feat: add thunder-deep-review skill and advisory CI review proposal#1003
ital0 wants to merge 27 commits into
Conversation
- House-rules + 80 architecture-invariant reviewer (read-only, diff-scoped)
- Unignore .claude/skills/thunder-deep-review in .gitignore so it tracks
- powersync-sync-reviewer: guards two-PR flow, sync-rule parity, _journal integrity
- react-effect-reviewer: enforces useEffect discipline from CLAUDE.md
- Plan, architecture, and deterministic orchestrator for posting deep-review findings as inline PR comments alongside Cursor Bugbot; humans still merge
- Includes 3-model adversarial debate notes and CODEOWNERS rationale
Semgrep Security Scan: No security issues found.
Preview environment deployed 🚀
Stack: Auto-destroys on PR close/merge. Login via the bundled Keycloak realm —
PR Metrics
Updated Fri, 19 Jun 2026 16:51:43 GMT · run #1977
- Encode the project's testing-doc rules into the review skill: the mock.module shared-module ban, DI/PGlite test pattern, fake timers, console suppression, and bun-test cwd expectations.
- Add references/testing-rules.md as the canonical source for these.
- Drop the invented R-BRACES heuristic that had no basis in the docs.
- Rework thunder-deep-review.yml and review-orchestrator.mjs to call the Anthropic public API directly: drop AWS/OIDC/Bedrock auth, run on ubuntu-latest, auth via the ANTHROPIC_API_KEY secret, and pin the model id with zero placeholders left to fill in.
- Fix 7 bugs in the orchestrator surfaced while wiring the workflow.
- Remove the architecture write-ups, debate notes, plan, readme, and CODEOWNERS note from drafts/bot-review.
- Keep only the functional workflow and orchestrator in the PR.
- move workflow + orchestrator from drafts/bot-review to real .github paths
- allow-list Skill+Task in claude_args so the review skill loads at runtime
- add MPL license header to orchestrator (license:check passes)
- claude-code-action crashed with ENOENT statx on .claude/commands/thunderbot
- repo commits .claude/{commands,agents}/thunderbot* as symlinks into a local-only .thunderbot/ dir absent in CI, leaving them dangling
- Claude SDK project-config scan of .claude/ crashes on broken links
- add a pre-step that removes ONLY dangling symlinks, leaving real files intact
…y model never silent-no-ops
🔭 thunder-deep-review (advisory)
Complements the other bots — surfaces only what they did not flag. Never approves, never requests changes, never gates merge.
head: cd9a155f1181 · mode: deep · deferred 12 item(s) already reported by other bots (best-effort dedup)
🔭 thunder-deep-review (advisory)
Complements the other bots — surfaces only what they did not flag. Never approves, never requests changes, never gates merge.
head: 4f145a07ee2e · mode: deep · deferred 16 item(s) already reported by other bots (best-effort dedup)
…ew parses as JSON
…ministic file cap
🔭 thunder-deep-review (advisory)
Complements the other bots — surfaces only what they did not flag. Never approves, never requests changes, never gates merge.
head: db68895908ce · mode: deep · deferred 13 item(s) already reported by other bots (best-effort dedup)
🔭 thunder-deep-review (advisory)
Complements the other bots — surfaces only what they did not flag. Never approves, never requests changes, never gates merge.
head: 9b5097d0f6c2 · mode: deep · deferred 13 item(s) already reported by other bots (best-effort dedup)
…deep-review The claude-code-action SDK (claude-agent-sdk 0.3.181) names the subagent-spawn tool `Agent` in newer type defs and `Task` in the legacy alias. In headless DEFAULT permission mode a tool whose name is not allow-listed is silently denied, which would collapse the skill's sub-reviewer fan-out to a single pass. List both names so the fan-out works regardless of SDK version.
Dedup only suppressed findings matching an OPEN own-thread, so when a teammate manually resolved one of the bot's comments (deeming it intentional) the hash left the open set and the unchanged code made the bot repost it every push. fetchOwnThreads now returns resolvedByLogin and runPost suppresses findings whose hash matches a HUMAN-resolved own-thread. Bot-self-resolved threads are left out so a fixed-then-regressed finding can still re-post.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit ff272ea.
```javascript
    log('post: reopened event — skipping thread resolution.');
  } else if (findings.length === 0) {
    log('post: model returned no findings — skipping thread resolution (no fix signal).');
  } else {
```
Empty findings skip resolve (Medium Severity)
When the model returns a valid {"findings":[]} after a successful run, the post phase skips auto-resolving open review threads. Fixed issues can stay open indefinitely if the model has nothing new to add, which breaks the intended cross-push convergence.
🔭 thunder-deep-review (advisory)
Complements the other bots — surfaces only what they did not flag. Never approves, never requests changes, never gates merge.
head: ff272ea179f3 · mode: deep · deferred 14 item(s) already reported by other bots (best-effort dedup)
Note: Medium Risk. New workflow uses ANTHROPIC_API_KEY and pull-requests: write on same-repo PRs; misconfiguration could leak spend or spam reviews, but fork PRs are excluded and the bot is explicitly non-gating.
Overview
Adds an advisory PR review stack that complements Cursor Bugbot: a read-only thunder-deep-review Claude skill (house rules, 80 architecture invariants, heuristics, testing standards) plus powersync-sync-reviewer and react-effect-reviewer subagents for high-risk domains.
CI introduces thunder-deep-review.yml and review-orchestrator.mjs, which owns all GitHub I/O (poll Bugbot, build a skip-list from its comments, fetch the real PR diff via the API, post one COMMENT review with inline findings). The model step only returns structured JSON via --json-schema; it does not post or write files. Reviews are comment-only (no approve/request-changes), gated to same-repo non-draft PRs, debounced, and fail-soft on orchestrator errors. .gitignore is updated so .claude/skills/thunder-deep-review/** is tracked while other .claude content stays local.
thunder-deep-review.ymlandreview-orchestrator.mjs, which owns all GitHub I/O (poll Bugbot, build a skip-list from its comments, fetch the real PR diff via the API, post oneCOMMENTreview with inline findings). The model step only returns structured JSON via--json-schema; it does not post or write files. Reviews are comment-only (no approve/request-changes), gated to same-repo non-draft PRs, debounced, and fail-soft on orchestrator errors..gitignoreis updated so.claude/skills/thunder-deep-review/**is tracked while other.claudecontent stays local.Reviewed by Cursor Bugbot for commit ff272ea. Bugbot is set up for automated code reviews on this repo. Configure here.