Skip to content

feat(workflows): re-land orch-review workflow + add /orch-review command#2400

Open
pythonstrup wants to merge 3 commits into
affaan-m:mainfrom
pythonstrup:feat/orch-review-relaunch
Open

feat(workflows): re-land orch-review workflow + add /orch-review command#2400
pythonstrup wants to merge 3 commits into
affaan-m:mainfrom
pythonstrup:feat/orch-review-relaunch

Conversation

@pythonstrup

Copy link
Copy Markdown
Contributor

What Changed

Re-lands the orch-review native Workflow (#2363, reverted by #2393) and fixes the root cause that forced the revert, plus adds the /orch-review command surface — all in one PR so main stays green this time.

Why the eslint ignore (not a source fix)

#2393 reverted #2363 because, after the dependabot batch, the Lint job runs eslint . and the workflow script fails to parse. Workflow DSL scripts use both top-level export const meta (ESM-only syntax) and top-level return result (the runtime wraps the script in an async function, so the result is captured from the return). No single eslint sourceType can parse a file with both:

sourceType export top-level return
module ❌ parse error
commonjs (repo default) ❌ parse error

Both are mandated by the Workflow runtime, so neither can be removed, and a fatal parse error can't be silenced with an inline eslint-disable. Excluding the file type is the correct, generalizable fix (it covers all future *.workflow.* files), which is why the maintainer recommended it.

Testing Done

Type of Change

  • feat: New feature

Notes

  • Supersedes feat(commands): add /orch-review surface for the orch-review workflow #2397 (command-only), which referenced the reverted workflow file and is being closed in favor of this.
  • Unrelated to this PR: main currently also has an npm ci lockfile drift (eslint 9 in lock vs 10 in package.json) and a missing PyYAML in the Python Tests job. Those break install/test for all PRs and need a separate maintainer fix; this PR does not touch package-lock.json or Python deps.

Follow-ups (not in this PR)

  • i18n mirrors under docs/<locale>/commands/orch-review.md (not CI-enforced).
  • Wiring /orch-review into the orch-pipeline Review phase as the native option.

🤖 Generated with Claude Code

Re-lands affaan-m#2363 (reverted by affaan-m#2393 to unbreak main's lint) and fixes the
root cause so it stays green:

- Restore workflows/orch-review.workflow.js + workflows/README.md.
- eslint.config.js: ignore 'workflows/**/*.workflow.*' and '.claude/workflows/**'
  per the maintainer's note in affaan-m#2393. Workflow DSL scripts use both top-level
  export (ESM) and top-level return (the runtime wraps them in an async fn),
  which no single eslint sourceType can parse — they must be excluded, not
  lint-fixed. 'npx eslint .' is green with this ignore.
- Add commands/orch-review.md (the /orch-review surface) + regenerate
  docs/COMMAND-REGISTRY.json.

Supersedes affaan-m#2397 (command-only), which referenced the reverted workflow.
@ecc-tools

ecc-tools Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f3cdec98-eaa9-473f-9a70-6063e52ba769

📥 Commits

Reviewing files that changed from the base of the PR and between b2f78ce and b130ed3.

📒 Files selected for processing (1)
  • workflows/orch-review.workflow.js
📜 Recent review details
⏰ Context from checks skipped due to timeout. (16)
  • GitHub Check: GitGuardian Security Checks
  • GitHub Check: Greptile Review
  • GitHub Check: Test (macos-latest, Node 22.x, pnpm)
  • GitHub Check: Test (macos-latest, Node 20.x, pnpm)
  • GitHub Check: Test (macos-latest, Node 18.x, pnpm)
  • GitHub Check: Test (macos-latest, Node 18.x, bun)
  • GitHub Check: Test (windows-latest, Node 22.x, pnpm)
  • GitHub Check: Test (macos-latest, Node 22.x, bun)
  • GitHub Check: Test (ubuntu-latest, Node 20.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 22.x, bun)
  • GitHub Check: Test (ubuntu-latest, Node 18.x, bun)
  • GitHub Check: Test (windows-latest, Node 20.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 22.x, pnpm)
  • GitHub Check: Test (windows-latest, Node 18.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 20.x, bun)
  • GitHub Check: Test (ubuntu-latest, Node 18.x, pnpm)
🧰 Additional context used
📓 Path-based instructions (15)
**/*.{js,ts,jsx,tsx,py,java,cs,go,rb,php,scala,kt}

📄 CodeRabbit inference engine (.cursor/rules/common-coding-style.md)

**/*.{js,ts,jsx,tsx,py,java,cs,go,rb,php,scala,kt}: Always create new objects, never mutate existing ones. Use immutable patterns to prevent hidden side effects and enable safe concurrency
Organize code into many small files (200-400 lines typical, 800 lines max) organized by feature/domain rather than by type
Always handle errors explicitly at every level and never silently swallow errors
Always validate all user input before processing at system boundaries
Use schema-based validation where available
Fail fast with clear error messages when validation fails
Never trust external data (API responses, user input, file content)
Ensure code is readable and well-named
Keep functions small (less than 50 lines)
Keep files focused (less than 800 lines)
Avoid deep nesting (more than 4 levels)
Do not use hardcoded values; use constants or configuration instead

