feat(wizard): Phase 22 — CLI wizard parity with web + sub-package split

[cemililik]

Summary

Closes the parity gap between forgelm --wizard (CLI) and the in-browser site/js/wizard.js documented in docs/analysis/code_reviews/2026-05-07_cli_wizard_ux_analysis.md + -2.md. 20 original findings (G1-G20) and 5 independent findings (I1-I5) verified against current code; this PR addresses the actionable subset.

What's in this PR

CLI wizard (forgelm/wizard/)

• Adım sırası refactor (I1): compliance.risk_classification artık evaluation.safety'den önce soruluyor. v0.5.5'te tersine sıralı olduğu için F-compliance-110 strict-tier auto-coercion'ı yapısal olarak imkansızdı.
• Trainer hyperparameter'ları (G1): DPO / SimPO / KTO / ORPO / GRPO için per-trainer knob'lar (dpo_beta, simpo_beta+gamma, kto_beta, orpo_beta, grpo_*).
• PEFT method genişliği (G2): 6 strateji kartı (QLoRA / LoRA / DoRA / PiSSA / rsLoRA / GaLore).
• GaLore varyantları (G9): 6 optimizer (3 base + 3 _layerwise).
• RoPE tipleri (G10): linear / dynamic / yarn + longrope (4-of-4).
• LoRA r schema parite (G11): DEFAULT_LORA_R 16 → 8.
• Compliance derinliği (G5): EU AI Act Madde 9 (risk_assessment), Madde 10 (data.governance), Madde 11+Annex IV §1, Madde 12+17 (monitoring), GDPR Madde 5(1)(e)+17 (retention), evaluation.benchmark, evaluation.llm_judge, synthetic blokları.
• High-risk auto-coercion (G8): strict tier seçildiğinde safety.enabled + require_human_approval otomatik True; F-compliance-110 schema-side gate'in front-stop'u.
• Webhook tek-prompt (G15): literal URL veya env:VAR_NAME; urlparse validation; HTTP uyarıyla kabul.
• Safety probe path fix (G16): importlib.resources.files("forgelm.safety_prompts") ile bundled probe set — pip install regression'u kapatıyor.
• Persistence (G6): \$XDG_CACHE_HOME/forgelm/wizard_state.yaml snapshot (schema-versioned).
• Step-diff preview (G7): her adım sonrası + key: value / ~ key: before → after.
• Beginner / expert toggle (G13): beginner mode tutorial paragrafları.
• Use-case integration (G12): quickstart-template listesi full wizard Step 2'de.
• Navigation (G3): back/b + reset/r token'ları.
• POPULAR_MODELS parite (G14): web wizard preset kartlarıyla aynı.
• Full YAML preview summary (G17): _print_wizard_summary artık tam YAML dump ediyor.

Web wizard

• I2: site/js/wizard.js header comment "7 step" → "9 step" + correct list.
• I4: USE_CASE_PRESETS keys aligned with forgelm/quickstart.py::TEMPLATES (code-copilot → code-assistant, medical-tr → medical-qa-tr).

Mimari

forgelm/wizard.py (976 LOC monolit) → forgelm/wizard/ sub-package:

Submodule	LOC	Sorumluluk
_io.py	213	primitive prompt'lar + nav token'ları + hardware detection
_state.py	290	_WizardState, persistence, summary, schema-default constant'lar
_collectors.py	688	tüm _collect_* + strategy + use-case preset registry
_byod.py	333	Phase 11.5/12.5 BYOD + quickstart prelude
_orchestrator.py	566	step defs + driver + coercion + run_wizard
__init__.py	176	re-export shim (backward compat)

Hiçbir submodule warn-threshold'u (1000 LOC) aşmıyor.

