MCP tools now auto-detect which repo a call is for based on file paths in the params (filePath, path, targetPath, target, moduleId). This eliminates the need for explicit switchRepo calls before querying a different repo.
- Add repo_resolver.go with extractPathHint() and resolveRepoForPath()
- Add engine_cache.go with getOrCreateEngine() and ensureActiveEngine()
- Hook auto-resolution into handleCallTool dispatch
- Initialize engine cache in all server constructors
- Remove IsMultiRepoMode() gates from listRepos/switchRepo/getActiveRepo
- Remove TODO skips in cmd/ckb/mcp.go
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
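The path-hint extraction and repo resolution described in this commit, as an added example that is not CKB's code: the hint key names come from the commit message, but the function bodies, the longest-root-wins rule and the sample repo roots are constructed here.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// hintKeys are the tool parameters the commit says carry a file path,
// checked in this order. The key names are from the commit message.
var hintKeys = []string{"filePath", "path", "targetPath", "target", "moduleId"}

// extractPathHint returns the first non-empty string found under one of
// hintKeys in a tool call's params, or "" when none is present. Non-string
// values (numbers, nested objects) are ignored rather than stringified.
func extractPathHint(params map[string]any) string {
	for _, k := range hintKeys {
		if v, ok := params[k].(string); ok && strings.TrimSpace(v) != "" {
			return v
		}
	}
	return ""
}

// insideRoot reports whether path lies within root (or is root itself),
// using filepath.Rel rather than a string prefix so /work/ckb-other does
// not match root /work/ckb.
func insideRoot(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveRepoForPath returns the configured repo root that contains hint,
// preferring the longest matching root so a nested checkout wins over its
// parent. It returns "" for an empty or relative hint, or one that lies
// outside every root, so the caller can fall back to the active repo.
func resolveRepoForPath(hint string, repoRoots []string) string {
	if hint == "" || !filepath.IsAbs(hint) {
		return ""
	}
	hint = filepath.Clean(hint)
	roots := make([]string, 0, len(repoRoots))
	for _, r := range repoRoots {
		roots = append(roots, filepath.Clean(r))
	}
	sort.Slice(roots, func(i, j int) bool { return len(roots[i]) > len(roots[j]) })
	for _, root := range roots {
		if insideRoot(root, hint) {
			return root
		}
	}
	return ""
}

func main() {
	// Constructed sample: three registered repos, one nested inside another.
	roots := []string{"/work/ckb", "/work/ckb/vendor", "/work/ckb-other"}
	params := map[string]any{"limit": 5, "targetPath": "/work/ckb/internal/mcp/server.go"}
	fmt.Println(resolveRepoForPath(extractPathHint(params), roots)) // /work/ckb
}
```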
- Upgrade Go from 1.24.12 to 1.24.13 to fix crypto/tls vulnerability (GO-2026-4337)
- Add repo_resolver_test.go with tests for extractPathHint and resolveRepoForPath
- Add engine_cache_test.go with tests for ensureActiveEngine, getOrCreateEngine, evictLRULocked
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds #nosec G115 annotations with safety justifications to 38 integer conversions across 13 files. All are provably safe: fd conversions (uintptr->int), SCIP protobuf coordinates (int32->int), and small SQL values (int64->int). Unblocks Security Gate on PR #131.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix actual bugs in telemetry/matcher.go and compression/truncation.go where int values were incorrectly converted to rune (producing garbage Unicode). Use strconv.Itoa instead. Annotate remaining G115 false positives: time.Duration conversions, SCIP coordinates, and small enum/percentage casts.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All flagged file operations use internally-constructed paths (from filepath.Join, config dirs, CLI flags) — not untrusted user input. Also fixes gofmt alignment in symbols.go.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CI excludes G304/G306 but flags G703 (taint-based path traversal) and G122 (filepath.Walk TOCTOU). Update all annotations to match the actual rules being reported. Add missing annotations for setup.go:472, refresh.go:269, and prepare_move.go:141.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Update go.mod from 1.24.13 to 1.26.0 (latest stable, fixes GO-2026-4597/4599/4600 stdlib vulns flagged by govulncheck)
- Add G703 (taint-based path traversal) to gosec exclude list, consistent with G304 already being excluded for the same reason (all file paths are internally constructed from trusted sources)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
feat: Auto-resolve active repository from file paths in MCP tool params
…cked files in repo state
- Update index metadata (commit hash, repo state ID) after incremental indexing so freshness checks stay in sync
- Exclude untracked files from repo dirty state and repo state ID to avoid false "stale" signals from temp/editor files
- Add continue on stale index in watch loop to keep retrying
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bumps the go-deps group with 2 updates: [golang.org/x/crypto](https://github.com/golang/crypto) and [modernc.org/sqlite](https://gitlab.com/cznic/sqlite).
Updates `golang.org/x/crypto` from 0.47.0 to 0.48.0
- [Commits](golang/crypto@v0.47.0...v0.48.0)
Updates `modernc.org/sqlite` from 1.44.3 to 1.45.0
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.44.3...v1.45.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.48.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: modernc.org/sqlite
  dependency-version: 1.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
...
Signed-off-by: dependabot[bot] <support@github.com>
Implements comprehensive PR review with parallel quality gates:
- Engine core (review.go): orchestrates breaking, secrets, tests, complexity, coupling, hotspots, risk, and critical-path checks
- CLI command (cmd/ckb/review.go): human, markdown, github-actions formats
- MCP tool (reviewPR): full InputSchema, added to PresetReview
- HTTP API (POST /review/pr): GET/POST with policy overrides
- Config section (ReviewConfig): repo-level policy defaults
- Complexity delta (review_complexity.go): tree-sitter before/after comparison
- Coupling gaps (review_coupling.go): co-change analysis for missing files
- 15 tests covering integration (real git repos) and unit tests
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
PR split suggestion via connected component analysis on module affinity + coupling graph. Change classification (new/refactor/moved/churn/config/test/generated) with review priority. Review effort estimation based on LOC, file switches, module context switches, and critical file overhead. Per-cluster reviewer assignment from ownership data.
New files:
- review_split.go: BFS-based clustering, coupling edge enrichment
- review_classify.go: 8 categories with confidence + priority
- review_effort.go: time estimation with complexity tiers
- review_reviewers.go: per-cluster reviewer scoping
Wired into ReviewPR response (SplitSuggestion, ChangeBreakdown, ReviewEffort, ClusterReviewers). CLI formatters updated for human and markdown output. 16 new tests, 31 total.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… 4-7
Batch 4 — Code Health & Baseline:
- 8-factor weighted health score (cyclomatic, cognitive, LOC, churn, coupling, bus factor, age, coverage)
- Per-file health deltas with A-F grading, wired as parallel check
- Finding baselines: save/load/list/compare with SHA256 fingerprinting
- CLI: ckb review baseline save/list/diff
Batch 5 — Industrial/Compliance:
- Traceability check: configurable regex patterns for ticket IDs in commits/branches
- Reviewer independence enforcement: author exclusion, critical-path escalation
- Compliance evidence export format (--format=compliance)
- Git adapter: GetCommitRange() for commit-range queries
Batch 6 — CI/CD & Output Formats:
- SARIF v2.1.0 output with partialFingerprints, fixes, rules
- CodeClimate JSON output for GitLab Code Quality
- GitHub Action (action/ckb-review/action.yml) with PR comments and SARIF upload
- GitLab CI template (ci/gitlab-ckb-review.yml) with code quality job
Batch 7 — Tests & Golden Files:
- 6 golden-file tests for all output formats (human, markdown, sarif, codeclimate, github-actions, json)
- 19 format unit tests (SARIF, CodeClimate, GitHub Actions, human, markdown, compliance)
- 16 health/baseline tests, 10 traceability/independence tests
- Fixed map iteration order in formatters for deterministic output
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds dedicated review-tests job that runs:
- Review engine unit/integration tests (82 tests across batches 1-7)
- Format output tests (SARIF, CodeClimate, GitHub Actions, compliance)
- Golden-file tests with staleness check for testdata/review/
Build job now gates on review-tests passing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Serialize complexity/health/hotspots/risk checks into single goroutine to prevent go-tree-sitter cgo SIGABRT from concurrent parser use
- Fix SARIF v2.1.0: use RelatedLocations for suggestions instead of non-compliant empty Fixes (requires artifactChanges)
- Add path traversal prevention on baseline tags (regex validation)
- Fix matchGlob silent truncation for patterns with 3+ ** wildcards
- Add GHA annotation escaping (%, \r, \n) and markdown pipe escaping
- Fix double file close in calculateBaseFileHealth
- Fix err.Error() != "EOF" to err != io.EOF in HTTP handler
- Fix errcheck violations across format tests and batch tests
- Update MCP preset/budget test counts for new reviewPR tool
- Reformat all files with gofmt
- Add compliance golden file
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
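The baseline-tag path traversal guard from this commit, as an added example rather than CKB's own code: the allowlist regex, the base directory and the function names (validateBaselineTag, baselinePath) are constructed here, since the actual pattern is not on the page. The second, post-join containment check is defence in depth and is also an addition.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// tagPattern is a constructed allowlist, not CKB's actual regex: a tag must
// start with a letter or digit and may then contain letters, digits, '.', '_'
// or '-', up to 64 characters total. A leading dot is excluded so "." and ".."
// can never match; '/' and '\' are excluded so a tag cannot name a directory.
var tagPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)

// ErrBadTag is returned for any tag that fails validation.
var ErrBadTag = errors.New("invalid baseline tag")

// validateBaselineTag accepts a tag only if it matches the allowlist.
func validateBaselineTag(tag string) error {
	if !tagPattern.MatchString(tag) {
		return fmt.Errorf("%w: %q", ErrBadTag, tag)
	}
	return nil
}

// baselinePath maps a user-supplied tag to <baseDir>/<tag>.json. The regex is
// the primary control; the filepath.Rel containment check after the join is an
// independent second guard, so a later relaxation of the regex cannot silently
// reintroduce traversal out of baseDir.
func baselinePath(baseDir, tag string) (string, error) {
	if err := validateBaselineTag(tag); err != nil {
		return "", err
	}
	base := filepath.Clean(baseDir)
	p := filepath.Join(base, tag+".json")
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %s", ErrBadTag, tag, base)
	}
	return p, nil
}

func main() {
	// Constructed sample tags: two valid, three that must be rejected.
	for _, tag := range []string{"main", "v1.2.3_rc-1", "../../etc/passwd", "a/b", ".hidden"} {
		p, err := baselinePath("/repo/.ckb/baselines", tag)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", p)
	}
}
```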
- action.yml: Pass all inputs via env vars to prevent script injection
- action.yml: Generate JSON/GHA/markdown in single pass (was 3 runs)
- action.yml: Use env vars for github.repository/PR number in comment step
- Score: Cap per-check deductions at 20 points so noisy checks (coupling with 100+ co-change warnings) don't floor the score at 0
- Human format: Fix grade+filename concatenation (missing space)
- Effort: Fix comment claiming 400 LOC/hr (code uses 300/500)
- Classify: Remove dead code path (Additions==0 && Deletions==0 already caught by total==0 above), remove unreachable .github map entry
- Baseline: Fix misleading "symlink" comment (it's a copy)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Health check was the main bottleneck — for each file it computed churn, coupling, bus factor, and age scores TWICE (before + after) despite these being branch-independent (identical values, zero delta).
Changes:
- Compute repo-level metrics once per file via repoMetrics struct, pass to both calculateFileHealth and calculateBaseFileHealth
- Cap health check at 30 files (was unbounded)
- Reduce coupling gap file limit from 30 to 20
- Reduce split coupling lookup limit from 30 to 20
- Add ctx.Err() checks in all per-file loops (health, complexity, coupling, split) so cancellation is respected between iterations
For a 39-file PR this cuts ~156 git subprocess calls (4 metrics × 39 files that were duplicated) and caps the total file processing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add ckb review CLI examples and reviewPR MCP tool to CLAUDE.md
- Fix reviewPR description: list all 14 checks, say "concurrently where safe"
- Reuse single complexity.Analyzer in health check (avoids 60+ cgo allocs)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- New pr-review job in CI: runs on PRs after build, posts comment, emits GHA annotations, writes job summary
- New examples/github-actions/pr-review.yml documenting full usage
- Update examples README: add pr-review, mark pr-analysis as legacy
- Fix action.yml misleading comment, route exit code through env var
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move Key Risks section after the checks table so the markdown flows as: checks → narrative → findings. Enable git-blame fallback in reviewer suggestions so repos without CODEOWNERS still get suggested reviewers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- ci.yml: Move pull-requests:write from workflow-level to pr-review job only (other jobs no longer get unnecessary PR write access)
- build-matrix.yml: Set cancel-in-progress:false (runs on main push only, cancelling artifact builds on rapid merges loses artifacts)
- action/ckb-review: Pin upload-sarif to SHA @b1bff81...dcd061c8 (v4), was floating @V3 tag — inconsistent with all other pinned actions
- Update golden for Top Risks section reorder
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- go.mod: Require Go 1.26.1 to resolve GO-2026-4599 through GO-2026-4602 (crypto/x509 cert validation, net/url IPv6 parsing, os.Root escape)
- ci.yml: Align download-artifact SHA to 018cc2cf... matching nfr.yml and security-gate.yml (caught by cicheck consistency test)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The "Fail on review verdict" step referenced ${SCORE} without declaring
it in the env block. Reviewers field now omits from JSON when empty
instead of emitting "reviewers": null.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Four fixes for large-PR noise:
1. New files no longer count as "degraded" — baseline is 0 (not 100), so the delta reflects actual health, not a fake drop from perfect.
2. Total score deduction capped at 80 (floor of 20/100) — prevents 5+ checks from each hitting their per-check cap and zeroing the score.
3. Cluster output capped at 10 in both human and markdown formatters, with "... and N more" overflow.
4. Health output filters unchanged files, separates degraded/improved/new in markdown, and caps displayed entries at 10.
Also bumps trivy-action from 0.33.1 to 0.35.0 (install was failing).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
getFileHotspotScore called GetHotspots (git + tree-sitter) once per changed file inside SummarizePR — replaced with getHotspotScoreMap that fetches once and returns a lookup map.
getSuggestedReviewers called GetOwnership with IncludeBlame per file — capped to 30 lookups (blame only first 10) so large PRs don't trigger hundreds of git-blame subprocesses.
Also includes: narrative/PRTier fields, finding tiers, adaptive output for large PRs, BlockBreaking/BlockSecrets config rename, golden test updates.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Accepts a SARIF v2.1.0 file (e.g., from golangci-lint) and suppresses CKB findings that share the same file:line with the lint report. This prevents CKB from flagging what the linter already catches — an instant credibility loss per the code review research.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…cope into review
Add three new review checks backed by existing analyzers:
- dead-code: SCIP-based unused code detection in changed files
- test-gaps: tree-sitter-based untested function detection (serialized)
- blast-radius: fan-out analysis via AnalyzeImpact (opt-in via --max-fanout)
Add invocation modes: --staged for index diff, --scope/positional arg for path-prefix or symbol-name filtering. Add explain hints on findings.
…cores
Three targeted optimizations to reduce ckb review wall-clock time:
1. Cache hotspot scores: pre-compute once via SkipComplexity option (avoids tree-sitter on 50+ files), share between hotspot and risk checks. Replace SummarizePR call in risk check with direct calculatePRRisk using data already available in ReviewPR.
2. Batch git in health check: replace 4 × N per-file git calls (120+ subprocesses for 30 files) with one git log --name-only for churn/age/coupling and a 5-worker parallel git blame pool.
3. Break serialized block: add tsMu on Engine, run all 5 former serialized checks as independent goroutines that lock only around tree-sitter calls. Git subprocess work in one check overlaps with tree-sitter in another.
… unclamped risk
- Secrets: detect Go struct field declarations (Token string) and
config key→variable assignments ("token": rawToken) as false
positives in isLikelyFalsePositive().
- Coupling: skip CI/config paths (.github/, ci/, *.yml, *.lock) on
both source and target side of co-change analysis — they always
co-change and produce noise, not actionable review signal.
- Risk: clamp score to [0, 1] in calculatePRRisk. Previously factors
could sum above 1.0 on large PRs (e.g. 0.3+0.3+0.3+0.2 = 1.1).
- sortFindings: sort by tier (1→2→3) first, then severity, then path.
  Previously sorted by severity only, so a coupling warning could push a
  breaking-change error out of the top-10 budget cap.
- Reviewer routing: add ExpertiseArea (top directory per reviewer),
  IsAuthor conflict detection (author sorted last), and richer Reason text.
  Add GetHeadAuthorEmail to git adapter for author lookup.
Formatter fixes:
- Drop score from header, show file/line counts instead
- Collapse passing checks into single line (✓ a · b · c)
- Filter summary-restatement findings (Large PR, High churn, etc.)
- Group co-change findings per file (Usually changed with: a, b, c)
- Cap absurd effort estimates (>480min → "not feasible as single PR")
- Collapse health section for large PRs (one-liner summary)
- Clean reviewer emails (strip domain, no @ prefix for emails)
- Wrap narrative text at 72 chars with consistent indent
- Suppress SCIP stale warnings in human format (errors only)
- Priority-sort findings by tier+severity before budget cap
- Fix co-change false positives from basename vs full path mismatch
CI/action updates:
- Add dead-code, test-gaps, blast-radius to available checks list
- Add max-fanout, dead-code-confidence, test-gap-lines action inputs
- Drop score from GitHub step summary (verdict + findings suffice)
- Move architecture SVG to docs/plans/, update Responsibility→Complexity to reflect what's actually wired
- Add image reference in review-cicd.md spec
- Update CLAUDE.md check count and list (14→17)
The pr-review job was skipped when any upstream job (lint, test, security, build) failed, preventing the review comment from being posted on the PR. This is exactly when the review comment is most needed. Use always() so the job runs regardless of upstream status, with a fallback build step when the artifact isn't available.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…tests
- Fix coupling threshold comment (said 70%, code uses 30%)
- Remove phantom coverage weight (never computed, inflated other factors)
- Redistribute weights: cyclomatic 20→25%, age 10→15%, total = 1.0
- Apply neutral-pessimistic penalty when tree-sitter can't parse (binary files no longer get artificially high health scores)
- Add warning log when git is unavailable for health metrics
- Add format constants (FormatMarkdown, FormatGitHubActions, etc.) and use them consistently in review.go switch dispatch
- Unify display caps across human/markdown formatters (10 findings, 10 clusters) via shared constants
- Add API handler tests (9 tests covering GET, POST, policy overrides, method validation, edge cases)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ng review checks
Phase 1 — Enhance existing checks:
- Blast-radius defaults to informational mode (info, not skip) when maxFanOut=0
- Health scores now include Confidence (0-1) and Parseable fields
- Coupling check suppresses new files, downgrades append-only to info
Phase 2 — New analysis capabilities:
- Comment/code drift detection (numeric mismatch in const blocks)
- Dead constant detection via symbol reference counting
- Test-gaps cross-references coverage reports (LCOV/Cobertura)
Phase 3 — Meta-analysis:
- Format consistency check flags divergent literals between Human/Markdown pairs
Schema version bumped to 8.3, check count 17→19.
Five improvements to the review engine:
Phase 1 — HoldTheLine enforcement: post-filter findings to only changed lines when enabled (default), using unified diff parsing. Eliminates pre-existing issue noise on maintenance branches.
Phase 2 — Bug-pattern detection: 10 tree-sitter AST rules (defer-in-loop, unreachable-code, empty-error-branch, unchecked-type-assert, self-assignment, nil-after-deref, identical-branches, shadowed-err, discarded-error, missing-defer-close) with CGO/stub build split.
Phase 3 — SCIP-enhanced rules: discarded-error uses LikelyReturnsError heuristic, missing-defer-close detects unclosed resources. Receiver-type allowlist suppresses false positives on strings.Builder and bytes.Buffer.
Phase 4 — Differential analysis: bug-pattern findings compared against base branch via git-show + AST re-parse, only new issues reported. Count-based dedup handles duplicate patterns correctly.
Phase 5 — LLM narrative: optional --llm flag calls Anthropic API for Claude-powered review summary, falling back to deterministic narrative.
Quality improvements: per-rule score cap (max 10pts/rule), confidence field on findings, smarter narrative preferring actionable checks, corpus tests validating all 10 rules with zero false positives on clean code.
Schema version 8.3 → 8.4, 19 → 20 checks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Noise reduction (258 → 19 findings):
- Receiver-type allowlist for discarded-error (Builder, Buffer, Hash)
- Framework symbol filter for blast-radius (skip variables/constants, works across Go/C++/Java/Python via SCIP symbol kinds)
- Hotspot findings capped to top 10 by churn score
- Complexity findings require +5 cyclomatic delta minimum
- Per-rule score cap (maxPerRule=10) prevents one noisy rule from tanking the score
- Confidence field on findings for downstream filtering
Multi-provider LLM narrative (--llm flag):
- Auto-detects GEMINI_API_KEY or ANTHROPIC_API_KEY from environment
- Self-enrichment: CKB verifies its own findings via findReferences and analyzeImpact before sending to LLM
- LLM narrative corrects CKB false positives (FormatSARIF dead-code)
MCP tool improvements:
- reviewPR: compact mode (~1k tokens vs ~30k), staged/scope params
- Updated tool description (20 checks, not 14)
- compactReviewResponse strips to verdict + active checks + top 10
Integration:
- /review skill orchestrates CKB + LLM with drill-down workflow
- Updated /review-pr to use CKB when available
- Version corrected to 8.2.0 throughout
Docs: three-scenario comparison (LLM alone vs CKB alone vs CKB+LLM) with measured tokens, findings, and honest false-positive accounting.
- Dead-code: add grep verification in both SCIP and constant-scan paths to catch cross-file references SCIP misses (fixes FormatSARIF FP)
- Test-gaps: cap findings at 10 with file:line details, exempt from HoldTheLine filtering (file-level concern, not line-level)
- Config merge: remove == 0 guard on DeadCodeMinConfidence and TestGapMinLines so config file values override defaults
- Skill: make MCP-first, CLI as documented last resort
- MCP tool: document index caching advantage for drill-down calls
LLM integration:
- Triage field on enriched findings (confirmed/likely-fp/verify)
- System prompt instructs LLM to respect triage and explain FPs
- Validated by industry research (Datadog: 92% → 6.3% FP rate)
PR posting:
- --post flag posts markdown review as PR comment via gh CLI
- Non-fatal: prints warning on failure, doesn't block review output
Feedback learning:
- DismissalStore at .ckb/review-dismissals.json
- Users dismiss findings by rule+file (global or file-specific)
- Filtered in review pipeline after HoldTheLine
Skill distribution:
- ckb setup --tool=claude-code installs /ckb-review skill to ~/.claude/commands/ckb-review.md alongside MCP server config
- Interactive ckb setup prompts "Install /ckb-review skill? [Y/n]" when Claude Code is selected (default: yes)
- Skill embedded in binary, auto-updates on re-run
ADR-001: Documents review-LLM integration architecture decision with industry comparison and alternatives considered.
Bugs fixed:
- daemon.go: followLogs() deadlocked on EOF (select{} → sleep+poll),
file.Seek error silently ignored → now returns error
- handlers_review.go: context.Background() → context.WithTimeout
using request context (5 min timeout, respects client cancellation)
- review.go: err shadow at line 267 (postErr)
- setup.go: err shadow at line 215 (skillErr)
All 4 were found by CKB's own review engine + LLM semantic review
during development. CKB review now reports 0 findings on its own code.
Added: README PR Review section, marketing docs (executive summary,
benchmarks, use cases, quickstart, CI integration, how-it-helps-llm).
Updated findings.md and advantages.md with final run data.
feat: Unified PR review engine (ckb review)
Bumps the actions group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `6.0.0` | `7.0.0` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `6.0.0` | `8.0.1` |
| [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment) | `2.9.4` | `3.0.2` |
| [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | `6.4.0` | `7.0.0` |
| [aquasecurity/setup-trivy](https://github.com/aquasecurity/setup-trivy) | `9ea583eb67910444b1f64abf338bd2e105a0a93d` | `3fb12ec12f41e471780db15c232d5dd185dcb514` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.33.0` | `4.34.1` |
| [actions/attest-sbom](https://github.com/actions/attest-sbom) | `2.4.0` | `4.1.0` |

Updates `actions/upload-artifact` from 6.0.0 to 7.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@b7c566a...bbbca2d)
Updates `actions/download-artifact` from 6.0.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@018cc2c...3e5f45b)
Updates `marocchino/sticky-pull-request-comment` from 2.9.4 to 3.0.2
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases)
- [Commits](marocchino/sticky-pull-request-comment@7737449...70d2764)
Updates `goreleaser/goreleaser-action` from 6.4.0 to 7.0.0
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@e435ccd...ec59f47)
Updates `aquasecurity/setup-trivy` from 9ea583eb67910444b1f64abf338bd2e105a0a93d to 3fb12ec12f41e471780db15c232d5dd185dcb514
- [Release notes](https://github.com/aquasecurity/setup-trivy/releases)
- [Commits](aquasecurity/setup-trivy@9ea583e...3fb12ec)
Updates `github/codeql-action` from 4.33.0 to 4.34.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@b1bff81...3869755)
Updates `actions/attest-sbom` from 2.4.0 to 4.1.0
- [Release notes](https://github.com/actions/attest-sbom/releases)
- [Changelog](https://github.com/actions/attest-sbom/blob/main/RELEASE.md)
- [Commits](actions/attest-sbom@bd218ad...c604332)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: marocchino/sticky-pull-request-comment
  dependency-version: 3.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: goreleaser/goreleaser-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: aquasecurity/setup-trivy
  dependency-version: 3fb12ec12f41e471780db15c232d5dd185dcb514
  dependency-type: direct:production
  dependency-group: actions
- dependency-name: github/codeql-action
  dependency-version: 4.34.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/attest-sbom
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...
Signed-off-by: dependabot[bot] <support@github.com>
NFR Tests ✅ 39 unchanged
Comparing PR against main branch (dynamic baseline).
Regressions: 0 ✅
Thresholds: WARN ≥ +5% • FAIL ≥ +10%
All scenarios
* = new scenario, compared against static baseline
🟢 Change Impact Analysis
Blast Radius: 0 modules, 0 files, 0 unique callers
Generated by CKB
CKB review failed to generate output.
…lop/actions-7c65c3a8d0 ci(deps): bump the actions group across 1 directory with 7 updates
…go-deps-965fc4389c fix(deps): bump the go-deps group with 2 updates
Codecov Report ❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #169 +/- ##
=======================================
+ Coverage 45.5% 47.9% +2.3%
=======================================
Files 365 395 +30
Lines 61829 66886 +5057
=======================================
+ Hits 28169 32066 +3897
- Misses 31758 32572 +814
- Partials 1902 2248 +346
Flags with carried forward coverage won't be shown.
- gofmt: fix formatting in 8 files
- errcheck: handle json encode/decode errors in LLM test
- unused: remove old checkHotspots and checkRiskScore (replaced by checkHotspotsWithScores and checkRiskScoreFast)
- gosec G301/G306: tighten dismissals.go permissions (0750/0600)
Summary
CKB v8.2.0 adds a unified PR review engine (`ckb review`) with 20 quality checks, bug pattern detection, LLM integration, and CI support.
Highlights
- `ckb review --ci` with exit codes, SARIF upload, PR comment posting
- `reviewPR(compact: true)` returns ~1k tokens for AI consumers
- `/ckb-review` installed via `ckb setup --tool=claude-code`
- `--llm` flag with Gemini and Anthropic support
- `.ckb/review-dismissals.json` for feedback learning
Bug Fixes
- `followLogs()` deadlock on EOF
Stats
Test plan
- `go build ./...` passes
- `go test ./...` passes (except pre-existing flaky repostate test)
- `ckb review --base=main` produces 0 false positives on its own code
🤖 Generated with Claude Code