fix: enhance suggestions in exclusions.json for clarity and accuracy; update filterFalsePositivesWithAI to accept exclusions

Co-authored-by: Copilot <copilot@github.com>

.gitea/ai-review/exclusions.json

@@ -0,0 +1,28 @@
+[
+  {
+    "role": "Rex",
+    "location": "app/git.js",
+    "suggestion": "請避免將敏感資料（如 GITEA_TOKEN）直接寫入環境變數"
+  },
+  {
+    "location": "app/git.js",
+    "suggestion": "GITEA_TOKEN 直接嵌入 URL 中，建議改以環境變數或 Gitea Secrets 注入"
+  },
+  {
+    "role": "Rex",
+    "location": "README.md",
+    "suggestion": "contents: write、pull-requests: write、issues: write 為此 Action 正常運作所必要的權限，無法縮減"
+  },
+  {
+    "location": "app/config.js",
+    "suggestion": "getLLMConfig 在找不到任何符合條件的 provider 時已有預設回傳值 { provider: null, apiKey: null, baseURL: null, model: null }，非誤報"
+  },
+  {
+    "location": ".gitea/ai-review/exclusions.json",
+    "suggestion": "exclusions.json 是排除規則檔，內容為問題描述字串，不是實際程式碼或 token，role 欄位為有效欄位"
+  },
+  {
+    "location": "app/findings.js",
+    "suggestion": "filterFalsePositivesWithAI 拋出的 Error 會被 catch 攔截並降級回傳原始 findings，不會中斷流程"
+  }
+]

.gitea/ai-review/findings.json

@@ -1 +1,247 @@
-[]
+[
+  {
+    "level": "critical",
+    "role": "Aria",
+    "location": ".gitea/ai-review/exclusions.json",
+    "suggestion": "新增的條目包含 `role` 欄位，但目前的 JSON schema 只接受 `location` 與 `suggestion`，此欄位會導致驗證失敗，請移除或更新 schema。",
+    "is_new": false
+  },
+  {
+    "level": "critical",
+    "role": "Aria",
+    "location": ".gitea/ai-review/exclusions.json:12",
+    "suggestion": "移除 `role` 欄位，JSON schema 只接受 `location` 與 `suggestion`，保留這兩個欄位即可，避免驗證失敗。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Leo",
+    "location": "app/config.js:5",
+    "suggestion": "目前使用硬編碼的 `checks` 陣列來管理所有 LLM provider，未來若要新增或移除 provider 必須直接修改程式碼，易產生重複與維護負擔。建議將 provider 設定抽離至外部 JSON/YAML 檔或使用可擴充的資料結構，並在程式中載入，提升模組化與可維護性。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Rex",
+    "location": ".gitea/workflows/review.yaml:33",
+    "suggestion": "工作流程目前授予 contents、pull‑requests、issues 三項 write 權限，過於寬鬆。建議依實際需求僅授予 read 或最小必要的 write 權限，以降低被濫用的風險。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Rex",
+    "location": ".gitea/workflows/review.yaml:35",
+    "suggestion": "將 OPENAI_API_KEY 參數改為使用正確的 secret 名稱（如 OPENROUTER_API_KEY）時，請確保工作流程文件中不會同時暴露兩個不同的 secret 名稱，以免因名稱錯誤導致金鑰未傳入或意外洩漏。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": ".gitea/workflows/review.yaml:33",
+    "suggestion": "在 `OPENAI_API_KEY` 後的註解前應保留一個空格，以符合常見的 YAML 註解風格：`... ${{ secrets.OPENROUTER_API_KEY }}  # OpenRouter 使用 OpenAI 相容介面，以 OPENAI_API_KEY 傳入`。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "README.md",
+    "suggestion": "文件中章節編號不連續（例如 `### 2. OpenRouter` 後直接跳到 `### 3. Anthropic Claude`），建議重新編號或使用一致的標題層級，以提升可讀性與維護性。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "app/config.js",
+    "suggestion": "`checks` 陣列的每一行過長，超過 120 個字元，建議拆成多行並對齊欄位，以符合程式碼可讀性與行長限制的慣例。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "app/config.js",
+    "suggestion": "`amazonq` 那一行的空格對齊與其他項目不一致，請統一使用單一個空格分隔欄位，或使用對齊工具保持列的垂直對齊。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Leo",
+    "location": "app/config.js:12",
+    "suggestion": "目前使用硬編碼的 `checks` 陣列管理所有 LLM provider，未來若要新增或移除 provider 必須直接修改程式碼，易產生重複與維護負擔。建議將 provider 設定抽離至外部 JSON/YAML 檔或使用可擴充的資料結構，於程式中載入，以提升模組化與可維護性。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Zara",
+    "location": "app/config.js:12",
+    "suggestion": "改用映射表（Map）或物件儲存 provider 設定，並以 O(1) 方式查找符合條件的項目，減少每次呼叫時的線性掃描成本。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Rex",
+    "location": ".gitea/workflows/review.yaml:33-35",
+    "suggestion": "工作流程目前授予 contents、pull‑requests、issues 三項 write 權限過於寬鬆。建議依實際需求僅授予 read 或最小必要的 write 權限，降低被濫用的風險。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Rex",
+    "location": ".gitea/workflows/review.yaml:33",
+    "suggestion": "將 OPENAI_API_KEY 參數改為使用正確的 secret 名稱（如 OPENROUTER_API_KEY）時，請確保工作流程檔案中不會同時暴露兩個不同的 secret 名稱，以免因名稱錯誤導致金鑰未傳入或意外洩漏。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Rex",
+    "location": "app/config.js:12",
+    "suggestion": "在判斷 API 金鑰是否有效時，應先檢查 key 是否為非空字串，避免空字串被誤認為有效金鑰而發送請求。可改為 `if (key && key.trim() && baseURL) …`。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": ".gitea/ai-review/exclusions.json",
+    "suggestion": "檔案最後缺少換行符號，請在檔案結尾加入一個空白換行，以符合 POSIX 標準。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": ".gitea/ai-review/findings.json",
+    "suggestion": "檔案最後缺少換行符號，請在檔案結尾加入一個空白換行。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "app/config.js:12-13",
+    "suggestion": "`checks` 陣列每一行超過 120 個字元，請拆成多行並對齊欄位，以符合常見的行長限制。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "app/config.js:13",
+    "suggestion": "`amazonq` 那一行的空格對齊與其他項目不一致，請統一使用單一個空格分隔欄位或使用對齊工具保持列的垂直對齊。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "app/config.test.js",
+    "suggestion": "檔案最後缺少換行符號，請在檔案結尾加入空白換行。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "README.md:28",
+    "suggestion": "文件中章節編號不連續（例如 `### 2. OpenRouter` 後直接跳到 `### 3. Anthropic Claude`），請重新編號或使用自動編號方式，保持編號連續。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "README.md:42",
+    "suggestion": "標題層級使用不一致，部分章節使用 `### 1.`、`### 2.`，而後面的章節直接跳到 `### 3.`，建議統一使用相同層級的 Markdown 標題，並在每個標題後留一個空行以提升可讀性。",
+    "is_new": false
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "action.yaml:72-99",
+    "suggestion": "大量移除的輸入欄位留下多行空白與註解，請整理檔案結構，移除不必要的空行與註解，保持檔案整潔。",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Zara",
+    "location": "app/config.js",
+    "suggestion": "對於未設定 API 金鑰的 provider（如 ollama），可提前返回快取的預設設定，避免每次呼叫都進行條件檢查。",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Rex",
+    "location": "README.md:28",
+    "suggestion": "文件中列出的權限說明應與實際 workflow 中的 permissions 保持一致，並提醒使用者僅在必要時授予 write 權限，避免在 CI/CD 環境中過度授權。",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Rex",
+    "location": "app/config.js:12",
+    "suggestion": "在取得 LLM 設定時，若 key 為空字串仍會被視為有效。建議在判斷前先檢查 key 是否為非空字串，以防止意外使用空的 API 金鑰發送請求。",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Aria",
+    "location": "app/config.test.js",
+    "suggestion": "匯入語句過長，建議改寫為多行匯入，例如：\n```js\nimport {\n  describe,\n  it,\n  beforeEach,\n  afterEach\n} from 'node:test';\n```",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Aria",
+    "location": "app/config.test.js",
+    "suggestion": "`ENV_KEYS` 陣列過長，建議分行列舉，每行放置一個環境變數，以提升可讀性。",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Aria",
+    "location": "app/findings.js",
+    "suggestion": "錯誤訊息 `AI 回傳空陣列或非陣列` 可簡化為 `AI 回傳的結果不是有效的非空陣列`，讓訊息更清晰。",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Leo",
+    "location": "app/config.js:12",
+    "suggestion": "`checks` 陣列的每一行過長，超過 120 個字元，建議拆成多行並對齊欄位，以符合程式碼可讀性與行長限制的慣例。",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Leo",
+    "location": "app/findings.js:151",
+    "suggestion": "函式內使用 `console.log` 輸出過濾結果，可能在正式環境產生過多日誌。建議改以 logger 並提供可設定的 log level，或在非除錯模式下移除此輸出。",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Leo",
+    "location": "app/config.test.js:1",
+    "suggestion": "匯入語句過長，建議改寫為多行匯入，以提升可讀性，例如：\n```js\nimport {\n  describe,\n  it,\n  beforeEach,\n  afterEach\n} from 'node:test';\n```",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Leo",
+    "location": "app/config.test.js:9",
+    "suggestion": "`ENV_KEYS` 陣列過長，建議分行列舉，每行放置一個環境變數，以提升可讀性與維護性。",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Aria",
+    "location": "app/config.test.js:1",
+    "suggestion": "匯入語句過長，建議改寫為多行匯入，例如：\n```js\nimport {\n  describe,\n  it,\n  beforeEach,\n  afterEach\n} from 'node:test';\n```",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Aria",
+    "location": "app/config.test.js:7",
+    "suggestion": "`ENV_KEYS` 陣列過長，建議每行放置一個環境變數，分行列舉以提升可讀性。",
+    "is_new": false
+  },
+  {
+    "level": "info",
+    "role": "Aria",
+    "location": ".gitea/workflows/review.yaml:33",
+    "suggestion": "在 `OPENAI_API_KEY` 後的註解前保留一個空格，以符合常見的 YAML 註解風格：`... ${{ secrets.OPENROUTER_API_KEY }}  # OpenRouter 使用 OpenAI 相容介面，以 OPENAI_API_KEY 傳入`。",
+    "is_new": false
+  }
+]

