Feat/Auto Fix Github issues and do extensive AI PR reviews

[AndyMik90]

Base Branch

• This PR targets the develop branch (required for all feature/fix PRs)
• This PR targets main (hotfix only - maintainers)

Description

Adds the functionality for maintainers and users of Auto Claude to handle Github issues in full auto and also do extensive PR reviews much faster.

Related Issue

Closes #

Type of Change

• 🐛 Bug fix
• ✨ New feature
• 📚 Documentation
• ♻️ Refactor
• 🧪 Test

Area

• [] Frontend
• Backend
• Fullstack

Commit Message Format

Follow conventional commits: <type>: <subject>

Types: feat, fix, docs, style, refactor, test, chore

Example: feat: add user authentication system

Checklist

• I've synced with develop branch
• I've tested my changes locally
• I've followed the code principles (SOLID, DRY, KISS)
• My PR is small and focused (< 400 lines ideally)

CI/Testing Requirements

• All CI checks pass
• All existing tests pass
• New features include test coverage
• Bug fixes include regression tests

Screenshots

Before	After

Feature Toggle

• Behind localStorage flag: use_feature_name
• Behind settings toggle
• Behind environment variable/config
• N/A - Feature is complete and ready for all users

Breaking Changes

Breaking: Yes / No

Details:

Summary by CodeRabbit

Release Notes

• Chores

  • Bumped version from 2.7.1 to 2.7.2

• New Features

  • Implemented comprehensive GitHub automation framework supporting PR review, issue triage, and auto-fix workflows with AI-assisted analysis
  • Added batch processing capability to group and fix related issues together
  • Integrated multi-repository support with per-repo configuration and state isolation
  • Introduced permission-based controls and bot detection for safety

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR introduces a comprehensive GitHub automation framework comprising prompt-based analysis, multi-pass PR reviews, issue triage and batching, auto-fix workflow orchestration, and data persistence. It implements audit logging, permission checking, rate limiting, bot detection, and multi-repo support with specialized services coordinated through a central orchestrator.

Changes

Cohort / File(s)	Summary
Documentation & Prompts README.md, apps/backend/prompts/github/*	Version bump (2.7.1 → 2.7.2) and eight new Markdown prompts defining structured workflows for duplicate detection, issue analysis, triage, PR review, fixing, structural assessment, AI comment triage, and spam detection.
Core Framework & Data Models apps/backend/runners/github/models.py, apps/backend/runners/github/orchestrator.py, apps/backend/runners/github/errors.py	Comprehensive data structures for PR findings, triage results, auto-fix states, and config. Orchestrator coordinates PR review, triage, auto-fix, and batch workflows. Error hierarchy with structured error handling and UI-friendly formatting.
Persistence & State Management apps/backend/runners/github/file_lock.py, apps/backend/runners/github/lifecycle.py, apps/backend/runners/github/cleanup.py, apps/backend/runners/github/purge_strategy.py	Atomic file locking with async support; issue lifecycle state machine with conflict resolution; data retention policies and GDPR-compliant purge framework; archive and cleanup utilities.
GitHub Integration apps/backend/runners/github/gh_client.py, apps/backend/runners/github/bot_detection.py, apps/backend/runners/github/context_gatherer.py, apps/backend/runners/github/duplicates.py	Async GitHub CLI client with timeout/retry; bot detection to prevent self-review loops; PR context gathering with AI bot comment parsing; semantic duplicate detection with embeddings and entity extraction.
Analysis & Scoring apps/backend/runners/github/confidence.py, apps/backend/runners/github/output_validator.py, apps/backend/runners/github/sanitize.py	Confidence scoring for review findings with false-positive risk assessment; output validation with line number verification and actionability scoring; content sanitization and prompt-injection detection.
Learning & Memory apps/backend/runners/github/learning.py, apps/backend/runners/github/memory_integration.py, apps/backend/runners/github/audit.py	Review outcome tracking and accuracy metrics; Graphiti memory integration for codebase patterns and historical context; comprehensive audit logging with correlation IDs and operation history.
Batch Processing apps/backend/runners/github/batch_issues.py, apps/backend/runners/github/batch_validator.py	Issue clustering and batching with semantic similarity; AI-powered batch validation with suggested splits; state tracking and persistence for batch workflows.
Services Layer apps/backend/runners/github/services/*	Prompt management for multi-pass reviews; response parsing with confidence filtering; PR review engine with deduplication; triage, auto-fix, and batch processors with progress callbacks.
Authorization & Rate Limiting apps/backend/runners/github/permissions.py, apps/backend/runners/github/rate_limiter.py, apps/backend/runners/github/override.py	Role-based permission checking with scope validation; token bucket and cost tracking; grace period management and user command parsing for overrides.
Multi-Repo & Configuration apps/backend/runners/github/multi_repo.py, apps/backend/runners/github/onboarding.py	Multi-repo configuration with path-scoped monorepo support; cross-repo duplicate detection; onboarding workflow with progressive enablement phases and setup checklist.
Provider Abstraction apps/backend/runners/github/providers/*	Git provider protocol defining provider-agnostic interface; factory pattern for provider instantiation; GitHub provider implementation wrapping GH CLI.
Utilities apps/backend/runners/github/storage_metrics.py	Storage consumption analysis and metrics collection per component type.
Examples & CLI apps/backend/runners/github/example_usage.py, apps/backend/runners/github/bot_detection_example.py, apps/backend/runners/github/runner.py	Concurrent usage patterns; bot detection integration examples; comprehensive CLI with review, triage, auto-fix, batch, and queue commands.
Package Initialization apps/backend/runners/github/__init__.py, apps/backend/runners/github/services/__init__.py, apps/backend/runners/github/providers/__init__.py	Public API re-exports for orchestrator, models, config, and service components.

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant Orchestrator
    participant ContextGatherer
    participant PRReviewEngine
    participant Services
    participant AuditLogger
    
    User->>Orchestrator: review_pr(pr_number)
    Orchestrator->>AuditLogger: start_operation(PR_REVIEW_STARTED)
    Orchestrator->>ContextGatherer: gather()
    ContextGatherer->>ContextGatherer: fetch PR metadata, files, commits, AI bot comments
    ContextGatherer-->>Orchestrator: PRContext
    Orchestrator->>PRReviewEngine: run_multi_pass_review(context)
    PRReviewEngine->>Services: run_review_pass(QUICK_SCAN)
    Services->>Services: prompt + AI client → findings
    PRReviewEngine->>Services: run_review_pass(SECURITY)
    Services-->>PRReviewEngine: findings[]
    PRReviewEngine->>PRReviewEngine: deduplicate_findings()
    PRReviewEngine-->>Orchestrator: findings, structural_issues, ai_triages, quick_scan
    Orchestrator->>Orchestrator: generate verdict, risk assessment, summary
    Orchestrator->>Orchestrator: post review + ai_triage replies
    Orchestrator->>AuditLogger: log(PR_REVIEW_COMPLETED, result)
    Orchestrator-->>User: PRReviewResult

Loading

sequenceDiagram
    participant BatchService
    participant IssueBatcher
    participant DuplicateDetector
    participant BatchValidator
    participant Storage
    
    BatchService->>IssueBatcher: create_batches(issues)
    IssueBatcher->>DuplicateDetector: _build_similarity_matrix()
    DuplicateDetector->>DuplicateDetector: get embeddings (cache + compute)
    DuplicateDetector->>DuplicateDetector: cosine_similarity scores
    DuplicateDetector-->>IssueBatcher: similarity_matrix
    IssueBatcher->>IssueBatcher: _cluster_issues (agglomerative)
    IssueBatcher->>IssueBatcher: _create_batch_from_issues (primary + items)
    IssueBatcher->>BatchValidator: validate_batch()
    BatchValidator->>BatchValidator: format issues + call Claude
    BatchValidator-->>IssueBatcher: BatchValidationResult
    IssueBatcher->>IssueBatcher: _validate_and_split_batches (handle invalid)
    IssueBatcher->>Storage: save(IssueBatch) + update index
    IssueBatcher-->>BatchService: IssueBatch[]

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

---

🐰 wiggles nose at grand automation
GitHub issues now batch in formation!
Reviews and triages dance in the night,
With learning and memory keeping things right.
A framework so grand, let's hop into flight! 🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Feat/Auto Fix Github issues and do extensive AI PR reviews' clearly summarizes the main changes by mentioning the two primary capabilities added: issue auto-fixing and AI-powered PR reviews.
Docstring Coverage	✅ Passed	Docstring coverage is 80.94% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/auto-git-issues-prs

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cursor]

Stale timestamp saved to file due to ordering error

The save method updates updated_at on line 149 AFTER writing the file on line 147. Since to_dict() includes updated_at in its serialization (line 113), the saved file contains the OLD timestamp, not the new one. When the batch is loaded from disk later, it will have a stale updated_at value. The timestamp assignment needs to happen before json.dump is called.

 

[cursor]

Inconsistent dict keys returned for empty findings list

The get_summary method returns inconsistent dictionary keys depending on whether scored_findings is empty. The empty case (lines 527-533) returns only total, avg_confidence, by_level, and by_risk. The non-empty case (lines 548-556) also includes high_confidence_count and low_risk_count. Callers accessing these missing keys on an empty summary will get a KeyError.

Additional Locations (1)

• apps/backend/runners/github/confidence.py#L547-L556

 

[coderabbitai]

Actionable comments posted: 135

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0f7d6e0 and b38a60e.

📒 Files selected for processing (116)

