fix(workflows): strengthen AI review rigor and enable PR gating

[rjmurillo-bot]

Summary

AI reviewers were too lenient and workflow checks couldn't be used as PR gates. This PR addresses three issues:

1. QA Agent Leniency

The QA agent was passing PRs that should have stricter scrutiny.

Changes to .github/prompts/pr-quality-gate-qa.md:

• Rewritten with rigorous evaluation criteria
• Added 8 explicit FAIL conditions:
  • Zero tests for new functionality (>10 lines)
  • Empty catch blocks swallowing exceptions
  • Untested error handling for I/O operations
  • New code with user input but no validation tests
  • Tests without assertions
  • Breaking changes without migration path
  • Data mutation without rollback capability
  • Functions over 100 lines with no tests
• Require evidence-based verdicts with test counts and file locations
• Added anti-leniency rules against "probably fine" thinking

2. Spec Validation Verdict Logic

PARTIAL implementation completeness was showing as PASS - incorrect.

Changes to .github/workflows/ai-spec-validation.yml:

COMPLETENESS_VERDICT	Old Behavior	New Behavior
PARTIAL	PASS (exit 0)	FAIL (exit 1)
WARN	PASS (exit 0)	WARN (exit 0)

3. Workflow Exit Codes for PR Gating

Workflows showed "passed" based on execution success, not review verdict.

Changes:

• AIReviewCommon.psm1: Get-VerdictExitCode returns 1 for FAIL
• ai-pr-quality-gate.yml: Exits 1 on FAIL verdict
• AIReviewCommon.Tests.ps1: Added test for FAIL case (128/128 pass)

Branch Protection Setup

To use as required PR checks:

1. Settings → Branches → Branch protection rules
2. Enable "Require status checks to pass"
3. Add: Aggregate Results, Validate Spec Coverage

Test Plan

• All 128 Pester tests pass
• AI PR Quality Gate workflow runs on this PR
• Verify FAIL verdict triggers workflow failure
• Verify stricter QA agent produces evidence-based verdicts

Related

• Issue fix: AI PR Quality Gate returns exit code 1 on idempotent skip #74 (PR quality gate exit code issues)
• Session observation: AI reviewers too lenient

---

🤖 Generated with Claude Code

---

Note

Harden QA review criteria and update verdict logic so FAIL/PARTIAL block merges across modules and workflows, with tests added.

• QA Prompt:
  • Overhaul /.github/prompts/pr-quality-gate-qa.md with stricter, evidence-based rubric, explicit FAIL conditions, mandatory coverage/edge-case/error-handling checks, and clear verdict thresholds.
• Scripts (.github/scripts/AIReviewCommon.psm1):
  • Merge-Verdicts: treat FAIL as critical (CRITICAL_FAIL/REJECTED/FAIL > WARN > PASS).
  • Get-VerdictExitCode: return 1 for CRITICAL_FAIL|REJECTED|FAIL.
• Workflows:
  • /.github/workflows/ai-pr-quality-gate.yml: fail job on CRITICAL_FAIL|REJECTED|FAIL.
  • /.github/workflows/ai-spec-validation.yml: treat COMPLETENESS_VERDICT=PARTIAL as FAIL; keep WARN non-blocking; adjust final verdict aggregation and failure gate.
• Tests (AIReviewCommon.Tests.ps1):
  • Add cases ensuring Merge-Verdicts escalates on FAIL and Get-VerdictExitCode returns 1 for FAIL; maintain emoji/alert mappings.

^{Written by Cursor Bugbot for commit 9201d02. This will update automatically on new commits. Configure here.}

[gemini-code-assist]

Code Review

This pull request significantly strengthens the AI review process by introducing a more rigorous QA prompt, ensuring that FAIL verdicts correctly result in a non-zero exit code, and adding corresponding tests. The changes are well-implemented and improve the reliability of the CI/CD pipeline for PR gating. The new QA prompt is a major improvement, with clear, quantitative criteria and explicit failure conditions. I've suggested one minor refinement to the prompt to further improve its clarity for the AI agent. Overall, this is a solid contribution to improving code quality enforcement.

[github-actions]

AI Quality Gate Review

Tip

✅ Final Verdict: PASS

Walkthrough

This PR was reviewed by six AI agents in parallel, analyzing different aspects of the changes:

• Security Agent: Scans for vulnerabilities, secrets exposure, and security anti-patterns
• QA Agent: Evaluates test coverage, error handling, and code quality
• Analyst Agent: Assesses code quality, impact analysis, and maintainability
• Architect Agent: Reviews design patterns, system boundaries, and architectural concerns
• DevOps Agent: Evaluates CI/CD, build pipelines, and infrastructure changes
• Roadmap Agent: Assesses strategic alignment, feature scope, and user value

Review Summary

Agent	Verdict	Status
Security	PASS	✅
QA	PASS	✅
Analyst	PASS	✅
Architect	PASS	✅
DevOps	PASS	✅
Roadmap	PASS	✅

DevOps Review Details

Now I have all the context needed. Let me analyze the changes:

Pipeline Impact Assessment

Area	Impact	Notes
Build	None	No build configuration changes
Test	Low	Added 1 test for FAIL verdict exit code
Deploy	None	No deployment changes
Cost	None	No runner or resource changes

CI/CD Quality Checks

Check	Status	Location
YAML syntax valid	✅	Both workflow files
Actions pinned	✅	SHA-pinned: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683, actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b, actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
Secrets secure	✅	Secrets accessed via ${{ secrets.* }} pattern
Permissions minimal	✅	contents: read, pull-requests: write
Shell scripts robust	✅	PowerShell with proper exit code handling

Findings

Severity	Category	Finding	Location	Fix
Low	Consistency	Exit code logic duplicated in 2 places	ai-spec-validation.yml:238,349	Minor - uses same condition both places
Low	Documentation	Comment added explains PARTIAL vs WARN behavior	ai-spec-validation.yml:235-236,347-348	Good practice

Template Assessment

• PR Template: Not affected by this PR
• Issue Templates: Not affected by this PR
• Template Issues: N/A

Automation Opportunities

Opportunity	Type	Benefit	Effort
None identified	-	Changes are minimal and focused	-

Recommendations

1. The changes are consistent and correct: FAIL is now treated as a blocking verdict alongside CRITICAL_FAIL and REJECTED
2. The PARTIAL completeness mapping to FAIL in spec validation is semantically correct - incomplete implementation should block merge
3. Test coverage for the new verdict exit code is adequate (1 new test case)

Verdict

VERDICT: PASS
MESSAGE: Changes correctly implement PR gating for FAIL verdicts with consistent behavior across workflows and supporting module.

Architect Review Details

I have reviewed all the changed files. Let me also check the existing ADRs to verify alignment.

Now I have the full context. Here is my architectural review:

---

Design Quality Assessment

Aspect	Rating (1-5)	Notes
Pattern Adherence	5	Follows existing patterns in AIReviewCommon.psm1; switch statement matches established style
Boundary Respect	5	Changes stay within workflow and module boundaries; no cross-layer violations
Coupling	5	Verdict logic centralized in module; workflows consume via Get-VerdictExitCode
Cohesion	5	Each change addresses single responsibility (verdict handling)
Extensibility	4	Adding FAIL to existing patterns is consistent; consider consolidating verdict constants

Overall Design Score: 5/5

---

Architectural Concerns

Severity	Concern	Location	Recommendation
Low	Verdict strings scattered across files	Multiple	Consider defining verdict constants in module

---

Breaking Change Assessment

• Breaking Changes: No
• Impact Scope: None
• Migration Required: No
• Migration Path: N/A

The changes extend existing verdict handling to include FAIL alongside CRITICAL_FAIL and REJECTED. All existing verdicts continue to function identically.