.gitea/workflows/review.yaml

@@ -1,6 +1,11 @@
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
   pull_request:
+    branches-ignore:
+    - master
     types: [opened, synchronize]
 jobs:
   version:
@@ -28,8 +33,9 @@ jobs:
     - name: AI Code Review
       uses: https://gitea.jsc.idv.tw/jiantw83/code-review@v${{ needs.version.outputs.version }}
       with:
-        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        OPENAI_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}  # OpenRouter 使用 OpenAI 相容介面，以 OPENAI_API_KEY 傳入
         OPENAI_BASE_URL: https://openrouter.ai/api/v1
+        OPENAI_MODEL: ${{ vars.OPENROUTER_MODEL }}
     permissions:
       contents: write
       pull-requests: write

Dockerfile

@@ -1,8 +1,9 @@
-FROM node:20-slim
+FROM alpine
 
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apk add --no-cache bash nodejs npm git \
-    git \
+    && node --version \
-    && rm -rf /var/lib/apt/lists/*
+    && npm --version \
+    && git --version
 
 WORKDIR /action
 

README.md

@@ -6,12 +6,13 @@
 
 1. 服務名稱、模型名稱、角色資訊(個性、符合個性的英文名稱、工作內容)，Comment 到 Push Request
 2. 每個角色個別分析 Git Diff 的內容產生新問題表格(問題等級、角色名稱、問題位置或行數、修改建議)
-3. 讀取所有未解決的舊問題(問題檔案存在於使用此 Action 的專案固定位置)加上新問題後，去除重複產生本次 Push Request 的問題表格(PR問題表格)覆蓋問題檔案
+3. 讀取所有未解決的舊問題(問題檔案 `.gitea/ai-review/findings.json` 存在於使用此 Action 的專案固定位置)加上新問題後，去除重複產生本次 Push Request 的問題表格(PR問題表格)覆蓋問題檔案
-4. 從PR問題表格中取出所有舊問題，依照等級排序後 Comment 到 Push Request
+4. 讀取排除問題檔案(`.gitea/ai-review/exclusions.json` 存在於使用此 Action 的專案固定位置)，用來過濾PR問題表格中不需要處理的問題
-5. 從PR問題表格中取出所有新問題，排除嚴重等級的問題後 Comment 到 Push Request
+5. 從PR問題表格中取出所有舊問題，依照等級排序後 Comment 到 Push Request
-6. 從PR問題表格中取出所有新問題，將每個嚴重等級的問題 Comment 到 Push Request
+6. 從PR問題表格中取出所有新問題，排除嚴重等級的問題後 Comment 到 Push Request
-7. Commit 問題檔案
+7. 從PR問題表格中取出所有新問題，將每個嚴重等級的問題 Comment 到 Push Request
-8. 如果PR問題表格中有嚴重問題，則不要讓 workflow 執行成功(exit 1)
+8. Commit 問題檔案
+9. 如果PR問題表格中有嚴重問題，則不要讓 workflow 執行成功(exit 1)
 