• README.md
• apps/backend/prompts/github/duplicate_detector.md
• apps/backend/prompts/github/issue_analyzer.md
• apps/backend/prompts/github/issue_triager.md
• apps/backend/prompts/github/pr_ai_triage.md
• apps/backend/prompts/github/pr_fixer.md
• apps/backend/prompts/github/pr_reviewer.md
• apps/backend/prompts/github/pr_structural.md
• apps/backend/prompts/github/spam_detector.md
• apps/backend/runners/github/__init__.py
• apps/backend/runners/github/audit.py
• apps/backend/runners/github/batch_issues.py
• apps/backend/runners/github/batch_validator.py
• apps/backend/runners/github/bot_detection.py
• apps/backend/runners/github/bot_detection_example.py
• apps/backend/runners/github/cleanup.py
• apps/backend/runners/github/confidence.py
• apps/backend/runners/github/context_gatherer.py
• apps/backend/runners/github/duplicates.py
• apps/backend/runners/github/errors.py
• apps/backend/runners/github/example_usage.py
• apps/backend/runners/github/file_lock.py
• apps/backend/runners/github/gh_client.py
• apps/backend/runners/github/learning.py
• apps/backend/runners/github/lifecycle.py
• apps/backend/runners/github/memory_integration.py
• apps/backend/runners/github/models.py
• apps/backend/runners/github/multi_repo.py
• apps/backend/runners/github/onboarding.py
• apps/backend/runners/github/orchestrator.py
• apps/backend/runners/github/output_validator.py
• apps/backend/runners/github/override.py
• apps/backend/runners/github/permissions.py
• apps/backend/runners/github/providers/__init__.py
• apps/backend/runners/github/providers/factory.py
• apps/backend/runners/github/providers/github_provider.py
• apps/backend/runners/github/providers/protocol.py
• apps/backend/runners/github/purge_strategy.py
• apps/backend/runners/github/rate_limiter.py
• apps/backend/runners/github/runner.py
• apps/backend/runners/github/sanitize.py
• apps/backend/runners/github/services/__init__.py
• apps/backend/runners/github/services/autofix_processor.py
• apps/backend/runners/github/services/batch_processor.py
• apps/backend/runners/github/services/pr_review_engine.py
• apps/backend/runners/github/services/prompt_manager.py
• apps/backend/runners/github/services/response_parsers.py
• apps/backend/runners/github/services/triage_engine.py
• apps/backend/runners/github/storage_metrics.py
• apps/backend/runners/github/test_bot_detection.py
• apps/backend/runners/github/test_context_gatherer.py
• apps/backend/runners/github/test_enhanced_pr_review.py
• apps/backend/runners/github/test_file_lock.py
• apps/backend/runners/github/test_gh_client.py
• apps/backend/runners/github/test_permissions.py
• apps/backend/runners/github/test_rate_limiter.py
• apps/backend/runners/github/testing.py
• apps/backend/runners/github/trust.py
• apps/backend/runners/github/validator_example.py
• apps/frontend/package.json
• apps/frontend/src/main/ipc-handlers/github/autofix-handlers.ts
• apps/frontend/src/main/ipc-handlers/github/index.ts
• apps/frontend/src/main/ipc-handlers/github/pr-handlers.ts
• apps/frontend/src/main/ipc-handlers/github/triage-handlers.ts
• apps/frontend/src/main/ipc-handlers/github/utils/index.ts
• apps/frontend/src/main/ipc-handlers/github/utils/ipc-communicator.ts
• apps/frontend/src/main/ipc-handlers/github/utils/logger.ts
• apps/frontend/src/main/ipc-handlers/github/utils/project-middleware.ts
• apps/frontend/src/main/ipc-handlers/github/utils/subprocess-runner.ts
• apps/frontend/src/main/ipc-handlers/task/crud-handlers.ts
• apps/frontend/src/preload/api/index.ts
• apps/frontend/src/preload/api/modules/github-api.ts
• apps/frontend/src/renderer/App.tsx
• apps/frontend/src/renderer/components/GitHubIssues.tsx
• apps/frontend/src/renderer/components/Sidebar.tsx
• apps/frontend/src/renderer/components/github-issues/components/AutoFixButton.tsx
• apps/frontend/src/renderer/components/github-issues/components/BatchReviewWizard.tsx
• apps/frontend/src/renderer/components/github-issues/components/IssueDetail.tsx
• apps/frontend/src/renderer/components/github-issues/components/IssueListHeader.tsx
• apps/frontend/src/renderer/components/github-issues/components/index.ts
• apps/frontend/src/renderer/components/github-issues/hooks/index.ts
• apps/frontend/src/renderer/components/github-issues/hooks/useAnalyzePreview.ts
• apps/frontend/src/renderer/components/github-issues/hooks/useAutoFix.ts
• apps/frontend/src/renderer/components/github-issues/hooks/useGitHubInvestigation.ts
• apps/frontend/src/renderer/components/github-issues/hooks/useGitHubIssues.ts
• apps/frontend/src/renderer/components/github-issues/types/index.ts
• apps/frontend/src/renderer/components/github-prs/GitHubPRs.tsx
• apps/frontend/src/renderer/components/github-prs/components/FindingItem.tsx
• apps/frontend/src/renderer/components/github-prs/components/FindingsSummary.tsx
• apps/frontend/src/renderer/components/github-prs/components/PRDetail.tsx
• apps/frontend/src/renderer/components/github-prs/components/PRList.tsx
• apps/frontend/src/renderer/components/github-prs/components/ReviewFindings.tsx
• apps/frontend/src/renderer/components/github-prs/components/SeverityGroupHeader.tsx
• apps/frontend/src/renderer/components/github-prs/components/index.ts
• apps/frontend/src/renderer/components/github-prs/constants/severity-config.ts
• apps/frontend/src/renderer/components/github-prs/hooks/index.ts
• apps/frontend/src/renderer/components/github-prs/hooks/useFindingSelection.ts
• apps/frontend/src/renderer/components/github-prs/hooks/useGitHubPRs.ts
• apps/frontend/src/renderer/components/github-prs/index.ts
• apps/frontend/src/renderer/components/project-settings/hooks/useProjectSettings.ts
• apps/frontend/src/renderer/components/settings/GeneralSettings.tsx
• apps/frontend/src/renderer/lib/browser-mock.ts
• apps/frontend/src/renderer/stores/github/index.ts
• apps/frontend/src/renderer/stores/github/investigation-store.ts
• apps/frontend/src/renderer/stores/github/issues-store.ts
• apps/frontend/src/renderer/stores/github/pr-review-store.ts
• apps/frontend/src/renderer/stores/github/sync-status-store.ts
• apps/frontend/src/shared/constants/ipc.ts
• apps/frontend/src/shared/constants/models.ts
• apps/frontend/src/shared/types/ipc.ts
• apps/frontend/src/shared/types/settings.ts
• package.json
• tests/QA_REPORT_TEST_REFACTORING.md
• tests/REFACTORING_SUMMARY.md
• tests/REVIEW_TESTS_REFACTORING.md
• tests/test_output_validator.py

🧰 Additional context used

📓 Path-based instructions (2)

apps/backend/prompts/**/*.md

📄 CodeRabbit inference engine (CLAUDE.md)

Agent prompts must be stored in apps/backend/prompts/ directory with descriptive filenames matching their purpose (e.g., planner.md, coder.md, qa_reviewer.md)

Files:

• apps/backend/prompts/github/duplicate_detector.md
• apps/backend/prompts/github/spam_detector.md
• apps/backend/prompts/github/issue_triager.md
• apps/backend/prompts/github/pr_reviewer.md
• apps/backend/prompts/github/pr_fixer.md
• apps/backend/prompts/github/pr_structural.md
• apps/backend/prompts/github/issue_analyzer.md
• apps/backend/prompts/github/pr_ai_triage.md

apps/backend/**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

apps/backend/**/*.py: Install test dependencies before running tests: cd apps/backend && uv pip install -r ../../tests/requirements-test.txt
Python 3.12+ is required for the backend

Files:

• apps/backend/runners/github/providers/__init__.py
• apps/backend/runners/github/services/batch_processor.py
• apps/backend/runners/github/rate_limiter.py
• apps/backend/runners/github/services/autofix_processor.py
• apps/backend/runners/github/sanitize.py
• apps/backend/runners/github/permissions.py
• apps/backend/runners/github/providers/protocol.py
• apps/backend/runners/github/services/pr_review_engine.py
• apps/backend/runners/github/purge_strategy.py
• apps/backend/runners/github/services/__init__.py
• apps/backend/runners/github/confidence.py
• apps/backend/runners/github/learning.py
• apps/backend/runners/github/override.py
• apps/backend/runners/github/runner.py
• apps/backend/runners/github/batch_validator.py
• apps/backend/runners/github/output_validator.py
• apps/backend/runners/github/bot_detection.py
• apps/backend/runners/github/gh_client.py
• apps/backend/runners/github/file_lock.py
• apps/backend/runners/github/cleanup.py
• apps/backend/runners/github/orchestrator.py
• apps/backend/runners/github/batch_issues.py
• apps/backend/runners/github/example_usage.py
• apps/backend/runners/github/onboarding.py
• apps/backend/runners/github/models.py
• apps/backend/runners/github/providers/factory.py
• apps/backend/runners/github/__init__.py
• apps/backend/runners/github/multi_repo.py
• apps/backend/runners/github/context_gatherer.py
• apps/backend/runners/github/audit.py
• apps/backend/runners/github/bot_detection_example.py
• apps/backend/runners/github/services/response_parsers.py
• apps/backend/runners/github/memory_integration.py
• apps/backend/runners/github/providers/github_provider.py
• apps/backend/runners/github/storage_metrics.py
• apps/backend/runners/github/services/triage_engine.py
• apps/backend/runners/github/duplicates.py
• apps/backend/runners/github/errors.py
• apps/backend/runners/github/services/prompt_manager.py
• apps/backend/runners/github/lifecycle.py

---

⚙️ CodeRabbit configuration file

apps/backend/**/*.py: Focus on Python best practices, type hints, and async patterns.
Check for proper error handling and security considerations.
Verify compatibility with Python 3.12+.

Files:

• apps/backend/runners/github/providers/__init__.py
• apps/backend/runners/github/services/batch_processor.py
• apps/backend/runners/github/rate_limiter.py
• apps/backend/runners/github/services/autofix_processor.py
• apps/backend/runners/github/sanitize.py
• apps/backend/runners/github/permissions.py
• apps/backend/runners/github/providers/protocol.py
• apps/backend/runners/github/services/pr_review_engine.py
• apps/backend/runners/github/purge_strategy.py
• apps/backend/runners/github/services/__init__.py
• apps/backend/runners/github/confidence.py
• apps/backend/runners/github/learning.py
• apps/backend/runners/github/override.py
• apps/backend/runners/github/runner.py
• apps/backend/runners/github/batch_validator.py
• apps/backend/runners/github/output_validator.py
• apps/backend/runners/github/bot_detection.py
• apps/backend/runners/github/gh_client.py
• apps/backend/runners/github/file_lock.py
• apps/backend/runners/github/cleanup.py
• apps/backend/runners/github/orchestrator.py
• apps/backend/runners/github/batch_issues.py
• apps/backend/runners/github/example_usage.py
• apps/backend/runners/github/onboarding.py
• apps/backend/runners/github/models.py
• apps/backend/runners/github/providers/factory.py
• apps/backend/runners/github/__init__.py
• apps/backend/runners/github/multi_repo.py
• apps/backend/runners/github/context_gatherer.py
• apps/backend/runners/github/audit.py
• apps/backend/runners/github/bot_detection_example.py
• apps/backend/runners/github/services/response_parsers.py
• apps/backend/runners/github/memory_integration.py
• apps/backend/runners/github/providers/github_provider.py
• apps/backend/runners/github/storage_metrics.py
• apps/backend/runners/github/services/triage_engine.py
• apps/backend/runners/github/duplicates.py
• apps/backend/runners/github/errors.py
• apps/backend/runners/github/services/prompt_manager.py
• apps/backend/runners/github/lifecycle.py

🧠 Learnings (2)

📚 Learning: 2025-12-23T13:28:36.005Z

Learnt from: CR
Repo: AndyMik90/Auto-Claude PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-23T13:28:36.005Z
Learning: Applies to apps/backend/prompts/**/*.md : Agent prompts must be stored in `apps/backend/prompts/` directory with descriptive filenames matching their purpose (e.g., `planner.md`, `coder.md`, `qa_reviewer.md`)

Applied to files:

• apps/backend/prompts/github/spam_detector.md
• apps/backend/prompts/github/issue_triager.md
• apps/backend/prompts/github/pr_reviewer.md
• apps/backend/prompts/github/pr_structural.md
• apps/backend/runners/github/services/prompt_manager.py

📚 Learning: 2025-12-23T13:28:36.005Z

Learnt from: CR
Repo: AndyMik90/Auto-Claude PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-23T13:28:36.005Z
Learning: Spec directories must contain: `spec.md`, `requirements.json`, `context.json`, `implementation_plan.json`, `qa_report.md`, and optional `QA_FIX_REQUEST.md`

Applied to files:

• apps/backend/prompts/github/issue_analyzer.md

🧬 Code graph analysis (16)

apps/backend/runners/github/providers/__init__.py (2)

apps/backend/runners/github/providers/factory.py (2)

• get_provider (41-107)
• register_provider (21-38)

apps/backend/runners/github/providers/github_provider.py (1)

• GitHubProvider (34-531)

apps/backend/runners/github/permissions.py (6)

apps/backend/runners/github/providers/github_provider.py (3)

• gh_client (70-72)
• repo (66-67)
• api_get (406-412)

apps/backend/runners/github/providers/protocol.py (2)

• repo (186-188)
• api_get (459-474)

apps/backend/runners/github/multi_repo.py (1)

• owner (84-86)

apps/backend/runners/github/gh_client.py (1)

• api_get (512-530)

apps/backend/runners/github/testing.py (2)

• api_get (73-77)
• api_get (293-304)

apps/backend/runners/github/lifecycle.py (1)

• get (406-414)

apps/backend/runners/github/providers/protocol.py (2)

apps/backend/runners/github/onboarding.py (1)

• LabelData (48-51)

apps/backend/runners/github/providers/github_provider.py (22)

• provider_type (62-63)
• repo (66-67)
• fetch_pr (78-104)
• fetch_prs (106-153)
• fetch_pr_diff (155-157)
• post_review (159-165)
• merge_pr (167-192)
• close_pr (194-206)
• fetch_issue (212-229)
• fetch_issues (231-276)
• create_issue (278-303)
• close_issue (305-317)
• add_comment (319-327)
• apply_labels (333-339)
• remove_labels (341-347)
• create_label (349-356)
• list_labels (358-377)
• get_repository_info (383-385)
• get_default_branch (387-390)
• check_permissions (392-400)
• api_get (406-412)
• api_post (414-420)

apps/backend/runners/github/services/pr_review_engine.py (4)

apps/backend/runners/github/context_gatherer.py (2)

• PRContext (83-101)
• gather (116-172)

apps/backend/runners/github/models.py (4)

• AICommentTriage (248-277)
• PRReviewFinding (203-244)
• ReviewPass (47-55)
• StructuralIssue (281-313)

apps/backend/runners/github/services/prompt_manager.py (2)

• PromptManager (18-268)
• get_review_pass_prompt (32-189)

apps/backend/runners/github/services/response_parsers.py (5)

