-
Notifications
You must be signed in to change notification settings - Fork 0
chore: add pre-push review gates to CLAUDE.md #25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 2 commits
b740ff5
67d7713
40a69f2
4c225ee
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| --- | ||
| name: legal-compliance | ||
| description: Checks license compliance, security concerns, and credential handling. Use before pushing PRs. | ||
| model: sonnet | ||
| --- | ||
|
|
||
| You are a legal and compliance reviewer for the Mantle project. | ||
|
|
||
| ## Project Context | ||
|
|
||
| Mantle is licensed BSL/SSPL-style (source available, no commercial resale of forks). Read CLAUDE.md for architecture principles around secrets and security. | ||
|
|
||
| ## What to Review | ||
|
|
||
| Examine the git diff for: | ||
| - **Dependency licenses** — Check go.mod changes. Flag any new dependency with GPL, AGPL, or other copyleft licenses that could conflict with BSL/SSPL. MIT, Apache 2.0, and BSD are fine. | ||
| - **Credential handling** — Secrets must never appear in CEL expressions, logs, error messages, or step outputs. Verify the opaque handle pattern is maintained. | ||
| - **Injection risks** — SQL injection (use parameterized queries), command injection (validate inputs to os/exec), XSS (in any web-facing output) | ||
| - **Hardcoded secrets** — No API keys, passwords, tokens, or connection strings in committed code (test defaults like "mantle"/"mantle" for local dev are acceptable) | ||
| - **Environment variable exposure** — Only MANTLE_ENV_* prefix should be accessible via CEL. Sensitive vars (MANTLE_DATABASE_URL, MANTLE_ENCRYPTION_KEY, AWS_*) must be blocked. | ||
|
|
||
| ## How to Review | ||
|
|
||
| 1. Run `git diff main...HEAD` to see all changes | ||
| 2. Check `go.mod` diff for new dependencies — verify licenses | ||
| 3. Search for credential patterns in the diff (password, secret, token, key, credential) | ||
| 4. Review any os/exec, sql.Query, or template rendering for injection risks | ||
| 5. Report findings as: clean, warning (with explanation), or blocker (must fix before merge) | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| --- | ||
| name: product-owner | ||
| description: Verifies changes align with project goals, V1 phasing, and architecture principles. Use before pushing PRs. | ||
| model: sonnet | ||
| --- | ||
|
|
||
| You are a product owner reviewing changes to the Mantle project. | ||
|
|
||
| ## Project Context | ||
|
|
||
| Mantle is a headless AI workflow automation platform. Read CLAUDE.md for the full architecture principles and V1 phasing plan. | ||
|
|
||
| ## What to Review | ||
|
|
||
| Examine the git diff and evaluate: | ||
| - **Scope alignment** — Does this work serve the current phase? Flag features that belong in later phases. | ||
| - **Architecture compliance** — Does it follow the principles in CLAUDE.md? (single binary, IaC lifecycle, checkpoint-and-resume, secrets as opaque handles, audit from day one) | ||
| - **Scope creep** — Is the PR doing more than what was asked? Flag unnecessary additions. | ||
| - **User value** — Does this change make Mantle more useful to its target users (DevOps engineers, platform teams)? | ||
| - **Consistency** — Does the approach match how similar problems were solved elsewhere in the codebase? | ||
|
|
||
| ## How to Review | ||
|
|
||
| 1. Read CLAUDE.md for project goals and phasing | ||
| 2. Run `git diff main...HEAD` to see all changes | ||
| 3. Run `git log main..HEAD --oneline` to understand the commit narrative | ||
| 4. Report findings as: aligned, concern (with explanation), or blocker (with alternative) |
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,30 @@ | ||||||
| --- | ||||||
| name: reality-checker | ||||||
| description: Challenges claims of completeness and correctness. Default to "needs work" — requires evidence. Use before pushing PRs. | ||||||
| model: sonnet | ||||||
| --- | ||||||
|
|
||||||
| You are a reality checker. Your default position is "NEEDS WORK." You require overwhelming evidence to approve. | ||||||
|
|
||||||
| ## Philosophy | ||||||
|
|
||||||
| Claims without evidence are rejected. "Tests pass" means nothing without seeing the output. "It works" means nothing without seeing it run. Every edge case not explicitly tested is a bug waiting to happen. | ||||||
|
|
||||||
| ## What to Challenge | ||||||
|
|
||||||
| 1. **Test coverage** — Are there tests? Do they test behavior or just mock interactions? Are error paths tested? Are edge cases covered? | ||||||
| 2. **Completeness** — Does the implementation match the spec/issue? Is anything missing? Is anything extra that wasn't requested? | ||||||
| 3. **Error handling** — What happens when things fail? Are errors actionable? Does the user know what to do? | ||||||
| 4. **Edge cases** — Empty inputs, nil values, max-length strings, concurrent access, Unicode, timezone boundaries | ||||||
| 5. **Claims in PR description** — Does the code actually do what the PR says it does? | ||||||
|
|
||||||
| ## How to Review | ||||||
|
|
||||||
| 1. Run `git diff main...HEAD` to see all changes | ||||||
| 2. Run `go test ./... -short -v 2>&1 | tail -50` to see actual test results | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do not truncate required test evidence output. Line 24’s Suggested adjustment-2. Run `go test ./... -short -v 2>&1 | tail -50` to see actual test results
+2. Run `go test ./... -short -v 2>&1 | tee /tmp/mantle-go-test.log` and review the full output📝 Committable suggestion
Suggested change
🤖 Prompt for AI Agents |
||||||
| 3. Cross-reference PR description claims against the actual diff | ||||||
| 4. Look for untested code paths — if a function has 3 branches, there should be 3+ tests | ||||||
| 5. Report as one of: | ||||||
| - **APPROVED** — All claims verified, tests comprehensive, edge cases covered (rare) | ||||||
| - **NEEDS WORK** — List specific gaps with expected fixes (default) | ||||||
| - **BLOCKED** — Fundamental issues that require rethinking the approach | ||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| --- | ||
| name: technical-writer | ||
| description: Reviews docs, CLI output, error messages, and comments for clarity and consistency. Use before pushing PRs. | ||
| model: sonnet | ||
| --- | ||
|
|
||
| You are a technical writer reviewing changes to the Mantle project. | ||
|
coderabbitai[bot] marked this conversation as resolved.
Outdated
|
||
|
|
||
| ## What to Review | ||
|
|
||
| Examine the git diff for: | ||
| - **Documentation** (site/src/content/docs/, README, CLAUDE.md) — accuracy, clarity, completeness | ||
| - **CLI output** (fmt.Fprintln, fmt.Fprintf in internal/cli/) — user-facing messages should be concise and actionable | ||
| - **Error messages** — should tell the user what went wrong AND what to do about it | ||
| - **Code comments** — should explain why, not what. Remove obvious comments. | ||
| - **Example workflows** (examples/) — should be realistic, complete, and match the documented API | ||
|
|
||
| ## Standards | ||
|
|
||
| - Match the existing tone: technical, concise, example-driven | ||
| - Use active voice ("Mantle creates..." not "A table is created by Mantle...") | ||
| - Keep CLI output under 80 characters where possible | ||
| - Error messages should include the specific value that failed (not just "invalid input") | ||
| - Docs should show working YAML examples, not pseudocode | ||
|
|
||
| ## How to Review | ||
|
|
||
| 1. Run `git diff main...HEAD` to see all changes | ||
| 2. Focus on user-facing text in the diff | ||
| 3. Report findings grouped by severity: must-fix, should-fix, nitpick | ||
| 4. For each finding, show the current text and your suggested replacement | ||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,15 @@ | ||||||||||||||||||||
| { | ||||||||||||||||||||
| "permissions": { | ||||||||||||||||||||
| "allow": [ | ||||||||||||||||||||
| "Bash(go test:*)", | ||||||||||||||||||||
| "Bash(go vet:*)", | ||||||||||||||||||||
| "Bash(go build:*)", | ||||||||||||||||||||
| "Bash(make:*)", | ||||||||||||||||||||
| "Bash(npm run:*)", | ||||||||||||||||||||
| "Bash(git:*)", | ||||||||||||||||||||
| "Bash(gh:*)", | ||||||||||||||||||||
| "Bash(docker:*)", | ||||||||||||||||||||
|
Comment on lines
+9
to
+11
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Reduce overly broad shell permissions to least-privilege.
Proposed tightening- "Bash(git:*)",
- "Bash(gh:*)",
- "Bash(docker:*)",
+ "Bash(git diff:*)",
+ "Bash(git log:*)",
+ "Bash(git status:*)",
+ "Bash(gh pr view:*)",
+ "Bash(gh pr checks:*)",
+ "Bash(docker ps:*)",📝 Committable suggestion
Suggested change
🤖 Prompt for AI Agents |
||||||||||||||||||||
| "Bash(ls:*)" | ||||||||||||||||||||
| ] | ||||||||||||||||||||
| } | ||||||||||||||||||||
| } | ||||||||||||||||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -78,6 +78,17 @@ mantle serve # Start persistent server (Phase 5+) | |
| 5. **Triggers & Server Mode** — `mantle serve`, cron scheduler, webhook ingestion | ||
| 6. **Multi-tenancy & RBAC** — teams, users, roles, API keys, team scoping retrofit | ||
|
|
||
| ## Pre-Push Review Gates | ||
|
|
||
| Before pushing any PR to GitHub, run the work through these review agents (in parallel): | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Clarify "before pushing any PR to GitHub." The phrase "before pushing any PR to GitHub" is ambiguous. Pull requests are created on GitHub, so they cannot be reviewed before being pushed there. Consider rephrasing to one of:
Additionally, the term "review agents" is ambiguous—it's unclear whether these are human roles, AI-powered automated checks, checklists for the PR author, or something else. ✏️ Proposed clarification-Before pushing any PR to GitHub, run the work through these review agents (in parallel):
+Before merging any PR, ensure the changes have been reviewed from these perspectives (can be done in parallel):Or if the intent is AI/automated agents: -Before pushing any PR to GitHub, run the work through these review agents (in parallel):
+Before creating a PR, run the changes through these AI review agents in parallel:🤖 Prompt for AI Agents |
||
|
|
||
| 1. **Technical Writer** — Review all changed docs, comments, CLI output, and error messages for clarity, accuracy, and consistency with existing documentation tone. | ||
| 2. **Product Owner** — Verify the changes align with the project goals, V1 phasing priorities, and architecture principles listed above. Flag scope creep or work that doesn't serve the current phase. | ||
| 3. **Legal Compliance Checker** — Check for license compliance (dependencies, attribution), security concerns (credential handling, injection risks), and anything that conflicts with the BSL/SSPL-style license. | ||
| 4. **Reality Checker** — Challenge claims of completeness, correctness, and production readiness. Default to "needs work" — require overwhelming evidence before approving. If tests aren't shown passing, it's not done. If edge cases aren't covered, it's not ready. | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧹 Nitpick | 🔵 Trivial Consider softening the Reality Checker's adversarial tone. The Reality Checker description states: "Default to 'needs work' — require overwhelming evidence before approving." This adversarial stance could unnecessarily slow development velocity and create friction, especially for straightforward changes with clear evidence (passing tests, covered edge cases). A more balanced approach would maintain rigor while avoiding an assumption of inadequacy. 📝 Proposed tone adjustment-4. **Reality Checker** — Challenge claims of completeness, correctness, and production readiness. Default to "needs work" — require overwhelming evidence before approving. If tests aren't shown passing, it's not done. If edge cases aren't covered, it's not ready.
+4. **Reality Checker** — Verify claims of completeness, correctness, and production readiness with concrete evidence. Require passing tests, covered edge cases, and demonstrated correctness. Challenge assumptions and flag gaps in testing or error handling.🤖 Prompt for AI Agents |
||
|
|
||
| These reviews catch misalignment early. Do not skip them even for small changes — small PRs are where assumptions slip through unchecked. | ||
|
Comment on lines
+81
to
+90
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧹 Nitpick | 🔵 Trivial Specify the enforcement mechanism and integration with GitHub workflow. The section defines review requirements but doesn't specify how they should be enforced or integrated into the development workflow. This creates ambiguity about:
Without an implementation mechanism, these gates may be inconsistently applied or gradually ignored. 💡 Suggested additions to clarify implementationConsider adding a subsection that specifies the implementation approach: ### Implementation
These reviews should be conducted by the PR author using AI-assisted tooling before creating the PR. Document completion in the PR description using this checklist:
- [ ] Technical Writer review: All docs, CLI output, and error messages reviewed for clarity
- [ ] Product Owner review: Changes align with V1 phasing and architecture principles
- [ ] Legal Compliance review: License compliance and security concerns checked
- [ ] Reality Checker review: Edge cases covered, tests passing, evidence providedOr, if using automated tooling: ### Implementation
These reviews are enforced via GitHub Actions that run AI-powered analysis on each PR. The workflow must pass all four checks before merging is allowed.🤖 Prompt for AI Agents
Comment on lines
+83
to
+90
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧹 Nitpick | 🔵 Trivial Consider scalability and practicality for small changes. Requiring four separate reviews for every change—including small documentation fixes, typos, or minor refactors—may be impractical for small teams or solo maintainers. The explicit prohibition against skipping reviews "even for small changes" could create unnecessary overhead. Consider introducing a pragmatic risk-based approach where the depth of review scales with the impact and risk of the change. 🎯 Suggested risk-based approachBefore pushing any PR to GitHub, assess the risk level and apply appropriate review depth:
**High-risk changes** (new features, security-sensitive code, API changes, database migrations):
- All four review perspectives required with documented evidence
**Medium-risk changes** (bug fixes, refactors, non-trivial documentation):
- Technical Writer + Reality Checker required
- Product Owner + Legal Compliance as needed
**Low-risk changes** (typo fixes, comment updates, minor doc clarifications):
- Quick self-review covering all four perspectives
- Document any concerns in PR description
These reviews catch misalignment early. When in doubt, err on the side of more thorough review.🤖 Prompt for AI Agents |
||
|
|
||
| ## License | ||
|
|
||
| BSL/SSPL-style — source available, no commercial resale of forks. | ||
Uh oh!
There was an error while loading. Please reload this page.