 # 設計
 
@@ -27,7 +28,7 @@
 2. 在 `.gitea/workflows` 資料夾中建立 `ai-review.yaml'
 3. 在 `ai-review.yaml` 中填入以下內容(選擇一個使用)：
 
-### 1. OpenAI（OpenRouter）
+### 1. OpenAI
 ```yaml
 name: AI
 on:
@@ -41,17 +42,39 @@ jobs:
     - name: AI Code Review
       uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
-        # Github (h3285@evertrust.com.tw)
-        # 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
         OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-        OPENAI_BASE_URL: https://openrouter.ai/api/v1
+        OPENAI_BASE_URL: https://api.openai.com/v1
+        OPENAI_MODEL: ${{ vars.OPENAI_MODEL }}
     permissions:
       contents: write
       pull-requests: write
       issues: write
 ```
 
-### 2. Anthropic Claude
+### 2. OpenRouter
+```yaml
+name: AI
+on:
+  pull_request:
+    types: [opened, synchronize]
+jobs:
+  code-review:
+    name: 'Code Review'
+    runs-on: ubuntu
+    steps:
+    - name: AI Code Review
+      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      with:
+        OPENAI_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}  # OpenRouter 使用 OpenAI 相容介面，以 OPENAI_API_KEY 傳入
+        OPENAI_BASE_URL: https://openrouter.ai/api/v1
+        OPENAI_MODEL: ${{ vars.OPENROUTER_MODEL }}
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+```
+
+### 3. Anthropic Claude
 ```yaml
 name: AI
 on:
@@ -73,7 +96,7 @@ jobs:
       issues: write
 ```
 
-### 3. Google Gemini
+### 4. Google Gemini
 ```yaml
 name: AI
 on:
@@ -89,13 +112,14 @@ jobs:
       with:
         GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
         GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
+        GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
     permissions:
       contents: write
       pull-requests: write
       issues: write
 ```
 
-### 4. Amazon Q
+### 5. Amazon Q
 ```yaml
 name: AI
 on:
@@ -117,138 +141,6 @@ jobs:
       issues: write
 ```
 
