release: development → main — Phase 22 wizard modernisation + site honesty pass-5

[cemililik]

Summary

Promotes 17 commits from development to main, covering two merged feature PRs, the working-memory documentation policy, and a release-preparation pass.

• PR feat(wizard): Phase 22 — CLI wizard parity with web + sub-package split #40 (Phase 22 wizard modernisation) — CLI wizard parity with the in-browser wizard, sub-package split (forgelm/wizard/), schema-driven defaults SOT (tools/generate_wizard_defaults.py + _defaults.json), idempotent re-run via --wizard-start-from <yaml>, and 5 review absorption cycles (PR-A through PR-E + 18 verified findings sweep).
• PR fix(site): pass-5 closure — site-vs-code honesty sweep + i18n parity #41 (site honesty pass-5) — Closed 11 CRITICAL + 10 HIGH + 9 MEDIUM + 7 LOW findings from the pass-4 site-vs-code audit. Brings de/fr/es/zh i18n to full parity (731 keys each, was 689) by translating the 42-key compliance/governance gap. Eliminates ghost YAML keys (compliance.config_hash, compliance.human_approval), ghost CLI flags (--model-card), and stale paths (forgelm/data_audit.py).
• Working-memory directories policy (commit 46d2518) — docs/marketing/ and docs/analysis/ are now strictly gitignored with zero exceptions; new tools/check_no_analysis_refs.py CI guard prevents public-tree citations into either directory.
• Release-prep refresh (commit ecf3dcc) — added after the initial PR description: nightly pip-audit --ignore-vuln CVE-2026-1839 stop-gap with documented rationale + remove-after condition (closes #37); CHANGELOG [Unreleased] rewritten in public-facing style (grouped by user-visible capability, no internal review-cycle / wave-N / round-N terminology); docs/roadmap.md + roadmap-tr.md add Phase 22 + site sweep rows; docs/roadmap/releases.md marks v0.5.5 as "Merged on main; PyPI tag deferred" and adds an "upcoming PyPI release" section that surfaces the 0.5.6 vs 0.6.0 version-slot decision for the maintainer.

What changed (high level)

• 17 commits, 88 files
• ~7283 insertions / ~8656 deletions (deletions dominated by the unversioning of 11 working-memory files under docs/analysis/)
• New CI guards: check_no_analysis_refs.py, check_wizard_defaults_sync.py, generate_wizard_defaults.py (generator), check_anchor_resolution.py hardening
• Expanded test coverage: tests/test_wizard_phase22.py (1759 new lines), updates to test_cli_phase10.py, test_phase12_5.py, test_wizard_phase11.py
• Wizard module: forgelm/wizard/ package split (orchestrator, state, collectors, BYOD, IO, defaults JSON)
• New CLI surface bits: --wizard-start-from, refreshed _exit_codes.py (EXIT_WIZARD_CANCELLED = 5), updated _parser.py
• pyproject.toml: package data inclusion for forgelm.wizard/_defaults.json
• .github/workflows/nightly.yml: --ignore-vuln CVE-2026-1839 flag added to the pip-audit step

Test plan

• All 14 documentation / parity / consistency CI guards pass on the development tip (verified during PR fix(site): pass-5 closure — site-vs-code honesty sweep + i18n parity #41 closure + post-ecf3dcc re-run)
• ruff check + format clean across forgelm/ tools/ tests/
• forgelm --config config_template.yaml --dry-run ✓
• PR feat(wizard): Phase 22 — CLI wizard parity with web + sub-package split #40 merged into development after 5 review cycles + independent verification
• PR fix(site): pass-5 closure — site-vs-code honesty sweep + i18n parity #41 merged after independent reviewer verdict + 4 inline-review absorption + i18n drift fix
• Codacy + SonarCloud Quality Gates passing on the development tip
• Two independent reviewer passes on this development→main PR — both APPROVE with NIT-level notes (no blockers)
• Final maintainer pass + tag-version decision (0.5.6 vs 0.6.0) before tag push

Notes

• No version bump in this PR. pyproject.toml stays at 0.5.5. The version-slot decision for the upcoming tagged release is documented in docs/roadmap/releases.md ("Next PyPI release") with rationale on each side.
• The CHANGELOG [Unreleased] section is the staging area for the upcoming PyPI release. Once the version-slot decision is made, the [Unreleased] header gets promoted to the chosen version (## [0.5.6] or ## [0.6.0]) with the release date, the version is bumped in pyproject.toml, and the tag push triggers publish.yml to PyPI.
• Sourcery's review on PR fix(site): pass-5 closure — site-vs-code honesty sweep + i18n parity #41 was skipped due to its 150K-character diff limit — this PR is much larger, so expect the same skip here.

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Interactive configuration wizard now supports idempotent reruns via --wizard-start-from, resumable state persistence across sessions, and 9-step guided flow with parity to in-browser wizard.
  • New wizard-cancellation exit code (5) distinguishes user-cancelled sessions from successful completion.
  • Cross-tab wizard synchronization enables state sharing across browser windows.

• Improvements

  • Windows platform support now documented across site and CLI.
  • Enhanced mobile wizard experience with scrollable YAML pane.
  • Exit code contract extended to include wizard-specific outcomes.

• Documentation

  • Quickstart guides expanded with detailed wizard step descriptions (multi-language).
  • Architecture and design documents updated to reflect modernized wizard structure.
  • CLI reference documentation includes new --wizard-start-from flag and exit codes.

[qodo-code-review]

ⓘ You've reached your Qodo monthly free-tier limit. Reviews pause until next month — upgrade your plan to continue now, or link your paid account if you already have one.

[sourcery-ai]

Sorry @cemililik, your pull request is larger than the review limit of 150000 diff characters

[coderabbitai]

Warning

Rate limit exceeded

@cemililik has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 16 minutes and 50 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 41b9c249-2fbf-479f-b443-70c16fc2abe0

📥 Commits

Reviewing files that changed from the base of the PR and between 2dce74e and 851f087.

📒 Files selected for processing (5)

• docs/design/wizard_mode.md
• forgelm/wizard/_byod.py
• forgelm/wizard/_collectors.py
• forgelm/wizard/_orchestrator.py
• tools/check_no_analysis_refs.py

📝 Walkthrough

Walkthrough

Phase 22 CLI wizard modernization: the monolithic forgelm/wizard.py is replaced by a forgelm/wizard/ package (orchestrator, collectors, I/O, state), schema-driven wizard defaults are generated and bundled, a CI guard ensures defaults sync, a new exit code EXIT_WIZARD_CANCELLED = 5 and --wizard-start-from flag enable idempotent runs, and docs/tests/site content updated to reflect a 9-step wizard and working‑memory policies.

