refactor: add new suggestion for comments.js and enhance filterDiff tests for better coverage

refactor: streamline JSON file reading logic and improve error handling in findings.js and git.js
chore: update ai-review findings [skip ci]
2026-05-13 01:18:21 +00:00 · 2026-05-13 01:16:34 +00:00 · 2026-05-13 01:14:09 +00:00 · 2026-05-13 01:12:20 +00:00 · 2026-05-13 01:08:04 +00:00 · 2026-05-13 01:06:11 +00:00
17 changed files with 390 additions and 181 deletions
@@ -149,6 +149,11 @@
    "location": "app/llm.test.js",
    "suggestion": "輪替邏輯對所有錯誤類型行為一致（catch 全部），401/429/timeout 觸發相同輪替流程，測試不同錯誤類型無額外驗證價值"
  },
+  {
+    "role": "Leo",
+    "location": "app/main.js",
+    "suggestion": "main.js 中的 Step 標題註解為 pipeline 流程說明，非待整理的 TODO，不需要轉換為具體任務"
+  },
  {
    "role": "Rex",
    "location": "app/package.json",
@@ -158,5 +163,55 @@
    "role": "Aria",
    "location": "app/llm.js",
    "suggestion": "此 action 為 CLI 工具，process.exit(1) 是設計意圖讓 CI/CD workflow 失敗。改拋錯會被 chatJSON 的 catch 吞掉回傳 []，破壞現有行為"
+  },
+  {
+    "role": "Aria",
+    "location": "Dockerfile",
+    "suggestion": "Dockerfile 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
+  },
+  {
+    "role": "Aria",
+    "location": "entrypoint.sh",
+    "suggestion": "entrypoint.sh 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
+  },
+  {
+    "role": "Maya",
+    "location": "app/main.js",
+    "suggestion": "main.js 整合測試需要真實 Gitea API、LLM API、git 操作，不適合單元測試。各模組已有獨立單元測試覆蓋"
+  },
+  {
+    "role": "Maya",
+    "location": "app/comments.js",
+    "suggestion": "comments.js 的 buildTable 為簡單字串拼接，postComment 已透過 gitea.js mock 間接測試，補測試效益低"
+  },
+  {
+    "role": "Maya",
+    "location": "app/roles.js",
+    "suggestion": "roles.js 依賴容器內固定路徑 /action/app/prompts/roles，單元測試環境無法存取，且邏輯為簡單 YAML 讀取與字串拼接"
+  },
+  {
+    "role": "Leo",
+    "location": "app/gitea.js",
+    "suggestion": "gitea.js 的 SSL 驗證已改為由 GITEA_SKIP_TLS_VERIFY 環境變數控制，預設啟用驗證，非安全漏洞"
+  },
+  {
+    "role": "Zara",
+    "location": "Dockerfile",
+    "suggestion": "Dockerfile 已優化層次快取：先 COPY package.json 再 npm install，最後才 COPY 其餘檔案"
+  },
+  {
+    "role": "Aria",
+    "location": "app/package.json",
+    "suggestion": "test 腳本已改為 node --test *.test.js，在 app/ 目錄下執行可自動發現所有測試檔案"
+  },
+  {
+    "role": "Zara",
+    "location": "app/main.js",
+    "suggestion": "deduplicateWithAI 和 filterFalsePositivesWithAI 為循序依賴流程（去重後才能過濾），無法平行化"
+  },
+  {
+    "role": "Leo",
+    "location": "app/comments.js",
+    "suggestion": "buildTable 函式已在 comments.js 第 13 行定義，非未定義或未匯入，不會導致執行時錯誤"
  }
 ]
@@ -1,9 +1,16 @@
 [
  {
-    "level": "info",
+    "level": "critical",
    "role": "Leo",
-    "location": "app/package.json",
-    "suggestion": "在 `app/package.json` 中，`axios` 和 `openai` 等函式庫進行了版本更新，特別是 `openai` 從 `4.28.0` 升級到 `4.104.0`。為了確保長期維護的穩定性和安全性，建議審查這些函式庫的發行說明（changelog），以了解是否有任何重大變更、安全修補或已知漏洞，並確認這些更新不會引入不預期的行為或技術債。",
+    "location": "app/comments.js:66",
+    "suggestion": "`buildTable` 函式在此檔案中被呼叫，但未見其定義或匯入。這將導致執行時錯誤。請確保 `buildTable` 函式已被正確定義或從其他模組匯入，以確保程式碼的正確執行。",
+    "is_new": true
+  },
+  {
+    "level": "warning",
+    "role": "Maya",
+    "location": "app/gitea.js:11, app/main.js:42-45",
+    "suggestion": "`filterDiff` 函數的邏輯已從正規表達式比對改為 `startsWith`，並將其呼叫從 `getPRDiff` 移至 `main.js`。雖然 `startsWith` 可能更高效精確，但這是一個行為變更與職責重分配。請確保為 `filterDiff` 函數撰寫足夠的單元測試，以驗證：\n1. 正確過濾 `.gitea/` 路徑下的檔案。\n2. 不會錯誤過濾非 `.gitea/` 路徑下的檔案。\n3. 處理空 diff 內容。\n4. 處理僅包含 `.gitea/` 檔案的 diff 內容（應返回空字串）。",
    "is_new": true
  }
 ]
@@ -26,12 +26,12 @@ jobs:
        tag_name: v${{ steps.version.outputs.version }}
        target_commitish: ${{ github.head_ref }}
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    needs: [version]
    steps:
    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@v${{ needs.version.outputs.version }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@v${{ needs.version.outputs.version }}
      with:
        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
        GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
@@ -1,4 +1,4 @@
-FROM alpine
+FROM alpine:3.20

 RUN apk add --no-cache bash nodejs npm git \
    && node --version \
@@ -7,10 +7,11 @@ RUN apk add --no-cache bash nodejs npm git \

 WORKDIR /action

+COPY app/package.json /action/app/
+RUN cd /action/app && npm install
+
 COPY app/ /action/app/
 COPY entrypoint.sh /entrypoint.sh
-
-RUN cd /action/app && npm install && \
-    chmod +x /entrypoint.sh
+RUN chmod +x /entrypoint.sh

 ENTRYPOINT ["/entrypoint.sh"]
@@ -22,6 +22,8 @@
