Add unified CI pipeline, review prompts, and PR template

[loothero]

Summary

• Replace 3 separate workflow files (claude-code-review.yml, claude.yml, test-contract.yml) with a single unified pr-ci.yml pipeline
• Add domain-specific AI review prompts for Cairo contracts, React client, indexer, and general CI/infra changes
• Add standardized PR template for consistent PR descriptions

Details

New: .github/workflows/pr-ci.yml

Unified CI pipeline with:

• Path-filtered jobs (contracts, client, indexer, dojo)
• Dual AI review (Claude + Codex) with domain-specific prompts
• Coverage reporting
• Dependency caching
• Draft PR skipping

New: .github/prompts/

Domain-specific review instructions:

• cairo-review.md — Cairo/Starknet contract review
• client-review.md — React/frontend review
• indexer-review.md — Indexer/API review
• general-purpose.md — CI/workflow/infra review

New: .github/pull_request_template.md

Standardized PR template with sections for summary, test plan, and checklist.

Removed

• .github/workflows/claude-code-review.yml — superseded by claude-review jobs in pr-ci.yml
• .github/workflows/claude.yml — interactive @claude trigger (removed)
• .github/workflows/test-contract.yml — superseded by contracts-lint + contracts-test jobs

Test plan

• Verify PR CI workflow triggers correctly on new PRs
• Confirm path filters route to correct jobs (contracts/, client/, etc.)
• Validate AI review prompts load correctly in review jobs
• Check PR template renders on new PR creation

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Introduced standardized code review guidance across domains (Cairo, frontend, indexer/API).
  • Added comprehensive PR template with structured validation and review routing.

• Chores

  • Consolidated CI/CD pipeline with per-component testing, linting, and integrated automated code reviews.
  • Removed legacy workflows in favor of unified PR-based CI harness.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
summit	Ready	Preview, Comment	Feb 14, 2026 5:31pm

[coderabbitai]

📝 Walkthrough

Walkthrough

GitHub Actions workflows are being reorganized to consolidate CI/CD automation. Old Claude-specific workflows are removed and replaced with a unified PR-centered CI pipeline. New review prompts and a PR template define structured review expectations for different components (contracts, client, indexer/API).

Changes

Cohort / File(s)	Summary
Review Prompts & PR Template .github/prompts/cairo-review.md, .github/prompts/client-review.md, .github/prompts/general-purpose.md, .github/prompts/indexer-review.md, .github/pull_request_template.md	Introduces domain-specific code review personas, scoped review boundaries, detailed checklists (security, idioms, testing, performance), and structured PR metadata collection. PR template routes reviews to appropriate reviewers based on touched areas.
Consolidated PR CI Workflow .github/workflows/pr-ci.yml	Adds comprehensive GitHub Actions workflow with path-based component detection, per-component CI pipelines (lint, build, test, coverage for contracts, client, indexer, API), integrated Claude/Codex review automation, blocking checks for CRITICAL/HIGH findings, and cross-job dependency orchestration.
Removed Legacy Workflows .github/workflows/claude-code-review.yml, .github/workflows/claude.yml, .github/workflows/test-contract.yml	Deletes three standalone workflows: generic Claude code review trigger, Claude Code integration, and contract-specific test pipeline, consolidated into the new pr-ci.yml.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Poem

🐰✨ Hopping through workflows, we dance and we sway,
Reviews now aligned with prompts on display,
Contracts and clients and indexers too,
Each path has its purpose, each check rings true!
From Claude to Codex, the magic takes flight,
PR-CI ensures quality shines oh so bright! 🌟

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Merge Conflict Detection	⚠️ Warning	⚠️ Unable to check for merge conflicts: Failed to fetch base branch: From https://github.com/Provable-Games/summit ! [rejected] main -> main (non-fast-forward) + 3dd7a30...343fec5 main -> origin/main (forced update)

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the primary changes: adding a unified CI pipeline, review prompts, and PR template, which are the core deliverables of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/github-workflows-and-prompts

⚔️ Resolve merge conflicts (beta)

• Auto-commit resolved conflicts to branch feat/github-workflows-and-prompts
• Create stacked PR with resolved conflicts
• Post resolved changes as copyable diffs in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @loothero, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refines the project's development workflow by centralizing continuous integration processes, introducing specialized AI-driven code review guidelines for different technology stacks, and standardizing the pull request submission format. These changes are designed to improve code quality, streamline reviews, and foster greater consistency throughout the codebase.

