Skip to content

fix(#2054): patch review summary when body contradicts findings#2055

Closed
fullsend-ai-coder[bot] wants to merge 1 commit into
mainfrom
agent/2054-review-summary-consistency
Closed

fix(#2054): patch review summary when body contradicts findings#2055
fullsend-ai-coder[bot] wants to merge 1 commit into
mainfrom
agent/2054-review-summary-consistency

Conversation

@fullsend-ai-coder

Copy link
Copy Markdown
Contributor

When the review agent produces an agent-result.json where the body says "No findings" but the action is request-changes and the findings array contains critical or high severity items, the sticky comment would mislead reviewers into thinking the review was clean.

Add ensureBodyFindingsConsistency() which runs after parsing the review result. It detects the contradiction (body contains "No findings", action maps to REQUEST_CHANGES, and critical/high findings exist) and replaces the "No findings" text with a bullet-point summary of the significant findings. The function is conservative: it only triggers when all three conditions are met, leaving approve, comment, and lower-severity-only scenarios untouched.

Nine test cases cover: basic patching, multiple findings with filtering of low-severity items, no-op for accurate bodies, no-op for approve/comment actions, no-op for empty findings, nil safety, findings without file locations, and the reject action alias.

Note: pre-commit could not run due to Go module cache permission errors in the sandbox (infrastructure issue, not code issue).


Closes #2054

Post-script verification

  • Branch is not main/master (agent/2054-review-summary-consistency)
  • Secret scan passed (gitleaks — 0433cbeba7695157165aadefe6c9d8d587eeba88..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox

When the review agent produces an agent-result.json where the body
says "No findings" but the action is request-changes and the findings
array contains critical or high severity items, the sticky comment
would mislead reviewers into thinking the review was clean.

Add ensureBodyFindingsConsistency() which runs after parsing the
review result. It detects the contradiction (body contains "No
findings", action maps to REQUEST_CHANGES, and critical/high findings
exist) and replaces the "No findings" text with a bullet-point
summary of the significant findings. The function is conservative:
it only triggers when all three conditions are met, leaving approve,
comment, and lower-severity-only scenarios untouched.

Nine test cases cover: basic patching, multiple findings with
filtering of low-severity items, no-op for accurate bodies, no-op
for approve/comment actions, no-op for empty findings, nil safety,
findings without file locations, and the reject action alias.

Note: pre-commit could not run due to Go module cache permission
errors in the sandbox (infrastructure issue, not code issue).

Closes #2054
@github-actions

github-actions Bot commented Jun 9, 2026

Copy link
Copy Markdown

Site preview

Preview: https://5766cb17-site.fullsend-ai.workers.dev

Commit: b3fac20dffd1568c84f3fa99a86bf1c5ada706f2

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 9, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:05 AM UTC · Completed 8:16 AM UTC
Commit: ba204cb · View workflow run →

@fullsend-ai-review

Copy link
Copy Markdown

Review

Findings

Medium

  • [scope-exceeded] internal/cli/postreview.go:84 — The PR addresses the symptom (inconsistent "No findings" text) by patching in the CLI layer rather than fixing the root cause in the review agent's summary generation step (pr-review skill step 7). Issue Review agent summary comment should reflect inline findings and verdict #2054 item 3 authorizes a consistency check, but the fix location means the CLI is now responsible for correcting content generated by a different component. Consider documenting this as a temporary mitigation and filing a follow-up to fix summary generation at the source.

  • [architectural-conflict] internal/cli/postreview.go:88 — The consistency patch is placed in the CLI post-review command, which is responsible for posting review results to GitHub. The review body is generated by the pr-review skill. Patching the body in the CLI layer creates a separation of concerns issue. See also: [scope-exceeded] finding at this location.

Low

  • [injection-vuln] internal/cli/postreview.go:545ensureBodyFindingsConsistency uses regexp.ReplaceAllString with a replacement string built from ReviewFinding fields. Go's regexp package interprets $ sequences in the replacement as capture-group backreferences — any $0 or $1 in a finding's Description or Category would silently expand to an empty string, causing content truncation. Use ReplaceAllLiteralString instead, which treats the replacement as a literal string.