 4. 盡量將應用程式放在 ./app，修改 entrypoint.sh 與 Dockerfile 讓程式可以正常運行
 5. 將提示詞放到 ./app/prompts 內供程式讀取
 6. API Key 支援逗號分隔傳入多個，隨機順序各嘗試一次，全部失敗則 exit 1
+7. 讀取 Git Diff 時排除 `.gitea/` 資料夾內的所有檔案，避免 AI 分析 workflow 設定等非業務程式碼
+8. 階段五完成後驗證 `findings.json` 與 `exclusions.json` 是否為合法 JSON 格式，格式錯誤時先嘗試重置為空陣列並備份原檔，修正失敗才 exit 1

 # 使用說明

@@ -29,19 +31,26 @@
 2. 在 `.gitea/workflows` 資料夾中建立 `ai-review.yaml'
 3. 在 `ai-review.yaml` 中填入以下內容(選擇一個使用)：

+> **權限說明**：此 Action 需要 `contents: write`（寫入 findings.json）、`pull-requests: write`（發佈 PR comment）、`issues: write`（發佈 issue comment）三項權限，為正常運作所必要，無法縮減。
+
 ### 1. OpenAI
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}  # 支援逗號分隔多個 Key
        OPENAI_BASE_URL: https://api.openai.com/v1
@@ -55,16 +64,21 @@ jobs:
 ### 2. OpenRouter
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
        OPENAI_API_KEY: ${{ secrets.OPENROUTER_API_KEY }},${{ secrets.OPENROUTER_API_KEY_1 }}
        OPENAI_BASE_URL: https://openrouter.ai/api/v1
@@ -78,16 +92,21 @@ jobs:
 ### 3. Anthropic Claude
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
        CLAUDE_API_KEY: ${{ secrets.CLAUDE_API_KEY }}  # 支援逗號分隔多個 Key
        CLAUDE_BASE_URL: https://api.anthropic.com/v1
@@ -100,16 +119,21 @@ jobs:
 ### 4. Google Gemini
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
        GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
@@ -123,16 +147,21 @@ jobs:
 ### 5. Amazon Q
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
        AMAZONQ_API_KEY: ${{ secrets.AMAZONQ_API_KEY }}  # 支援逗號分隔多個 Key
        AMAZONQ_BASE_URL: https://q.api.aws
@@ -146,22 +175,26 @@ jobs:

 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-        uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+        uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
        with:
          OLLAMA_BASE_URL: https://ollama.jsc.idv.me/v1
          OLLAMA_MODEL: ${{ vars.OLLAMA_MODEL }}
    permissions:
      contents: write
      pull-requests: write
-
      issues: write
 ```
@@ -3,43 +3,49 @@
 ## 階段一：基本流程串接
 - 目標：確保 action 可以被觸發，pipeline 各步驟依序執行，log 出每個主要階段的進入與完成。
 - 驗收：log 中能看到每個階段（如「Step1: pipeline start」、「Step2: findings merge」等）明確訊息，且流程能走完（即使還沒產生 findings）。
- 完成
+- 未驗收

-## 階段二：Findings 產生與合併
+## 階段二：Git Diff 排除 .gitea/ 資料夾
+- 目標：讀取 Git Diff 時排除 `.gitea/` 資料夾內的所有檔案，避免 AI 分析 workflow 設定等非業務程式碼。
+- 驗收：PR 中有 `.gitea/` 路徑的變更時，diff 內容不包含該路徑的區塊，AI 分析結果不含 `.gitea/` 相關問題。
+- 未驗收
+
+## 階段三：Findings 產生與合併
 - 目標：各角色（style/security/performance/maintainability/testing）能產生 findings，並正確合併新舊 findings。
 - 驗收：log 中能看到每個角色 findings 數量、合併後 findings 統計，並有「Step3: merged findings total=...」等訊息。
- 完成
+- 未驗收

-## 階段三：AI 去重與角色確認
+## 階段四：AI 去重與角色確認
 - 目標：嘗試呼叫 LLM 進行 findings 去重與角色確認，API 額度不足時要有降級處理 log。
 - 驗收：log 中能看到 deduplication/resolution confirmation 成功或失敗（如 402），降級時有「保留所有問題」等明確訊息。
- 完成
+- 未驗收

-## 階段四：AI 排除問題過濾
+## 階段五：AI 排除問題過濾
 - 目標：讀取排除問題檔案（`.gitea/ai-review/exclusions.json`）進行規則過濾，並呼叫 AI 判斷剩餘問題是否為誤報或不適用，兩層過濾後產生最終問題清單。
 - 驗收：log 中能看到排除問題檔案讀取成功或不存在的訊息、規則過濾數量變化，以及「AI 誤報過濾: N -> M 筆」或降級訊息。
- 完成
+- 未驗收

-## 階段五：findings 寫入與 comment 發布
+## 階段六：findings 寫入與 comment 發布
 - 目標：`.gitea/ai-review/findings.json` 正確寫入，comment 發布順序正確（舊問題→非嚴重→嚴重），每步有 log。
 - 驗收：log 中能看到 `.gitea/ai-review/findings.json` 寫入、comment sync 的詳細訊息與順序。
- 完成
+- 未驗收

-## 階段六：記憶區 commit/push 與錯誤處理
+## 階段七：階段六後驗證 JSON 格式
+- 目標：階段六完成後驗證 `findings.json` 與 `exclusions.json` 是否為合法 JSON 格式，格式錯誤時先嘗試重置為空陣列並備份原檔，修正失敗才 exit 1。
+- 驗收：log 中能看到兩個檔案的驗證結果（成功或失敗），格式錯誤時有「嘗試修正」訊息與備份路徑，修正失敗時 workflow 狀態為失敗。
+- 未驗收
+
+## 階段八：記憶區 commit/push 與錯誤處理
 - 目標：記憶區能成功 commit/push，錯誤時有明確 log，流程結束有總結訊息。
 - 驗收：log 有「persisted findings」、「commit=...」、「push=...」等訊息，錯誤時有「Runner failed: ...」等明確錯誤說明。
- 完成
+- 未驗收

-## 階段七：阻擋嚴重問題 PR（第 8 點）
+## 階段九：阻擋嚴重問題 PR（第 8 點）
 - 目標：如果 PR 問題表格中有嚴重（critical）問題，workflow 需直接 exit 1，不讓流程成功。
 - 驗收：log 中能看到「critical 問題存在，workflow 結束（exit 1）」等明確訊息，且 workflow 狀態為失敗。
- 完成
+- 未驗收

-## 階段八：API Key 輪替
+## 階段十：API Key 輪替
 - 目標：所有平台的 API Key 支援逗號分隔傳入多個，隨機順序各嘗試一次，單一 Key 失敗時自動換下一個，全部失敗則 exit 1。
 - 驗收：log 中能看到「key[N/M] 失敗」等訊息，換 key 後繼續執行；傳入單一 Key 時行為與原本相同；全部 Key 失敗時 log「所有 API Key 均失敗，終止流程」且 workflow 狀態為失敗。
- 完成
-
---
-
-所有階段驗收通過。
+- 未驗收
@@ -12,6 +12,10 @@ inputs:
  GITEA_REPOSITORY:
    description: 'Gitea Repository (owner/repo)'
    required: false
+  GITEA_SKIP_TLS_VERIFY:
+    description: '跳過 Gitea SSL/TLS 憑證驗證（自簽憑證時使用）'
+    required: false
+    default: 'false'
  PR_NUMBER:
    description: 'Pull Request Number'
    required: false
@@ -80,6 +84,7 @@ runs:
    GITEA_TOKEN: ${{ inputs.GITEA_TOKEN || secrets.GITEA_TOKEN }}