Docs

• docs/design/wizard_mode.md — 9-adım flow rewrite (I5).
• docs/reference/architecture.md + -tr.md — sub-package referansı.
• docs/guides/quickstart.md + -tr.md — wizard akış güncellemesi.
• docs/roadmap/phase-11-5-backlog.md — link fix (_byod.py).
• CHANGELOG.md — [Unreleased] ### Added Phase 22 entry.

Tests

Yeni: tests/test_wizard_phase22.py — 55 test (webhook parsing, safety probe path, trainer hyperparams, navigation, strict-tier coercion, persistence, step diff, use-case parity, schema-default parity).

Güncellenen: tests/test_wizard_phase11.py (3 _print_wizard_summary test'i yeni dict API), tests/test_phase12_5.py (3 patch hedefi sub-package binding'ine).

i18n kararı

CLI wizard English-only kalıyor (operatör explicit talebi). Web wizard'ın 6-dil katalogu korundu.

Test plan

• pytest tests/ --ignore=tests/test_compliance.py — 1487 pass, 14 skip, 0 fail (5:49)
• pytest tests/test_wizard_*.py tests/test_phase12_5.py — 108 pass, 0 fail
• 8/8 doc CI guards green (bilingual_parity, anchor_resolution, cli_help_consistency, yaml_snippets, audit_event_catalog, library_api_doc, doc_numerical_claims, bilingual_code_blocks)
• ruff check forgelm/wizard/ + ruff format --check — temiz
• tools/check_module_size.py — 0 over fail-threshold; 5 grandfathered (unchanged)
• forgelm --config config_template.yaml --dry-run — başarılı
• End-to-end smoke: SFT/DPO/GRPO YAML'larının ForgeConfig.model_validate()'i geçtiği doğrulandı; high-risk auto-coerced config schema'ya uyum sağlıyor
• Notebooks: 0 etkilenen (grep -rn "from forgelm import wizard")
• CLI dispatcher (forgelm/cli/_wizard.py) ve pyproject.toml packages.find glob'u sub-package'ı otomatik kapsıyor

Reviewing

Independent review prompt prepared at /tmp/review-agent-prompt.md (içerik PR commit message'ında özetlenmiş).

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• New Features

  • Enhanced interactive configuration wizard with 9-step flow, keyboard navigation (back/reset controls), webhook URL parsing, safety probe resolution, and XDG-aware state persistence.
  • Added compliance metadata and strict-tier auto-gating configuration in wizard.
  • Introduced step-diff previewing and beginner/expert verbosity toggling.

• Changed

  • Minimum required torch version bumped from 2.1.0 to 2.3.0.

• Documentation

  • Updated wizard architecture and design documentation to reflect new 9-step flow and modernized capabilities.

• Tests

  • Added comprehensive test coverage for Phase 22 wizard modernization.

[qodo-code-review]

ⓘ You've reached your Qodo monthly free-tier limit. Reviews pause until next month — upgrade your plan to continue now, or link your paid account if you already have one.

[sourcery-ai]

Sorry @cemililik, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 56db7ed8-e686-4fd0-8afc-afff9b9b7f2b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/phase22-wizard-modernisation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codacy-production]

Not up to standards ⛔

🔴 Issues 5 high · 2 medium · 3 minor

Alerts:
⚠ 10 issues (≤ 0 issues of at least minor severity)

Results:
10 new issues

Category	Results
BestPractice	1 minor
ErrorProne	5 high
Security	2 medium 1 minor
Comprehensibility	1 minor

View in Codacy

🟢 Metrics 671 complexity · 2 duplication

Metric	Results
Complexity	671
Duplication	2

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[gemini-code-assist]

Code Review

This pull request refactors the forgelm/wizard.py monolith into a modular sub-package forgelm/wizard/ and modernizes the CLI wizard to achieve parity with the web wizard's 9-step flow. It introduces support for advanced training configurations, compliance metadata, and improved dataset ingestion and auditing. The review feedback highlights opportunities to enforce mandatory compliance fields, fix index validation in menu prompts, correct default index logic for model selection, and ensure consistent UTF-8 encoding for file operations.