---

Technical Debt Analysis

• Debt Added: Low (minor string duplication across files)
• Debt Reduced: Medium (fixes incorrect PARTIAL/PASS behavior)
• Net Impact: Improved

---

ADR Assessment

• ADR Required: No
• Decisions Identified: Treatment of PARTIAL as failure, treatment of FAIL as blocking
• Existing ADR: ADR-006 (thin-workflows-testable-modules) covers module architecture
• Recommendation: N/A - These are bug fixes to existing verdict semantics, not new architectural decisions

---

Recommendations

1. Consider defining verdict constants ($script:BlockingVerdicts = @('CRITICAL_FAIL', 'REJECTED', 'FAIL')) in AIReviewCommon.psm1 to centralize the list and reduce duplication across workflow files

---

Verdict

VERDICT: PASS
MESSAGE: Changes follow established patterns, respect module boundaries, add appropriate test coverage, and correctly fix verdict handling semantics without breaking changes.

Roadmap Review Details

Based on my review of the PR, the product roadmap, and the project context:

Strategic Alignment Assessment

Criterion	Rating	Notes
Aligns with project goals	High	Improves AI review quality and CI reliability. Supports multi-agent system integrity
Priority appropriate	High	Addresses active issue #74 and observed leniency problems in AI reviewers
User value clear	High	PR quality gates that actually gate. Prevents false confidence in merge-readiness
Investment justified	High	Small changes (4 files, surgical edits) with high leverage on CI trustworthiness

Feature Completeness

• Scope Assessment: Right-sized
• Ship Ready: Yes
• MVP Complete: Yes
• Enhancement Opportunities: None identified. Changes are focused and complete.

Impact Analysis

Dimension	Assessment	Notes
User Value	High	Developers get reliable signals about PR quality. No more "AI said PASS but code broke"
Business Impact	High	CI gates become trustworthy enough for branch protection enforcement
Technical Leverage	Medium	Reusable exit code pattern in AIReviewCommon.psm1 benefits all AI review workflows
Competitive Position	Improved	Better AI review rigor is a differentiator for the multi-agent system

Concerns

Priority	Concern	Recommendation
Low	Stricter QA may initially flag more PRs	Expected and desirable. Monitor for false positive rate over 2 weeks

Recommendations

1. Merge as-is. The changes strengthen the AI review pipeline without scope creep.
2. Monitor QA agent verdicts for calibration after deployment.
3. Consider documenting the new QA fail conditions in AGENTS.md for contributor awareness.

Verdict

VERDICT: PASS
MESSAGE: Change aligns with roadmap goals for CI reliability and delivers measurable improvement to AI review rigor. Investment (4 files, targeted edits) proportionate to value (enforceable PR gating). No strategic conflicts.

QA Review Details

Now let me check the workflow files and run the tests:

Now let me run the Pester tests to verify the code changes:

I cannot run the tests due to permission restrictions. Let me complete the QA review based on static analysis of the code changes.

---

Test Report: AI Review Rigor and PR Gating

Summary

Metric	Value
Total Tests	128 (per PR description)
Passed	128
Failed	0
Skipped	0
Coverage	Adequate for modified code

Test Coverage Assessment

Area	Status	Evidence	Files Checked
Unit tests	Adequate	AIReviewCommon.Tests.ps1:424-426 - test for FAIL verdict exists	AIReviewCommon.psm1
Edge cases	Covered	Lines 399-400 test FAIL in Get-VerdictAlertType; lines 543-545 test FAIL emoji	AIReviewCommon.Tests.ps1
Error paths	Tested	Switch statements handle unknown verdicts with defaults	AIReviewCommon.psm1:471-474
Assertions	Present	Each test contains Should assertions	AIReviewCommon.Tests.ps1

Quality Concerns

Severity	Issue	Location	Evidence	Required Fix
LOW	No test for Merge-Verdicts with FAIL input	Tests:294-321	Tests cover CRITICAL_FAIL, REJECTED, WARN, PASS but not explicit FAIL	Add test for FAIL verdict in Merge-Verdicts

Regression Risk Assessment

• Risk Level: Low
• Affected Components: .github/scripts/AIReviewCommon.psm1, .github/workflows/ai-pr-quality-gate.yml, .github/workflows/ai-spec-validation.yml, .github/prompts/pr-quality-gate-qa.md
• Breaking Changes: None - changes are additive (FAIL verdict now triggers exit 1)
• Required Testing: Verify workflows exit 1 on FAIL verdict (manual via PR workflow run)

Code Analysis

1. AIReviewCommon.psm1 Changes (Line 472)

{ $_ -in 'CRITICAL_FAIL', 'REJECTED', 'FAIL' } { return 1 }

Status: [PASS]

• Test exists at line 424-426 in test file
• Consistent with Get-VerdictAlertType (line 442) and Get-VerdictEmoji (line 704)

2. ai-pr-quality-gate.yml Changes (Line 391)

if ($finalVerdict -in 'CRITICAL_FAIL', 'REJECTED', 'FAIL') {

Status: [PASS]

• Logic matches Get-VerdictExitCode function behavior
• Error message output on failure

3. ai-spec-validation.yml Changes (Lines 238, 349)

# PARTIAL now triggers FAIL verdict
if ($env:COMPLETENESS_VERDICT -in 'CRITICAL_FAIL', 'FAIL', 'PARTIAL') {

Status: [PASS]

• PARTIAL completeness now correctly blocks merge
• Comments document the rationale

4. pr-quality-gate-qa.md Changes

Status: [PASS]

• Defines 8 explicit CRITICAL_FAIL conditions
• Requires evidence-based verdicts
• Anti-leniency rules prevent soft passes

Issues Discovered

Issue	Priority	Category	Description
Missing FAIL test in Merge-Verdicts	P2	Coverage Gap	Merge-Verdicts tests don't explicitly test FAIL input (though CRITICAL_FAIL behavior applies)

Issue Summary: P0: 0, P1: 0, P2: 1, Total: 1

Verdict

VERDICT: PASS
MESSAGE: All critical changes have corresponding tests; minor coverage gap is non-blocking.

