feat: 自动开发管道 Phase A — 状态机编排 + 流式卡片 + 记忆系统

[lishuceo]

Summary

• 新增 /dev <task> 命令触发多步自动开发管道（plan → plan_review → implement → code_review → push）
• 各阶段独立 system prompt，review 支持 APPROVED/REJECTED 解析 + 失败自动重试（最多 2 轮）
• 流式卡片实时更新 + 管道阶段进度卡片，跨会话记忆系统（session_summaries 独立表）
• 健壮性加固：TOCTOU 并发保护、fail-closed 审查策略、MAX_ITERATIONS 循环保护、回调异常容错

Changes

• src/pipeline/ — 新增 orchestrator 状态机、types、prompts
• src/feishu/event-handler.ts — /dev 命令处理 + acquireSession 并发保护
• src/feishu/message-builder.ts — buildPipelineCard 管道进度卡片
• src/claude/executor.ts — 重构为 options 对象模式，支持 systemPromptOverride
• src/session/ — 新增 session_summaries 表，30 天自动清理

Test plan

• 122 个测试全部通过（新增 50+ 个 orchestrator / streaming card / database 测试）
• 端到端验证：飞书发送 /dev <task> 触发完整管道流程
• 验证并发保护：同一会话连续发送两条 /dev 命令，第二条应被拒绝

🤖 Generated with Claude Code

[claude]

Claude finished @lishuceo's task in 1m 54s —— View job

---

Code Review: Auto Development Pipeline (Phase A)

• Check for previous review comments
• Read full PR diff and understand changes
• Review src/pipeline/orchestrator.ts
• Review src/pipeline/types.ts and src/pipeline/prompts.ts
• Review src/claude/executor.ts changes
• Review src/feishu/event-handler.ts changes
• Review src/feishu/message-builder.ts changes
• Review src/session/database.ts and src/session/manager.ts changes
• Review test files
• Post inline comments and summary

---

⚠️ Issues Found

#	Severity	File	Confidence	Description
1	🟡 warning	src/feishu/event-handler.ts:396-408	85	acquireSession TOCTOU is still racy — check + set are two separate DB calls with no atomic CAS. Two concurrent requests can both read idle before either writes busy.
2	🟡 warning	src/pipeline/orchestrator.ts:136	80	Mixed mutation pattern — state.totalCostUsd is mutated in-place, then the same state is spread into a new object. Works today but fragile for future changes.
3	🟡 warning	src/feishu/event-handler.ts:537-544	78	/dev pipeline bypasses the per-chat task queue (taskQueue), while regular messages go through it. This creates an inconsistency in ordering guarantees.
4	🟡 warning	src/pipeline/orchestrator.ts:365-385	82	parseVerdict full-text fallback uses includes('APPROVED') which could match substrings (e.g., "NOT APPROVED"). The fail-closed default mitigates risk, but a word-boundary regex would be more precise.

Overall Assessment

This is a well-structured addition. The state machine design is clean, the separation of system prompts per role is good, and the test coverage (600+ lines of orchestrator tests) is thorough with good edge-case coverage for retries, failures, and callback resilience.

Strengths:

• Fail-closed review strategy (unparseable verdict → REJECTED) is the right security posture
• MAX_ITERATIONS loop guard prevents runaway pipelines
• Callback error resilience (try/catch around onPhaseChange) prevents card update failures from killing the pipeline
• Session summaries surviving session cleanup is well-designed and tested
• The executor refactor to options-object pattern is a clean improvement

The issues above are all warnings, not blockers. The most impactful one to address would be #1 (the acquireSession atomicity), since the PR explicitly calls out TOCTOU as a goal. A single UPDATE ... WHERE status != 'busy' with a changes check would make it truly atomic.

[claude]

Claude finished @lishuceo's task in 1m 50s —— View job

---

Re-review: Auto Development Pipeline (Phase A)

• Check previous review comments against latest commits
• Read current diff and understand new changes
• Review each changed file in full context
• Post findings and summary

---

Previous Issues Status

#	Issue	Status	Details
1	acquireSession TOCTOU race	✅ Fixed	Now uses atomic UPDATE ... WHERE status != 'busy' via tryAcquire() with changes === 1 check (database.ts:114-116, database.ts:204-207)
2	Mixed totalCostUsd mutation	✅ Fixed	Now computed as a local const variable and passed in spread object (orchestrator.ts:136)
3	/dev bypasses task queue	⚪ Acknowledged	Still bypasses taskQueue, but atomic CAS makes it safe. Architectural inconsistency remains, not a bug
4	parseVerdict substring matching	✅ Fixed	Now uses word-boundary regex /\bAPPROVED\b/i (orchestrator.ts:388)

3 of 4 previous issues resolved.

New Commits Review

Reviewed the fix commit 9812b92 across all 12 changed files. No new issues found above the confidence threshold (≥75).

✅ Approved

The fix commit cleanly addresses the three actionable review findings. The atomic CAS pattern for acquireSession is the correct approach — single SQL UPDATE with a WHERE guard and changes check, which is truly atomic at the SQLite level even with concurrent await points. The mutation elimination and word-boundary regex are straightforward, correct fixes.

The remaining task-queue bypass (issue #3) is a deliberate design choice with adequate concurrency protection and doesn't warrant blocking the PR.

[claude]

Claude finished @lishuceo's task in 1m 47s —— View job

---

Re-review: Auto Development Pipeline (Phase A)

• Check previous review comments and resolve fixed threads
• Read current diff and understand latest changes
• Review each changed file in full context
• Post findings and summary

---

Previous Issues Status

#	Issue	Status	Details
1	acquireSession TOCTOU race	✅ Resolved	Atomic CAS via tryAcquire() with UPDATE ... WHERE status != 'busy' and changes === 1 check
2	totalCostUsd mutation pattern	✅ Resolved	Now computed as local const in all phase methods
3	/dev bypasses task queue	✅ Resolved	Acknowledged as design choice; atomic CAS provides adequate concurrency protection
4	parseVerdict substring matching	✅ Resolved	Now uses word-boundary regex \bAPPROVED\b

All 4 previous review threads resolved.

New Issues

No new issues found at confidence ≥ 75.

✅ Approved

All three actionable findings from the previous review have been cleanly fixed in commit 9812b92. The latest push (bff82e1, merge of main) introduces no new concerns — it's a clean merge of the workspace cache + agent restart work from PR #9.

Code quality summary:

• State machine orchestrator is well-designed with clean phase transitions and immutable state updates
• Atomic CAS for session locking is correctly implemented at the SQLite level
• Fail-closed review strategy, MAX_ITERATIONS loop guard, and callback error resilience are all solid
• Streaming card updates with throttling (3s / 500 chars) and failure circuit breaker (3 strikes) are well thought out
• Session summaries table is properly independent from session cleanup lifecycle
• Test coverage is thorough (600+ lines of orchestrator tests with edge cases)