    GITEA_SERVER_URL: ${{ inputs.GITEA_SERVER_URL || gitea.server_url }}
    GITEA_REPOSITORY: ${{ inputs.GITEA_REPOSITORY || gitea.repository }}
+    GITEA_SKIP_TLS_VERIFY: ${{ inputs.GITEA_SKIP_TLS_VERIFY }}
    PR_NUMBER: ${{ inputs.PR_NUMBER || gitea.event.pull_request.number }}
    PR_HEAD_BRANCH: ${{ inputs.PR_HEAD_BRANCH || gitea.event.pull_request.head.ref }}
    PR_BASE_BRANCH: ${{ inputs.PR_BASE_BRANCH || gitea.event.pull_request.base.ref }}
@@ -63,7 +63,7 @@ export async function postNewCriticalComments(findings) {
    return;
  }
  for (const f of criticals) {
-    const body = `## 🚨 嚴重問題\n\n| 審查員 | 位置 | 建議 |\n|--------|------|------|\n| ${f.role} | ${f.location} | ${f.suggestion} |`;
+    const body = `## 🚨 嚴重問題\n\n${buildTable([f])}`;
    await postComment(body);
    console.log(`  ✅ 嚴重問題 comment 發布: [${f.role}] ${f.location}`);
  }
@@ -1,6 +1,7 @@
 export const GITEA_TOKEN = process.env.GITEA_TOKEN || '';
 export const GITEA_SERVER_URL = process.env.GITEA_SERVER_URL || 'https://gitea.com';
 export const GITEA_REPOSITORY = process.env.GITEA_REPOSITORY || '';
+export const GITEA_SKIP_TLS_VERIFY = process.env.GITEA_SKIP_TLS_VERIFY === 'true';
 export const PR_NUMBER = process.env.PR_NUMBER || '';
 export const PR_HEAD_BRANCH = process.env.PR_HEAD_BRANCH || '';
 export const PR_BASE_BRANCH = process.env.PR_BASE_BRANCH || '';
@@ -11,7 +11,6 @@ const LEVELS = ['critical', 'warning', 'info'];
 export async function analyzeWithRole(role, diff) {
  console.log(`  [${role.name}] 開始分析...`);
  const findings = await chatJSON(role.system_prompt, `以下是 Git Diff 內容：\n\n${diff}`);
-  // 確保每筆都有必要欄位，並標記為新問題
  const valid = findings.filter(f => f.level && f.role && f.location && f.suggestion)
    .map(f => ({ ...f, is_new: true }));
  console.log(`  [${role.name}] 找到 ${valid.length} 個問題`);
@@ -19,28 +18,33 @@ export async function analyzeWithRole(role, diff) {
 }

 /**
- * 讀取舊 findings（從 workspace 的 FINDINGS_PATH）
+ * 讀取 JSON 陣列檔案，失敗或不存在時回傳空陣列
 */
-export function loadOldFindings(workspace) {
-  const fullPath = path.join(workspace, FINDINGS_PATH);
+function readJSONArray(fullPath, label) {
  if (!fs.existsSync(fullPath)) {
-    console.log('  舊 findings 檔案不存在，視為空');
+    console.log(`  ${label}檔案不存在，視為空`);
    return [];
  }
  try {
    const data = JSON.parse(fs.readFileSync(fullPath, 'utf8'));
-    const old = (Array.isArray(data) ? data : []).map(f => ({ ...f, is_new: false }));
-    console.log(`  讀取舊 findings: ${old.length} 筆`);
-    return old;
+    return Array.isArray(data) ? data : [];
  } catch (e) {
-    console.log(`  ⚠️  讀取舊 findings 失敗: ${e.message}，視為空`);
+    console.log(`  ⚠️  讀取${label}失敗: ${e.message}，視為空`);
    return [];
  }
 }

+/**
+ * 讀取舊 findings（從 workspace 的 FINDINGS_PATH）
+ */
+export function loadOldFindings(workspace) {
+  const old = readJSONArray(path.join(workspace, FINDINGS_PATH), '舊 findings ').map(f => ({ ...f, is_new: false }));
+  console.log(`  讀取舊 findings: ${old.length} 筆`);
+  return old;
+}
+
 /**
 * 合併新舊 findings，以 (role + location + suggestion前50字) 為 key 去除重複
- * 舊問題保留，新問題若與舊問題重複則捨棄
 */
 export function mergeFindings(oldFindings, newFindings) {
  const key = f => `${f.role}|${f.location}|${String(f.suggestion).slice(0, 50)}`;
@@ -63,8 +67,17 @@ export function sortByLevel(findings) {
 }

 /**
- * 呼叫 LLM 進行語意去重，回傳去重後的 findings
- * 失敗時降級回傳原始 findings
+ * AI 呼叫失敗時的統一降級處理
+ */
+function fallback(label, findings, e) {
+  const status = e.response?.status;
+  const reason = (status === 402 || status === 429) ? `${status} 額度/限流` : e.message;
+  console.log(`  ⚠️  ${label}失敗（${reason}），降級：保留所有問題`);
+  return findings;
+}
+
+/**
+ * 呼叫 LLM 進行語意去重，失敗時降級回傳原始 findings
 */
 export async function deduplicateWithAI(findings) {
  if (findings.length === 0) return findings;
@@ -74,45 +87,25 @@ export async function deduplicateWithAI(findings) {
 保留等級較高的版本，優先保留 critical > warning > info。
 只回傳去重後的 JSON 陣列，不要有其他文字。`;

-  const userContent = `以下是問題清單，請去除語意重複的項目：\n\n${JSON.stringify(findings, null, 2)}`;
-
  try {
-    const result = await chatJSON(systemPrompt, userContent);
+    const result = await chatJSON(systemPrompt, `以下是問題清單，請去除語意重複的項目：\n\n${JSON.stringify(findings, null, 2)}`);
    if (Array.isArray(result) && result.length > 0) {
      console.log(`  AI 去重: ${findings.length} -> ${result.length} 筆`);
      return result;
    }
    throw new Error('AI 回傳空陣列');
  } catch (e) {
-    const status = e.response?.status;
-    if (status === 402 || status === 429) {
-      console.log(`  ⚠️  AI 去重失敗（${status} 額度/限流），降級：保留所有問題`);