Highlights

• Unified CI Pipeline: Replaced three separate workflow files (claude-code-review.yml, claude.yml, test-contract.yml) with a single unified pr-ci.yml pipeline (though the pr-ci.yml file itself is not included in this patch, its impact is the removal of the old workflows).
• Domain-Specific AI Review Prompts: Added new AI review prompts tailored for Cairo contracts, React client, indexer, and general CI/infra changes to enhance automated code review quality.
• Standardized PR Template: Introduced a new pull request template to ensure consistent and comprehensive PR descriptions across the project.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .github/prompts/cairo-review.md
  • Added a comprehensive review prompt for Cairo/Starknet contracts, covering security, idioms, testing, and gas optimization.
• .github/prompts/client-review.md
  • Added a detailed review prompt for React/TypeScript frontend applications, focusing on type safety, React lifecycle, Cartridge Controller integration, query optimization, and UX reliability.
• .github/prompts/general-purpose.md
  • Added a general-purpose review prompt for CI/workflow/infra changes, emphasizing correctness, reliability, performance, and maintainability.
• .github/prompts/indexer-review.md
  • Added a specialized review prompt for Apibara Starknet indexers and Drizzle/PostgreSQL data modeling, focusing on data correctness, stream efficiency, event decoding, reorg safety, and schema management.
• .github/pull_request_template.md
  • Added a new pull request template to standardize PR descriptions, including sections for summary, scope, change type, validation, risk, breaking changes, assumptions, exceptions, workarounds, and reviewer notes.
• .github/workflows/claude-code-review.yml
  • Removed, as its functionality is now superseded by claude-review jobs within the new unified CI pipeline.
• .github/workflows/claude.yml
  • Removed, as the interactive @claude trigger mechanism is no longer in use.
• .github/workflows/test-contract.yml
  • Removed, as its testing responsibilities are now handled by contracts-lint and contracts-test jobs in the new unified CI pipeline.

Ignored Files

• Ignored by pattern: .github/workflows/** (4)
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml
  • .github/workflows/pr-ci.yml
  • .github/workflows/test-contract.yml

Activity

• The pull request description outlines the intent and changes, including the replacement of three workflow files with a new unified pr-ci.yml pipeline, the addition of domain-specific AI review prompts, and a standardized PR template. It also includes a test plan for verification.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a set of excellent, domain-specific AI review prompts and a comprehensive pull request template. The prompts are detailed and well-structured, which will greatly improve the quality and consistency of automated reviews. The PR template is also thorough and will help standardize contributions. I've made a few minor suggestions to improve consistency in terminology across the new files and to enhance clarity in the PR template's scope section. Overall, this is a fantastic addition to the repository's tooling.

[gemini-code-assist]

For consistency with the new PR template (pull_request_template.md) and common English usage, 'Work Arounds' should be a single word: 'Workarounds'.

Suggested change

	In addition to the above, please pay particular attention to the Assumptions, Exceptions, and Work Arounds listed in the PR. Independently verify all assumptions listed and certify that any and all exceptions and work arounds cannot be addressed using simpler methods.
	In addition to the above, please pay particular attention to the Assumptions, Exceptions, and Workarounds listed in the PR. Independently verify all assumptions listed and certify that any and all exceptions and workarounds cannot be addressed using simpler methods.

[gemini-code-assist]

A minor terminology inconsistency: 'Work Arounds' should be 'Workarounds' to match the PR template and standard spelling.

Suggested change

	In addition to the above, please pay particular attention to the Assumptions, Exceptions, and Work Arounds listed in the PR. Independently verify all assumptions listed and certify that any and all exceptions and work arounds cannot be addressed using simpler methods.
	In addition to the above, please pay particular attention to the Assumptions, Exceptions, and Workarounds listed in the PR. Independently verify all assumptions listed and certify that any and all exceptions and workarounds cannot be addressed using simpler methods.

[gemini-code-assist]

To maintain consistency across all new templates and prompts, please change 'Work Arounds' to 'Workarounds'.

Suggested change

	In addition to the above, please pay particular attention to the Assumptions, Exceptions, and Work Arounds listed in the PR. Independently verify all assumptions listed and certify that any and all exceptions and work arounds cannot be addressed using simpler methods.
	In addition to the above, please pay particular attention to the Assumptions, Exceptions, and Workarounds listed in the PR. Independently verify all assumptions listed and certify that any and all exceptions and workarounds cannot be addressed using simpler methods.

[gemini-code-assist]

The descriptions for ui/** and client/** are a bit ambiguous and could be confusing for developers. 'React client' and 'frontend client' are very similar. To improve clarity, consider making these descriptions more distinct based on the actual contents of these directories. For example, you could use something like (UI components) for ui/** and (Main application) for client/** if that reflects the structure.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 42fff3fc75

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Remove nonexistent client test commands

The client-test job invokes pnpm test:parity and pnpm test:coverage, but client/package.json only defines dev, build, lint, preview, and serve scripts. For any PR touching client/**, this will fail with ERR_PNPM_NO_SCRIPT, blocking merges even when the code is otherwise valid.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Use lockfile-compatible install command for indexer

The lint path for indexer runs pnpm install --frozen-lockfile in indexer/, but this project has indexer/package-lock.json and no indexer/pnpm-lock.yaml. In this configuration, pnpm exits with ERR_PNPM_NO_LOCKFILE, so indexer-related PRs fail before linting or tests can run.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Replace undefined indexer test scripts

The indexer-test job calls pnpm test:parity and pnpm test:coverage, but indexer/package.json does not define either script. Even after fixing dependency installation, indexer PRs will still fail with ERR_PNPM_NO_SCRIPT, so this workflow cannot validate indexer changes as written.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Let general review jobs run without app-specific lint jobs

The general-review job is gated by needs: [changes, contracts-lint, client-lint, indexer-api-lint], but those lint jobs are conditionally skipped when only infra/docs files change. That causes general-only PRs (the exact target of this job) to skip the general review entirely, so non-domain changes can merge without the intended review gate.

Useful? React with 👍 / 👎.

[coderabbitai]

Actionable comments posted: 7

🤖 Fix all issues with AI agents

In @.github/prompts/cairo-review.md:
- Line 3: Replace the stale workflow filename reference "
.github/workflows/codex-review.yml " with the correct "
.github/workflows/pr-ci.yml " in .github/prompts/cairo-review.md (the SCOPE
BOUNDARY line) and make the same replacement in indexer-review.md where the same
stale reference exists; also search both prompt files for any other occurrences
of "codex-review.yml" and update them to "pr-ci.yml" to keep the scope boundary
references consistent.

In @.github/pull_request_template.md:
- Around line 38-56: Update the PR template entries that reference npm and the
ui folder: replace the example command and checklist lines that say "cd ui &&
npm run lint" / "cd ui && npm run build" and the example "# cd ui && npm run
lint && npm run build" with the project's pnpm equivalents and correct folder
"client" (use "cd client && pnpm lint" and "cd client && pnpm build"), ensuring
the example command and the two checklist items are updated accordingly so
contributors run pnpm in the client folder.

In @.github/workflows/pr-ci.yml:
- Around line 1032-1034: The workflow jobs claude-review-general and
codex-review-general are incorrectly gated on domain-specific lint jobs
(contracts-lint, client-lint, indexer-api-lint); open the job definitions for
the jobs named claude-review-general and codex-review-general and remove
contracts-lint, client-lint, and indexer-api-lint from their needs arrays so the
general-review jobs only depend on the changes job and the conditional if:
needs.changes.outputs.general_review == 'true', ensuring the general review runs
for its intended file scope even when those domain lint jobs fail.
- Around line 298-322: The job named api-test currently only runs a build (the
Build step that runs `pnpm build`) so CI misleadingly claims to run tests;
either add a proper test step (e.g., add a step after Install dependencies that
runs `pnpm test` or the appropriate API test command) or rename the job to
api-build and update any references (including the final pr-ci aggregation) to
match; if you intend to defer tests, add a clear TODO comment in the job header
noting tests are not present.
- Around line 450-454: The current step "Inject OAuth session" writes the secret
with shell-expanded echo which breaks or leaks if the JSON contains quotes;
replace that pattern by passing the secret into the runner as an environment
variable (use the existing secret name CODEX_AUTH_DOT_JSON) and write it to
~/.codex/auth.json with a single-quoted heredoc in the run step to avoid shell
interpretation. Update the step that defines name "Inject OAuth session" (and
the three other identical occurrences) to set env: CODEX_AUTH_DOT_JSON: ${{
secrets.CODEX_AUTH_DOT_JSON }} and then use a heredoc to create
~/.codex/auth.json from ${CODEX_AUTH_DOT_JSON} with file permissions set to 600.
Ensure you update all four occurrences that currently use echo '${{
secrets.CODEX_AUTH_DOT_JSON }}'.
- Around line 1-9: Add a top-level guard to the "changes" job to skip draft PRs:
detect the PR draft flag (github.event.pull_request.draft) and only run the
changes job when it is false; update the job definition for changes to include
an if condition like `if: github.event.pull_request.draft == false` so
opened/synchronize events from draft PRs do not trigger the pipeline while still
allowing the ready_for_review transition to run the workflow.
- Around line 495-510: The CI step using the Codex CLI calls npx -y
`@openai/codex`@0.98.0 exec --full-auto with -c 'model="gpt-5.3-codex"' and -c
'model_reasoning_effort="high"'; replace the undocumented -c usage and the
model_reasoning_effort parameter by passing the model via the documented --model
(or -m) flag (e.g., --model gpt-5.3-codex) and remove any model_reasoning_effort
setting, while keeping the existing output handling to /tmp/review.txt and the
failure fallback logic intact.