-### 5. SonarQube
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        SONARQUBE_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
-        SONARQUBE_URL: https://sonarqube.example.com
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
-### 6. Kilo Code
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        KILO_API_KEY: ${{ secrets.KILO_API_KEY }}
-        KILO_BASE_URL: https://api.kilocode.com/v1
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
-### 7. Roo Code
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        ROO_API_KEY: ${{ secrets.ROO_API_KEY }}
-        ROO_BASE_URL: https://api.roocode.com/v1
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
-### 8. Cline
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        CLINE_API_KEY: ${{ secrets.CLINE_API_KEY }}
-        CLINE_BASE_URL: https://api.cline.dev/v1
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
-### 9. Continue
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }}
-        CONTINUE_BASE_URL: https://api.continue.dev/v1
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
-### 10. Kade
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        KADE_API_KEY: ${{ secrets.KADE_API_KEY }}
-        KADE_BASE_URL: https://api.kade.dev/v1
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
 ### - Ollama
 
 ```yaml
@@ -264,7 +156,7 @@ jobs:
     - name: AI Code Review
         uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
         with:
-          OLLAMA_BASE_URL: ${{ vars.OLLAMA_BASE_URL }}
+          OLLAMA_BASE_URL: https://ollama.jsc.idv.me/v1
           OLLAMA_MODEL: ${{ vars.OLLAMA_MODEL }}
     permissions:
       contents: write

TODO.md

@@ -8,26 +8,33 @@
 ## 階段二：Findings 產生與合併
 - 目標：各角色（style/security/performance/maintainability/testing）能產生 findings，並正確合併新舊 findings。
 - 驗收：log 中能看到每個角色 findings 數量、合併後 findings 統計，並有「Step3: merged findings total=...」等訊息。
+- 完成
 
 ## 階段三：AI 去重與角色確認
 - 目標：嘗試呼叫 LLM 進行 findings 去重與角色確認，API 額度不足時要有降級處理 log。
 - 驗收：log 中能看到 deduplication/resolution confirmation 成功或失敗（如 402），降級時有「保留所有問題」等明確訊息。
+- 完成
 
-## 階段四：findings 寫入與 comment 發布
+## 階段四：AI 排除問題過濾
-- 目標：findings.jsonl 正確寫入，comment 發布順序正確（舊問題→非嚴重→嚴重），每步有 log。
+- 目標：讀取排除問題檔案（`.gitea/ai-review/exclusions.json`）進行規則過濾，並呼叫 AI 判斷剩餘問題是否為誤報或不適用，兩層過濾後產生最終問題清單。
-- 驗收：log 中能看到 findings 寫入、comment sync 的詳細訊息與順序。
+- 驗收：log 中能看到排除問題檔案讀取成功或不存在的訊息、規則過濾數量變化，以及「AI 誤報過濾: N -> M 筆」或降級訊息。
+- 完成
 
-## 階段五：記憶區 commit/push 與錯誤處理
+## 階段五：findings 寫入與 comment 發布
+- 目標：`.gitea/ai-review/findings.json` 正確寫入，comment 發布順序正確（舊問題→非嚴重→嚴重），每步有 log。
+- 驗收：log 中能看到 `.gitea/ai-review/findings.json` 寫入、comment sync 的詳細訊息與順序。
+- 完成
+
+## 階段六：記憶區 commit/push 與錯誤處理
 - 目標：記憶區能成功 commit/push，錯誤時有明確 log，流程結束有總結訊息。
 - 驗收：log 有「persisted findings」、「commit=...」、「push=...」等訊息，錯誤時有「Runner failed: ...」等明確錯誤說明。
+- 完成
 
-## 階段六：阻擋嚴重問題 PR（第 8 點）
+## 階段七：阻擋嚴重問題 PR（第 8 點）
 - 目標：如果 PR 問題表格中有嚴重（critical）問題，workflow 需直接 exit 1，不讓流程成功。
 - 驗收：log 中能看到「critical 問題存在，workflow 結束（exit 1）」等明確訊息，且 workflow 狀態為失敗。
+- 完成
 
 ---
 
-每個階段都會加上明確的 log，並確保即使部分功能未完成也能降級執行、不會中斷 pipeline。
+所有階段驗收通過。
-
-每次執行後請貼 log，我會協助 debug。
-

action.yaml

@@ -72,53 +72,7 @@ inputs:
     description: 'Amazon Q Base URL'
     required: false
 
-  # SonarQube
-  SONARQUBE_TOKEN:
-    description: 'SonarQube Token'
-    required: false
-  SONARQUBE_URL:
-    description: 'SonarQube URL'
-    required: false
 
-  # Kilo Code
-  KILO_API_KEY:
-    description: 'Kilo Code API Key'
-    required: false
-  KILO_BASE_URL:
-    description: 'Kilo Code Base URL'
-    required: false
-
-  # Roo Code
-  ROO_API_KEY:
-    description: 'Roo Code API Key'
-    required: false
-  ROO_BASE_URL:
-    description: 'Roo Code Base URL'
-    required: false
-
-  # Cline
-  CLINE_API_KEY:
-    description: 'Cline API Key'
-    required: false
-  CLINE_BASE_URL:
-    description: 'Cline Base URL'
-    required: false
-
-  # Continue
-  CONTINUE_API_KEY:
-    description: 'Continue API Key'
-    required: false
-  CONTINUE_BASE_URL:
-    description: 'Continue Base URL'
-    required: false
-
-  # Kade
-  KADE_API_KEY:
-    description: 'Kade API Key'
-    required: false
-  KADE_BASE_URL:
-    description: 'Kade Base URL'
-    required: false
 
 runs:
   using: 'docker'
@@ -145,15 +99,3 @@ runs:
     OLLAMA_MODEL: ${{ inputs.OLLAMA_MODEL }}
     AMAZONQ_API_KEY: ${{ inputs.AMAZONQ_API_KEY }}
     AMAZONQ_BASE_URL: ${{ inputs.AMAZONQ_BASE_URL }}
-    SONARQUBE_TOKEN: ${{ inputs.SONARQUBE_TOKEN }}
-    SONARQUBE_URL: ${{ inputs.SONARQUBE_URL }}
-    KILO_API_KEY: ${{ inputs.KILO_API_KEY }}
-    KILO_BASE_URL: ${{ inputs.KILO_BASE_URL }}
-    ROO_API_KEY: ${{ inputs.ROO_API_KEY }}
-    ROO_BASE_URL: ${{ inputs.ROO_BASE_URL }}
-    CLINE_API_KEY: ${{ inputs.CLINE_API_KEY }}
-    CLINE_BASE_URL: ${{ inputs.CLINE_BASE_URL }}
-    CONTINUE_API_KEY: ${{ inputs.CONTINUE_API_KEY }}
-    CONTINUE_BASE_URL: ${{ inputs.CONTINUE_BASE_URL }}
-    KADE_API_KEY: ${{ inputs.KADE_API_KEY }}
-    KADE_BASE_URL: ${{ inputs.KADE_BASE_URL }}

app/config.js

@@ -6,19 +6,15 @@ export const PR_HEAD_BRANCH = process.env.PR_HEAD_BRANCH || '';
 export const PR_BASE_BRANCH = process.env.PR_BASE_BRANCH || '';
 
 export const FINDINGS_PATH = '.gitea/ai-review/findings.json';
+export const EXCLUSIONS_PATH = '.gitea/ai-review/exclusions.json';
 
 export function getLLMConfig() {
   const checks = [
     ['openai',   process.env.OPENAI_API_KEY,   process.env.OPENAI_BASE_URL || 'https://api.openai.com/v1',   process.env.OPENAI_MODEL || 'gpt-4o-mini'],
     ['claude',   process.env.CLAUDE_API_KEY,   process.env.CLAUDE_BASE_URL || 'https://api.anthropic.com/v1', process.env.CLAUDE_MODEL || 'claude-3-haiku-20240307'],
-    ['gemini',   process.env.GEMINI_API_KEY,   process.env.GEMINI_BASE_URL || 'https://generativelanguage.googleapis.com/v1beta', process.env.GEMINI_MODEL || 'gemini-1.5-flash'],
+    ['gemini',   process.env.GEMINI_API_KEY,   process.env.GEMINI_BASE_URL || 'https://generativelanguage.googleapis.com/v1beta', process.env.GEMINI_MODEL || 'gemini-2.5-flash'],