• ResponseParser (40-214)
• parse_scan_result (44-64)
• parse_review_findings (67-113)
• parse_structural_issues (116-143)
• parse_ai_comment_triages (146-176)

apps/backend/runners/github/purge_strategy.py (3)

apps/backend/runners/github/providers/github_provider.py (1)

• repo (66-67)

apps/backend/runners/github/providers/protocol.py (1)

• repo (186-188)

apps/backend/runners/github/storage_metrics.py (1)

• _calculate_directory_size (124-146)

apps/backend/runners/github/services/__init__.py (3)

apps/backend/runners/github/services/prompt_manager.py (1)

• PromptManager (18-268)

apps/backend/runners/github/services/response_parsers.py (1)

• ResponseParser (40-214)

apps/backend/runners/github/services/triage_engine.py (1)

• TriageEngine (22-128)

apps/backend/runners/github/confidence.py (1)

apps/backend/runners/github/learning.py (7)

• LearningPattern (229-255)
• LearningTracker (258-642)
• to_dict (128-150)
• to_dict (213-225)
• to_dict (245-255)
• get_accuracy (415-475)
• accuracy (199-204)

apps/backend/runners/github/batch_validator.py (1)

apps/backend/runners/github/batch_issues.py (2)

• to_dict (56-63)
• to_dict (101-118)

apps/backend/runners/github/output_validator.py (1)

apps/backend/runners/github/models.py (2)

• PRReviewFinding (203-244)
• ReviewSeverity (26-32)

apps/backend/runners/github/onboarding.py (2)

apps/backend/runners/github/providers/protocol.py (4)

• LabelData (156-163)
• repo (186-188)
• get_repository_info (425-432)
• create_label (400-410)

apps/backend/runners/github/providers/github_provider.py (3)

• repo (66-67)
• get_repository_info (383-385)
• create_label (349-356)

apps/backend/runners/github/models.py (2)

apps/frontend/src/main/ipc-handlers/github/pr-handlers.ts (2)

• PRReviewFinding (37-48)
• PRReviewResult (53-63)

apps/frontend/src/preload/api/modules/github-api.ts (2)

• PRReviewFinding (276-287)
• PRReviewResult (292-302)

apps/backend/runners/github/context_gatherer.py (2)

apps/backend/runners/github/gh_client.py (2)

• run (100-249)
• pr_diff (335-347)

apps/backend/runners/github/orchestrator.py (1)

• _fetch_pr_diff (209-211)

apps/backend/runners/github/bot_detection_example.py (2)

apps/backend/runners/github/models.py (1)

• GitHubRunnerConfig (668-777)

apps/backend/runners/github/bot_detection.py (4)

• get_stats (379-397)
• should_skip_pr_review (280-328)
• mark_reviewed (330-358)
• clear_pr_state (360-377)

apps/backend/runners/github/services/response_parsers.py (2)

apps/backend/runners/github/models.py (8)

• AICommentTriage (248-277)
• AICommentVerdict (67-74)
• PRReviewFinding (203-244)
• ReviewCategory (35-44)
• ReviewSeverity (26-32)
• StructuralIssue (281-313)
• TriageCategory (77-86)
• TriageResult (468-541)

apps/backend/runners/github/trust.py (1)

• description (47-55)

apps/backend/runners/github/providers/github_provider.py (1)

apps/backend/runners/github/providers/protocol.py (6)

• IssueFilters (126-137)
• LabelData (156-163)
• PRData (33-62)
• PRFilters (141-152)
• ProviderType (17-24)
• ReviewData (111-122)

apps/backend/runners/github/storage_metrics.py (1)

apps/backend/runners/github/purge_strategy.py (1)

• _calculate_directory_size (271-288)

🪛 LanguageTool

apps/backend/prompts/github/issue_triager.md

[uncategorized] ~60-~60: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...own` label ## Priority Assessment ### High Priority - Security vulnerabilities - Data loss ...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

---

[uncategorized] ~67-~67: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...- Regression from previous version ### Medium Priority - Feature requests with clear use case ...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

---

[uncategorized] ~73-~73: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...rformance issues - UX improvements ### Low Priority - Minor enhancements - Edge cases - Cos...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

apps/backend/prompts/github/pr_reviewer.md

[style] ~162-~162: To elevate your writing, try using a synonym here.
Context: ...xity**: Functions with >10 branches are hard to test - Code duplication: Same lo...

(HARD_TO)

apps/backend/prompts/github/pr_ai_triage.md

[style] ~174-~174: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...lly null? Is there validation upstream? Is this in a try/catch? TypeScript non-nul...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

🪛 markdownlint-cli2 (0.18.1)

README.md

7-7: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

21-21: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

apps/backend/prompts/github/spam_detector.md

7-7: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

14-14: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

21-21: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

28-28: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

36-36: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

43-43: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

49-49: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

apps/backend/prompts/github/issue_triager.md

7-7: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

18-18: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

31-31: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

45-45: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

60-60: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

67-67: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

73-73: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

81-81: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

87-87: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

92-92: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

98-98: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

104-104: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

129-129: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

130-130: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

146-146: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

147-147: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

---

167-167: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

168-168: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

apps/backend/prompts/github/pr_reviewer.md

19-19: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

40-40: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

49-49: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

57-57: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

72-72: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

80-80: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

89-89: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

96-96: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

105-105: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

114-114: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

122-122: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

133-133: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

146-146: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

apps/backend/prompts/github/pr_fixer.md

24-24: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

31-31: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

38-38: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

91-91: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

98-98: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

apps/backend/prompts/github/pr_structural.md

85-85: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

90-90: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

95-95: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

100-100: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

apps/backend/prompts/github/issue_analyzer.md

15-15: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

24-24: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

33-33: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

95-95: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

apps/backend/prompts/github/pr_ai_triage.md

22-22: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

31-31: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

40-40: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

49-49: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

58-58: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

72-72: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

77-77: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

82-82: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

87-87: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

169-169: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

173-173: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

177-177: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

181-181: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Cursor Bugbot

🔇 Additional comments (57)

README.md (1)

7-7: Version bump applied consistently across documentation.

The update from 2.7.2 is correctly reflected in both the version badge (Line 7) and all five download links (Lines 20–24), with proper filename conventions maintained for each platform.

Also applies to: 20-24

apps/backend/runners/github/lifecycle.py (5)

1-22: LGTM!

Clean module docstring and imports. Using standard library only is appropriate for this foundational module.

---

24-72: LGTM!

Well-structured enum with clear state groupings and useful class methods for state classification. The str, Enum inheritance ensures JSON-serializable values.

---

74-151: LGTM!

Comprehensive state transition mapping. Good that terminal states explicitly define empty transition sets, and retry/override paths are documented with comments.

---

154-184: LGTM!

Clean conflict type enumeration and result dataclass with proper serialization.

---

187-217: LGTM!

Clean transition record dataclass with proper serialization support.

apps/backend/runners/github/multi_repo.py (2)

1-32: LGTM!

Clear module documentation with usage examples and appropriate imports for the functionality.

---

35-41: LGTM!

The (str, Enum) inheritance pattern enables clean JSON serialization.

apps/backend/prompts/github/spam_detector.md (1)

94-102: LGTM! Well-designed safety guidelines.

The guidelines appropriately prioritize human review ("Never auto-close"), consider edge cases (new users, language barriers), and emphasize that false positives are worse than missed spam. This is a responsible approach for automated moderation. The prompt location and naming follow the coding guidelines for agent prompts.

apps/backend/runners/github/rate_limiter.py (2)

68-98: LGTM! Correct token bucket implementation for async usage.

The token bucket algorithm is correctly implemented using time.monotonic() for elapsed time tracking. The refill logic and token acquisition are sound for single-threaded async contexts.

---

161-172: Verify AI model pricing is current.

The AI_PRICING dictionary contains hardcoded model costs. These prices can change frequently, and the comment "as of 2025" suggests they may need periodic updates.

Consider loading pricing from a configuration file or environment variable for easier updates, or add a TODO to review periodically.

apps/backend/runners/github/confidence.py (3)

31-36: LGTM! Graceful handling of optional dependency.

The try/except pattern for importing LearningTracker allows the module to function without the learning subsystem while enabling enhanced features when available.

---

319-348: LGTM! Defensive pattern access with fallback.

The _score_patterns method handles both object attributes and dictionary access using getattr with dict get fallback. This makes the code resilient to different pattern data structures.

---

360-373: The code is correct. AccuracyStats has an accuracy property that is properly implemented as a @property decorator, which computes correct_predictions / (correct_predictions + incorrect_predictions) with zero-division handling. The access to stats.accuracy at lines 366-367 is valid and requires no changes. The suggested fix is unnecessary.

Likely an incorrect or invalid review comment.

apps/backend/runners/github/duplicates.py (1)

166-201: LGTM! Reasonable entity extraction with sensible limits.

The extraction patterns cover common technical content (error codes, file paths, function names, URLs, versions, stack traces) with appropriate limits to prevent excessive data. The limits (20 functions, 10 URLs, etc.) are sensible for similarity comparison.

apps/backend/runners/github/memory_integration.py (1)

201-213: LGTM! Sensible local storage with size limits.

The local insights storage limits to the last 1000 entries and sanitizes the repo name for the filename. This prevents unbounded growth while maintaining useful history.

apps/backend/runners/github/errors.py (2)

68-148: LGTM! Well-designed structured error model.

The StructuredError dataclass provides comprehensive error information including categorization, retry hints, correlation IDs, and serialization. The design supports both IPC and UI display needs effectively.

---

463-499: LGTM! Clean Result type for operation outcomes.

The Result dataclass with success() and failure() factory methods provides a clean pattern for handling operations that may fail, similar to Rust's Result type.

apps/backend/prompts/github/duplicate_detector.md (1)

1-90: LGTM! Comprehensive duplicate detection prompt.

The prompt is well-structured with clear detection strategies, weighted indicators, comparison process, and confidence thresholds. The guidelines and edge cases sections help prevent false positives. The file is correctly located in apps/backend/prompts/github/ per coding guidelines.

apps/backend/runners/github/providers/__init__.py (1)

1-48: LGTM! Clean package interface with proper exports.

The __init__.py provides a well-organized public API with:

• Protocol types (GitProvider, data classes)
• Concrete implementation (GitHubProvider)
• Factory functions (get_provider, register_provider)

The __all__ list correctly documents the public interface, and the docstring provides clear usage examples.

apps/backend/prompts/github/issue_analyzer.md (1)

1-112: LGTM: Well-structured issue analysis prompt.

The prompt provides a clear workflow for transforming GitHub issues into structured specs, with well-defined JSON output format, complexity levels, and readiness criteria. The separation of issue types (Bug Report, Feature Request, Documentation) with specific extraction guidelines is particularly helpful.

Optional: Fix heading spacing for consistency

Static analysis flagged missing blank lines around some headings (MD022). While not critical, adding blank lines improves readability:

• Line 15: Add blank line before "### Bug Report Analysis"
• Line 24: Add blank line before "### Feature Request Analysis"
• Line 33: Add blank line before "### Documentation Issue Analysis"
• Line 95: Add blank line before "```json"

Based on learnings, this file correctly follows the convention of storing agent prompts in apps/backend/prompts/ with descriptive filenames.

apps/backend/runners/github/services/__init__.py (1)

1-22: LGTM: Clean service layer API surface.

The module provides a well-organized public API for GitHub automation services. The __all__ export list is complete and consistent with the imports, enabling clean external usage patterns like from apps.backend.runners.github.services import PromptManager.

apps/backend/prompts/github/pr_structural.md (1)

1-171: LGTM: Comprehensive structural review guide.

This prompt provides excellent guidance for identifying feature creep, scope issues, architecture violations, and PR structure problems. The severity guidelines (lines 83-103), concrete examples (lines 109-139), and constructive approach are particularly well-designed.

Optional: Fix heading spacing for consistency

Static analysis flagged missing blank lines around severity level headings (MD022):

• Line 85: Add blank line before "### Critical"
• Line 90: Add blank line before "### High"
• Line 95: Add blank line before "### Medium"
• Line 100: Add blank line before "### Low"

Based on learnings, this file correctly follows the convention of storing agent prompts in apps/backend/prompts/ with descriptive filenames.

apps/backend/prompts/github/pr_fixer.md (1)

1-120: LGTM: Well-designed fix generation prompt.

The prompt provides clear guidance for generating precise code fixes, with comprehensive JSON output format including line-level changes, explanations, and test requirements. The Do/Don't guidelines (lines 89-103) effectively prevent over-fixing and scope creep.