🧹 Nitpick comments (2)

.github/workflows/pr-ci.yml (2)

229-257: actions/setup-node called twice in the same job with different cache paths.

When both indexer_ci and api are true, setup-node@v4 runs twice (lines 231 and 246) with different cache-dependency-path values. The second invocation's cache configuration will override the first, so the indexer's pnpm store may not be warmed. Consider either splitting into two jobs or using a single setup-node step with a combined cache path.

Option: combined cache-dependency-path

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
+         cache-dependency-path: |
+           indexer/pnpm-lock.yaml
+           api/pnpm-lock.yaml

---

394-428: Claude comment polling has a tight 60s window and a loose username regex.

The blocking-findings check polls for the Claude review comment up to 6 × 10s = 60s. If the Claude action takes longer (large diffs, API delays), the step fails with a hard error, blocking the entire pipeline. The username regex test("claude") could also match unrelated bots.

Consider:

• Increasing MAX_ATTEMPTS or SLEEP_SECONDS (e.g., 12 × 15s = 3 min).
• Tightening the username match (e.g., test("^claude\\[bot\\]$")), or use an exact string comparison.
• Adding a graceful fallback: warn instead of fail when the comment isn't found, since the Claude action itself is a separate step that already signals its own success/failure.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Stale workflow file reference.

Line 3 references .github/workflows/codex-review.yml, but no such file exists in this PR. The actual workflow is .github/workflows/pr-ci.yml. This same stale reference also appears in indexer-review.md (line 3). Updating these avoids confusion for anyone tracing where scope boundaries are enforced.

Proposed fix

-SCOPE BOUNDARY (from `.github/workflows/codex-review.yml`)
+SCOPE BOUNDARY (from `.github/workflows/pr-ci.yml`)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	SCOPE BOUNDARY (from `.github/workflows/codex-review.yml`)
	SCOPE BOUNDARY (from `.github/workflows/pr-ci.yml`)

🧰 Tools

🪛 LanguageTool

[uncategorized] ~3-~3: The official name of this software platform is spelled with a capital “H”.
Context: ... they reach main. SCOPE BOUNDARY (from .github/workflows/codex-review.yml) - Review ...

(GITHUB)

🤖 Prompt for AI Agents

In @.github/prompts/cairo-review.md at line 3, Replace the stale workflow
filename reference " .github/workflows/codex-review.yml " with the correct "
.github/workflows/pr-ci.yml " in .github/prompts/cairo-review.md (the SCOPE
BOUNDARY line) and make the same replacement in indexer-review.md where the same
stale reference exists; also search both prompt files for any other occurrences
of "codex-review.yml" and update them to "pr-ci.yml" to keep the scope boundary
references consistent.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Template references npm but the project uses pnpm.

Lines 40, 53, and 54 use npm run commands, but the CI pipeline and project tooling consistently use pnpm. This could confuse contributors.

Proposed fix

 ```bash
 # example:
-# cd ui && npm run lint && npm run build
+# cd client && pnpm lint && pnpm build

Area-specific verification

If contracts/** changed

• cd contracts && scarb build
• cd contracts && scarb test (or targeted tests listed below)
• Security-sensitive paths (auth, external calls, arithmetic, state transitions) reviewed

If ui/** or client/** changed

-- [ ] cd ui && npm run lint
-- [ ] cd ui && npm run build
+- [ ] cd client && pnpm lint
+- [ ] cd client && pnpm build

• Manual smoke test completed for impacted routes/states
• Visual evidence attached for UI changes (screenshots/GIF)

</details>

Based on learnings: "Validate frontend changes with 'pnpm build' and 'pnpm lint' before submitting PRs, plus a quick UI smoke test."

<details>
<summary>🤖 Prompt for AI Agents</summary>

In @.github/pull_request_template.md around lines 38 - 56, Update the PR
template entries that reference npm and the ui folder: replace the example
command and checklist lines that say "cd ui && npm run lint" / "cd ui && npm run
build" and the example "# cd ui && npm run lint && npm run build" with the
project's pnpm equivalents and correct folder "client" (use "cd client && pnpm
lint" and "cd client && pnpm build"), ensuring the example command and the two
checklist items are updated accordingly so contributors run pnpm in the client
folder.

</details>

<!-- fingerprinting:phantom:medusa:phoenix -->

<!-- This is an auto-generated comment by CodeRabbit -->

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Draft PR skip is missing.

The PR objectives state the workflow should skip for draft PRs, but there is no guard. The ready_for_review trigger handles transitions from draft to ready, but opened and synchronize still fire for draft PRs, running the full pipeline unnecessarily.

Add a top-level condition on the changes job (which gates all others):

Proposed fix

   changes:
+    if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest

🤖 Prompt for AI Agents

In @.github/workflows/pr-ci.yml around lines 1 - 9, Add a top-level guard to the
"changes" job to skip draft PRs: detect the PR draft flag
(github.event.pull_request.draft) and only run the changes job when it is false;
update the job definition for changes to include an if condition like `if:
github.event.pull_request.draft == false` so opened/synchronize events from
draft PRs do not trigger the pipeline while still allowing the ready_for_review
transition to run the workflow.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

api-test job has no test step — only builds.

The job is named api-test and is listed in the final pr-ci aggregation, but it only runs pnpm build (line 322). If this is intentional because no API tests exist yet, consider either renaming the job to api-build or adding a TODO comment. As-is, CI appears to validate API tests when it doesn't.

🤖 Prompt for AI Agents

In @.github/workflows/pr-ci.yml around lines 298 - 322, The job named api-test
currently only runs a build (the Build step that runs `pnpm build`) so CI
misleadingly claims to run tests; either add a proper test step (e.g., add a
step after Install dependencies that runs `pnpm test` or the appropriate API
test command) or rename the job to api-build and update any references
(including the final pr-ci aggregation) to match; if you intend to defer tests,
add a clear TODO comment in the job header noting tests are not present.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Secret written via shell expansion is fragile — risk of breakage or partial leakage.

echo '${{ secrets.CODEX_AUTH_DOT_JSON }}' is expanded by GitHub Actions before the shell sees it. If the JSON secret contains single quotes, backticks, or other shell metacharacters, the command breaks and may partially echo to logs. This pattern is repeated at lines 689, 925, and 1162.

Use an env-var + heredoc approach to avoid shell interpretation:

Proposed fix (apply to all 4 occurrences)

      - name: Inject OAuth session
+       env:
+         CODEX_AUTH_JSON: ${{ secrets.CODEX_AUTH_DOT_JSON }}
        run: |
          mkdir -p ~/.codex
-         echo '${{ secrets.CODEX_AUTH_DOT_JSON }}' > ~/.codex/auth.json
+         printf '%s' "$CODEX_AUTH_JSON" > ~/.codex/auth.json
          chmod 600 ~/.codex/auth.json

🤖 Prompt for AI Agents

In @.github/workflows/pr-ci.yml around lines 450 - 454, The current step "Inject
OAuth session" writes the secret with shell-expanded echo which breaks or leaks
if the JSON contains quotes; replace that pattern by passing the secret into the
runner as an environment variable (use the existing secret name
CODEX_AUTH_DOT_JSON) and write it to ~/.codex/auth.json with a single-quoted
heredoc in the run step to avoid shell interpretation. Update the step that
defines name "Inject OAuth session" (and the three other identical occurrences)
to set env: CODEX_AUTH_DOT_JSON: ${{ secrets.CODEX_AUTH_DOT_JSON }} and then use
a heredoc to create ~/.codex/auth.json from ${CODEX_AUTH_DOT_JSON} with file
permissions set to 600. Ensure you update all four occurrences that currently
use echo '${{ secrets.CODEX_AUTH_DOT_JSON }}'.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

@openai/codex npm package version 0.98.0

💡 Result:

@openai/codex v0.98.0 (released Feb 5, 2026) introduces GPT‑5.3‑Codex and makes Steer mode stable and enabled by default, plus includes multiple fixes (resume behavior, model switching/instructions, token pre‑estimation, cloud reloads, and UI consistency). [1]

To install that exact version:

npm i -g `@openai/codex`@0.98.0

Security status: Snyk lists 0.98.0 as the latest version and reports no known vulnerabilities affecting 0.98.0. [2]

Sources: [1] [2]

---

🌐 Web query:

gpt-5.3-codex OpenAI model

💡 Result:

GPT‑5.3‑Codex is OpenAI’s newest “agentic” coding model for Codex—positioned as more capable than GPT‑5.2‑Codex, combining stronger coding performance with improved reasoning/professional knowledge, and reported as ~25% faster. It’s designed to handle longer-running, tool-using tasks (research, debugging, deployment, evaluation) while you can steer it interactively during execution. [1]

Availability: OpenAI says GPT‑5.3‑Codex is available on paid ChatGPT plans everywhere you can use Codex (app, CLI, IDE extension, web). OpenAI also notes they’re working to enable API access “soon.” [1]

Related model: GPT‑5.3‑Codex‑Spark is a smaller, ultra-low-latency “real-time coding” variant released as a research preview, initially for ChatGPT Pro users; OpenAI says it delivers >1000 tokens/sec on Cerebras hardware, is text-only, and has a 128k context window. [2]

Sources:
[1] OpenAI – “Introducing GPT‑5.3‑Codex” (Feb 5, 2026). (openai.com)
[2] OpenAI – “Introducing GPT‑5.3‑Codex‑Spark” (Feb 12, 2026). (openai.com)

Citations:

• 1: https://openai.com/index/introducing-gpt-5-3-codex/?utm_source=openai
• 2: https://openai.com/index/introducing-gpt-5-3-codex-spark/?utm_source=openai

---

🌐 Web query:

@openai/codex CLI flags exec full-auto documentation

💡 Result:

Where the docs are

• Codex CLI overview + links to “Scripting Codex” (the exec command) live on the official Codex CLI page. (help.openai.com)
• The open-source repo README explains what Full Auto does (sandboxed, network-disabled; changes approval/sandbox defaults). (github.com)

codex exec (headless / CI) flags (incl. --full-auto)

These are the key flags documented for the codex exec subcommand: (deepwiki.com)

• codex exec "…": run a single non-interactive Codex session and exit. (deepwiki.com)
• --full-auto: enables automatic execution with a workspace-write sandbox (i.e., allow edits in the workspace). (deepwiki.com)
• --sandbox, -s <read-only|workspace-write|danger-full-access>: pick sandbox policy explicitly. (deepwiki.com)
• --model, -m <model>: choose the model. (deepwiki.com)
• --cd, -C <dir>: set working directory. (deepwiki.com)
• --json: stream events as JSONL. (deepwiki.com)
• --output-last-message, -o <file>: write the final agent message to a file. (deepwiki.com)
• --output-schema <file>: provide a JSON schema for a structured final response. (deepwiki.com)
• --include-plan-tool: enable experimental plan tracking. (deepwiki.com)

What “full auto” means (behavioral note)

• In the CLI generally, Full Auto runs autonomously inside a sandbox that’s scoped to the working directory and is network-disabled by default. (github.com)

Examples

# Default headless run (read-only sandbox by default)
codex exec "summarize this repo"

# Allow workspace edits (full-auto convenience)
codex exec --full-auto "fix the failing tests"

# JSONL streaming + write final message to a file
codex exec --json -o result.txt --full-auto "bump dependencies safely"

# Explicit sandbox + working dir
codex exec -C ./subproject -s workspace-write "refactor this package"

Citations:

• 1: https://help.openai.com/en/articles/11096431-openai-codex-ci-getting-started
• 2: https://github.com/quad-coders/openai-codex
• 3: https://deepwiki.com/openai/codex/4.2-command-execution-pipeline?utm_source=openai
• 4: https://deepwiki.com/openai/codex/4.2-command-execution-pipeline?utm_source=openai
• 5: https://deepwiki.com/openai/codex/4.2-command-execution-pipeline?utm_source=openai
• 6: https://deepwiki.com/openai/codex/4.2-command-execution-pipeline?utm_source=openai
• 7: https://deepwiki.com/openai/codex/4.2-command-execution-pipeline?utm_source=openai
• 8: https://deepwiki.com/openai/codex/4.2-command-execution-pipeline?utm_source=openai
• 9: https://deepwiki.com/openai/codex/4.2-command-execution-pipeline?utm_source=openai
• 10: https://deepwiki.com/openai/codex/4.2-command-execution-pipeline?utm_source=openai
• 11: https://deepwiki.com/openai/codex/4.2-command-execution-pipeline?utm_source=openai
• 12: https://deepwiki.com/openai/codex/4.2-command-execution-pipeline?utm_source=openai
• 13: https://github.com/quad-coders/openai-codex

---

Use --model flag instead of -c for model selection; model_reasoning_effort parameter is not documented.

The code uses -c 'model="gpt-5.3-codex"' and -c 'model_reasoning_effort="high"', but the Codex CLI documentation shows the proper flag to select a model is --model (or -m). The -c flag and the model_reasoning_effort parameter are not documented in the official CLI. Change to:

npx -y `@openai/codex`@0.98.0 exec --full-auto \
  --model gpt-5.3-codex \
  -o /tmp/review.txt \
  "$(cat /tmp/prompt.txt)" 2>&1

The model_reasoning_effort parameter has no documented equivalent in the CLI and should be removed.

🤖 Prompt for AI Agents

In @.github/workflows/pr-ci.yml around lines 495 - 510, The CI step using the
Codex CLI calls npx -y `@openai/codex`@0.98.0 exec --full-auto with -c
'model="gpt-5.3-codex"' and -c 'model_reasoning_effort="high"'; replace the
undocumented -c usage and the model_reasoning_effort parameter by passing the
model via the documented --model (or -m) flag (e.g., --model gpt-5.3-codex) and
remove any model_reasoning_effort setting, while keeping the existing output
handling to /tmp/review.txt and the failure fallback logic intact.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

General review jobs are unnecessarily gated on domain-specific lint jobs.

claude-review-general and codex-review-general depend on contracts-lint, client-lint, and indexer-api-lint. If any of those lint jobs fail (e.g., a Cairo formatting error), the general review — which explicitly covers files outside those domains — is blocked and won't run.

Remove the domain lint jobs from needs since the general review scope excludes those paths:

Proposed fix

  claude-review-general:
-   needs: [changes, contracts-lint, client-lint, indexer-api-lint]
+   needs: [changes]
    if: needs.changes.outputs.general_review == 'true'

  codex-review-general:
-   needs: [changes, contracts-lint, client-lint, indexer-api-lint]
+   needs: [changes]
    if: needs.changes.outputs.general_review == 'true'

Also applies to: 1141-1143

🤖 Prompt for AI Agents

In @.github/workflows/pr-ci.yml around lines 1032 - 1034, The workflow jobs
claude-review-general and codex-review-general are incorrectly gated on
domain-specific lint jobs (contracts-lint, client-lint, indexer-api-lint); open
the job definitions for the jobs named claude-review-general and
codex-review-general and remove contracts-lint, client-lint, and
indexer-api-lint from their needs arrays so the general-review jobs only depend
on the changes job and the conditional if: needs.changes.outputs.general_review
== 'true', ensuring the general review runs for its intended file scope even
when those domain lint jobs fail.

[Copilot]

Pull request overview

This PR consolidates the repo’s PR automation by replacing multiple GitHub Actions workflows with a single path-filtered PR CI pipeline, and adds standardized AI review prompts plus a PR template to improve review consistency.

Changes:

• Replaced separate contract testing / Claude workflows with a unified .github/workflows/pr-ci.yml.
• Added domain-specific review prompts under .github/prompts/.
• Added a standardized pull request template.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 14 comments.

Show a summary per file

File	Description
.github/workflows/pr-ci.yml	New unified PR CI workflow with path filters, lint/build/test jobs, and dual AI review/comment gating.
.github/workflows/test-contract.yml	Removed legacy contracts formatting/testing workflow (superseded by pr-ci.yml).
.github/workflows/claude.yml	Removed interactive @claude trigger workflow.
.github/workflows/claude-code-review.yml	Removed legacy Claude PR review workflow (superseded by pr-ci.yml review jobs).
.github/prompts/cairo-review.md	Added Cairo/Starknet contract review prompt for AI reviewers.
.github/prompts/client-review.md	Added frontend review prompt for AI reviewers.
.github/prompts/indexer-review.md	Added indexer/API review prompt for AI reviewers.
.github/prompts/general-purpose.md	Added general engineering/CI/infra review prompt for AI reviewers.
.github/pull_request_template.md	Added standardized PR template/checklists to normalize PR descriptions and validation info.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The Cairo prompt’s scope boundary references .github/workflows/codex-review.yml, but that workflow file does not exist in this PR (the unified workflow is pr-ci.yml). Update the reference so reviewers aren’t pointed at a non-existent workflow when trying to understand scope/routing.

[Copilot]

This prompt’s scope mentions ui/** and ui/src/generated/*, but the repository has no ui/ directory. This can misroute review attention and create confusion; update the scope to match the actual frontend package path(s) used in the repo (e.g., client/**, and any generated-code paths that actually exist).

Suggested change

	Scope: review changes under `ui/**` and `client/**`. Treat `ui/src/generated/*` as generated code; do not request manual edits there unless generation is clearly out of sync with source contracts.
	Scope: review changes under `client/**`.

[Copilot]

The contracts path filter does not include .tool-versions, even though the contracts jobs use it to set Scarb/SNFoundry versions. A PR that changes .tool-versions (and nothing under contracts/**) would skip contracts-lint/contracts-test, potentially missing breakage. Consider including .tool-versions (and any other shared toolchain files) in the contracts filter.

Suggested change

	- "contracts/**"
	- "contracts/**"
	- ".tool-versions"

[Copilot]

PR description mentions “Draft PR skipping”, but this workflow triggers on pull_request events without checking github.event.pull_request.draft. As a result, opened/synchronize events on draft PRs will still run CI. If the intent is to skip drafts, add a workflow/job-level condition to gate on draft == false (or limit event types accordingly).

[Copilot]

The previous test-contract.yml workflow ran on push to main, but the new unified workflow only runs on pull_request. If direct pushes/merges to main can occur without required PR checks, this removes a safety net. Consider adding a push trigger for main (or confirm branch protection guarantees PR CI always runs before merging).

Suggested change

	concurrency:
	group: pr-ci-${{ github.event.pull_request.number }}
	push:
	branches:
	- main
	concurrency:
	group: pr-ci-${{ github.event.pull_request.number || github.ref_name || github.run_id }}

[Copilot]

indexer-api-lint configures Node cache with cache-dependency-path: indexer/pnpm-lock.yaml, but the repo does not have indexer/pnpm-lock.yaml (indexer has package-lock.json only). In addition, pnpm install --frozen-lockfile will fail without a pnpm lockfile. Either add/commit an indexer pnpm-lock.yaml (and standardize on pnpm) or switch these steps to npm (or the package manager actually used by indexer).

Suggested change

	cache: pnpm
	cache-dependency-path: indexer/pnpm-lock.yaml
	- name: Lint indexer
	if: needs.changes.outputs.indexer_ci == 'true'
	run: |
	cd indexer
	pnpm install --frozen-lockfile
	pnpm exec tsc --noEmit
	cache: npm
	cache-dependency-path: indexer/package-lock.json
	- name: Lint indexer
	if: needs.changes.outputs.indexer_ci == 'true'
	run: |
	cd indexer
	npm ci
	npx tsc --noEmit

[Copilot]

The Lint indexer step runs pnpm install --frozen-lockfile, but indexer currently does not have a pnpm-lock.yaml and will error. Align the workflow with the indexer’s lockfile/package manager (or add the missing pnpm lockfile).

[Copilot]

indexer-test uses pnpm with --frozen-lockfile and configures pnpm caching via indexer/pnpm-lock.yaml, but the indexer directory does not contain a pnpm lockfile. This will break installs and/or caching. Either commit indexer/pnpm-lock.yaml (and use pnpm consistently) or switch this job to npm/yarn with the corresponding lockfile.

[Copilot]

indexer-test runs pnpm test:parity / pnpm test:coverage, but indexer/package.json does not define these scripts. This job will fail unless the scripts are added or the workflow is updated to the indexer’s real test/coverage commands (or removed if the indexer has no tests).

Suggested change

	- name: Run parity test
	run: pnpm test:parity
	- name: Run tests with coverage
	run: pnpm test:coverage
	- name: Upload coverage to Codecov
	uses: codecov/codecov-action@v4
	with:
	file: ./indexer/coverage/lcov.info
	flags: indexer
	token: ${{ secrets.CODECOV_TOKEN }}

[Copilot]

This template references a ui/** package, but the repository structure only includes client/ (no ui/ directory). This makes the scope checklist and later frontend guidance inaccurate; update the template to match the actual package paths used in the repo/CI (and ensure all other ui/** mentions in this file are corrected as well).