     ['ollama',   'ollama',                      process.env.OLLAMA_BASE_URL,  process.env.OLLAMA_MODEL],
-    ['amazonq',  process.env.AMAZONQ_API_KEY,  process.env.AMAZONQ_BASE_URL || 'https://q.api.aws', process.env.OPENAI_MODEL || 'amazon-q'],
+    ['amazonq',  process.env.AMAZONQ_API_KEY,  process.env.AMAZONQ_BASE_URL  || 'https://q.api.aws',              process.env.AMAZONQ_MODEL  || 'amazon-q'],
-    ['kilo',     process.env.KILO_API_KEY,     process.env.KILO_BASE_URL || 'https://api.kilocode.com/v1', process.env.OPENAI_MODEL || 'kilo-default'],
-    ['roo',      process.env.ROO_API_KEY,      process.env.ROO_BASE_URL || 'https://api.roocode.com/v1', process.env.OPENAI_MODEL || 'roo-default'],
-    ['cline',    process.env.CLINE_API_KEY,    process.env.CLINE_BASE_URL || 'https://api.cline.dev/v1', process.env.OPENAI_MODEL || 'cline-default'],
-    ['continue', process.env.CONTINUE_API_KEY, process.env.CONTINUE_BASE_URL || 'https://api.continue.dev/v1', process.env.OPENAI_MODEL || 'continue-default'],
-    ['kade',     process.env.KADE_API_KEY,     process.env.KADE_BASE_URL || 'https://api.kade.dev/v1', process.env.OPENAI_MODEL || 'kade-default'],
   ];
   for (const [provider, key, baseURL, model] of checks) {
     if (key && baseURL) return { provider, apiKey: key, baseURL, model };

app/config.test.js

@@ -0,0 +1,101 @@
+import { describe, it, beforeEach, afterEach } from 'node:test';
+import assert from 'node:assert/strict';
+import { getLLMConfig } from './config.js';
+
+const ENV_KEYS = [
+  'OPENAI_API_KEY', 'OPENAI_BASE_URL', 'OPENAI_MODEL',
+  'CLAUDE_API_KEY', 'CLAUDE_BASE_URL', 'CLAUDE_MODEL',
+  'GEMINI_API_KEY', 'GEMINI_BASE_URL', 'GEMINI_MODEL',
+  'OLLAMA_BASE_URL', 'OLLAMA_MODEL',
+  'AMAZONQ_API_KEY', 'AMAZONQ_BASE_URL', 'AMAZONQ_MODEL',
+];
+
+let saved = {};
+beforeEach(() => {
+  saved = {};
+  for (const k of ENV_KEYS) { saved[k] = process.env[k]; delete process.env[k]; }
+});
+afterEach(() => {
+  for (const k of ENV_KEYS) {
+    if (saved[k] === undefined) delete process.env[k];
+    else process.env[k] = saved[k];
+  }
+});
+
+describe('getLLMConfig', () => {
+  it('returns null provider when no env vars set', () => {
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, null);
+    assert.equal(cfg.apiKey, null);
+  });
+
+  it('detects openai with defaults', () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'openai');
+    assert.equal(cfg.apiKey, 'sk-test');
+    assert.equal(cfg.baseURL, 'https://api.openai.com/v1');
+    assert.equal(cfg.model, 'gpt-4o-mini');
+  });
+
+  it('detects openai with custom base url and model', () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    process.env.OPENAI_BASE_URL = 'https://openrouter.ai/api/v1';
+    process.env.OPENAI_MODEL = 'gpt-4o';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'openai');
+    assert.equal(cfg.baseURL, 'https://openrouter.ai/api/v1');
+    assert.equal(cfg.model, 'gpt-4o');
+  });
+
+  it('detects gemini with defaults', () => {
+    process.env.GEMINI_API_KEY = 'gemini-key';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'gemini');
+    assert.equal(cfg.model, 'gemini-2.5-flash');
+  });
+
+  it('detects gemini with custom model', () => {
+    process.env.GEMINI_API_KEY = 'gemini-key';
+    process.env.GEMINI_MODEL = 'gemini-2.0-flash';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.model, 'gemini-2.0-flash');
+  });
+
+  it('detects claude with defaults', () => {
+    process.env.CLAUDE_API_KEY = 'claude-key';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'claude');
+    assert.equal(cfg.model, 'claude-3-haiku-20240307');
+  });
+
+  it('detects amazonq with its own model env', () => {
+    process.env.AMAZONQ_API_KEY = 'aq-key';
+    process.env.AMAZONQ_MODEL = 'my-amazon-model';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'amazonq');
+    assert.equal(cfg.model, 'my-amazon-model');
+  });
+
+  it('openai takes priority over gemini when both set', () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    process.env.GEMINI_API_KEY = 'gemini-key';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'openai');
+  });
+
+  it('empty string api key is treated as not set', () => {
+    process.env.OPENAI_API_KEY = '';
+    process.env.GEMINI_API_KEY = 'gemini-key';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'gemini');
+  });
+
+  it('detects ollama without api key', () => {
+    process.env.OLLAMA_BASE_URL = 'http://localhost:11434';
+    process.env.OLLAMA_MODEL = 'llama3';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'ollama');
+    assert.equal(cfg.model, 'llama3');
+  });
+});

app/findings.js

@@ -1,7 +1,7 @@
 import fs from 'fs';
 import path from 'path';
 import { chatJSON } from './llm.js';
-import { FINDINGS_PATH } from './config.js';
+import { FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';
 
 const LEVELS = ['critical', 'warning', 'info'];
 
@@ -93,3 +93,81 @@ export async function deduplicateWithAI(findings) {
     return findings;
   }
 }
+
+/**
+ * 讀取排除問題檔案（從 workspace 的 EXCLUSIONS_PATH）
+ * 格式：[{ role, location, suggestion }]，欄位可部分省略，省略表示萬用
+ */
+export function loadExclusions(workspace) {
+  const fullPath = path.join(workspace, EXCLUSIONS_PATH);
+  if (!fs.existsSync(fullPath)) {
+    console.log('  排除問題檔案不存在，跳過過濾');
+    return [];
+  }
+  try {
+    const data = JSON.parse(fs.readFileSync(fullPath, 'utf8'));
+    const exclusions = Array.isArray(data) ? data : [];
+    console.log(`  讀取排除問題: ${exclusions.length} 筆`);
+    return exclusions;
+  } catch (e) {
+    console.log(`  ⚠️  讀取排除問題失敗: ${e.message}，跳過過濾`);
+    return [];
+  }
+}
+
+/**
+ * 套用排除規則，過濾掉符合排除條件的 findings
+ * location 只比對檔案路徑（忽略行數），suggestion 省略時視為萬用
+ */
+export function applyExclusions(findings, exclusions) {
+  if (exclusions.length === 0) return findings;
+  const before = findings.length;
+  const filtered = findings.filter(f => !exclusions.some(ex => {
+    const fPath = String(f.location).split(':')[0];
+    const exPath = ex.location ? String(ex.location).split(':')[0] : null;