Optional: Fix heading spacing for consistency

Static analysis flagged missing blank lines around category headings (MD022):

• Line 24: Add blank line before "### Security Fixes"
• Line 31: Add blank line before "### Quality Fixes"
• Line 38: Add blank line before "### Logic Fixes"
• Line 91: Add blank line before "### Do"
• Line 98: Add blank line before "### Don't"

Based on learnings, this file correctly follows the convention of storing agent prompts in apps/backend/prompts/ with descriptive filenames.

apps/backend/prompts/github/pr_ai_triage.md (1)

1-183: LGTM: Excellent meta-review prompt for AI comment triage.

This prompt addresses a real problem (AI false positives) with a well-structured verdict taxonomy and evaluation framework. The inclusion of response templates (lines 142-150) and practical examples (lines 167-183) makes this immediately actionable.

Optional improvements

1. Minor style improvement at line 174:

LanguageTool flagged three successive sentences starting with "Is". Consider rephrasing for variety:

-**Your analysis**: Is this actually user input or internal data? Is there sanitization elsewhere (middleware, framework)? What's the actual attack vector?
+**Your analysis**: Is this actually user input or internal data? Check for sanitization elsewhere (middleware, framework). What's the actual attack vector?

2. Fix heading spacing for consistency:

Multiple MD022 warnings for missing blank lines around headings (lines 22, 31, 40, 49, 58, 72, 77, 82, 87, 169, 173, 177, 181).

Based on learnings, this file correctly follows the convention of storing agent prompts in apps/backend/prompts/ with descriptive filenames.

apps/backend/runners/github/providers/factory.py (2)

1-152: Well-designed extensible provider factory.

The factory pattern with dynamic registration is clean and extensible. Type hints are comprehensive, error handling is clear, and the API supports both built-in providers (GitHub) and future extensions (registry-based).

Key strengths:

• Clean separation between registry and built-in providers
• Proper enum normalization from strings (lines 65-72)
• Helpful error messages for unimplemented providers
• Python 3.12+ compatible with modern type hints

---

80-80: The parameter name _repo is correct and matches the GitHubProvider dataclass definition.

The GitHubProvider class uses @dataclass with _repo: str as a field (line 46), which automatically generates an __init__ method that accepts _repo as a parameter. Line 80's usage of _repo=repo is correct.

The underscore prefix is intentional—it follows Python convention for internal/private attributes and is used consistently throughout the class. No change needed.

apps/backend/runners/github/__init__.py (1)

1-41: LGTM: Clean public API for GitHub automation runners.

The module provides a well-organized public API with clear separation between orchestrator, models, and enums. The docstring (lines 1-12) helpfully clarifies that this is separate from the main task execution pipeline, which prevents confusion about the architecture.

apps/backend/prompts/github/issue_triager.md (1)

1-199: LGTM: Comprehensive issue triage prompt with clear criteria.

This prompt provides excellent guidance for issue classification with well-defined categories, appropriate confidence thresholds for different detection types (duplicate 80%+, spam 75%+, feature creep 70%+), and a comprehensive label taxonomy. The emphasis on conservative flagging and human-in-the-loop review (lines 184-191) is particularly important.

Key strengths:

• Clear detection criteria with specific confidence thresholds
• Multiple concrete examples showing different scenarios
• Complete JSON schema with all necessary fields
• Conservative approach prevents over-automation

Optional: Fix heading spacing for consistency

Static analysis flagged missing blank lines around numerous headings (MD022). While not critical, adding blank lines improves readability. Main occurrences at lines 7, 18, 31, 45, 60, 67, 73, 81, 87, 92, 98, 104, 129-130, 146-147, 167-168.

Based on learnings, this file correctly follows the convention of storing agent prompts in apps/backend/prompts/ with descriptive filenames.

apps/backend/prompts/github/pr_reviewer.md (1)

1-335: LGTM! Well-structured PR review prompt.

The prompt follows the coding guidelines by being stored in apps/backend/prompts/github/ with a descriptive filename matching its purpose. The multi-phase methodology (OWASP Top 10, language-specific checks, quality, logic, tests, patterns, documentation) is comprehensive, and the JSON output contract is clearly defined with good examples.

The markdownlint warnings about missing blank lines around headings (lines 40, 49, 57, etc.) are minor formatting issues that don't affect functionality.

apps/backend/runners/github/bot_detection_example.py (1)

14-65: LGTM - Clear demonstration of bot detection integration.

The example effectively illustrates the three key scenarios (human PR, cooling-off period, bot-authored PR) and shows how to access statistics. The placeholder tokens and paths are appropriate for example code.

apps/backend/runners/github/services/prompt_manager.py (1)

191-267: LGTM - Good prompt loading pattern with fallbacks.

The file-based prompt loading with embedded fallbacks provides flexibility for customization while ensuring the system works out-of-the-box. The prompt content aligns with the coding guidelines requiring prompts in apps/backend/prompts/.

apps/backend/runners/github/storage_metrics.py (1)

26-62: LGTM - Clean dataclass design.

The StorageMetrics dataclass is well-structured with sensible defaults, a convenient total_mb property, and a to_dict method for serialization. The breakdown structure in to_dict provides good organization for API responses.

apps/backend/runners/github/services/batch_processor.py (1)

118-119: Division by zero risk when batches is empty.

If batches is an empty list, this loop body will never execute, but the progress calculation 40 * (i / len(batches)) would cause a ZeroDivisionError if the loop did run with an empty list. While the current for loop naturally handles this, consider adding an explicit guard for clarity and future-proofing.

The current code is safe because the loop won't execute if batches is empty, but verify this assumption holds if the code is refactored.

apps/backend/runners/github/output_validator.py (1)

70-89: LGTM on the validation pipeline structure.

The validate_findings method has a clean design: filter invalid findings and enhance valid ones. The separation of concerns between _is_valid and _enhance is appropriate.

apps/backend/runners/github/runner.py (2)

68-76: Well-structured progress callback with context.

The print_progress function cleanly formats progress with optional PR/issue context prefixes. Good UX for CLI output.

---

326-331: The review comment is incorrect. The IssueBatch class in apps/backend/runners/github/batch_issues.py (line 83) is defined with an issues attribute (issues: list[IssueBatchItem]), not items. The code correctly accesses batch.issues at lines 327 and 464 in runner.py, and no AttributeError would be raised.

Likely an incorrect or invalid review comment.

apps/backend/runners/github/purge_strategy.py (1)

32-58: Clean dataclass design for PurgeResult.

The PurgeResult dataclass with computed freed_mb property and to_dict() serialization is well-designed for tracking purge operations.

apps/backend/runners/github/sanitize.py (2)

75-96: Excellent prompt injection detection patterns.

The INJECTION_PATTERNS list covers key attack vectors including instruction override attempts, system prompt injections, and role manipulation. The detection-only approach (warn, don't remove) is appropriate for logging suspicious content while avoiding false positive content modification.

---

201-207: Good defense against delimiter injection.

Escaping the <user_content> delimiters when they appear in user input prevents attackers from prematurely closing the content wrapper and injecting instructions.

apps/backend/runners/github/providers/protocol.py (1)

170-178: Well-designed provider protocol with comprehensive coverage.

The GitProvider protocol provides a clean abstraction with:

• PR operations (fetch, review, merge, close)
• Issue operations (fetch, create, close, comment)
• Label operations (apply, remove, create, list)
• Repository operations (info, permissions)
• Low-level API access

This enables clean multi-provider support.

apps/backend/runners/github/gh_client.py (2)

100-231: Robust retry and timeout handling.

The run method has well-implemented:

• Per-attempt timeouts with proper process cleanup on timeout
• Exponential backoff (1s, 2s, 4s)
• Rate limit detection from stderr patterns
• Structured logging throughout
• Proper exception hierarchy (GHTimeoutError, GHCommandError, RateLimitExceeded)

---

157-162: Process cleanup logs warning but doesn't re-raise on kill failure.

If proc.kill() fails (line 159), the warning is logged but the code continues to the retry logic. This is acceptable, but consider that a zombie process might accumulate resources.

Verify that repeated kill failures don't lead to resource exhaustion in long-running automation scenarios.

apps/backend/runners/github/models.py (1)

202-229: Transformation layer already exists between backend and frontend.

The backend correctly returns suggested_fix in snake_case from to_dict(), and the frontend IPC handler (apps/frontend/src/main/ipc-handlers/github/pr-handlers.ts, lines 127-130) explicitly converts it to camelCase suggestedFix when building the response. Each layer appropriately uses its own naming convention.

Likely an incorrect or invalid review comment.

apps/backend/runners/github/cleanup.py (1)

368-372: Dead code in _prune_indexes: the method targets a non-existent data structure.

The _prune_indexes method expects index files with an "items" key containing entries with "file_path" or "path" fields. However, the actual index structures created by PRReviewResult._update_index() and AutoFixState._update_index() use different keys:

• PR index: {"reviews": [...]}
• Issues index: {"triaged": [], "auto_fix_queue": [...]}

Neither contains an "items" key or entries with file path fields. The items = index_data.get("items", {}) call will always return an empty dictionary, making the pruning loop never execute.

Likely an incorrect or invalid review comment.

apps/backend/runners/github/providers/github_provider.py (2)

69-72: Property may return None despite return type annotation.

The gh_client property is typed to return GHClient, but _gh_client can be None if __post_init__ logic fails. While __post_init__ initializes it when None, if an exception occurs during GHClient construction, subsequent access would fail.

Consider adding a runtime check:

🔎 Proposed fix

     @property
     def gh_client(self) -> GHClient:
         """Get the underlying GHClient."""
+        if self._gh_client is None:
+            raise RuntimeError("GHClient not initialized")
         return self._gh_client

---

426-467: LGTM!

The _parse_pr_data helper handles various edge cases well - checking for dict vs string author, iterating labels safely, handling None files, and providing sensible defaults.

apps/backend/runners/github/batch_issues.py (2)

721-735: remove_batch doesn't handle concurrent access.

If another process is reading/writing the batch file simultaneously, this could lead to race conditions or partial reads.

For a single-user CLI tool this may be acceptable, but verify if this will be used in a multi-process environment.

---

559-564: This concern is incorrect. The initialization of self.validator at line 225 does not have exception handling that could silently fail, and BatchValidator.__init__ does not raise exceptions—it only logs warnings if the Claude SDK is unavailable. The defensive check at line 496 (if self.validate_batches_enabled and self.validator:) correctly ensures that _validate_and_split_batches() is only called when self.validator is not None, making the code at line 559 safe. There is no scenario where a silent initialization failure could occur and then line 559 would be reached.

apps/backend/runners/github/onboarding.py (1)

256-271: LGTM!

The progressive enablement thresholds and minimum action requirements are well-documented and reasonable for a graduated rollout approach.

apps/backend/runners/github/learning.py (2)

624-642: check_pr_status is a stub that returns 0.

This method is documented as checking pending outcomes but does nothing. If callers rely on it, they'll get incorrect behavior.

Either implement the method or mark it clearly as not implemented:

     def check_pr_status(
         self,
         repo: str,
         gh_provider,
     ) -> int:
-        # This would be called periodically to update pending outcomes
-        # Implementation depends on gh_provider being async
-        # Leaving as stub for now
-        return 0
+        raise NotImplementedError(
+            "check_pr_status requires async implementation - use check_pr_status_async instead"
+        )

---

491-599: LGTM!

The detect_patterns method is well-structured with clear pattern detection logic for file types, categories, and change sizes. The confidence calculation based on sample size is a reasonable heuristic.

apps/backend/runners/github/audit.py (1)

377-439: LGTM!

The operation context manager is well-designed - it properly logs start/completion/failure with timing, and uses time.monotonic() for accurate duration measurement regardless of system clock changes.

apps/backend/runners/github/context_gatherer.py (4)

590-636: _resolve_import_path resolves against filesystem but checks existence using project_dir.

The resolution uses (base_dir / import_path).resolve() which gives an absolute path, but then checks resolved.exists(). If base_dir doesn't contain project_dir as a prefix (e.g., symlinks), the relative_to call will raise ValueError.

The code handles ValueError but the logic flow is complex. Verify this works correctly with symlinked directories.

---

57-79: LGTM!

The AI_BOT_PATTERNS dictionary provides good coverage of known AI code review tools with consistent naming. This is a reasonable approach for bot detection.

---

424-503: LGTM!

