Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
33 commits
Select commit Hold shift + click to select a range
f86ae20
feat: add image generation metadata re-stamp script
BigSimmo Jul 8, 2026
bac1752
chore: reconcile ingestion RPC execute privileges, schema.sql and dri…
BigSimmo Jul 9, 2026
9216187
ci: add db-reset-verify and dependency-review workflows
BigSimmo Jul 9, 2026
83b437e
ci: remove dependency-review workflow because repository is private w…
BigSimmo Jul 9, 2026
1eee7d8
Merge origin/main into claude/llm-pipeline-review
Copilot Jul 9, 2026
50adfd5
Merge remote-tracking branch 'origin/claude/llm-pipeline-review' into…
Copilot Jul 9, 2026
6b7e581
📝 CodeRabbit Chat: Simplify code implementation (#434)
coderabbitai[bot] Jul 9, 2026
7efedc2
fix(db): rename duplicate migration version 20260708160000 to unique …
BigSimmo Jul 9, 2026
24314db
fix: run prettier on 19 files to fix CI format:check failure (#436)
Copilot Jul 9, 2026
def4753
fix: address PR 433 review comments
cursoragent Jul 9, 2026
255ca67
fix: address follow-up PR 433 review comments
cursoragent Jul 9, 2026
e811cc1
fix: address PR 433 review blockers
BigSimmo Jul 9, 2026
553eac9
fix: address PR 433 review comments on image re-stamp and eval forcing
cursoragent Jul 9, 2026
d831252
Merge origin/main into claude/llm-pipeline-review
Copilot Jul 9, 2026
7449ebf
Merge remote-tracking branch 'origin/claude/llm-pipeline-review' into…
BigSimmo Jul 9, 2026
a76fc39
Merge remote-tracking branch 'origin/claude/llm-pipeline-review' into…
BigSimmo Jul 9, 2026
6a90516
fix: restore neutralized 160000 migration for Supabase Preview parity
BigSimmo Jul 9, 2026
e1b5407
ci: keep supabase cache save non-blocking
BigSimmo Jul 9, 2026
6c06307
Merge remote-tracking branch 'origin/claude/llm-pipeline-review' into…
BigSimmo Jul 9, 2026
93c70e3
ci: run migration verification before docker image cache save
Copilot Jul 9, 2026
c424845
fix: address registry corpus review comments
BigSimmo Jul 9, 2026
75ad728
Finish RAG registry re-embed and quality routing (#438)
BigSimmo Jul 9, 2026
3e64189
docs: codify review and branch cleanup workflow
BigSimmo Jul 9, 2026
009e85c
Merge remote-tracking branch 'origin/claude/llm-pipeline-review' into…
BigSimmo Jul 9, 2026
fb382ee
ci: soft-skip Codex autoresolve comment permission errors
BigSimmo Jul 9, 2026
b40d991
merge: start resolving conflicts with origin/main
Copilot Jul 9, 2026
bb2f12c
Merge branch 'main' into codex/autoresolve-listcomments-403
BigSimmo Jul 9, 2026
11d567d
merge: resolve conflicts with origin/main
Copilot Jul 9, 2026
c5cd50a
fix: run prettier on files failing CI format:check
Copilot Jul 9, 2026
73aab70
fix: apply CodeRabbit auto-fixes
coderabbitai[bot] Jul 9, 2026
9130372
fix: format docs/branch-review-ledger.md to pass Prettier check
Copilot Jul 9, 2026
f81bdc4
merge: resolve conflicts with origin/main
Copilot Jul 9, 2026
ecd4fd4
fix: harden Codex auto-resolve review guard
BigSimmo Jul 9, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,9 @@ jobs:
- name: Runtime alignment
run: npm run check:runtime

- name: Codex auto-resolve workflow guard
run: npm run check:codex-autofix-workflow