Changes

Phase 22 CLI Wizard Refactor & Modernization

Layer / File(s)	Summary
Schema Markup forgelm/config.py	Tagged multiple fields with json_schema_extra={"wizard": True} so generator can extract schema-driven wizard defaults.
Core Wizard Package forgelm/wizard/__init__.py, forgelm/wizard/_io.py, forgelm/wizard/_state.py	Added forgelm.wizard subpackage: _io.py adds navigation tokens and prompting primitives; _state.py implements XDG-aware atomic snapshot persistence, migrations, step-diff helpers, and loads bundled defaults. __init__ re-exports public API for compatibility.
Wizard Collectors forgelm/wizard/_collectors.py	New centralized collectors for webhook, safety, trainer hyperparameters, RoPE scaling, GaLore, compliance (Article 9/10/11), retention/monitoring, evaluation, synthetic data, and use-case/strategy selection.
BYOD & Quickstart Prelude forgelm/wizard/_byod.py	BYOD helpers: dataset-path validation, optional directory ingestion, optional JSONL audit, and quickstart-template prelude that can bypass full wizard.
Step Machine Orchestrator forgelm/wizard/_orchestrator.py	Nine-step state-machine driver (welcome→use-case→model→strategy→trainer→dataset→training-params→compliance→evaluation) with strict-tier auto-coercion, back/reset handling, eager snapshot persistence, run_wizard_full(start_from=...) entry, validation-on-exit, overwrite-safe saving, and WizardOutcome.
Schema-Derived Defaults forgelm/wizard/_defaults.json, tools/generate_wizard_defaults.py	Generator walks ForgeConfig to collect wizard-flagged defaults and emits forgelm/wizard/_defaults.json and site/js/wizard_defaults.js (deterministic ordering, CI-friendly output).
Defaults Sync Guard tools/check_wizard_defaults_sync.py, tests/test_check_wizard_defaults_sync.py	CI guard regenerates defaults and diffs against committed JSON/JS; tests added to assert guard behavior on drift/missing targets and generator edge cases.
CLI Exit Code & Public Export forgelm/cli/_exit_codes.py, forgelm/cli/__init__.py	New public constant EXIT_WIZARD_CANCELLED = 5 added and re-exported; included in public exit-code set.
CLI Argument Parser forgelm/cli/_parser.py	New --wizard-start-from PATH flag documented and wired into parser.
CLI Wizard Dispatcher forgelm/cli/_wizard.py	Dispatcher now calls run_wizard_full(start_from=...) and handles WizardOutcome: exit 5 on cancellation, set args.config and continue if start_training, or exit 0 for YAML-only completion.
Packaging & Asset Bundling pyproject.toml	Bundled forgelm.wizard/_defaults.json as package data for wheel distributions.
Web Wizard Parity site/js/wizard.js, site/js/wizard_defaults.js	Browser wizard updated to 9-step flow; reads window.WIZARD_DEFAULTS via wd() helper; emits model.max_length, extended safety block, new inputs; cross-tab state sync via storage events; new generated wizard_defaults.js.
Mobile CSS Responsive site/css/style.css	Clamped .wizard-yaml-output to max-height: 38vh with overflow:auto for mobile YAML accordion.
Code Quality & CI Config .codacy.yaml, .github/workflows/nightly.yml, .markdownlint.json	Added Codacy exclusions for generated files, updated nightly pip-audit invocation to ignore CVE-2026-1839 (with comments), and disabled MD013 (line-length) in markdownlint.
Working-Memory Policy & Guards .gitignore, tools/check_no_analysis_refs.py, tools/check_yaml_snippets.py, tools/check_anchor_resolution.py	Simplified .gitignore to docs/marketing/ and docs/analysis/; added tools/check_no_analysis_refs.py to fail CI on public-tree references into gitignored working-memory directories; updated other tools to skip these directories consistently.
Docs: Architecture, Design, Standards docs/*	Rewrote architecture/design docs to show wizard/ package and 9-step flow; added working-memory rules to documentation standards; updated exit-code contracts and human-approval key to evaluation.require_human_approval.
Site Content & Examples site/*.html	Updated site pages (index, quickstart, features, compliance, contact, privacy, terms) to reflect 9-step wizard, defaults asset inclusion, Windows OS disclosure, updated compliance mappings and config example.
Analysis Docs Cleanup docs/analysis/code_reviews/*.md	Removed multiple legacy multi-agent review prompt/report files from docs/analysis/code_reviews/.
Changelog & Release Notes CHANGELOG.md, docs/roadmap/releases.md, CLAUDE.md	Expanded [Unreleased] with Phase 22 changes and fixes; documented v0.5.5 merged with deferred PyPI tag and next-release bundle; added check_wizard_defaults_sync.py to verification steps; strengthened docs/analysis/ usage rules.
Tests & Test Fixtures tests/test_wizard_phase22.py, tests/test_cli_phase10.py, tests/test_phase12_5.py, tests/test_wizard_phase11.py, tests/conftest.py	Large Phase 22 test suite (coverage: webhook parsing, safety probes, navigation tokens, hyperparams, strict-tier coercion, XDG persistence, step diffs, schema validation, preflight checklist, migration skeleton, PR‑D regressions). CLI tests updated to assert WizardOutcome handling; conftest autouse fixture isolates XDG cache for wizard tests.
Supporting Tools tools/*, README.md	Added generator and checker tools; README updated to show wizard/ sub-package and bundled _defaults.json.

Sequence Diagram(s)

sequenceDiagram
participant User as User (tty)
participant CLI as forgelm CLI
participant Orch as wizard Orchestrator
participant State as XDG Wizard State
participant Trainer as Training Pipeline

User->>CLI: forgelm --wizard [--wizard-start-from path]
CLI->>Orch: run_wizard_full(start_from=path)
Orch->>State: _load_wizard_state() / load start_from YAML
Orch->>User: prompt steps (welcome → ... → evaluation)
User->>Orch: answers / navigation tokens
Orch->>State: _save_wizard_state() after each step (atomic write)
alt cancelled / non-tty / decline-to-save
Orch-->>CLI: WizardOutcome(cancelled=True)
CLI->>User: exit with EXIT_WIZARD_CANCELLED (5)
else produced YAML (maybe start_training)
Orch->>State: _save_config_to_file()
Orch-->>CLI: WizardOutcome(config_path, start_training)
CLI->>Trainer: if start_training True, set args.config and run pipeline
CLI->>User: exit with EXIT_SUCCESS (0)
end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~55 minutes

Possibly related PRs

• cemililik/ForgeLM#40: Implements the same Phase‑22 CLI wizard refactor (forgelm/wizard.py → forgelm/wizard/ sub-package), including orchestrator, state, collectors, tooling, and tests.
• cemililik/ForgeLM#38: Overlaps heavily with Phase‑22 wizard changes (exit-code, --wizard-start-from, defaults generator, site/docs updates).
• cemililik/ForgeLM#9: Related earlier work on the interactive wizard/quickstart integration and package-level wiring.