  • [edge-case] internal/cli/postreview.go:545noFindingsRe.ReplaceAllString replaces every occurrence of "No findings" in the body. If the body contains the phrase more than once (e.g., in a details block and main section), the findings summary will be duplicated. Consider replacing only the first match.

  • [edge-case] internal/cli/postreview.go:540 — When a ReviewFinding has an empty Description, the generated bullet point ends with : (colon-space) and nothing else. Cosmetic but unguarded.

  • [design-smell] internal/cli/postreview.go:486 — The function uses a hardcoded regex to detect "No findings" text. This is inherently brittle — it assumes a specific English phrase and could match legitimate uses of the phrase in a different context. A structured sentinel marker (e.g., <!-- NO_FINDINGS -->) would be more reliable long-term.

  • [code-organization] internal/cli/postreview.go:489 — The noFindingsRe regex variable is declared immediately before its consumer function, breaking the established pattern where package-level regex variables are grouped at the top of the file (lines 22–24: hexSHARe, reasonRe, hunkHeaderRe).

@ralphbean

Copy link
Copy Markdown
Member

I think we need a different approach here — left some thoughts on #2054.

@ralphbean ralphbean closed this Jun 11, 2026
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jun 11, 2026

Copy link
Copy Markdown

🤖 Finished Retro · ✅ Success · Started 4:53 PM UTC · Completed 5:03 PM UTC
Commit: b3fac20 · View workflow run →

@fullsend-ai-retro

Copy link
Copy Markdown

Retro: PR #2055fix(#2054): patch review summary when body contradicts findings

Timeline

  1. Retro bot filed #2054 after observing the review agent on konflux-ci/konflux-ci#7193 post a summary saying "No findings" while submitting CHANGES_REQUESTED with critical inline comments.
  2. Triage bot (run 27191791696) gave a thorough two-part recommendation: (a) add a consistency gate in postreview.go that validates body against action/findings and rejects or synthesizes a corrected summary, and (b) update skills/pr-review/SKILL.md to instruct the review agent to never say "No findings" when action is request-changes.
  3. Code bot (run 27192081426) implemented only part (a), and chose a regex-based body-patching approach (regexp.ReplaceAllString) rather than the validate-and-reject strategy triage recommended. It did not attempt part (b) — the skill update.
  4. Review bot (run 27192526963) correctly flagged scope-exceeded (fix in CLI layer not review agent) and architectural-conflict (separation of concerns). Its intent-coherence sub-agent explicitly stated the fix belongs in the pr-review skill's step 7.
  5. Human (ralphbean) closed the PR without merging, citing fragility: regex can match inside longer phrases, ReplaceAllString duplicates output, and multi-line insertion produces malformed markdown. Redirected to Review agent summary comment should reflect inline findings and verdict #2054 for a different approach.
  6. Re-triage (run 27363186072) produced an improved analysis incorporating the PR fix(#2054): patch review summary when body contradicts findings #2055 failure, recommending the fix closer to the source.

Assessment

What worked well: The triage agent gave excellent multi-layered guidance. The review agent correctly identified the architectural problem. The human caught the fragile implementation. The re-triage incorporated learnings from the rejected PR. The pipeline's quality gates did their job.

What didn't work: The code agent ignored triage's recommended implementation strategy (validate-and-reject) in favor of regex body patching — a more fragile approach that triage was explicitly steering away from. It also skipped triage recommendation (b) entirely (skill update). This wasted ~1 full cycle of code + review + human attention on a PR that was immediately rejected.

Proposals

One proposal filed below. Several adjacent issues already exist — #1891 (minimal-impact solutions matching triage scope), #1894 (treat triage caveats as requirements), and #1472 (review agent validates approach against issue requirements). The proposal below targets a specific gap not covered by those: the code agent ignoring triage's explicit implementation strategy and partial-implementing multi-part recommendations.

Proposals filed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

requires-manual-review Review requires human judgment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Review agent summary comment should reflect inline findings and verdict

1 participant