-    } else {
-      console.log(`  ⚠️  AI 去重失敗（${e.message}），降級：保留所有問題`);
-    }
-    return findings;
+    return fallback('AI 去重', findings, e);
  }
 }

 /**
 * 讀取排除問題檔案（從 workspace 的 EXCLUSIONS_PATH）
- * 格式：[{ role, location, suggestion }]，欄位可部分省略，省略表示萬用
 */
 export function loadExclusions(workspace) {
-  const fullPath = path.join(workspace, EXCLUSIONS_PATH);
-  if (!fs.existsSync(fullPath)) {
-    console.log('  排除問題檔案不存在，跳過過濾');
-    return [];
-  }
-  try {
-    const data = JSON.parse(fs.readFileSync(fullPath, 'utf8'));
-    const exclusions = Array.isArray(data) ? data : [];
-    console.log(`  讀取排除問題: ${exclusions.length} 筆`);
-    return exclusions;
-  } catch (e) {
-    console.log(`  ⚠️  讀取排除問題失敗: ${e.message}，跳過過濾`);
-    return [];
-  }
+  const exclusions = readJSONArray(path.join(workspace, EXCLUSIONS_PATH), '排除問題');
+  console.log(`  讀取排除問題: ${exclusions.length} 筆`);
+  return exclusions;
 }

 /**
@@ -125,17 +118,14 @@ export function applyExclusions(findings, exclusions) {
  const filtered = findings.filter(f => !exclusions.some(ex => {
    const fPath = String(f.location).split(':')[0];
    const exPath = ex.location ? String(ex.location).split(':')[0] : null;
-    return (!exPath || fPath === exPath) &&
-           (!ex.role || ex.role === f.role);
+    return (!exPath || fPath === exPath) && (!ex.role || ex.role === f.role);
  }));
  console.log(`  排除過濾: ${before} -> ${filtered.length} 筆（排除 ${before - filtered.length} 筆）`);
  return filtered;
 }

 /**
- * 呼叫 AI 判斷哪些問題是誤報或不需處理，回傳需保留的 findings
- * exclusions 為已知誤報清單，供 AI 參考判斷
- * 失敗時降級回傳原始 findings
+ * 呼叫 AI 判斷哪些問題是誤報或不需處理，失敗時降級回傳原始 findings
 */
 export async function filterFalsePositivesWithAI(findings, exclusions = []) {
  if (findings.length === 0) return findings;
@@ -152,22 +142,14 @@ export async function filterFalsePositivesWithAI(findings, exclusions = []) {
 3. 與已知誤報清單語意相近的問題（檔案路徑相同且建議內容相似）
 只回傳需要保留的問題 JSON 陣列，不要有其他文字。${exclusionHint}`;

-  const userContent = `請判斷以下問題清單，移除誤報或不需處理的問題：\n\n${JSON.stringify(findings, null, 2)}`;
-
  try {
-    const result = await chatJSON(systemPrompt, userContent);
+    const result = await chatJSON(systemPrompt, `請判斷以下問題清單，移除誤報或不需處理的問題：\n\n${JSON.stringify(findings, null, 2)}`);
    if (Array.isArray(result) && result.length > 0) {
      console.log(`  AI 誤報過濾: ${findings.length} -> ${result.length} 筆`);
      return result;
    }
    throw new Error('AI 回傳空陣列或非陣列');
  } catch (e) {
-    const status = e.response?.status;
-    if (status === 402 || status === 429) {
-      console.log(`  ⚠️  AI 誤報過濾失敗（${status} 額度/限流），降級：保留所有問題`);
-    } else {
-      console.log(`  ⚠️  AI 誤報過濾失敗（${e.message}），降級：保留所有問題`);
-    }
-    return findings;
+    return fallback('AI 誤報過濾', findings, e);
  }
 }
@@ -3,6 +3,8 @@ import fs from 'fs';
 import path from 'path';
 import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH } from './config.js';

+const remoteUrl = `${GITEA_SERVER_URL.replace(/\/$/, '')}/${GITEA_REPOSITORY}.git`;
+
 function makeRunner(spawn) {
  return function run(args, cwd, env) {
    const opts = { cwd, encoding: 'utf8' };
@@ -14,20 +16,25 @@ function makeRunner(spawn) {
  };
 }

+function withAskpass(workspace, fn) {
+  const askpassScript = path.join(workspace, '.git-askpass.sh');
+  fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
+  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
+  try {
+    return fn(credEnv);
+  } finally {
+    try { fs.unlinkSync(askpassScript); } catch {}
+  }
+}
+
 /**
 * Clone PR head branch to workspace/repo (idempotent)
 */
 export function cloneRepo(workspace, _spawnSync = spawnSync) {
  const run = makeRunner(_spawnSync);
-  const baseUrl = GITEA_SERVER_URL.replace(/\/$/, '');
-  const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
  const repoDir = path.join(workspace, 'repo');

-  const askpassScript = path.join(workspace, '.git-askpass.sh');
-  fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
-  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
-
-  try {
+  return withAskpass(workspace, credEnv => {
    if (!fs.existsSync(repoDir)) {
      run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
      console.log(`  ✅ repo cloned to ${repoDir}`);
@@ -36,57 +43,39 @@ export function cloneRepo(workspace, _spawnSync = spawnSync) {
      run(['checkout', PR_HEAD_BRANCH], repoDir);
      console.log(`  ✅ repo already exists, fetched latest`);
    }
-  } finally {
-    try { fs.unlinkSync(askpassScript); } catch {}
-  }
-  return repoDir;