+    return (!exPath || fPath === exPath) &&
+           (!ex.role || ex.role === f.role);
+  }));
+  console.log(`  排除過濾: ${before} -> ${filtered.length} 筆（排除 ${before - filtered.length} 筆）`);
+  return filtered;
+}
+
+/**
+ * 呼叫 AI 判斷哪些問題是誤報或不需處理，回傳需保留的 findings
+ * exclusions 為已知誤報清單，供 AI 參考判斷
+ * 失敗時降級回傳原始 findings
+ */
+export async function filterFalsePositivesWithAI(findings, exclusions = []) {
+  if (findings.length === 0) return findings;
+
+  const exclusionHint = exclusions.length > 0
+    ? `\n\n以下是已知的誤報或不需處理的問題清單（供參考，相同檔案路徑且語意相近的問題應一併排除）：\n${JSON.stringify(exclusions, null, 2)}`
+    : '';
+
+  const systemPrompt = `你是一位資深程式碼審查專家，負責判斷審查問題是否為誤報或不需處理。
+給你一份問題清單（JSON 陣列），每筆包含 level、role、location、suggestion。
+請移除以下類型的問題：
+1. 誤報：問題描述與實際程式碼不符（例如：程式碼已正確使用環境變數或 secrets，卻被標記為硬編碼敏感資料）
+2. 不適用：問題在此專案情境下不需處理（例如：CI/CD action 本來就需要透過環境變數傳遞 token）
+3. 與已知誤報清單語意相近的問題（檔案路徑相同且建議內容相似）
+只回傳需要保留的問題 JSON 陣列，不要有其他文字。${exclusionHint}`;
+
+  const userContent = `請判斷以下問題清單，移除誤報或不需處理的問題：\n\n${JSON.stringify(findings, null, 2)}`;
+
+  try {
+    const result = await chatJSON(systemPrompt, userContent);
+    if (Array.isArray(result) && result.length > 0) {
+      console.log(`  AI 誤報過濾: ${findings.length} -> ${result.length} 筆`);
+      return result;
+    }
+    throw new Error('AI 回傳空陣列或非陣列');
+  } catch (e) {
+    const status = e.response?.status;
+    if (status === 402 || status === 429) {
+      console.log(`  ⚠️  AI 誤報過濾失敗（${status} 額度/限流），降級：保留所有問題`);
+    } else {
+      console.log(`  ⚠️  AI 誤報過濾失敗（${e.message}），降級：保留所有問題`);
+    }
+    return findings;
+  }
+}

app/git.js

@@ -1,25 +1,92 @@
+import { spawnSync } from 'child_process';
 import fs from 'fs';
 import path from 'path';
-import { commitFile } from './gitea.js';
+import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH } from './config.js';
-import { FINDINGS_PATH } from './config.js';
+
+function makeRunner(spawn) {
+  return function run(args, cwd, env) {
+    const opts = { cwd, encoding: 'utf8' };
+    if (env) opts.env = env;
+    const result = spawn('git', args, opts);
+    if (result.error) throw result.error;
+    if (result.status !== 0) throw new Error((result.stderr || result.stdout || '').trim());
+    return (result.stdout || '').trim();
+  };
+}
 
 /**
- * 透過 Gitea API 將 findings.json push 到來源分支（不需要 git binary）
+ * Clone PR head branch to workspace/repo (idempotent)
  */
-export async function commitAndPush(workspace) {
+export function cloneRepo(workspace, _spawnSync = spawnSync) {
+  const run = makeRunner(_spawnSync);
+  const baseUrl = GITEA_SERVER_URL.replace(/\/$/, '');
+  const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
+  const repoDir = path.join(workspace, 'repo');
+
+  const askpassScript = path.join(workspace, '.git-askpass.sh');
+  fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
+  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
+
   try {
-    const fullPath = path.join(workspace, FINDINGS_PATH);
+    if (!fs.existsSync(repoDir)) {
-    const content = fs.readFileSync(fullPath, 'utf8');
+      run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
-    console.log(`  [debug] FINDINGS_PATH=${FINDINGS_PATH} branch=${process.env.PR_HEAD_BRANCH} token=${process.env.GITEA_TOKEN ? '***' : 'EMPTY'}`);
+      console.log(`  ✅ repo cloned to ${repoDir}`);
-    const result = await commitFile(
+    } else {
-      FINDINGS_PATH,
+      run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv);
-      content,
+      run(['checkout', PR_HEAD_BRANCH], repoDir);
-      'chore: update ai-review findings [skip ci]'
+      console.log(`  ✅ repo already exists, fetched latest`);
-    );
+    }
-    const commitHash = result.commit?.sha?.slice(0, 7) || 'unknown';
+  } finally {
-    console.log(`  ✅ persisted findings  commit=${commitHash}  push=${process.env.PR_HEAD_BRANCH}`);
+    try { fs.unlinkSync(askpassScript); } catch {}
+  }
+  return repoDir;
+}
+
+export async function commitAndPush(workspace, _spawnSync = spawnSync) {
+  const run = makeRunner(_spawnSync);
+
+  const baseUrl = GITEA_SERVER_URL.replace(/\/$/, '');
+  const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
+  const repoDir = path.join(workspace, 'repo');
+
+  // Write a temporary askpass script that reads the token from an env var,
+  // so the token value never appears in the script file itself
+  const askpassScript = path.join(workspace, '.git-askpass.sh');
+  fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
+
+  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
+
+  try {
+    if (!fs.existsSync(repoDir)) {
+      run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
+    }
+
+    run(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
+    run(['config', 'user.name', 'AI Review Bot'], repoDir);
+    run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv);
+    run(['checkout', PR_HEAD_BRANCH], repoDir);
+
+    // 將 findings.json 從 workspace 複製到 clone 的 repo
+    const srcFindings = path.join(workspace, FINDINGS_PATH);
+    const destFindings = path.join(repoDir, FINDINGS_PATH);
+    fs.mkdirSync(path.dirname(destFindings), { recursive: true });
+    fs.copyFileSync(srcFindings, destFindings);
+
+    run(['add', FINDINGS_PATH], repoDir);
+
+    const status = run(['status', '--porcelain'], repoDir);
+    if (!status) {
+      console.log('  findings.json 無變更，跳過 commit');
+      return;
+    }
+
+    const out = run(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
+    const commitHash = out.match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown';
+    run(['push', remoteUrl, PR_HEAD_BRANCH], repoDir, credEnv);
+    console.log(`  ✅ persisted findings  commit=${commitHash}  push=${PR_HEAD_BRANCH}`);
   } catch (e) {
-    const detail = e.response?.data ? JSON.stringify(e.response.data) : e.message;
+    console.log(`  ⚠️  Runner failed: commit/push 失敗: ${e.message}`);
-    console.log(`  ⚠️  Runner failed: commit/push 失敗: ${e.response?.status || ''} ${detail}`);
+  } finally {