"Nine steps to config delight,
Snapshots rescued from Ctrl‑C's bite,
Schema defaults synced and true,
Windows welcome (and macOS too!),
Wizard state persists the night." 🐰✨

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch development

[codacy-production]

Not up to standards ⛔

🔴 Issues 5 high · 2 medium · 2 minor

Alerts:
⚠ 9 issues (≤ 0 issues of at least minor severity)

Results:
9 new issues

Category	Results
BestPractice	1 minor
ErrorProne	5 high
Security	2 medium 1 minor

View in Codacy

🟢 Metrics 709 complexity · 2 duplication

Metric	Results
Complexity	709
Duplication	2

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[gemini-code-assist]

Code Review

This pull request modernizes the interactive configuration wizard by splitting it into a sub-package, aligning it with the web-based wizard, and introducing an idempotent re-run feature via the --wizard-start-from flag. It also implements strict CI guards to prevent documentation drift and references to gitignored working-memory directories. Feedback identifies a logic flaw in the idempotent re-run flow where previously enabled features, such as auto-revert or safety evaluation, cannot be disabled through the prompts. Improvements are also suggested for ensuring atomic writes of the final configuration file and gating the training start prompt on successful schema validation of the generated YAML.

[gemini-code-assist]

The logic for auto_revert in an idempotent re-run is flawed. If auto_revert was previously enabled (auto_revert_default is True) and the operator answers "no" to the prompt, the if block is skipped and the elif block is also skipped (because not auto_revert_default is False). Since evaluation is a deepcopy of the existing config, auto_revert remains True, ignoring the operator's choice to disable it. To fix this, explicitly remove the keys if the user answers "no".

    if _prompt_yes_no(
        "Enable auto-revert (discard model if quality drops)?",
        default=auto_revert_default,
    ):
        evaluation["auto_revert"] = True
        existing_max_loss = existing_evaluation.get("max_acceptable_loss")
        # P14: when auto-revert is on but no explicit threshold is given,
        # emit the web wizard's safe ``2.0`` default rather than leaving
        # the field unset.  Mirrors ``site/js/wizard.js:163`` so the
        # two surfaces produce equivalent YAMLs for the same answers.
        prompt_default = str(existing_max_loss) if existing_max_loss is not None else ""
        max_loss = _prompt("Max acceptable loss (leave empty for default 2.0)", prompt_default)
        if max_loss.strip():
            try:
                evaluation["max_acceptable_loss"] = float(max_loss)
            except ValueError:
                _print(f"  '{max_loss}' is not a number; using default 2.0.")
                evaluation["max_acceptable_loss"] = 2.0
        else:
            evaluation["max_acceptable_loss"] = 2.0
    else:
        evaluation.pop("auto_revert", None)
        evaluation.pop("max_acceptable_loss", None)

[gemini-code-assist]

As noted above, if the operator answers "no" to the safety evaluation prompt, the existing safety block should be removed from the configuration to allow disabling the feature during an idempotent re-run.

Suggested change

	if safety:
	evaluation["safety"] = safety
	if safety:
	evaluation["safety"] = safety
	else:
	evaluation.pop("safety", None)

[gemini-code-assist]

As noted above, if the operator answers "no" to the benchmark evaluation prompt, the existing benchmark block should be removed from the configuration.

Suggested change

	if benchmark:
	evaluation["benchmark"] = benchmark
	if benchmark:
	evaluation["benchmark"] = benchmark
	else:
	evaluation.pop("benchmark", None)

[gemini-code-assist]

As noted above, if the operator answers "no" to the LLM-as-Judge prompt, the existing llm_judge block should be removed from the configuration.

Suggested change

	evaluation["llm_judge"] = judge
	if evaluation:
	if judge:
	evaluation["llm_judge"] = judge
	else:
	evaluation.pop("llm_judge", None)

[gemini-code-assist]

The final configuration file is saved using a direct open(..., "w") call, which is not atomic. If the wizard is overwriting an existing config (supported via --wizard-start-from) and the write fails (e.g., disk full, power loss), the original file will be corrupted or lost. Consider using the same atomic write pattern (temp file + os.replace) implemented in _save_wizard_state to ensure the integrity of the operator's configuration files.

[gemini-code-assist]

Most section collectors (like _collect_monitoring, _collect_retention, _collect_benchmark, etc.) do not accept existing values from the loaded configuration. When an operator iterates on an existing config via --wizard-start-from and chooses to reconfigure a section, they are forced to re-type every field from scratch because the prompts use hardcoded defaults. To improve the UX of idempotent re-runs, these collectors should accept an existing dictionary and use its values as prompt defaults, mirroring the pattern used in _collect_data_governance.

[gemini-code-assist]

The "Start training now?" prompt is offered even if the generated configuration fails schema validation. Since ForgeConfig validation failures are fatal for the trainer, starting a run with an invalid config is guaranteed to fail. Consider making _validate_generated_config return a boolean and using it to gate the training start prompt.

Suggested change

	_validate_generated_config(config_filename)
	_clear_wizard_state()
	if _prompt_yes_no("Start training now?", default=False):
	valid = _validate_generated_config(config_filename)
	_clear_wizard_state()
	if valid and _prompt_yes_no("Start training now?", default=False):

[gemini-code-assist]

Change the return type to bool to allow the caller to gate training start on successful validation.

Suggested change

	def _validate_generated_config(config_filename: str) -> None:
	def _validate_generated_config(config_filename: str) -> bool:

[gemini-code-assist]

Return False on validation failure and True on success.

Suggested change

	_print(" ✓ Schema validation passed.")
	return False
	_print(" ✓ Schema validation passed.")
	return True

[coderabbitai]

Actionable comments posted: 16

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

docs/usermanuals/en/reference/cli.md (1)

205-214: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing exit code 5 documentation — bilingual parity violation.

The Turkish CLI reference (docs/usermanuals/tr/reference/cli.md line 210) documents exit code 5 (wizard cancelled), but this English version does not include it in the exit codes table. As per coding guidelines, user-facing docs must be bilingual mirrors.