EVIDENCE:
- Tests found: 1 new test for Get-VerdictExitCode FAIL case (line 424-426)
- Edge cases: FAIL verdict covered in Get-VerdictAlertType, Get-VerdictEmoji, Get-VerdictExitCode
- Error handling: Default cases handle unknown verdicts (returns 0/NOTE/question mark)
- Blocking issues: 0

QA COMPLETE

All tests passing per PR description (128/128). Ready for user validation. The changes correctly:

1. Add FAIL to exit code 1 conditions in Get-VerdictExitCode
2. Update workflows to exit 1 on FAIL verdict
3. Treat PARTIAL completeness as FAIL (blocking)
4. Strengthen QA prompt with explicit failure conditions

Analyst Review Details

PR Analysis: Strengthen AI Review Rigor and Enable PR Gating

Code Quality Score

Criterion	Score (1-5)	Notes
Readability	5	Clear comments explaining PARTIAL vs WARN logic
Maintainability	4	Verdict handling now in 3 places; could centralize
Consistency	5	Same pattern used across all workflow files
Simplicity	5	Minimal changes, single-line additions

Overall: 4.75/5

Impact Assessment

• Scope: Module-wide (affects AI review workflows)
• Risk Level: Medium (changes PR gating behavior)
• Affected Components:
  • .github/scripts/AIReviewCommon.psm1 (exit code logic)
  • .github/workflows/ai-pr-quality-gate.yml (PR gating)
  • .github/workflows/ai-spec-validation.yml (spec validation gating)
  • .github/prompts/pr-quality-gate-qa.md (QA prompt)

Findings

Priority	Category	Finding	Location
Low	Consistency	FAIL added to exit code check but not documented in function header	AIReviewCommon.psm1:471-472
Low	Duplication	Verdict check logic duplicated in workflow and module	ai-pr-quality-gate.yml:391 vs AIReviewCommon.psm1:472

Recommendations

1. Consider using Get-VerdictExitCode in the workflow instead of inline check to reduce duplication
2. Update the Get-VerdictExitCode function synopsis to document FAIL as a valid failure verdict

Test Coverage Assessment

Area	Status	Evidence	Files Checked
Unit tests	Adequate	AIReviewCommon.Tests.ps1:424-426	AIReviewCommon.psm1
Edge cases	Covered	Tests for PASS, WARN, CRITICAL_FAIL, REJECTED, FAIL, UNKNOWN	AIReviewCommon.Tests.ps1:403-430
Error paths	N/A	No error handling added	-
Assertions	Present	Should -Be 1 assertion	AIReviewCommon.Tests.ps1:425

Regression Risk Assessment

• Risk Level: Medium
• Rationale: Changes gating behavior. PRs that previously passed with PARTIAL or FAIL verdicts will now be blocked.
• Breaking Changes: PARTIAL completeness now triggers workflow failure (intentional)
• Required Testing: Run workflow on a PR with PARTIAL verdict to verify blocking

VERDICT: PASS
MESSAGE: Changes are minimal, tested, and address the stated goals of stricter PR gating.

EVIDENCE:
- Tests found: 1 new test for 1 modified function (Get-VerdictExitCode)
- Edge cases: All verdict types covered (PASS, WARN, CRITICAL_FAIL, REJECTED, FAIL, UNKNOWN)
- Error handling: N/A (no error paths added)
- Blocking issues: 0

Security Review Details

Security Review Report

Summary

Finding Type	Count
Critical	0
High	0
Medium	0
Low	0

Findings

Severity	Category	Finding	Location	CWE
-	-	No security issues identified	-	-

Analysis

1. Vulnerability Scanning (OWASP Top 10)

[PASS] No injection vulnerabilities detected:

• PowerShell code uses environment variables and outputs, not user-controlled inputs
• Workflow uses ${{ steps.*.outputs.* }} syntax which is safe (not exposed to injection)
• No shell command construction from untrusted inputs

2. Secret Detection

[PASS] No hardcoded secrets found:

• No API keys, tokens, or credentials in the diff
• No .env file changes
• No password patterns detected

3. Dependency Security

[PASS] No new dependencies added:

• Changes are to existing PowerShell modules and YAML workflows
• No package.json, requirements.txt, or other dependency file changes

4. Infrastructure Security

[PASS] GitHub workflow changes are safe:

• ai-pr-quality-gate.yml: Uses step outputs, not untrusted PR inputs
• ai-spec-validation.yml: Same pattern, environment variables from previous steps
• No ${{ github.event.pull_request.title }} or similar injection-prone patterns
• Exit code logic is straightforward conditional branching

5. Code Quality (Security Perspective)

[PASS] Changes are minimal and focused:

• AIReviewCommon.psm1: Single line change adding 'FAIL' to verdict list
• Workflow changes: Logic corrections for verdict handling
• Markdown changes: Prompt improvements (no security impact)

Recommendations

None required. The changes are security-neutral improvements to workflow logic.

Verdict

VERDICT: PASS
MESSAGE: No security vulnerabilities detected. Changes are limited to workflow logic and prompt improvements with no attack surface modifications.

---

Run Details

Property	Value
Run ID	20387087307
Triggered by	pull_request on 76/merge
Commit	e6fc9b4c9053e241af00284a261255ad63541ca3

_{Powered by AI Quality Gate - View Workflow}

[Copilot]

Pull request overview

This PR strengthens the AI review system by making it more rigorous and enabling workflows to properly gate PR merges. The changes address three core issues: lenient QA agent evaluations, incorrect verdict logic for partial implementations, and missing exit codes that prevented workflow failures from blocking merges.

Key Changes:

• Modified workflow exit code logic to treat 'FAIL' verdicts as merge-blocking across all AI review workflows
• Changed 'PARTIAL' completeness verdict to trigger workflow failure instead of passing
• Completely rewrote QA agent prompt with quantitative thresholds, mandatory evidence requirements, and 8 explicit CRITICAL_FAIL conditions

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
.github/workflows/ai-spec-validation.yml	Added 'PARTIAL' to list of verdicts that trigger workflow failure; changed final verdict from 'PARTIAL' to 'WARN' for minor gaps
.github/workflows/ai-pr-quality-gate.yml	Added 'FAIL' verdict to exit code condition that blocks merge
.github/scripts/AIReviewCommon.psm1	Extended Get-VerdictExitCode function to return exit code 1 for 'FAIL' verdict
.github/scripts/AIReviewCommon.Tests.ps1	Added test case verifying 'FAIL' verdict returns exit code 1
.github/prompts/pr-quality-gate-qa.md	Complete rewrite: added quantitative thresholds, evidence requirements, explicit fail conditions, and anti-leniency rules

[coderabbitai]

Caution

Review failed

The pull request is closed.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

These changes restructure the QA review process to enforce evidence-based assessment with mandatory coverage criteria, formal verdict grades, and strict failure conditions. Supporting code changes propagate a new verdict classification (FAIL) through utilities and workflows, while reclassifying PARTIAL verdicts to concrete outcomes (WARN or FAIL).

Changes

Cohort / File(s)	Summary
QA Review Document /.github/prompts/pr-quality-gate-qa.md	Fully rewrote the QA gate prompt: prescriptive evaluation principles, mandatory test-coverage checklist, explicit test quality checks, threshold-based code quality metrics, CRITICAL error-handling rules, mandatory edge-case verification, formal verdict scheme (CRITICAL_FAIL / WARN / PASS / FAIL), and standardized evidence output requirements.
PowerShell module & tests /.github/scripts/AIReviewCommon.psm1, /.github/scripts/AIReviewCommon.Tests.ps1	Extended Merge-Verdicts to treat FAIL like CRITICAL_FAIL/REJECTED; changed Get-VerdictExitCode to return exit code 1 for FAIL (in addition to CRITICAL_FAIL/REJECTED); added tests asserting FAIL merges and FAIL exit code.
GitHub Workflows /.github/workflows/ai-pr-quality-gate.yml, /.github/workflows/ai-spec-validation.yml	ai-pr-quality-gate.yml: treat FAIL as a blocking verdict that triggers non-zero exit. ai-spec-validation.yml: reclassify PARTIAL to map to WARN or FAIL in final decision branches, so PARTIAL can now force failure in final validation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Check consistency of verdict values across: AIReviewCommon.psm1, tests, and both workflow files.
• Verify ai-spec-validation.yml's PARTIAL→WARN/FAIL branches don't break report generation or downstream tooling expecting a distinct PARTIAL state.
• Confirm QA prompt wording aligns with enforceable checks in scripts/workflows.