The _detect_repo_structure method thoroughly checks for common monorepo patterns, workspaces, and framework indicators. The markdown formatting will produce clear context for AI consumption.

---

386-403: The endpoint syntax is correct — no changes needed.

The gh api command correctly uses {owner} and {repo} placeholders. These are auto-expanded by gh CLI from the repository context. The f-string with escaped braces ({{owner}} → {owner}) produces the correct endpoint format that gh api expects. The suggested :owner/:repo syntax is not valid for gh api.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Minor Markdown formatting: add blank lines around headings.

The static analysis tool flagged missing blank lines below headings at lines 7, 14, 21, 28, 36, 43, and 49. While this doesn't affect functionality, adding blank lines improves readability and adheres to Markdown best practices.

🔎 Example fix for one section

 ### Promotional Spam
+
 - Product advertisements
 - Service promotions

Apply similar changes to the other flagged headings.

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

7-7: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

14-14: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

21-21: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

28-28: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

36-36: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

43-43: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

---

49-49: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

🤖 Prompt for AI Agents

In apps/backend/prompts/github/spam_detector.md around lines 7 to 52, several
Markdown headings (lines 7, 14, 21, 28, 36, 43, 49) lack blank lines before
and/or after them; add a single blank line above and below each of these heading
lines so each heading is separated from surrounding content (improves
readability and satisfies the linter), and verify the rest of the file follows
the same spacing convention.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Main block doesn't execute async examples.

The __main__ block only runs the synchronous example_configuration_options() and prints instructions to manually run the async examples. Consider using asyncio.run() for a complete demo:

🔎 Proposed fix

 if __name__ == "__main__":
+    import asyncio
+    
     print("Bot Detection Integration Examples\n")

     print("\n1. Configuration Options")
     print("=" * 50)
     example_configuration_options()

     print("\n2. With Bot Detection (requires GitHub setup)")
     print("=" * 50)
-    print("Run: asyncio.run(example_with_bot_detection())")
+    # Uncomment to run with valid GitHub credentials:
+    # asyncio.run(example_with_bot_detection())
+    print("Skipped: requires valid GitHub setup")

     print("\n3. Manual State Management")
     print("=" * 50)
-    print("Run: asyncio.run(example_manual_state_management())")
+    # Uncomment to run with valid GitHub credentials:
+    # asyncio.run(example_manual_state_management())
+    print("Skipped: requires valid GitHub setup")

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if __name__ == "__main__":
	print("Bot Detection Integration Examples\n")
	print("\n1. Configuration Options")
	print("=" * 50)
	example_configuration_options()
	print("\n2. With Bot Detection (requires GitHub setup)")
	print("=" * 50)
	print("Run: asyncio.run(example_with_bot_detection())")
	print("\n3. Manual State Management")
	print("=" * 50)
	print("Run: asyncio.run(example_manual_state_management())")
	if __name__ == "__main__":
	import asyncio
	print("Bot Detection Integration Examples\n")
	print("\n1. Configuration Options")
	print("=" * 50)
	example_configuration_options()
	print("\n2. With Bot Detection (requires GitHub setup)")
	print("=" * 50)
	# Uncomment to run with valid GitHub credentials:
	# asyncio.run(example_with_bot_detection())
	print("Skipped: requires valid GitHub setup")
	print("\n3. Manual State Management")
	print("=" * 50)
	# Uncomment to run with valid GitHub credentials:
	# asyncio.run(example_manual_state_management())
	print("Skipped: requires valid GitHub setup")

🤖 Prompt for AI Agents

In apps/backend/runners/github/bot_detection_example.py around lines 141 to 154,
the __main__ block only calls the synchronous example_configuration_options()
and prints instructions for async examples; change it to actually execute the
async demos by calling asyncio.run(example_with_bot_detection()) and
asyncio.run(example_manual_state_management()) (add an import asyncio at the top
if not present) so the script runs the full demonstration automatically when
executed; keep the printed headers but replace the plain run instructions with
real asyncio.run calls and handle/propagate any exceptions as currently done by
the module.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Performance issue: embedding clients and models are created on every call.

Each embedding request creates a new client (OpenAI, httpx) or loads a new model (SentenceTransformer). This is inefficient and slow, especially for _local_embedding which loads a model from disk/downloads it each time.

🔎 Recommended fix: cache clients/models

 class EmbeddingProvider:
     def __init__(
         self,
         provider: str = "openai",
         api_key: str | None = None,
         model: str | None = None,
     ):
         self.provider = provider
         self.api_key = api_key
         self.model = model or self._default_model()
+        self._openai_client: Any = None
+        self._local_model: Any = None

     async def _openai_embedding(self, text: str) -> list[float]:
         try:
             import openai
-            client = openai.AsyncOpenAI(api_key=self.api_key)
+            if self._openai_client is None:
+                self._openai_client = openai.AsyncOpenAI(api_key=self.api_key)
+            client = self._openai_client
             # ...

     async def _local_embedding(self, text: str) -> list[float]:
         try:
             from sentence_transformers import SentenceTransformer
-            model = SentenceTransformer(self.model)
+            if self._local_model is None:
+                self._local_model = SentenceTransformer(self.model)
+            model = self._local_model
             # ...

Committable suggestion skipped: line range outside the PR's diff.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Missing response status validation for Voyage API call.

The response status code is not checked before parsing JSON. If the API returns an error (4xx/5xx), response.json() may fail or return an error structure, and accessing data["data"][0]["embedding"] will raise a KeyError.

🔎 Recommended fix

             async with httpx.AsyncClient() as client:
                 response = await client.post(
                     "https://api.voyageai.com/v1/embeddings",
                     headers={"Authorization": f"Bearer {self.api_key}"},
                     json={
                         "model": self.model,
                         "input": text[:8000],
                     },
+                    timeout=30.0,
                 )
+                response.raise_for_status()
                 data = response.json()
                 return data["data"][0]["embedding"]

🤖 Prompt for AI Agents

In apps/backend/runners/github/duplicates.py around lines 256 to 274, the Voyage
API response is used without validating the HTTP status or JSON structure;
update the code to check response.status_code (or response.is_success) and if
it's not a 2xx, log the status code and response.text/body and return
self._fallback_embedding(text); if it is successful, parse the JSON safely
(catch JSON decode errors), validate that "data" and the first element and
"embedding" exist (or use dict.get checks) before returning the embedding, and
on any parsing/key error fall back to logging the detailed error and returning
self._fallback_embedding(text).

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider async file I/O for cache operations.

The cache loading and saving use synchronous file operations (open(), json.load(), json.dump()), which block the event loop. For large caches or slow storage, this could impact performance.

For high-throughput scenarios, consider using aiofiles for async file operations or running file I/O in an executor.

🤖 Prompt for AI Agents

In apps/backend/runners/github/duplicates.py around lines 357 to 383, the cache
load/save use blocking open()/json.load()/json.dump() which can block the event
loop; make these non-blocking by converting the methods to async and using async
file I/O or executors. Change _load_cache/_save_cache to async, use
aiofiles.open to read/write the file (await f.read()/f.write()) and
parse/serialize JSON with json.loads/json.dumps inside asyncio.to_thread if
parsing large data, or call json.loads/dumps on the small string directly;
ensure all callers await the new async methods and add error handling for
I/O/JSON errors.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

LGTM - good use of asyncio.gather with fault tolerance.

The use of return_exceptions=True and individual result checking provides graceful degradation when passes fail. Consider adding traceback logging for easier debugging of failures:

if isinstance(result, Exception):
    import traceback
    print(f"[AI] Pass '{task_names[i]}' failed: {result}\n{traceback.format_exception(type(result), result, result.__traceback__)}", flush=True)

🤖 Prompt for AI Agents

In apps/backend/runners/github/services/pr_review_engine.py around lines 312 to
326, the exception branch only prints the exception message which loses the
stack trace; capture and include the full traceback for easier debugging by
importing the traceback module (either at top or locally) and replacing the
current print with one that appends traceback.format_exception(type(result),
result, result.__traceback__) (joined or formatted) so the log shows the
exception message plus the full stack trace and flushes output.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Default triage result on error may mask real issues.

When an error occurs, the method returns a TriageResult with category=TriageCategory.FEATURE and confidence=0.0. This silent fallback could cause issues to be incorrectly categorized. Consider re-raising or returning a distinct error state.

🔎 Proposed fix: Add error indicator

         except Exception as e:
-            print(f"Triage error for #{issue['number']}: {e}")
+            print(f"Triage error for #{issue['number']}: {e}", flush=True)
             return TriageResult(
                 issue_number=issue["number"],
                 repo=self.config.repo,
-                category=TriageCategory.FEATURE,
+                category=TriageCategory.UNKNOWN,  # Add UNKNOWN to TriageCategory enum
                 confidence=0.0,
+                error=str(e),  # If TriageResult supports an error field
             )

Alternatively, consider re-raising the exception to let callers handle it:

except Exception as e:
    print(f"Triage error for #{issue['number']}: {e}", flush=True)
    raise  # Let caller decide how to handle

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In apps/backend/runners/github/services/triage_engine.py around lines 87 to 94,
the except block currently swallows exceptions and returns a default
TriageResult (FEATURE, confidence=0.0), which can mask real errors; change the
handler to either re-raise the caught exception after logging (e.g., print(...,
flush=True); raise) so callers can handle failures, or return an explicit
error-state TriageResult (use a distinct category such as TriageCategory.UNKNOWN
or add an error flag/message on the result) so consumers can detect and treat
triage failures differently.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Potential KeyError or TypeError on author access.

Line 113 accesses issue['author']['login'] directly. GitHub can return null for the author field (e.g., for deleted users), which would cause a TypeError.

🔎 Proposed fix: Safe access

         lines = [
             f"## Issue #{issue['number']}",
             f"**Title:** {issue['title']}",
-            f"**Author:** {issue['author']['login']}",
+            f"**Author:** {issue.get('author', {}).get('login', 'unknown')}",
             f"**Created:** {issue['createdAt']}",
             f"**Labels:** {', '.join(label['name'] for label in issue.get('labels', []))}",

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	lines = [
	f"## Issue #{issue['number']}",
	f"**Title:** {issue['title']}",
	f"**Author:** {issue['author']['login']}",
	f"**Created:** {issue['createdAt']}",
	f"**Labels:** {', '.join(label['name'] for label in issue.get('labels', []))}",
	"",
	"### Body",
	issue.get("body", "No description"),
	"",
	]
	lines = [
	f"## Issue #{issue['number']}",
	f"**Title:** {issue['title']}",
	f"**Author:** {issue.get('author', {}).get('login', 'unknown')}",
	f"**Created:** {issue['createdAt']}",
	f"**Labels:** {', '.join(label['name'] for label in issue.get('labels', []))}",
	"",
	"### Body",
	issue.get("body", "No description"),
	"",
	]

🤖 Prompt for AI Agents

In apps/backend/runners/github/services/triage_engine.py around lines 110 to
120, the code directly indexes issue['author']['login'] which can raise a
TypeError/KeyError when author is None or missing; change to safely retrieve the
login (e.g., author = issue.get('author') and login = (author.get('login') if
author else "unknown" or "deleted user")) and use that fallback string in the
formatted lines so missing or null authors do not crash the formatter.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Code duplication with purge_strategy.py.

The _calculate_directory_size method is nearly identical to the one in apps/backend/runners/github/purge_strategy.py (lines 270-287 per relevant code snippets). Consider extracting to a shared utility module.

🔎 Proposed fix: Extract to shared utility

Create a shared utility (e.g., apps/backend/runners/github/utils/filesystem.py):

from pathlib import Path

def calculate_directory_size(path: Path) -> int:
    """Calculate total size of all files in a directory recursively."""
    if not path.exists():
        return 0
    
    total = 0
    for file_path in path.rglob("*"):
        if file_path.is_file():
            try:
                total += file_path.stat().st_size
            except OSError:
                continue
    return total

Then import and use in both storage_metrics.py and purge_strategy.py.

🤖 Prompt for AI Agents

In apps/backend/runners/github/storage_metrics.py around lines 124-146 there is
a _calculate_directory_size implementation duplicated in
apps/backend/runners/github/purge_strategy.py (around lines 270-287); extract
this logic into a shared utility function (e.g.,
apps/backend/runners/github/utils/filesystem.py) named
calculate_directory_size(path: Path) that implements the same behavior (return 0
if not exists, iterate rglob, sum st_size, skip OSError), replace the local
methods in both storage_metrics.py and purge_strategy.py with imports from the
new utility, update references to call calculate_directory_size, and run
tests/linters to ensure imports and paths are correct.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Minor: Consider using sum() for counting.