➕ Proposed fix: Add exit code 5 to the table

 | 3 | Auto-revert / regression |
 | 4 | Awaiting human approval (training pipeline) |
+| 5 | Wizard cancelled | `forgelm --wizard` exited without writing YAML (Ctrl+C, non-tty rejection, save refusal) — distinct from `0` so CI can distinguish "wizard completed" from "wizard wrote nothing" |
 | 130 | User interrupted (Ctrl+C) |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/usermanuals/en/reference/cli.md` around lines 205 - 214, The English CLI
exit codes table is missing exit code 5 present in the Turkish version; update
the table in docs/usermanuals/en/reference/cli.md to include a new row for "5 |
Wizard cancelled" (matching the Turkish description) so both language docs
remain in parity; ensure the new entry follows the same table formatting and
update the "See [Exit Codes]" reference only if needed.

docs/usermanuals/tr/reference/exit-codes.md (1)

113-113: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Bilingual parity issue — compatibility range not updated.

The compatibility guarantee still states "Exit kodları 0-4" (exit codes 0-4) but should be "0-5" to match the English version and include the newly documented exit code 5. The English version (line 113 in docs/usermanuals/en/reference/exit-codes.md) correctly states "Exit codes 0-5 are stable."

📝 Proposed fix

-Exit kodları 0-4 sürümler arası kararlıdır. Yeni kodlar eklenebilir (5, 6, …) ama mevcutların semantiği değişmez.
+Exit kodları 0-5 sürümler arası kararlıdır. Yeni kodlar eklenebilir (6, 7, …) ama mevcutların semantiği değişmez.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/usermanuals/tr/reference/exit-codes.md` at line 113, The Turkish text
still reads "Exit kodları 0-4" but must match the English doc and include the
new stable code 5; update the sentence containing "Exit kodları 0-4" to "Exit
kodları 0-5" (preserve the rest of the sentence and punctuation) so the
bilingual parity and the documented compatibility range align with the English
version.

🧹 Nitpick comments (1)

tools/check_no_analysis_refs.py (1)

144-144: 💤 Low value

Optional: simplify set comprehension.

The comprehension {p for p in files} can be simplified to set(files) for better readability, as flagged by SonarCloud.

♻️ Proposed refactor

-        return sorted({p for p in files})
+        return sorted(set(files))

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/check_no_analysis_refs.py` at line 144, Replace the set comprehension
in the return of the function that currently uses "sorted({p for p in files})"
with "sorted(set(files))" to improve readability; locate the return statement in
tools/check_no_analysis_refs.py (the line returning sorted({p for p in files}))
and change it to use set(files) instead of the comprehension.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Around line 9-16: Update the CHANGELOG entry to soften the claim about CLI/web
parity: replace "same 9-step flow as the in-browser wizard" with wording like
"same nine user-visible stages and same generated YAML" (or similar) and note
that internal step IDs/trainer–model order may differ as documented in
forgelm/wizard/_orchestrator.py; ensure the sentence about the wizard module
split remains but remove the stronger parity wording.
- Around line 108-119: Replace the explicit mentions of the gitignored paths
'docs/marketing/' and 'docs/analysis/' in the CHANGELOG entry with the generic
term "working-memory directories"; update the sentence that currently reads
those paths to instead read something like "working-memory directories
(gitignored) are now strictly ignored..." and keep the rest of the paragraph
intact, ensuring any subsequent references (e.g.,
`docs/standards/documentation.md`, `tools/check_no_analysis_refs.py`, `_EXEMPT`)
remain unchanged.

In `@docs/design/wizard_mode.md`:
- Around line 15-16: The doc introduces a new public exit code symbol
EXIT_WIZARD_CANCELLED = 5 which violates the repository's public exit-code
contract (0–4); either remove or mark EXIT_WIZARD_CANCELLED as internal/private
(not part of the public contract) and revert public documentation to the
approved contract, or update the central contract docs in
docs/standards/error-handling.md to include the new code and ensure all
wrappers/CI are updated; locate usages/definitions of EXIT_WIZARD_CANCELLED and
the wizard_mode.md text and either change the symbol to an internal-only
constant or coordinate a contract update in the standards document to keep the
public API consistent.
- Around line 47-105: The documentation's implemented flow for
forgelm/wizard::run_wizard is out of sync with site/js/wizard.js; update the
steps in docs/design/wizard_mode.md to match the browser order (welcome →
use-case → trainer → model → dataset → training → compliance → operations →
review), remove the standalone Strategy step or explicitly note its relocation
into Model/Training UI, and add the missing Review step and any moved Trainer
details so the text and the listed step numbers/names align exactly with
site/js/wizard.js (reference run_wizard, Strategy, Trainer, and the
Review/Operations step names when editing).

In `@docs/reference/architecture-tr.md`:
- Around line 148-149: The heading "### `wizard/`" is missing the required blank
line after it; insert a single blank line immediately after the `### `wizard/``
heading so the following paragraph (starting with "Etkileşimli CLI
sihirbazı...") is separated as per docs/standards and markdownlint MD022
expectations.

In `@docs/reference/architecture.md`:
- Around line 148-149: Missing blank line before the "### `wizard/`" heading;
add a single empty line immediately above the "### `wizard/`" heading in
docs/reference/architecture.md so the markdown linter recognizes the heading
separation and preserves readability (locate the "### `wizard/`" heading text
and insert one blank line directly before it).

In `@forgelm/cli/_exit_codes.py`:
- Around line 15-31: Remove EXIT_WIZARD_CANCELLED from the public contract: keep
the constant (EXIT_WIZARD_CANCELLED) for internal use but do not include it in
the _PUBLIC_EXIT_CODES frozenset so the public contract remains 0–4; update the
nearby comment to note that EXIT_WIZARD_CANCELLED is internal-only and not part
of the exported contract, and ensure only EXIT_SUCCESS, EXIT_CONFIG_ERROR,
EXIT_TRAINING_ERROR, EXIT_EVAL_FAILURE, and EXIT_AWAITING_APPROVAL remain in
_PUBLIC_EXIT_CODES.

In `@forgelm/wizard/_byod.py`:
- Around line 351-355: The printed follow-up shell commands use quickstart_path
unquoted which will break when the path contains spaces; update the two _print
calls that display the suggested commands (the ones referencing quickstart_path
and the "Running: forgelm --config ..." / "forgelm --config ..." messages) to
wrap/quote the quickstart_path (e.g., with single quotes) so the printed
commands are valid shell invocations even when quickstart_path contains spaces.

In `@forgelm/wizard/_collectors.py`:
- Around line 343-367: Collectors like _collect_rope_scaling currently overwrite
any existing advanced settings by always recomputing defaults; change them to
preserve loaded values unless the user explicitly chooses to recompute: in
_collect_rope_scaling check for an existing rope_scaling value (or accept an
optional existing parameter), if present show it and prompt "Keep existing RoPE
scaling?" (default yes) and return the existing dict if the user keeps it,
otherwise only then compute new rope_factor and type; apply the same pattern to
the GaLore-related collectors referenced at 394-412 (check for existing galore_*
tuning, prompt to keep vs recompute, and only compute defaults when creating new
or when user confirms recompute).
- Around line 258-335: The _collect_trainer_hyperparameters helper currently
always uses schema literals as prompt defaults, which causes reruns started from
an existing config to overwrite prior per-trainer knobs; change
_collect_trainer_hyperparameters to accept an optional existing TrainingConfig
(or plain dict) and use its trainer-specific fields as the prompt defaults
(e.g., use existing.dpo_beta, simpo_gamma, kto_beta, orpo_beta,
grpo_num_generations, grpo_max_completion_length, grpo_reward_model) instead of
the hard-coded numbers/strings, and update the caller (_step_trainer) to pass
the loaded config when available so Enter preserves prior values.
- Around line 200-250: The helper _collect_safety_config currently rebuilds the
safety block with hardcoded defaults and overwrites loaded settings; change it
to accept an optional existing_safety: Optional[Dict[str, Any]] parameter
(seeded from _step_evaluation) and use existing_safety values as the defaults
for prompts (e.g., classifier default, test_prompts default, scoring default,
max_safety_regression default, min_safety_score/min_classifier_confidence, and
severity_thresholds), and when a prompt returns empty/unchanged preserve the
existing field instead of replacing it; ensure you only add new keys when the
user explicitly provides new values and keep existing
track_categories/severity_thresholds if not modified.

In `@forgelm/wizard/_orchestrator.py`:
- Around line 1015-1018: The call to _validate_generated_config(config_filename)
currently only logs errors so the flow still prompts to start training even when
validation failed; change _validate_generated_config to return a boolean success
flag (True on valid, False on invalid) and update the caller in the block around
_validate_generated_config, _clear_wizard_state, and _prompt_yes_no so it checks
the returned flag and skips the prompt/short-circuits the immediate training
branch when validation returned False (i.e., only call _prompt_yes_no("Start
training now?", default=False) and print the forgelm command when
_validate_generated_config(...) returned success).

In `@site/js/wizard.js`:
- Around line 2026-2030: The new wizard row uses hard-coded English strings for
the label and hint (created in maxLengthRow via el(..., text: 'Max sequence
length') and el(..., text: 'Tokens per training example...')), so wrap those
strings with the translation helper (tr(...)) like the other wizard fields and
add corresponding keys/entries to the locales file(s) used by the wizard
training UI; update the label and hint usages (referencing maxLengthRow and
maxLengthInput) to use the new locale keys to ensure proper translation.
- Around line 1244-1278: The storage handler must treat e.newValue === null
(remote reset/delete) as an explicit reset: inside the
window.addEventListener('storage', ...) callback (the block that checks e.key
!== STORAGE_KEY and uses loadState(), state, and render()), detect if e.newValue
=== null and in that case clear the in-memory state object (delete all keys from
state), set any derived state to its empty/default form if applicable, then call
render() so the visible wizard reflects the reset; keep the existing try/catch
and console.warn behavior for other errors and still return early when modal has
'hidden'.

In `@tests/test_wizard_phase22.py`:
- Around line 1592-1611: The test test_auto_revert_default_reflects_existing
currently uses a non-specific assertion that will always pass; update it to
assert the exact expected outcome after operator explicitly answers "no" to
auto-revert: replace the loose check on
state.config["evaluation"].get("auto_revert") in (True, False) with a precise
assertion that the value is False (e.g., assert
state.config["evaluation"].get("auto_revert") is False) so that the behavior of
_WizardState/config after wizard._orchestrator._step_evaluation is properly
verified.

In `@tools/check_anchor_resolution.py`:
- Around line 327-333: The help text promises that passing "--exclude ''" will
scan everything but _resolve_excludes currently filters out empty values and
thus falls back to the default excludes; update _resolve_excludes so that it
distinguishes "no --exclude given" (keep defaults) from " --exclude given with
an explicit empty string" (treat as an explicit override to use an empty exclude
set), i.e. stop dropping empty-string entries when the user explicitly provided
excludes and return an empty set in that case; key symbol: _resolve_excludes.

---

Outside diff comments:
In `@docs/usermanuals/en/reference/cli.md`:
- Around line 205-214: The English CLI exit codes table is missing exit code 5
present in the Turkish version; update the table in
docs/usermanuals/en/reference/cli.md to include a new row for "5 | Wizard
cancelled" (matching the Turkish description) so both language docs remain in
parity; ensure the new entry follows the same table formatting and update the
"See [Exit Codes]" reference only if needed.

In `@docs/usermanuals/tr/reference/exit-codes.md`:
- Line 113: The Turkish text still reads "Exit kodları 0-4" but must match the
English doc and include the new stable code 5; update the sentence containing
"Exit kodları 0-4" to "Exit kodları 0-5" (preserve the rest of the sentence and
punctuation) so the bilingual parity and the documented compatibility range
align with the English version.

---

Nitpick comments:
In `@tools/check_no_analysis_refs.py`:
- Line 144: Replace the set comprehension in the return of the function that
currently uses "sorted({p for p in files})" with "sorted(set(files))" to improve
readability; locate the return statement in tools/check_no_analysis_refs.py (the
line returning sorted({p for p in files})) and change it to use set(files)
instead of the comprehension.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5ea8c55e-ca8f-4526-b5b7-c65350c8e168

📥 Commits

Reviewing files that changed from the base of the PR and between ba8ffce and ecf3dcc.

📒 Files selected for processing (88)