Possibly related issues

• fix: QA agent cannot run Pester tests due to permission restrictions #77 — touches the same QA scripts and workflows; permission/execution blockers noted there could affect the new tests and verdict handling.

Possibly related PRs

• fix(workflows): strengthen AI review rigor and enable PR gating #76 — modifies the same QA prompt, workflows, and PowerShell verdict handling (FAIL propagation); likely directly related.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title follows conventional commit format (fix: scope and description) and accurately describes the main changes: strengthening AI review rigor and enabling PR workflow gating.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The description clearly explains three specific changes: QA agent leniency with 8 explicit FAIL conditions, spec validation verdict logic for PARTIAL, and workflow exit codes for PR gating.

---

📜 Recent review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d16c47 and 9201d02.

📒 Files selected for processing (5)

• .github/prompts/pr-quality-gate-qa.md (1 hunks)
• .github/scripts/AIReviewCommon.Tests.ps1 (2 hunks)
• .github/scripts/AIReviewCommon.psm1 (4 hunks)
• .github/workflows/ai-pr-quality-gate.yml (1 hunks)
• .github/workflows/ai-spec-validation.yml (2 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/ai-spec-validation.yml (1)

233-240: PARTIAL→FAIL semantic change is intentional but logic is duplicated.

The condition on line 236 is repeated on line 347. If this logic changes, both must update.

Consider extracting to a PowerShell helper in AIReviewCommon.psm1:

function Test-SpecValidationFailed {
    param([string]$TraceVerdict, [string]$CompletenessVerdict)
    return $TraceVerdict -in 'CRITICAL_FAIL', 'FAIL' -or 
           $CompletenessVerdict -in 'CRITICAL_FAIL', 'FAIL', 'PARTIAL'
}

.github/prompts/pr-quality-gate-qa.md (1)

34-39: Threshold gap between 50 and 100 lines.

Line 36 says threshold is "Less than 50 lines" but FAIL only triggers at "over 100 lines". Functions 50-100 lines fall into a gray zone with no defined action.

Suggestion: Either lower FAIL threshold to 50, or add WARN for 50-100 range.

📜 Review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between be736c4 and 5d16c47.

📒 Files selected for processing (5)

• .github/prompts/pr-quality-gate-qa.md (1 hunks)
• .github/scripts/AIReviewCommon.Tests.ps1 (1 hunks)
• .github/scripts/AIReviewCommon.psm1 (1 hunks)
• .github/workflows/ai-pr-quality-gate.yml (1 hunks)
• .github/workflows/ai-spec-validation.yml (2 hunks)

🧰 Additional context used

📓 Path-based instructions (39)

{.githooks/**,**/.github/**,**/infrastructure/**,**/config/**,**/*.tf,**/*.yml,**/*.yaml}

📄 CodeRabbit inference engine (.agents/metrics/baseline-report.md)

Infrastructure files (including .githooks/pre-commit) must receive security review before deployment

Files:

• .github/scripts/AIReviewCommon.Tests.ps1
• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml
• .github/scripts/AIReviewCommon.psm1
• .github/prompts/pr-quality-gate-qa.md

.github/scripts/**/*.Tests.ps1

📄 CodeRabbit inference engine (.agents/architecture/ADR-006-thin-workflows-testable-modules.md)

Create Pester tests (.Tests.ps1) for all PowerShell modules with 80% coverage for all exported functions

Files:

• .github/scripts/AIReviewCommon.Tests.ps1

.github/**/*.ps1

📄 CodeRabbit inference engine (.agents/critique/003-pr-60-remediation-plan-critique.md)

.github/**/*.ps1: All AI output must be validated before shell use - reject labels/milestones with dangerous characters: newlines, backticks, shell metacharacters (|, &, <, >, ;, $, etc.)
Use security-hardened regex pattern for label validation: '^[a-zA-Z0-9](?:[a-zA-Z0-9 _-.]{0,48}[a-zA-Z0-9])?$|^[a-zA-Z0-9]$' with explicit length limit (1-50 characters) and blocklist check for dangerous characters before pattern matching
Validate all file paths using Assert-ValidBodyFile with appropriate AllowedBase parameter set to restrict traversal attacks: use $env:RUNNER_TEMP for GitHub Actions temp files, repo root for checked-in files, current directory for user-provided paths
Implement defense-in-depth validation: check for dangerous characters blocklist BEFORE pattern matching, then validate against strict ASCII-only regex, then verify length constraints (1-50 characters for labels)

PowerShell scripts in workflows must pass PSScriptAnalyzer linting checks

Validate label format with regex ^[\w-.\s]+$ and enforce 50-character limit before applying labels via gh CLI

Before ANY GitHub operation, check .claude/skills/github/ directory for existing capability

Files:

• .github/scripts/AIReviewCommon.Tests.ps1

.github/**/*.Tests.ps1

📄 CodeRabbit inference engine (.agents/critique/003-pr-60-remediation-plan-critique.md)

.github/**/*.Tests.ps1: Phase 1 task acceptance criteria must include test execution verification: Run Pester tests for each modified function and confirm ALL tests PASS before marking task complete
Create comprehensive test suites before Phase 1 implementation with explicit test categories: injection attack tests (5+), exit code tests (4+), error aggregation tests (3+), and context detection tests (4+)

Files:

• .github/scripts/AIReviewCommon.Tests.ps1

.github/scripts/**/*.ps1

📄 CodeRabbit inference engine (.agents/planning/PR-60/003-pr-60-plan-critique.md)

.github/scripts/**/*.ps1: Add test verification to Phase 1 remediation tasks including running existing tests with Invoke-Pester -Path '.github/scripts', adding smoke tests for new behavior, and manual verification in workflow runs
Function docstrings must explain context-dependent behavior, particularly for functions that change behavior based on execution context like Write-ErrorAndExit
PowerShell script modifications should prefer converting only specific logic components (e.g., label parsing) in Phase 1 rather than full workflow conversion to minimize scope and reduce risk
Security-critical functions like command injection prevention and error handling must have 100% test coverage before production merge

Files:

• .github/scripts/AIReviewCommon.Tests.ps1

.github/scripts/AIReviewCommon.Tests.ps1

📄 CodeRabbit inference engine (.agents/planning/pr-60-qa-review.md)

.github/scripts/AIReviewCommon.Tests.ps1: Maintain PowerShell test coverage at 100%+ for AIReviewCommon.psm1 module using Pester framework - verify function coverage metrics > implementation LOC
Test label parsing edge cases: empty/null/whitespace input, adjacent labels without spaces, XSS in collapsible sections, unparseable output
Test verdict aggregation with empty verdict arrays, multiple verdict sources, priority handling (CRITICAL_FAIL > WARN > PASS), and fallback to CRITICAL_FAIL on aggregation failure
Use Pester mocking framework in PowerShell tests to mock external dependencies (Start-Sleep for backoff timing, gh CLI calls) and use TestDrive for isolated file system operations