The loop-based counting works correctly. A slightly more Pythonic alternative:

return sum(1 for _ in path.rglob("*.json"))

This is a minor style preference and the current implementation is perfectly fine.

🤖 Prompt for AI Agents

In apps/backend/runners/github/storage_metrics.py around lines 148 to 165, the
current loop-based JSON file counter can be simplified: replace the manual loop
that increments `count` over `path.rglob("*.json")` with a single expression
that returns `sum(1 for _ in path.rglob("*.json"))`, preserving the existing `if
not path.exists(): return 0` guard.

[coderabbitai]

Review continued from previous batch...

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Inconsistent datetime format - should use timezone-aware timestamp.

datetime.now().isoformat() produces a naive datetime string. For consistency and to avoid the comparison issues mentioned above, use datetime.now(timezone.utc).isoformat().

🤖 Prompt for AI Agents

In apps/backend/runners/github/bot_detection.py around line 350, the code sets a
naive timestamp with datetime.now().isoformat(); replace this with a
timezone-aware timestamp by calling datetime.now(timezone.utc).isoformat() and
ensure timezone is imported from datetime (add "from datetime import timezone"
or update existing import). This will produce a UTC-aware ISO timestamp for
consistent comparisons.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Remove unnecessary pass statements after docstrings.

The pass statements are redundant when the exception class body only contains a docstring.

🔎 Proposed fix

 class FileLockError(Exception):
     """Raised when file locking operations fail."""
-
-    pass


 class FileLockTimeout(FileLockError):
     """Raised when lock acquisition times out."""
-
-    pass

Also applies to: 41-41

🤖 Prompt for AI Agents

In apps/backend/runners/github/file_lock.py around lines 35 and 41, the
exception class bodies contain only a docstring followed by a redundant pass;
remove the unnecessary pass statements so the classes consist solely of their
docstrings (keep the docstrings intact and ensure proper indentation).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

asyncio.get_event_loop() is deprecated in Python 3.12+.

Per coding guidelines, Python 3.12+ is required. Using asyncio.get_event_loop().time() is deprecated and may raise DeprecationWarning. Use asyncio.get_running_loop() instead.

🔎 Proposed fix

-        start_time = asyncio.get_event_loop().time()
+        start_time = asyncio.get_running_loop().time()

Apply to lines 123, 179, and 190. Alternatively, use time.monotonic() which doesn't require an event loop:

import time
start_time = time.monotonic()

Also applies to: 179-179, 190-190

🤖 Prompt for AI Agents

In apps/backend/runners/github/gh_client.py around lines 123, 179 and 190,
replace uses of asyncio.get_event_loop().time() (deprecated in Python 3.12+)
with a non-deprecated alternative: either call asyncio.get_running_loop().time()
when running inside an active event loop, or switch to time.monotonic() by
importing time at the top of the module; update the three sites accordingly to
avoid DeprecationWarning and ensure consistent timing behavior.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Rate limit pre-check acquires token even when available.

When available is True (line 127), the code still calls acquire_github (line 135). This is correct for consuming a token, but the 1.0 second timeout is inconsistent with the 30.0 second wait when rate-limited.

Consider using a non-blocking acquire when tokens are known to be available:

             else:
                 # Consume a token for this request
-                await self._rate_limiter.acquire_github(timeout=1.0)
+                await self._rate_limiter.acquire_github(timeout=0.1)  # Should be instant

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Pre-flight rate limit check
	if self.enable_rate_limiting:
	available, msg = self._rate_limiter.check_github_available()
	if not available:
	# Try to acquire (will wait if needed)
	logger.info(f"Rate limited, waiting for token: {msg}")
	if not await self._rate_limiter.acquire_github(timeout=30.0):
	raise RateLimitExceeded(f"GitHub API rate limit exceeded: {msg}")
	else:
	# Consume a token for this request
	await self._rate_limiter.acquire_github(timeout=1.0)
	# Pre-flight rate limit check
	if self.enable_rate_limiting:
	available, msg = self._rate_limiter.check_github_available()
	if not available:
	# Try to acquire (will wait if needed)
	logger.info(f"Rate limited, waiting for token: {msg}")
	if not await self._rate_limiter.acquire_github(timeout=30.0):
	raise RateLimitExceeded(f"GitHub API rate limit exceeded: {msg}")
	else:
	# Consume a token for this request
	await self._rate_limiter.acquire_github(timeout=0.1) # Should be instant

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Missing api_post method required by GitProvider protocol.

The GitProvider protocol (protocol.py lines 476-491) requires an api_post method, but GHClient only implements api_get. The GitHub provider (github_provider.py lines 413-419) delegates to this method.

🔎 Suggested implementation

async def api_post(
    self, endpoint: str, data: dict[str, Any] | None = None
) -> Any:
    """
    Make a POST request to GitHub API.

    Args:
        endpoint: API endpoint
        data: JSON body data

    Returns:
        JSON response
    """
    args = ["api", endpoint, "--method", "POST"]
    
    if data:
        import json as json_module
        args.extend(["--input", "-"])
        # Note: gh api accepts JSON via stdin with --input -
        # This requires a different approach using stdin
        
    result = await self.run(args)
    return json.loads(result.stdout) if result.stdout else {}

Note: Implementing POST with body via gh api requires passing JSON via stdin, which needs additional subprocess handling.

🤖 Prompt for AI Agents

In apps/backend/runners/github/gh_client.py around lines 512 to 529, GHClient is
missing the api_post method required by the GitProvider protocol; implement an
async api_post(self, endpoint: str, data: dict[str, Any] | None = None) -> Any
that builds args = ["api", endpoint, "--method", "POST"], and when data is
provided serialize it to JSON and pass it to the gh subprocess via stdin (use
--input -), call await self.run with the prepared args and input bytes, parse
result.stdout with json.loads if present, return an empty dict when no stdout,
and raise or propagate errors consistently with api_get behavior; ensure the
signature and return type match the protocol and import json as needed.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider adding module-level logger.

The module uses bare print() statements but other files in this PR use logging. Adding a logger would enable consistent log management.

import logging
logger = logging.getLogger(__name__)

🤖 Prompt for AI Agents

In apps/backend/runners/github/services/response_parsers.py around lines 40 to
41, the module uses bare print() calls instead of a module-level logger; add a
logger at module scope (import logging and create logger =
logging.getLogger(__name__)) and replace print() usages with logger methods
(e.g., logger.debug/info/warning/error as appropriate) so the module aligns with
the project's logging practice and consistent log handling.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Non-greedy regex may fail on nested JSON structures.

The pattern r"```json\s*(\{.*?\})\s*```" with re.DOTALL uses a non-greedy match (.*?) which will stop at the first closing brace }. For nested JSON objects, this will truncate the content. Consider using a more robust JSON extraction approach.

🔎 Suggested fix using balanced matching or alternative approach

@staticmethod
def _extract_json_block(response_text: str, expect_array: bool = False) -> str | None:
    """Extract JSON from code block, handling nested structures."""
    pattern = r"```json\s*([\s\S]*?)\s*```"
    match = re.search(pattern, response_text)
    if match:
        content = match.group(1).strip()
        # Validate it's parseable before returning
        try:
            json.loads(content)
            return content
        except json.JSONDecodeError:
            pass
    return None

The key issue is \{.*?\} should be [\s\S]*? to capture the full block content between the fences, then validate with json.loads.

Also applies to: 74-76, 121-123, 151-153, 190-192

🤖 Prompt for AI Agents

In apps/backend/runners/github/services/response_parsers.py around lines 54-56
(and similarly at 74-76, 121-123, 151-153, 190-192), the regex
r"```json\s*(\{.*?\})\s*```" uses a non-greedy brace-limited capture which will
truncate nested JSON; replace these matches with a robust extractor that
captures the full fenced block (e.g. use pattern "```json\s*([\s\S]*?)\s*```")
and then validate/parse the captured content with json.loads (and handle
expect_array by validating against list if needed) so only valid JSON is
returned and nested structures are preserved.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

PRReviewFinding construction may raise ValueError on invalid enum values.

If the AI returns an unexpected severity or category value (e.g., "info" or "other"), ReviewSeverity(...) or ReviewCategory(...) will raise ValueError, which is caught by the outer exception handler but results in losing all subsequent findings.

🔎 Suggested defensive handling

                     try:
+                        severity = ReviewSeverity(f.get("severity", "medium").lower())
+                    except ValueError:
+                        severity = ReviewSeverity.MEDIUM
+                    try:
+                        category = ReviewCategory(f.get("category", "quality").lower())
+                    except ValueError:
+                        category = ReviewCategory.QUALITY
+
                     findings.append(
                         PRReviewFinding(
                             id=f.get("id", f"finding-{i + 1}"),
-                            severity=ReviewSeverity(
-                                f.get("severity", "medium").lower()
-                            ),
-                            category=ReviewCategory(
-                                f.get("category", "quality").lower()
-                            ),
+                            severity=severity,
+                            category=category,

🤖 Prompt for AI Agents

In apps/backend/runners/github/services/response_parsers.py around lines 92 to
109, constructing ReviewSeverity(...) and ReviewCategory(...) from untrusted AI
strings can raise ValueError and abort processing of the entire list; instead,
defensively map or validate those fields per-finding and fall back to safe
defaults (e.g., medium/quality) on invalid values: use a small helper or mapping
to convert the incoming string to the enum with a try/except or lookup.get(...,
DEFAULT) for severity and category, wrap the PRReviewFinding creation for each
finding in its own try/except to log the bad value and continue, and ensure
invalid/missing fields are replaced with the chosen defaults so one malformed
finding doesn’t stop all subsequent findings.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Use logging instead of bare print statements for consistency.

Error messages use print() without flush=True (inconsistent with other files) and without log levels. Consider using logging.warning() or logging.error() for proper observability.

As per coding guidelines, focus on Python best practices for error handling.

Also applies to: 140-141, 173-174, 211-212

🤖 Prompt for AI Agents

In apps/backend/runners/github/services/response_parsers.py around lines
110-111, 140-141, 173-174, and 211-212, replace bare print() error messages with
the logging module at an appropriate level (e.g., logging.warning or
logging.error). Import logging at the top if not present, and change each
print(f"Failed to parse findings: {e}") (and similar prints) to
logging.error(...) or logging.warning(...) including the exception message and
any contextual info; avoid flush=True and ensure messages are clear and
consistent with existing logger usage in the project.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Field name mismatch: original_summary vs original_comment.

Line 167 reads triage.get("original_summary", "") but the AICommentTriage dataclass (per the relevant snippet at models.py lines 247-276) expects original_comment. This will silently result in empty strings for that field.

🔎 Proposed fix

                     triages.append(
                         AICommentTriage(
                             comment_id=triage.get("comment_id", 0),
                             tool_name=triage.get("tool_name", "Unknown"),
-                            original_comment=triage.get("original_summary", ""),
+                            original_comment=triage.get("original_comment", triage.get("original_summary", "")),
                             verdict=verdict,
                             reasoning=triage.get("reasoning", ""),
                             response_comment=triage.get("response_comment"),
                         )
                     )

🤖 Prompt for AI Agents

In apps/backend/runners/github/services/response_parsers.py around lines 163 to
171, the code uses triage.get("original_summary", "") to populate
AICommentTriage.original_comment, causing the field to be empty; change the key
to triage.get("original_comment", "") so the dataclass receives the correct
value (keep the same default ""), and run tests to ensure no other places rely
on "original_summary".

[coderabbitai]

Review continued from previous batch...

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Log rotation renames file without locking.

If multiple processes are writing to the same log file, the rename operation could interfere with concurrent writes.

Consider using a file lock during rotation or atomic file operations. For a single-process tool this may be acceptable.

🤖 Prompt for AI Agents

In apps/backend/runners/github/audit.py around lines 250 to 259, the log
rotation renames the file without any inter-process locking which can clash with
concurrent writers; acquire an exclusive file lock on the log file (e.g. via
fcntl.lockf on Unix or a cross-platform locker like portalocker) before checking
size and performing the rename, perform the size-check and rename while holding
the lock, reopen or recreate the target log file after the atomic rename and
update self._current_log_file, and handle lock acquisition failures with a short
retry/backoff and a safe fallback to skip rotation if lock cannot be obtained.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

asyncio import inside function body.

Moving the import to the top of the file would be cleaner and avoid repeated import overhead if the decorator is applied multiple times.