+    return repoDir;
+  });
 }

 export async function commitAndPush(workspace, _spawnSync = spawnSync) {
  const run = makeRunner(_spawnSync);

-  const baseUrl = GITEA_SERVER_URL.replace(/\/$/, '');
-  const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
-  const repoDir = path.join(workspace, 'repo');
-
-  // Write a temporary askpass script that reads the token from an env var,
-  // so the token value never appears in the script file itself
-  const askpassScript = path.join(workspace, '.git-askpass.sh');
-  fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
-
-  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
-
  try {
-    if (!fs.existsSync(repoDir)) {
-      run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
-    }
+    const repoDir = cloneRepo(workspace, _spawnSync);

-    run(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
-    run(['config', 'user.name', 'AI Review Bot'], repoDir);
-    run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv);
-    run(['checkout', PR_HEAD_BRANCH], repoDir);
+    await withAskpass(workspace, async credEnv => {
+      run(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
+      run(['config', 'user.name', 'AI Review Bot'], repoDir);

-    // 將 findings.json 從 workspace 複製到 clone 的 repo
-    const srcFindings = path.join(workspace, FINDINGS_PATH);
-    const destFindings = path.join(repoDir, FINDINGS_PATH);
-    fs.mkdirSync(path.dirname(destFindings), { recursive: true });
-    fs.copyFileSync(srcFindings, destFindings);
+      const srcFindings = path.join(workspace, FINDINGS_PATH);
+      const destFindings = path.join(repoDir, FINDINGS_PATH);
+      fs.mkdirSync(path.dirname(destFindings), { recursive: true });
+      fs.copyFileSync(srcFindings, destFindings);

-    run(['add', FINDINGS_PATH], repoDir);
+      run(['add', FINDINGS_PATH], repoDir);

-    const status = run(['status', '--porcelain'], repoDir);
-    if (!status) {
-      console.log('  findings.json 無變更，跳過 commit');
-      return;
-    }
+      const status = run(['status', '--porcelain'], repoDir);
+      if (!status) {
+        console.log('  findings.json 無變更，跳過 commit');
+        return;
+      }

-    const out = run(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
-    const commitHash = out.match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown';
-    run(['push', remoteUrl, PR_HEAD_BRANCH], repoDir, credEnv);
-    console.log(`  ✅ persisted findings  commit=${commitHash}  push=${PR_HEAD_BRANCH}`);
+      const out = run(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
+      const commitHash = out.match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown';
+      run(['push', remoteUrl, PR_HEAD_BRANCH], repoDir, credEnv);
+      console.log(`  ✅ persisted findings  commit=${commitHash}  push=${PR_HEAD_BRANCH}`);
+    });
  } catch (e) {
    console.log(`  ⚠️  Runner failed: commit/push 失敗: ${e.message}`);
-  } finally {
-    try { fs.unlinkSync(askpassScript); } catch {}
  }
 }
@@ -1,8 +1,8 @@
 import axios from 'axios';
 import https from 'https';
-import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, PR_NUMBER } from './config.js';
+import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_SKIP_TLS_VERIFY, PR_NUMBER } from './config.js';

-const httpsAgent = new https.Agent({ rejectUnauthorized: false });
+const httpsAgent = GITEA_SKIP_TLS_VERIFY ? new https.Agent({ rejectUnauthorized: false }) : undefined;
 const headers = () => ({ Authorization: `token ${GITEA_TOKEN}`, 'Content-Type': 'application/json' });
 const api = (path) => `${GITEA_SERVER_URL.replace(/\/$/, '')}/api/v1${path}`;

@@ -11,6 +11,16 @@ export async function getPRDiff() {
  return resp.data;
 }

+/**
+ * 過濾 diff 內容，移除路徑符合 excludePrefixes 的區塊。
+ * 每個區塊以 "diff --git a/<prefix>" 開頭判斷，使用 startsWith 精確比對前綴。
+ */
+export function filterDiff(diff, excludePrefixes) {
+  return diff.split(/(?=^diff --git )/m)
+    .filter(block => !excludePrefixes.some(p => block.startsWith(`diff --git a/${p}`)))
+    .join('');
+}
+
 export async function postComment(body) {
  const resp = await axios.post(api(`/repos/${GITEA_REPOSITORY}/issues/${PR_NUMBER}/comments`), { body }, { headers: headers(), timeout: 30000, httpsAgent });
  return resp.data;
@@ -0,0 +1,89 @@
+import { describe, it, afterEach, mock } from 'node:test';
+import assert from 'node:assert/strict';
+import axios from 'axios';
+
+afterEach(() => mock.restoreAll());
+
+describe('gitea', async () => {
+  const { getPRDiff, filterDiff, postComment } = await import('./gitea.js');
+
+  it('getPRDiff calls Gitea diff API with Authorization header', async () => {
+    let capturedUrl, capturedOpts;
+    mock.method(axios, 'get', async (url, opts) => {
+      capturedUrl = url;
+      capturedOpts = opts;
+      return { data: 'diff content' };
+    });
+    const result = await getPRDiff();
+    assert.equal(result, 'diff content');
+    assert.ok(capturedUrl.includes('/api/v1/repos/'));
+    assert.ok(capturedUrl.endsWith('.diff'));
+    assert.ok(capturedOpts.headers['Authorization'].startsWith('token '));
+    assert.equal(capturedOpts.headers['Content-Type'], 'application/json');
+  });
+
+  it('postComment calls Gitea issues comments API with body', async () => {
+    let capturedUrl, capturedBody, capturedOpts;
+    mock.method(axios, 'post', async (url, body, opts) => {
+      capturedUrl = url;
+      capturedBody = body;
+      capturedOpts = opts;
+      return { data: { id: 1 } };
+    });
+    const result = await postComment('hello world');
+    assert.deepEqual(result, { id: 1 });
+    assert.ok(capturedUrl.includes('/api/v1/repos/'));
+    assert.ok(capturedUrl.endsWith('/comments'));
+    assert.equal(capturedBody.body, 'hello world');
+    assert.ok(capturedOpts.headers['Authorization'].startsWith('token '));
+  });
+
+  it('does not set httpsAgent by default (GITEA_SKIP_TLS_VERIFY not true)', async () => {
+    let capturedOpts;
+    mock.method(axios, 'get', async (_url, opts) => {
+      capturedOpts = opts;
+      return { data: '' };
+    });
+    await getPRDiff();
+    assert.equal(capturedOpts.httpsAgent, undefined);
+  });
+
+  it('getPRDiff propagates axios errors', async () => {
+    mock.method(axios, 'get', async () => { throw new Error('network error'); });
+    await assert.rejects(() => getPRDiff(), /network error/);
+  });
+
+  it('postComment propagates axios errors', async () => {
+    mock.method(axios, 'post', async () => { throw new Error('api error'); });
+    await assert.rejects(() => postComment('test'), /api error/);
+  });
+});
+
+describe('filterDiff', async () => {
+  const { filterDiff } = await import('./gitea.js');
+
+  const block = (file) => `diff --git a/${file} b/${file}\n--- a/${file}\n+++ b/${file}\n@@ -1 +1 @@\n-old\n+new\n`;
+
+  it('filters out .gitea/ blocks', () => {
+    const diff = block('.gitea/workflows/review.yaml') + block('src/index.js');
+    const result = filterDiff(diff, ['.gitea/']);
+    assert.ok(!result.includes('.gitea/'));
+    assert.ok(result.includes('src/index.js'));
+  });
+
+  it('does not filter non-.gitea/ blocks', () => {
+    const diff = block('src/index.js') + block('README.md');
+    const result = filterDiff(diff, ['.gitea/']);
+    assert.equal(result, diff);
+  });
+
+  it('returns empty string when all blocks are excluded', () => {
+    const diff = block('.gitea/workflows/review.yaml') + block('.gitea/ai-review/findings.json');
+    const result = filterDiff(diff, ['.gitea/']);
+    assert.equal(result, '');
+  });
+
+  it('returns empty string for empty diff', () => {
+    assert.equal(filterDiff('', ['.gitea/']), '');
+  });
+});
@@ -29,12 +29,11 @@ export async function chat(systemPrompt, userContent) {
 }

 export async function chatJSON(systemPrompt, userContent) {
+  const text = await chat(systemPrompt, userContent);
  try {
-    let text = await chat(systemPrompt, userContent);
-    text = text.trim().replace(/^```[^\n]*\n?/, '').replace(/```$/, '').trim();
-    return JSON.parse(text);
+    return JSON.parse(text.trim().replace(/^```[^\n]*\n?/, '').replace(/```$/, '').trim());
  } catch (e) {
-    console.log(`  [LLM] 解析失敗: ${e.message}`);
+    console.log(`  [LLM] JSON 解析失敗: ${e.message}`);
    return [];
  }
 }
@@ -1,6 +1,8 @@
-import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig } from './config.js';
+import fs from 'fs';
+import path from 'path';
+import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig, FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';
 import { loadRoles, getRoleIntro } from './roles.js';
-import { getPRDiff, postComment } from './gitea.js';
+import { getPRDiff, filterDiff, postComment } from './gitea.js';
 import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js';
 import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
 import { cloneRepo, commitAndPush } from './git.js';
@@ -13,7 +15,6 @@ async function main() {
  console.log(`  repo=${GITEA_REPOSITORY}  PR=#${PR_NUMBER}`);
  console.log(`  ${PR_HEAD_BRANCH} -> ${PR_BASE_BRANCH}`);

-  // 偵測 LLM
  const { provider, baseURL, model } = getLLMConfig();
  if (!provider) {
    console.error('❌ 未設定任何 LLM API Key，請檢查 action inputs');
@@ -21,11 +22,9 @@ async function main() {
  }
  console.log(`  LLM: provider=${provider}  model=${model}  base_url=${baseURL}`);

-  // 載入角色
  const roles = loadRoles();
  console.log(`  已載入 ${roles.length} 個角色: [${roles.map(r => r.name).join(', ')}]`);

-  // 取得 PR diff
  let diff;
  try {
    diff = await getPRDiff();
@@ -40,7 +39,6 @@ async function main() {
    process.exit(0);
  }

-  // 發布角色介紹 comment
  try {
    const intro = getRoleIntro(roles) + `\n\n> 🔍 服務：${provider}  模型：${model}`;
    await postComment(intro);
@@ -48,23 +46,32 @@ async function main() {
  } catch (e) {
    console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
  }
-  console.log('  Step1 完成');

-  // Step2: 各角色分析 diff 產生新 findings
-  console.log('\n📊 Step2: Findings 產生');
+  // Step2: 排除 .gitea/ 資料夾內的所有檔案
+  console.log('\n🗂️  Step2: Git Diff 過濾');
+  diff = filterDiff(diff, ['.gitea/']);
+  console.log(`  排除 .gitea/ 後 diff 長度: ${diff.length} 字元`);
+
+  if (!diff.trim()) {
+    console.log('  ⚠️  過濾後 diff 為空，無需審查');
+    process.exit(0);
+  }
+
+  // Step3: 各角色分析 diff 產生新 findings
+  console.log('\n📊 Step3: Findings 產生');
+  const results = await Promise.allSettled(roles.map(role => analyzeWithRole(role, diff)));
  const newFindings = [];
-  for (const role of roles) {
-    try {
-      const found = await analyzeWithRole(role, diff);
-      newFindings.push(...found);
-    } catch (e) {
-      console.log(`  ⚠️  [${role.name}] 分析失敗（跳過）: ${e.message}`);
+  for (let i = 0; i < results.length; i++) {
+    if (results[i].status === 'fulfilled') {
+      newFindings.push(...results[i].value);
+    } else {
+      console.log(`  ⚠️  [${roles[i].name}] 分析失敗（跳過）: ${results[i].reason?.message}`);
    }
  }
-  console.log(`  Step2 完成: 新 findings 總計 ${newFindings.length} 筆`);
+  console.log(`  Step3 完成: 新 findings 總計 ${newFindings.length} 筆`);

-  // Step3: 讀取舊 findings，合併去重（含 AI 語意去重）
-  console.log('\n🔀 Step3: Findings 合併');
+  // Step4: 讀取舊 findings，合併去重（含 AI 語意去重）
+  console.log('\n🔀 Step4: Findings 合併');
  // Clone repo 以讀取舊 findings 與排除清單
  let repoDir;
  try {
@@ -74,39 +81,64 @@ async function main() {
  }
  const oldFindings = loadOldFindings(repoDir || WORKSPACE);
  const mergedFindings = mergeFindings(oldFindings, newFindings);
-  console.log(`  Step3 merged findings total=${mergedFindings.length}`);
+  console.log(`  Step4 merged findings total=${mergedFindings.length}`);

-  console.log('\n🤖 Step3b: AI 語意去重');
+  console.log('\n🤖 Step4b: AI 語意去重');
  const deduped = await deduplicateWithAI(mergedFindings);
  const sorted = sortByLevel(deduped);
-  console.log(`  Step3b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`);
+  console.log(`  Step4b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`);

-  // Step4: 讀取排除問題檔案，過濾 PR 問題表格，並請 AI 判斷誤報
-  console.log('\n🚫 Step4: AI 排除問題過濾');
+  // Step5: 讀取排除問題檔案，過濾 PR 問題表格，並請 AI 判斷誤報
+  console.log('\n🚫 Step5: AI 排除問題過濾');
+  // 輸入至 findings 用於 AI 誤報過濾，exclusions 同時作為已知誤報參考
  const exclusions = loadExclusions(repoDir || WORKSPACE);
  const ruleFiltered = applyExclusions(sorted, exclusions);
  const filtered = await filterFalsePositivesWithAI(ruleFiltered, exclusions);
-  console.log(`  Step4 完成: findings total=${filtered.length}`);
+  console.log(`  Step5 完成: findings total=${filtered.length}`);

-  // Step5: 寫入 findings.json，依序發布 comment
-  console.log('\n📝 Step5: Findings 寫入與 Comment 發布');
+  // Step6: 寫入 findings.json，依序發布 comment
+  console.log('\n📝 Step6: Findings 寫入與 Comment 發布');
  saveFindings(WORKSPACE, filtered);
-
  try {
    await postOldFindingsComment(filtered);
    await postNewNonCriticalComment(filtered);
    await postNewCriticalComments(filtered);
-    console.log('  Step5 完成');
+    console.log('  Step6 完成');
  } catch (e) {
    console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
  }

-  // Step6: commit/push findings.json 到來源分支
-  console.log('\n💾 Step6: 記憶區 Commit/Push');
+  // Step7: 驗證 findings.json 與 exclusions.json 為合法 JSON
+  console.log('\n🔎 Step7: JSON 格式驗證');
+  for (const relPath of [FINDINGS_PATH, EXCLUSIONS_PATH]) {
+    const fullPath = path.join(repoDir || WORKSPACE, relPath);
+    if (!fs.existsSync(fullPath)) {
+      console.log(`  ⚠️  ${relPath} 不存在，跳過驗證`);
+      continue;
+    }
+    try {
+      JSON.parse(fs.readFileSync(fullPath, 'utf8'));
+      console.log(`  ✅ ${relPath} JSON 格式正確`);
+    } catch (e) {
+      console.error(`  ❌ ${relPath} JSON 格式錯誤: ${e.message}，嘗試修正...`);
+      try {
+        const backupPath = fullPath + '.bak';
+        fs.copyFileSync(fullPath, backupPath);
+        fs.writeFileSync(fullPath, '[]\n', 'utf8');
+        console.log(`  ✅ ${relPath} 已重置為空陣列（原檔備份至 ${relPath}.bak）`);
+      } catch (repairErr) {
+        console.error(`  ❌ ${relPath} 修正失敗: ${repairErr.message}`);
+        process.exit(1);
+      }
+    }
+  }
+
+  // Step8: commit/push findings.json 到來源分支
+  console.log('\n💾 Step8: 記憶區 Commit/Push');
  await commitAndPush(WORKSPACE);

-  // Step7: 有 critical 問題則 exit 1
-  console.log('\n🚦 Step7: 嚴重問題檢查');
+  // Step9: 有 critical 問題則 exit 1
+  console.log('\n🚦 Step9: 嚴重問題檢查');
  const criticalCount = filtered.filter(f => f.level === 'critical').length;
  if (criticalCount > 0) {
    console.log(`  ❌ 發現 ${criticalCount} 個嚴重問題，workflow 結束（exit 1）`);
@@ -114,7 +146,6 @@ async function main() {
    process.exit(1);
  }
  console.log('  ✅ 無嚴重問題');
-
  console.log('\n✅ Pipeline 完成');
  console.log('='.repeat(60));
 }
@@ -3,7 +3,7 @@
  "version": "1.0.0",
  "type": "module",
  "scripts": {
-    "test": "node --test git.test.js config.test.js llm.test.js"
+    "test": "node --test *.test.js"
  },
  "dependencies": {
    "axios": "^1.6.7",
@@ -1,8 +1,9 @@
 import fs from 'fs';
 import path from 'path';
+import { fileURLToPath } from 'url';
 import yaml from 'js-yaml';

-const ROLES_DIR = '/action/app/prompts/roles';
+const ROLES_DIR = path.join(fileURLToPath(import.meta.url), '..', 'prompts', 'roles');

 export function loadRoles() {
  return fs.readdirSync(ROLES_DIR)
Author	SHA1	Message	Date
jiantw83	fade942267	refactor: add new suggestion for comments.js and enhance filterDiff tests for better coverage	2026-05-13 01:18:21 +00:00
jiantw83	4834396652	refactor: streamline JSON file reading logic and improve error handling in findings.js and git.js	2026-05-13 01:16:34 +00:00
AI Review Bot	0108a05886	chore: update ai-review findings [skip ci]	2026-05-13 01:14:09 +00:00
jiantw83	6db660f872	refactor: update TODO stages to reflect current status and improve clarity; modify diff filtering logic in gitea.js and main.js	2026-05-13 01:12:20 +00:00
jiantw83	45468d89d3	refactor: reorganize TODO stages for clarity and update section titles	2026-05-13 01:08:04 +00:00
jiantw83	6c6680fd3e	feat: enhance JSON format validation with backup and reset mechanism on error	2026-05-13 01:06:11 +00:00
jiantw83	49a02ebb6b	feat: add JSON format validation for findings and exclusions after processing	2026-05-13 01:02:33 +00:00
AI Review Bot	37cf5f82fa	chore: update ai-review findings [skip ci]	2026-05-13 00:51:30 +00:00
jiantw83	fd854649db	refactor: improve comment formatting and streamline AI handling in findings processing	2026-05-13 00:49:23 +00:00
jiantw83	de8de251ba	feat: exclude .gitea/ directory from Git Diff analysis and update TODO	2026-05-13 00:41:12 +00:00
admin	fe7381c36e	更新 README.md	2026-05-12 10:22:02 +00:00
admin	abfd594bb2	更新 .gitea/workflows/review.yaml	2026-05-12 10:21:27 +00:00
admin	8878165a81	更新 .gitea/workflows/review.yaml	2026-05-12 10:19:32 +00:00
admin	818342d27b	更新 README.md	2026-05-12 10:19:10 +00:00
Jeffery	d95213334b	feat: add concurrency settings and branch ignore for pull request workflows	2026-05-12 18:17:14 +08:00
jiantw83	ea64c5f063	Merge pull request 'feat: 使用 kiro 重構 ai code review' (#85 ) from feat/refactor/main into develop Reviewed-on: jiantw83/code-review#85	2026-05-12 10:06:38 +00:00
AI Review Bot	931481179a	chore: update ai-review findings [skip ci]	2026-05-12 10:02:45 +00:00
jiantw83	52fa3acf18	feat: update GEMINI_BASE_URL to v1beta for improved API compatibility	2026-05-12 09:58:43 +00:00
jiantw83	c751a53d43	feat: enhance exclusions.json with new suggestions and refactor roles.js for dynamic path resolution	2026-05-12 09:57:33 +00:00
jiantw83	2aba414d36	feat: update GEMINI_BASE_URL to use v1 endpoint in workflow and documentation	2026-05-12 09:52:42 +00:00
AI Review Bot	d565b79feb	chore: update ai-review findings [skip ci]	2026-05-12 09:50:51 +00:00
jiantw83	81d5e3ff13	feat: update exclusions.json suggestions and refactor Dockerfile for improved npm installation	2026-05-12 09:40:56 +00:00
jiantw83	1ccc2cd560	feat: add GITEA_SKIP_TLS_VERIFY support for skipping SSL/TLS verification in Gitea integration	2026-05-12 09:37:51 +00:00
AI Review Bot	c815c30088	chore: update ai-review findings [skip ci]	2026-05-12 09:31:01 +00:00