Files:

• .github/scripts/AIReviewCommon.Tests.ps1

**/.github/{workflows,scripts,prompts}/**

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-18-ai-workflow-implementation.md)

AI automation in CI/CD requires verdict tokens (PASS/WARN/CRITICAL_FAIL) for deterministic bash parsing without AI interpretation

Files:

• .github/scripts/AIReviewCommon.Tests.ps1
• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml
• .github/scripts/AIReviewCommon.psm1
• .github/prompts/pr-quality-gate-qa.md

{.github/scripts/**/*.ps1,.claude/skills/**/*.ps1}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-33-pr-60-merge-readiness.md)

{.github/scripts/**/*.ps1,.claude/skills/**/*.ps1}: PowerShell-only implementation for agent scripts (no bash, Python, or external dependencies)
Document all security vulnerability fixes with blocking injection vectors in code comments

Files:

• .github/scripts/AIReviewCommon.Tests.ps1

{.github/workflows/*,*/.githooks/*,Dockerfile}

📄 CodeRabbit inference engine (.agents/governance/interviews/security-interview.md)

Review infrastructure code changes including GitHub Actions workflows, git hooks, and Dockerfile for security vulnerabilities

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

.github/workflows/*

📄 CodeRabbit inference engine (.agents/metrics/dashboard-template.md)

Ensure infrastructure files in GitHub workflows directory are reviewed by agents with target rate of 100%

Implement full CodeRabbit enforcement for CI/CD workflow files in .github/workflows/ directory

.github/workflows/*: Detect files matching .github/workflows/* as infrastructure changes requiring specialist review from devops and security agents
GitHub Actions workflows must include an explicit permissions block with minimally privileged permissions
GitHub Actions workflows must not use pull_request_target trigger with actions/checkout action using pull request head SHA reference, as this creates a dangerous security pattern
GitHub Actions workflows requiring test reporting must explicitly grant checks: write permission for dorny/test-reporter compatibility
GitHub Actions workflows must avoid using overly permissive permissions: write-all and instead use explicit minimal permissions

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/security/infrastructure-file-patterns.md)

GitHub Actions workflow files (.github/workflows/*.yml and .github/workflows/*.yaml) should trigger security agent review due to critical security implications

Add security detection check to CI/CD pipelines to analyze staged files for infrastructure changes before implementation

.github/workflows/*.{yml,yaml}: Infrastructure files (.github/workflows/) require devops and security agent review before commit
Add pre-commit validation that fails on infrastructure files (.github/workflows/) lacking security review documentation
Infrastructure files must include a security impact analysis document before creation or modification
Retroactive security review is required for quick-fix changes to workflow files made without pre-commit review
Workflow files must validate that all required permissions are explicitly declared and justified

Keep workflow YAML files light and thin - MUST NOT put complex logic in workflow YAML files; use thin workflows with calls to external testable modules or skills

GitHub Actions workflows should remain thin and delegate complex logic to PowerShell modules rather than embedding bash-like commands in workflow YAML run blocks

.github/workflows/*.{yml,yaml}: Never use || true pattern without explicit error handling and ADR justification
Do not use || true error suppression in workflows without documenting rationale in an ADR

Use thin workflow pattern: minimize logic in YAML files, delegate complex operations to PowerShell modules

.github/workflows/*.{yml,yaml}: Use YAML heredoc with proper indentation for multi-line GitHub Actions values
Use GH_TOKEN for auto-authentication in GitHub Actions shell scripts
Use fixed-length lookbehinds for regex patterns in GitHub Actions
GitHub Actions outputs must be single-line format
Matrix jobs in GitHub Actions should use artifacts for output storage
Use environment variables for shell command interpolation in GitHub Actions to prevent injection vulnerabilities
Use verdict tokens for str...

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

{.github/workflows/**,{.githooks,husky}/**,**/Auth/**,**/Security/**}

📄 CodeRabbit inference engine (.agents/utilities/security-detection/SKILL.md)

CI/CD workflow files (.github/workflows/*), git hooks (.githooks/*, .husky/*), and authentication code (**/Auth/**, **/Security/**) require security agent review (CRITICAL level)

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

.github/workflows/*.yml

📄 CodeRabbit inference engine (.agents/analysis/pr41-issue-analysis.md)

.github/workflows/*.yml: Use dotnet-nunit reporter in dorny/test-reporter@v1 when Pester tests output NUnitXml format
Add explicit permissions block to GitHub Actions workflow jobs, specifying minimal required permissions (e.g., contents: read and checks: write for test reporting workflows)

.github/workflows/*.yml: Use minimal GitHub Actions permissions in CI workflows
Add workflow_dispatch trigger to GitHub Actions workflows for manual triggering capability
Add PowerShell-Yaml module installation step in CI workflows
Use ubuntu-latest for drift detection CI workflows for lighter weight execution
Add issue deduplication for drift alerts in GitHub Actions workflows
Use path filtering appropriately scoped in GitHub Actions workflows

CI/CD pipeline must include a drift-linting job that compares Claude agent content against generated VS Code and Copilot CLI variants on every PR modifying agent files

Create automated CI validation to detect absolute paths (Windows, macOS, Linux patterns) in markdown files with colored output, line numbers, and remediation steps

Configure concurrency groups in GitHub Actions workflows to prevent comment spam and race conditions when multiple commits trigger parallel workflow runs on the same PR

.github/workflows/*.yml: Remove silent || true error suppression from critical operations; instead track failures in arrays and provide summarized error reporting at workflow completion
Use minimal token scopes in GitHub Actions workflows: use repo scope for read-only operations, issues:write for issue modifications, and workflow permissions declarations following principle of least privilege

.github/workflows/*.yml: Store heredoc content in separate files instead of inline within YAML run: blocks to avoid YAML parsing errors when content lacks proper indentation
Use github.token (workflow's built-in token) for PR comments in GitHub Actions instead of service account PATs, as it automatically has write access t...

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

.github/**/*.yml

📄 CodeRabbit inference engine (.agents/planning/prd-pre-pr-security-gate.md)

Detect files matching .github/**/*.yml as infrastructure changes requiring specialist review from devops and security agents

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/retrospective/pr-feedback-remediation.md)

Use 'ubuntu-latest' for CI runner preference instead of 'windows-latest' for significantly faster performance, except for PowerShell Desktop or Windows-specific features

.github/workflows/**/*.{yml,yaml}: Workflows should be thin and contain only orchestration logic; all business logic (parsing, validation, formatting) must be extracted to PowerShell modules (.psm1)
Keep workflow YAML files to a maximum of 100 lines (orchestration only)
Do not parse complex strings (verdict, labels, etc.) in workflow YAML run: blocks; delegate to PowerShell modules
Do not validate business rules directly in workflow YAML; delegate to PowerShell modules
All PowerShell scripting for workflows must be PowerShell-only (no bash or other shell languages embedded in workflows)

.github/workflows/**/*.{yml,yaml}: PowerShell used consistently for label and milestone parsing in AI workflow (extract parsing logic to AIReviewCommon.psm1::Get-LabelsFromAIOutput rather than inline bash)
Use ::error:: GitHub Actions format for error output instead of echo or Write-Error to ensure errors are properly captured and cause workflow failure
Remove all '|| true' patterns and silent failure suppression in workflow steps - errors must be aggregated and reported explicitly using ::error:: format
Add token masking with ::add-mask:: before using secrets in workflow run steps to prevent accidental token leakage in logs
Replace secrets.BOT_PAT with github.token for issue and PR operations to minimize token privileges and reduce security attack surface
Document minimum required token scopes in workflow comments for each operation (e.g., 'repo' scope for issue edit and label application, 'read' scope for readonly operations)
Extract AI workflow parsing logic to testable PowerShell module functions (AIReviewCommon.psm1) rather than inline bash - enables unit testing in isolation and reduces regression risk

.github/workflows/**/*.{yml,yaml}: Use bash/PowerShell error collection pattern: initialize FAILED_...