• .claude/skills/cut-release/SKILL.md
• .claude/skills/sync-bilingual-docs/SKILL.md
• .codacy.yaml
• .github/workflows/nightly.yml
• .gitignore
• .markdownlint.json
• CHANGELOG.md
• CLAUDE.md
• README.md
• docs/analysis/code_reviews/closure-plan-202604300906.md
• docs/analysis/code_reviews/foundation-pr-review-prompt.md
• docs/analysis/code_reviews/ghost-features-analysis-20260502.md
• docs/analysis/code_reviews/master-review-opus-202604300906.md
• docs/analysis/code_reviews/wave2a-round2-review-prompt.md
• docs/analysis/code_reviews/wave2b-final-merge-review-prompt.md
• docs/analysis/code_reviews/wave3-followup-review-prompt.md
• docs/analysis/code_reviews/wave3-review-prompt.md
• docs/analysis/code_reviews/wave4-followup-review-prompt.md
• docs/analysis/code_reviews/wave4-review-prompt.md
• docs/analysis/code_reviews/wave5-review-prompt.md
• docs/design/data_audit_cli_split.md
• docs/design/gdpr_erasure.md
• docs/design/iso27001_soc2_alignment.md
• docs/design/wizard_mode.md
• docs/guides/quickstart-tr.md
• docs/guides/quickstart.md
• docs/product_strategy-tr.md
• docs/product_strategy.md
• docs/reference/architecture-tr.md
• docs/reference/architecture.md
• docs/reference/usage-tr.md
• docs/reference/usage.md
• docs/roadmap-tr.md
• docs/roadmap.md
• docs/roadmap/phase-11-5-backlog.md
• docs/roadmap/phase-12-6-closure-cycle.md
• docs/roadmap/phase-12-data-curation-maturity.md
• docs/roadmap/releases.md
• docs/standards/architecture.md
• docs/standards/coding.md
• docs/standards/documentation.md
• docs/standards/localization.md
• docs/usermanuals/en/compliance/gdpr.md
• docs/usermanuals/en/compliance/human-approval-gate.md
• docs/usermanuals/en/reference/cli.md
• docs/usermanuals/en/reference/exit-codes.md
• docs/usermanuals/tr/compliance/gdpr.md
• docs/usermanuals/tr/compliance/human-approval-gate.md
• docs/usermanuals/tr/reference/cli.md
• docs/usermanuals/tr/reference/exit-codes.md
• forgelm/cli/__init__.py
• forgelm/cli/_exit_codes.py
• forgelm/cli/_parser.py
• forgelm/cli/_wizard.py
• forgelm/config.py
• forgelm/wizard.py
• forgelm/wizard/__init__.py
• forgelm/wizard/_byod.py
• forgelm/wizard/_collectors.py
• forgelm/wizard/_defaults.json
• forgelm/wizard/_io.py
• forgelm/wizard/_orchestrator.py
• forgelm/wizard/_state.py
• pyproject.toml
• site/compliance.html
• site/contact.html
• site/css/style.css
• site/features.html
• site/guide.html
• site/index.html
• site/js/translations.js
• site/js/wizard.js
• site/js/wizard_defaults.js
• site/privacy.html
• site/quickstart.html
• site/terms.html
• tests/conftest.py
• tests/test_check_bilingual_parity.py
• tests/test_check_wizard_defaults_sync.py
• tests/test_cli_phase10.py
• tests/test_phase12_5.py
• tests/test_wizard_phase11.py
• tests/test_wizard_phase22.py
• tools/check_anchor_resolution.py
• tools/check_no_analysis_refs.py
• tools/check_wizard_defaults_sync.py
• tools/check_yaml_snippets.py
• tools/generate_wizard_defaults.py

💤 Files with no reviewable changes (12)

• docs/analysis/code_reviews/wave3-followup-review-prompt.md
• docs/analysis/code_reviews/ghost-features-analysis-20260502.md
• docs/analysis/code_reviews/wave4-followup-review-prompt.md
• docs/analysis/code_reviews/wave2a-round2-review-prompt.md
• docs/analysis/code_reviews/foundation-pr-review-prompt.md
• docs/analysis/code_reviews/master-review-opus-202604300906.md
• docs/standards/localization.md
• docs/analysis/code_reviews/wave3-review-prompt.md
• docs/analysis/code_reviews/wave5-review-prompt.md
• forgelm/wizard.py
• docs/analysis/code_reviews/wave2b-final-merge-review-prompt.md
• docs/analysis/code_reviews/wave4-review-prompt.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Don't introduce a new public exit code here without updating the contract.

This doc advertises EXIT_WIZARD_CANCELLED = 5, but the repo’s public exit-code contract is still 0/1/2/3/4. Unless that contract changed in the same release, this is a compatibility break for wrappers and CI that only handle the documented range. As per coding guidelines, "Error paths must follow docs/standards/error-handling.md with exit codes 0/1/2/3/4 as a public contract".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/design/wizard_mode.md` around lines 15 - 16, The doc introduces a new
public exit code symbol EXIT_WIZARD_CANCELLED = 5 which violates the
repository's public exit-code contract (0–4); either remove or mark
EXIT_WIZARD_CANCELLED as internal/private (not part of the public contract) and
revert public documentation to the approved contract, or update the central
contract docs in docs/standards/error-handling.md to include the new code and
ensure all wrappers/CI are updated; locate usages/definitions of
EXIT_WIZARD_CANCELLED and the wizard_mode.md text and either change the symbol
to an internal-only constant or coordinate a contract update in the standards
document to keep the public API consistent.

[cemililik]

Both review verdicts (APPROVE with NITs) absorbed. Single concrete action taken:

§1 / §5 NIT — PR description undercount (16 → 17 commits, 4th bucket missing). PR description updated to reflect:

• 17 commits, 88 files, ~7283 insertions / ~8656 deletions
• Added 4th bucket entry for ecf3dcc chore(release-prep): nightly CVE ignore + CHANGELOG/roadmap refresh (the post-prompt commit landing the issue #37 stop-gap and the public-facing CHANGELOG/roadmap rewrite)

Other findings — no action needed (confirmed by both reviewers as non-blocking):

• §3 (reviewer 1) — pytest subset coverage threshold. Pre-existing on origin/main (the --cov-fail-under=40 floor in pyproject.toml applies globally; subset runs naturally fall under it). Full pytest tests/ passes the floor cleanly. Not a regression.
• §5 (reviewer 1) — PR fix(site): pass-5 closure — site-vs-code honesty sweep + i18n parity #41 follow-up commits without dedicated CHANGELOG bullets. Per the prompt's own guidance, follow-up fixes to a parent feature already documented in CHANGELOG are acceptable as un-bulleted. The site-honesty work is captured under the "Site copy now matches the live code surface" entry in [Unreleased] → ### Changed.

Both reviewers explicitly recommend APPROVE / merge. No blockers.

[cemililik]

External-scanner verdict — both Quality Gates fail on pre-existing intentional fixtures

Cross-checked the failing scanner outputs against the silencing baseline established in 40120d8 chore(scanners): silence Codacy + SonarCloud false positives (the commit that audited PR #40's scanner findings).

SonarCloud — all 10 hotspots verified pre-existing false positives

Fetched via the SonarCloud hotspot API. Every entry is LOW severity and lives in test files where the literal IS the test's load-bearing assertion:

tests/test_wizard_phase22.py:90    LOW  ftp://...     (test_unknown_scheme_rejected — verifies SSRF rejection)
tests/test_wizard_phase22.py:93-94 LOW  http://...    (test_http_warning_but_accepted — wizard parser surface)
tests/test_wizard_phase22.py:830   LOW  169.254.169.254 (TestWebhookSSRFPreflight — IMDS rejection)
tests/test_wizard_phase22.py:834   LOW  10.0.0.5      (TestWebhookSSRFPreflight — RFC1918 rejection)
tests/test_wizard_phase22.py:924   LOW  tmp_path      (pytest stdlib fixture)
tests/test_wizard_phase22.py:929   LOW  tmp_path      (pytest stdlib fixture)
tests/test_cli_phase10.py:383      LOW  tmp_path      (pytest stdlib fixture)
tests/test_cli_phase10.py:422      LOW  tmp_path      (pytest stdlib fixture)
tests/test_cli_phase10.py:425      LOW  tmp_path      (pytest stdlib fixture)

These are the exact 8 patterns documented as Safe / Reviewed in 40120d8 for PR #40, plus 2 additional tmp_path lines in test_cli_phase10.py that follow the same documented-as-safe pattern. Suppressing them in code would either disable the SonarCloud rule project-wide (loses signal on production code) or add inline comments that confuse the test-source-as-spec pattern.