+    try { fs.unlinkSync(askpassScript); } catch {}
   }
 }

app/git.test.js

@@ -0,0 +1,149 @@
+import { describe, it, before, after, beforeEach } from 'node:test';
+import assert from 'node:assert/strict';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { commitAndPush, cloneRepo } from './git.js';
+
+// --- helpers ---
+function makeTmpWorkspace() {
+  const ws = fs.mkdtempSync(path.join(os.tmpdir(), 'git-test-'));
+  // Pre-create repo dir so clone branch is skipped
+  fs.mkdirSync(path.join(ws, 'repo'), { recursive: true });
+  // Create a findings.json to copy
+  const findingsDir = path.join(ws, '.gitea/ai-review');
+  fs.mkdirSync(findingsDir, { recursive: true });
+  fs.writeFileSync(path.join(findingsDir, 'findings.json'), '[]');
+  return ws;
+}
+
+// Default stub: all commands succeed, status returns changes
+function makeSpawn(overrides = {}) {
+  const calls = [];
+  const spawn = (cmd, args, opts) => {
+    const key = args[0];
+    calls.push({ cmd, args, opts });
+    if (overrides[key]) return overrides[key](args, opts);
+    if (key === 'status') return { status: 0, stdout: 'M .gitea/ai-review/findings.json', stderr: '', error: null };
+    if (key === 'commit') return { status: 0, stdout: '[feature-branch abc1234] chore', stderr: '', error: null };
+    return { status: 0, stdout: '', stderr: '', error: null };
+  };
+  spawn.calls = calls;
+  return spawn;
+}
+
+describe('commitAndPush', () => {
+  let workspace;
+
+  before(() => { workspace = makeTmpWorkspace(); });
+  after(() => { fs.rmSync(workspace, { recursive: true, force: true }); });
+  beforeEach(() => {
+    // Remove leftover askpass scripts between tests
+    for (const f of fs.readdirSync(workspace)) {
+      if (f.endsWith('.git-askpass.sh')) fs.unlinkSync(path.join(workspace, f));
+    }
+  });
+
+  it('does not embed token in any git command argument', async () => {
+    const spawn = makeSpawn();
+    await commitAndPush(workspace, spawn);
+
+    for (const { args } of spawn.calls) {
+      assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`);
+    }
+  });
+
+  it('uses GIT_ASKPASS env for network operations (fetch, push, clone)', async () => {
+    const spawn = makeSpawn();
+    await commitAndPush(workspace, spawn);
+
+    const networkOps = ['fetch', 'push', 'clone'];
+    const networkCalls = spawn.calls.filter(c => networkOps.includes(c.args[0]));
+    assert.ok(networkCalls.length > 0, 'expected at least one network git call');
+
+    for (const { args, opts } of networkCalls) {
+      assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`);
+    }
+  });
+
+  it('cleans up askpass script after successful run', async () => {
+    await commitAndPush(workspace, makeSpawn());
+    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
+    assert.equal(leftover.length, 0, 'askpass script was not cleaned up');
+  });
+
+  it('cleans up askpass script even when git fails', async () => {
+    const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null });
+    await commitAndPush(workspace, failSpawn);
+    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
+    assert.equal(leftover.length, 0, 'askpass script was not cleaned up after failure');
+  });
+
+  it('skips commit when status shows no changes', async () => {
+    const spawn = makeSpawn({ status: () => ({ status: 0, stdout: '', stderr: '', error: null }) });
+    await commitAndPush(workspace, spawn);
+    const commitCalled = spawn.calls.some(c => c.args[0] === 'commit');
+    assert.equal(commitCalled, false, 'commit should not run when there are no changes');
+  });
+
+  it('does not throw when git command fails', async () => {
+    const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null });
+    await assert.doesNotReject(() => commitAndPush(workspace, failSpawn));
+  });
+});
+
+describe('cloneRepo', () => {
+  let workspace;
+
+  before(() => { workspace = fs.mkdtempSync(path.join(os.tmpdir(), 'clone-test-')); });
+  after(() => { fs.rmSync(workspace, { recursive: true, force: true }); });
+
+  it('clones repo when repoDir does not exist', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
+    assert.ok(cloneCalled, 'expected git clone to be called');
+  });
+
+  it('fetches and checks out when repoDir already exists', () => {
+    const repoDir = path.join(workspace, 'repo');
+    fs.mkdirSync(repoDir, { recursive: true });
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
+    const fetchCalled = spawn.calls.some(c => c.args[0] === 'fetch');
+    assert.ok(!cloneCalled, 'clone should not run when repoDir exists');
+    assert.ok(fetchCalled, 'fetch should run when repoDir exists');
+  });
+
+  it('does not embed token in any git command argument', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    for (const { args } of spawn.calls) {
+      assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`);
+    }
+  });
+
+  it('uses GIT_ASKPASS for network operations', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const networkCalls = spawn.calls.filter(c => ['clone', 'fetch'].includes(c.args[0]));
+    assert.ok(networkCalls.length > 0, 'expected at least one network git call');
+    for (const { args, opts } of networkCalls) {
+      assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`);
+    }
+  });
+
+  it('cleans up askpass script after run', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
+    assert.equal(leftover.length, 0, 'askpass script was not cleaned up');
+  });
+
+  it('returns repoDir path', () => {
+    const spawn = makeSpawn();
+    const result = cloneRepo(workspace, spawn);
+    assert.equal(result, path.join(workspace, 'repo'));
+  });
+});

app/gitea.js

@@ -1,6 +1,6 @@
 import axios from 'axios';
 import https from 'https';
-import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH } from './config.js';
+import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, PR_NUMBER } from './config.js';
 
 const httpsAgent = new https.Agent({ rejectUnauthorized: false });
 const headers = () => ({ Authorization: `token ${GITEA_TOKEN}`, 'Content-Type': 'application/json' });
@@ -15,40 +15,3 @@ export async function postComment(body) {
   const resp = await axios.post(api(`/repos/${GITEA_REPOSITORY}/issues/${PR_NUMBER}/comments`), { body }, { headers: headers(), timeout: 30000, httpsAgent });
   return resp.data;
 }
-
-/**
- * 透過 Gitea API 建立或更新檔案（不需要 git binary）
- */
-export async function commitFile(filePath, content, message) {
-  const encoded = Buffer.from(content).toString('base64');
-  const url = api(`/repos/${GITEA_REPOSITORY}/contents/${filePath}`);
-
-  // 先嘗試取得現有檔案的 SHA
-  let sha;
-  try {
-    const existing = await axios.get(`${url}?ref=${PR_HEAD_BRANCH}`, { headers: headers(), httpsAgent, timeout: 15000 });
-    sha = existing.data.sha;
-    console.log(`  [debug] 取得現有檔案 SHA=${sha}`);
-  } catch (e) {
-    console.log(`  [debug] 檔案不存在，將建立新檔案: ${e.response?.status || e.message}`);
-    sha = undefined;
-  }
-
-  const payload = {
-    message,
-    content: encoded,
-    branch: PR_HEAD_BRANCH,
-    ...(sha ? { sha } : {}),
-  };
-
-  console.log(`  [debug] ${sha ? 'PUT' : 'POST'} ${url} branch=${PR_HEAD_BRANCH}`);
-  const resp = await axios.request({
-    method: sha ? 'put' : 'post',
-    url,
-    headers: headers(),
-    httpsAgent,
-    timeout: 30000,
-    data: payload,
-  });
-  return resp.data;
-}

app/main.js

@@ -1,9 +1,9 @@
 import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig } from './config.js';
 import { loadRoles, getRoleIntro } from './roles.js';
 import { getPRDiff, postComment } from './gitea.js';
-import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI } from './findings.js';
+import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js';
 import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
-import { commitAndPush } from './git.js';
+import { cloneRepo, commitAndPush } from './git.js';
 
 const WORKSPACE = process.env.GITHUB_WORKSPACE || '/workspace';
 
@@ -26,7 +26,6 @@ async function main() {
   console.log(`  已載入 ${roles.length} 個角色: [${roles.map(r => r.name).join(', ')}]`);
 
   // 取得 PR diff
-  console.log('\n📋 Step1: 取得 PR Diff');
   let diff;
   try {
     diff = await getPRDiff();
@@ -42,7 +41,6 @@ async function main() {
   }
 
   // 發布角色介紹 comment
-  console.log('\n💬 Step1: 發布角色介紹 Comment');
   try {
     const intro = getRoleIntro(roles) + `\n\n> 🔍 服務：${provider}  模型：${model}`;
     await postComment(intro);
@@ -50,6 +48,7 @@ async function main() {
   } catch (e) {
     console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
   }
+  console.log('  Step1 完成');
 
   // Step2: 各角色分析 diff 產生新 findings
   console.log('\n📊 Step2: Findings 產生');
@@ -64,38 +63,51 @@ async function main() {
   }
   console.log(`  Step2 完成: 新 findings 總計 ${newFindings.length} 筆`);
 
-  // Step3: 讀取舊 findings，合併去重
+  // Step3: 讀取舊 findings，合併去重（含 AI 語意去重）
   console.log('\n🔀 Step3: Findings 合併');
-  const oldFindings = loadOldFindings(WORKSPACE);
+  // Clone repo 以讀取舊 findings 與排除清單
+  let repoDir;
+  try {
+    repoDir = cloneRepo(WORKSPACE);
+  } catch (e) {
+    console.log(`  ⚠️  clone repo 失敗（繼續執行）: ${e.message}`);
+  }
+  const oldFindings = loadOldFindings(repoDir || WORKSPACE);
   const mergedFindings = mergeFindings(oldFindings, newFindings);
   console.log(`  Step3 merged findings total=${mergedFindings.length}`);
 
-  // Step3b: AI 語意去重
   console.log('\n🤖 Step3b: AI 語意去重');
   const deduped = await deduplicateWithAI(mergedFindings);
   const sorted = sortByLevel(deduped);
   console.log(`  Step3b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`);
 
-  // Step4: 寫入 findings.json，依序發布 comment
+  // Step4: 讀取排除問題檔案，過濾 PR 問題表格，並請 AI 判斷誤報
-  console.log('\n📝 Step4: Findings 寫入與 Comment 發布');
+  console.log('\n🚫 Step4: AI 排除問題過濾');
-  saveFindings(WORKSPACE, sorted);
+  const exclusions = loadExclusions(repoDir || WORKSPACE);
+  const ruleFiltered = applyExclusions(sorted, exclusions);
+  const filtered = await filterFalsePositivesWithAI(ruleFiltered, exclusions);
+  console.log(`  Step4 完成: findings total=${filtered.length}`);
+
+  // Step5: 寫入 findings.json，依序發布 comment
+  console.log('\n📝 Step5: Findings 寫入與 Comment 發布');
+  saveFindings(WORKSPACE, filtered);
 
   try {
-    await postOldFindingsComment(sorted);
+    await postOldFindingsComment(filtered);
-    await postNewNonCriticalComment(sorted);
+    await postNewNonCriticalComment(filtered);
-    await postNewCriticalComments(sorted);
+    await postNewCriticalComments(filtered);
-    console.log('  Step4 完成');
+    console.log('  Step5 完成');
   } catch (e) {
     console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
   }
 
-  // Step5: commit/push findings.json 到來源分支
+  // Step6: commit/push findings.json 到來源分支
-  console.log('\n💾 Step5: 記憶區 Commit/Push');
+  console.log('\n💾 Step6: 記憶區 Commit/Push');
   await commitAndPush(WORKSPACE);
 
-  // Step6: 有 critical 問題則 exit 1
+  // Step7: 有 critical 問題則 exit 1
-  console.log('\n🚦 Step6: 嚴重問題檢查');
+  console.log('\n🚦 Step7: 嚴重問題檢查');
-  const criticalCount = sorted.filter(f => f.level === 'critical').length;
+  const criticalCount = filtered.filter(f => f.level === 'critical').length;
   if (criticalCount > 0) {
     console.log(`  ❌ 發現 ${criticalCount} 個嚴重問題，workflow 結束（exit 1）`);
     console.log('='.repeat(60));

app/package.json

@@ -2,6 +2,9 @@
   "name": "ai-code-review",
   "version": "1.0.0",
   "type": "module",
+  "scripts": {
+    "test": "node --test app/git.test.js"
+  },
   "dependencies": {
     "axios": "^1.6.7",
     "js-yaml": "^4.1.0",

app/roles.js

@@ -12,9 +12,13 @@ export function loadRoles() {
 }
 
 export function getRoleIntro(roles) {
-  const lines = ['## 🤖 AI Code Review 團隊', ''];
+  const lines = [
+    '## 🤖 AI Code Review 團隊', '',
+    '| 👤 名稱 | 🎯 職責 | 🧠 個性 |',
+    '|--------|--------|--------|',
+  ];
   for (const r of roles) {
-    lines.push(`- **${r.name}** (${r.role})：${r.personality}`);
+    lines.push(`| **${r.name}** | ${r.role} | ${r.personality} |`);
   }
   return lines.join('\n');
 }