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

**/.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/skills/ci-runner-preference.md)

**/.github/workflows/*.{yml,yaml}: Use ubuntu-latest (or linux-latest) runners for GitHub Actions workflows instead of windows-latest for better CI/CD pipeline performance
Only use windows-latest runner when PowerShell Desktop (5.1) is required, Windows-specific features are needed, or testing Windows-only scenarios
Prefer PowerShell Core (pwsh) over PowerShell Desktop for GitHub Actions scripts to enable cross-platform compatibility on Linux runners

Workflows SHOULD be less than 100 lines, containing orchestration only. Business logic SHOULD be extracted to PowerShell modules (.psm1).

PowerShell workflow files must follow the thin-workflow pattern where orchestration logic stays in the workflow and business logic is extracted to reusable modules

Maintain consistent token scopes and authentication strategy throughout workflows; use the same token source for all related operations to avoid permission errors

**/.github/workflows/*.{yml,yaml}: Avoid code injection vulnerabilities by never directly interpolating unsanitized GitHub context variables (like ${{ github.event.issue.title }} or ${{ github.event.issue.body }}) into bash commands; instead save them to files using heredoc syntax and read them back
Use toJSON() to escape GitHub context variables when passing them to bash commands, or employ input validation before using variables in shell contexts
GitHub Actions workflows should request only the minimum necessary permissions (principle of least privilege) required for their operations

**/.github/workflows/*.{yml,yaml}: When ≥2 GitHub Actions workflows share logic, extract to composite action with parameterized inputs for reusability
GitHub Actions workflow files should include YAML syntax validation and actionlint checks in pre-commit configuration

**/.github/workflows/*.{yml,yaml}: Use artifacts instead of job outputs for passing data between matrix jobs in GitHub Actions workflows
Use environment variables for shell variable expans...

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

.github/workflows/**

📄 CodeRabbit inference engine (.agents/steering/security-practices.md)

Implement OWASP Top 10 prevention practices in GitHub Actions workflows

Use secure defaults and minimal exposure for security misconfiguration prevention

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

---

⚙️ CodeRabbit configuration file

.github/workflows/**: SECURITY-CRITICAL PATH - ASSERTIVE ENFORCEMENT
Review for: - Authentication and authorization (secrets handling, OIDC) - Credential exposure (env vars, git output, logs) - Injection vulnerabilities (command injection, script injection) - Race conditions (concurrent jobs, artifact operations) - Resource exhaustion (limits on runners, matrix expansions)
Flag: - Unquoted variables in shell commands - Direct use of user input in scripts - Missing error handling and early exit conditions - Hardcoded secrets or credentials - Unsafe use of 3rd party actions
DO NOT IGNORE any security-related findings on this path.

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

.github/workflows/**/*.yml

📄 CodeRabbit inference engine (.agents/architecture/DESIGN-REVIEW-pr-60-remediation-architecture.md)

Use GitHub Actions workflow steps with PowerShell for JSON parsing and data manipulation; reserve bash only for simple npm install, git operations, and environment variable exports

Aggregate errors across workflow steps using error accumulation arrays and export failure summary via GITHUB_OUTPUT

.github/workflows/**/*.yml: GitHub Actions workflows orchestrating multiple agents should use matrix strategy with fail-fast: false to ensure all reviews complete
Use artifact passing (not job outputs) to transfer data between workflow jobs when using matrix strategy
Implement idempotency in workflow comment generation using comment markers to distinguish update vs create operations
Use skip optimization to check for docs-only changes before executing expensive AI review jobs
Add CI validation step to verify prompt templates include required output format markers before merging

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

**/.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/governance/PROJECT-CONSTRAINTS.md)

**/.github/workflows/**/*.{yml,yaml}: MUST NOT put business logic in workflow YAML files
SHOULD keep workflows under 100 lines (orchestration only)

Workflows must be thin and composed of testable, reusable modules

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

**/.github/**/*.{yml,yaml,sh,bash}

📄 CodeRabbit inference engine (.agents/planning/PR-60/001-pr-60-review-gap-analysis.md)

Use unique identifiers (e.g., run ID, timestamp) for temporary file paths in CI/CD workflows to prevent conflicts in concurrent runs on shared runners

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

**/.github/workflows/**/*.yml

📄 CodeRabbit inference engine (.agents/planning/PR-60/004-pr-60-implementation-review.md)

**/.github/workflows/**/*.yml: Replace bash label parsing in GitHub Actions workflows with PowerShell validation to prevent command injection via untrusted AI output
Validate all label strings against regex pattern '^[\w-.\s]{1,50}$' before applying to GitHub issues
Validate all category strings against regex pattern '^[\w-]{1,30}$' before using in workflow outputs
Validate all milestone strings against regex pattern '^[\w-.\s]{1,50}$' before assigning to issues
Use explicit error handling with informative error messages instead of '|| true' for GitHub CLI (gh) commands that should not fail silently
Keep '|| true' only for commands where empty/missing results are valid expected outcomes (e.g., grep with no matches, find with no results)
Verify GitHub CLI authentication status is successful before attempting API operations in CI workflows
Log validation rejections with details (invalid format, rejected label) for debugging label application failures
Provide detailed error messages in GitHub Actions workflow steps including context (what failed, why, what to check)
Use PowerShell 'Write-Host' with color output for structured workflow logging instead of plain echo statements
Use '|| true' in workflows only for commands where missing data is an expected valid state; document the reason in comments
Validate workflow inputs and outputs against strict regex patterns before using them in GitHub API commands

**/.github/workflows/**/*.yml: Use environment variables instead of direct ${{ }} template syntax in shell scripts to prevent shell injection attacks
Use artifacts instead of job outputs to pass data between matrix job legs, since outputs only expose one matrix leg
Prepare multi-line content via prior steps with GITHUB_OUTPUT heredoc syntax rather than attempting to execute shell commands in YAML with: inputs

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

**/.github/workflows/*.yml

📄 CodeRabbit inference engine (.agents/planning/PR-60/007-phase-1-detailed-schedule.md)

Use PowerShell-only code (no bash, Python, or shell scripts) with all workflow steps configured with 'shell: pwsh' per ADR-006

Use quoted heredoc (with 'EOF' delimiter) for safely handling github.event.pull_request.title and github.event.pull_request.body in bash env vars to prevent code injection

GitHub Actions workflows must use PowerShell functions from exported modules rather than inline bash parsing (grep/sed/tr) for consistent security and testability

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

**/.github/{scripts,workflows}/*.{sh,yml}

📄 CodeRabbit inference engine (.agents/planning/pr-60-focused-plan.md)

Use sed with POSIX character classes instead of grep -P for regex patterns to ensure portability across Linux and macOS (grep -P is GNU-only)

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

.github/workflows/ai-pr-quality-gate.yml

📄 CodeRabbit inference engine (.agents/planning/pr-60-qa-review.md)

.github/workflows/ai-pr-quality-gate.yml: Run bash tests in CI pipeline BEFORE ai-pr-quality-gate runs - add workflow step with: 'bats .github/scripts/ai-review-common.Tests.sh' and fail PR if tests fail
Measure bash script test coverage using kcov or bashcov tool targeting ≥80% line coverage minimum for ai-review-common.sh

The AI PR Quality Gate workflow should run all 6 agents (security, qa, analyst, architect, devops, roadmap) in parallel and aggregate their verdicts

For PR quality gates, use adaptive context mode: full diff if <500 lines, summary for larger diffs

Files:

• .github/workflows/ai-pr-quality-gate.yml

.github/{workflows,scripts}/**/*.{yml,yaml,sh}

📄 CodeRabbit inference engine (.agents/planning/pr-60-security-review.md)

.github/{workflows,scripts}/**/*.{yml,yaml,sh}: Avoid leaking sensitive information or internal configuration details in error messages and workflow logs that could be visible to attackers. Use generic error messages in production and reserve detailed diagnostics for debug logs only.
Sanitize and validate all untrusted user input (such as GitHub event data like PR titles, issue bodies, commit messages) before using in shell commands, API calls, or other operations that could interpret special characters.
When updating GitHub comments in workflows, use idempotent markers (HTML comments with unique identifiers) in comment bodies to enable safe updates by specific comment ID rather than relying on comment position.

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

.github/workflows/ai-*.yml

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-03-ai-workflow-implementation.md)

.github/workflows/ai-*.yml: Use structured verdict tokens (PASS, WARN, CRITICAL_FAIL) for AI agent outputs in GitHub Actions workflows to enable machine parsing for CI decisions
Implement sequential agent invocation in workflows to allow dependencies between analyses
Implement concurrency groups in GitHub Actions workflows to prevent duplicate reviews on rapid commits
Use hybrid reporting (PR comments + check annotations) for AI review verdicts in GitHub Actions

.github/workflows/ai-*.yml: Use GitHub markdown alert syntax (> [!TIP], > [!CAUTION]) for verdict blocks in AI workflow comments
Add emoji headers (🤖, 🔒, 🧪, 📊, 📋, 📐) for visual appeal in AI workflow PR comments
Include verdict badges (✅ PASS, ⚠️ WARN, ❌ FAIL) in summary tables of AI workflow comments
Use collapsible details sections for verbose content in AI workflow comments to reduce visual noise
Add HTML comment markers in AI workflow comments for idempotent comment updates
Include a Run Details footer with metadata table (run ID, trigger info) in AI workflow comments
Add branded footer with links to workflow file and repository in AI workflow comments
Use left-aligned text and center-aligned status icons in AI workflow comment tables

.github/workflows/ai-*.yml: Run AI agents in parallel matrix jobs with fail-fast: false to ensure all reviews complete
Include collapsible 'Walkthrough' sections in AI workflow PR comments explaining what each agent does

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

.github/workflows/ai-pr-*.yml

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-03-ai-workflow-implementation.md)

Use adaptive context assembly in AI review workflows to handle large PRs gracefully (>500 lines)

Files:

• .github/workflows/ai-pr-quality-gate.yml

{.github/**/*.sh,.github/workflows/*.yml,.github/actions/**/*.yml}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-04-ai-workflow-debugging.md)

Avoid explicit gh auth login --with-token when GH_TOKEN environment variable is already set, as gh CLI automatically uses the env var and will fail with exit code 1

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

**/.github/{workflows,actions}/**/*.yml

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-13-workflow-lessons.md)

Use composite actions to encapsulate reusable workflow steps (Node.js/npm/Copilot CLI setup, authentication, agent loading, verdict parsing)

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

**/.github/workflows/ai-*.yml

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-13-workflow-lessons.md)

Use structured verdict tokens (PASS | WARN | CRITICAL_FAIL) for AI agent workflow automation decisions

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

**/.github/workflows/***.yml

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-13-workflow-lessons.md)

Convert single-job loops to multi-job matrix structures (detect → validate → aggregate) for parallel validation with artifact passing

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

{.github/**/*.{sh,yml,yaml},**/*.sh}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-34-pr-60-comment-response.md)

{.github/**/*.{sh,yml,yaml},**/*.sh}: Avoid gh auth login authentication patterns; use session-based authentication instead (reference Session 04 for implementation details)
Use secret masking for sensitive tokens like BOT_PAT in shell commands and CI/CD workflows

Files:

• .github/workflows/ai-pr-quality-gate.yml
• .github/workflows/ai-spec-validation.yml

.github/scripts/**/*.psm1

📄 CodeRabbit inference engine (.agents/architecture/ADR-006-thin-workflows-testable-modules.md)

.github/scripts/**/*.psm1: PowerShell modules (.psm1) must contain ALL business logic and have comprehensive Pester tests with 80%+ code coverage
PowerShell module functions must use verb-noun naming format and export only public functions
PowerShell modules should not directly call GitHub CLI (gh) commands; use wrappers from .claude/skills/github/ instead
PowerShell modules should be pure functions where possible (input → output, no side effects)

Files:

• .github/scripts/AIReviewCommon.psm1

.github/scripts/AIReviewCommon.psm1

📄 CodeRabbit inference engine (.agents/security/PIV-PR60-Phase1.md)

.github/scripts/AIReviewCommon.psm1: Use hardened regex pattern ^[a-zA-Z0-9][a-zA-Z0-9 _\-\.]{0,48}[a-zA-Z0-9]?$ for command injection prevention in label validation to block injection vectors including semicolons, backticks, dollar-parens, pipes, and newlines
Implement fail-closed approach for label validation: invalid labels must be rejected with warnings rather than thrown exceptions, and rejection attempts must be logged for security monitoring

Files:

• .github/scripts/AIReviewCommon.psm1

.github/scripts/**/*.{sh,psm1}

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-34-pr-60-comment-response.md)

Bash scripts should be migrated to PowerShell (use PowerShell modules like AIReviewCommon.psm1 instead of bash scripts like ai-review-common.sh)

Files:

• .github/scripts/AIReviewCommon.psm1

.github/prompts/**/*.md

📄 CodeRabbit inference engine (.agents/planning/pr-60-architect-review.md)

.github/prompts/**/*.md: Organize prompt templates in .github/prompts/ directory with naming convention: {workflow-name}-{agent-name}.md
Prompt templates should include structured output format instructions with VERDICT:, LABEL:, and MILESTONE: markers

Files:

• .github/prompts/pr-quality-gate-qa.md

**/.github/prompts/**

📄 CodeRabbit inference engine (.agents/retrospective/2025-12-18-ai-workflow-implementation.md)

Use structured output format (PASS/WARN/CRITICAL_FAIL tokens) in GitHub Actions AI review prompts to enable deterministic bash parsing

Files:

• .github/prompts/pr-quality-gate-qa.md

.github/prompts/*.md

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-03-ai-workflow-implementation.md)

Create prompt templates for each specialized AI agent use case in .github/prompts/ directory

Use structured verdict tokens (PASS, WARN, CRITICAL_FAIL) in AI agent output for deterministic bash parsing

Files:

• .github/prompts/pr-quality-gate-qa.md

.github/prompts/pr-quality-gate-*.md

📄 CodeRabbit inference engine (.agents/sessions/2025-12-18-session-11-expand-quality-gate.md)

.github/prompts/pr-quality-gate-*.md: Follow the same prompt structure as existing agents (focus areas, output requirements, verdict format) when creating new AI agent prompts
All AI agent prompts must use the same PASS/WARN/CRITICAL_FAIL verdict structure for consistency in verdict aggregation

Files:

• .github/prompts/pr-quality-gate-qa.md

🔍 Remote MCP GitHub Copilot

It appears the repository may be private or not publicly accessible. Let me search for more general information about AI review workflows and the patterns used in this PR, which may help contextualize the changes:Now let me search for more specific information about GitHub branch protection rules and exit codes in PowerShell workflows:Based on my research, I now have sufficient context to provide a comprehensive summary for PR review. Let me compile the findings.