The Safe / Reviewed marks made on PR #40's SonarCloud view do not transfer automatically to PR #42's view — that's a SonarCloud cross-PR artefact, not a code regression. Suggested action: re-mark as Safe on the PR #42 dashboard (one-click per hotspot) or set a per-folder rule exemption for tests/.

Codacy — 10 issues (5 high · 2 medium · 3 minor)

Codacy doesn't expose an unauthenticated PR-issue API. From the categorical breakdown (5 ErrorProne · 2 Security medium · 1 Security minor · 1 BestPractice · 1 Comprehensibility), and given:

• All 7 Codacy HIGH findings from PR feat(wizard): Phase 22 — CLI wizard parity with web + sub-package split #40 were silenced in-tree in 40120d8 — the markers are still present on the development tip:
  • 5× # noqa: F401 -- re-export for tests in forgelm/wizard/__init__.py:62, 75, 103, 122, 151
  • 1× # nosec B105 -- enum-style discriminator in forgelm/wizard/_collectors.py:713
  • .codacy.yaml excludes site/js/wizard_defaults.js + forgelm/wizard/_defaults.json (generated artefacts)
  • .markdownlint.json disables MD013 for prose docs
• PR fix(site): pass-5 closure — site-vs-code honesty sweep + i18n parity #41 (against development, same code as PR release: development → main — Phase 22 wizard modernisation + site honesty pass-5 #42's head) was green on Codacy — implying the in-tree silencing IS working on a per-PR basis when the diff base already contains the silencing context.

PR #42's 5 high is most likely the same class of findings re-rendered against a baseline (main) that lacks the silencing context. The in-tree markers will land on main once the merge happens, so the main branch's continuous-scan view will go green after merge.

If any of the 10 Codacy issues is a genuinely new pattern (i.e. something that landed in a commit other than 40120d8's domain), please share the dashboard list and I'll triage each one in-tree.

Verdict

• All other checks green: ruff ✓, ruff format ✓, all 4 test-matrix Python versions ✓, lint ✓, validate ✓, CodeRabbit ✓, 14 internal CI guards ✓, dry-run ✓.
• Two human-style review verdicts above both recommend APPROVE with NIT-level notes only.
• mergeable: MERGEABLE; only blocker is the Quality Gate state, which is the documented cross-PR scanner-view artefact.

No code-level action recommended. Maintainer call: re-mark Safe on SonarCloud's PR #42 view, or merge with the failing Quality Gate on the rationale that the underlying findings are documented + intentional.

[cemililik]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (4)

docs/design/wizard_mode.md (1)

8-8: 💤 Low value

Remove blank lines inside blockquotes to fix markdown lint warnings.

Multiple linters flag blank lines inside blockquotes (MD028). While this doesn't affect functionality, it breaks markdown formatting conventions.

📝 Proposed fix

Remove the blank line at line 8 (between the two blockquote paragraphs in the status note) and line 19 (between the review-cycle 2 and PR-D blockquote paragraphs), or break them into separate blockquote blocks if the visual separation is intentional.

Also applies to: 19-19

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/design/wizard_mode.md` at line 8, Remove the blank lines inside
blockquotes that trigger MD028: in the "status note" blockquote (between the two
quote paragraphs) and in the blockquote containing "review-cycle 2" and "PR-D"
(the blank line between those quote paragraphs); either delete those empty lines
so the paragraphs remain in a single blockquote or split them into separate
blockquote blocks if intentional spacing is desired, ensuring the blockquote
markers (">") directly precede each paragraph line.

forgelm/wizard/_collectors.py (1)

619-637: 💤 Low value

Extract Article 10 prompt strings to reduce duplication.

The same prompt strings appear three times each in the strict vs non-strict branches. Extracting them as module-level constants improves maintainability.

♻️ Proposed extraction

+_ARTICLE_10_COLLECTION_METHOD = "Article 10(2)(b): how was data collected?"
+_ARTICLE_10_ANNOTATION = "Article 10(2)(b): annotation methodology"
+_ARTICLE_10_BIASES = "Article 10(2)(f): known_biases"
+
 def _collect_data_governance(
     ...
     if mandatory:
         ...
         collection_method = (
-            _prompt("Article 10(2)(b): how was data collected?", existing["collection_method"])
+            _prompt(_ARTICLE_10_COLLECTION_METHOD, existing["collection_method"])
             if existing.get("collection_method")
-            else _prompt_required("Article 10(2)(b): how was data collected?")
+            else _prompt_required(_ARTICLE_10_COLLECTION_METHOD)
         )
         # ... similar for annotation_process and known_biases
     else:
-        collection_method = _prompt("Article 10(2)(b): how was data collected?", existing.get("collection_method", ""))
+        collection_method = _prompt(_ARTICLE_10_COLLECTION_METHOD, existing.get("collection_method", ""))

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@forgelm/wizard/_collectors.py` around lines 619 - 637, The prompt text
literals for Article 10 are duplicated across the strict/non-strict branches;
extract them into module-level constants (e.g., ARTICLE10_COLLECTION_PROMPT,
ARTICLE10_ANNOTATION_PROMPT, ARTICLE10_KNOWN_BIASES_PROMPT) and replace the
inline strings used with _prompt and _prompt_required in the collection_method,
annotation_process, and known_biases assignments so both branches reference the
same constants; keep existing calls to _prompt and _prompt_required unchanged,
only substitute the literal strings with the new constants and update any
imports/exports if needed.

forgelm/wizard/_byod.py (1)

112-122: 💤 Low value

Redundant exception classes in chained except.

PermissionError and IsADirectoryError are subclasses of OSError, so catching them separately alongside OSError is redundant — the OSError handler already covers them. The same pattern appears at line 175. This is harmless but slightly confusing.

