chore(coderabbit): enable proplus review config #158

Merged
github-actions[bot] merged 1 commit into main from dev/coderabbit-proplus-20260516155428
May 16, 2026

@ANcpLua ANcpLua (Owner) commented May 16, 2026

What changed

  • Replace or add the repo-root CodeRabbit v2 config with a Pro+ / Enterprise-grade setup.
  • Enable request-changes workflow, failing commit status, expanded review details, linked issues/PRs, sequence diagrams, cross-repository knowledge, web search, MCP knowledge, code generation guidance, issue enrichment, slop detection, and custom finishing-touch recipes.
  • Add repo-aware path instructions while preserving existing bespoke guidance where present.
  • Enable relevant security/static-analysis tools and explicit pre-merge checks for generated-file drift, secrets/PII, async/cancellation safety, public contract drift, CI/release safety, test risk, dependency hygiene, observability, hidden fallbacks, and copy-paste tables.

Why

We have the paid CodeRabbit capacity; this makes CodeRabbit spend it on review depth instead of staying on the old advisory baseline.

Validation

  • Generated from the current CodeRabbit v2 schema reference (https://coderabbit.ai/integrations/schema.v2.json, docs last updated 2026-05-10).
  • Validated .coderabbit.yaml locally against the live schema before pushing this branch.

@github-actions

@coderabbitai autofix

@github-actions github-actions Bot enabled auto-merge (squash) May 16, 2026 13:59
@coderabbitai
Contributor

coderabbitai Bot commented May 16, 2026

Caution

Review failed

Pull request was closed or merged during review

Behavior Changes

Upgraded CodeRabbit v2 configuration from baseline analyzer-focused setup to Pro+ Enterprise-grade posture with blocking workflows. Enabled request_changes_workflow and fail_commit_status, allowing CodeRabbit to block PRs and commits on error-mode pre-merge checks. Disabled collapse_walkthrough to expand review visibility, enabled sequence_diagrams, related_issues, related_prs, and switched profile to assertive with principal/staff-level tone targeting architecture, correctness, security, and CI/release safety. High-level summaries now explicitly instruct for dense engineering summaries avoiding praise/filler.

Path filtering expanded from absent to explicit: excludes **/*.g.{cs,ts,sql,tsp}, **/*.Designer.cs, **/Generated/**, **/bin/**, **/obj/**, **/dist/**, and locks. Path instructions added for C#/.NET flagging sync-over-async patterns, missing CancellationToken on async public/internal methods, DateTime.Now/UtcNow in domain logic, null-forgiving ! without documented justification, catch-and-fallback paths hiding failures, and hardcoded switch/case tables.

Risk Surface

Pre-merge checks expanded substantially. Error-mode checks enforce:

  • No new ISourceGenerator implementations (must use IIncrementalGenerator)
  • No ISymbol storage in incremental generator models (extract value-equatable data only)
  • No null-forgiving operators without inline justification
  • Generated-file regeneration drift detection
  • Secrets/PII detection (gitleaks, trufflehog, presidio)
  • Async/cancellation safety and public contract documentation
  • CI/release safety
  • Hidden fallback paths
  • Copy-paste tables and observability boundary violations
  • Dependency hygiene

Warning-mode checks cover test risk vs code volume, observability boundaries, and analyzer-specific bans (e.g., no symbol storage in incremental models). Tooling baseline shifted from mostly disabled to enabled: github-checks (900s timeout), languagetool (picky mode), shellcheck, markdownlint, yamllint, gitleaks, trufflehog, checkov, trivy, actionlint, opengrep, semgrep, osvScanner, presidio, psscriptanalyzer.

Validation Evidence

Configuration generated from CodeRabbit v2 schema reference (docs last updated 2026-05-10) and validated locally against live schema before push. Single-commit approach with no incremental staging.

Generated Artifacts

finishing_touches expanded to enable docstrings, unit tests, and simplify passes plus custom architecture/security/test-gap/docs-alignment/performance instructions. code_generation now includes path-specific docstring instructions for C# (XML docs for public/protected APIs) and TypeScript (TSDoc for exports/hooks/components). Unit test generation with path instructions for xUnit v3, frontend test stack, and pytest conventions. Issue enrichment auto-enabled with auto-planning for enhancement, bug, good-first-issue, help-wanted labels and auto-apply across 13 area labels including area:analyzers, area:codefixes, area:infra.

Cross-Repo Implications

16 linked repositories registered (ANcpLua/ANcpLua.Agents, ANcpLua/ANcpLua.NET.Sdk, O-ANcppLua/ANcpLua.OtelConventions.Api, ANcpLua/ANcpLua.Roslyn.Utilities, ANcpLua/Arqio, etc.) with instructions to use for cross-repo API, package, build, telemetry, and agent workflow context. MCP usage enabled. Knowledge base configured with global scope for learnings and pull_requests, plus web search enabled. Code guidelines reference CLAUDE.md, AGENTS.md, Directory.Build.props, Directory.Packages.props, global.json, and Version.props for context inheritance.

Walkthrough

.coderabbit.yaml migrated from minimal analyzer-focused configuration to comprehensive Pro/Enterprise review automation, expanding core workflow behavior (request-changes, labeling, path-scoping), pre-merge checks and finishing-touches automation, tooling baselines (security scanners, github-checks), knowledge-base integration with linked repositories and code generation, and issue enrichment with auto-labeling.

Changes

CodeRabbit Review and Automation Configuration

| Layer / File(s) | Summary |
|---|---|
| Core review workflow and path scoping / .coderabbit.yaml | Request-changes workflow enabled, review metadata/reporting toggles changed, labeling expanded from mostly false to enabled, path filtering rewritten with broader includes and explicit exclusion patterns for bins/obj/dist/locks/generated outputs, and repository-area instructions broadened. |
| Finishing touches and pre-merge checks / .coderabbit.yaml | Finishing-touches automation expanded to docstrings/unit-tests/simplify plus custom passes (architecture/security/test-gap/docs/performance). Pre-merge checks substantially expanded with docstring thresholds, blocking checks for secrets/PII/regeneration/async-safety/contract-docs/CI-release-safety, and warnings for test-risk/copy-paste/fallback-paths/observability/dependency-hygiene. |
| Analyzer and security tool configuration / .coderabbit.yaml | Tooling baseline shifted from mostly disabled to enabled: security scanners, github-checks with extended timeout, languagetool picky mode, and multiple analyzers activated. Prior disabled-by-default baseline removed. |
| Knowledge base, MCP, and code generation / .coderabbit.yaml | Knowledge-base file patterns broadened, learning scopes changed, MCP usage enabled, and extensive linked-repositories list added with cross-repo review instructions. Code-generation rules added for docstring and unit-test generation with explicit path instructions. |
| Issue planning and auto-labeling / .coderabbit.yaml | Issue enrichment planning auto-enabled, labeling instructions expanded to include area labels and review:slop guidance, and auto-apply labels toggled on, compared to prior minimal/disabled planning behavior. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • ANcpLua/ANcpLua.Analyzers#95: Both PRs modify .coderabbit.yaml to configure CodeRabbit Pro/Enterprise behavior for Roslyn analyzer review workflows.
  • ANcpLua/ANcpLua.Roslyn.Utilities#92: The .coderabbit.yaml overhaul here is directly tied to that PR's Claude/CodeRabbit automation workflows, which treat .coderabbit.yaml (Sources/ invariants) as authoritative for review decisions.
  • ANcpLua/ANcpLua.Agents#25: Both PRs center on updating CodeRabbit configuration rules and workflow behavior in .coderabbit.yaml.

Suggested labels

area:agents, area:infra, area:security

🚥 Pre-merge checks | ✅ 18 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| No Copy Paste Tables | ⚠️ Warning | PR duplicates labeling_instructions at lines 46-88 and 600-642. Also hardcodes 16 linked_repositories with identical instruction text. Hand-maintained tables should be data-driven or referenced once. | Extract labeling_instructions to single definition; refactor linked_repositories to data-driven list or template per schema. |
| No Null-Forgiving Operator Without Justification | ⚠️ Warning | Check mode is warning but instruction text says "Fail if". Semantics contradiction: mode: warning does not block, but "Fail" means it should block. | Change mode to error, or reword instruction from "Fail if" to "Warn if" for consistency. |

✅ Passed checks (18 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | Title follows conventional commits format with area scope, is under 72 characters (47 chars), has no trailing punctuation, and accurately names the primary change: enabling a Pro+ CodeRabbit configuration. |
| Description check | ✅ Passed | Description is directly related to the changeset, providing clear rationale, detailed feature enumeration, validation approach, and context for the Pro+ configuration changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| No Secrets Or Pii | ✅ Passed | No secrets, tokens, API keys, credentials, or PII found. Repository links are standard GitHub references. Sensitive-data mentions appear only in review policy instructions, not actual secret values. |
| Generated Files Regenerated | ✅ Passed | All repository-generated files (.Designer.cs from .resx, docs/ from analyzer code) are properly synchronized with sources. Source files and generated outputs both included in PR. |
| Async And Cancellation Safe | ✅ Passed | No async/cancellation safety violations. Zero blocking calls, proper CancellationToken propagation, no fire-and-forget tasks. |
| Public Contract Documented | ✅ Passed | PR modifies only .coderabbit.yaml—an internal CodeRabbit review config. No changes to public APIs, schemas, CLI, package surfaces, storage, or contracts. Check not applicable. |
| Ci Release Safety | ✅ Passed | No CI/release safety issues: validation intact, no bypasses/force-push, scoped permissions, no secrets, concurrency on, publish via tag, auto-merge gated by protection. |
| Tests Match Risk | ✅ Passed | Configuration-only PR with no production behavior changes. "Tests Match Risk" requires testing code logic changes; infrastructure/config changes don't trigger this check. |
| No Hidden Fallback Path | ✅ Passed | The "No Hidden Fallback Path" check is correctly configured in .coderabbit.yaml with mode=warning and instructions matching the criteria exactly. Mode and instructions are semantically consistent. |
| Observability Boundary | ✅ Passed | PR adds Roslyn analyzers, code fixes, and configuration. No services, background jobs, queues, network clients, storage writers, MCP tools, or agent workflows introduced. |
| Dependency Hygiene | ✅ Passed | PR is config-only; creates no new dependencies, version changes, or lockfile mismatches. Dependency Hygiene check does not apply. |
| No Datetime.Now/Utcnow In Analyzer Code | ✅ Passed | No DateTime.Now/UtcNow in analyzer/codefix code. The 3 text matches found are only in XML documentation comments, which are appropriately exempt. |
| No .Result/.Wait() Blocking Async | ✅ Passed | Check properly configured in .coderabbit.yaml with error mode, complete instructions for .Result/.Wait()/GetAwaiter().GetResult() detection in C# files. All requirements satisfied. |
| No Isourcegenerator | ✅ Passed | No new ISourceGenerator implementations added. All references are in AL0120UseIncrementalGeneratorAnalyzer, a DiagnosticAnalyzer that detects violations, not implements ISourceGenerator. |
| No Isymbol Stored In Incremental Models | ✅ Passed | No incremental model classes/records in added C# files store ISymbol, SyntaxNode, or Compilation. All production records use only value types (strings, ints, ImmutableArray of primitives). |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev/coderabbit-proplus-20260516155428
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch dev/coderabbit-proplus-20260516155428
  • 🛠️ architecture hardening
  • 🛠️ security pass
  • 🛠️ test gap closure
  • 🛠️ docs and changelog alignment
  • 🛠️ performance and allocation pass

Warning

Review ran into problems

🔥 Problems

Linked repositories: Your configuration references 17 linked repositories, but your current plan allows 10. Analyzed ANcpLua/ANcpLua.Agents, ANcpLua/ANcpLua.NET.Sdk, O-ANcppLua/ANcpLua.OtelConventions.Api, ANcpLua/ANcpLua.Roslyn.Utilities, ANcpLua/Arqio, ANcpLua/BSc_2025_Alexander_Nachtmann, ANcpLua/C64AIToolChain, ANcpLua/ErrorOrX, O-ANcppLua/Nuke.OpenTelemetry.Conventions, ANcpLua/Paperless, skipped ANcpLua/ancplua-claude-plugins, ANcpLua/dotcov, ANcpLua/nhmw-digital-collection, O-ANcppLua/qyl, ANcpLua/safe-autoresearch, ANcpLua/typespec-otel-semconv, ANcpLua/yt-transcript.


Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai
Contributor

coderabbitai Bot commented May 16, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Autofix skipped. No unresolved CodeRabbit review comments with fix instructions found.

@claude

claude Bot commented May 16, 2026

Claude encountered an error after 2s —— View job


I'll analyze this and get back to you.

@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

TIP This summary will be updated as you push new changes.

@codacy-production codacy-production Bot left a comment

Pull Request Overview

The pull request successfully upgrades the repository to a Pro+/Enterprise-grade configuration, aligning with the intent to enforce stricter architectural and security standards. The configuration is generally up to standards; however, a significant logic conflict exists between the global path_filters and the specific instructions for generated files. This conflict currently prevents the 'Generated Files Regenerated' check from functioning, which was a core requirement of this update. Addressing the file exclusion list is necessary to fully realize the intended automated drift detection and safety checks.

About this PR

  • While the configuration implements the requested strict pre-merge checks (Secrets, Async Safety, etc.), there is a pattern of duplication in the labeling logic between Pull Requests and Issues. Using YAML anchors for these shared instruction blocks would reduce future maintenance overhead.

Test suggestions

  • Validate the .coderabbit.yaml file against the official v2 schema for syntax and structural correctness.
  • Verify that path-specific instructions for analyzer code (src/ANcpLua.Analyzers/) include the requirement for IIncrementalGenerator and no ISymbol storage.
  • Ensure all requested custom pre-merge checks (e.g., No Secrets, Async Safe) are correctly defined in the configuration.

TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback

Comment thread .coderabbit.yaml
Comment on lines +101 to +107
- "!**/*.g.cs"
- "!**/*.g.ts"
- "!**/*.g.sql"
- "!**/*.g.tsp"
- "!**/*.Designer.cs"
- "!**/Generated/**"
- "!**/generated/**"
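
Review bot: lines 101-107 decide review scope by file name and directory name alone, so any file that ends in `.g.cs` or sits under a `Generated/` or `generated/` directory is skipped whether or not a generator produced it. If path filters define which files are available for review, the secrets/PII and other pre-merge checks enabled in this PR do not see those files either. Consider keeping these paths in scope and using path_instructions to stop the reviewer proposing manual edits, or narrowing the patterns to the directories the generators are known to write to.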

🟡 MEDIUM RISK

Excluding generated files (e.g., **/*.g.cs, **/Generated/**) via path_filters prevents CodeRabbit from detecting drift or verifying that downstream files were correctly updated. This conflicts with the 'Generated Files Regenerated' pre-merge check (line 274) and the specific 'Generated-output discipline' instructions (line 156). To support regeneration validation and ensure the AI can monitor for manual edits to generated artifacts, these exclusions should be removed from the top-level filters. Instead, rely on the path_instructions to prevent the AI from suggesting manual edits to them.

Try running the following prompt in your coding agent:

Remove the exclusion patterns for generated files and directories from .coderabbit.yaml (lines 101-107) to ensure the Generated Files Regenerated check and related path_instructions have access to the necessary file context.

Comment thread .coderabbit.yaml
Comment on lines +46 to +88
labeling_instructions:
- label: area:api
instructions: Apply when REST, RPC, MCP, public endpoints, contracts, or request/response
models change.
- label: area:ui
instructions: Apply when frontend UI, styling, accessibility, or client-side state
changes.
- label: area:build
instructions: Apply when build scripts, NUKE/MSBuild, package managers, Docker,
CI, or release automation change.
- label: area:test
instructions: Apply when tests, fixtures, test infrastructure, coverage, or snapshots
change.
- label: area:docs
instructions: Apply when docs, AGENTS.md, CLAUDE.md, README, changelogs, specs,
or generated reference docs change.
- label: area:security
instructions: Apply when authentication, authorization, secrets, token handling,
logging of sensitive data, or dependency security changes.
- label: area:data
instructions: Apply when database schema, persistence, migrations, queues, storage,
serialization, generated data, or data contracts change.
- label: area:agents
instructions: Apply when agent prompts, MCP tools, AI workflow code, model calls,
tool schemas, or agent-facing instructions change.
- label: area:generated
instructions: Apply when generated files, generators, schemas, OpenAPI/TypeSpec/semconv
models, lockfiles, or generated docs change.
- label: breaking
instructions: Apply when public APIs, CLI flags, package surfaces, endpoint schemas,
storage formats, config keys, or emitted artifacts change incompatibly.
- label: review:slop
instructions: Auto-applied by CodeRabbit slop detection for low-quality AI-generated
changes. Do not apply manually.
- label: area:analyzers
instructions: Apply when analyzer rules change.
- label: area:codefixes
instructions: Apply when code fixes change.
- label: area:tests
instructions: Apply when the PR modifies tests/.
- label: area:infra
instructions: Apply when the PR modifies .github/, eng/, or root build infrastructure.
auto_apply_labels: true
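
Review bot: `area:test` (tests, fixtures, test infrastructure, coverage, snapshots) and `area:tests` (the PR modifies tests/) are two near-identically named labels with overlapping scope, and with `auto_apply_labels: true` most test changes will receive both. Merge them into one label or rename them so the distinction is clear. The same overlap exists, less sharply, between `area:build` and `area:infra`, which both claim CI and build infrastructure.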

⚪ LOW RISK

Suggestion: The labeling_instructions block is repeated identically at line 600. To improve maintainability and ensure both Pull Requests and Issues use consistent logic, consider defining the list once using a YAML anchor and referencing it with an alias in both sections.

Try running the following prompt in your coding agent:

Consolidate the identical labeling_instructions blocks at lines 46 and 600 in .coderabbit.yaml using a YAML anchor and alias to eliminate redundancy.

@github-actions github-actions Bot merged commit 48dd827 into main May 16, 2026
10 of 11 checks passed
@ANcpLua ANcpLua deleted the dev/coderabbit-proplus-20260516155428 branch May 16, 2026 14:03
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: aafd42cab7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .coderabbit.yaml
Comment on lines +106 to +107
- "!**/Generated/**"
- "!**/generated/**"

P2 Badge Include generated directories in review scope

The new Generated Files Regenerated pre-merge check requires CodeRabbit to verify downstream generated artifacts, but path_filters now excludes both **/Generated/** and **/generated/**. Because path filters define which files are available for review/sparse checkout, this creates false negatives when generator inputs change and generated outputs are missing or stale, so the check can no longer reliably enforce the rule it was added for.

Useful? React with 👍 / 👎.
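
An added example (not part of the PR or of any reviewer's comment): a Python check for the review-scope gap raised in the two threads above, listing which changed files the `!` entries at lines 101-107 would hide from review. The glob semantics (`**/` spans zero or more directories, case-sensitive matching, `!` means exclude) and the changed-file list are assumptions made for illustration.

```python
import re

# The seven exclusion entries quoted in the thread (.coderabbit.yaml lines 101-107).
PATH_FILTERS = [
    "!**/*.g.cs", "!**/*.g.ts", "!**/*.g.sql", "!**/*.g.tsp",
    "!**/*.Designer.cs", "!**/Generated/**", "!**/generated/**",
]


def glob_to_regex(pattern):
    """Translate a glob into an anchored regex.

    Assumed semantics: `**/` spans zero or more directories, a bare `**`
    matches anything, `*` and `?` stay within one path segment, and
    matching is case-sensitive.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def excluding_pattern(path, filters=PATH_FILTERS):
    """Return the first `!` entry that removes `path` from review scope, else None."""
    for entry in filters:
        if entry.startswith("!") and glob_to_regex(entry[1:]).match(path):
            return entry
    return None


def out_of_scope(changed_files, filters=PATH_FILTERS):
    """Map each changed file that review would not see to the entry responsible."""
    hits = ((path, excluding_pattern(path, filters)) for path in changed_files)
    return {path: entry for path, entry in hits if entry}


# Constructed list of changed files for illustration (not from the repository).
SAMPLE_CHANGED = [
    "src/ANcpLua.Analyzers/Rules/Example.cs",
    "src/ANcpLua.Analyzers/Resources.Designer.cs",
    "src/Client/Generated/ApiClient.cs",
    "src/Client/generated/handwritten_patch.cs",
    "tools/schema.g.sql",
    "src/GENERATED/Upper.cs",
]

if __name__ == "__main__":
    for path, entry in out_of_scope(SAMPLE_CHANGED).items():
        print(f"not reviewed: {path}  (excluded by {entry})")
```

Run against the file list of a real PR, a non-empty result next to a passing "Generated Files Regenerated" check means the check passed without seeing those files.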
