workflows #226 review are addressed.
  • Enhancement Opportunities: None. This is a corrective PR, not a feature.

Impact Analysis

| Dimension | Assessment | Notes |
| --- | --- | --- |
| User Value | Medium | Improves automation reliability. Prevents false positive labels. |
| Business Impact | Low | Infrastructure maintenance, no direct user-facing features. |
| Technical Leverage | Medium | Proper action pinning sets security baseline. Better error output aids debugging. |
| Competitive Position | Neutral | Standard maintenance work. |

Concerns

| Priority | Concern | Recommendation |
| --- | --- | --- |
| Low | Test plan items unchecked | Ensure label workflows are tested before merge. |

Recommendations

  1. This PR demonstrates proper remediation of a prematurely merged PR. The root cause analysis is documented.
  2. The changes align with repository policy (SHA pinning for actions) and correct genuine bugs (regex patterns, labeler negation).
  3. The retrospective and P1 issue commitment for guardrail improvements is appropriate.

Verdict

VERDICT: PASS
MESSAGE: Corrective maintenance PR that aligns with infrastructure reliability goals. Fixes legitimate bugs in CI workflows and improves error reporting in scripts. Low risk, appropriate scope.
DevOps Review Details

Based on my review of the changes, here is my DevOps analysis:


Pipeline Impact Assessment

| Area | Impact | Notes |
| --- | --- | --- |
| Build | None | No build process changes |
| Test | None | No test infrastructure changes |
| Deploy | None | No deployment changes |
| Cost | None | Workflows run same duration |

CI/CD Quality Checks

| Check | Status | Location |
| --- | --- | --- |
| YAML syntax valid | | All workflow files properly structured |
| Actions pinned | | label-pr.yml:38, label-issues.yml:36 |
| Secrets secure | | Only ${{ secrets.GITHUB_TOKEN }} used, proper masking |
| Permissions minimal | | label-pr.yml:18-19, label-issues.yml:14-15 |
| Shell scripts robust | | Invoke-BatchPRReview.ps1:86-89, 164-167 |

Findings

| Severity | Category | Finding | Location | Fix |
| --- | --- | --- | --- | --- |
| Low | Documentation | Security comment added for pull_request_target | label-pr.yml:7-11 | Good addition - no action needed |

Positive Changes Verified

  1. Actions pinned to SHA - Both actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 and actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b are properly pinned with version comments
  2. Labeler negation fix - Using all-globs-to-all-files for patterns with ! negation is correct per actions/labeler documentation
  3. Regex improvements - Separating title prefix checks (/^\[?bug\]?:?/i.test(title)) from content keyword matching (/\bbug\b/) reduces false positives
  4. Removed overly generic patterns - Removing \badd\b and \bnew\b prevents false enhancement labels
  5. Error output capture - PowerShell script now captures and displays git error output for better debugging

Template Assessment

  • PR Template: Not modified in this PR
  • Issue Templates: Not modified in this PR
  • Template Issues: N/A

Automation Opportunities

| Opportunity | Type | Benefit | Effort |
| --- | --- | --- | --- |
| None identified | - | - | - |

Recommendations

  1. The .claude/commands/pr-review.md refactoring is cleaner and follows Claude Code Slash Commands format correctly
  2. Consider adding workflow dispatch trigger for manual testing of labeler workflows

VERDICT: PASS
MESSAGE: CI/CD changes are well-configured with proper action pinning, correct labeler pattern syntax, and improved error handling.

Run Details
| Property | Value |
| --- | --- |
| Run ID | 20421157995 |
| Triggered by | pull_request on 229/merge |
| Commit | c7dfd8952d7c2ebec9c2bd35fbb4e86dd232bef8 |

Powered by AI Quality Gate - View Workflow
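The labeler matcher semantics discussed in several of the reviews above are easy to get wrong, so here is an added example (not actions/labeler code and not from this repository) that models the four v5 `changed-files` matchers as the action's README describes them, with a minimal glob-to-regex converter, and evaluates the before and after `documentation` rules quoted in the QA review against a few constructed change sets. The converter's `**` and `*` handling, the treatment of a leading `!` as per-file negation, and the OR-ing of sibling `changed-files` entries are assumptions taken from the documented behaviour; the matcher and rule names are the action's own.

```javascript
// Added example: a model of actions/labeler v5 `changed-files` matchers, written
// for this discussion and not taken from the action or this repository.
// Assumptions (from the action's README): '**' spans any number of path segments,
// '*' and '?' stay within one segment, a pattern starting with '!' matches a file
// that does NOT match the rest, and sibling changed-files entries are OR-ed.

function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*' && glob[i + 1] === '*') {
      if (glob[i + 2] === '/') { re += '(?:[^/]+/)*'; i += 2; } // '**/' = zero or more directories
      else { re += '.*'; i += 1; }                              // trailing '**' = anything
    } else if (c === '*') {
      re += '[^/]*';
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');           // escape regex metacharacters
    }
  }
  return new RegExp(`^${re}$`);
}

function globMatches(pattern, file) {
  const negated = pattern.startsWith('!');
  const hit = globToRegExp(negated ? pattern.slice(1) : pattern).test(file);
  return negated ? !hit : hit;
}

// The four matchers, named as in labeler.yml.
const matchers = {
  'any-glob-to-any-file':   (globs, files) => globs.some(g => files.some(f => globMatches(g, f))),
  'any-glob-to-all-files':  (globs, files) => globs.some(g => files.every(f => globMatches(g, f))),
  'all-globs-to-any-file':  (globs, files) => files.some(f => globs.every(g => globMatches(g, f))),
  'all-globs-to-all-files': (globs, files) => files.every(f => globs.every(g => globMatches(g, f))),
};

// A label applies when any of its changed-files entries matches.
function labelApplies(entries, changedFiles) {
  return entries.some(({ matcher, globs }) => matchers[matcher](globs, changedFiles));
}

// The `documentation` rule before and after the fix, as quoted in the QA review.
const documentationBefore = [
  { matcher: 'any-glob-to-any-file', globs: ['docs/**/*', '**/*.md', '!.agents/**/*.md'] },
];
const documentationAfter = [
  { matcher: 'all-globs-to-all-files', globs: ['**/*.md', '!.agents/**/*.md', '!.serena/memories/**/*.md', '!src/**/*.md'] },
  { matcher: 'any-glob-to-any-file', globs: ['docs/**/*'] },
];

// Constructed change sets (not real PRs).
const changeSets = [
  ['.agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md'],
  ['src/Program.cs'],
  ['README.md'],
  ['README.md', 'src/Program.cs'],
  ['docs/guide.md', 'src/Program.cs'],
];

for (const files of changeSets) {
  console.log(files.join(', '), '-> before:', labelApplies(documentationBefore, files),
              'after:', labelApplies(documentationAfter, files));
}
```

Run with `node`. The model shows why the old rule was wrong: under any-glob-to-any-file the negated glob `!.agents/**/*.md` on its own matches every file outside `.agents/`, so a PR touching only `src/Program.cs` was labelled `documentation`. It also makes the trade-off the architect review hints at concrete: all-globs-to-all-files requires every changed file to satisfy every glob, so a PR that changes `README.md` together with `src/Program.cs` no longer gets the label from the first entry and is labelled only if the second entry (`docs/**/*`) matches.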

rjmurillo-bot added a commit that referenced this pull request Dec 22, 2025
Document complete guardrail failure during autonomous agent execution:
- 7 MUST protocol violations
- 6 defects merged to main
- Root cause: trust-based compliance fails under autonomy

Creates P1 issue #230 for technical guardrail implementation.

Refs: #226, #229, #230

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Copilot AI left a comment

Contributor


Pull request overview

This PR addresses technical debt from PR #226, which was merged prematurely without proper review. The changes focus on fixing workflow configuration issues, improving error handling, and updating documentation to follow proper standards.

Key changes:

  • Fixed GitHub Actions labeler workflows with proper SHA pinning and corrected regex patterns
  • Improved PowerShell error diagnostics by capturing git command output
  • Updated Claude command documentation to follow standard frontmatter format

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file
| File | Description |
| --- | --- |
| scripts/Invoke-BatchPRReview.ps1 | Enhanced error messages by capturing and displaying git command output for worktree operations |
| .github/workflows/label-pr.yml | Pinned actions/labeler to commit SHA and added security documentation for pull_request_target usage |
| .github/workflows/label-issues.yml | Pinned actions/github-script to commit SHA and fixed bug/feature regex patterns to separate title prefix checks from content keyword matching |
| .github/labeler.yml | Fixed negation pattern handling by using all-globs-to-all-files for patterns with ! negation |
| .claude/commands/pr-review.md | Streamlined documentation with YAML frontmatter and simplified workflow instructions |

@coderabbitai

coderabbitai Bot commented Dec 22, 2025


Caution

Review failed

The pull request is closed.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Adds a PR #226 retrospective and autonomous-execution guardrails; expands PR-comment-responder to be session-aware with multi-phase completion checks; introduces labeler/labeler-skill docs and adjusts labeler/workflow YAMLs (pinning actions and title-prefix logic); small PowerShell diagnostic improvement; several memory/docs added.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Retrospective & Guardrails Docs: .agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md, .serena/memories/skill-autonomous-execution-guardrails.md | Add full post‑mortem for PR #226 (timeline, protocol violations, root cause, remediation plan, metrics, follow-ups) and a guardrails memory specifying mandatory pre-merge checks, anti‑patterns, and enforcement proposals (pre-commit hooks, CI/merge guards, unattended-exec protocols). |
| PR‑comment Responder / Session Flow: src/claude/pr-comment-responder.md, .claude/commands/pr-review.md | Introduce Phase‑0 session state check and session directory layout; add session-aware branching (detect NEW vs PREVIOUS comments); expand Phase 8 into subphases (verification, recheck, QA gate, completion checklist); update pr-review docs to pass per-PR session context and richer completion criteria. |
| Labeler Skills & Guidance: .agents/skills/github-labeler-skills.md, .serena/memories/skills-github-actions-labeler.md | New skill/memory documents cataloging labeler matcher patterns, negation handling, examples, validation history, anti-patterns, and concrete YAML guidance informed by recent failures/passes. |
| Workflows & Labeler Config: .github/labeler.yml, .github/workflows/label-issues.yml, .github/workflows/label-pr.yml | Pin labeler/labeler-action steps to specific commit SHAs; add pull_request_target security notes; set sync-labels: false; change title-prefix detection to be case-insensitive and include title-prefix checks for bug/enhancement; adjust docs glob rules with explicit exclusions for agent/memory paths. |
| Batch PR Review Script: scripts/Invoke-BatchPRReview.ps1 | Capture git worktree removal stdout/stderr in $output and append it to the removal-failure warning message. |
| QA Test Report & Metrics: .agents/qa/cursor-bot-fixes-test-report.md, .serena/memories/pr-comment-responder-skills.md | Document test outcomes and fixes (PowerShell message change; labeler config key adjustments), expand multi-PR telemetry and per-reviewer/per-PR breakdowns with updated actionability and false-positive metrics. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

  • Pay attention to:
    • Session/state handling in src/claude/pr-comment-responder.md — branching logic for NEW vs PREVIOUS comments and loopback conditions.
    • Phase 8 verification steps and QA gate checks for correctness and potential infinite-loop or race conditions.
    • Labeler matcher semantics and negation/exclusion patterns in .github/labeler.yml to avoid false positives/negations.
    • Workflow pins to commit SHAs and pull_request_target usage for fork-safety/security implications.
    • PowerShell $output capture — ensure it doesn’t suppress/generate oversized messages or change exit behavior.

Possibly related issues

Possibly related PRs

Suggested reviewers

  • Copilot
  • rjmurillo

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title follows conventional commit format with 'fix:' prefix and clearly describes the main change: addressing PR #226 review comments and labeler workflow issues. |
| Description check | ✅ Passed | The description is directly related to the changeset, providing detailed specification references, change breakdown, testing status, and related issues tied to PR #226. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5597833 and daddffb.

📒 Files selected for processing (7)
  • .agents/qa/cursor-bot-fixes-test-report.md
  • .agents/skills/github-labeler-skills.md
  • .claude/commands/pr-review.md
  • .github/labeler.yml
  • .serena/memories/pr-comment-responder-skills.md
  • .serena/memories/skills-github-actions-labeler.md
  • src/claude/pr-comment-responder.md

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai

coderabbitai Bot commented Dec 22, 2025


Caution

Review failed

Failed to post review comments

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

These changes document an incident failure, refactor PR review guidance, harden GitHub Actions workflows with pinned action versions, refine labeling rules for markdown files, and enhance error reporting in PowerShell worktree management functions.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Incident documentation: .agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md | New retrospective report documenting a premature merge failure with timeline, root causes, defects reached main, and remediation plans |
| Command documentation: .claude/commands/pr-review.md | Rewrote PR review command doc from execution-focused to workflow-driven format; reorganized steps, updated examples, refined parallel execution flow, consolidated constraints section |
| Labeler configuration: .github/labeler.yml | Split markdown documentation labeling into two rules: one matching all **/*.md with exclusions, another for docs/**/* only; changes how PRs are categorized for markdown file changes |
| Workflow updates: .github/workflows/label-issues.yml, .github/workflows/label-pr.yml | Pinned GitHub Actions to specific commit hashes for reproducibility; refined bug/enhancement detection in label-issues.yml to require title-prefix matches in addition to content keywords; added explicit sync-labels flag in label-pr.yml |
| PowerShell error handling: scripts/Invoke-BatchPRReview.ps1 | Enhanced New-PRWorktree and Remove-PRWorktree functions to capture and include command output in error messages on failure |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Labeler rule changes (.github/labeler.yml): Verify the new split logic correctly labels markdown files and doesn't create conflicts or duplicate labels
  • Detection logic refinement (.github/workflows/label-issues.yml): Ensure title-prefix matching works correctly for [Bug] and [Feat] prefixes and doesn't block valid issues
  • Documentation accuracy (.claude/commands/pr-review.md): Confirm rewritten workflow matches actual tool behavior and all examples are current

Possibly related PRs

Suggested reviewers

  • rjmurillo
  • Copilot

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | Title follows conventional commit format with 'fix:' prefix and clearly describes the main changes addressing PR #226 review issues and labeler workflow problems. |
| Description check | ✅ Passed | Description is directly related to the changeset, explaining the fixes to workflows, scripts, and documentation, plus the root cause of PR #226's premature merge. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
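To show why the labeler.yml change in the walkthrough above (one rule for **/*.md with exclusions) needs all-globs-to-all-files rather than any-glob-to-any-file, here is an added JavaScript model of the two matchers; it is not actions/labeler's own code. The rule globs and the changed-file lists are constructed, and only **, *, ? and a leading ! are supported.

```javascript
// Added example, not actions/labeler's own code: a minimal model of the two
// changed-files matchers, enough to show why a rule that mixes a positive
// glob with a "!" negation needs all-globs-to-all-files.
// Supports only "**", "*", "?" and a leading "!".

function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*' && glob[i + 1] === '*') {
      if (glob[i + 2] === '/') {
        re += '(?:.*/)?'; // "**/" spans zero or more directory levels
        i += 2;
      } else {
        re += '.*';       // trailing "**" spans the rest of the path
        i += 1;
      }
    } else if (c === '*') {
      re += '[^/]*';      // "*" never crosses a "/"
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&'); // escape regex metacharacters
    }
  }
  return new RegExp(`^${re}$`);
}

// True when `file` satisfies `glob`; a leading "!" inverts the match.
function matches(glob, file) {
  const negated = glob.startsWith('!');
  const hit = globToRegExp(negated ? glob.slice(1) : glob).test(file);
  return negated ? !hit : hit;
}

// any-glob-to-any-file: the label applies if ANY glob matches ANY changed file.
// A negated glob is satisfied by every file outside the excluded tree, so a
// PR that touches no markdown at all still gets the label.
function anyGlobToAnyFile(globs, files) {
  return globs.some((glob) => files.some((file) => matches(glob, file)));
}

// all-globs-to-all-files: the label applies only if EVERY changed file
// matches EVERY glob, which is the semantics the exclusion needs.
function allGlobsToAllFiles(globs, files) {
  return files.length > 0 && globs.every((glob) => files.every((file) => matches(glob, file)));
}

// Constructed rule: markdown anywhere, except under .github/.
const DOCS_RULE = ['**/*.md', '!.github/**'];

// Constructed changed-file sets for three PRs.
const PRS = {
  'code only': ['src/app.ts'],
  'docs only': ['README.md', 'docs/guide.md'],
  'workflow only': ['.github/labeler.yml'],
};

for (const [name, files] of Object.entries(PRS)) {
  console.log(`${name}: any-glob-to-any-file=${anyGlobToAnyFile(DOCS_RULE, files)}`
    + ` all-globs-to-all-files=${allGlobsToAllFiles(DOCS_RULE, files)}`);
}
```

The trade-off is that all-globs-to-all-files is strict: a PR mixing README.md with src/app.ts gets no label from this rule.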

rjmurillo-bot and others added 7 commits December 21, 2025 21:32
…rees

Add Claude command for processing multiple PR review comments in parallel:

- .claude/commands/pr-review.md: Main command documentation with usage examples
- .claude/commands/batch-pr-review.md: Detailed workflow specification
- scripts/Invoke-BatchPRReview.ps1: PowerShell helper for worktree management

Features:
- Process single or multiple PRs (comma-separated or all-open)
- Optional parallel execution with git worktrees for isolation
- Automatic cleanup: commit uncommitted changes, push, remove worktrees
- Progress monitoring and summary table output
- Error recovery for common failure scenarios

Usage:
  /pr-review 194                           # Single PR
  /pr-review 53,141,143 --parallel         # Multiple PRs with worktrees
  /pr-review all-open --parallel           # All open PRs needing review

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Clarify pr-comment-responder skill is optional (comment 2638201580, 2638201614)
- Improve warning message with actionable guidance (comment 2638201588)
- Add $LASTEXITCODE checks after git operations (comment 2638201593)
- Use default push behavior instead of hardcoded 'origin' (comment 2638201619)
- Add language specifier to usage code block (markdownlint MD040)

Comment 2638201604 dismissed as false positive - commit message already
contains "session" as shown in line 193.
Comment 2638201612 (missing tests) deferred to follow-up issue.

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…ommands format

- Add YAML frontmatter with description, argument-hint, and allowed-tools
- Use $ARGUMENTS for dynamic argument capture
- Add !-prefixed bash commands for context execution
- Streamline content while preserving critical constraints

Follows: https://code.claude.com/docs/en/slash-commands

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Repository policy requires all actions to be pinned to full-length commit SHAs.

- actions/labeler@v5 → @8558fd74291d67161a8a78ce36a881fa63b766a9
- actions/github-script@v7 → @f28e40c7f34bde8b3046d885e986cb6290c5673b

Fixes workflow run 20420863324 failure.

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes issues identified in Copilot review comments:

label-issues.yml:
- Fix bug/feature regex patterns: separate title prefix checks from content
  keyword matching (prefix patterns now check title only, not combined content)
- Remove overly generic patterns (\badd\b, \bnew\b) that caused false positives

labeler.yml:
- Fix negation patterns: use all-globs-to-all-files for patterns with ! negation
  (any-glob-to-any-file doesn't properly handle negation patterns)

label-pr.yml:
- Add security comment explaining pull_request_target is safe for labeler
  (action only reads file paths, doesn't execute PR code)

Invoke-BatchPRReview.ps1:
- Capture and display git error output in New-PRWorktree
- Capture and display git error output in Remove-PRWorktree

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
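As an added example (not the repository's label-issues.yml, whose real patterns are not shown on this page), the following JavaScript models the label-issues.yml fix described in the commit message above: title-prefix regexes that run against the title only, content keywords without the generic \badd\b and \bnew\b, and the old combined matching beside it to show the false positives. The regexes, the sample issues, and the assumption that either signal alone applies a label are constructed for illustration.

```javascript
// Added example, not the repository's label-issues.yml: a model of the fixed
// bug/enhancement detection. All regexes here are constructed stand-ins; the
// workflow's real patterns are not shown on this page.

// Title-prefix checks: applied to the issue title only (the fix).
const TITLE_PREFIX = {
  bug: /^\s*\[bug\]/i,
  enhancement: /^\s*\[feat(?:ure)?\]/i,
};

// Content keywords: applied to title + body. The generic \badd\b and \bnew\b
// are gone; only words that clearly signal a defect or a request remain.
const CONTENT_KEYWORDS = {
  bug: /\b(?:crash(?:es)?|error|broken|regression|stack trace)\b/i,
  enhancement: /\b(?:feature request|enhancement|proposal)\b/i,
};

// The pre-fix shape: prefix and keywords in one pattern, run over the combined
// text, with the generic words that caused false positives.
const OLD_PATTERNS = {
  bug: /\[bug\]|\b(?:bug|crash(?:es)?|error|broken)\b/i,
  enhancement: /\[feat\]|\b(?:feature|add|new)\b/i,
};

// Pre-fix classifier: returns the labels that would have been applied.
function classifyIssueOld(title, body) {
  const combined = `${title}\n${body}`;
  return Object.keys(OLD_PATTERNS)
    .filter((label) => OLD_PATTERNS[label].test(combined))
    .sort();
}

// Fixed classifier. Assumption (not stated on the page): a label is applied
// when either the title prefix or a content keyword matches.
function classifyIssue(title, body) {
  const combined = `${title}\n${body}`;
  const labels = new Set();
  for (const label of Object.keys(TITLE_PREFIX)) {
    if (TITLE_PREFIX[label].test(title)) labels.add(label);
  }
  for (const label of Object.keys(CONTENT_KEYWORDS)) {
    if (CONTENT_KEYWORDS[label].test(combined)) labels.add(label);
  }
  return [...labels].sort();
}

// Constructed sample issues: two genuine, two that only the old patterns label.
const SAMPLES = [
  { title: '[Bug] Login page crashes on submit', body: 'Steps to reproduce: ...' },
  { title: '[Feat] Support dark mode', body: '' },
  { title: 'Docs: add link to CONTRIBUTING', body: 'Small docs change.' },
  { title: 'Typo in README', body: 'Related to the item titled [Bug] login.' },
];

for (const { title, body } of SAMPLES) {
  console.log(`${title} | old: [${classifyIssueOld(title, body)}] | new: [${classifyIssue(title, body)}]`);
}
```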
Document complete guardrail failure during autonomous agent execution:
- 7 MUST protocol violations
- 6 defects merged to main
- Root cause: trust-based compliance fails under autonomy

Creates P1 issue #230 for technical guardrail implementation.

Refs: #226, #229, #230

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings December 22, 2025 05:37

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Comment thread .claude/commands/pr-review.md Outdated
Comment thread .claude/commands/pr-review.md Outdated
Comment thread .claude/commands/pr-review.md
Comment thread .claude/commands/pr-review.md

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
.claude/commands/pr-review.md (1)

91-102: Fix bash placeholder syntax.

Past review comment remains unresolved: {main_repo} is not valid bash syntax. Use $main_repo if it's a variable, or replace with actual command like git rev-parse --show-toplevel. The placeholder appears to be documentation-only but could confuse users trying to execute the code.

🔎 Suggested fix
-cd "{main_repo}"
+cd "$(git rev-parse --show-toplevel)"
 for pr in pr_numbers; do
     worktree_path="../worktree-pr-${pr}"
     cd "$worktree_path"
     status="$(git status --short)"
     if [[ -z "$status" ]]; then
-        cd "{main_repo}"
+        cd "$(git rev-parse --show-toplevel)"
         git worktree remove "$worktree_path"
     else
         echo "WARNING: worktree-pr-${pr} has uncommitted changes"
     fi
 done
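Review bot: the suggested cd "$(git rev-parse --show-toplevel)" inside the loop does not get back to the main repository. After cd "$worktree_path" the shell is inside a linked worktree, and git rev-parse --show-toplevel there resolves to that worktree's own root, so the second cd is a no-op and git worktree remove "$worktree_path" runs with the working directory still inside the worktree being removed. Capture the main checkout once before the loop, e.g. main_repo="$(git rev-parse --show-toplevel)" at the top, and cd "$main_repo" at both points. Separately, for pr in pr_numbers; do iterates over the literal word pr_numbers rather than a variable's contents and needs "${pr_numbers[@]}" (or "$pr_numbers" if it is a plain string).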
🧹 Nitpick comments (1)
.claude/commands/pr-review.md (1)

107-122: Example output simplified.

Past reviewer noted that the multi-PR example (showing both #53 and #141) was clearer. Current single-row example is still valid but less illustrative for the multi-PR use case documented in this command.

📜 Review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 41071f9 and 15b4a89.

📒 Files selected for processing (7)
  • .agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md
  • .claude/commands/pr-review.md
  • .github/labeler.yml
  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
  • .serena/memories/skill-autonomous-execution-guardrails.md
  • scripts/Invoke-BatchPRReview.ps1
🧰 Additional context used
📓 Path-based instructions (71)
{.github/workflows/*,*/.githooks/*,Dockerfile}

📄 CodeRabbit inference engine (.agents/governance/interviews/security-interview.md)

Review infrastructure code changes including GitHub Actions workflows, git hooks, and Dockerfile for security vulnerabilities

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
{.githooks/**,**/.github/**,**/infrastructure/**,**/config/**,**/*.tf,**/*.yml,**/*.yaml}

📄 CodeRabbit inference engine (.agents/metrics/baseline-report.md)

Infrastructure files (including .githooks/pre-commit) must receive security review before deployment

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
  • .github/labeler.yml
.github/workflows/*

📄 CodeRabbit inference engine (.agents/metrics/dashboard-template.md)

Ensure infrastructure files in GitHub workflows directory are reviewed by agents with target rate of 100%

Implement full CodeRabbit enforcement for CI/CD workflow files in .github/workflows/ directory

.github/workflows/*: Detect files matching .github/workflows/* as infrastructure changes requiring specialist review from devops and security agents
GitHub Actions workflows must include an explicit permissions block with minimally privileged permissions
GitHub Actions workflows must not use pull_request_target trigger with actions/checkout action using pull request head SHA reference, as this creates a dangerous security pattern
GitHub Actions workflows requiring test reporting must explicitly grant checks: write permission for dorny/test-reporter compatibility
GitHub Actions workflows must avoid using overly permissive permissions: write-all and instead use explicit minimal permissions

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/security/infrastructure-file-patterns.md)

GitHub Actions workflow files (.github/workflows/*.yml and .github/workflows/*.yaml) should trigger security agent review due to critical security implications

Add security detection check to CI/CD pipelines to analyze staged files for infrastructure changes before implementation

.github/workflows/*.{yml,yaml}: Infrastructure files (.github/workflows/) require devops and security agent review before commit
Add pre-commit validation that fails on infrastructure files (.github/workflows/) lacking security review documentation
Infrastructure files must include a security impact analysis document before creation or modification
Retroactive security review is required for quick-fix changes to workflow files made without pre-commit review
Workflow files must validate that all required permissions are explicitly declared and justified

Keep workflow YAML files light and thin - MUST NOT put complex logic in workflow YAML files; use thin workflows with calls to external testable modules or skills

GitHub Actions workflows should remain thin and delegate complex logic to PowerShell modules rather than embedding bash-like commands in workflow YAML run blocks

.github/workflows/*.{yml,yaml}: Never use || true pattern without explicit error handling and ADR justification
Do not use || true error suppression in workflows without documenting rationale in an ADR

Use thin workflow pattern: minimize logic in YAML files, delegate complex operations to PowerShell modules

.github/workflows/*.{yml,yaml}: Use YAML heredoc with proper indentation for multi-line GitHub Actions values
Use GH_TOKEN for auto-authentication in GitHub Actions shell scripts
Use fixed-length lookbehinds for regex patterns in GitHub Actions
GitHub Actions outputs must be single-line format
Matrix jobs in GitHub Actions should use artifacts for output storage
Use environment variables for shell command interpolation in GitHub Actions to prevent injection vulnerabilities
Use verdict tokens for str...

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
{.github/workflows/**,{.githooks,husky}/**,**/Auth/**,**/Security/**}

📄 CodeRabbit inference engine (.agents/utilities/security-detection/SKILL.md)

CI/CD workflow files (.github/workflows/*), git hooks (.githooks/*, .husky/*), and authentication code (**/Auth/**, **/Security/**) require security agent review (CRITICAL level)

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
.github/workflows/*.yml

📄 CodeRabbit inference engine (.agents/analysis/pr41-issue-analysis.md)

.github/workflows/*.yml: Use dotnet-nunit reporter in dorny/test-reporter@v1 when Pester tests output NUnitXml format
Add explicit permissions block to GitHub Actions workflow jobs, specifying minimal required permissions (e.g., contents: read and checks: write for test reporting workflows)

.github/workflows/*.yml: Use minimal GitHub Actions permissions in CI workflows
Add workflow_dispatch trigger to GitHub Actions workflows for manual triggering capability
Add PowerShell-Yaml module installation step in CI workflows
Use ubuntu-latest for drift detection CI workflows for lighter weight execution
Add issue deduplication for drift alerts in GitHub Actions workflows
Use path filtering appropriately scoped in GitHub Actions workflows

CI/CD pipeline must include a drift-linting job that compares Claude agent content against generated VS Code and Copilot CLI variants on every PR modifying agent files

Create automated CI validation to detect absolute paths (Windows, macOS, Linux patterns) in markdown files with colored output, line numbers, and remediation steps

Configure concurrency groups in GitHub Actions workflows to prevent comment spam and race conditions when multiple commits trigger parallel workflow runs on the same PR

.github/workflows/*.yml: Remove silent || true error suppression from critical operations; instead track failures in arrays and provide summarized error reporting at workflow completion
Use minimal token scopes in GitHub Actions workflows: use repo scope for read-only operations, issues:write for issue modifications, and workflow permissions declarations following principle of least privilege

.github/workflows/*.yml: Store heredoc content in separate files instead of inline within YAML run: blocks to avoid YAML parsing errors when content lacks proper indentation
Use github.token (workflow's built-in token) for PR comments in GitHub Actions instead of service account PATs, as it automatically has write access t...

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
.github/**/*.yml

📄 CodeRabbit inference engine (.agents/planning/prd-pre-pr-security-gate.md)

Detect files matching .github/**/*.yml as infrastructure changes requiring specialist review from devops and security agents

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
  • .github/labeler.yml
.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/retrospective/pr-feedback-remediation.md)

Use 'ubuntu-latest' for CI runner preference instead of 'windows-latest' for significantly faster performance, except for PowerShell Desktop or Windows-specific features

.github/workflows/**/*.{yml,yaml}: Workflows should be thin and contain only orchestration logic; all business logic (parsing, validation, formatting) must be extracted to PowerShell modules (.psm1)
Keep workflow YAML files to a maximum of 100 lines (orchestration only)
Do not parse complex strings (verdict, labels, etc.) in workflow YAML run: blocks; delegate to PowerShell modules
Do not validate business rules directly in workflow YAML; delegate to PowerShell modules
All PowerShell scripting for workflows must be PowerShell-only (no bash or other shell languages embedded in workflows)

.github/workflows/**/*.{yml,yaml}: PowerShell used consistently for label and milestone parsing in AI workflow (extract parsing logic to AIReviewCommon.psm1::Get-LabelsFromAIOutput rather than inline bash)
Use ::error:: GitHub Actions format for error output instead of echo or Write-Error to ensure errors are properly captured and cause workflow failure
Remove all '|| true' patterns and silent failure suppression in workflow steps - errors must be aggregated and reported explicitly using ::error:: format
Add token masking with ::add-mask:: before using secrets in workflow run steps to prevent accidental token leakage in logs
Replace secrets.BOT_PAT with github.token for issue and PR operations to minimize token privileges and reduce security attack surface
Document minimum required token scopes in workflow comments for each operation (e.g., 'repo' scope for issue edit and label application, 'read' scope for readonly operations)
Extract AI workflow parsing logic to testable PowerShell module functions (AIReviewCommon.psm1) rather than inline bash - enables unit testing in isolation and reduces regression risk

.github/workflows/**/*.{yml,yaml}: Use bash/PowerShell error collection pattern: initialize FAILED_...

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
**/.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/skills/ci-runner-preference.md)

**/.github/workflows/*.{yml,yaml}: Use ubuntu-latest (or linux-latest) runners for GitHub Actions workflows instead of windows-latest for better CI/CD pipeline performance
Only use windows-latest runner when PowerShell Desktop (5.1) is required, Windows-specific features are needed, or testing Windows-only scenarios
Prefer PowerShell Core (pwsh) over PowerShell Desktop for GitHub Actions scripts to enable cross-platform compatibility on Linux runners

Workflows SHOULD be less than 100 lines, containing orchestration only. Business logic SHOULD be extracted to PowerShell modules (.psm1).

PowerShell workflow files must follow the thin-workflow pattern where orchestration logic stays in the workflow and business logic is extracted to reusable modules

Maintain consistent token scopes and authentication strategy throughout workflows; use the same token source for all related operations to avoid permission errors

**/.github/workflows/*.{yml,yaml}: Avoid code injection vulnerabilities by never directly interpolating unsanitized GitHub context variables (like ${{ github.event.issue.title }} or ${{ github.event.issue.body }}) into bash commands; instead save them to files using heredoc syntax and read them back
Use toJSON() to escape GitHub context variables when passing them to bash commands, or employ input validation before using variables in shell contexts
GitHub Actions workflows should request only the minimum necessary permissions (principle of least privilege) required for their operations

**/.github/workflows/*.{yml,yaml}: When ≥2 GitHub Actions workflows share logic, extract to composite action with parameterized inputs for reusability
GitHub Actions workflow files should include YAML syntax validation and actionlint checks in pre-commit configuration

**/.github/workflows/*.{yml,yaml}: Use artifacts instead of job outputs for passing data between matrix jobs in GitHub Actions workflows
Use environment variables for shell variable expans...

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
.github/workflows/**

📄 CodeRabbit inference engine (.agents/steering/security-practices.md)

Implement OWASP Top 10 prevention practices in GitHub Actions workflows

Use secure defaults and minimal exposure for security misconfiguration prevention

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml

⚙️ CodeRabbit configuration file

.github/workflows/**: SECURITY-CRITICAL PATH - ASSERTIVE ENFORCEMENT
Review for:
  • Authentication and authorization (secrets handling, OIDC)
  • Credential exposure (env vars, git output, logs)
  • Injection vulnerabilities (command injection, script injection)
  • Race conditions (concurrent jobs, artifact operations)
  • Resource exhaustion (limits on runners, matrix expansions)
Flag:
  • Unquoted variables in shell commands
  • Direct use of user input in scripts
  • Missing error handling and early exit conditions
  • Hardcoded secrets or credentials
  • Unsafe use of 3rd party actions
DO NOT IGNORE any security-related findings on this path.

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
.github/workflows/**/*.yml

📄 CodeRabbit inference engine (.agents/architecture/DESIGN-REVIEW-pr-60-remediation-architecture.md)

Use GitHub Actions workflow steps with PowerShell for JSON parsing and data manipulation; reserve bash only for simple npm install, git operations, and environment variable exports

Aggregate errors across workflow steps using error accumulation arrays and export failure summary via GITHUB_OUTPUT

.github/workflows/**/*.yml: GitHub Actions workflows orchestrating multiple agents should use matrix strategy with fail-fast: false to ensure all reviews complete
Use artifact passing (not job outputs) to transfer data between workflow jobs when using matrix strategy
Implement idempotency in workflow comment generation using comment markers to distinguish update vs create operations
Use skip optimization to check for docs-only changes before executing expensive AI review jobs
Add CI validation step to verify prompt templates include required output format markers before merging

.github/workflows/**/*.yml: Replace bash parsing with PowerShell functions in GitHub Actions workflows - use Get-LabelsFromAIOutput and Get-MilestoneFromAIOutput from AIReviewCommon.psm1 instead of bash grep/tr/xargs to prevent command injection (CWE-78) and word splitting vulnerabilities (CWE-20)
In GitHub Actions workflows parsing AI output, never use bash xargs, unquoted variable expansion, or for loops with simple string parsing - replace with PowerShell cmdlets that handle structured output safely
Verify PowerShell Core is available on GitHub Actions ubuntu-latest runner before using PowerShell in workflows

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
**/.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/governance/PROJECT-CONSTRAINTS.md)

**/.github/workflows/**/*.{yml,yaml}: MUST NOT put business logic in workflow YAML files
SHOULD keep workflows under 100 lines (orchestration only)

Workflows must be thin and composed of testable, reusable modules

Follow Copilot follow-up PR naming convention: copilot/sub-pr-{original_pr_number} for branches targeting the original PR's base branch

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
**/.github/**/*.{yml,yaml,sh,bash}

📄 CodeRabbit inference engine (.agents/planning/PR-60/001-pr-60-review-gap-analysis.md)

Use unique identifiers (e.g., run ID, timestamp) for temporary file paths in CI/CD workflows to prevent conflicts in concurrent runs on shared runners

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
  • .github/labeler.yml
**/.github/workflows/**/*.yml

📄 CodeRabbit inference engine (.agents/planning/PR-60/004-pr-60-implementation-review.md)

**/.github/workflows/**/*.yml: Replace bash label parsing in GitHub Actions workflows with PowerShell validation to prevent command injection via untrusted AI output
Validate all label strings against regex pattern '^[\w-.\s]{1,50}$' before applying to GitHub issues
Validate all category strings against regex pattern '^[\w-]{1,30}$' before using in workflow outputs
Validate all milestone strings against regex pattern '^[\w-.\s]{1,50}$' before assigning to issues
Use explicit error handling with informative error messages instead of '|| true' for GitHub CLI (gh) commands that should not fail silently
Keep '|| true' only for commands where empty/missing results are valid expected outcomes (e.g., grep with no matches, find with no results)
Verify GitHub CLI authentication status is successful before attempting API operations in CI workflows
Log validation rejections with details (invalid format, rejected label) for debugging label application failures
Provide detailed error messages in GitHub Actions workflow steps including context (what failed, why, what to check)
Use PowerShell 'Write-Host' with color output for structured workflow logging instead of plain echo statements
Use '|| true' in workflows only for commands where missing data is an expected valid state; document the reason in comments
Validate workflow inputs and outputs against strict regex patterns before using them in GitHub API commands

**/.github/workflows/**/*.yml: Use environment variables instead of direct ${{ }} template syntax in shell scripts to prevent shell injection attacks
Use artifacts instead of job outputs to pass data between matrix job legs, since outputs only expose one matrix leg
Prepare multi-line content via prior steps with GITHUB_OUTPUT heredoc syntax rather than attempting to execute shell commands in YAML with: inputs

Ensure GitHub workflow YAML files that use skip-validation jobs include a checkout step if equivalent reference implementations contain one

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
**/.github/workflows/*.yml

📄 CodeRabbit inference engine (.agents/planning/PR-60/007-phase-1-detailed-schedule.md)

Use PowerShell-only code (no bash, Python, or shell scripts) with all workflow steps configured with 'shell: pwsh' per ADR-006

Use quoted heredoc (with 'EOF' delimiter) for safely handling github.event.pull_request.title and github.event.pull_request.body in bash env vars to prevent code injection

GitHub Actions workflows must use PowerShell functions from exported modules rather than inline bash parsing (grep/sed/tr) for consistent security and testability

In workflow comments, use explicit language about verdict behavior and consequences (e.g., 'should cause the check to FAIL (block merge)' rather than ambiguous phrasing)

**/.github/workflows/*.yml: Use PowerShell syntax (shell: pwsh) for GitHub workflow steps when handling untrusted AI output
Import PowerShell modules using correct relative path format (Import-Module .github/scripts/AIReviewCommon.psm1) in GitHub workflows to ensure module dependencies are properly resolved
Use PowerShell environment variables for all user input in GitHub workflows instead of direct bash variable interpolation to eliminate word-splitting vulnerabilities

Use $env:GITHUB_WORKSPACE with absolute paths instead of relative ./ prefix when importing PowerShell modules in GitHub Actions workflows

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
**/.github/{scripts,workflows}/*.{sh,yml}

📄 CodeRabbit inference engine (.agents/planning/pr-60-focused-plan.md)

Use sed with POSIX character classes instead of grep -P for regex patterns to ensure portability across Linux and macOS (grep -P is GNU-only)

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
.github/{workflows,scripts}/**/*.{yml,yaml,sh}

📄 CodeRabbit inference engine (.agents/planning/pr-60-security-review.md)

.github/{workflows,scripts}/**/*.{yml,yaml,sh}: Avoid leaking sensitive information or internal configuration details in error messages and workflow logs that could be visible to attackers. Use generic error messages in production and reserve detailed diagnostics for debug logs only.
Sanitize and validate all untrusted user input (such as GitHub event data like PR titles, issue bodies, commit messages) before using in shell commands, API calls, or other operations that could interpret special characters.
When updating GitHub comments in workflows, use idempotent markers (HTML comments with unique identifiers) in comment bodies to enable safe updates by specific comment ID rather than relying on comment position.

Enforce ADR-005 with pre-commit hook rejecting bash in .github/workflows/ and .github/scripts/ directories

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
**/.github/{workflows,scripts,prompts}/**

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-18-ai-workflow-implementation.md)

AI automation in CI/CD requires verdict tokens (PASS/WARN/CRITICAL_FAIL) for deterministic bash parsing without AI interpretation

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
{.github/**/*.sh,.github/workflows/*.yml,.github/actions/**/*.yml}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-04-ai-workflow-debugging.md)

Avoid explicit gh auth login --with-token when GH_TOKEN environment variable is already set, as gh CLI automatically uses the env var and will fail with exit code 1

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
**/.github/{workflows,actions}/**/*.yml

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-13-workflow-lessons.md)

Use composite actions to encapsulate reusable workflow steps (Node.js/npm/Copilot CLI setup, authentication, agent loading, verdict parsing)

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
**/.github/workflows/***.yml

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-13-workflow-lessons.md)

Convert single-job loops to multi-job matrix structures (detect → validate → aggregate) for parallel validation with artifact passing

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
{.github/**/*.{sh,yml,yaml},**/*.sh}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-34-pr-60-comment-response.md)

{.github/**/*.{sh,yml,yaml},**/*.sh}: Avoid gh auth login authentication patterns; use session-based authentication instead (reference Session 04 for implementation details)
Use secret masking for sensitive tokens like BOT_PAT in shell commands and CI/CD workflows

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
  • .github/labeler.yml
**/{.github/workflows/*.yml,.github/scripts/*.psm1}

📄 CodeRabbit inference engine (.agents/qa/057-pr-222-import-module-standardization.md)

Standardize Import-Module paths to use $env:GITHUB_WORKSPACE variable instead of relative paths

Files:

  • .github/workflows/label-issues.yml
  • .github/workflows/label-pr.yml
scripts/**/*.ps1

📄 CodeRabbit inference engine (.agents/security/infrastructure-file-patterns.md)

PowerShell scripts in scripts directory (scripts/**/*.ps1) should trigger security agent review due to high security implications

Validation scripts belong in scripts/ directory; may duplicate to .agents/utilities/ for agent access

All scripts must avoid credential handling and should not store or process sensitive authentication information

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,psm1,psd1}

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-15-cva-install-scripts.md)

Extract environment variations to .psd1 data files, keeping logic generic rather than hardcoding configuration in scripts

Convert PathInfo objects to string representations when passing to string-typed parameters to prevent type mismatch errors

Files:

  • scripts/Invoke-BatchPRReview.ps1
scripts/**/*.{ps1,psm1,psd1}

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-15-documentation-gap.md)

Create module-specific README documentation for PowerShell scripts and modules, including parameter documentation and usage examples

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,psd1}?(@(test|spec))

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-15-install-scripts-session.md)

Use BeforeAll blocks for all variable initialization in Pester 5.x tests; avoid variable assignments outside BeforeAll during Discovery phase

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.ps1

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-15-instruction-files-gap.md)

User instruction files should be excluded from agent file copying during installation to prevent them from being treated as agent files

Use .Path property to extract string value from PathInfo objects returned by Resolve-Path in PowerShell (e.g., (Resolve-Path $Path).Path instead of Resolve-Path $Path)

PowerShell scripts should normalize output line endings (convert CRLF to LF) when output is intended to be processed by shell commands like grep to ensure cross-platform compatibility

Use -cmatch instead of -match when pattern requires case-sensitive matching in PowerShell validation scripts (e.g., EPIC vs epic for naming conventions)

**/*.ps1: In PowerShell script scope, use exit with explicit exit codes instead of return; return exits with code 0 regardless of boolean value
Document the bash-PowerShell exit code contract explicitly in PowerShell script comments: exit code 0 means success, non-zero means failure

When combining ShouldProcess with PassThru in PowerShell cmdlets: always provide explicit return value in else branch when ShouldProcess returns false

Before executing any PowerShell generation script, audit its code for alignment with known user requirements and identify dead/unused functions

**/*.ps1: Create regression tests for PowerShell scripts covering wildcard character detection, path resolution correctness, and edge cases when fixing path handling logic
In PowerShell, validate wildcard detection logic by distinguishing between literal wildcard characters (? and *) vs. actual wildcard patterns, using the -like operator correctly with character class escaping (e.g., *[?]* instead of *?*)

**/*.ps1: Before implementing features search for pre-existing test coverage
When tests pre-exist run them first to understand feature expectations
Use deep cloning to preserve source data integrity when transforming configurations
Use regex with exact match anchors (^...$) to prevent partial matches in configuration transformations
Up...

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/{install,*.ps1,*.json}

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-15-instruction-files-gap.md)

Verify that all files referenced in installer configuration (InstructionsFile, SourceDir, etc.) exist in their expected locations before release

Files:

  • scripts/Invoke-BatchPRReview.ps1
{install.ps1,build/**/*.{ps1,sh},scripts/**/*.{ps1,sh}}

📄 CodeRabbit inference engine (.agents/roadmap/epic-agent-consolidation.md)

Build script must generate platform-specific YAML frontmatter for VS Code and Copilot CLI variants at build time

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{md,json,yml,yaml,ps1,sh,bash,toml,ini,cfg,config,txt}

📄 CodeRabbit inference engine (.agents/retrospective/phase1-remediation-pr43.md)

Use relative paths only in documentation and configuration files; avoid absolute paths (e.g., C:\ on Windows) to prevent environment contamination and maintain cross-platform portability

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,psm1}

📄 CodeRabbit inference engine (.agents/steering/powershell-patterns.md)

**/*.{ps1,psm1}: Use approved verbs for PowerShell functions (Get-, Set-, New-, Remove-, etc.)
Implement parameter conventions and validation in PowerShell functions
Use proper error handling with ErrorActionPreference, try/catch blocks in PowerShell
Follow PowerShell pipeline usage and best practices for function design
Use comment-based help standards in PowerShell functions
Implement advanced function templates with CmdletBinding attribute
Use parameter validation attributes in PowerShell functions
Handle pipeline input properly in PowerShell cmdlets
Implement progress reporting for long-running PowerShell operations
Use proper configuration management patterns in PowerShell
Avoid using aliases in PowerShell scripts
Never suppress errors without proper error handling in PowerShell
Avoid hardcoded paths in PowerShell scripts

Use .claude/skills/github/ scripts for GitHub operations. NEVER use raw gh commands directly.

**/*.{ps1,psm1}: All PowerShell scripts (.ps1, .psm1) must include corresponding Pester test files (.Tests.ps1) with test coverage
PowerShell modules should use type safety, object pipelines, and structured error handling rather than string-based output

**/*.{ps1,psm1}: Use PowerShell regex pattern ^[a-zA-Z0-9][a-zA-Z0-9 _\-\.]{0,48}[a-zA-Z0-9]?$ for GitHub label validation to allow spaces in labels
All GitHub label validation must reject empty strings, accept single characters only if alphanumeric, reject newlines and tabs, enforce maximum 50 character limit per GitHub's specifications, and allow spaces in label names
Document all regex edge cases including empty string rejection, single character handling, newline/tab rejection, and character limit rationale in PowerShell code comments

MUST use PowerShell for all scripting (.ps1, .psm1)

**/*.{ps1,psm1}: Sanitize all values written to $env:GITHUB_OUTPUT by escaping newlines and special characters to prevent injection of arbitrary output variables
Quote label names in gh commands or...

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,yml,yaml,md}

📄 CodeRabbit inference engine (.agents/analysis/003-session-protocol-skill-gate.md)

Validate skill availability before implementing GitHub operations - Check if .claude/skills/github/ directory exists and contains the required capability; list available GitHub skill scripts; read the skill-usage-mandatory memory; document available skills in session log; use existing skills if they exist rather than writing inline code

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,yml,yaml}

📄 CodeRabbit inference engine (.agents/analysis/003-session-protocol-skill-gate.md)

NEVER use raw gh commands (like gh pr view, gh issue create, gh api) when a Claude skill exists for that functionality - Always use the tested skill scripts from .claude/skills/github/ instead of writing inline commands

**/*.{ps1,yml,yaml}: Use atomic gh label create $label --force operation instead of separate check + create steps to prevent TOCTOU race conditions
Implement all 4 mandatory Phase 1 security hardening conditions (label creation atomicity, auth check always-run, GITHUB_OUTPUT sanitization, debug file path randomization) before merge approval

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/{ai-issue-triage.yml,*.ps1}

📄 CodeRabbit inference engine (.agents/analysis/004-pr-60-gap-coverage-validation.md)

Add explicit exit code checks for npm and GitHub CLI commands instead of using || true error suppression patterns

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{yml,yaml,ps1}

📄 CodeRabbit inference engine (.agents/analysis/004-pr-60-gap-coverage-validation.md)

Generate unique temporary directories for each workflow run using timestamped or UUID-based naming to prevent directory collision

Ensure authentication checks always run and are not skipped by conditional logic in diagnostics mode - remove or restructure conditions that bypass authentication

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,psm1,yml,yaml}

📄 CodeRabbit inference engine (.agents/planning/PR-60/006-agent-validation-sign-offs.md)

Align all PowerShell implementations with ADR-005 (PowerShell-only requirement) and ADR-006 (thin workflows principle) to maintain architecture coherence

Add rate limiting for label operations to prevent DoS of GitHub API quota by capping the maximum number of labels per issue

Files:

  • scripts/Invoke-BatchPRReview.ps1
{**/*.yml,**/*.ps1}

📄 CodeRabbit inference engine (.agents/planning/PR-60/007-phase-1-detailed-schedule.md)

Verify exit code after each critical command (gh issue edit, npm install) in PowerShell workflows and scripts

Files:

  • scripts/Invoke-BatchPRReview.ps1
{**/*.ps1,**/*.yml}

📄 CodeRabbit inference engine (.agents/planning/PR-60/007-phase-1-detailed-schedule.md)

Remove or justify all '|| true' patterns in PowerShell scripts and workflows to prevent silent failures

Files:

  • scripts/Invoke-BatchPRReview.ps1
{**/*.psm1,**/*.ps1}

📄 CodeRabbit inference engine (.agents/planning/PR-60/007-phase-1-detailed-schedule.md)

Replace 'exit 1' with 'throw' statements in PowerShell modules and scripts for proper exception handling

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{md,js,ts,tsx,jsx,json,yaml,yml,sh,ps1}

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-18-serena-memory-reference-migration.md)

Search entire codebase for pattern before migration to identify all references

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,psm1,sh,bash}

📄 CodeRabbit inference engine (.agents/security/SR-PR60-implementation-review.md)

Use unique, secured temporary file paths with random identifiers and cleanup logic instead of hardcoded predictable paths like /tmp/categorize-output.txt

Files:

  • scripts/Invoke-BatchPRReview.ps1
scripts/*.ps1

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-21-check-skill-exists.md)

PowerShell scripts must support -Operation, -Action, and -ListAvailable parameters with ValidateSet constraint for valid operations

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{js,ts,ps1,py,json,yaml,yml,md}

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-19-skill-extraction-summary.md)

Use identical syntax for all instances when migrating patterns to maintain consistency

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*{.ps1,github,reaction}*

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-20-pr-94-acknowledgment-failure.md)

PowerShell script failure requires immediate gh CLI fallback attempt (dual-path tooling for GitHub operations)

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,js,ts,tsx,jsx,py}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-20-session-43-qa-validation-pr147.md)

Use regex patterns with single-line mode flag (?s) for multi-line matching in YAML comment extraction

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.@(js|ts|py|go|java|rb|php|ps1|regex)

📄 CodeRabbit inference engine (.agents/critique/047-pr-212-retrospective-critique.md)

Use ([pattern])? instead of [pattern]? for optional trailing groups in regex to ensure correct optional behavior and prevent special character bypass

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,js,ts,py}

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-20-pr-212-comment-response.md)

Use atomic optional groups ([pattern])?$ instead of [pattern]?$ for optional trailing characters in regex validation to prevent special character bypass

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,ts,tsx,js}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-20-session-01.md)

Verify regex validation patterns in security remediation code

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,sh,bash}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-21-session-53-pr212-security-continuation.md)

Transform validation error messages into 5-word activation prompts that trigger correct behavior

Use gh api --paginate flag when fetching sweep jobs to handle pagination in GitHub CLI commands

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,psm1,yml}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-21-session-57-pr-222-review-response.md)

Include the -Force flag when using Import-Module to ensure module reload and prevent stale module state

Files:

  • scripts/Invoke-BatchPRReview.ps1
**/*.{ps1,yml,yaml,sh}

📄 CodeRabbit inference engine (.agents/HANDOFF.md)

Use PowerShell only for script implementations, avoiding bash and Python (ADR-005 compliance)

Files:

  • scripts/Invoke-BatchPRReview.ps1
.claude/commands/**/*.md

📄 CodeRabbit inference engine (.agents/pr-comments/PR-225/comments.md)

Clarify optional skill dependencies in command documentation, specifically marking /pr-comment-responder as optional with separate installation guidance in .claude/commands/pr-review.md

Files:

  • .claude/commands/pr-review.md
**/.agents/**/*.md

📄 CodeRabbit inference engine (.agents/governance/interview-response-template.md)

Primary deliverables from agents should be saved to .agents/[category]/[pattern].md with naming convention [PREFIX]-NNN-[description].md

Single-source agent files should use frontmatter markers to delineate platform-specific sections for VS Code and Copilot CLI variants

Maintain artifact synchronization markers in tracking files (.md) with status indicators ([COMPLETE], [RESOLVED], [VERIFIED]) and timestamps to document completion and verification of work

Files:

  • .agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md
.agents/**/*.{md,yml,yaml,json}

📄 CodeRabbit inference engine (.agents/critique/001-agent-templating-critique.md)

For agent platform files, evaluate whether near-identical variants (99%+ overlap) can be consolidated with conditional configuration rather than maintaining separate files

Files:

  • .agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md
.agents/**/*.md

📄 CodeRabbit inference engine (.agents/retrospective/pr43-coderabbit-root-cause-analysis.md)

.agents/**/*.md: Use PREFIX-NNN naming convention (e.g., EPIC-001, CRITIQUE-001) for sequenced artifacts and type-prefixed naming (e.g., prd-, tasks-) for non-sequenced artifacts
Normalize all file paths in markdown documents to be repository-relative before committing, removing absolute machine-specific paths

.agents/**/*.md: Session logs and documentation must include Phase checklist verification (Phase 1-3 protocol compliance including agent activation, instruction reading, handoff file updates, and session logging)
Session logs must document Session ID, date, agent name, and branch information in a standardized header format

All artifact files in .agents/ must be in Markdown format

Document analysis recommendations with specific rationale when adding new governance documents like PROJECT-CONSTRAINTS.md

Maintain debugging skills documentation in .agents/ directory

Document implementation notes explaining deviations from user prompts or decisions made during development (e.g., using plural form for directory names)

Run markdown lint on all generated artifacts before completing a session

Run markdown lint validation (0 errors expected) before committing documentation files in the .agents directory

Files:

  • .agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md
.agents/retrospective/*.md

📄 CodeRabbit inference engine (.agents/SESSION-END-PROMPT.md)

Create retrospective document at .agents/retrospective/YYYY-MM-DD-session-NN.md with analysis of emerging patterns, skills to extract, learnings, and discovered risks

Retrospective analysis documents must include Phases 0-5 (Data Gathering, Generate Insights, Diagnosis, Decide What to Do, Learning Extraction, Close)

Retrospective documents MUST include atomicity validation table, deduplication analysis section, and clear skills extraction summary with impact metrics (scored 1-10)

Retrospective analysis files should document outcomes, patterns, and learnings from completed sessions while maintaining clarity about tool usage patterns discovered

Files:

  • .agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md
.agents/retrospective/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-*.md

📄 CodeRabbit inference engine (.agents/governance/naming-conventions.md)

Retrospective artifacts should use the pattern YYYY-MM-DD-[kebab-case-topic].md with ISO 8601 date format, located in .agents/retrospective/ (e.g., 2025-01-15-authentication-sprint.md)

Retrospective artifacts must follow naming pattern YYYY-MM-DD-topic.md

Files:

  • .agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md
.agents/retrospective/**/*.md

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-10-hyper-critical-retrospective.md)

Document failures and fixes in retrospective analysis files

Files:

  • .agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md
.agents/**

⚙️ CodeRabbit configuration file

Agent configuration files. Only flag security issues or broken cross-references. Ignore style, formatting, and structure.

Files:

  • .agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md
.serena/memories/**/*.md

📄 CodeRabbit inference engine (.agents/retrospective/pr43-coderabbit-root-cause-analysis.md)

Update memory/knowledge base snapshots when refined estimates or critical data diverges from previously stored values by more than 10%

.serena/memories/**/*.md: Skill memory files MUST include atomicity scores (>85% threshold required for persistence), evidence citations with specific session numbers, and SMART validation criteria (Specific, Measurable, Actionable, Relevant, Time-bound)
Skill deduplication analysis MUST be performed with similarity scoring (0-100%) before persistence, comparing new skills against existing memories and documenting the decision (ADD, UPDATE, or MERGE)
All skill memory entries MUST include source reference, validation count (number of times applied), and cross-references to related skills in other memory files

.serena/memories/**/*.md: Atomic memory files must contain focused, high-relevance content to minimize token waste during read operations; avoid consolidating multiple skills into single library files
Memory files and index statements must be designed for human readability and agent pattern recognition; avoid relying on unverified internal mechanisms like word frequency matching

Capture user insights about token efficiency and activation vocabulary in the .serena/memories/ directory for future reference

Document workflow pattern requirements (such as dorny/paths-filter checkout dependencies) in serialized memory files for future reference

Files:

  • .serena/memories/skill-autonomous-execution-guardrails.md
.serena/memories/*skill*.md

📄 CodeRabbit inference engine (.agents/analysis/004-check-skill-exists-tool.md)

Memory files documenting skill usage requirements (e.g., skill-usage-mandatory.md) must be kept synchronized with actual Check-SkillExists.ps1 tool interface and available skills

Files:

  • .serena/memories/skill-autonomous-execution-guardrails.md
**/.serena/memories/skill-*.md

📄 CodeRabbit inference engine (.agents/analysis/005-semantic-slug-protocol-analysis.md)

Use semantic slug naming convention for memory files instead of numeric IDs, following the pattern skill-{technology}-{technique}.md (e.g., skill-git-squash-merge-clean-history.md)

Consolidate atomic skill files into domain libraries (e.g., merge multiple skill-react-*.md files into a single context-react-development-standards.md) with a target of 15-20 domain libraries instead of 65+ individual files

Files:

  • .serena/memories/skill-autonomous-execution-guardrails.md
**/.serena/memories/{adr,context,pattern,skill}-*.md

📄 CodeRabbit inference engine (.agents/analysis/005-semantic-slug-protocol-analysis.md)

Use prefix taxonomy for memory files: adr- for Architecture Decision Records, context- for domain knowledge libraries, pattern- for reusable solution patterns, and skill- for how-to guides

Files:

  • .serena/memories/skill-autonomous-execution-guardrails.md
**/.serena/memories/{skill,pattern}-*.md

📄 CodeRabbit inference engine (.agents/analysis/005-semantic-slug-protocol-analysis.md)

Use descriptive slugs in memory file names that include the technology, domain, and specific technique to enable LLM semantic matching (e.g., skill-pester-test-isolation-pattern.md rather than Skill-PowerShell-004.md)

Files:

  • .serena/memories/skill-autonomous-execution-guardrails.md
**/.serena/memories/{skill,pattern,context}-*.md

📄 CodeRabbit inference engine (.agents/analysis/005-semantic-slug-protocol-analysis.md)

Enforce semantic slug distinctiveness to prevent near-duplicate file names within the same domain (e.g., avoid both skill-git-rebase.md and skill-git-interactive-rebase.md)

Files:

  • .serena/memories/skill-autonomous-execution-guardrails.md
.serena/memories/skill-*.md

📄 CodeRabbit inference engine (.agents/critique/050-token-efficiency-principle-critique.md)

Use sequential numbering and collision prevention patterns for memory file naming to enforce skill lifecycle states and governance

.serena/memories/skill-*.md: Skill memory files in .serena/memories/ with names matching skill-* or skills-* pattern are subject to retrieval tracking and cold skill identification
Cold skill identification must exclude newly created skills (created less than threshold days ago, default 30 days) when reporting unused skills

.serena/memories/skill-*.md: Enforce skill ID naming convention: Skill-{Domain}-{Number} where Domain is CamelCase, Number is 3-digit zero-padded (001-999), and skill IDs must be globally unique
Reserve skill ID numbers 001-099 per domain for foundational skills; higher numbers (100+) are available for advanced or specialized skills

.serena/memories/skill-*.md: Extract skills from retrospectives with atomicity score >= 85%, persisting to .serena/memories/ with Skill-{Domain}-{Number} naming convention
Use structured skill ID naming: Skill-{Domain}-{Number} with CamelCase domain and 3-digit zero-padded number (e.g., Skill-Analysis-001)

Files:

  • .serena/memories/skill-autonomous-execution-guardrails.md
.serena/memories/skill*.md

📄 CodeRabbit inference engine (.agents/planning/PRD-skills-index-registry.md)

.serena/memories/skill*.md: Include activation vocabulary (5 words) in both skill file names and index statements to increase LLM association patterns and selection probability during skill discovery
Preserve all deprecated skill files (do NOT delete); link them in the index's Deprecated Skills section to prevent confusion when old references appear in historical documents

.serena/memories/skill*.md: Skill files must be renamed from numeric ID pattern (skill-domain-NNN) to semantic slug pattern (skill-domain-semantic-slug.md)
Verify all skill file migrations with content hash verification to ensure no data loss or corruption
Test Serena MCP integration operations (read_memory, list_memories, write_memory, edit_memory) with new semantic slug names to ensure compatibility

Maintain skill lifecycle states with transitions: Draft → Active → Deprecated, with replacement references for deprecated skills

Files:

  • .serena/memories/skill-autonomous-execution-guardrails.md
**/.serena/memories/**/*.md

📄 CodeRabbit inference engine (.agents/sessions/2025-12-20-session-22.md)

Memory file names and index statements MUST contain dense, high-signal keywords because agents select memories based on word frequency matching

**/.serena/memories/**/*.md: Use semantic slugs for memory file naming instead of numeric IDs (e.g., skill-git-squash-merge-clean-history.md instead of Skill-Git-004.md)
Adopt prefix taxonomy for memory files: adr-[number]-[slug].md for architectural decisions, context-[domain]-[topic].md for domain knowledge, pattern-[problem]-[solution].md for recurring solutions, skill-[technology]-[technique].md for how-to guides

Files:

  • .serena/memories/skill-autonomous-execution-guardrails.md
.serena/memories/**

📄 CodeRabbit inference engine (.agents/sessions/2025-12-20-session-48-semantic-slug-orchestration.md)

Commit all changes including .serena/memories files as part of session completion

Files:

  • .serena/memories/skill-autonomous-execution-guardrails.md
**/.serena/memories/*.md

📄 CodeRabbit inference engine (.agents/sessions/2025-12-20-session-38-pr-94-review.md)

Document discovered skills from retrospectives or code reviews with atomicity scores and evidence references in the skillbook

Files:

  • .serena/memories/skill-autonomous-execution-guardrails.md
🪛 LanguageTool
.claude/commands/pr-review.md

[style] ~39-~39: Using many exclamation marks might seem excessive (in this case: 4 exclamation marks for a text that’s 1861 characters long)
Context: ... ``` Verify: PR exists, is open (state != MERGED, CLOSED), targets current repo....

(EN_EXCESSIVE_EXCLAMATION)

.agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md

[uncategorized] ~63-~63: The official name of this software platform is spelled with a capital “H”.
Context: ...--------| | skill-usage-mandatory | Use .claude/skills/github/ scripts | Used raw gh api commands ...

(GITHUB)

🔇 Additional comments (12)
.github/labeler.yml (1)

52-64: LGTM - Negation handling fixed correctly.

The switch to all-globs-to-all-files for patterns with ! negation correctly addresses the defect from PR #226. Per actions/labeler docs, negation patterns don't work with any-glob-to-any-file. The additional docs/**/* rule provides broader coverage.

scripts/Invoke-BatchPRReview.ps1 (2)

86-89: LGTM - Error diagnostics improved.

Capturing git output helps debugging worktree creation failures. The 2>&1 redirection ensures both stdout and stderr are captured.


164-167: LGTM - Consistent error handling.

Same diagnostic improvement pattern as New-PRWorktree. Good consistency.

.serena/memories/skill-autonomous-execution-guardrails.md (1)

1-80: LGTM - Clear guardrails documentation.

Well-structured retrospective learning. The checklist and anti-patterns provide actionable guidance. References to PR #226 and Issue #230 are appropriate.

.agents/retrospective/2025-12-22-pr-226-premature-merge-failure.md (1)

1-219: LGTM - Thorough retrospective.

Comprehensive failure analysis with clear timeline, root causes, and remediation plan. The metrics and lessons learned sections provide actionable insights. References to PRs and issues are valid.

.claude/commands/pr-review.md (3)

1-5: Clarify platform and tool syntax.

Two unresolved issues from past reviews:

  1. Line 2: Comment says "Claude Code" but format is Claude Desktop's slash command structure. Past reviewer noted this inconsistency.
  2. Line 4: Bash(pwsh:*) syntax is unusual - typically PowerShell is invoked directly, not through Bash. Past reviewer questioned if this would work as expected.

Are these YAML frontmatter fields actually recognized by the target platform? The syntax appears to be Claude Desktop specific but needs verification.


11-16: Document command execution syntax.

The ! backtick syntax (e.g., !`git branch --show-current`) is non-standard. Past reviewer asked what environment interprets these commands. This needs clarification or a more portable approach should be documented.


1-152: Documentation restructure improves clarity.

The step-by-step workflow organization is clearer than the previous version. However, several past review comments about syntax and placeholders remain unresolved (see specific comments above).

.github/workflows/label-pr.yml (2)

7-11: LGTM - Security rationale documented.

The security comment correctly explains why pull_request_target is safe here: the labeler action only reads file paths from diff metadata without executing PR code. No actions/checkout step present, which is correct.


38-38: Action pinning to commit SHA is correct.

The SHA 8558fd74291d67161a8a78ce36a881fa63b766a9 corresponds to a v5 release commit and matches the tag's expected commit. Per repository policy, pinning actions to full commit SHAs is the correct approach.

.github/workflows/label-issues.yml (2)

95-102: LGTM - Title prefix logic fixed.

Separating title prefix checks (/^\[?bug\]?:?/i.test(title)) from content keyword matching correctly addresses the defect from PR #226. The previous ^ anchor on combined title + body only matched the start of the concatenated string. Now title prefixes are properly detected.


36-36: Verify that the pinned SHA corresponds to the v7 release tag.

While pinning actions/github-script to a full commit SHA follows security best practices, the specific SHA f28e40c7f34bde8b3046d885e986cb6290c5673b cannot be verified as matching the v7 release. Check the official release page or use git to confirm this SHA is the correct one for the v7 tag before merging.

coderabbitai[bot] previously approved these changes Dec 22, 2025
- Display captured git error output in worktree removal failure
- Fix documentation label to match ANY markdown file, not ALL files

Addresses review comments from @cursor[bot]:
- Comment 2638885289: Display $output in error message
- Comment 2638885293: Change all-globs-to-all-files to any-glob-to-any-file

Comment-IDs: 2638885289, 2638885293
Copilot AI review requested due to automatic review settings December 22, 2025 07:13