🤖 Prompt for AI Agents

In apps/backend/runners/github/audit.py around lines 732 to 736, the asyncio
import is performed inside the function body; move "import asyncio" to the
top-level imports of the file, remove the in-function import, and update any
references to asyncio accordingly so the decorator uses the module imported once
(ensure no naming conflicts with existing imports).

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Broad exception handler logs but continues, potentially returning partial/corrupt data.

If a batch file is malformed, it's skipped with a log message, but callers have no indication that the result is incomplete.

Consider returning a tuple (batches, errors) or raising after logging to make partial failures visible.

🤖 Prompt for AI Agents

In apps/backend/runners/github/batch_issues.py around lines 686 to 693, the
current loop swallows all exceptions when loading batch files and simply logs
them, which can produce silently incomplete results; change the implementation
to either (A) collect load errors and return them with the batches as a tuple
(batches, errors) by adding an errors list, appending error info (file path and
exception) on failure, and updating the function signature and all callers to
handle the tuple, or (B) re-raise after logging by storing a flag or the first
exception during iteration and, after the loop, raise a new exception (or the
stored one) to make partial failures visible; ensure the chosen approach is
applied consistently and update the docs/tests/call sites accordingly.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Settings file write is not atomic and lacks error handling.

Writing the settings file uses synchronous I/O without atomicity guarantees or proper error handling. If the write fails partially, it could leave a corrupted file.

🔎 Proposed fix

-            settings_file = self.project_dir / ".batch_validator_settings.json"
-            with open(settings_file, "w") as f:
-                json.dump(settings, f)
+            settings_file = self.project_dir / ".batch_validator_settings.json"
+            # Write atomically using temp file
+            import tempfile
+            fd, tmp_path = tempfile.mkstemp(
+                dir=self.project_dir, prefix=".batch_validator_settings.", suffix=".tmp"
+            )
+            try:
+                with os.fdopen(fd, "w") as f:
+                    json.dump(settings, f)
+                os.replace(tmp_path, settings_file)
+            except Exception:
+                try:
+                    os.unlink(tmp_path)
+                except OSError:
+                    pass
+                raise

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	settings_file = self.project_dir / ".batch_validator_settings.json"
	with open(settings_file, "w") as f:
	json.dump(settings, f)
	settings_file = self.project_dir / ".batch_validator_settings.json"
	# Write atomically using temp file
	import tempfile
	fd, tmp_path = tempfile.mkstemp(
	dir=self.project_dir, prefix=".batch_validator_settings.", suffix=".tmp"
	)
	try:
	with os.fdopen(fd, "w") as f:
	json.dump(settings, f)
	os.replace(tmp_path, settings_file)
	except Exception:
	try:
	os.unlink(tmp_path)
	except OSError:
	pass
	raise

🤖 Prompt for AI Agents

In apps/backend/runners/github/batch_validator.py around lines 204 to 206 the
settings file is written directly which is not atomic and has no error handling;
instead, write to a temporary file in the same directory (e.g.
settings_file.with_suffix(".tmp")), use json.dump to the temp file, flush and
os.fsync the file descriptor to ensure data hits disk, close it, then atomically
replace the target file using os.replace; wrap the sequence in try/except to
catch and log or re-raise I/O errors (and ensure the directory exists and
temporary file is cleaned up on failure) so partial writes and silent failures
are avoided.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

JSON parsing fallback may extract invalid JSON from surrounding text.

The fallback logic using find("{") and rfind("}") can match mismatched braces if the response contains multiple JSON-like structures or nested objects within text. Consider using a more robust JSON extraction approach.

🔎 Proposed fix

         try:
             return json.loads(text)
         except json.JSONDecodeError:
             # Try to find JSON object in text
             start = text.find("{")
             end = text.rfind("}") + 1
-            if start >= 0 and end > start:
-                return json.loads(text[start:end])
-            raise
+            if start >= 0 and end > start:
+                try:
+                    return json.loads(text[start:end])
+                except json.JSONDecodeError:
+                    pass
+            # Return safe defaults if parsing fails completely
+            logger.warning("Failed to parse JSON response, using defaults")
+            return {
+                "is_valid": True,
+                "confidence": 0.5,
+                "reasoning": "Failed to parse AI response",
+                "suggested_splits": None,
+                "common_theme": "",
+            }

Committable suggestion skipped: line range outside the PR's diff.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Role cache has no expiration - stale permissions possible.

The _role_cache dictionary caches user roles indefinitely. If a user's role changes (e.g., promoted to collaborator), the cache will serve stale data until the process restarts.

🔎 Proposed fix - add TTL-based cache

+from datetime import datetime, timedelta
+
+@dataclass
+class CachedRole:
+    role: GitHubRole
+    cached_at: datetime
+
 class GitHubPermissionChecker:
     ...
+    CACHE_TTL_SECONDS = 300  # 5 minutes
+
     def __init__(self, ...):
         ...
-        self._role_cache: dict[str, GitHubRole] = {}
+        self._role_cache: dict[str, CachedRole] = {}

     async def get_user_role(self, username: str) -> GitHubRole:
         # Check cache first
         if username in self._role_cache:
-            return self._role_cache[username]
+            cached = self._role_cache[username]
+            if (datetime.now() - cached.cached_at).total_seconds() < self.CACHE_TTL_SECONDS:
+                return cached.role
+            del self._role_cache[username]

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In apps/backend/runners/github/permissions.py around lines 96-97, the
_role_cache currently stores GitHubRole entries indefinitely which can return
stale permissions; change it to a TTL-based cache by storing per-key metadata
(role and insertion timestamp) or replacing the dict with a TTL cache (e.g.,
cachetools.TTLCache) and set a reasonable expiration (e.g., few minutes); update
all read/write logic to check timestamps or rely on TTLCache eviction so entries
older than the TTL are refreshed from the API, and ensure thread-safety if
accessed concurrently.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Broad exception handling masks specific errors.

Using bare except Exception catches all errors including unexpected ones. Consider catching specific exceptions (e.g., API errors, network errors) to provide better error messages and avoid masking bugs.

Also applies to: 266-267, 269-270, 282-283

🤖 Prompt for AI Agents

In apps/backend/runners/github/permissions.py around lines 250-251 (and
similarly at 266-267, 269-270, 282-283), the code uses broad `except Exception`
handlers which mask specific API/network errors; replace these with targeted
exception handling by catching the specific exceptions raised by the GitHub
client and network layer (e.g., HTTPError/requests.exceptions.RequestException
or the library's ApiError/BadCredentialsError/NotFound exceptions), log the
exception type and message for diagnostics, and only fall back to the “not a
collaborator” behavior on the expected 404/permission-related error; for other
exceptions re-raise or handle them appropriately (with retries or clearer error
logs) so unexpected errors are not silently swallowed.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

GitHub REST API /repos/{repo}/contributors endpoint pagination

💡 Result:

Short summary:

• Endpoint: GET /repos/{owner}/{repo}/contributors. It supports pagination via the query parameters per_page (max 100, default 30) and page. [1]
• Use the response Link header to traverse pages (contains rel="next", "prev", "first", "last"). If Link is absent, all results fit on one page. [2]
• Notes: results are cached and sorted by commit count; only the first 500 author emails are linked to GitHub users (others appear anonymous); you can include anonymous contributors with anon=1/true. [1]

Sources: [1] GitHub REST API — List repository contributors. [2] Using pagination in the REST API.

---

The /repos/{repo}/contributors endpoint uses pagination with a default limit of 30 results per page. For repositories with many contributors, the current implementation will only check the first page, potentially missing users who appear beyond that. Consider using the per_page parameter (max 100) or handling the pagination via the response Link header to increase coverage.

Additionally, note that only the first 500 author emails are linked to GitHub users; beyond that, contributors appear as anonymous accounts.

🤖 Prompt for AI Agents

In apps/backend/runners/github/permissions.py around lines 273 to 281, the call
to /repos/{repo}/contributors only fetches the default first page (30) so users
beyond that page can be missed; update the logic to handle pagination by either
adding per_page=100 and iterating subsequent pages or by following the response
Link header until no next page, checking each page for the username and
short-circuiting when found, then set self._role_cache[username] and return;
also handle anonymous/unnamed contributors (skip None/log) and ensure errors
from paging are handled gracefully.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Same silent exception handling issue in close_pr.

Apply consistent logging for debugging visibility.

🤖 Prompt for AI Agents

In apps/backend/runners/github/providers/github_provider.py around lines 200 to
206, the except block in close_pr silently swallows exceptions; update it to
catch the exception as a variable (e.g. "except Exception as e") and log the
error with the module/class logger (use self._logger.exception(...) or
logging.getLogger(__name__).exception(...)) including context like pr_number and
comment, then return False; this retains the False return while providing
consistent, detailed logging for debugging.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Inconsistent error handling: close_issue swallows exceptions but create_issue propagates them.

This inconsistency makes error handling unpredictable for callers.

Consider adopting a consistent strategy: either all operations return success/failure booleans with logging, or all propagate exceptions with meaningful error types.

🤖 Prompt for AI Agents

In apps/backend/runners/github/providers/github_provider.py around lines 311 to
317, close_issue currently swallows all exceptions and returns False, which is
inconsistent with create_issue that lets exceptions propagate; remove the broad
try/except so errors bubble up like create_issue (or alternatively replace it
with targeted exception handling that re-raises after logging), ensure any
awaited calls remain awaited, and update any callers/tests if needed to expect
exceptions instead of boolean failure.

[coderabbitai]

Review continued from previous batch...

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Singleton pattern with class variable has thread-safety issues.

get_instance checks and sets _instance without locking, which could cause race conditions in multi-threaded environments where multiple instances get created.

🔎 Proposed fix

+import threading
+
 class AuditLogger:
+    _lock = threading.Lock()
     _instance: AuditLogger | None = None

     @classmethod
     def get_instance(
         cls,
         log_dir: Path | None = None,
         **kwargs,
     ) -> AuditLogger:
         """Get or create singleton instance."""
-        if cls._instance is None:
-            cls._instance = cls(log_dir=log_dir, **kwargs)
+        if cls._instance is None:
+            with cls._lock:
+                # Double-check locking
+                if cls._instance is None:
+                    cls._instance = cls(log_dir=log_dir, **kwargs)
         return cls._instance

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In apps/backend/runners/github/audit.py around lines 222 to 231, the singleton
get_instance method accesses and assigns the class variable _instance without
synchronization, which can produce race conditions in multi-threaded contexts;
add a class-level threading.Lock (e.g., _lock = threading.Lock()) and wrap the
instance-creation section with that lock (use a with cls._lock: block and
perform a second check of cls._instance inside it to avoid duplicate creation),
and ensure threading is imported and the lock is used whenever _instance is set.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Audit log writes don't flush or sync.

Critical audit entries could be lost if the process crashes before the OS flushes buffers to disk.

🔎 Proposed fix for critical audit entries

     def _write_entry(self, entry: AuditEntry) -> None:
         """Write an entry to the log file."""
         if not self.enabled:
             return

         self._rotate_if_needed()

         try:
             log_file = self._get_log_file_path()
             with open(log_file, "a") as f:
                 f.write(entry.to_json() + "\n")
+                f.flush()
+                # For critical entries, could add: os.fsync(f.fileno())
         except Exception as e:
             logger.error(f"Failed to write audit log: {e}")

🤖 Prompt for AI Agents

In apps/backend/runners/github/audit.py around lines 370 to 375, the audit log
write currently just writes to the file and relies on OS buffering which can
lose critical entries on a crash; after calling f.write(entry.to_json() + "\n")
call f.flush() and then os.fsync(f.fileno()) to force the data to disk, and
ensure os is imported at the top of the file; keep the existing try/except but
perform the flush/fsync inside the try so failures are logged by the existing
logger.error.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

query_logs reads all files on every query.

For large log directories with many files, this could be slow. Consider adding date-based filtering at the file level before opening.

 for log_file in sorted(self.log_dir.glob("audit_*.jsonl"), reverse=True):
+    # Extract date from filename and skip files outside date range
+    if since:
+        file_date_str = log_file.stem.split("_")[1]  # audit_YYYY-MM-DD
+        try:
+            file_date = datetime.strptime(file_date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
+            if file_date < since.replace(hour=0, minute=0, second=0, microsecond=0):
+                continue
+        except ValueError:
+            pass  # Fall through to read file

🤖 Prompt for AI Agents

In apps/backend/runners/github/audit.py around lines 586 to 640, query_logs
currently opens every audit_*.jsonl file which is inefficient for large log
dirs; update the loop to skip files that cannot contain entries after the
optional since cutoff by checking file-level date information before opening
(e.g., parse a date from the filename if present or use file.stat().st_mtime /
os.path.getmtime), compare that to the since datetime (convert mtime to datetime
with timezone awareness), and only open files whose modification time or parsed
filename date is >= since; keep the existing in-file filtering, preserve sort
order and limit behavior, and ensure you handle cases where since is None by
falling back to processing all files and still catch and log exceptions as
before.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Decorator doesn't preserve function signature or docstring.

The audit_operation decorator replaces the original function without @functools.wraps, losing metadata.

🔎 Proposed fix

+import functools
+
 def audit_operation(
     action_start: AuditAction,
     action_complete: AuditAction,
     action_failed: AuditAction,
     **kwargs,
 ):
     """Decorator for auditing function calls."""

     def decorator(func):
+        @functools.wraps(func)
         async def async_wrapper(*args, **func_kwargs):
             audit = get_audit_logger()
             with audit.operation(
                 action_start=action_start,
                 action_complete=action_complete,
                 action_failed=action_failed,
                 **kwargs,
             ) as ctx:
                 return await func(*args, audit_context=ctx, **func_kwargs)

+        @functools.wraps(func)
         def sync_wrapper(*args, **func_kwargs):

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	def decorator(func):
	async def async_wrapper(*args, **func_kwargs):
	audit = get_audit_logger()
	with audit.operation(
	action_start=action_start,
	action_complete=action_complete,
	action_failed=action_failed,
	**kwargs,
	) as ctx:
	return await func(*args, audit_context=ctx, **func_kwargs)
	def sync_wrapper(*args, **func_kwargs):
	audit = get_audit_logger()
	with audit.operation(
	action_start=action_start,
	action_complete=action_complete,
	action_failed=action_failed,
	**kwargs,
	) as ctx:
	return func(*args, audit_context=ctx, **func_kwargs)
	import asyncio
	if asyncio.iscoroutinefunction(func):
	return async_wrapper
	return sync_wrapper
	def decorator(func):
	@functools.wraps(func)
	async def async_wrapper(*args, **func_kwargs):
	audit = get_audit_logger()
	with audit.operation(
	action_start=action_start,
	action_complete=action_complete,
	action_failed=action_failed,
	**kwargs,
	) as ctx:
	return await func(*args, audit_context=ctx, **func_kwargs)
	@functools.wraps(func)
	def sync_wrapper(*args, **func_kwargs):
	audit = get_audit_logger()
	with audit.operation(
	action_start=action_start,
	action_complete=action_complete,
	action_failed=action_failed,
	**kwargs,
	) as ctx:
	return func(*args, audit_context=ctx, **func_kwargs)
	import asyncio
	if asyncio.iscoroutinefunction(func):
	return async_wrapper
	return sync_wrapper

🤖 Prompt for AI Agents

In apps/backend/runners/github/audit.py around lines 711 to 736, the
audit_operation decorator defines async_wrapper and sync_wrapper but does not
preserve the original function's name, docstring, or metadata; wrap both
wrappers with functools.wraps(func) (and import functools if not already
imported) so the decorator preserves the original function signature/metadata,
i.e. apply @functools.wraps(func) above async_wrapper and sync_wrapper (or call
functools.wraps(func)(wrapper) when returning) and ensure the functools import
is present.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

updated_at is set after writing to disk, not before.

The file is written with the old updated_at timestamp, then the field is updated. This means the persisted data doesn't reflect the actual save time.

🔎 Proposed fix

 def save(self, github_dir: Path) -> None:
     """Save batch to disk."""
+    self.updated_at = datetime.now(timezone.utc).isoformat()
+    
     batches_dir = github_dir / "batches"
     batches_dir.mkdir(parents=True, exist_ok=True)

     batch_file = batches_dir / f"batch_{self.batch_id}.json"
     with open(batch_file, "w") as f:
         json.dump(self.to_dict(), f, indent=2)
-
-    self.updated_at = datetime.now(timezone.utc).isoformat()

🤖 Prompt for AI Agents

In apps/backend/runners/github/batch_issues.py around lines 140 to 149, the code
updates self.updated_at only after writing the batch JSON to disk so the
persisted file contains the old timestamp; move the line that sets
self.updated_at = datetime.now(timezone.utc).isoformat() to immediately before
serializing/writing the file so the updated_at field is set to the current UTC
time before calling json.dump, ensuring the file reflects the real save time.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

record_outcome uses repo parameter but doesn't validate it matches the stored outcome.

The repo parameter is used for saving, but the method doesn't verify that it matches review_outcome.repo. This could cause data to be saved to the wrong file.

🔎 Proposed fix

     def record_outcome(
         self,
         repo: str,
         review_id: str,
         outcome: OutcomeType,
         time_to_outcome: timedelta | None = None,
         author_response: AuthorResponse = AuthorResponse.UNKNOWN,
     ) -> ReviewOutcome | None:
         if review_id not in self._outcomes:
             return None

         review_outcome = self._outcomes[review_id]
+        if review_outcome.repo != repo:
+            logger.warning(f"Repo mismatch: expected {review_outcome.repo}, got {repo}")
+            return None
+        
         review_outcome.actual_outcome = outcome

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if review_id not in self._outcomes:
	return None
	review_outcome = self._outcomes[review_id]
	review_outcome.actual_outcome = outcome
	review_outcome.time_to_outcome = time_to_outcome
	review_outcome.author_response = author_response
	review_outcome.outcome_recorded_at = datetime.now(timezone.utc)
	self._save_outcomes(repo)
	return review_outcome
	if review_id not in self._outcomes:
	return None
	review_outcome = self._outcomes[review_id]
	if review_outcome.repo != repo:
	logger.warning(f"Repo mismatch: expected {review_outcome.repo}, got {repo}")
	return None
	review_outcome.actual_outcome = outcome
	review_outcome.time_to_outcome = time_to_outcome
	review_outcome.author_response = author_response
	review_outcome.outcome_recorded_at = datetime.now(timezone.utc)
	self._save_outcomes(repo)
	return review_outcome

🤖 Prompt for AI Agents

In apps/backend/runners/github/learning.py around lines 393 to 404, the method
updates a stored review outcome but uses the incoming repo parameter for
persisting without verifying it matches review_outcome.repo; add a validation
step that compares repo to review_outcome.repo and if they differ raise an
exception (e.g., ValueError) or log and return None, otherwise proceed to call
self._save_outcomes with the correct repo (preferably use review_outcome.repo
for saving to avoid accidental writes to the wrong file).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Exception handling for JSON decode is incomplete.

The get_state method catches json.JSONDecodeError and KeyError, but OnboardingState.from_dict could raise ValueError (from enum conversion) or TypeError (from datetime parsing).

🔎 Proposed fix

         if self.state_file.exists():
             try:
                 with open(self.state_file) as f:
                     data = json.load(f)
                     self._state = OnboardingState.from_dict(data)
-            except (json.JSONDecodeError, KeyError):
+            except (json.JSONDecodeError, KeyError, ValueError, TypeError) as e:
+                logger.warning(f"Failed to load onboarding state, starting fresh: {e}")
                 self._state = OnboardingState(repo=self.repo)

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In apps/backend/runners/github/onboarding.py around lines 303 to 312, the
get_state exception handling only catches json.JSONDecodeError and KeyError but
OnboardingState.from_dict can also raise ValueError (e.g., enum conversion) or
TypeError (e.g., datetime parsing); update the except clause to also catch
ValueError and TypeError and handle them the same way (reset self._state =
OnboardingState(repo=self.repo)), optionally logging the original exception for
diagnostics before resetting.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Swallowing exceptions silently loses debugging context.

The merge_pr method catches all exceptions and returns False, making it impossible to distinguish between different failure modes (permission denied, merge conflicts, network errors, etc.).

🔎 Proposed fix

+import logging
+
+logger = logging.getLogger(__name__)
+
 async def merge_pr(
     self,
     pr_number: int,
     merge_method: str = "merge",
     commit_title: str | None = None,
 ) -> bool:
     """Merge a pull request."""
     cmd = ["pr", "merge", str(pr_number)]

     if merge_method == "squash":
         cmd.append("--squash")
     elif merge_method == "rebase":
         cmd.append("--rebase")
     else:
         cmd.append("--merge")

     if commit_title:
         cmd.extend(["--subject", commit_title])

     cmd.append("--yes")

     try:
         await self._gh_client._run_gh_command(cmd)
         return True
-    except Exception:
+    except Exception as e:
+        logger.warning(f"Failed to merge PR #{pr_number}: {e}")
         return False

🤖 Prompt for AI Agents

In apps/backend/runners/github/providers/github_provider.py around lines 188 to
192, the merge_pr method currently swallows all exceptions and returns False,
losing debugging context; change the except to capture the exception (except
Exception as e), log the full error and stack trace via the class logger or
process logger (including context like PR id and command), and then return False
(or re-raise only for fatal/unexpected cases) so failures are observable and
actionable; ensure the logger call includes the exception object/traceback
rather than just a string.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Parsing issue URL to extract number is fragile.

If gh issue create output format changes or returns unexpected output (error message, empty string), the URL parsing will fail with an unclear exception.

🔎 Proposed fix

     result = await self._gh_client._run_gh_command(cmd)

     # Parse the issue URL to get the number
     # gh issue create outputs the URL
     url = result.strip()
-    number = int(url.split("/")[-1])
+    try:
+        number = int(url.split("/")[-1])
+    except (ValueError, IndexError) as e:
+        raise ValueError(f"Failed to parse issue number from output: {url!r}") from e

     return await self.fetch_issue(number)

🤖 Prompt for AI Agents

In apps/backend/runners/github/providers/github_provider.py around lines 296 to
303, the code naively splits the raw output of `gh issue create` to extract the
issue number which is fragile and will break on empty/unexpected output; update
the implementation to either (preferred) change the gh command to request
structured output (e.g. use `--json number` or `--json url,number`) and parse
JSON to obtain the number reliably, or (if keeping string output) validate that
`result` is non-empty, trim it, run a robust regex (e.g. match a trailing
`/\d+`), convert to int inside a try/except, and on failure log the full
`result` and raise a clear, descriptive exception so callers get actionable info
instead of an unclear traceback.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Returning current time as fallback for invalid datetime is misleading.

When parsing fails, returning datetime.now(timezone.utc) makes it appear the entity was just created/updated, which could lead to incorrect time-based filtering or sorting.

🔎 Proposed fix

 def _parse_datetime(self, dt_str: str | None) -> datetime:
     """Parse ISO datetime string."""
     if not dt_str:
-        return datetime.now(timezone.utc)
+        # Return epoch as a sentinel for "unknown" rather than misleading "now"
+        return datetime(1970, 1, 1, tzinfo=timezone.utc)
     try:
         return datetime.fromisoformat(dt_str.replace("Z", "+00:00"))
     except (ValueError, AttributeError):
-        return datetime.now(timezone.utc)
+        return datetime(1970, 1, 1, tzinfo=timezone.utc)

Alternatively, consider making the return type datetime | None and handling missing timestamps explicitly upstream.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	def _parse_datetime(self, dt_str: str | None) -> datetime:
	"""Parse ISO datetime string."""
	if not dt_str:
	return datetime.now(timezone.utc)
	try:
	return datetime.fromisoformat(dt_str.replace("Z", "+00:00"))
	except (ValueError, AttributeError):
	return datetime.now(timezone.utc)
	def _parse_datetime(self, dt_str: str | None) -> datetime:
	"""Parse ISO datetime string."""
	if not dt_str:
	# Return epoch as a sentinel for "unknown" rather than misleading "now"
	return datetime(1970, 1, 1, tzinfo=timezone.utc)
	try:
	return datetime.fromisoformat(dt_str.replace("Z", "+00:00"))
	except (ValueError, AttributeError):
	return datetime(1970, 1, 1, tzinfo=timezone.utc)

🤖 Prompt for AI Agents

In apps/backend/runners/github/providers/github_provider.py around lines 511 to
518 the function currently returns datetime.now(timezone.utc) on missing/invalid
input which falsely indicates a recent timestamp; change the signature to return
datetime | None, return None when dt_str is falsy or parsing fails (do not
swallow errors into "now"), and update all call sites to handle None explicitly
(e.g., skip/ignore, use a fallback only where semantically correct, or log the
missing timestamp) so time-based filtering/sorting remains accurate.