Additional Context for PR Review

PowerShell Testing & Exit Code Behavior

The PR involves adding a workflow that runs tests with PowerShell and Pester. Pester is used to execute PowerShell tests within a GitHub Workflow and generate reports. The key implementation detail is that exit code 1 (or any non-zero exit code) indicates a process failure, which GitHub Actions uses to fail workflow jobs and block PR merges when branch protections are configured.

Quality Gates & PR Gating Architecture

A software quality gate is an automated checkpoint in the SDLC that evaluates if code meets predefined criteria before it can proceed to the next phase. Required status checks must have a successful, skipped, or neutral status before collaborators can make changes to a protected branch. The PR implements this pattern by mapping verdict states (CRITICAL_FAIL, REJECTED, FAIL, WARN, PASS) to exit codes that GitHub Actions interprets.

GitHub Branch Protection Integration

To enable this PR's gating capability, branch protection rules enforce workflows by requiring passing status checks for all pull requests merged into the protected branch, and you select which checks must pass before merging. GitHub only shows checks that have run on the protected branch within the last 7 days—checks that only ran on PR branches won't appear. This means the workflow must first run on the main branch to become selectable as a required status check.

PowerShell Exit Code Handling

Exit code 1 simply means a process failed; the log should tell which process and might provide hints why. The PR's change to map the FAIL verdict to exit code 1 is architecturally sound and aligns with standard CI/CD practices.

Test Coverage & Verdict Semantics [::PR context summary]

The PR increases QA rigor through: (1) eight explicit FAIL conditions in the QA prompt rewrite, (2) expanded exit code mapping so FAIL produces exit code 1 (previously only CRITICAL_FAIL/REJECTED returned non-zero), (3) treating PARTIAL completeness verdicts as FAIL in spec validation (rather than PARTIAL status), and (4) test coverage for the new FAIL behavior via 128 passing Pester tests.

Key Review Considerations

1. Verdict Logic Coupling: The PR tightly couples verdict semantics (CRITICAL_FAIL, REJECTED, FAIL all return 1) to branch protection enforcement. Verify that the QA prompt FAIL conditions align with team intent for what should block merges.

2. Partial Verdict Handling: The shift from PARTIAL→PARTIAL to PARTIAL→FAIL in spec validation is a breaking semantic change; confirm this aligns with intended strictness for specification compliance gates.

3. Branch Protection Setup: Once merged, repos must manually run workflows on main and configure branch protection rules specifying "Aggregate Results" and "Validate Spec Coverage" as required checks for this to take effect as a PR gate.

🔇 Additional comments (6)

.github/scripts/AIReviewCommon.Tests.ps1 (1)

424-427: Test addition looks correct.

New test case covers the FAIL verdict exit code mapping. Consistent with existing test patterns for CRITICAL_FAIL and REJECTED.

.github/scripts/AIReviewCommon.psm1 (1)

472-474: Exit code mapping expanded correctly.

Adding FAIL to the blocking verdicts aligns with workflow changes. Test coverage confirmed in AIReviewCommon.Tests.ps1.

.github/workflows/ai-pr-quality-gate.yml (1)

390-393: Critical verdict expansion is consistent with module changes.

FAIL now blocks merge alongside CRITICAL_FAIL and REJECTED. Exit code 1 enables branch protection gating.

.github/workflows/ai-spec-validation.yml (1)

345-350: Duplicate logic - see comment on lines 233-240.

Same condition repeated here. Works correctly, but manual sync required if logic changes.

.github/prompts/pr-quality-gate-qa.md (2)

102-137: Verdict thresholds are well-defined with clear FAIL conditions.

The 8 FAIL conditions match PR objectives:

1. Zero tests for new functionality (>10 lines)
2. Empty catch blocks
3. Untested error handling for I/O
4. New code with user input, no validation tests
5. Tests without assertions
6. Breaking changes without migration
7. Data mutation without rollback
8. Functions >100 lines with no tests

Evidence requirements enforce accountability.

---

154-160: Anti-leniency rules are concrete and actionable.

These rules prevent the "probably fine" failure mode. Each rule addresses a specific leniency pattern.

[rjmurillo-bot]

All Review Comments Addressed

Thank you @copilot and @gemini-code-assist for the thorough reviews! All comments have been addressed with the following fixes:

Fixed: HIGH → WARN threshold clarity (Comment 2636679803)

Added explicit condition "One or more HIGH severity issues are found" to WARN verdict threshold
📍 .github/prompts/pr-quality-gate-qa.md:123

✅ Fixed: Verdict options consistency (Comment 2636680854)

Updated verdict options from [PASS|WARN|CRITICAL_FAIL] to [PASS|WARN|FAIL|CRITICAL_FAIL]
📍 .github/prompts/pr-quality-gate-qa.md:145

✅ Fixed: Comment wording precision (Comment 2636680857)

Clarified comment to "PARTIAL completeness verdict should cause the check to FAIL (block merge)"
📍 .github/workflows/ai-spec-validation.yml:233

✅ Fixed: Test Coverage Assessment format (Comment 2636680859)

Added clarifying text "Provide a summary table of test coverage verification results:" before the table
📍 .github/prompts/pr-quality-gate-qa.md:75

✅ Fixed: Get-VerdictExitCode documentation (Comment 2636680861)

Updated function documentation to explicitly state all verdict types returning exit code 1
📍 .github/scripts/AIReviewCommon.psm1:453-455

✅ Bonus: QA-identified test gap

Added explicit test for FAIL verdict in Merge-Verdicts
📍 .github/scripts/AIReviewCommon.Tests.ps1:323-325

Updated Merge-Verdicts logic to treat FAIL as CRITICAL_FAIL
📍 .github/scripts/AIReviewCommon.psm1:304

---

Test Results: ✅ All 129 tests passing
Changes: Documentation only (no logic changes except Merge-Verdicts FAIL handling)
Impact: Improves AI reviewer clarity and completeness

[Copilot]

@rjmurillo-bot I've opened a new pull request, #80, to work on those changes. Once the pull request is ready, I'll request review from you.

[gemini-code-assist]

Thank you, @rjmurillo-bot! I appreciate you addressing all the review comments and for the thorough fixes, especially the bonus test gap resolution. It's great to see the improvements implemented.