- name: Dependency vulnerability audit
# Non-mutating gate. The document parsers (pdf-parse, pdfjs-dist, mammoth,
# exceljs, jszip) process untrusted uploads, so high/critical advisories in
Expand Down
24 changes: 18 additions & 6 deletions .github/workflows/codex-autofix-review-comments.yml
Original file line number Diff line number Diff line change
Expand Up @@ -49,12 +49,23 @@ jobs:
const issue_number = pr.number;
const marker = `<!-- codex-autoresolve-pr:${pr.number} -->`;

const existingComments = await github.paginate(github.rest.issues.listComments, {
owner,
repo,
issue_number,
per_page: 100,
});
let existingComments;
try {
existingComments = await github.paginate(github.rest.issues.listComments, {
owner,
repo,
issue_number,
per_page: 100,
});
} catch (error) {
if (error.status === 403) {
core.warning("Skipping Codex auto-resolve request because GitHub denied permission to list issue comments.");
core.notice("Grant issues: read/write permission or allow the workflow token to read issue comments to enable duplicate request checks.");
return;
}

throw error;
}

if (existingComments.some((comment) => (comment.body || "").includes(marker))) {
core.notice("Skipping duplicate Codex auto-resolve request for this pull request.");
Expand All @@ -79,5 +90,6 @@ jobs:
core.warning("Skipping Codex auto-resolve request because this workflow token cannot comment on the pull request.");
return;
}

throw error;
}
7 changes: 4 additions & 3 deletions AGENTS.md
Original file line number Diff line number Diff line change
Expand Up @@ -335,19 +335,20 @@ When explicitly asked to fix or resolve review findings:

### Automatic resolve trigger

Automatic Codex review is review-only by default. This repository includes `.github/workflows/codex-autofix-review-comments.yml`, which requests the resolve task automatically after Codex posts a top-level review comment.
Automatic Codex review is review-only by default. This repository includes `.github/workflows/codex-autofix-review-comments.yml`, which requests one scoped resolve task after Codex posts an inline PR review comment.

- The workflow must only trigger from Codex review bot comments on open pull requests.
- Do not add `issue_comment`, `pull_request_review`, scheduled, push, or broad PR triggers to this workflow without explicit human approval.
- The workflow must skip review-thread replies and auto-resolve request comments so Codex fix summaries do not re-trigger the workflow.
- The workflow must ask Codex to resolve all review comments using these repository instructions.
- The workflow must ask Codex to resolve only actionable Codex review findings for the triggering pull request and current head.
- The workflow must avoid duplicate requests for the same pull request, even after follow-up commits change the head SHA.
- The workflow must not run Codex directly with API credentials.
- P0 and P1 findings should always be fixed.
- P2 and lower findings should be fixed only when clear, scoped, low-risk, and testable; otherwise explain the decision and resolve or mark ready for human resolution.

### Primary PR command

`@codex resolve all review comments using the repository instructions. Always fix P0 and P1 findings. For P2 and lower findings, decide whether each is worth fixing automatically. Fix clear, scoped, low-risk issues with the best minimal change; otherwise reply explaining why the issue is deferred or not actionable. After each fix or decision, resolve the review conversation if supported. Do not use external APIs, paid services, credentials, dependency changes, or broad refactors unless explicitly authorized. Add targeted tests where behavior changes and run the narrowest relevant validation.`
`@codex resolve actionable Codex review findings for this pull request and current head using the repository instructions. Always fix P0 and P1 findings. For P2 and lower findings, decide whether each is worth fixing automatically. Fix clear, scoped, low-risk issues with the best minimal change; otherwise reply explaining why the issue is deferred or not actionable. Do not update the branch from main, address unrelated reviews, broaden scope, or create more than one scoped fix commit unless explicitly asked. After each fix or decision, resolve the review conversation if supported. Do not use external APIs, paid services, credentials, dependency changes, or broad refactors unless explicitly authorized. Add targeted tests where behavior changes and run the narrowest relevant validation.`

## Cursor Cloud specific instructions

Expand Down
6 changes: 3 additions & 3 deletions docs/branch-review-ledger.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,6 @@ Use this ledger to prevent repeated branch and PR reviews when the reviewed HEAD

## Review Records

| Date | Branch or ref | Reviewed HEAD | Scope | Outcome | Checks |
| ---------- | -------------- | ------------- | -------------- | ------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- |
| 2026-07-09 | example/branch | abc1234 | branch-cleanup | Example: already merged into `main`; no unique patch content. | `git log --right-only --cherry-pick main...example/branch`; `git diff --name-status main...example/branch` |
| Date | Branch or ref | Reviewed HEAD | Scope | Outcome | Checks |
| ---------- | -------------- | --------------------------------------- | -------------- | ------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- |
| 2026-07-09 | example/branch | abc1234567890abcdef1234567890abcdef1234 | branch-cleanup | Example: already merged into `main`; no unique patch content. | `git log --right-only --cherry-pick main...example/branch`; `git diff --name-status main...example/branch` |
4 changes: 2 additions & 2 deletions docs/codex-review-protocol.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,10 @@ Use this protocol for every Codex review, audit, bug hunt, PR review, release-re
## Mutation Rules

- For a pure review request, do not edit files, stage, commit, push, post PR comments, rerun hosted CI, or call provider-backed services.
- Exception: append the completed review record to `docs/branch-review-ledger.md` so throttling state persists.
- If the user clearly asks to fix confirmed findings, make the smallest safe change and verify with local, static, or mocked checks first.
- Ask before any OpenAI, Supabase, GitHub/GitLab, hosted CI, or provider-backed workflow.
- After any completed branch/PR review, update `docs/branch-review-ledger.md` with date, branch/ref, HEAD, scope, outcome, and checks. This ledger append is allowed even during a pure review.
- For pure reviews, do not update `docs/branch-review-ledger.md` unless the user explicitly asks for a committed process update. If a ledger note would be useful, mention the suggested row in the final response instead.
- When the user explicitly asks for a branch/PR review record, update `docs/branch-review-ledger.md` with date, branch/ref, HEAD, scope, outcome, and checks as a scoped documentation change.

## Severity Guide

Expand Down
1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
"sitemap:update": "tsx scripts/generate-site-map.ts",
"sitemap:check": "tsx scripts/generate-site-map.ts --check",
"check:runtime": "tsx scripts/check-runtime.ts",
"check:codex-autofix-workflow": "node scripts/check-codex-autofix-workflow.mjs",
"check:deployment-readiness": "node scripts/deployment-boot-smoke.mjs",
"check:edge:functions": "node scripts/check-edge-functions.mjs",
"check:production-readiness": "tsx scripts/production-readiness.ts",
Expand Down
53 changes: 53 additions & 0 deletions scripts/check-codex-autofix-workflow.mjs
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
import fs from "node:fs";

const workflowPath = ".github/workflows/codex-autofix-review-comments.yml";
const workflow = fs.readFileSync(workflowPath, "utf8");

const failures = [];

const forbiddenPatterns = [
{
pattern: /github\.event\.pull_request\.head\.sha/,
message: "Do not key the Codex auto-resolve workflow on github.event.pull_request.head.sha.",
},
{
pattern: /pr\.head\.sha/,
message: "Do not key the Codex auto-resolve workflow on pr.head.sha.",
},
{
pattern: /^\s*issue_comment:/m,
message: "Do not trigger Codex auto-resolve from issue_comment events.",
},
{
pattern: /^\s*pull_request_review:/m,
message: "Do not trigger Codex auto-resolve from whole pull_request_review events.",
},
];

for (const { pattern, message } of forbiddenPatterns) {
if (pattern.test(workflow)) {
failures.push(message);
}
}

if (!workflow.includes("group: codex-autoresolve-${{ github.event.pull_request.number }}")) {
failures.push("Codex auto-resolve concurrency must be scoped to the pull request number only.");
}

if (!workflow.includes("codex-autoresolve-pr:${pr.number}")) {
failures.push("Codex auto-resolve marker must be scoped to the pull request, not the head SHA.");
}

if (!workflow.includes('sourceBody.includes("@codex resolve all review comments")')) {
Comment thread
BigSimmo marked this conversation as resolved.
failures.push("Codex auto-resolve workflow must skip comments that already look like resolve requests.");
}

if (failures.length > 0) {
console.error(`Codex auto-resolve workflow guard failed for ${workflowPath}:`);
for (const failure of failures) {
console.error(`- ${failure}`);
}
process.exit(1);
}

console.log("Codex auto-resolve workflow guard passed.");
Loading