
ci: add smart PR workflow automation #82

Open: ndycode wants to merge 38 commits into main from ci/pr-workflow-automation

Conversation

@ndycode (Owner) commented Mar 14, 2026

Summary

  • add a required ci.yml workflow with smart change detection, required-pr, and workflow linting
  • add advisory coverage, compatibility, and dependency-audit lanes plus a PR governance workflow and docs link checker script
  • update contributor and testing docs to explain the required vs advisory CI lanes
  • follow up on workflow and docs-check review hardening, including repo metadata fallback, rename-aware change detection, live label reads, governance body sanitization/serialization, shortcut-reference parsing, and CommonMark fence stripping

Testing

  • npm run docs:check
  • npm run lint
  • npm run typecheck
  • npm run build
  • npm test
  • Not applicable

Docs Impact

  • README or docs updated
  • No docs changes needed

Compliance Confirmation

  • This change stays within the repository scope and OpenAI Terms of Service expectations.
  • This change uses official authentication flows only and does not add bypass, scraping, or credential-sharing behavior.
  • I updated tests and documentation when the change affected users, maintainers, or repository behavior.
  • No auth, request-routing, or storage paths changed.
  • I manually tested with a real ChatGPT Plus/Pro account.
  • Maintainers can apply the maintainer-live-verified label after independent live verification.

Notes

  • Linked issue: none.
  • Follow-up work or rollout notes: npm run test:coverage and npm run audit:ci remain advisory because the current baseline still fails the global coverage threshold and reports the existing hono audit issue. This PR also touches .github/pull_request_template.md, so the exempt label is needed for the existing pr-quality workflow.

Summary by CodeRabbit

Release Notes

  • Documentation

    • README updated with testing badge and additional contributing resources.
    • Expanded testing documentation with detailed test scenarios and maintainer verification requirements.
    • Improved documentation link validation.
  • Tests

    • Added comprehensive test suite for documentation link verification.
  • Chores

    • Enhanced CI/CD workflows with improved change detection and conditional job execution.
    • Updated PR templates and governance workflows for compliance tracking.

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

this PR introduces a complete CI/PR automation layer: a required ci.yml workflow with smart rename-aware change detection and a hardened required-pr aggregate gate, advisory pr-advisory.yml lanes for coverage, compat-matrix, and dependency audit, a pr-governance.yml workflow that validates the PR template and manages live-verification labels via pull_request_target, a docs-check.js link validator using only node built-ins, and accompanying docs/template updates.

  • all prior review thread issues are addressed: changes and detect-dependency-change both have timeout-minutes: 10, required-pr fails fast when CHANGES_RESULT != "success", HTML comments are stripped before link extraction, and scripts/ci/ changes now trigger docs_changed=true
  • pr-governance.yml correctly avoids checking out PR head ref under pull_request_target, uses live label reads via github.paginate, and serialises runs (cancel-in-progress: false) to prevent label race conditions — no windows filesystem or token-safety paths are touched by this PR
  • advisory lanes (coverage, compat-matrix, dependency-audit) lack an equivalent DETECT_RESULT guard: if detect-dependency-change fails or is cancelled, all three advisory jobs are silently skipped with no step summary written; since these are unrequired this does not block merge, but silent skips are hard to debug
  • getSectionContent in the governance script builds a RegExp from an unescaped heading string — benign with today's hardcoded callers but a latent injection risk if the function is reused
  • test/docs-check.test.ts retry cleanup is intentionally broad (retries all errors, not just Windows transient ones), which could leave orphaned tmp/docs-check-* dirs on Windows runners if the retry budget is exhausted by a non-transient error; low severity given runner teardown

Confidence Score: 4/5

  • safe to merge — no auth, request-routing, or storage paths changed; previous blocking issues from review threads are resolved
  • the required gate hardening (CHANGES_RESULT check, timeouts) and governance workflow correctness (pull_request_target without head checkout, live label reads, serialised concurrency) are all solid. the remaining issues are advisory-lane visibility and a latent regex-injection in a helper function — neither blocks the required CI path or introduces a token/filesystem safety risk on windows
  • pr-advisory.yml (silent skip on detect failure) and pr-governance.yml (unescaped regex in getSectionContent)

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/ci.yml | new required CI workflow with smart change detection, conditional job gates, and a hardened required-pr aggregate check; previous thread issues (missing timeout, CHANGES_RESULT guard) are resolved |
| .github/workflows/pr-advisory.yml | adds advisory coverage, compat-matrix, and dependency-audit lanes; detect-dependency-change has a timeout but downstream jobs lack a result guard — a failed detection job silently skips all advisory lanes with no summary output |
| .github/workflows/pr-governance.yml | uses pull_request_target with issues: write to manage labels and validate PR template; correctly avoids checking out PR head ref; getSectionContent builds regex with unescaped heading string — benign today but latent if reused |
| scripts/ci/docs-check.js | comprehensive markdown link checker using only Node built-ins; HTML comment stripping, shortcut-reference parsing, rename-aware change detection, and repo-slug fallback are all present and correct |
| test/docs-check.test.ts | good coverage of unit and subprocess paths including Windows-specific EPERM/EBUSY retry logic; cleanup retries all errors (not just transient Windows ones), which could leave orphaned tmp dirs on Windows CI runners under unusual conditions |
| .github/pull_request_template.md | adds typecheck, docs:check, Docs Impact section, and live-verification checklist items aligned with the new pr-governance workflow requirements |
| CONTRIBUTING.md | updated to document the required vs advisory CI lane split and explain required-pr and pr-governance as the two branch-protection gates |
| package.json | adds docs:check and audit:ci scripts; no auth, request-routing, or storage paths changed; dependency versions unchanged |

Sequence Diagram

sequenceDiagram
    participant PR as Pull Request
    participant CH as changes job
    participant CJ as code jobs<br/>(lint/typecheck/build/unit-linux/unit-windows)
    participant DS as docs-sanity
    participant AL as actionlint
    participant RP as required-pr gate
    participant PG as pr-governance<br/>(pull_request_target)
    participant AD as advisory lanes<br/>(coverage/compat/audit)

    PR->>CH: trigger on pull_request
    CH->>CH: classify changed files<br/>(code / docs / workflow)
    CH-->>CJ: code_changed=true
    CH-->>DS: docs_changed=true
    CH-->>AL: workflow_changed=true
    CJ-->>RP: result
    DS-->>RP: result
    AL-->>RP: result
    CH-->>RP: CHANGES_RESULT (fail-fast if not success)
    RP->>RP: evaluate gates<br/>exit 1 on any failure
    Note over RP: branch-protection required check

    PR->>AD: trigger (advisory, not required)
    AD->>AD: detect-dependency-change
    AD-->>AD: coverage / compat-matrix / dependency-audit<br/>(continue-on-error: true)

    PR->>PG: pull_request_target<br/>(opened/edited/labeled/sync)
    PG->>PG: fetch live labels via paginate
    PG->>PG: strip code blocks + HTML comments
    PG->>PG: validate template sections + checkboxes
    PG->>PG: detect risky paths (auth/request/storage)
    PG-->>PR: add/remove needs-live-verification label
    PG-->>PR: fail if template incomplete
    Note over PG: branch-protection required check

Comments Outside Diff (4)

  1. scripts/ci/docs-check.js, line 244-248

    Tilde-fenced code blocks not stripped before link extraction

    extractMarkdownLinks only strips triple-backtick fences but not ~~~ (tilde) fences, which are valid CommonMark code blocks. any link inside a tilde-fenced block is still extracted and validated:

    ~~~bash
    [example](./missing-file.md)
    ~~~

    this would cause a false failure in docs-sanity for anyone using tilde fences. the stripMarkdownCode in pr-governance.yml correctly handles both fence characters — the same fix is needed here.

    |~~~)[\s\S]*?(?:```|~~~)/g, "\n")
    .replace(/[^\n]+`/g, "`code`");

    
    
  2. .github/workflows/pr-governance.yml, line 292-296

    core.summary.write() failure silences governance failures

    await core.summary.addRaw(...).write() is awaited before the core.setFailed call. if the GitHub step-summary API is transiently unavailable, write() throws, the exception propagates, and core.setFailed is never reached. the caller sees a generic network error rather than the compliance failures accumulated in failures[], making governance silent exactly when it should be loudest.

    wrapping the summary write in a try/catch with a fallback console.log preserves governance signal even when the summary endpoint is down:

    try {
      await core.summary.addRaw(summaryLines.join("\n")).write();
    } catch (summaryError) {
      console.warn("Failed to write step summary:", summaryError?.message ?? summaryError);
      console.log(summaryLines.join("\n"));
    }
    
    if (failures.length > 0) {
      core.setFailed(failures.join("\n"));
    }
  3. scripts/ci/docs-check.js, line 243-247

    non-greedy fence pattern can prematurely close code blocks

    the pattern `` (?:`{3}|~{3})[\s\S]*?(?:`{3}|~{3}) `` is non-greedy and doesn't track fence-char identity. if a fenced code block's body contains a run of exactly 3 backticks (common in contributing/readme docs that demonstrate markdown syntax), the non-greedy match closes early at that interior sequence and everything after it — still inside the real block — is exposed to link extraction. a broken-link reference that appears after the interior triple-backtick will be extracted and reported as a false failure.

    example that triggers it:

    ````
    Use fenced blocks like:
    ```yaml
    key: value
    ```
    The link [guide](./missing.md) is here.
    ````

    the regex closes the outer block at the inner ```, so [guide](./missing.md) is extracted and validated.

    pr-governance.yml's stripMarkdownCode already handles this correctly with a line-by-line state machine that tracks fence char and length. the same approach should be used here.

    no test case in docs-check.test.ts covers code blocks whose bodies contain 3 backtick/tilde sequences.

  4. .github/workflows/pr-advisory.yml, line 104-108

    No failure-propagation guard for detect-dependency-change

    unlike required-pr in ci.yml (which now correctly fails fast when CHANGES_RESULT != "success"), the advisory downstream jobs (coverage, compat-matrix, dependency-audit) only gate on the outputs, not on the job result. if detect-dependency-change is cancelled or errors out, all three advisory jobs are silently skipped with no indication in the run summary.

    since these lanes are explicitly advisory this won't break the required gate, but it does mean a hung or crashed detect-dependency-change job produces a deceptively clean advisory run. consider adding a needs.detect-dependency-change.result == 'success' guard to each advisory if: condition, or a dedicated advisory summary step, so transient runner failures are visible.

Prompt To Fix All With AI
This is a comment left during a code review.
Path: pr-governance.yml
Line: 123-125

Comment:
**Unescaped heading string used in regex**

`getSectionContent` builds a `RegExp` from the raw `heading` argument without escaping it. today's callers pass hardcoded strings (`"Docs Impact"`, `"Compliance Confirmation"`) that contain no regex-special chars, so this is benign. but if the function is ever reused with an arbitrary heading string (e.g. one containing `.` or `()`), the regex will silently misfire.

```suggestion
            function getSectionContent(markdown, heading) {
              const escapedHeading = heading.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
              const headingPattern = new RegExp(`^## ${escapedHeading}\\s*$`, "m");
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: test/docs-check.test.ts
Line: 18-33

Comment:
**Windows temp cleanup silently swallows errors after exhausting retries**

`cleanupTempRoot` retries on any error (not just transient EPERM/EBUSY/EACCES) and logs a warning on final failure — which is intentionally non-fatal. the asymmetry with `runDocsCheckSubprocess`, which only retries windows transient errors, means a genuine non-transient cleanup failure (e.g., permissions on a CI-managed runner dir) will silently leave orphaned `tmp/docs-check-*` dirs under the workspace. these are excluded from git and cleaned by the runner, but they could accumulate across retried CI jobs in the same workflow run. low severity given the `force: true` flag and runner teardown, but worth tracking if you see workspace bloat on the windows compat-matrix lane.

How can I resolve this? If you propose a fix, please make it concise.

Last reviewed commit: d4974b5
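An added example, not the PR's scripts/ci/docs-check.js, showing the fence handling that comments 1 and 3 ask for: a line-based state machine that tracks fence character and length, beside a backtick-only non-greedy regex reconstructed from comment 1's description, both run over two constructed documents. Function names mirror the script's only as labels; the link extractor is simplified and the project's real implementation is not on this page.

```javascript
// Added example, not the PR's scripts/ci/docs-check.js: a line-based fence
// state machine as comments 1 and 3 describe, beside the non-greedy regex
// approach they criticise. Function names mirror the script's only as labels;
// the project's actual implementation is not on this page.

// CommonMark rules applied: a fence opens with a run of 3+ backticks or 3+
// tildes (up to 3 leading spaces) and closes only on a line that carries the
// same fence character, at least as long, with nothing else on the line.
const FENCE_RE = /^ {0,3}(`{3,}|~{3,})/;

// Backtick-only, non-greedy stripping, reconstructed from comment 1's
// description of the current code (not the project's exact expression).
function stripMarkdownCodeNaive(markdown) {
  return markdown.replace(/```[\s\S]*?```/g, "\n");
}

// Hardened stripping: HTML comments dropped, fenced bodies blanked while the
// open fence's char and length are tracked, inline code spans neutralised.
function stripMarkdownCode(markdown) {
  const out = [];
  let open = null; // { char, len } while inside a fenced block
  for (const line of markdown.replace(/<!--[\s\S]*?-->/g, "").split("\n")) {
    const m = FENCE_RE.exec(line);
    if (open === null) {
      if (m) {
        open = { char: m[1][0], len: m[1].length };
        out.push("");
      } else {
        out.push(line.replace(/`+[^`\n]*`+/g, "`code`"));
      }
    } else {
      const closes = m !== null && m[1][0] === open.char &&
        m[1].length >= open.len && line.trim() === m[1];
      if (closes) open = null;
      out.push(""); // fence bodies never reach link extraction
    }
  }
  return out.join("\n");
}

// Simplified inline-link extractor; the project's handles more target forms
// (balanced parentheses, shortcut references) per the PR description.
const LINK_RE = /!?\[[^\]]*\]\(([^)\s]+)(?:\s+"[^"]*")?\)/g;

function extractMarkdownLinks(markdown, strip = stripMarkdownCode) {
  return Array.from(strip(markdown).matchAll(LINK_RE), (m) => m[1]);
}

const TICK3 = "`".repeat(3);
const TICK4 = "`".repeat(4);

// Constructed sample 1 (comment 3's scenario): a four-backtick fence whose
// body shows a bare three-backtick run, then a real link and an HTML comment.
const NESTED_FENCE_DOC = [
  `${TICK4}markdown`,
  `Start a code block with ${TICK3}`,
  "then keep writing: [guide](./missing.md) is still inside the fence",
  TICK4,
  "Real link: [readme](./README.md)",
  "<!-- [draft](./todo.md) -->",
].join("\n");

// Constructed sample 2 (comment 1's scenario): a tilde fence plus an inline
// code span that quotes link syntax.
const TILDE_FENCE_DOC = [
  "~~~bash",
  "[example](./missing-file.md)",
  "~~~",
  "See `[not a link](./x.md)` for the syntax.",
].join("\n");

// Returns what each stripper lets through to link validation for one document.
function compare(doc) {
  return {
    naive: extractMarkdownLinks(doc, stripMarkdownCodeNaive),
    hardened: extractMarkdownLinks(doc),
  };
}

console.log(JSON.stringify(compare(NESTED_FENCE_DOC)));
console.log(JSON.stringify(compare(TILDE_FENCE_DOC)));
```

The naive stripper reports ./missing.md, ./todo.md and ./missing-file.md as broken links; the state machine only surfaces ./README.md.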

Copilot AI review requested due to automatic review settings March 14, 2026 19:23
@coderabbitai (Contributor) bot commented Mar 14, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds three GitHub Actions workflows for CI, advisory, and governance; a Markdown docs link checker and tests; expands the PR template and CONTRIBUTING guidance for testing/compliance; updates ESLint ignores and adds a docs-check npm script; and wires conditional CI gating based on detected change classifications.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Workflows | .github/workflows/ci.yml, .github/workflows/pr-advisory.yml, .github/workflows/pr-governance.yml | Add three orchestration workflows: change-detection gate (code/docs/workflow), conditional job matrices (lint/typecheck/build/tests/docs/actionlint), advisory jobs (coverage/compat/dependency-audit), and a governance job that validates PR body, detects risky paths, and manages live-verification labels. |
| PR Template & Contribution Guide | .github/pull_request_template.md, CONTRIBUTING.md | Expand PR template with Testing, Docs Impact, and Compliance Confirmation checkboxes (including npm run typecheck and npm run docs:check) and update CONTRIBUTING with CI lanes, gatekeeper roles, and local validation commands. |
| Docs / README | README.md, docs/development/CONFIG_FIELDS.md, docs/development/TESTING.md | Add Tests badge and contributing links in README, swap a doc link in CONFIG_FIELDS.md, and substantially expand TESTING.md with CI lanes, test scenarios, normalization edge cases, and maintainer branch-protection guidance. |
| Docs Link Validator & Tests | scripts/ci/docs-check.js, test/docs-check.test.ts | Add a Node.js markdown link validator (exports extractMarkdownLinks and validateLink) that resolves local targets and validates workflow-badge targets; add extensive Vitest tests covering many link/fixture edge cases. |
| Tooling / Config | eslint.config.js, package.json | Add coverage/** to ESLint ignore list and add docs:check npm script (node scripts/ci/docs-check.js). |
| PR Template (explicit file) | .github/pull_request_template.md | Insert new checklist items for typecheck/docs:check, add Docs Impact and Compliance Confirmation sections, and instructions for manual/maintainer live verification and labels. |

Sequence Diagram(s)

sequenceDiagram
    participant PR as Pull Request / Push
    participant GHA as GitHub Actions
    participant Detect as Detect Changes Job
    participant Jobs as Conditional Jobs
    participant Gate as required-pr Gate
    participant Status as PR Status

    PR->>GHA: Trigger workflow (pull_request / push / schedule)
    GHA->>Detect: Run detect changes job
    Detect->>Detect: Classify diffs → docs_changed, code_changed, workflow_changed
    Detect->>Jobs: Emit flags

    par Conditional execution
        Jobs->>Jobs: If code_changed → lint, typecheck, build, unit tests
        Jobs->>Jobs: If docs_changed → docs-sanity (docs:check)
        Jobs->>Jobs: If workflow_changed → actionlint
    end

    Jobs->>Gate: Report statuses
    Gate->>Gate: Aggregate required checks
    Gate->>Status: Set PR pass/fail status
    Status->>PR: Display gating result
sequenceDiagram
    participant PR as PR Event
    participant PG as PR Governance Job
    participant GH as GitHub API
    participant Risk as Risk Analyzer
    participant Valid as PR Body Validator
    participant Label as Label Manager
    participant Summary as Job Summary

    PR->>PG: Trigger on pull_request_target
    PG->>GH: Fetch changed files and PR body
    GH->>Risk: Provide file list
    Risk->>Risk: Match risky patterns (auth, request, storage, etc.)
    Risk->>PG: Set live_verification_required flag

    PG->>Valid: Parse PR body for required sections and checkboxes
    Valid->>Valid: Validate compliance and live verification consistency

    alt live_verification_required != label state
        PG->>Label: Create/update `needs-live-verification` label
        Label->>GH: Attach/remove label as needed
    end

    Valid->>Summary: Build findings summary
    Summary->>GH: Write job summary
    PG->>PG: Fail job if validation failures exist

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I hopped through diffs with eager eyes,

Labels, links, and checks in tidy ties,
Workflows hum and docs get plucked,
Tests await where links were tucked,
A joyful thump — the pipeline flies!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'ci: add smart PR workflow automation' accurately summarizes the main changes in the PR, which add required and advisory CI workflows, PR governance automation, and supporting docs/scripts. |
| Description check | ✅ Passed | The pull request description includes all required sections from the template: Summary, Testing, Docs Impact, and Compliance Confirmation. |


@ndycode added the exempt label (Maintainer-approved override for PR quality screening) on Mar 14, 2026

@cubic-dev-ai bot left a comment

2 issues found across 11 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="scripts/ci/docs-check.js">

<violation number="1" location="scripts/ci/docs-check.js:56">
P2: Non-markdown file arguments can crash the docs checker because they are passed to `walkMarkdownFiles` as if they were directories.</violation>
</file>

<file name=".github/workflows/ci.yml">

<violation number="1" location=".github/workflows/ci.yml:69">
P2: Docs change detection is too narrow for `test/` and can skip `docs-sanity` for markdown files like `test/AGENTS.md`.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Copilot AI (Contributor) left a comment

Pull request overview

Adds a required CI workflow with change detection and governance checks, plus an advisory workflow lane and a docs-link checker, and updates docs/templates to reflect the new CI model.

Changes:

  • Introduces required CI workflow with change classification, required check aggregation, and workflow linting
  • Adds PR Governance (template/compliance enforcement) and PR Advisory (coverage/compat/audit) workflows
  • Adds docs:check script to validate local markdown links and workflow badge targets; updates contributor/testing docs and PR template

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.

Show a summary per file
| File | Description |
|---|---|
| scripts/ci/docs-check.js | New Node script to validate Markdown local links and GitHub Actions workflow badge/link targets |
| package.json | Adds docs:check script entry |
| eslint.config.js | Ignores coverage/** in ESLint |
| docs/development/TESTING.md | Documents required vs advisory CI lanes; updates “See Also” links |
| docs/development/CONFIG_FIELDS.md | Updates cross-reference link to testing/CI guidance |
| README.md | Adds CI workflow badge/link |
| CONTRIBUTING.md | Updates contributor checklist to include new validation commands and live verification expectations |
| .github/workflows/pr-governance.yml | Adds PR template/compliance/live-verification enforcement via pull_request_target |
| .github/workflows/pr-advisory.yml | Adds advisory lanes for coverage, compat matrix, and dependency audit with change detection |
| .github/workflows/ci.yml | Adds required CI with smart change detection and required check aggregation |
| .github/pull_request_template.md | Expands testing checklist and adds docs impact + live verification checkboxes |


@coderabbitai (Contributor) bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (2)
.github/workflows/ci.yml (1)

208-224: Consider adding npm ci for future-proofing.

The docs-sanity job skips npm ci because docs-check.js currently only uses Node.js built-ins. This works now but could break if the script ever adds npm dependencies.

If you want to keep the job fast, the current approach is acceptable. Otherwise, consider adding the install step for consistency with other jobs.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 208 - 224, The docs-sanity job
currently runs "npm run docs:check" without installing dependencies, which may
break if docs-check.js later requires packages; add an install step (run "npm
ci") in the docs-sanity job before the "Verify markdown links and CI badge
targets" step so that the environment matches other jobs and ensures
reproducible installs for the "npm run docs:check" command.
test/docs-check.test.ts (1)

3-11: Test covers the critical parentheses edge case.

The test validates the specific hardening mentioned in the PR commits for markdown parsing. Consider expanding coverage in a follow-up to include additional edge cases:

  • Code block exclusion (links inside fenced blocks should be ignored)
  • Angle-bracket targets: [text](<url with spaces>)
  • Links with title text: [text](url "title")
  • Image links: ![alt](image.png)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/docs-check.test.ts` around lines 3 - 11, The test using
extractMarkdownLinks currently validates parentheses-inside-link-targets but
should be extended to cover additional edge cases: add assertions in the "keeps
balanced parentheses inside markdown link targets" test (or a new test in the
same suite) that verify links are ignored in fenced code blocks, that
angle-bracket targets like [text](<url with spaces>) are parsed correctly, that
links with title text like [text](url "title") return the url without the title,
and that image links like ![alt](image.png) are excluded or handled as expected
by extractMarkdownLinks; update the test cases to include examples for each of
these scenarios referencing the extractMarkdownLinks import and the existing
test structure so the parser hardening is fully covered.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pr-governance.yml:
- Around line 61-65: The workflow currently only uses complianceChecked to gate
failure; update the pr-governance job to enforce all compliance checkboxes by
evaluating noLiveRequiredChecked, manualLiveChecked, and maintainerLiveChecked
alongside complianceChecked (and any additional checkbox patterns introduced in
the PR template) and fail when any of them is false. Locate the regex-derived
booleans (complianceChecked, noLiveRequiredChecked, manualLiveChecked,
maintainerLiveChecked) and change the condition that decides success/failure to
require all of them (e.g., logical AND of these variables or explicit checks),
ensuring the job reports failure if any of the required assertions is unchecked.
- Around line 64-65: The maintainer verification is being read from the PR body
via the regex that sets maintainerLiveChecked (and similarly later at lines
115-121), which the PR author can edit; change the logic to use a
maintainer-controlled signal instead (for example check for a repo label like
"maintainer-verified" or a GitHub review/approval from a user in the MAINTAINERS
list) rather than the PR body text. Update the code that currently tests body
with /- \[x\] Maintainer live verification completed\./i.test(body) to instead
query the PR's labels or reviews and set maintainerLiveChecked based on the
presence of that label or an authenticated maintainer approval; apply the same
change to the duplicate check at the later location so both places rely on the
trusted signal.
- Around line 41-50: The risky-path detector only checks file.filename, so
renames that move files out of risky directories bypass detection; update the
logic that builds changedFiles/riskyPaths to consider both file.filename and
file.previous_filename (when present) from the pulls.listFiles response: for
each file object (referenced by changedFiles and the riskyMatchers array),
collect both names into the list you filter, then evaluate
riskyMatchers.some(...) against both filename and previous_filename to ensure
moves out of lib/auth/, lib/request/, lib/storage (and index.ts) still trigger
liveVerificationRequired.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ea8eaccb-7c36-4cfb-b504-59a9e8e4282b

📥 Commits

Reviewing files that changed from the base of the PR and between 05109fa and 4d90271.

📒 Files selected for processing (12)
  • .github/pull_request_template.md
  • .github/workflows/ci.yml
  • .github/workflows/pr-advisory.yml
  • .github/workflows/pr-governance.yml
  • CONTRIBUTING.md
  • README.md
  • docs/development/CONFIG_FIELDS.md
  • docs/development/TESTING.md
  • eslint.config.js
  • package.json
  • scripts/ci/docs-check.js
  • test/docs-check.test.ts
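An added example, not the PR's pr-governance.yml script, that implements the three inline comments above as pure functions over data shaped like the GitHub API objects the workflow reads: every compliance checkbox is enforced, maintainer verification comes from a maintainer-owned label rather than the author-editable body, and renamed files are matched on their previous path too. It also avoids the unescaped-heading problem flagged in the Greptile review by matching the heading line exactly instead of building a RegExp from it. Assumed: listFiles' `filename`/`previous_filename` fields, the label names quoted in this thread, and this example's own storage-path matcher and decision rules.

```javascript
// Added example, not the PR's pr-governance.yml script. Assumptions: changed
// files carry listFiles' `filename`/`previous_filename`; `labels` is the PR's
// live label-name list; the storage matcher shape and the pass/fail rules are
// this example's own, not the project's.

const RISKY_MATCHERS = [/^lib\/auth\//, /^lib\/request\//, /^lib\/storage(\/|\.ts$)/, /^index\.ts$/];
const MAINTAINER_LABEL = "maintainer-live-verified"; // applied by maintainers only
const NEEDS_LABEL = "needs-live-verification";       // managed by the workflow

// Checkbox texts taken from the PR template section shown in this PR's body.
const COMPLIANCE_ITEMS = [
  "This change stays within the repository scope and OpenAI Terms of Service expectations.",
  "This change uses official authentication flows only and does not add bypass, scraping, or credential-sharing behavior.",
  "I updated tests and documentation when the change affected users, maintainers, or repository behavior.",
];

// Rename-aware: a move out of a risky directory still carries the old path.
function riskyPathTouched(files) {
  return files.some((file) =>
    [file.filename, file.previous_filename]
      .filter(Boolean)
      .some((name) => RISKY_MATCHERS.some((re) => re.test(name))));
}

// Exact line match on the heading, so no RegExp is ever built from it.
function getSectionContent(markdown, heading) {
  const lines = markdown.split("\n");
  const start = lines.findIndex((line) => line.trim() === `## ${heading}`);
  if (start === -1) return null;
  const body = [];
  for (const line of lines.slice(start + 1)) {
    if (/^## /.test(line)) break;
    body.push(line);
  }
  return body.join("\n");
}

// The checkbox text does go into a RegExp, so it is escaped first.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function isChecked(section, label) {
  return new RegExp(`^\\s*[-*] \\[x\\] ${escapeRegExp(label)}\\s*$`, "im").test(section);
}

// Returns failures plus the label changes the workflow should apply.
function evaluateGovernance({ body, files, labels }) {
  const failures = [];
  const section = getSectionContent(body, "Compliance Confirmation");
  if (section === null) {
    failures.push("missing section: Compliance Confirmation");
  } else {
    for (const item of COMPLIANCE_ITEMS) {
      if (!isChecked(section, item)) failures.push(`unchecked: ${item}`);
    }
  }
  const liveRequired = riskyPathTouched(files);
  // Trusted signal: a label only maintainers apply, never a body checkbox.
  const maintainerVerified = labels.includes(MAINTAINER_LABEL);
  const needsLive = liveRequired && !maintainerVerified;
  if (needsLive) failures.push(`risky paths changed; waiting for ${MAINTAINER_LABEL}`);
  return {
    failures,
    liveRequired,
    addLabels: needsLive && !labels.includes(NEEDS_LABEL) ? [NEEDS_LABEL] : [],
    removeLabels: !needsLive && labels.includes(NEEDS_LABEL) ? [NEEDS_LABEL] : [],
  };
}

// Constructed sample: a PR that renames a file out of lib/auth/ and ticks the
// maintainer checkbox itself; that body text is deliberately not trusted.
const SAMPLE_BODY = [
  "## Summary",
  "- move helper",
  "## Compliance Confirmation",
  ...COMPLIANCE_ITEMS.map((item) => `- [x] ${item}`),
  "- [x] I manually tested with a real ChatGPT Plus/Pro account.",
  "- [x] Maintainer live verification completed.",
  "## Notes",
  "- Linked issue: none.",
].join("\n");
const SAMPLE_FILES = [
  { filename: "lib/legacy/helper.ts", previous_filename: "lib/auth/helper.ts", status: "renamed" },
  { filename: "README.md", status: "modified" },
];

console.log(JSON.stringify(evaluateGovernance({ body: SAMPLE_BODY, files: SAMPLE_FILES, labels: [] })));
```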

@cubic-dev-ai bot left a comment

2 issues found across 4 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="scripts/ci/docs-check.js">

<violation number="1" location="scripts/ci/docs-check.js:23">
P2: `normalizeLinkTarget` can leave `<...>` wrappers on valid link destinations that include a title, causing false "Missing local target" failures.</violation>
</file>

<file name=".github/workflows/pr-advisory.yml">

<violation number="1" location=".github/workflows/pr-advisory.yml:71">
P3: Docs-only detection misses non-whitelisted root `*.md` files, so markdown-only PRs (e.g. `AGENTS.md`) still run expensive advisory jobs.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (3)
.github/workflows/pr-governance.yml (3)

64-68: ⚠️ Potential issue | 🟠 Major

Two compliance assertions from the PR template are never enforced.

.github/pull_request_template.md adds the official-auth and tests/docs checkboxes, but this job only parses and fails on the first compliance line. A PR can leave those unchecked and still get a green pr-governance result.

Also applies to: 114-116

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-governance.yml around lines 64 - 68, The PR governance
job only checks complianceChecked and the live-related flags; add regex tests
for the two missing checkboxes from the template (official-auth and tests/docs)
and include them in the overall failure condition so the job fails when either
is unchecked. Concretely, add constants like officialAuthChecked = /- \[x\]
Official auth required and documented\./i.test(body) and testsDocsChecked = /-
\[x\] Tests\/docs updated\/added as needed\./i.test(body) (use the exact
checkbox text from the PR template), then update the pass/fail logic that
currently uses complianceChecked, noLiveRequiredChecked, manualLiveChecked, and
maintainerLiveChecked to also require officialAuthChecked and testsDocsChecked;
ensure the job logs which checkbox is missing and exits non-zero when any
required box is not checked.

68-68: ⚠️ Potential issue | 🟠 Major

Use a maintainer-owned signal for maintainer verification.

maintainerLiveChecked comes from the PR body, so the author can tick it themselves and satisfy the required gate without any maintainer action. Gate this on something the PR author cannot edit, like a label or maintainer review.

Also applies to: 118-123

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-governance.yml at line 68, The current
maintainerLiveChecked boolean is derived from the PR body (the regex on body),
which the author can edit; replace that check with an authority-bound signal
such as a maintainer-owned label or an official maintainer review. Specifically,
update the logic that sets maintainerLiveChecked to instead inspect
context.payload.pull_request.labels for a maintainer verification label (e.g.,
"maintainer-verified") or check reviews for an APPROVED review from a user in
your MAINTAINERS list (or a review with a "maintainer" team membership), and
apply the same change to the duplicate logic referenced around lines 118-123 so
both places rely on the immutable maintainer-owned signal rather than the PR
body.

44-54: ⚠️ Potential issue | 🟠 Major

Include renamed-from paths in the risky matcher.

A PR can move lib/auth/..., lib/request/..., or lib/storage... out of a risky path and clear liveVerificationRequired, because this only inspects file.filename. Match against both file.filename and file.previous_filename from pulls.listFiles.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-governance.yml around lines 44 - 54, The risky-path
check only tests file.filename, allowing renames to bypass detection; update the
logic that builds riskyPaths (which uses changedFiles, riskyMatchers,
riskyPaths, and liveVerificationRequired) to test both file.filename and
file.previous_filename from the files list returned by pulls.listFiles (falling
back to undefined safely), i.e., when filtering run riskyMatchers.some(...)
against both names so renames still count as risky and liveVerificationRequired
is set appropriately.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pr-governance.yml:
- Around line 72-84: The ensureLabel() function needs to tolerate a race when
two PRs both get a 404 and try to create the same repo-scoped label; update the
error handling in ensureLabel() (around github.rest.issues.getLabel and
github.rest.issues.createLabel) so that when createLabel throws a 422 (label
already exists) you swallow/ignore that specific error and continue, but still
rethrow any other errors (i.e., catch errors from createLabel, if error.status
=== 422 || error.message includes 'already_exists' return/continue, otherwise
throw).

In `@scripts/ci/docs-check.js`:
- Around line 239-242: The current check resolves rawPath to resolvedPath and
then tests existence, but doesn't prevent paths that escape the repository;
modify the logic in the code that computes resolvedPath (using path.resolve) to
first compute rel = path.relative(ROOT, resolvedPath) and reject any target
where rel starts with '..' or is an absolute escape (e.g., rel === '' and
resolvedPath outside ROOT), returning an error like "Target escapes repository
root" before calling exists(resolvedPath); keep the exists(resolvedPath) call
only after the boundary check so functions like exists and symbols resolvedPath,
rawPath, ROOT, path.relative are used as described.

---

Duplicate comments:
In @.github/workflows/pr-governance.yml:
- Around line 64-68: The PR governance job only checks complianceChecked and the
live-related flags; add regex tests for the two missing checkboxes from the
template (official-auth and tests/docs) and include them in the overall failure
condition so the job fails when either is unchecked. Concretely, add constants
like officialAuthChecked = /- \[x\] Official auth required and
documented\./i.test(body) and testsDocsChecked = /- \[x\] Tests\/docs
updated\/added as needed\./i.test(body) (use the exact checkbox text from the PR
template), then update the pass/fail logic that currently uses
complianceChecked, noLiveRequiredChecked, manualLiveChecked, and
maintainerLiveChecked to also require officialAuthChecked and testsDocsChecked;
ensure the job logs which checkbox is missing and exits non-zero when any
required box is not checked.
- Line 68: The current maintainerLiveChecked boolean is derived from the PR body
(the regex on body), which the author can edit; replace that check with an
authority-bound signal such as a maintainer-owned label or an official
maintainer review. Specifically, update the logic that sets
maintainerLiveChecked to instead inspect context.payload.pull_request.labels for
a maintainer verification label (e.g., "maintainer-verified") or check reviews
for an APPROVED review from a user in your MAINTAINERS list (or a review with a
"maintainer" team membership), and apply the same change to the duplicate logic
referenced around lines 118-123 so both places rely on the immutable
maintainer-owned signal rather than the PR body.
- Around line 44-54: The risky-path check only tests file.filename, allowing
renames to bypass detection; update the logic that builds riskyPaths (which uses
changedFiles, riskyMatchers, riskyPaths, and liveVerificationRequired) to test
both file.filename and file.previous_filename from the files list returned by
pulls.listFiles (falling back to undefined safely), i.e., when filtering run
riskyMatchers.some(...) against both names so renames still count as risky and
liveVerificationRequired is set appropriately.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 50699a6c-2fd2-4ca8-b783-97f3a616faf8

📥 Commits

Reviewing files that changed from the base of the PR and between 4d90271 and 18ec2e3.

📒 Files selected for processing (5)
  • .github/workflows/ci.yml
  • .github/workflows/pr-advisory.yml
  • .github/workflows/pr-governance.yml
  • scripts/ci/docs-check.js
  • test/docs-check.test.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/ci.yml
  • test/docs-check.test.ts

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/ci/docs-check.js`:
- Around line 215-235: getWorkflowPathFromUrl currently treats any
github.com/actions/workflows URL as a local workflow; change it to only return a
workflow filename when the URL path includes the current repository owner/name.
Update getWorkflowPathFromUrl to parse pathname with a regex like
/^\/([^/]+)\/([^/]+)\/actions\/workflows\/([^/]+)(?:\/badge\.svg)?$/ to capture
owner, repo, and workflowFile, then compare owner/repo against the current
repository (use process.env.GITHUB_REPOSITORY if available or a repository
constant used by this script) and only return the workflowFile when they match;
keep validateLink behavior but rely on the updated getWorkflowPathFromUrl to
avoid flagging external repo badges as missing.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 450bb52a-7294-40f3-9496-d2dbb8d86875

📥 Commits

Reviewing files that changed from the base of the PR and between 18ec2e3 and 44e2b19.

📒 Files selected for processing (6)
  • .github/pull_request_template.md
  • .github/workflows/pr-advisory.yml
  • .github/workflows/pr-governance.yml
  • CONTRIBUTING.md
  • scripts/ci/docs-check.js
  • test/docs-check.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/pull_request_template.md

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 4 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="scripts/ci/docs-check.js">

<violation number="1" location="scripts/ci/docs-check.js:225">
P2: Normalize owner/repo casing before comparing, otherwise same-repo workflow URLs with different case bypass workflow validation.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
.github/workflows/pr-governance.yml (1)

142-144: Consider specifying which sections are missing in the error message.

The current message doesn't tell contributors which specific sections they need to add, making it harder to fix.

📝 Suggested improvement
+            const sectionNames = ["Summary", "Testing", "Docs Impact", "Compliance Confirmation", "Notes"];
+            const missingSectionNames = missingSections.map((pattern, i) => sectionNames[i] || pattern.toString());
             if (missingSections.length > 0) {
-              failures.push("PR description is missing one or more required template sections.");
+              failures.push(`PR description is missing required sections: ${missingSectionNames.join(", ")}.`);
             }
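Review bot: indexing `sectionNames` by position within `missingSections` (`missingSections.map((pattern, i) => sectionNames[i] || pattern.toString())`) mislabels the output whenever an earlier section is present, because `missingSections` is a filtered subset of the full pattern list and its indices no longer line up with `sectionNames`; a body missing only "Notes" would be reported as missing "Summary". Pair each name with its pattern before filtering, e.g. `const sections = [{ name: "Summary", pattern: /.../ }, ...]`, and build `missingSectionNames` from the entries whose pattern fails to match, or keep `missingSections` as the list of indices into the full array.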
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-governance.yml around lines 142 - 144, When pushing the
failure into failures, include the actual missing section names from
missingSections so contributors know what to add; replace the static message in
the block that checks if (missingSections.length > 0) (the failures.push call)
with a message that appends or interpolates missingSections.join(', ') (or
formatted list) into the error string so it reads something like "PR description
is missing required template sections: X, Y, Z."
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/pr-governance.yml:
- Around line 142-144: When pushing the failure into failures, include the
actual missing section names from missingSections so contributors know what to
add; replace the static message in the block that checks if
(missingSections.length > 0) (the failures.push call) with a message that
appends or interpolates missingSections.join(', ') (or formatted list) into the
error string so it reads something like "PR description is missing required
template sections: X, Y, Z."

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a43f4a85-4e40-4f46-98d9-fdcf13b61173

📥 Commits

Reviewing files that changed from the base of the PR and between 44e2b19 and ec4e852.

📒 Files selected for processing (5)
  • .github/workflows/ci.yml
  • .github/workflows/pr-advisory.yml
  • .github/workflows/pr-governance.yml
  • scripts/ci/docs-check.js
  • test/docs-check.test.ts
🚧 Files skipped from review as they are similar to previous changes (4)
  • scripts/ci/docs-check.js
  • .github/workflows/pr-advisory.yml
  • .github/workflows/ci.yml
  • test/docs-check.test.ts

ndycode commented Mar 15, 2026

@coderabbitai review
@greptile @cubic review

cubic-dev-ai bot commented Mar 15, 2026

@coderabbitai review
@greptile @cubic review

@ndycode I have started the AI code review. It will take a few minutes to complete.


coderabbitai bot commented Mar 15, 2026

@ndycode: Kicking off a fresh review of the current head now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 12 files

ndycode commented Mar 15, 2026

@coderabbitai review
@greptile @cubic review

cubic-dev-ai bot commented Mar 15, 2026

@coderabbitai review
@greptile @cubic review

@ndycode I have started the AI code review. It will take a few minutes to complete.


coderabbitai bot commented Mar 15, 2026

@ndycode: Kicking off a fresh review of the current head now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/pr-governance.yml">

<violation number="1" location=".github/workflows/pr-governance.yml:41">
P1: The markdown stripping is incomplete, so governance checkboxes can still be spoofed inside valid code syntax (e.g., `~~~` fenced blocks or multi-backtick code spans).</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@cubic-dev-ai cubic-dev-ai bot left a comment

2 issues found across 12 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/development/TESTING.md">

<violation number="1" location="docs/development/TESTING.md:42">
P3: Update the advisory-matrix description to include the Windows Node 18 lane so the testing guide matches the actual workflow.</violation>
</file>

<file name=".github/workflows/pr-governance.yml">

<violation number="1" location=".github/workflows/pr-governance.yml:40">
P1: Compliance checkbox validation can be bypassed via HTML comments because comment content is not stripped before regex checks.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

ndycode commented Mar 15, 2026

Addressed the remaining governance/docs review items in f305221 and re-ran the full local validation set:

  • npm run docs:check
  • npm run lint
  • npm run typecheck
  • npm run build
  • npm test

Reset the PR body back to the human-maintained summary for current head f305221.

@coderabbitai review
@greptile @cubic review

cubic-dev-ai bot commented Mar 15, 2026

Addressed the remaining governance/docs review items in f305221 and re-ran the full local validation set:

  • npm run docs:check
  • npm run lint
  • npm run typecheck
    ...

@ndycode I have started the AI code review. It will take a few minutes to complete.


coderabbitai bot commented Mar 15, 2026

@ndycode: Thanks for addressing the remaining governance/docs review items in f305221 and for running the full local validation suite (docs:check, lint, typecheck, build, and test). I'll kick off a fresh review against the current head now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cubic-dev-ai cubic-dev-ai bot left a comment

2 issues found across 12 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/pr-governance.yml">

<violation number="1" location=".github/workflows/pr-governance.yml:20">
P2: The concurrency key is too specific: including `github.event.action` prevents stale governance runs for the same PR from being canceled.</violation>
</file>

<file name="scripts/ci/docs-check.js">

<violation number="1" location="scripts/ci/docs-check.js:270">
P2: `extractMarkdownLinks` misses shortcut reference links (`[label]`), so those links are not validated and broken docs links can slip through.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

ndycode commented Mar 15, 2026

Addressed the shortcut-reference docs-check gap in d16b767 and re-ran the full local validation set:

  • npm run docs:check
  • npm run lint
  • npm run typecheck
  • npm run build
  • npm test

Refreshed the PR body for current head d16b767.

@greptile @cubic review

cubic-dev-ai bot commented Mar 15, 2026

Addressed the shortcut-reference docs-check gap in d16b767 and re-ran the full local validation set:

  • npm run docs:check
  • npm run lint
  • npm run typecheck
    ...

@ndycode I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai cubic-dev-ai bot left a comment

2 issues found across 12 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="scripts/ci/docs-check.js">

<violation number="1" location="scripts/ci/docs-check.js:251">
P1: The shortcut-reference regex is too permissive and matches inline/full-reference links, which can cause false broken-link failures in docs-check.</violation>
</file>

<file name=".github/workflows/pr-governance.yml">

<violation number="1" location=".github/workflows/pr-governance.yml:20">
P2: Concurrency is partitioned by event action, so governance runs for the same PR can execute in parallel and race on label updates/state checks.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

ndycode commented Mar 15, 2026

Addressed the remaining governance/docs-check review items in 2681483:

  • serialized pr-governance per PR to avoid cross-action label races without canceling in-flight invalidation runs
  • tightened shortcut-reference parsing so inline/full-reference links do not false-match as shortcut references
  • added regression coverage for the parser edge case

Re-ran the full local validation set on the committed head:

  • npm run docs:check
  • npm run lint
  • npm run typecheck
  • npm run build
  • npm test

Reset the PR body back to the human-maintained summary for current head 2681483.

@coderabbitai review
@cubic-dev-ai
@greptile-apps review


coderabbitai bot commented Mar 15, 2026

@ndycode: Thanks for addressing the remaining governance/docs-check items in 2681483 — the serialized concurrency for pr-governance to prevent label races, the tightened shortcut-reference parsing to avoid false-matches on inline/full-reference links, and the regression coverage for that parser edge case all look like solid hardening steps. I'll kick off a fresh review against the current head now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

ndycode commented Mar 15, 2026

Addressed the remaining fresh governance review item in 4d1be96:

  • hardened PR-body fenced-code parsing so longer CommonMark closing fences cannot leak compliance checkboxes through pr-governance

Re-ran the local validation set on the committed head:

  • npm run docs:check
  • npm run lint
  • npm run typecheck
  • npm run build
  • npm test

Reset the PR body back to the human-maintained summary for current head 4d1be96.

@coderabbitai review
@cubic-dev-ai
@greptile-apps review


coderabbitai bot commented Mar 15, 2026

@ndycode: Thanks for addressing the fenced-code parsing hardening in 4d1be96 — closing the CommonMark longer-fence leak in pr-governance is a solid correctness fix. Confirmed you re-ran the full local validation suite (docs:check, lint, typecheck, build, and test). Kicking off a fresh review against the current head now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 245-247: The CI job invoking the docs-check script uses "npm run
docs:check", but docs-check.js contains an isDirectRun guard that checks
process.argv[1] against __filename so main() never runs when launched via npm;
update the workflow step that currently runs npm run docs:check to invoke the
script directly with Node (e.g., run node ./scripts/ci/docs-check.js) so the
isDirectRun check passes and main() executes, ensuring the markdown link/CI
badge validation actually runs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bad10035-39c7-467e-8c41-32849c519255

📥 Commits

Reviewing files that changed from the base of the PR and between ec4e852 and 4d1be96.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .github/workflows/pr-advisory.yml
  • .github/workflows/pr-governance.yml
  • docs/development/TESTING.md
  • scripts/ci/docs-check.js
  • test/docs-check.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/docs-check.test.ts

Labels

exempt Maintainer-approved override for PR quality screening

2 participants