feat: implement issue #395 — Compliance: dev-lead-stub-concurrency

[don-petry]

Closes #395

Implemented by dev-lead agent. Please review.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[coderabbitai]

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 30 minutes and 27 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 72f1112e-62db-4174-9a7e-d150a808aeb3

📥 Commits

Reviewing files that changed from the base of the PR and between 4c801bc and 1d9a75f.

📒 Files selected for processing (1)

• .github/workflows/dev-lead.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev-lead/issue-395-20260626-2206

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

[don-petry]

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning

Issues addressed: 0 (rate-limit notification only, no code issues identified)
Files reviewed: .github/workflows/dev-lead.yml (rate-limited before completion)
Action needed: None — this is informational about account rate limits, not code quality
All CI checks: ✅ Passing
```
The PR is ready to merge from a code quality perspective. The CodeRabbit rate limit is an organizational account issue and not something that requires code changes.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 1d9a75f71c882303f9be4a96bc21699b456b8de1
Review mode: triage-approved (single reviewer)

Summary

Compliance fix for issue #395 (dev-lead-stub-concurrency). Removes the per-stub concurrency: block from .github/workflows/dev-lead.yml so concurrency is governed solely by the centralized per-issue/per-PR lanes in dev-lead-reusable.yml, preventing drift and cancelled issue pickups. Remaining changes are explanatory comments and one stale-comment removal on the statuses: read permission. Net +9/-4, single file, no logic or security-surface change.

Linked issue analysis

Issue #395 asked to remove the stub's own concurrency: block because concurrency is centralized in the reusable workflow. The PR does exactly that, replacing the block with a comment documenting the rationale and the #402 reference. Substantively addressed.

Findings

No blocking findings. The concurrency block is correctly removed; centralization in dev-lead-reusable.yml is the established pattern. The 'uses:' pin to @dev-lead/stable (moving channel tag) is pre-existing and intentional per the added comment (avoids the self-host circular dependency), not introduced here. Removal of the '# required by ...#435' comment on 'statuses: read' is cosmetic — the permission itself is retained. Secret-scanning MCP tool unavailable in this environment; relied on the gitleaks CI check (passed) — diff contains no secret material.

CI status

All required checks green: build-and-test, Node.js Tests, Playwright, Coverage, CodeQL (actions/js-ts/python), SonarCloud, gitleaks secret scan, dependency-audit, agent-shield, autofix. Skipped checks are expected no-ops (dependabot, pr-review-mention, etc.). mergeStateStatus is BLOCKED only because org-leads review is still required — which this approval satisfies.

---

Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

[github-actions]

CI Failure: SonarCloud Code Analysis

Step: SonarCloud Code Analysis (external quality gate)
Root cause: Config error

The SonarCloud quality gate is blocking this PR, but the diff only modifies .github/workflows/dev-lead.yml (removing the repo-level concurrency block and a trailing comment). SonarCloud analyzes source code quality across the whole project and its gate can fail for reasons unrelated to the specific change — most commonly because the project has unresolved quality-gate conditions (coverage, bugs, or code smells) that predate this PR, or because the SONAR_TOKEN secret is not available in the context of this workflow run.

Suggested fix: Check the SonarCloud dashboard for the failing quality-gate condition (coverage drop, new bugs, or a missing/expired SONAR_TOKEN secret in repo settings), then either resolve the flagged issue or, if it is a pre-existing baseline problem, mark it as accepted in SonarCloud before re-running the check.

View run logs