♻️ Proposed simplification

-    except (FileNotFoundError, ValueError) as exc:
-        _print(f"  Ingest failed: {exc}")
-        return None
-    except (PermissionError, IsADirectoryError, OSError) as exc:
-        _print(f"  Ingest failed due to filesystem error: {exc} — check permissions or output path.")
-        return None
+    except (FileNotFoundError, ValueError) as exc:
+        _print(f"  Ingest failed: {exc}")
+        return None
+    except OSError as exc:
+        _print(f"  Ingest failed due to filesystem error: {exc} — check permissions or output path.")
+        return None

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@forgelm/wizard/_byod.py` around lines 112 - 122, The except clause currently
catches (PermissionError, IsADirectoryError, OSError) which is redundant because
PermissionError and IsADirectoryError are subclasses of OSError; change the
tuple to just (OSError,) to simplify the handler while keeping behavior the
same, and apply the same simplification to the repeated handler later (the
similar except tuple at line 175) so both places only catch OSError as exc.

forgelm/wizard/_orchestrator.py (1)

982-990: 💤 Low value

Consider renaming the fallback variable to avoid shadowing the class name.

The pattern ForgeConfig = None when the import fails works but triggers static analysis warnings about naming conventions. A clearer alternative uses a distinct name.

♻️ Alternative pattern

     try:
         from ..config import ForgeConfig
+        _forge_config_cls = ForgeConfig
     except ImportError:  # pragma: no cover — config always present
-        ForgeConfig = None  # type: ignore[assignment]
-    if ForgeConfig is not None:
+        _forge_config_cls = None
+    if _forge_config_cls is not None:
         try:
-            ForgeConfig.model_validate(data)
+            _forge_config_cls.model_validate(data)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@forgelm/wizard/_orchestrator.py` around lines 982 - 990, The code currently
assigns ForgeConfig = None on import failure which shadows the imported class
name and triggers static-analysis warnings; change the fallback variable to a
distinct identifier (e.g., _ForgeConfig or ForgeConfigModule) and update the
subsequent conditional and validation call accordingly so you check the new
identifier (e.g., if _ForgeConfig is not None) and call its model_validate
method name (e.g., _ForgeConfig.model_validate(data)) to preserve behavior
without shadowing the class name.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tools/check_no_analysis_refs.py`:
- Around line 49-51: The current _PROHIBITED_RE only matches
docs/(analysis|marketing)/ or relative refs when followed by a hardcoded set of
subfolders, so paths like "analysis/new_topic/..." slip through; update
_PROHIBITED_RE to match any reference to analysis or marketing subtrees (e.g.,
match docs/(analysis|marketing)/ and also (?:^|[^A-Za-z./])(analysis|marketing)/
followed by any path segment) so it flags arbitrary subfolders instead of just
the fixed list—modify the regex in tools/check_no_analysis_refs.py where
_PROHIBITED_RE is defined to broaden the second alternative to allow any
following path component.
- Around line 151-154: The current except block around
path.read_text(encoding="utf-8") swallows OSError/UnicodeDecodeError and returns
no findings (false-green); change it to fail-closed by recording the error into
the findings list instead of silently returning: catch (OSError,
UnicodeDecodeError) and append a finding that includes the path (path) and the
exception message (str(e)) or otherwise raise the exception so CI fails; update
the handler around path.read_text to use the findings list (findings) or
re-raise to ensure unreadable files produce a visible failure.

---

Nitpick comments:
In `@docs/design/wizard_mode.md`:
- Line 8: Remove the blank lines inside blockquotes that trigger MD028: in the
"status note" blockquote (between the two quote paragraphs) and in the
blockquote containing "review-cycle 2" and "PR-D" (the blank line between those
quote paragraphs); either delete those empty lines so the paragraphs remain in a
single blockquote or split them into separate blockquote blocks if intentional
spacing is desired, ensuring the blockquote markers (">") directly precede each
paragraph line.

In `@forgelm/wizard/_byod.py`:
- Around line 112-122: The except clause currently catches (PermissionError,
IsADirectoryError, OSError) which is redundant because PermissionError and
IsADirectoryError are subclasses of OSError; change the tuple to just (OSError,)
to simplify the handler while keeping behavior the same, and apply the same
simplification to the repeated handler later (the similar except tuple at line
175) so both places only catch OSError as exc.

In `@forgelm/wizard/_collectors.py`:
- Around line 619-637: The prompt text literals for Article 10 are duplicated
across the strict/non-strict branches; extract them into module-level constants
(e.g., ARTICLE10_COLLECTION_PROMPT, ARTICLE10_ANNOTATION_PROMPT,
ARTICLE10_KNOWN_BIASES_PROMPT) and replace the inline strings used with _prompt
and _prompt_required in the collection_method, annotation_process, and
known_biases assignments so both branches reference the same constants; keep
existing calls to _prompt and _prompt_required unchanged, only substitute the
literal strings with the new constants and update any imports/exports if needed.

In `@forgelm/wizard/_orchestrator.py`:
- Around line 982-990: The code currently assigns ForgeConfig = None on import
failure which shadows the imported class name and triggers static-analysis
warnings; change the fallback variable to a distinct identifier (e.g.,
_ForgeConfig or ForgeConfigModule) and update the subsequent conditional and
validation call accordingly so you check the new identifier (e.g., if
_ForgeConfig is not None) and call its model_validate method name (e.g.,
_ForgeConfig.model_validate(data)) to preserve behavior without shadowing the
class name.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a7b694a1-f100-44b5-beaf-6c88d3390125

📥 Commits

Reviewing files that changed from the base of the PR and between ecf3dcc and 2dce74e.

📒 Files selected for processing (18)

• CHANGELOG.md
• docs/design/wizard_mode.md
• docs/reference/architecture-tr.md
• docs/reference/architecture.md
• docs/roadmap/releases.md
• docs/standards/error-handling.md
• docs/usermanuals/en/reference/cli.md
• docs/usermanuals/tr/reference/cli.md
• docs/usermanuals/tr/reference/exit-codes.md
• forgelm/wizard/_byod.py
• forgelm/wizard/_collectors.py
• forgelm/wizard/_orchestrator.py
• forgelm/wizard/_state.py
• site/js/translations.js
• site/js/wizard.js
• tests/test_wizard_phase22.py
• tools/check_anchor_resolution.py
• tools/check_no_analysis_refs.py

✅ Files skipped from review due to trivial changes (6)

• docs/standards/error-handling.md
• docs/reference/architecture.md
• docs/reference/architecture-tr.md
• docs/roadmap/releases.md
• tools/check_anchor_resolution.py
• CHANGELOG.md

🚧 Files skipped from review as they are similar to previous changes (4)

• docs/usermanuals/en/reference/cli.md
• docs/usermanuals/tr/reference/exit-codes.md
• site/js/wizard.js
• forgelm/wizard/_state.py

[sonarqubecloud]

Quality Gate failed

Failed conditions
10 Security Hotspots
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE