Release / v2.96.0 and v2.96.1

.github/workflows/general-review.yml

@@ -0,0 +1,36 @@
+name: PR Agent - General Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, labeled]
+  issue_comment:
+    types: [created]
+  workflow_dispatch:
+
+jobs:
+  review:
+    if: >-
+      (github.event.action == 'labeled' && github.event.label.name == 'review') ||
+      github.event_name == 'workflow_dispatch' ||
+      (github.event.sender.type != 'Bot' && 
+      github.event_name == 'issue_comment' &&
+      contains(github.event.comment.body, '/review'))
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Run General PR Agent
+        uses: The-PR-Agent/pr-agent@main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OPENROUTER__KEY: ${{ secrets.OPENROUTER__KEY }}
+          CONFIG__MODEL: "openrouter/moonshotai/kimi-k2.6"
+          # Without auto_review=true we cannot have triggers such as
+          # workflow_dispatch and PR label
+          github_action_config.auto_review: "true"
+          github_action_config.auto_describe: "false"
+          github_action_config.auto_improve: "false"

.github/workflows/security-review.yml

@@ -0,0 +1,68 @@
+name: PR Agent - Security Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, labeled]
+  issue_comment:
+    types: [created]
+  workflow_dispatch:
+
+jobs:
+  security_review:
+    if: >-
+      (github.event.action == 'labeled' && github.event.label.name == 'security-review') ||
+      github.event_name == 'workflow_dispatch' ||
+      (github.event.sender.type != 'Bot' && 
+      github.event_name == 'issue_comment' &&
+      contains(github.event.comment.body, '/security-review'))
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v6
+
+      # PR-Agent does not recognize "/security-review" as a native command.
+      # We rewrite the event JSON so the agent sees "/review" instead.
+      # How this works is:
+      # 1. Only this workflow runs because of the if statement
+      # 2. It replaces /security-review with /review
+      # 3. It replaces the extra instructions
+      - name: Rewrite event payload for PR-Agent
+        if: github.event_name == 'issue_comment'
+        run: |
+          jq '(.comment.body // "") |= sub("/security-review"; "/review"; "i")' \
+            "$GITHUB_EVENT_PATH" > "$GITHUB_EVENT_PATH.tmp" && \
+          mv "$GITHUB_EVENT_PATH.tmp" "$GITHUB_EVENT_PATH"
+
+      - name: Run Security PR Agent
+        uses: The-PR-Agent/pr-agent@main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OPENROUTER__KEY: ${{ secrets.OPENROUTER__KEY }}
+          CONFIG__MODEL: "openrouter/anthropic/claude-opus-4.7"
+          # Without auto_review=true we cannot have triggers such as
+          # workflow_dispatch and PR label
+          github_action_config.auto_review: "true"
+          github_action_config.auto_describe: "false"
+          github_action_config.auto_improve: "false"
+          PR_REVIEWER__EXTRA_INSTRUCTIONS: |
+           You are reviewing changes in a security-sensitive Web3 browser extension wallet. Focus exclusively on security, privacy, and compliance risks. Ignore style, performance, or general quality issues unless they have direct security impact.
+
+            Key areas to examine:
+            - Sensitive data exposure or hard-coded secrets
+            - Insecure deserialization, cryptographic issues
+            - Improper access control
+            - Input validation, sanitization, and output encoding
+            - Logging of sensitive information
+            - Changes in key areas like: keystore, signing logic, encryption and safety features
+            - Edge cases in features that ensure the security of the user (e.g., phishing detection, transaction safety checks, etc.)
+
+            For every finding:
+            - State the severity (Critical / High / Medium / Low)
+            - Quote the exact vulnerable code
+            - Explain the risk clearly
+            - Provide concrete remediation steps or code fixes
+
+            Be thorough and precise.

.github/workflows/tests.yml

@@ -11,11 +11,14 @@ on:
       - v2
       - main
       - 'release/*'
+    types: [opened, synchronize, reopened, ready_for_review]
 jobs:
   tests:
     name: Tests
     runs-on: ubuntu-latest
     environment: tests
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false || github.event_name == 'workflow_dispatch'
+
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
     steps:

.pr_agent.toml

@@ -0,0 +1,98 @@
+[config]
+response_language = "en"
+
+# ─────────────────────────────────────────────
+# Token & Cost Guardrails
+# ─────────────────────────────────────────────
+# Cap context for OpenRouter models (safety net for large PRs).
+# The models support 256k+; we clamp to 256k
+# to prevent runaway costs while leaving room for deep reviews.
+custom_model_max_tokens = 256000
+
+# Increase timeout from default 120s → 300s (5 min).
+# Security reviews with large diffs on heavy models need headroom.
+ai_timeout = 300
+
+# If a diff is too large, clip it rather than skipping entirely.
+large_patch_policy = "clip"
+
+# ─────────────────────────────────────────────
+# Ignore Patterns
+# ─────────────────────────────────────────────
+[ignore]
+glob = [
+    # Lockfiles
+    "**/*.lock",
+    "**/package-lock.json",
+    "**/yarn.lock",
+
+    # Build artifacts & deps
+    "artifacts/**",
+    "cache/**",
+    "coverage/**",
+    "node_modules/**",
+    "dist/**",
+    "patches/**",
+
+    # Minified assets
+    "**/*.min.js",
+    "**/*.min.css",
+
+    # Logs
+    "*.log",
+
+    # Tests
+    "**/*.test.ts",
+    "**/*.spec.ts",
+    "**/*.test.js",
+    "**/*.spec.js",
+
+    # Generated / declaration files
+    "**/*.d.ts",
+
+    # CI/CD
+    "**/.github/**",
+]
+
+# ─────────────────────────────────────────────
+# General Review Settings (/review)
+# ─────────────────────────────────────────────
+[pr_reviewer]
+extra_instructions = """
+You are reviewing changes in a security-sensitive Web3 browser extension wallet.
+
+Focus on the diff in front of you and assess it for correctness, security, reliability, and maintainability.
+
+Prioritize issues such as:
+- Requests without error handling and timeouts
+- Inefficient algorithms or data structures
+- Inconsistent naming conventions or formatting
+- Unnecessary complexity or duplication
+- Missing comments or documentation for complex logic
+- Unhandled exceptions and edge cases
+- Swallowed errors and edge case return statements that should at least log an error
+
+Be constructive, concise, and actionable. Keep feedback grounded in the actual changes rather than using a fixed checklist.
+"""
+
+# UX: update the same comment on re-run instead of posting a new one.
+persistent_comment = true
+
+# Post a final "Review completed" message so devs know the agent is done.
+final_update_message = true
+
+# Publish even when there are no major findings (avoids silent failures).
+publish_output_no_suggestions = true
+
+# Enable built-in security sub-section even in general reviews (defense in depth).
+require_security_review = true
+
+# Also scan for missing tests, TODOs, and ticket references.
+require_tests_review = true
+require_todo_scan = true
+require_estimate_effort_to_review = true
+require_ticket_analysis_review = true
+
+# Keep the review header but suppress noisy help text.
+enable_intro_text = true
+enable_help_text = false