
feat: GitHub Actions for review, guardrails, and orchestration#33

Merged
jdelfino merged 23 commits into main from feat/3-github-actions
Feb 13, 2026

Conversation

@jdelfino
Owner

@jdelfino jdelfino commented Feb 12, 2026

Summary

  • PR review workflow triggering 3 parallel reviewer agents (correctness, tests, architecture) on PR events
  • Orchestrator status check gating merges based on blocking findings and re-review cycle cap
  • 5 guardrail checks: scope enforcement, test-to-code ratio, dependency changes, API surface changes, commit messages
  • Human review → issues Action converting PR review comments to tracked child issues
  • Workflow configuration (config.yaml) and issue templates (task.yml, review-finding.yml)
  • Shared JavaScript library modules extracting common workflow logic
  • Standalone script files for all 8 workflows

Test plan

  • All 8 workflow YAML files validate successfully
  • 163 tests pass (107 Python + 56 shell)
  • All guardrails support config-driven enable/disable and conclusion severity
  • All guardrails implement non-stale PR approval override
  • Orchestrator correctly evaluates blocking sub-issues via GraphQL
  • 10 shared library modules with comprehensive test suites (52 test cases)
  • Node.js added to devcontainer for test execution

Fixes #3
Fixes #16
Fixes #17
Fixes #18
Fixes #19
Fixes #20
Fixes #21
Fixes #22
Fixes #23
Fixes #30
Fixes #37
Fixes #38
Fixes #39

jdelfino and others added 23 commits February 12, 2026 13:52
Add config.yaml with guardrail settings and re-review cycle cap,
task.yml and review-finding.yml issue form templates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Five guardrail checks as independent GitHub Actions workflows:
- Scope enforcement: flags files changed outside task scope
- Test-to-code ratio: enforces configurable test line threshold
- Dependency changes: detects unjustified new dependencies
- API surface changes: language-aware export/route detection
- Commit messages: conventional commit format validation

Each uses Check Run API with approval override support.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Workflow triggers on PR review submission, parses comments,
creates child issues with severity labels, links as sub-issues,
and sets blocking dependencies for critical findings.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Three parallel reviewer agents (correctness, tests, architecture)
triggered on PR open/sync via claude -p. Shared context resolution
job parses Fixes #N. Supports workflow_dispatch for re-triggering.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Gates PR merges by evaluating blocking sub-issues, running
claude-based re-review assessments with configurable cycle cap,
and triggering pr-review.yml when re-review is warranted.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
163 tests covering all workflow files:
- Python tests for test-ratio, human-review, and pr-review workflows
- Shell tests for scope and commit-message guardrails
- YAML syntax, structural, and logic validation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The scope enforcement guardrail was only extracting file paths from the
parent issue body. In practice, file paths are listed in child task
issues created during planning. Now queries all sub-issues via GraphQL
and collects file paths from parent + children.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
actions/github-script@v7 does not include js-yaml, causing both the
dependency-changes and test-ratio guardrails to crash with
"Cannot find module 'js-yaml'". Replace with simple line-based config
parsing matching the pattern used by the scope guardrail. Also fixes
the dependency-changes config path which was reading from a top-level
key instead of under the guardrails: section.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace manual `npm install && claude -p` with anthropics/claude-code-action@v1.
Slim reviewer prompts to just pass context (base branch, parent issue) and
point at skill files — the skills already contain the full review process,
severity labels, and issue filing instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
claude-code-action with CLAUDE_CODE_OAUTH_TOKEN needs id-token:write
to fetch an OIDC token for authentication.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements #37: Created 10 shared library modules in .github/agent-workflow/scripts/lib/
with comprehensive test suites. Each module exports pure functions for common workflow logic:
- config.js: Parse guardrail YAML configuration
- approval.js: Check for non-stale PR approvals
- fixes-parser.js: Extract Fixes #N references
- file-patterns.js: Test/code/dependency file detection
- commit-validator.js: Conventional commit validation
- scope-matcher.js: File path extraction and scope matching
- api-patterns.js: API surface change detection
- patch-parser.js: Unified diff line number parsing
- severity.js: Review comment severity detection
- pr-body.js: Idempotent PR body section replacement

Implements #38: Extracted inline JavaScript from 8 workflow files into standalone scripts:
- guardrail-scope.js, guardrail-test-ratio.js, guardrail-dependencies.js
- guardrail-commits.js, guardrail-api-surface.js
- orchestrator-check.js, human-review.js, pr-context.js

Also added Node.js LTS to devcontainer for test execution.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated remaining 6 workflow YAML files to use extracted scripts:
- guardrail-dependencies.yml → guardrail-dependencies.js
- guardrail-commits.yml → guardrail-commits.js
- guardrail-api-surface.yml → guardrail-api-surface.js
- orchestrator-check.yml → orchestrator-check.js
- human-review.yml → human-review.js
- pr-review.yml → pr-context.js

All 8 workflows now use thin YAML shells that require() standalone scripts,
eliminating 1,800+ lines of duplicated inline JavaScript.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Created tests/validate-workflows.js with 11 tests for YAML structure validation
- Moved lib module tests from .github/agent-workflow/scripts/lib/ to tests/lib/
  with updated import paths (52 tests total for lib modules)
- Deleted old Python and shell tests that only did keyword grep validation
- Added package-lock.json from npm install
- Updated .gitignore to exclude node_modules

Test results: 51/53 passing (2 failing tests reveal pre-existing bugs in lib modules)

Total test coverage: 53 tests
- 11 workflow structure validation tests
- 42 lib module unit tests

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Added .github/workflows/ci.yml that:
- Runs on PRs and pushes to main
- Sets up Node.js LTS with npm cache
- Installs dependencies and runs npm test
- Reports test results

Note: This CI workflow is specific to the agent-workflow repo itself
and should NOT be copied to target repos when install.sh is created.
The installer should exclude:
- .github/workflows/ci.yml
- tests/
- root package.json and package-lock.json

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- file-patterns: Fix isTestFile to match paths starting with "tests/"
  Changed /(^|\/)tests?\// to match "tests/" at start of path or after slash
- fixes-parser: Make regex truly case-insensitive using /i flag
  Changed /[Ff]ixes/ to /fixes/gi for proper case-insensitive matching

Fixes the 2 failing tests in the CI (now 53/53 passing)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The resolve-context job was trying to require() the pr-context.js script
without checking out the repository first, causing MODULE_NOT_FOUND errors.

Added checkout step with sparse-checkout for .github/agent-workflow to
the resolve-context job so the script file is available.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Enables issue scope definitions to use glob patterns (* and **):
- Single wildcard (*) matches files in same directory
- Double wildcard (**) matches files recursively
- Examples: `lib/*.js`, `.github/**/*.yml`

Implementation:
- Updated extractFilePaths() to capture glob patterns
- Added globToRegex() converter with placeholder approach to avoid
  regex conflicts during pattern replacement
- Enhanced isInScope() to detect and match glob patterns
- Added 7 comprehensive tests for glob functionality

Also fixes guardrail-test-ratio to count test files in addition to
code files for accurate line totals.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Both workflows were missing the initial checkout step, causing
MODULE_NOT_FOUND errors when trying to require the script files.

Added sparse-checkout for .github/agent-workflow to both workflows.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove the separate config.yaml configuration file and config.js parser.
Configuration now lives directly in each workflow file's env: block
(CONCLUSION, THRESHOLD, RE_REVIEW_CYCLE_CAP). To disable a guardrail,
delete its workflow file.

Also change approval-override conclusion from success to neutral so
overridden checks remain visibly flagged in the checks tab.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Replace custom regex-based commit validation with industry-standard
@commitlint/config-conventional. Reduces maintenance burden and provides
better error messages.

Changes:
- Use commitlint CLI in workflow instead of custom JS
- Add commitlint.config.js extending conventional preset
- Remove guardrail-commits.js and commit-validator.js
- Remove commit-validator.test.js

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove insecure keyword-matching bypass logic. Any dependency file
modification now requires human review via PR approval.

The previous implementation allowed bypassing the check by including
words like "introduced" anywhere in the PR description, providing
false security. This change makes the guardrail honest and effective.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Delete workflow that auto-converted PR comments to issues. This created
issue spam and duplicate tracking. Human review comments should be
addressed directly by /work, not converted to separate issues.

Next: integrate PR comment handling into coordinator/implementer skills
with auto-resolution when comments are addressed.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@jdelfino jdelfino merged commit 190f219 into main Feb 13, 2026
13 of 15 checks passed