[gemini-code-assist]

Under the EU AI Act, Article 9 risk management evidence is mandatory for high-risk and unacceptable systems. The intended_use field should be enforced as non-empty using _prompt_required when is_strict is true, rather than allowing an empty default.

References

1. EU AI Act Article 9(2)(a) requires documentation of the intended purpose of the system. ^(link)
2. High-risk AI systems must have a risk management system that includes documentation of intended use and foreseeable misuse.

[gemini-code-assist]

Article 10 data governance evidence is mandatory for strict risk tiers. When mandatory is true, the collection_method, annotation_process, and known_biases fields should be enforced as non-empty using _prompt_required.

References

1. EU AI Act Article 10 requires documentation of data collection, annotation, and bias assessment. ^(link)
2. High-risk AI systems must use high-quality datasets and have appropriate data governance and management practices.

[gemini-code-assist]

The _collect_compliance_metadata function collects the risk classification at the end of the block. For high-risk or unacceptable tiers, Article 11 and Annex IV §1 require specific provider and system metadata. To ensure compliance and provide a better user experience (matching the web wizard's behavior), the risk classification should be prompted first. This allows the function to use _prompt_required for mandatory fields when a strict tier is selected.

[gemini-code-assist]

The _prompt_choice function does not validate if the user-provided index is within the positive bounds of the options list. If a user enters 0, Python's negative indexing will return the last element of the list (options[-1]), which is counter-intuitive for a 1-based menu and may lead to unintended configuration choices.

Suggested change

	return options[idx - 1]
	if 1 <= idx <= len(options):
	return options[idx - 1]
	return options[default - 1]

[gemini-code-assist]

The logic for determining default_idx in the model selection step clobbers the user's current choice if it is not present in the POPULAR_MODELS list (e.g., a model preselected by a use-case template like code-assistant). It should default to the 'Custom' option index when a non-popular model is already set in the state.

Suggested change

	if preset_default and preset_default in POPULAR_MODELS:
	default_idx = POPULAR_MODELS.index(preset_default) + 1
	else:
	default_idx = 1
	if preset_default:
	if preset_default in POPULAR_MODELS:
	default_idx = POPULAR_MODELS.index(preset_default) + 1
	else:
	default_idx = len(options) # Default to 'Custom'
	else:
	default_idx = 1

[gemini-code-assist]

The configuration file should be written using UTF-8 encoding to ensure portability and correct handling of non-ASCII characters (e.g., in provider names or intended purposes), consistent with how the wizard state is saved.

Suggested change

	try:
	try:
	with open(requested_filename, "w", encoding="utf-8") as f:

[coderabbitai]

Actionable comments posted: 13

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/design/wizard_mode.md`:
- Around line 33-79: The ordered list entries (markers "0." through "9.") in the
wizard flow block use two spaces after the list marker which triggers MD030;
update each ordered-list line to use a single space after the numeric marker
(e.g., change "0.  **Quickstart..." to "0. **Quickstart...") so the markdownlint
warning is resolved while keeping the exact text and formatting of the list
items (refer to the numbered entries in the wizard flow block).

In `@docs/reference/architecture.md`:
- Line 149: Update the heading and corresponding section text in
docs/reference/architecture.md so the wizard component reads and is titled
"wizard/" (reflecting the forgelm/wizard/ sub-package) instead of "wizard.py",
and make the identical change in docs/reference/architecture-tr.md to keep EN/TR
mirrors consistent; also scan the wizard section for any remaining monolithic
phrasing (e.g., references to a single-file implementation) and adjust wording
to reference the package layout and functions like _offer_ingest_for_directory
and _offer_audit_for_jsonl where the doc currently implies a monolith.