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php,swift,kt,rs,c,cpp,h,hpp}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

No hardcoded secrets (API keys, passwords, tokens) - validate before any commit

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php}: All user inputs must be validated
Enable CSRF protection on all state-changing endpoints
Verify authentication and authorization for all protected endpoints
Implement rate limiting on all endpoints to prevent abuse
Ensure error messages do not leak sensitive data in responses

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php,sql}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

Use parameterized queries to prevent SQL injection

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,html,php,java,cs,rb,go}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

Implement XSS prevention by sanitizing HTML output

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php,swift,kt,rs,c,cpp,h,hpp,properties,yml,yaml,json,env,config}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

NEVER hardcode secrets in source code - ALWAYS use environment variables or a secret manager

Files:

  • workflows/orch-review.workflow.js
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript-coding-style.md)

**/*.{ts,tsx,js,jsx}: Use spread operator for immutable updates in TypeScript/JavaScript instead of direct mutation
Use async/await with try-catch for error handling in TypeScript/JavaScript
Use Zod for schema-based input validation in TypeScript/JavaScript
No console.log statements in production code; use proper logging libraries instead

**/*.{ts,tsx,js,jsx}: Auto-format JavaScript/TypeScript files using Prettier after edit
Warn about console.log statements in edited files
Check all modified files for console.log statements before session ends

**/*.{ts,tsx,js,jsx}: Use the ApiResponse interface pattern with generic type parameter: interface ApiResponse<T> { success: boolean; data?: T; error?: string; meta?: { total: number; page: number; limit: number; } }
Implement custom React hooks following the pattern: export a named function with use prefix, generic type parameters, and proper useEffect cleanup for side effects

**/*.{ts,tsx,js,jsx}: Never hardcode secrets; always use environment variables for sensitive credentials like API keys
Throw an error when required environment variables are not configured to fail fast and ensure security prerequisites are met

Use Playwright as the E2E testing framework for critical user flows in TypeScript/JavaScript

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{js,ts,jsx,tsx}: Always create new objects and never mutate in place; return new copies instead
Keep files between 200–400 lines typical, with a maximum of 800 lines
Extract helpers when a file exceeds 200 lines
Handle errors explicitly at every level; never swallow errors silently
Validate all user input before processing; use schema-based validation where available
Never trust external data (API responses, file content, query params); always validate
All user inputs must be validated and sanitized
Error messages must be scrubbed of sensitive internals
Use readable, well-named identifiers in all code
Keep functions under 50 lines
Keep files under 800 lines
Avoid nesting deeper than 4 levels
Implement comprehensive error handling in all code
Do not hardcode values; use constants or environment configuration instead
Do not use in-place mutation; always return new objects or state

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,json,env*}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Do not hardcode secrets, API keys, passwords, or tokens

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{js,ts}: Use parameterized queries for all database writes (no string interpolation)
Auth/authz must be checked server-side for every sensitive path
Rate limiting must be applied to all public endpoints

Files:

  • workflows/orch-review.workflow.js
**/*.{jsx,tsx,js,ts}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

HTML output must be sanitized where applicable

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,env*}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Required environment variables must be validated at startup

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,go,rs,kt,cpp,c,fs}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{js,ts,jsx,tsx,py,java,go,rs,kt,cpp,c,fs}: Write tests before implementation using TDD workflow: write failing test (RED), implement minimal code (GREEN), then refactor (IMPROVE)
Keep functions small (<50 lines) and files focused (<800 lines, typical 200-400 lines)
Avoid deep nesting (>4 levels)

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,go,rs,kt}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{js,ts,jsx,tsx,py,java,go,rs,kt}: Never mutate existing objects; always create new objects with changes applied (Immutability requirement)
Handle errors at every level; provide user-friendly messages in UI code and detailed context in server-side logs
Ensure error messages don't leak sensitive data

Files:

  • workflows/orch-review.workflow.js
**/*.{jsx,tsx,html,js,ts}

📄 CodeRabbit inference engine (AGENTS.md)

Sanitize HTML output to prevent XSS vulnerabilities

Files:

  • workflows/orch-review.workflow.js
🔇 Additional comments (1)
workflows/orch-review.workflow.js (1)

266-266: Still classify low-confidence isReal=true verdicts as uncertain.

uncertain only includes low-confidence isReal=false verdicts, so low-confidence positive verifier results can still inflate confirmed and undercount uncertain. This matches the previously flagged verifier classification issue.

Also applies to: 291-293


📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • Added an orch-review command with documented local vs PR review workflows.
    • Introduced a native review workflow that produces structured verdicts with blocking vs advisory findings and review statistics.
  • Bug Fixes
    • Strengthened fail-closed behavior to prevent “approve” on incomplete or failed reviews; workflow errors are surfaced without implying approval.
  • Documentation
    • Documented the orch-review command and updated the command registry.
    • Added workflow documentation for the “ECC native workflows (pilot)” review gate, including expected inputs/outputs.
  • Chores
    • Expanded ESLint ignores for workflow-related paths.

Walkthrough

Adds workflows/orch-review.workflow.js for parallel review, deduplication, adversarial verification, and fail-closed verdict assembly, plus the matching command spec, registry entry, pilot README, and ESLint ignore updates.

Changes

orch-review Workflow and Command

Layer / File(s) Summary
Workflow constants, schemas, prompts, and input validation
workflows/orch-review.workflow.js
Defines workflow metadata, language and security dimension selection inputs, reviewer output schemas, prompt builders, and fail-closed argument parsing with haystack construction.
Dimension review, deduplication, and verification
workflows/orch-review.workflow.js
Runs parallel dimension reviews, records per-dimension failures, deduplicates findings by normalized evidence, verifies CRITICAL and HIGH findings, and partitions outcomes into blocking and advisory results.
orch-review command spec and supporting docs
commands/orch-review.md, docs/COMMAND-REGISTRY.json, workflows/README.md, eslint.config.js
Defines Local and PR modes, diff and changedFiles gathering, workflow invocation, output reporting, fail-closed handling, operational edge cases, command registry updates, pilot README content, and ESLint ignore paths for workflow files.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant orch-review Command
  participant orch-review.workflow.js
  participant DimensionReviewers
  participant AdversarialVerifier

  User->>orch-review Command: run in Local or PR mode
  orch-review Command->>orch-review Command: gather diff + changedFiles
  orch-review Command->>orch-review.workflow.js: invoke(diff, language?, changedFiles?)
  orch-review.workflow.js->>orch-review.workflow.js: validate input and select dimensions
  orch-review.workflow.js->>DimensionReviewers: parallel review requests
  DimensionReviewers-->>orch-review.workflow.js: findings or failure/null
  orch-review.workflow.js->>orch-review.workflow.js: deduplicate findings
  orch-review.workflow.js->>AdversarialVerifier: verify CRITICAL/HIGH findings
  AdversarialVerifier-->>orch-review.workflow.js: confirmed | refuted | unverified
  orch-review.workflow.js-->>orch-review Command: verdict, blocking, advisory, incomplete, stats
  orch-review Command-->>User: report results
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • affaan-m/ECC#2363: Introduces the same orch-review workflow and pilot documentation shape that this PR extends with the command spec and registry entry.
  • affaan-m/ECC#2393: Directly conflicts with workflows/orch-review.workflow.js and its exported meta, which this PR adds back.

Suggested reviewers

  • affaan-m
  • daltino

Poem

A diff arrives with careful grace,
Three gates inspect it face to face.
Findings split, then skeptics test the flame,
No clean approve if any steps fall lame.
🔍 The review hums, and verdicts find their name.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: re-landing the orch-review workflow and adding the /orch-review command.
Description check ✅ Passed The description accurately describes the workflow re-land, lint fix, command surface, and validation steps in this PR.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Biome (2.5.1)
workflows/orch-review.workflow.js

File contains syntax errors that prevent linting: Line 280: Illegal return statement outside of a function

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@greptile-apps

greptile-apps Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR re-lands the native orch-review workflow and adds a slash-command entry point. The main changes are:

  • Restored workflows/orch-review.workflow.js and its workflow README.
  • Added /orch-review for local and GitHub PR diff review.
  • Updated ESLint ignores for workflow DSL files.
  • Regenerated the command registry for the new command.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
workflows/orch-review.workflow.js Restores the native review workflow with input validation, review fan-out, deduplication, and fail-closed verification handling.
commands/orch-review.md Adds the slash-command surface for collecting diffs and invoking the workflow.
eslint.config.js Adds workflow DSL paths to the ESLint ignore list.
docs/COMMAND-REGISTRY.json Updates the registry counts and adds the new orch-review command.
workflows/README.md Documents the native workflow pilot, invocation shape, result contract, and follow-up work.

Reviews (3): Last reviewed commit: "style(workflows): apply formatter to orc..." | Re-trigger Greptile

Comment thread workflows/orch-review.workflow.js
Comment thread commands/orch-review.md

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 9

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@commands/orch-review.md`:
- Line 81: The stats example is incomplete and does not match the workflow
return contract; update the example used in orch-review.md to include the
missing confirmed, unverified, and refuted fields alongside dimensions, failed,
raw, and unique so it reflects the full shape returned by the workflow. Use the
stats contract referenced by the workflow to locate the example and keep the
field names consistent with the returned object.
- Line 110: The wording in the reviewer concurrency note is too verbose; update
the phrase used in orch-review.md from “Very large diff” to a cleaner
alternative like “Large diff” or “Extremely large diff.” Keep the rest of the
guidance about workflow-capped reviewer concurrency unchanged.

In `@eslint.config.js`:
- Line 6: The ESLint ignore list in the config currently excludes workflow files
entirely, which lets parser or globals issues in workflow definitions escape
linting. Update the workflow handling around the config’s ignores so
`workflows/**/*.workflow.*` and the mirrored `.claude/workflows/**` copy still
get a workflow-specific validation pass before being excluded, and keep the
relevant logic near the `ignores` entry in `eslint.config.js` so it is easy to
find.

In `@workflows/orch-review.workflow.js`:
- Around line 116-120: The verifier flow in verifyPrompt and the downstream
result classification should fail closed for low-confidence cases. Update the
logic so uncertainty in the verifier does not automatically become a
refuted/advisory outcome; instead, treat ambiguous or low-confidence results as
blocking, especially for CRITICAL/HIGH findings. Use the existing verifyPrompt
return path and the classification code around the false-verdict handling to
distinguish “confidently false” from “uncertain” and preserve blocking behavior
when confidence is not strong enough.
- Around line 157-166: The dimension assembly in orchestrator logic is mutating
existing arrays/objects, which violates the immutable-update rule; update the
logic around the dimension construction and dedup/merge path in
orch-review.workflow.js to build new arrays/objects instead of using push or
direct property assignment. Replace in-place updates in the dimension setup and
any later merge logic (including the prev.dimensions and prev.severity handling)
with non-mutating patterns that return fresh values while preserving the
existing behavior of the reviewer selection and security trigger flow.
- Around line 149-154: Validate each entry in input.changedFiles before
constructing the security trigger haystack in orch-review.workflow.js: the
existing Array.isArray check in the changedFiles guard only verifies the
container, not its contents. Add a per-item validation step in the same input
validation block (or immediately before building haystack) to ensure every entry
is a string path, and reject non-string objects like { path: "auth.js" } with a
clear error. Then build haystack from the validated string paths only, using the
existing diff and changedFiles handling.
- Around line 104-128: The prompt builders in reviewPrompt and verifyPrompt
treat raw diff text as plain instructions, which leaves them open to
prompt-injection from untrusted diff content. Harden both functions by wrapping
the diff in explicit data delimiters and adding clear instructions that the diff
is untrusted input to be evaluated only as data, not followed as directives;
update the prompt strings in reviewPrompt and verifyPrompt to preserve this
separation.
- Around line 73-81: The schema in orch-review.workflow.js is missing
enforcement for blocker proof on HIGH/CRITICAL findings, so update the JSON
schema definition to require proof and a non-empty value when severity is HIGH
or CRITICAL. Adjust the schema around the properties for severity and proof so
the contract is enforced by validation, not only by the prompt, and keep the
existing required fields like title, severity, file, and evidence intact.

In `@workflows/README.md`:
- Around line 55-58: The follow-up list in README is outdated because the
`/orch-review` command is already included in this PR via
commands/orch-review.md and docs/COMMAND-REGISTRY.json. Update the “Not in this
PR” bullets to remove the command itself and keep only the remaining missing
work, such as the skill trigger, mirrored i18n docs, surface tests, and
installer/manifest wiring; use the existing `/orch-review` and
docs/COMMAND-REGISTRY.json entries to locate the related change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 39118479-0e06-4f09-9569-62f6852a596b

📥 Commits

Reviewing files that changed from the base of the PR and between 81af407 and 9e4b175.

📒 Files selected for processing (5)
  • commands/orch-review.md
  • docs/COMMAND-REGISTRY.json
  • eslint.config.js
  • workflows/README.md
  • workflows/orch-review.workflow.js
📜 Review details
⏰ Context from checks skipped due to timeout. (15)
  • GitHub Check: Greptile Review
  • GitHub Check: Test (macos-latest, Node 20.x, bun)
  • GitHub Check: Test (macos-latest, Node 20.x, pnpm)
  • GitHub Check: Test (macos-latest, Node 22.x, pnpm)
  • GitHub Check: Test (windows-latest, Node 22.x, pnpm)
  • GitHub Check: Test (macos-latest, Node 18.x, pnpm)
  • GitHub Check: Test (macos-latest, Node 18.x, bun)
  • GitHub Check: Test (ubuntu-latest, Node 20.x, bun)
  • GitHub Check: Test (ubuntu-latest, Node 22.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 18.x, bun)
  • GitHub Check: Test (windows-latest, Node 18.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 20.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 22.x, bun)
  • GitHub Check: Test (windows-latest, Node 20.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 18.x, pnpm)
🧰 Additional context used
📓 Path-based instructions (19)
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php,swift,kt,rs,c,cpp,h,hpp,properties,yml,yaml,json,env,config}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

NEVER hardcode secrets in source code - ALWAYS use environment variables or a secret manager

Files:

  • docs/COMMAND-REGISTRY.json
  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,json,env*}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Do not hardcode secrets, API keys, passwords, or tokens

Files:

  • docs/COMMAND-REGISTRY.json
  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,go,rb,php,scala,kt}

📄 CodeRabbit inference engine (.cursor/rules/common-coding-style.md)

**/*.{js,ts,jsx,tsx,py,java,cs,go,rb,php,scala,kt}: Always create new objects, never mutate existing ones. Use immutable patterns to prevent hidden side effects and enable safe concurrency
Organize code into many small files (200-400 lines typical, 800 lines max) organized by feature/domain rather than by type
Always handle errors explicitly at every level and never silently swallow errors
Always validate all user input before processing at system boundaries
Use schema-based validation where available
Fail fast with clear error messages when validation fails
Never trust external data (API responses, user input, file content)
Ensure code is readable and well-named
Keep functions small (less than 50 lines)
Keep files focused (less than 800 lines)
Avoid deep nesting (more than 4 levels)
Do not use hardcoded values; use constants or configuration instead

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php,swift,kt,rs,c,cpp,h,hpp}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

No hardcoded secrets (API keys, passwords, tokens) - validate before any commit

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php}: All user inputs must be validated
Enable CSRF protection on all state-changing endpoints
Verify authentication and authorization for all protected endpoints
Implement rate limiting on all endpoints to prevent abuse
Ensure error messages do not leak sensitive data in responses

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php,sql}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

Use parameterized queries to prevent SQL injection

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,html,php,java,cs,rb,go}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

Implement XSS prevention by sanitizing HTML output

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript-coding-style.md)

**/*.{ts,tsx,js,jsx}: Use spread operator for immutable updates in TypeScript/JavaScript instead of direct mutation
Use async/await with try-catch for error handling in TypeScript/JavaScript
Use Zod for schema-based input validation in TypeScript/JavaScript
No console.log statements in production code; use proper logging libraries instead

**/*.{ts,tsx,js,jsx}: Auto-format JavaScript/TypeScript files using Prettier after edit
Warn about console.log statements in edited files
Check all modified files for console.log statements before session ends

**/*.{ts,tsx,js,jsx}: Use the ApiResponse interface pattern with generic type parameter: interface ApiResponse<T> { success: boolean; data?: T; error?: string; meta?: { total: number; page: number; limit: number; } }
Implement custom React hooks following the pattern: export a named function with use prefix, generic type parameters, and proper useEffect cleanup for side effects

**/*.{ts,tsx,js,jsx}: Never hardcode secrets; always use environment variables for sensitive credentials like API keys
Throw an error when required environment variables are not configured to fail fast and ensure security prerequisites are met

Use Playwright as the E2E testing framework for critical user flows in TypeScript/JavaScript

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
{package.json,*.config.js,scripts/**/*.js}

📄 CodeRabbit inference engine (CLAUDE.md)

Package manager detection should support npm, pnpm, yarn, and bun, with configuration via CLAUDE_PACKAGE_MANAGER environment variable or project config.

Files:

  • eslint.config.js
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{js,ts,jsx,tsx}: Always create new objects and never mutate in place; return new copies instead
Keep files between 200–400 lines typical, with a maximum of 800 lines
Extract helpers when a file exceeds 200 lines
Handle errors explicitly at every level; never swallow errors silently
Validate all user input before processing; use schema-based validation where available
Never trust external data (API responses, file content, query params); always validate
All user inputs must be validated and sanitized
Error messages must be scrubbed of sensitive internals
Use readable, well-named identifiers in all code
Keep functions under 50 lines
Keep files under 800 lines
Avoid nesting deeper than 4 levels
Implement comprehensive error handling in all code
Do not hardcode values; use constants or environment configuration instead
Do not use in-place mutation; always return new objects or state

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{js,ts}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{js,ts}: Use parameterized queries for all database writes (no string interpolation)
Auth/authz must be checked server-side for every sensitive path
Rate limiting must be applied to all public endpoints

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{jsx,tsx,js,ts}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

HTML output must be sanitized where applicable

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{js,ts,env*}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Required environment variables must be validated at startup

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,go,rs,kt,cpp,c,fs}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{js,ts,jsx,tsx,py,java,go,rs,kt,cpp,c,fs}: Write tests before implementation using TDD workflow: write failing test (RED), implement minimal code (GREEN), then refactor (IMPROVE)
Keep functions small (<50 lines) and files focused (<800 lines, typical 200-400 lines)
Avoid deep nesting (>4 levels)

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,go,rs,kt}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{js,ts,jsx,tsx,py,java,go,rs,kt}: Never mutate existing objects; always create new objects with changes applied (Immutability requirement)
Handle errors at every level; provide user-friendly messages in UI code and detailed context in server-side logs
Ensure error messages don't leak sensitive data

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
**/*.{jsx,tsx,html,js,ts}

📄 CodeRabbit inference engine (AGENTS.md)

Sanitize HTML output to prevent XSS vulnerabilities

Files:

  • eslint.config.js
  • workflows/orch-review.workflow.js
commands/**/*.md

📄 CodeRabbit inference engine (CLAUDE.md)

Commands should be formatted as Markdown with description frontmatter.

Files:

  • commands/orch-review.md
{agents,skills,commands}/**/*.md

📄 CodeRabbit inference engine (CLAUDE.md)

Use lowercase filenames with hyphens (e.g., python-reviewer.md, tdd-workflow.md) for agents, skills, and commands.

Files:

  • commands/orch-review.md
{skills,commands,agents,rules}/**

⚙️ CodeRabbit configuration file

{skills,commands,agents,rules}/**: Focus on prompt-injection resilience, tool-permission scope, destructive action guards, and secret exfiltration risks.

Files:

  • commands/orch-review.md
🪛 Biome (2.5.1)
workflows/orch-review.workflow.js

[error] 247-254: Illegal return statement outside of a function

(parse)

🪛 LanguageTool
workflows/README.md

[grammar] ~18-~18: Use a hyphen to join words.
Context: ...ted* on uncertainty. MEDIUM/LOW pass through as advisory. The Review→Verify ...

(QB_NEW_EN_HYPHEN)


[style] ~20-~20: Consider an alternative for the overused word “exactly”.
Context: ...berate: deduping before verification is exactly the case the Workflow guidance calls a ...

(EXACTLY_PRECISELY)

commands/orch-review.md

[style] ~110-~110: As an alternative to the over-used intensifier ‘very’, consider replacing this phrase.
Context: ...ainst a checked-out branch instead. - Very large diff: the workflow caps reviewer conc...

(EN_WEAK_ADJECTIVE)

🔇 Additional comments (3)
docs/COMMAND-REGISTRY.json (1)

3-3: LGTM!

Also applies to: 620-628, 1023-1023

workflows/README.md (1)

1-53: LGTM!

Also applies to: 59-60

workflows/orch-review.workflow.js (1)

247-254: 📐 Maintainability & Code Quality

No change needed for workflow DSL files workflows/**/*.workflow.* is already excluded in eslint.config.js, and CI only runs eslint + markdownlint; no Biome parser is configured for this path.

			> Likely an incorrect or invalid review comment.
Comment thread commands/orch-review.md Outdated
Comment thread commands/orch-review.md Outdated
Comment thread eslint.config.js
Comment thread workflows/orch-review.workflow.js
Comment thread workflows/orch-review.workflow.js
Comment thread workflows/orch-review.workflow.js Outdated
Comment thread workflows/orch-review.workflow.js
Comment thread workflows/orch-review.workflow.js Outdated
Comment thread workflows/README.md
- Verifier uncertainty no longer demotes blockers (Greptile P1 + CodeRabbit):
  isReal=false only refutes when confidence >= 0.8; low-confidence 'false'
  is treated as uncertain and kept blocking (fail closed).
- Treat the diff (and finding text) as untrusted input in both review and
  verify prompts; ignore embedded directives (prompt-injection hardening).
- Validate changedFiles entries are strings, not just that it is an array.
- Enforce proof for HIGH/CRITICAL in FINDINGS_SCHEMA, not only in the prompt.
- Remove in-place mutation in dimension build + dedup merge (immutable).
- /orch-review: extract & validate a numeric PR id before shelling out to gh.
- Docs: complete the stats example, soften wording, refresh follow-up list.
@ecc-tools

ecc-tools Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
commands/orch-review.md (1)

6-12: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Add required description frontmatter.

This command spec is missing the YAML frontmatter required by the project convention. Add a description field so tooling and discovery can present the command correctly.

+---
+description: "Surface for workflows/orch-review.workflow.js — runs parallel dimension reviews with deduplication and adversarial verification."
+---
+
 # /orch-review

As per coding guidelines, commands should be formatted as Markdown with description frontmatter.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@commands/orch-review.md` around lines 6 - 12, Add the required YAML
frontmatter to the /orch-review command spec so it follows the project’s
Markdown command convention. Update the top of the document to include a
description field alongside the existing command metadata, keeping the rest of
the orch-review content intact. Use the /orch-review command definition as the
place to add the frontmatter so tooling and discovery can identify it correctly.

Source: Coding guidelines

♻️ Duplicate comments (1)
workflows/orch-review.workflow.js (1)

119-142: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Escape untrusted block delimiters before embedding diff/finding text.

The prompt marks the diff as untrusted, but raw diff/finding fields can still contain ----- END DIFF ----- or newline directives and break out of the intended data block. Encode or escape these fields before interpolation.

