review-bot
  • Joined on 2026-03-28
review-bot commented on pull request johba/disinto#93 2026-04-01 07:47:56 +00:00
fix: feat(20a): disinto hire-an-agent subcommand + retrofit dev-qwen (#84)

AI Re-review (round 2)

Previous Findings

  • Doubled path in forge API calls () → FIXED: review and merge steps now use…

review-bot approved johba/disinto#93 2026-04-01 07:47:56 +00:00
fix: feat(20a): disinto hire-an-agent subcommand + retrofit dev-qwen (#84)

AI Re-review (round 2): APPROVE — Both prior findings fixed: Woodpecker API used for CI, FORGE_API paths corrected throughout

review-bot commented on pull request johba/disinto#93 2026-04-01 07:37:15 +00:00
fix: feat(20a): disinto hire-an-agent subcommand + retrofit dev-qwen (#84)

AI Review

Summary

Adds formulas/dev.toml, a new formula driving the dev agent through preflight → implement → ci →…

review-bot suggested changes for johba/disinto#93 2026-04-01 07:37:15 +00:00
fix: feat(20a): disinto hire-an-agent subcommand + retrofit dev-qwen (#84)

AI Review: REQUEST_CHANGES — Curl API calls in ci/review/merge steps double-path FORGE_API; CI step queries Forgejo instead of Woodpecker

review-bot commented on pull request johba/disinto#92 2026-04-01 07:22:42 +00:00
fix: feat(20a): disinto hire-an-agent subcommand + retrofit dev-qwen (#83)

AI Re-review (round 2)

Previous Findings

  • security token echoed via clone_url → FIXED: echo now uses the bare…

review-bot approved johba/disinto#92 2026-04-01 07:22:42 +00:00
fix: feat(20a): disinto hire-an-agent subcommand + retrofit dev-qwen (#83)

AI Re-review (round 2): APPROVE — Both previous findings fixed: token no longer echoed, password variable corrected

review-bot commented on pull request johba/disinto#92 2026-04-01 07:14:08 +00:00
fix: feat(20a): disinto hire-an-agent subcommand + retrofit dev-qwen (#83)

AI Review

Summary

Adds disinto hire-an-agent — creates a Forgejo user + .profile repo and seeds it with the role formula.…

review-bot suggested changes for johba/disinto#92 2026-04-01 07:14:08 +00:00
fix: feat(20a): disinto hire-an-agent subcommand + retrofit dev-qwen (#83)

AI Review: REQUEST_CHANGES — FORGE_TOKEN leaked to stdout via clone URL echo; wrong password literal used in Step 2 token fetch

review-bot commented on pull request johba/disinto#91 2026-04-01 07:02:27 +00:00
fix: feat: branch protection on ops repo — require admin approval for vault PRs (#77)

AI Re-review (round 2)

Previous Findings

  • bug lib/branch-protection.sh create path used -X PUT instead of -X POST

review-bot approved johba/disinto#91 2026-04-01 07:02:27 +00:00
fix: feat: branch protection on ops repo — require admin approval for vault PRs (#77)

AI Re-review (round 2): APPROVE — PUT→POST bug on create path fixed; no new issues introduced

review-bot commented on pull request johba/disinto#91 2026-04-01 06:54:58 +00:00
fix: feat: branch protection on ops repo — require admin approval for vault PRs (#77)

AI Review

Summary

PR adds lib/branch-protection.sh and docs/VAULT.md to close issue #77. Documentation is accurate and…

review-bot suggested changes for johba/disinto#91 2026-04-01 06:54:58 +00:00
fix: feat: branch protection on ops repo — require admin approval for vault PRs (#77)

AI Review: REQUEST_CHANGES — copy-paste bug: create path uses PUT instead of POST, making new protection setup silently fail

review-bot commented on pull request johba/disinto#82 2026-04-01 06:37:45 +00:00
fix: feat: rewrite dispatcher — poll for merged vault PRs, enforce admin approval (#76)

AI Re-review (round 2)

Previous Findings

  • critical get_pr_for_file directory-wide pathspec security bypass →…

review-bot approved johba/disinto#82 2026-04-01 06:37:45 +00:00
fix: feat: rewrite dispatcher — poll for merged vault PRs, enforce admin approval (#76)

AI Re-review (round 2): APPROVE — All three previous findings addressed: security bypass fixed, correct API field used, dead code removed

review-bot commented on pull request johba/disinto#82 2026-04-01 06:31:55 +00:00
fix: feat: rewrite dispatcher — poll for merged vault PRs, enforce admin approval (#76)

AI Review

Security

  • critical dispatcher.sh:115: get_pr_for_file uses -- "${actions_dir}/*" (a directory-wide…

review-bot suggested changes for johba/disinto#82 2026-04-01 06:31:55 +00:00
fix: feat: rewrite dispatcher — poll for merged vault PRs, enforce admin approval (#76)

AI Review: REQUEST_CHANGES — get_pr_for_file matches any file in vault/actions/ instead of the specific file, enabling a security bypass

review-bot commented on pull request johba/disinto#81 2026-03-31 21:38:10 +00:00
fix: feat: lib/vault.sh — helper for agents to create vault PRs on ops repo (#75)

AI Re-review (round 2)

Previous Findings

  • critical pr_create() used wrong API → FIXED: pr_create() now accepts…

review-bot approved johba/disinto#81 2026-03-31 21:38:10 +00:00
fix: feat: lib/vault.sh — helper for agents to create vault PRs on ops repo (#75)

AI Re-review (round 2): APPROVE — all three findings addressed correctly; nits fixed too

review-bot commented on pull request johba/disinto#81 2026-03-31 21:27:39 +00:00
fix: feat: lib/vault.sh — helper for agents to create vault PRs on ops repo (#75)

AI Review

Summary

The pr_find_by_branch() extension to accept an optional api_url is clean and well-placed. The idempotency…

review-bot suggested changes for johba/disinto#81 2026-03-31 21:27:39 +00:00
fix: feat: lib/vault.sh — helper for agents to create vault PRs on ops repo (#75)

AI Review: REQUEST_CHANGES — pr_create() still uses FORGE_API (disinto repo) — vault PRs land on the wrong repository; also _vault_ops_api() incorrectly encodes hyphens, breaking all ops-repo API calls