In `@forgelm/wizard/_byod.py`:
- Around line 80-83: The printed shell hints use raw interpolated paths
(variable resolved) inside _print calls, which breaks for paths with
spaces/metacharacters; update each occurrence (the _print call around the first
snippet and the other hints at the locations mentioned) to wrap the path with
shlex.quote(resolved) (import shlex if not present) so the displayed commands
are safely quoted and copy-pastable; ensure every formatted string that inserts
resolved (and any similar path variables) uses shlex.quote(...) in the f-strings
for the three occurrences referenced.
- Around line 194-209: The prompt currently accepts any non-directory string as
valid; change _prompt_dataset_path_with_ingest_offer to reuse the quickstart
validation flow: after reading raw, set candidate = Path(raw).expanduser(); if
candidate.is_dir() keep the _offer_ingest_for_directory path; else if
candidate.exists() and candidate.is_file() and candidate.suffix.lower() in
(".jsonl", ".json") call _offer_audit_for_jsonl(candidate.resolve()) and return
the resolved path; else if candidate.exists() but is not a valid JSONL, surface
an error and continue; if candidate does not exist, call the existing
_validate_local_jsonl(...) (or the project’s HF-id fallback helper) to validate
whether raw is a valid local JSONL or a Hugging Face dataset id and only return
raw when that validation succeeds, otherwise show an error and loop. Ensure you
reference and reuse _offer_ingest_for_directory, _offer_audit_for_jsonl, and
_validate_local_jsonl in the updated logic.

In `@forgelm/wizard/_collectors.py`:
- Around line 151-153: The default for webhook start notifications is wrong;
change the call that sets the default for "notify_on_start" so it matches the
web wizard (set to False) instead of True; specifically update the line that
calls section.setdefault("notify_on_start", True) to
section.setdefault("notify_on_start", False) while leaving the other keys
("notify_on_success", "notify_on_failure") unchanged to keep parity across
surfaces.
- Around line 412-424: When mandatory=True, _collect_data_governance currently
still allows empty strings for "collection_method", "annotation_process", and
"known_biases"; change the prompts so those three fields are required when
mandatory is True by re-prompting until a non-empty response (e.g., loop on
_prompt for "collection_method", "annotation_process", and "known_biases" when
mandatory) or by using a required/validate parameter if _prompt supports it;
ensure the rest of the function returns the same keys ("collection_method",
"annotation_process", "known_biases", "personal_data_included",
"dpia_completed") but with non-empty values for the three text fields when
mandatory is set.
- Around line 389-405: The strict-tier branch currently treats Article 9 fields
as optional — ensure when is_strict is True that intended_use,
foreseeable_misuse and mitigation_measures cannot be empty by re-prompting or
validating input: for intended_use, replace the single _prompt call with logic
that loops (or validates) until a non-empty string is returned when is_strict is
True (still allow empty when False); for foreseeable_misuse and
mitigation_measures, use _prompt_optional_list but enforce at least one item
when is_strict is True by re-prompting until the returned list is non-empty;
keep vulnerable_groups_considered behavior unchanged. Target the calls to
_prompt("Article 9(2)(a): intended_use", ""), _prompt_optional_list("Article
9(2)(b): foreseeable_misuse — list at least one realistic misuse"), and
_prompt_optional_list("Article 9(2)(c): mitigation_measures the deployer
applies") and add the minimal loop/validation around them keyed to is_strict.

In `@forgelm/wizard/_io.py`:
- Around line 191-193: The CUDA VRAM lookup uses
torch.cuda.get_device_properties(0).total_mem which doesn't exist and raises an
AttributeError; update the VRAM calculation in the block that sets
info["vram_gb"] (the code using torch.cuda.get_device_properties in
forgelm/wizard/_io.py) to use the correct attribute total_memory and keep the
same rounding/GB conversion so info["vram_gb"] =
round(torch.cuda.get_device_properties(0).total_memory / (1024**3), 1).