Proposed hardening
+function untrustedBlock(label, value) {
+  const endMarker = `----- END ${label} -----`;
+  const escaped = String(value).split(endMarker).join(`----- ESCAPED END ${label} -----`);
+  return [`----- BEGIN ${label} (untrusted) -----`, escaped, endMarker].join('\n');
+}
+
 function reviewPrompt(dimensionLabel, diff) {
@@
-    '----- BEGIN DIFF (untrusted) -----',
-    diff,
-    '----- END DIFF -----'
+    untrustedBlock('DIFF', diff)
@@
-    `Finding (${finding.severity}) in ${finding.file}: ${finding.title}`,
-    `Claimed evidence: ${finding.evidence}`,
-    finding.proof ? `Claimed proof: ${finding.proof}` : '',
+    untrustedBlock('FINDING', JSON.stringify({
+      severity: finding.severity,
+      file: finding.file,
+      title: finding.title,
+      evidence: finding.evidence,
+      proof: finding.proof || undefined
+    }, null, 2)),
@@
-    '----- BEGIN DIFF (untrusted) -----',
-    diff,
-    '----- END DIFF -----'
+    untrustedBlock('DIFF', diff)

As per coding guidelines, “Never trust external data (API responses, user input, file content).”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workflows/orch-review.workflow.js` around lines 119 - 142, The prompt
assembly in verifyPrompt is still interpolating untrusted finding/diff content
directly into the block delimiters, so escape or encode those fields before
joining the string. Update the prompt-building logic in
orchestr-review.workflow.js around verifyPrompt (and any helper that injects
diff/finding text) so embedded newline directives or delimiter-like text cannot
break out of the intended untrusted section.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@workflows/orch-review.workflow.js`:
- Around line 29-31: Update the verdict classification in the workflow so
low-confidence `isReal=true` results are treated as uncertain rather than
confirmed. In the logic around `classifyFindings` and the stats aggregation that
currently counts every `isReal` verdict as confirmed, add a confidence check so
uncertain `isReal` findings are routed into `blocking.uncertain` (or the
equivalent uncertain bucket) and only high-confidence `isReal` findings
increment `stats.confirmed`; then make sure `stats.uncertain` and
`stats.confirmed` stay consistent with that split.

---

Outside diff comments:
In `@commands/orch-review.md`:
- Around line 6-12: Add the required YAML frontmatter to the /orch-review
command spec so it follows the project’s Markdown command convention. Update the
top of the document to include a description field alongside the existing
command metadata, keeping the rest of the orch-review content intact. Use the
/orch-review command definition as the place to add the frontmatter so tooling
and discovery can identify it correctly.

---

Duplicate comments:
In `@workflows/orch-review.workflow.js`:
- Around line 119-142: The prompt assembly in verifyPrompt is still
interpolating untrusted finding/diff content directly into the block delimiters,
so escape or encode those fields before joining the string. Update the
prompt-building logic in orchestr-review.workflow.js around verifyPrompt (and
any helper that injects diff/finding text) so embedded newline directives or
delimiter-like text cannot break out of the intended untrusted section.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: afe4699e-4f08-4035-8506-8d50c2ef067a

📥 Commits

Reviewing files that changed from the base of the PR and between 9e4b175 and b2f78ce.

📒 Files selected for processing (3)
  • commands/orch-review.md
  • workflows/README.md
  • workflows/orch-review.workflow.js
📜 Review details
⏰ Context from checks skipped due to timeout. (11)
  • GitHub Check: Greptile Review
  • GitHub Check: Test (macos-latest, Node 22.x, bun)
  • GitHub Check: Test (windows-latest, Node 22.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 18.x, bun)
  • GitHub Check: Test (windows-latest, Node 20.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 22.x, bun)
  • GitHub Check: Test (windows-latest, Node 18.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 18.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 20.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 22.x, pnpm)
  • GitHub Check: Test (ubuntu-latest, Node 20.x, bun)
🧰 Additional context used
📓 Path-based instructions (18)
commands/**/*.md

📄 CodeRabbit inference engine (CLAUDE.md)

Commands should be formatted as Markdown with description frontmatter.

Files:

  • commands/orch-review.md
{agents,skills,commands}/**/*.md

📄 CodeRabbit inference engine (CLAUDE.md)

Use lowercase filenames with hyphens (e.g., python-reviewer.md, tdd-workflow.md) for agents, skills, and commands.

Files:

  • commands/orch-review.md
{skills,commands,agents,rules}/**

⚙️ CodeRabbit configuration file

{skills,commands,agents,rules}/**: Focus on prompt-injection resilience, tool-permission scope, destructive action guards, and secret exfiltration risks.

Files:

  • commands/orch-review.md
**/*.{js,ts,jsx,tsx,py,java,cs,go,rb,php,scala,kt}

📄 CodeRabbit inference engine (.cursor/rules/common-coding-style.md)

**/*.{js,ts,jsx,tsx,py,java,cs,go,rb,php,scala,kt}: Always create new objects, never mutate existing ones. Use immutable patterns to prevent hidden side effects and enable safe concurrency
Organize code into many small files (200-400 lines typical, 800 lines max) organized by feature/domain rather than by type
Always handle errors explicitly at every level and never silently swallow errors
Always validate all user input before processing at system boundaries
Use schema-based validation where available
Fail fast with clear error messages when validation fails
Never trust external data (API responses, user input, file content)
Ensure code is readable and well-named
Keep functions small (less than 50 lines)
Keep files focused (less than 800 lines)
Avoid deep nesting (more than 4 levels)
Do not use hardcoded values; use constants or configuration instead

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php,swift,kt,rs,c,cpp,h,hpp}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

No hardcoded secrets (API keys, passwords, tokens) - validate before any commit

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php}: All user inputs must be validated
Enable CSRF protection on all state-changing endpoints
Verify authentication and authorization for all protected endpoints
Implement rate limiting on all endpoints to prevent abuse
Ensure error messages do not leak sensitive data in responses

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php,sql}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

Use parameterized queries to prevent SQL injection

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,html,php,java,cs,rb,go}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

Implement XSS prevention by sanitizing HTML output

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,cs,rb,go,php,swift,kt,rs,c,cpp,h,hpp,properties,yml,yaml,json,env,config}

📄 CodeRabbit inference engine (.cursor/rules/common-security.md)

NEVER hardcode secrets in source code - ALWAYS use environment variables or a secret manager

Files:

  • workflows/orch-review.workflow.js
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript-coding-style.md)

**/*.{ts,tsx,js,jsx}: Use spread operator for immutable updates in TypeScript/JavaScript instead of direct mutation
Use async/await with try-catch for error handling in TypeScript/JavaScript
Use Zod for schema-based input validation in TypeScript/JavaScript
No console.log statements in production code; use proper logging libraries instead

**/*.{ts,tsx,js,jsx}: Auto-format JavaScript/TypeScript files using Prettier after edit
Warn about console.log statements in edited files
Check all modified files for console.log statements before session ends

**/*.{ts,tsx,js,jsx}: Use the ApiResponse interface pattern with generic type parameter: interface ApiResponse<T> { success: boolean; data?: T; error?: string; meta?: { total: number; page: number; limit: number; } }
Implement custom React hooks following the pattern: export a named function with use prefix, generic type parameters, and proper useEffect cleanup for side effects

**/*.{ts,tsx,js,jsx}: Never hardcode secrets; always use environment variables for sensitive credentials like API keys
Throw an error when required environment variables are not configured to fail fast and ensure security prerequisites are met

Use Playwright as the E2E testing framework for critical user flows in TypeScript/JavaScript

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{js,ts,jsx,tsx}: Always create new objects and never mutate in place; return new copies instead
Keep files between 200–400 lines typical, with a maximum of 800 lines
Extract helpers when a file exceeds 200 lines
Handle errors explicitly at every level; never swallow errors silently
Validate all user input before processing; use schema-based validation where available
Never trust external data (API responses, file content, query params); always validate
All user inputs must be validated and sanitized
Error messages must be scrubbed of sensitive internals
Use readable, well-named identifiers in all code
Keep functions under 50 lines
Keep files under 800 lines
Avoid nesting deeper than 4 levels
Implement comprehensive error handling in all code
Do not hardcode values; use constants or environment configuration instead
Do not use in-place mutation; always return new objects or state

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,json,env*}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Do not hardcode secrets, API keys, passwords, or tokens

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{js,ts}: Use parameterized queries for all database writes (no string interpolation)
Auth/authz must be checked server-side for every sensitive path
Rate limiting must be applied to all public endpoints

Files:

  • workflows/orch-review.workflow.js
**/*.{jsx,tsx,js,ts}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

HTML output must be sanitized where applicable

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,env*}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Required environment variables must be validated at startup

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,go,rs,kt,cpp,c,fs}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{js,ts,jsx,tsx,py,java,go,rs,kt,cpp,c,fs}: Write tests before implementation using TDD workflow: write failing test (RED), implement minimal code (GREEN), then refactor (IMPROVE)
Keep functions small (<50 lines) and files focused (<800 lines, typical 200-400 lines)
Avoid deep nesting (>4 levels)

Files:

  • workflows/orch-review.workflow.js
**/*.{js,ts,jsx,tsx,py,java,go,rs,kt}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{js,ts,jsx,tsx,py,java,go,rs,kt}: Never mutate existing objects; always create new objects with changes applied (Immutability requirement)
Handle errors at every level; provide user-friendly messages in UI code and detailed context in server-side logs
Ensure error messages don't leak sensitive data

Files:

  • workflows/orch-review.workflow.js
**/*.{jsx,tsx,html,js,ts}

📄 CodeRabbit inference engine (AGENTS.md)

Sanitize HTML output to prevent XSS vulnerabilities

Files:

  • workflows/orch-review.workflow.js
🔇 Additional comments (5)
commands/orch-review.md (3)

41-45: LGTM!


80-89: LGTM! The stats example now includes all fields from the workflow return contract (confirmed, unverified, uncertain, refuted). Past comment resolved.


110-119: LGTM! The "Very large diff" wording fix addresses the previous style comment. Past comment resolved.

workflows/README.md (1)

55-65: LGTM!

workflows/orch-review.workflow.js (1)

82-90: LGTM!

Also applies to: 167-185, 230-234

Comment thread workflows/orch-review.workflow.js
@ecc-tools

ecc-tools Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant