chore: CodeRabbit triage for v0.2.2

[github-actions]

CodeRabbit Triage: v0.2.2

Metric	Value	Δ vs Previous
PRs analyzed	7	-23 ↓
Critical issues	17	-6 ↓
Major issues	57	-63 ↓
Issues per PR	10.6	+5.8 ↑
Coverage gaps	65	-60 ↓

Trend

Release	Date	PRs	Critical	Major	Per PR	Gaps
v0.2.0	2026-04-10	30	23	120	4.8	125
v0.2.2	2026-04-21	7	17	57	10.6	65

Top Uncovered Patterns

1. Critical: InboxMessageAPI endpoints use /projects routes instead of inbox-message-specific paths. (3 occurrences, impact: 12) — sdk
2. Add resource limits and pin DB image to immutable digest. (3 occurrences, impact: 10) — manifests
3. Paginate both project and per-project session fetches. (2 occurrences, impact: 7) — cli, other
4. Reject all mixed auth-field combinations, not just httpToken + gitcookiesContent. (2 occurrences, impact: 6) — backend
5. Thread the request-scoped K8s client into these Secret helpers. (2 occurrences, impact: 6) — backend
6. Add explicit timeout to all Gerrit proxy fetch calls (1 occurrences, impact: 4) — frontend
7. Fix Gerrit response-shape parsing (currently breaks instance extraction) (1 occurrences, impact: 4) — runner
8. Do not keep stale Gerrit config after fetch failures (1 occurrences, impact: 4) — runner
9. Serialize credential refresh/cleanup across concurrent runs. (1 occurrences, impact: 4) — runner
10. Fix namespace mismatch in CP_TOKEN_URL (1 occurrences, impact: 4) — manifests

Recommended Guardrails

CLAUDE.md Conventions

• Critical: InboxMessageAPI endpoints use /projects routes instead of inbox-message-specific paths.: Enforce via convention (needs specific rule)
• Add resource limits and pin DB image to immutable digest.: Enforce via convention (needs specific rule)
• Paginate both project and per-project session fetches.: Enforce via convention (needs specific rule)
• Reject all mixed auth-field combinations, not just httpToken + gitcookiesContent.: Enforce via convention (needs specific rule)
• Thread the request-scoped K8s client into these Secret helpers.: Enforce via convention (needs specific rule)
• Add explicit timeout to all Gerrit proxy fetch calls: Enforce via convention (needs specific rule)
• Fix Gerrit response-shape parsing (currently breaks instance extraction): Enforce via convention (needs specific rule)
• Do not keep stale Gerrit config after fetch failures: Enforce via convention (needs specific rule)
• Serialize credential refresh/cleanup across concurrent runs.: Enforce via convention (needs specific rule)
• Fix namespace mismatch in CP_TOKEN_URL: Enforce via convention (needs specific rule)

Hookify Rules

• PreToolUse hook for critical: inboxmessageapi endpoints use /projects routes instead of inbox-message-specific paths. enforcement in TypeScript code
• PreToolUse hook for add resource limits and pin db image to immutable digest. enforcement in TypeScript code
• PreToolUse hook for paginate both project and per-project session fetches. enforcement in TypeScript code
• PreToolUse hook for reject all mixed auth-field combinations, not just httptoken + gitcookiescontent. enforcement in Go code
• PreToolUse hook for thread the request-scoped k8s client into these secret helpers. enforcement in Go code
• PreToolUse hook for add explicit timeout to all gerrit proxy fetch calls enforcement in TypeScript code
• PreToolUse hook for fix gerrit response-shape parsing (currently breaks instance extraction) enforcement in Python code
• PreToolUse hook for do not keep stale gerrit config after fetch failures enforcement in Python code
• PreToolUse hook for serialize credential refresh/cleanup across concurrent runs. enforcement in Python code
• PreToolUse hook for fix namespace mismatch in cp_token_url enforcement in TypeScript code

[netlify]

✅ Deploy Preview for cheerful-kitten-f556a0 canceled.

Name	Link
🔨 Latest commit	454a937
🔍 Latest deploy log	https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69e976f93d073e000846ff65