In `@forgelm/wizard/_orchestrator.py`:
- Around line 500-511: The WizardBack handler fails to restore the prior config
snapshot so partial mutations leak into persisted state; when catching
WizardBack in the block that calls step.runner, restore state.config from the
previously saved prev_config (deep copy) before decrementing state.current_step
and before calling _persist_state, and ensure any changes to
state.completed_steps still reflect the rolled-back step (use prev_config to
decide if completed_steps needs adjustment); update the exception branch around
step.runner, prev_config, state.config, WizardBack, state.current_step,
state.completed_steps and _persist_state accordingly.
- Around line 512-515: The except block handling WizardReset should not return a
new _WizardState() because that makes _run_full_wizard() treat the reset as a
completed run; instead after calling _clear_wizard_state() re-raise WizardReset
so the reset propagates to the caller and triggers the restart flow. Change the
except WizardReset block to call _clear_wizard_state() and then "raise" (not
"return _WizardState()") so _run_full_wizard and surrounding logic can handle
restarting correctly.

In `@tests/test_wizard_phase22.py`:
- Around line 299-304: The current test
test_load_returns_none_on_corrupt_snapshot uses a string that PyYAML can parse,
so update the written snapshot content to an unambiguously invalid YAML string
(e.g., an unbalanced bracket or a lone colon line) so the parser throws
yaml.YAMLError; keep using wizard._wizard_state_path() to create the file and
assert wizard._load_wizard_state() is None so the corrupt-YAML except branch is
exercised.
- Around line 88-96: The tests are inconsistent: wizard._parse_webhook_value
currently raises ValueError with "must use `https://`" for unknown schemes while
http:// is accepted with a warning; update the ValueError text in
wizard._parse_webhook_value to state the real rule (e.g., "must use http:// or
https://") and then update the test test_unknown_scheme_rejected to expect that
new message so the rejection for ftp:// matches the acceptance behavior for
http://; references: function wizard._parse_webhook_value and test
test_unknown_scheme_rejected.
- Around line 104-120: Tests TestDefaultSafetyProbesPath
(test_resolves_to_packaged_jsonl and test_path_is_absolute_or_resolvable) make
unconditional on-disk assertions against the path returned by
wizard._default_safety_probes_path, which will fail in source-only checkouts;
either mock importlib.resources.files (or the resource lookup used by
wizard._default_safety_probes_path / pkgutil.get_data) to return a temporary
file path or gate the tests with pytest.mark.skipif that checks the resource
exists before asserting Path(...).is_file() so the tests do not assume
package-data is present in non-installed/dev environments.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 09191bc6-c98c-4257-a2a8-64ad91848f51

📥 Commits

Reviewing files that changed from the base of the PR and between 755eaf7 and 52b113d.

📒 Files selected for processing (18)

• CHANGELOG.md
• docs/design/wizard_mode.md
• docs/guides/quickstart-tr.md
• docs/guides/quickstart.md
• docs/reference/architecture-tr.md
• docs/reference/architecture.md
• docs/roadmap/phase-11-5-backlog.md
• forgelm/wizard.py
• forgelm/wizard/__init__.py
• forgelm/wizard/_byod.py
• forgelm/wizard/_collectors.py
• forgelm/wizard/_io.py
• forgelm/wizard/_orchestrator.py
• forgelm/wizard/_state.py
• site/js/wizard.js
• tests/test_phase12_5.py
• tests/test_wizard_phase11.py
• tests/test_wizard_phase22.py

💤 Files with no reviewable changes (1)

• forgelm/wizard.py

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Error message "must use \https://`"` is inconsistent with HTTP being accepted.

test_unknown_scheme_rejected (Line 89) asserts that ftp:// raises ValueError with the message "must use \https://`", but test_http_warning_but_accepted(Lines 92–96) showshttp://is silently accepted with only a warning. An operator who hits theftp://rejection would read the error as "only HTTPS is allowed", then be surprised to findhttp://works. The error message should reflect the actual acceptance rule — e.g.,"must use https:// or http://"`.

🐛 Suggested test correction to match the intended error message fix

     def test_unknown_scheme_rejected(self):
-        with pytest.raises(ValueError, match="must use `https://`"):
+        with pytest.raises(ValueError, match="must use `https://` or `http://`"):
             wizard._parse_webhook_value("ftp://example.com/hook")

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	def test_unknown_scheme_rejected(self):
	with pytest.raises(ValueError, match="must use `https://`"):
	wizard._parse_webhook_value("ftp://example.com/hook")
	def test_http_warning_but_accepted(self, capsys):
	section = wizard._parse_webhook_value("http://hooks.example.com/x")
	assert section == {"url": "http://hooks.example.com/x"}
	captured = capsys.readouterr().out
	assert "uses HTTP, not HTTPS" in captured
	def test_unknown_scheme_rejected(self):
	with pytest.raises(ValueError, match="must use `https://` or `http://`"):
	wizard._parse_webhook_value("ftp://example.com/hook")
	def test_http_warning_but_accepted(self, capsys):
	section = wizard._parse_webhook_value("http://hooks.example.com/x")
	assert section == {"url": "http://hooks.example.com/x"}
	captured = capsys.readouterr().out
	assert "uses HTTP, not HTTPS" in captured

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_wizard_phase22.py` around lines 88 - 96, The tests are
inconsistent: wizard._parse_webhook_value currently raises ValueError with "must
use `https://`" for unknown schemes while http:// is accepted with a warning;
update the ValueError text in wizard._parse_webhook_value to state the real rule
(e.g., "must use http:// or https://") and then update the test
test_unknown_scheme_rejected to expect that new message so the rejection for
ftp:// matches the acceptance behavior for http://; references: function
wizard._parse_webhook_value and test test_unknown_scheme_rejected.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

"not: valid: yaml: at: all" may be parsed as valid YAML, silently exercising version-mismatch rather than corrupt-data handling.

PyYAML parses not: valid: yaml: at: all as {"not": "valid: yaml: at: all"} (the first : starts a block mapping; the remainder is a scalar value). If the parser succeeds, _load_wizard_state returns None due to a version-mismatch check, not because the except yaml.YAMLError branch was reached. The corrupt-YAML code path goes untested.

Use a string that is unambiguously unparseable:

🛡️ Proposed fix

-        path.write_text("not: valid: yaml: at: all", encoding="utf-8")
+        # Tabs in block mappings are illegal in YAML; this guarantees a ScannerError.
+        path.write_text("key:\n\t- value", encoding="utf-8")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_wizard_phase22.py` around lines 299 - 304, The current test
test_load_returns_none_on_corrupt_snapshot uses a string that PyYAML can parse,
so update the written snapshot content to an unambiguously invalid YAML string
(e.g., an unbalanced bracket or a lone colon line) so the parser throws
yaml.YAMLError; keep using wizard._wizard_state_path() to create the file and
assert wizard._load_wizard_state() is None so the corrupt-YAML except branch is
exercised.

[cemililik]

Reviewer findings — resolution summary (HEAD: 9fe85df)

This thread accumulated automated review feedback from coderabbitai, gemini-code-assist, codacy, and sonarqube on the original Phase 22 commit (52b113d). The branch has since landed three follow-up commits that address every actionable finding plus the Independent Review of cycle-3 + F1.

Commit chain on this PR

Commit	Scope	Validation
52b113d	Phase 22 — CLI wizard parity-with-web modernisation (sub-package split + 25 review findings G1-G20 + I1-I5)	65 wizard tests
c0dd57a	Phase 22 review-cycle 1 — 18 PR-#40 review findings (commit msg + cycle-1 audit)	1544 passed
7d08bba	docs(changelog): cycle-1 documentation	(docs only)
9c32fe9	Phase 22 review-cycle 2 — 17 newly-discovered parity / UX gaps (P1-P18, B1-B3, C1-C2, D1-D2, E1, E4)	1573 passed
5667885	review-cycle 3 — 11 cycle-2 audit findings (A3, A4, F3, C16, G30, B11, C3, E2, E22-24, A9, F27, B10)	1573 passed
91d5726	F1 — schema-driven wizard defaults SOT (8 fields, generator + CI guard, Python + JS consumers)	1590 passed
9fe85df	review-cycle 3 follow-up — generator hardening (B1, B2, C2), state parity warning (B5), CI guard fail-path tests (G2), dispatcher test hardening (G3), README + docs (F3, A3, B7)	1597 passed

Per-comment status

coderabbitai (13 inline on 52b113d) — all addressed:

• MD030 list markers (docs/design/wizard_mode.md) → c0dd57a
• architecture.md wizard.py → wizard/ heading → c0dd57a
• shlex.quote BYOD shell hints → c0dd57a
• BYOD path validation → c0dd57a
• notify_on_start web-parity default → c0dd57a
• Article 9 strict-tier non-empty enforcement → c0dd57a
• Article 10 strict-tier non-empty enforcement → c0dd57a
• total_mem → total_memory → c0dd57a (note: cycle-2 audit verified the field was always total_memory; the "fix" was overcorrection — no functional bug existed)
• WizardBack restore prev_config → c0dd57a
• WizardReset re-loop instead of return → c0dd57a
• HTTP/HTTPS error message consistency → c0dd57a
• Safety probe path source-only env → resolved (probes file IS shipped at forgelm/safety_prompts/default_probes.jsonl)
• Corrupt YAML test → resolved (PyYAML actually raises ScannerError on the test string; cycle-2 verified)

gemini-code-assist (6 inline on 52b113d) — all addressed:

• Article 9 + 10 mandatory-field enforcement → c0dd57a
• risk_classification collected first → c0dd57a
• _prompt_choice negative-idx guard → c0dd57a
• Model-selection default_idx preservation → c0dd57a
• UTF-8 encoding for config files → c0dd57a

codacy + sonarqube summaries on 52b113d — current HEAD addresses everything they flagged in scope. Repo-wide bandit shows 0 HIGH severity in wizard sub-package; pre-existing B615 (HF Hub unpinned downloads) is project-wide and intentional, not in this PR's scope.

Independent Review of cycle-3 + F1 — top-5 follow-ups all in 9fe85df:

• B1: generator unwraps Optional[BaseModel]
• B2: PydanticUndefined identity comparison
• C2: JSON-serialisable contract documented
• B5: schema↔fallback drift WARNING
• G2: CI guard fail-path test (7 tests)
• G3: dispatcher test asserts model_validate
• A3, B7, F3: doc + cosmetic

Roadmap reshuffle (explicit)

• B4 (--wizard-from-yaml) — REMOVED from consideration. Politik çelişki ("config-driven is the identity") + B3 (non-tty refusal + quickstart hand-off) closed the gap.
• E3 (--wizard --start-from <yaml>) — bound to F1's metadata flags + JSON shape; deferred until needed.

Validation at HEAD 9fe85df

• ruff check + format clean (187 files)
• 9 doc guards green: bilingual_parity, anchor_resolution, cli_help_consistency, yaml_snippets, audit_event_catalog, library_api_doc, doc_numerical_claims, bilingual_code_blocks, wizard_defaults_sync (new)
• module_size: 6 grandfathered modules over warn-threshold; 0 over fail-threshold (1500)
• 1597 passed, 14 skipped (full pytest)
• bandit -ll repo-wide: 0 HIGH / 19 MEDIUM (all pre-existing B615 HF Hub unpinned, project-wide, intentional)
• forgelm --config config_template.yaml --dry-run green

Ready for human review.

[sonarqubecloud]

Quality Gate failed

Failed conditions
10 Security Hotspots
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE