refactor: optimize AI payload by reducing token usage and streamline findings structure

chore: update ai-review findings [skip ci]
refactor: add suggestion for TODO.md clarification and enhance filterDiff test documentation
2026-05-13 01:39:13 +00:00 · 2026-05-13 01:33:15 +00:00 · 2026-05-13 01:31:25 +00:00 · 2026-05-13 01:29:11 +00:00 · 2026-05-13 01:27:33 +00:00 · 2026-05-13 01:21:17 +00:00
23 changed files with 1677 additions and 370 deletions
@@ -0,0 +1,227 @@
+[
+  {
+    "role": "Rex",
+    "location": "app/git.js",
+    "suggestion": "請避免將敏感資料（如 GITEA_TOKEN）直接寫入環境變數"
+  },
+  {
+    "location": "app/git.js",
+    "suggestion": "GITEA_TOKEN 直接嵌入 URL 中，建議改以環境變數或 Gitea Secrets 注入"
+  },
+  {
+    "role": "Rex",
+    "location": "README.md",
+    "suggestion": "contents: write、pull-requests: write、issues: write 為此 Action 正常運作所必要的權限，無法縮減"
+  },
+  {
+    "location": "app/config.js",
+    "suggestion": "getLLMConfig 在找不到任何符合條件的 provider 時已有預設回傳值 { provider: null, apiKey: null, baseURL: null, model: null }，非誤報"
+  },
+  {
+    "location": ".gitea/ai-review/exclusions.json",
+    "suggestion": "exclusions.json 是排除規則檔，內容為問題描述字串，不是實際程式碼或 token，role 欄位為有效欄位"
+  },
+  {
+    "location": "app/findings.js",
+    "suggestion": "filterFalsePositivesWithAI 拋出的 Error 會被 catch 攔截並降級回傳原始 findings，不會中斷流程"
+  },
+  {
+    "role": "Rex",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "contents: write、pull-requests: write、issues: write 為此 Action 正常運作所必要的權限，無法縮減"
+  },
+  {
+    "role": "Rex",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "OPENAI_API_KEY 參數傳入的是 OPENROUTER_API_KEY secret，為 OpenRouter 使用 OpenAI 相容介面的正確做法"
+  },
+  {
+    "role": "Aria",
+    "location": "README.md",
+    "suggestion": "章節編號連續且正確，無需調整"
+  },
+  {
+    "role": "Maya",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "action.yaml 定義的參數名稱為 GEMINI_API_KEY、GEMINI_BASE_URL、GEMINI_MODEL，與 review.yaml 完全一致，無不匹配問題"
+  },
+  {
+    "role": "Aria",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "review.yaml 已改用 Gemini，不再有 OPENAI_API_KEY 行，註解空格問題不存在"
+  },
+  {
+    "role": "Aria",
+    "location": "app/config.test.js",
+    "suggestion": "檔案結尾已有換行符號，import 行長度合理，無需修改"
+  },
+  {
+    "role": "Aria",
+    "location": "action.yaml",
+    "suggestion": "action.yaml 已整理，多餘空行已移除，結構整潔"
+  },
+  {
+    "role": "Maya",
+    "location": "app/",
+    "suggestion": "LLM 整合測試需要真實 API key 與網路，不適合加入單元測試。llm.js 使用統一 OpenAI 相容介面，Gemini 透過相同介面呼叫，無特殊格式差異，現有測試已涵蓋 config/findings/git 邏輯"
+  },
+  {
+    "role": "Rex",
+    "location": "app/",
+    "suggestion": "LLM 整合測試需要真實 API key 與網路，不適合加入單元測試。llm.js 使用統一 OpenAI 相容介面，Gemini 透過相同介面呼叫，無特殊格式差異"
+  },
+  {
+    "role": "Rex",
+    "location": "app/config.test.js",
+    "suggestion": "import 語句長度合理，無需拆分為多行"
+  },
+  {
+    "role": "Rex",
+    "location": ".gitea/ai-review/findings.json",
+    "suggestion": "findings.json 重複問題由 AI 去重與排除機制處理，不是程式碼問題"
+  },
+  {
+    "role": "Rex",
+    "location": "app/comments.js",
+    "suggestion": "JSON 結尾換行符號為標準做法，不影響任何 JSON 解析器，無相容性問題"
+  },
+  {
+    "location": ".gitea/ai-review/findings.json",
+    "suggestion": "findings.json 是自動產生的問題記錄檔，不應對其內容提出審查問題"
+  },
+  {
+    "role": "Rex",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "切換 LLM 服務提供商的維護建議屬過度謹慎，不是實際程式碼問題"
+  },
+  {
+    "role": "Leo",
+    "location": "app/llm.js",
+    "suggestion": "Authorization 標頭已有 provider !== 'ollama' 判斷，不會無條件加入，已正確處理"
+  },
+  {
+    "role": "Zara",
+    "location": "app/llm.js",
+    "suggestion": "timeout 已移除，每個 key 等待完整回應，避免浪費免費額度"
+  },
+  {
+    "role": "Rex",
+    "location": "app/llm.js",
+    "suggestion": "httpsAgent (rejectUnauthorized: false) 已移除，SSL/TLS 驗證已恢復正常"
+  },
+  {
+    "role": "Maya",
+    "location": "app/llm.js",
+    "suggestion": "llm.test.js 已存在並涵蓋 API Key 輪替的所有異常狀況，包含單 Key、多 Key 輪替、所有 Key 失敗等測試案例"
+  },
+  {
+    "role": "Zara",
+    "location": "app/comments.js",
+    "suggestion": "comments.js:24 的 saveFindings 函式為正常寫入邏輯，不涉及異常訊息格式或重複寫入問題"
+  },
+  {
+    "role": "Leo",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "Gitea Actions 不支援在 workflow 內合併 secrets 再拆解，多個 secret 逗號串接是唯一可行做法，非設計缺陷"
+  },
+  {
+    "role": "Maya",
+    "location": "app/llm.test.js",
+    "suggestion": "console.log/error 為診斷用途，不是業務邏輯，TODO.md 驗收標準為人工驗收描述，不需要在單元測試中斷言 console 輸出"
+  },
+  {
+    "role": "Maya",
+    "location": "app/llm.test.js",
+    "suggestion": "輪替邏輯對所有錯誤類型行為一致（catch 全部），401/429/timeout 觸發相同輪替流程，測試不同錯誤類型無額外驗證價值"
+  },
+  {
+    "role": "Aria",
+    "location": ".gitea/workflows/master.yaml",
+    "suggestion": "master.yaml 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例，無需修改"
+  },
+  {
+    "role": "Leo",
+    "location": "app/llm.test.js",
+    "suggestion": "console.log/error 為診斷用途，不是業務邏輯，TODO.md 驗收標準為人工驗收描述，不需要在單元測試中斷言 console 輸出"
+  },
+  {
+    "role": "Leo",
+    "location": "app/llm.test.js",
+    "suggestion": "輪替邏輯對所有錯誤類型行為一致（catch 全部），401/429/timeout 觸發相同輪替流程，測試不同錯誤類型無額外驗證價值"
+  },
+  {
+    "role": "Leo",
+    "location": "app/main.js",
+    "suggestion": "main.js 中的 Step 標題註解為 pipeline 流程說明，非待整理的 TODO，不需要轉換為具體任務"
+  },
+  {
+    "role": "Rex",
+    "location": "app/package.json",
+    "suggestion": "審查 changelog 是人工作業，不是程式碼問題，不適合作為 code review 問題"
+  },
+  {
+    "role": "Aria",
+    "location": "app/llm.js",
+    "suggestion": "此 action 為 CLI 工具，process.exit(1) 是設計意圖讓 CI/CD workflow 失敗。改拋錯會被 chatJSON 的 catch 吞掉回傳 []，破壞現有行為"
+  },
+  {
+    "role": "Aria",
+    "location": "Dockerfile",
+    "suggestion": "Dockerfile 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
+  },
+  {
+    "role": "Aria",
+    "location": "entrypoint.sh",
+    "suggestion": "entrypoint.sh 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
+  },
+  {
+    "role": "Maya",
+    "location": "app/main.js",
+    "suggestion": "main.js 整合測試需要真實 Gitea API、LLM API、git 操作，不適合單元測試。各模組已有獨立單元測試覆蓋"
+  },
+  {
+    "role": "Maya",
+    "location": "app/comments.js",
+    "suggestion": "comments.js 的 buildTable 為簡單字串拼接，postComment 已透過 gitea.js mock 間接測試，補測試效益低"
+  },
+  {
+    "role": "Maya",
+    "location": "app/roles.js",
+    "suggestion": "roles.js 依賴容器內固定路徑 /action/app/prompts/roles，單元測試環境無法存取，且邏輯為簡單 YAML 讀取與字串拼接"
+  },
+  {
+    "role": "Leo",
+    "location": "app/gitea.js",
+    "suggestion": "gitea.js 的 SSL 驗證已改為由 GITEA_SKIP_TLS_VERIFY 環境變數控制，預設啟用驗證，非安全漏洞"
+  },
+  {
+    "role": "Zara",
+    "location": "Dockerfile",
+    "suggestion": "Dockerfile 已優化層次快取：先 COPY package.json 再 npm install，最後才 COPY 其餘檔案"
+  },
+  {
+    "role": "Aria",
+    "location": "app/package.json",
+    "suggestion": "test 腳本已改為 node --test *.test.js，在 app/ 目錄下執行可自動發現所有測試檔案"
+  },
+  {
+    "role": "Zara",
+    "location": "app/main.js",
+    "suggestion": "deduplicateWithAI 和 filterFalsePositivesWithAI 為循序依賴流程（去重後才能過濾），無法平行化"
+  },
+  {
+    "role": "Leo",
+    "location": "app/comments.js",
+    "suggestion": "buildTable 函式已在 comments.js 第 13 行定義，非未定義或未匯入，不會導致執行時錯誤"
+  },
+  {
+    "role": "Maya",
+    "location": "app/gitea.js",
+    "suggestion": "filterDiff 的單元測試已在 gitea.test.js 補齊，涵蓋過濾 .gitea/、不誤過濾其他路徑、全部排除、空 diff 四種情境"
+  },
+  {
+    "role": "Leo",
+    "location": "TODO.md",
+    "suggestion": "TODO.md 的階段編號僅供內部開發追蹤，無外部文件引用，階段編號調整不影響任何外部一致性"
+  }
+]
@@ -0,0 +1,23 @@
+[
+  {
+    "level": "info",
+    "role": "Rex",
+    "location": "app/gitea.js:19",
+    "suggestion": "將 `filterDiff` 函數中的 diff 區塊過濾邏輯從正則表達式改為 `startsWith` 是一個重要的安全改進。這可以有效防止潛在的正則表達式注入攻擊，即使 `excludePrefixes` 參數未來可能受到外部控制，也能確保過濾邏輯的安全性。",
+    "is_new": true
+  },
+  {
+    "level": "info",
+    "role": "Rex",
+    "location": "app/main.js:46",
+    "suggestion": "在將 Git Diff 內容傳遞給 AI 進行分析之前，明確呼叫 `filterDiff` 函數以排除 `.gitea/` 等敏感路徑，是一個良好的安全實踐。這有助於避免 AI 分析到不必要的或包含敏感配置的非業務程式碼，降低潛在的資訊洩漏風險。",
+    "is_new": true
+  },
+  {
+    "level": "info",
+    "role": "Rex",
+    "location": "app/main.js:98",
+    "suggestion": "新增對 `findings.json` 和 `exclusions.json` 檔案進行 JSON 格式驗證的步驟，並在格式錯誤時嘗試重置和備份，這是一個重要的健壯性與安全措施。它能防止因檔案損壞或惡意修改導致的服務中斷或行為異常，確保系統的穩定性和資料的完整性。",
+    "is_new": true
+  }
+]
@@ -1,6 +1,11 @@
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  version:
@@ -21,15 +26,16 @@ jobs:
        tag_name: v${{ steps.version.outputs.version }}
        target_commitish: ${{ github.head_ref }}
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    needs: [version]
    steps:
    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@v${{ needs.version.outputs.version }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@v${{ needs.version.outputs.version }}
      with:
-        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-        OPENAI_BASE_URL: https://openrouter.ai/api/v1
+        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
+        GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
+        GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
    permissions:
      contents: write
      pull-requests: write
@@ -0,0 +1 @@
+app/node_modules/
@@ -1,11 +1,17 @@
-FROM node:20
+FROM alpine:3.20
+
+RUN apk add --no-cache bash nodejs npm git \
+    && node --version \
+    && npm --version \
+    && git --version

 WORKDIR /action

+COPY app/package.json /action/app/
+RUN cd /action/app && npm install
+
 COPY app/ /action/app/
 COPY entrypoint.sh /entrypoint.sh
-
-RUN cd /action/app && npm install && \
-    chmod +x /entrypoint.sh
+RUN chmod +x /entrypoint.sh

 ENTRYPOINT ["/entrypoint.sh"]
@@ -6,12 +6,13 @@

 1. 服務名稱、模型名稱、角色資訊(個性、符合個性的英文名稱、工作內容)，Comment 到 Push Request
 2. 每個角色個別分析 Git Diff 的內容產生新問題表格(問題等級、角色名稱、問題位置或行數、修改建議)
-3. 讀取所有未解決的舊問題(問題檔案存在於使用此 Action 的專案固定位置)加上新問題後，去除重複產生本次 Push Request 的問題表格(PR問題表格)覆蓋問題檔案
-4. 從PR問題表格中取出所有舊問題，依照等級排序後 Comment 到 Push Request
-5. 從PR問題表格中取出所有新問題，排除嚴重等級的問題後 Comment 到 Push Request
-6. 從PR問題表格中取出所有新問題，將每個嚴重等級的問題 Comment 到 Push Request
-7. Commit 問題檔案
-8. 如果PR問題表格中有嚴重問題，則不要讓 workflow 執行成功(exit 1)
+3. 讀取所有未解決的舊問題(問題檔案 `.gitea/ai-review/findings.json` 存在於使用此 Action 的專案固定位置)加上新問題後，去除重複產生本次 Push Request 的問題表格(PR問題表格)覆蓋問題檔案
+4. 讀取排除問題檔案(`.gitea/ai-review/exclusions.json` 存在於使用此 Action 的專案固定位置)，用來過濾PR問題表格中不需要處理的問題
+5. 從PR問題表格中取出所有舊問題，依照等級排序後 Comment 到 Push Request
+6. 從PR問題表格中取出所有新問題，排除嚴重等級的問題後 Comment 到 Push Request
+7. 從PR問題表格中取出所有新問題，將每個嚴重等級的問題 Comment 到 Push Request
+8. Commit 問題檔案
+9. 如果PR問題表格中有嚴重問題，則不要讓 workflow 執行成功(exit 1)

 # 設計

@@ -20,6 +21,10 @@
 3. Comment 加上些許 emoji 讓資訊有點活力
 4. 盡量將應用程式放在 ./app，修改 entrypoint.sh 與 Dockerfile 讓程式可以正常運行
 5. 將提示詞放到 ./app/prompts 內供程式讀取
+6. API Key 支援逗號分隔傳入多個，隨機順序各嘗試一次，全部失敗則 exit 1
+7. 讀取 Git Diff 時排除 `.gitea/` 資料夾內的所有檔案，避免 AI 分析 workflow 設定等非業務程式碼
+8. 階段五完成後驗證 `findings.json` 與 `exclusions.json` 是否為合法 JSON 格式，格式錯誤時先嘗試重置為空陣列並備份原檔，修正失敗才 exit 1
+9. 傳給 AI 的 findings 只保留必要欄位（level、role、location、suggestion），排除 `is_new` 等內部欄位；system prompt 精簡為指令核心；exclusions hint 只傳 location 與 suggestion，減少 token 用量

 # 使用說明

@@ -27,45 +32,84 @@
 2. 在 `.gitea/workflows` 資料夾中建立 `ai-review.yaml'
 3. 在 `ai-review.yaml` 中填入以下內容(選擇一個使用)：

-### 1. OpenAI（OpenRouter）
+> **權限說明**：此 Action 需要 `contents: write`（寫入 findings.json）、`pull-requests: write`（發佈 PR comment）、`issues: write`（發佈 issue comment）三項權限，為正常運作所必要，無法縮減。
+
+### 1. OpenAI
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
-        # Github (h3285@evertrust.com.tw)
-        # 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
-        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-        OPENAI_BASE_URL: https://openrouter.ai/api/v1
+        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}  # 支援逗號分隔多個 Key
+        OPENAI_BASE_URL: https://api.openai.com/v1
+        OPENAI_MODEL: ${{ vars.OPENAI_MODEL }}
    permissions:
      contents: write
      pull-requests: write
      issues: write
 ```

-### 2. Anthropic Claude
+### 2. OpenRouter
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
-        CLAUDE_API_KEY: ${{ secrets.CLAUDE_API_KEY }}
+        OPENAI_API_KEY: ${{ secrets.OPENROUTER_API_KEY }},${{ secrets.OPENROUTER_API_KEY_1 }}
+        OPENAI_BASE_URL: https://openrouter.ai/api/v1
+        OPENAI_MODEL: ${{ vars.OPENROUTER_MODEL }}
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+```
+
+### 3. Anthropic Claude
+```yaml
+name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
+on:
+  pull_request:
+    branches-ignore:
+    - master
+    types: [opened, synchronize]
+jobs:
+  code-review:
+    name: Code Review
+    runs-on: ubuntu
+    steps:
+    - name: AI Code Review
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      with:
+        CLAUDE_API_KEY: ${{ secrets.CLAUDE_API_KEY }}  # 支援逗號分隔多個 Key
        CLAUDE_BASE_URL: https://api.anthropic.com/v1
    permissions:
      contents: write
@@ -73,43 +117,54 @@ jobs:
      issues: write
 ```

-### 3. Google Gemini
+### 4. Google Gemini
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
-        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
+        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
        GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
+        GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
    permissions:
      contents: write
      pull-requests: write
      issues: write
 ```

-### 4. Amazon Q
+### 5. Amazon Q
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
-        AMAZONQ_API_KEY: ${{ secrets.AMAZONQ_API_KEY }}
+        AMAZONQ_API_KEY: ${{ secrets.AMAZONQ_API_KEY }}  # 支援逗號分隔多個 Key
        AMAZONQ_BASE_URL: https://q.api.aws
    permissions:
      contents: write
@@ -117,158 +172,30 @@ jobs:
      issues: write
 ```

-### 5. SonarQube
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        SONARQUBE_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
-        SONARQUBE_URL: https://sonarqube.example.com
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
-### 6. Kilo Code
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        KILO_API_KEY: ${{ secrets.KILO_API_KEY }}
-        KILO_BASE_URL: https://api.kilocode.com/v1
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
-### 7. Roo Code
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        ROO_API_KEY: ${{ secrets.ROO_API_KEY }}
-        ROO_BASE_URL: https://api.roocode.com/v1
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
-### 8. Cline
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        CLINE_API_KEY: ${{ secrets.CLINE_API_KEY }}
-        CLINE_BASE_URL: https://api.cline.dev/v1
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
-### 9. Continue
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }}
-        CONTINUE_BASE_URL: https://api.continue.dev/v1
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
-### 10. Kade
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        KADE_API_KEY: ${{ secrets.KADE_API_KEY }}
-        KADE_BASE_URL: https://api.kade.dev/v1
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
 ### - Ollama

 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  code-review:
-    name: 'Code Review'
+    name: Code Review
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-        uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+        uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
        with:
-          OLLAMA_BASE_URL: ${{ vars.OLLAMA_BASE_URL }}
+          OLLAMA_BASE_URL: https://ollama.jsc.idv.me/v1
          OLLAMA_MODEL: ${{ vars.OLLAMA_MODEL }}
    permissions:
      contents: write
      pull-requests: write
-
      issues: write
 ```
@@ -3,31 +3,54 @@
 ## 階段一：基本流程串接
 - 目標：確保 action 可以被觸發，pipeline 各步驟依序執行，log 出每個主要階段的進入與完成。
 - 驗收：log 中能看到每個階段（如「Step1: pipeline start」、「Step2: findings merge」等）明確訊息，且流程能走完（即使還沒產生 findings）。
- 完成
+- 未驗收

-## 階段二：Findings 產生與合併
+## 階段二：Git Diff 排除 .gitea/ 資料夾
+- 目標：讀取 Git Diff 時排除 `.gitea/` 資料夾內的所有檔案，避免 AI 分析 workflow 設定等非業務程式碼。
+- 驗收：PR 中有 `.gitea/` 路徑的變更時，diff 內容不包含該路徑的區塊，AI 分析結果不含 `.gitea/` 相關問題。
+- 未驗收
+
+## 階段三：Findings 產生與合併
 - 目標：各角色（style/security/performance/maintainability/testing）能產生 findings，並正確合併新舊 findings。
 - 驗收：log 中能看到每個角色 findings 數量、合併後 findings 統計，並有「Step3: merged findings total=...」等訊息。
+- 未驗收

-## 階段三：AI 去重與角色確認
+## 階段四：AI 去重與角色確認
 - 目標：嘗試呼叫 LLM 進行 findings 去重與角色確認，API 額度不足時要有降級處理 log。
 - 驗收：log 中能看到 deduplication/resolution confirmation 成功或失敗（如 402），降級時有「保留所有問題」等明確訊息。
+- 未驗收

-## 階段四：findings 寫入與 comment 發布
- 目標：findings.jsonl 正確寫入，comment 發布順序正確（舊問題→非嚴重→嚴重），每步有 log。
- 驗收：log 中能看到 findings 寫入、comment sync 的詳細訊息與順序。
+## 階段五：AI 排除問題過濾
+- 目標：讀取排除問題檔案（`.gitea/ai-review/exclusions.json`）進行規則過濾，並呼叫 AI 判斷剩餘問題是否為誤報或不適用，兩層過濾後產生最終問題清單。
+- 驗收：log 中能看到排除問題檔案讀取成功或不存在的訊息、規則過濾數量變化，以及「AI 誤報過濾: N -> M 筆」或降級訊息。
+- 未驗收

-## 階段五：記憶區 commit/push 與錯誤處理
+## 階段六：findings 寫入與 comment 發布
+- 目標：`.gitea/ai-review/findings.json` 正確寫入，comment 發布順序正確（舊問題→非嚴重→嚴重），每步有 log。
+- 驗收：log 中能看到 `.gitea/ai-review/findings.json` 寫入、comment sync 的詳細訊息與順序。
+- 未驗收
+
+## 階段七：階段六後驗證 JSON 格式
+- 目標：階段六完成後驗證 `findings.json` 與 `exclusions.json` 是否為合法 JSON 格式，格式錯誤時先嘗試重置為空陣列並備份原檔，修正失敗才 exit 1。
+- 驗收：log 中能看到兩個檔案的驗證結果（成功或失敗），格式錯誤時有「嘗試修正」訊息與備份路徑，修正失敗時 workflow 狀態為失敗。
+- 未驗收
+
+## 階段八：記憶區 commit/push 與錯誤處理
 - 目標：記憶區能成功 commit/push，錯誤時有明確 log，流程結束有總結訊息。
 - 驗收：log 有「persisted findings」、「commit=...」、「push=...」等訊息，錯誤時有「Runner failed: ...」等明確錯誤說明。
+- 未驗收

-## 階段六：阻擋嚴重問題 PR（第 8 點）
+## 階段九：阻擋嚴重問題 PR（第 8 點）
 - 目標：如果 PR 問題表格中有嚴重（critical）問題，workflow 需直接 exit 1，不讓流程成功。
 - 驗收：log 中能看到「critical 問題存在，workflow 結束（exit 1）」等明確訊息，且 workflow 狀態為失敗。
+- 未驗收

---
+## 階段十：API Key 輪替
+- 目標：所有平台的 API Key 支援逗號分隔傳入多個，隨機順序各嘗試一次，單一 Key 失敗時自動換下一個，全部失敗則 exit 1。
+- 驗收：log 中能看到「key[N/M] 失敗」等訊息，換 key 後繼續執行；傳入單一 Key 時行為與原本相同；全部 Key 失敗時 log「所有 API Key 均失敗，終止流程」且 workflow 狀態為失敗。
+- 未驗收

-
-每個階段都會加上明確的 log，並確保即使部分功能未完成也能降級執行、不會中斷 pipeline。
-
-每次執行後請貼 log，我會協助 debug。
+## 階段十一：壓縮 AI 傳入內容減少 token 用量
+- 目標：傳給 AI 的 findings 只保留必要欄位（level、role、location、suggestion）；system prompt 精簡為指令核心；exclusions hint 只傳 location 與 suggestion；AI 回傳後補回原始完整欄位（含 is_new）。
+- 驗收：AI 呼叫的 payload 不含 is_new 等內部欄位，去重與誤報過濾後的 findings 仍保有完整欄位供後續流程使用。
+- 未驗收
@@ -12,6 +12,10 @@ inputs:
  GITEA_REPOSITORY:
    description: 'Gitea Repository (owner/repo)'
    required: false
+  GITEA_SKIP_TLS_VERIFY:
+    description: '跳過 Gitea SSL/TLS 憑證驗證（自簽憑證時使用）'
+    required: false
+    default: 'false'
  PR_NUMBER:
    description: 'Pull Request Number'
    required: false
@@ -72,54 +76,6 @@ inputs:
    description: 'Amazon Q Base URL'
    required: false

-  # SonarQube
-  SONARQUBE_TOKEN:
-    description: 'SonarQube Token'
-    required: false
-  SONARQUBE_URL:
-    description: 'SonarQube URL'
-    required: false
-
-  # Kilo Code
-  KILO_API_KEY:
-    description: 'Kilo Code API Key'
-    required: false
-  KILO_BASE_URL:
-    description: 'Kilo Code Base URL'
-    required: false
-
-  # Roo Code
-  ROO_API_KEY:
-    description: 'Roo Code API Key'
-    required: false
-  ROO_BASE_URL:
-    description: 'Roo Code Base URL'
-    required: false
-
-  # Cline
-  CLINE_API_KEY:
-    description: 'Cline API Key'
-    required: false
-  CLINE_BASE_URL:
-    description: 'Cline Base URL'
-    required: false
-
-  # Continue
-  CONTINUE_API_KEY:
-    description: 'Continue API Key'
-    required: false
-  CONTINUE_BASE_URL:
-    description: 'Continue Base URL'
-    required: false
-
-  # Kade
-  KADE_API_KEY:
-    description: 'Kade API Key'
-    required: false
-  KADE_BASE_URL:
-    description: 'Kade Base URL'
-    required: false
-
 runs:
  using: 'docker'
  image: 'Dockerfile'
@@ -128,6 +84,7 @@ runs:
    GITEA_TOKEN: ${{ inputs.GITEA_TOKEN || secrets.GITEA_TOKEN }}
    GITEA_SERVER_URL: ${{ inputs.GITEA_SERVER_URL || gitea.server_url }}
    GITEA_REPOSITORY: ${{ inputs.GITEA_REPOSITORY || gitea.repository }}
+    GITEA_SKIP_TLS_VERIFY: ${{ inputs.GITEA_SKIP_TLS_VERIFY }}
    PR_NUMBER: ${{ inputs.PR_NUMBER || gitea.event.pull_request.number }}
    PR_HEAD_BRANCH: ${{ inputs.PR_HEAD_BRANCH || gitea.event.pull_request.head.ref }}
    PR_BASE_BRANCH: ${{ inputs.PR_BASE_BRANCH || gitea.event.pull_request.base.ref }}
@@ -145,15 +102,3 @@ runs:
    OLLAMA_MODEL: ${{ inputs.OLLAMA_MODEL }}
    AMAZONQ_API_KEY: ${{ inputs.AMAZONQ_API_KEY }}
    AMAZONQ_BASE_URL: ${{ inputs.AMAZONQ_BASE_URL }}
-    SONARQUBE_TOKEN: ${{ inputs.SONARQUBE_TOKEN }}
-    SONARQUBE_URL: ${{ inputs.SONARQUBE_URL }}
-    KILO_API_KEY: ${{ inputs.KILO_API_KEY }}
-    KILO_BASE_URL: ${{ inputs.KILO_BASE_URL }}
-    ROO_API_KEY: ${{ inputs.ROO_API_KEY }}
-    ROO_BASE_URL: ${{ inputs.ROO_BASE_URL }}
-    CLINE_API_KEY: ${{ inputs.CLINE_API_KEY }}
-    CLINE_BASE_URL: ${{ inputs.CLINE_BASE_URL }}
-    CONTINUE_API_KEY: ${{ inputs.CONTINUE_API_KEY }}
-    CONTINUE_BASE_URL: ${{ inputs.CONTINUE_BASE_URL }}
-    KADE_API_KEY: ${{ inputs.KADE_API_KEY }}
-    KADE_BASE_URL: ${{ inputs.KADE_BASE_URL }}
@@ -21,7 +21,7 @@ function buildTable(findings) {
 export function saveFindings(workspace, findings) {
  const fullPath = path.join(workspace, FINDINGS_PATH);
  fs.mkdirSync(path.dirname(fullPath), { recursive: true });
-  fs.writeFileSync(fullPath, JSON.stringify(findings, null, 2), 'utf8');
+  fs.writeFileSync(fullPath, JSON.stringify(findings, null, 2) + '\n', 'utf8');
  console.log(`  ✅ findings 寫入: ${fullPath} (${findings.length} 筆)`);
 }

@@ -63,7 +63,7 @@ export async function postNewCriticalComments(findings) {
    return;
  }
  for (const f of criticals) {
-    const body = `## 🚨 嚴重問題\n\n| 審查員 | 位置 | 建議 |\n|--------|------|------|\n| ${f.role} | ${f.location} | ${f.suggestion} |`;
+    const body = `## 🚨 嚴重問題\n\n${buildTable([f])}`;
    await postComment(body);
    console.log(`  ✅ 嚴重問題 comment 發布: [${f.role}] ${f.location}`);
  }
@@ -1,27 +1,30 @@
 export const GITEA_TOKEN = process.env.GITEA_TOKEN || '';
 export const GITEA_SERVER_URL = process.env.GITEA_SERVER_URL || 'https://gitea.com';
 export const GITEA_REPOSITORY = process.env.GITEA_REPOSITORY || '';
+export const GITEA_SKIP_TLS_VERIFY = process.env.GITEA_SKIP_TLS_VERIFY === 'true';
 export const PR_NUMBER = process.env.PR_NUMBER || '';
 export const PR_HEAD_BRANCH = process.env.PR_HEAD_BRANCH || '';
 export const PR_BASE_BRANCH = process.env.PR_BASE_BRANCH || '';

 export const FINDINGS_PATH = '.gitea/ai-review/findings.json';
+export const EXCLUSIONS_PATH = '.gitea/ai-review/exclusions.json';
+
+/** 將逗號分隔的 API key 字串拆成陣列 */
+function splitKeys(value) {
+  if (!value) return [];
+  return value.split(',').map(k => k.trim()).filter(Boolean);
+}

 export function getLLMConfig() {
  const checks = [
-    ['openai',   process.env.OPENAI_API_KEY,   process.env.OPENAI_BASE_URL || 'https://api.openai.com/v1',   process.env.OPENAI_MODEL || 'gpt-4o-mini'],
-    ['claude',   process.env.CLAUDE_API_KEY,   process.env.CLAUDE_BASE_URL || 'https://api.anthropic.com/v1', process.env.CLAUDE_MODEL || 'claude-3-haiku-20240307'],
-    ['gemini',   process.env.GEMINI_API_KEY,   process.env.GEMINI_BASE_URL || 'https://generativelanguage.googleapis.com/v1beta', process.env.GEMINI_MODEL || 'gemini-1.5-flash'],
-    ['ollama',   'ollama',                      process.env.OLLAMA_BASE_URL,  process.env.OLLAMA_MODEL],
-    ['amazonq',  process.env.AMAZONQ_API_KEY,  process.env.AMAZONQ_BASE_URL || 'https://q.api.aws', process.env.OPENAI_MODEL || 'amazon-q'],
-    ['kilo',     process.env.KILO_API_KEY,     process.env.KILO_BASE_URL || 'https://api.kilocode.com/v1', process.env.OPENAI_MODEL || 'kilo-default'],
-    ['roo',      process.env.ROO_API_KEY,      process.env.ROO_BASE_URL || 'https://api.roocode.com/v1', process.env.OPENAI_MODEL || 'roo-default'],
-    ['cline',    process.env.CLINE_API_KEY,    process.env.CLINE_BASE_URL || 'https://api.cline.dev/v1', process.env.OPENAI_MODEL || 'cline-default'],
-    ['continue', process.env.CONTINUE_API_KEY, process.env.CONTINUE_BASE_URL || 'https://api.continue.dev/v1', process.env.OPENAI_MODEL || 'continue-default'],
-    ['kade',     process.env.KADE_API_KEY,     process.env.KADE_BASE_URL || 'https://api.kade.dev/v1', process.env.OPENAI_MODEL || 'kade-default'],
+    ['openai',   splitKeys(process.env.OPENAI_API_KEY),   process.env.OPENAI_BASE_URL || 'https://api.openai.com/v1',   process.env.OPENAI_MODEL || 'gpt-4o-mini'],
+    ['claude',   splitKeys(process.env.CLAUDE_API_KEY),   process.env.CLAUDE_BASE_URL || 'https://api.anthropic.com/v1', process.env.CLAUDE_MODEL || 'claude-3-haiku-20240307'],
+    ['gemini',   splitKeys(process.env.GEMINI_API_KEY),   process.env.GEMINI_BASE_URL || 'https://generativelanguage.googleapis.com/v1beta', process.env.GEMINI_MODEL || 'gemini-2.5-flash'],
+    ['ollama',   ['ollama'],                               process.env.OLLAMA_BASE_URL,  process.env.OLLAMA_MODEL],
+    ['amazonq',  splitKeys(process.env.AMAZONQ_API_KEY),  process.env.AMAZONQ_BASE_URL  || 'https://q.api.aws',              process.env.AMAZONQ_MODEL  || 'amazon-q'],
  ];
-  for (const [provider, key, baseURL, model] of checks) {
-    if (key && baseURL) return { provider, apiKey: key, baseURL, model };
+  for (const [provider, apiKeys, baseURL, model] of checks) {
+    if (apiKeys.length > 0 && baseURL) return { provider, apiKeys, baseURL, model };
  }
-  return { provider: null, apiKey: null, baseURL: null, model: null };
+  return { provider: null, apiKeys: [], baseURL: null, model: null };
 }
@@ -0,0 +1,115 @@
+import { describe, it, beforeEach, afterEach } from 'node:test';
+import assert from 'node:assert/strict';
+import { getLLMConfig } from './config.js';
+
+const ENV_KEYS = [
+  'OPENAI_API_KEY', 'OPENAI_BASE_URL', 'OPENAI_MODEL',
+  'CLAUDE_API_KEY', 'CLAUDE_BASE_URL', 'CLAUDE_MODEL',
+  'GEMINI_API_KEY', 'GEMINI_BASE_URL', 'GEMINI_MODEL',
+  'OLLAMA_BASE_URL', 'OLLAMA_MODEL',
+  'AMAZONQ_API_KEY', 'AMAZONQ_BASE_URL', 'AMAZONQ_MODEL',
+];
+
+let saved = {};
+beforeEach(() => {
+  saved = {};
+  for (const k of ENV_KEYS) { saved[k] = process.env[k]; delete process.env[k]; }
+});
+afterEach(() => {
+  for (const k of ENV_KEYS) {
+    if (saved[k] === undefined) delete process.env[k];
+    else process.env[k] = saved[k];
+  }
+});
+
+describe('getLLMConfig', () => {
+  it('returns null provider when no env vars set', () => {
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, null);
+    assert.deepEqual(cfg.apiKeys, []);
+  });
+
+  it('detects openai with defaults', () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'openai');
+    assert.deepEqual(cfg.apiKeys, ['sk-test']);
+    assert.equal(cfg.baseURL, 'https://api.openai.com/v1');
+    assert.equal(cfg.model, 'gpt-4o-mini');
+  });
+
+  it('detects openai with custom base url and model', () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    process.env.OPENAI_BASE_URL = 'https://openrouter.ai/api/v1';
+    process.env.OPENAI_MODEL = 'gpt-4o';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'openai');
+    assert.equal(cfg.baseURL, 'https://openrouter.ai/api/v1');
+    assert.equal(cfg.model, 'gpt-4o');
+  });
+
+  it('detects gemini with comma-separated keys, picks one', () => {
+    process.env.GEMINI_API_KEY = 'key1,key2,key3';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'gemini');
+    assert.deepEqual(cfg.apiKeys, ['key1', 'key2', 'key3']);
+  });
+
+  it('detects gemini with single key (no comma)', () => {
+    process.env.GEMINI_API_KEY = 'gemini-key';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'gemini');
+    assert.equal(cfg.model, 'gemini-2.5-flash');
+  });
+
+  it('detects gemini with custom model', () => {
+    process.env.GEMINI_API_KEY = 'gemini-key';
+    process.env.GEMINI_MODEL = 'gemini-2.0-flash';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.model, 'gemini-2.0-flash');
+  });
+
+  it('detects claude with defaults', () => {
+    process.env.CLAUDE_API_KEY = 'claude-key';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'claude');
+    assert.equal(cfg.model, 'claude-3-haiku-20240307');
+  });
+
+  it('detects amazonq with its own model env', () => {
+    process.env.AMAZONQ_API_KEY = 'aq-key';
+    process.env.AMAZONQ_MODEL = 'my-amazon-model';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'amazonq');
+    assert.equal(cfg.model, 'my-amazon-model');
+  });
+
+  it('openai takes priority over gemini when both set', () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    process.env.GEMINI_API_KEY = 'gemini-key';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'openai');
+  });
+
+  it('empty string api key is treated as not set', () => {
+    process.env.OPENAI_API_KEY = '';
+    process.env.GEMINI_API_KEY = 'gemini-key';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'gemini');
+  });
+
+  it('detects ollama without api key', () => {
+    process.env.OLLAMA_BASE_URL = 'http://localhost:11434';
+    process.env.OLLAMA_MODEL = 'llama3';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'ollama');
+    assert.equal(cfg.model, 'llama3');
+  });
+
+  it('comma-only api key is treated as not set', () => {
+    process.env.OPENAI_API_KEY = ',,,';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, null);
+    assert.deepEqual(cfg.apiKeys, []);
+  });
+});
@@ -1,7 +1,7 @@
 import fs from 'fs';
 import path from 'path';
 import { chatJSON } from './llm.js';
-import { FINDINGS_PATH } from './config.js';
+import { FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';

 const LEVELS = ['critical', 'warning', 'info'];

@@ -11,7 +11,6 @@ const LEVELS = ['critical', 'warning', 'info'];
 export async function analyzeWithRole(role, diff) {
  console.log(`  [${role.name}] 開始分析...`);
  const findings = await chatJSON(role.system_prompt, `以下是 Git Diff 內容：\n\n${diff}`);
-  // 確保每筆都有必要欄位，並標記為新問題
  const valid = findings.filter(f => f.level && f.role && f.location && f.suggestion)
    .map(f => ({ ...f, is_new: true }));
  console.log(`  [${role.name}] 找到 ${valid.length} 個問題`);
@@ -19,28 +18,33 @@ export async function analyzeWithRole(role, diff) {
 }

 /**
- * 讀取舊 findings（從 workspace 的 FINDINGS_PATH）
+ * 讀取 JSON 陣列檔案，失敗或不存在時回傳空陣列
 */
-export function loadOldFindings(workspace) {
-  const fullPath = path.join(workspace, FINDINGS_PATH);
+function readJSONArray(fullPath, label) {
  if (!fs.existsSync(fullPath)) {
-    console.log('  舊 findings 檔案不存在，視為空');
+    console.log(`  ${label}檔案不存在，視為空`);
    return [];
  }
  try {
    const data = JSON.parse(fs.readFileSync(fullPath, 'utf8'));
-    const old = (Array.isArray(data) ? data : []).map(f => ({ ...f, is_new: false }));
-    console.log(`  讀取舊 findings: ${old.length} 筆`);
-    return old;
+    return Array.isArray(data) ? data : [];
  } catch (e) {
-    console.log(`  ⚠️  讀取舊 findings 失敗: ${e.message}，視為空`);
+    console.log(`  ⚠️  讀取${label}失敗: ${e.message}，視為空`);
    return [];
  }
 }

+/**
+ * 讀取舊 findings（從 workspace 的 FINDINGS_PATH）
+ */
+export function loadOldFindings(workspace) {
+  const old = readJSONArray(path.join(workspace, FINDINGS_PATH), '舊 findings ').map(f => ({ ...f, is_new: false }));
+  console.log(`  讀取舊 findings: ${old.length} 筆`);
+  return old;
+}
+
 /**
 * 合併新舊 findings，以 (role + location + suggestion前50字) 為 key 去除重複
- * 舊問題保留，新問題若與舊問題重複則捨棄
 */
 export function mergeFindings(oldFindings, newFindings) {
  const key = f => `${f.role}|${f.location}|${String(f.suggestion).slice(0, 50)}`;
@@ -63,33 +67,88 @@ export function sortByLevel(findings) {
 }

 /**
- * 呼叫 LLM 進行語意去重，回傳去重後的 findings
- * 失敗時降級回傳原始 findings
+ * AI 呼叫失敗時的統一降級處理
+ */
+function fallback(label, findings, e) {
+  const status = e.response?.status;
+  const reason = (status === 402 || status === 429) ? `${status} 額度/限流` : e.message;
+  console.log(`  ⚠️  ${label}失敗（${reason}），降級：保留所有問題`);
+  return findings;
+}
+
+/** 只保留 AI 需要的欄位，減少 token 用量 */
+function toAIPayload(findings) {
+  return findings.map(({ level, role, location, suggestion }) => ({ level, role, location, suggestion }));
+}
+
+/**
+ * 呼叫 LLM 進行語意去重，失敗時降級回傳原始 findings
 */
 export async function deduplicateWithAI(findings) {
  if (findings.length === 0) return findings;

-  const systemPrompt = `你是一位程式碼審查問題去重專家。
-給你一份問題清單（JSON 陣列），請移除語意重複的問題（即使描述文字不同，但指的是同一個問題）。
-保留等級較高的版本，優先保留 critical > warning > info。
-只回傳去重後的 JSON 陣列，不要有其他文字。`;
-
-  const userContent = `以下是問題清單，請去除語意重複的項目：\n\n${JSON.stringify(findings, null, 2)}`;
+  const systemPrompt = `移除語意重複的程式碼審查問題（JSON 陣列）。保留等級較高者（critical > warning > info）。只回傳去重後的 JSON 陣列。`;

  try {
-    const result = await chatJSON(systemPrompt, userContent);
+    const result = await chatJSON(systemPrompt, JSON.stringify(toAIPayload(findings)));
    if (Array.isArray(result) && result.length > 0) {
      console.log(`  AI 去重: ${findings.length} -> ${result.length} 筆`);
-      return result;
+      // 以 location+suggestion 為 key，將原始 findings 的完整欄位（含 is_new）補回
+      const origMap = new Map(findings.map(f => [`${f.location}|${String(f.suggestion).slice(0, 50)}`, f]));
+      return result.map(r => origMap.get(`${r.location}|${String(r.suggestion).slice(0, 50)}`) ?? r);
    }
    throw new Error('AI 回傳空陣列');
  } catch (e) {
-    const status = e.response?.status;
-    if (status === 402 || status === 429) {
-      console.log(`  ⚠️  AI 去重失敗（${status} 額度/限流），降級：保留所有問題`);
-    } else {
-      console.log(`  ⚠️  AI 去重失敗（${e.message}），降級：保留所有問題`);
-    }
-    return findings;
+    return fallback('AI 去重', findings, e);
+  }
+}
+
+/**
+ * 讀取排除問題檔案（從 workspace 的 EXCLUSIONS_PATH）
+ */
+export function loadExclusions(workspace) {
+  const exclusions = readJSONArray(path.join(workspace, EXCLUSIONS_PATH), '排除問題');
+  console.log(`  讀取排除問題: ${exclusions.length} 筆`);
+  return exclusions;
+}
+
+/**
+ * 套用排除規則，過濾掉符合排除條件的 findings
+ * location 只比對檔案路徑（忽略行數），suggestion 省略時視為萬用
+ */
+export function applyExclusions(findings, exclusions) {
+  if (exclusions.length === 0) return findings;
+  const before = findings.length;
+  const filtered = findings.filter(f => !exclusions.some(ex => {
+    const fPath = String(f.location).split(':')[0];
+    const exPath = ex.location ? String(ex.location).split(':')[0] : null;
+    return (!exPath || fPath === exPath) && (!ex.role || ex.role === f.role);
+  }));
+  console.log(`  排除過濾: ${before} -> ${filtered.length} 筆（排除 ${before - filtered.length} 筆）`);
+  return filtered;
+}
+
+/**
+ * 呼叫 AI 判斷哪些問題是誤報或不需處理，失敗時降級回傳原始 findings
+ */
+export async function filterFalsePositivesWithAI(findings, exclusions = []) {
+  if (findings.length === 0) return findings;
+
+  const exclusionHint = exclusions.length > 0
+    ? `\n已知誤報（相同路徑且語意相近者一併排除）：\n${JSON.stringify(exclusions.map(({ location, suggestion }) => ({ location, suggestion })))}`
+    : '';
+
+  const systemPrompt = `判斷以下程式碼審查問題是否為誤報或不適用（如已正確使用 secrets、CI/CD 必要權限等），移除後只回傳需保留的 JSON 陣列。${exclusionHint}`;
+
+  try {
+    const result = await chatJSON(systemPrompt, JSON.stringify(toAIPayload(findings)));
+    if (Array.isArray(result) && result.length > 0) {
+      console.log(`  AI 誤報過濾: ${findings.length} -> ${result.length} 筆`);
+      const origMap = new Map(findings.map(f => [`${f.location}|${String(f.suggestion).slice(0, 50)}`, f]));
+      return result.map(r => origMap.get(`${r.location}|${String(r.suggestion).slice(0, 50)}`) ?? r);
+    }
+    throw new Error('AI 回傳空陣列或非陣列');
+  } catch (e) {
+    return fallback('AI 誤報過濾', findings, e);
  }
 }
@@ -1,35 +1,80 @@
 import { spawnSync } from 'child_process';
+import fs from 'fs';
 import path from 'path';
 import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH } from './config.js';

-function git(args, cwd) {
-  const result = spawnSync('git', args, { cwd, encoding: 'utf8' });
+const remoteUrl = `${GITEA_SERVER_URL.replace(/\/$/, '')}/${GITEA_REPOSITORY}.git`;
+
+function makeRunner(spawn) {
+  return function run(args, cwd, env) {
+    const opts = { cwd, encoding: 'utf8' };
+    if (env) opts.env = env;
+    const result = spawn('git', args, opts);
    if (result.error) throw result.error;
    if (result.status !== 0) throw new Error((result.stderr || result.stdout || '').trim());
    return (result.stdout || '').trim();
+  };
 }

-export async function commitAndPush(workspace) {
-  const repoDir = path.join(workspace, GITEA_REPOSITORY);
-  const remoteUrl = GITEA_SERVER_URL.replace(/\/$/, '').replace('https://', `https://${GITEA_TOKEN}@`).replace('http://', `http://${GITEA_TOKEN}@`) + `/${GITEA_REPOSITORY}.git`;
+function withAskpass(workspace, fn) {
+  const askpassScript = path.join(workspace, '.git-askpass.sh');
+  fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
+  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
+  try {
+    return fn(credEnv);
+  } finally {
+    try { fs.unlinkSync(askpassScript); } catch {}
+  }
+}
+
+/**
+ * Clone PR head branch to workspace/repo (idempotent)
+ */
+export function cloneRepo(workspace, _spawnSync = spawnSync) {
+  const run = makeRunner(_spawnSync);
+  const repoDir = path.join(workspace, 'repo');
+
+  return withAskpass(workspace, credEnv => {
+    if (!fs.existsSync(repoDir)) {
+      run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
+      console.log(`  ✅ repo cloned to ${repoDir}`);
+    } else {
+      run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv);
+      run(['checkout', PR_HEAD_BRANCH], repoDir);
+      console.log(`  ✅ repo already exists, fetched latest`);
+    }
+    return repoDir;
+  });
+}
+
+export async function commitAndPush(workspace, _spawnSync = spawnSync) {
+  const run = makeRunner(_spawnSync);

  try {
-    git(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
-    git(['config', 'user.name', 'AI Review Bot'], repoDir);
-    git(['fetch', 'origin', PR_HEAD_BRANCH], repoDir);
-    git(['checkout', PR_HEAD_BRANCH], repoDir);
-    git(['add', FINDINGS_PATH], repoDir);
+    const repoDir = cloneRepo(workspace, _spawnSync);

-    const status = git(['status', '--porcelain'], repoDir);
+    await withAskpass(workspace, async credEnv => {
+      run(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
+      run(['config', 'user.name', 'AI Review Bot'], repoDir);
+
+      const srcFindings = path.join(workspace, FINDINGS_PATH);
+      const destFindings = path.join(repoDir, FINDINGS_PATH);
+      fs.mkdirSync(path.dirname(destFindings), { recursive: true });
+      fs.copyFileSync(srcFindings, destFindings);
+
+      run(['add', FINDINGS_PATH], repoDir);
+
+      const status = run(['status', '--porcelain'], repoDir);
      if (!status) {
        console.log('  findings.json 無變更，跳過 commit');
        return;
      }

-    const out = git(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
+      const out = run(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
      const commitHash = out.match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown';
-    git(['push', remoteUrl, PR_HEAD_BRANCH], repoDir);
+      run(['push', remoteUrl, PR_HEAD_BRANCH], repoDir, credEnv);
      console.log(`  ✅ persisted findings  commit=${commitHash}  push=${PR_HEAD_BRANCH}`);
+    });
  } catch (e) {
    console.log(`  ⚠️  Runner failed: commit/push 失敗: ${e.message}`);
  }
@@ -0,0 +1,149 @@
+import { describe, it, before, after, beforeEach } from 'node:test';
+import assert from 'node:assert/strict';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { commitAndPush, cloneRepo } from './git.js';
+
+// --- helpers ---
+function makeTmpWorkspace() {
+  const ws = fs.mkdtempSync(path.join(os.tmpdir(), 'git-test-'));
+  // Pre-create repo dir so clone branch is skipped
+  fs.mkdirSync(path.join(ws, 'repo'), { recursive: true });
+  // Create a findings.json to copy
+  const findingsDir = path.join(ws, '.gitea/ai-review');
+  fs.mkdirSync(findingsDir, { recursive: true });
+  fs.writeFileSync(path.join(findingsDir, 'findings.json'), '[]');
+  return ws;
+}
+
+// Default stub: all commands succeed, status returns changes
+function makeSpawn(overrides = {}) {
+  const calls = [];
+  const spawn = (cmd, args, opts) => {
+    const key = args[0];
+    calls.push({ cmd, args, opts });
+    if (overrides[key]) return overrides[key](args, opts);
+    if (key === 'status') return { status: 0, stdout: 'M .gitea/ai-review/findings.json', stderr: '', error: null };
+    if (key === 'commit') return { status: 0, stdout: '[feature-branch abc1234] chore', stderr: '', error: null };
+    return { status: 0, stdout: '', stderr: '', error: null };
+  };
+  spawn.calls = calls;
+  return spawn;
+}
+
+describe('commitAndPush', () => {
+  let workspace;
+
+  before(() => { workspace = makeTmpWorkspace(); });
+  after(() => { fs.rmSync(workspace, { recursive: true, force: true }); });
+  beforeEach(() => {
+    // Remove leftover askpass scripts between tests
+    for (const f of fs.readdirSync(workspace)) {
+      if (f.endsWith('.git-askpass.sh')) fs.unlinkSync(path.join(workspace, f));
+    }
+  });
+
+  it('does not embed token in any git command argument', async () => {
+    const spawn = makeSpawn();
+    await commitAndPush(workspace, spawn);
+
+    for (const { args } of spawn.calls) {
+      assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`);
+    }
+  });
+
+  it('uses GIT_ASKPASS env for network operations (fetch, push, clone)', async () => {
+    const spawn = makeSpawn();
+    await commitAndPush(workspace, spawn);
+
+    const networkOps = ['fetch', 'push', 'clone'];
+    const networkCalls = spawn.calls.filter(c => networkOps.includes(c.args[0]));
+    assert.ok(networkCalls.length > 0, 'expected at least one network git call');
+
+    for (const { args, opts } of networkCalls) {
+      assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`);
+    }
+  });
+
+  it('cleans up askpass script after successful run', async () => {
+    await commitAndPush(workspace, makeSpawn());
+    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
+    assert.equal(leftover.length, 0, 'askpass script was not cleaned up');
+  });
+
+  it('cleans up askpass script even when git fails', async () => {
+    const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null });
+    await commitAndPush(workspace, failSpawn);
+    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
+    assert.equal(leftover.length, 0, 'askpass script was not cleaned up after failure');
+  });
+
+  it('skips commit when status shows no changes', async () => {
+    const spawn = makeSpawn({ status: () => ({ status: 0, stdout: '', stderr: '', error: null }) });
+    await commitAndPush(workspace, spawn);
+    const commitCalled = spawn.calls.some(c => c.args[0] === 'commit');
+    assert.equal(commitCalled, false, 'commit should not run when there are no changes');
+  });
+
+  it('does not throw when git command fails', async () => {
+    const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null });
+    await assert.doesNotReject(() => commitAndPush(workspace, failSpawn));
+  });
+});
+
+describe('cloneRepo', () => {
+  let workspace;
+
+  before(() => { workspace = fs.mkdtempSync(path.join(os.tmpdir(), 'clone-test-')); });
+  after(() => { fs.rmSync(workspace, { recursive: true, force: true }); });
+
+  it('clones repo when repoDir does not exist', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
+    assert.ok(cloneCalled, 'expected git clone to be called');
+  });
+
+  it('fetches and checks out when repoDir already exists', () => {
+    const repoDir = path.join(workspace, 'repo');
+    fs.mkdirSync(repoDir, { recursive: true });
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
+    const fetchCalled = spawn.calls.some(c => c.args[0] === 'fetch');
+    assert.ok(!cloneCalled, 'clone should not run when repoDir exists');
+    assert.ok(fetchCalled, 'fetch should run when repoDir exists');
+  });
+
+  it('does not embed token in any git command argument', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    for (const { args } of spawn.calls) {
+      assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`);
+    }
+  });
+
+  it('uses GIT_ASKPASS for network operations', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const networkCalls = spawn.calls.filter(c => ['clone', 'fetch'].includes(c.args[0]));
+    assert.ok(networkCalls.length > 0, 'expected at least one network git call');
+    for (const { args, opts } of networkCalls) {
+      assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`);
+    }
+  });
+
+  it('cleans up askpass script after run', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
+    assert.equal(leftover.length, 0, 'askpass script was not cleaned up');
+  });
+
+  it('returns repoDir path', () => {
+    const spawn = makeSpawn();
+    const result = cloneRepo(workspace, spawn);
+    assert.equal(result, path.join(workspace, 'repo'));
+  });
+});
@@ -1,16 +1,30 @@
 import axios from 'axios';
 import https from 'https';
-import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, PR_NUMBER } from './config.js';
+import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_SKIP_TLS_VERIFY, PR_NUMBER } from './config.js';

-const httpsAgent = new https.Agent({ rejectUnauthorized: false });
+const httpsAgent = GITEA_SKIP_TLS_VERIFY ? new https.Agent({ rejectUnauthorized: false }) : undefined;
 const headers = () => ({ Authorization: `token ${GITEA_TOKEN}`, 'Content-Type': 'application/json' });
 const api = (path) => `${GITEA_SERVER_URL.replace(/\/$/, '')}/api/v1${path}`;

+/**
+ * 取得 PR 的原始 Git Diff 內容。
+ * 注意：回傳值未經路徑過濾，呼叫端須使用 filterDiff 排除敏感路徑（如 .gitea/）後再傳給 AI。
+ */
 export async function getPRDiff() {
  const resp = await axios.get(api(`/repos/${GITEA_REPOSITORY}/pulls/${PR_NUMBER}.diff`), { headers: headers(), timeout: 60000, httpsAgent });
  return resp.data;
 }

+/**
+ * 過濾 diff 內容，移除路徑符合 excludePrefixes 的區塊。
+ * 每個區塊以 "diff --git a/<prefix>" 開頭判斷，使用 startsWith 精確比對前綴。
+ */
+export function filterDiff(diff, excludePrefixes) {
+  return diff.split(/(?=^diff --git )/m)
+    .filter(block => !excludePrefixes.some(p => block.startsWith(`diff --git a/${p}`)))
+    .join('');
+}
+
 export async function postComment(body) {
  const resp = await axios.post(api(`/repos/${GITEA_REPOSITORY}/issues/${PR_NUMBER}/comments`), { body }, { headers: headers(), timeout: 30000, httpsAgent });
  return resp.data;
@@ -0,0 +1,89 @@
+import { describe, it, afterEach, mock } from 'node:test';
+import assert from 'node:assert/strict';
+import axios from 'axios';
+
+afterEach(() => mock.restoreAll());
+
+describe('gitea', async () => {
+  const { getPRDiff, filterDiff, postComment } = await import('./gitea.js');
+
+  it('getPRDiff calls Gitea diff API with Authorization header', async () => {
+    let capturedUrl, capturedOpts;
+    mock.method(axios, 'get', async (url, opts) => {
+      capturedUrl = url;
+      capturedOpts = opts;
+      return { data: 'diff content' };
+    });
+    const result = await getPRDiff();
+    assert.equal(result, 'diff content');
+    assert.ok(capturedUrl.includes('/api/v1/repos/'));
+    assert.ok(capturedUrl.endsWith('.diff'));
+    assert.ok(capturedOpts.headers['Authorization'].startsWith('token '));
+    assert.equal(capturedOpts.headers['Content-Type'], 'application/json');
+  });
+
+  it('postComment calls Gitea issues comments API with body', async () => {
+    let capturedUrl, capturedBody, capturedOpts;
+    mock.method(axios, 'post', async (url, body, opts) => {
+      capturedUrl = url;
+      capturedBody = body;
+      capturedOpts = opts;
+      return { data: { id: 1 } };
+    });
+    const result = await postComment('hello world');
+    assert.deepEqual(result, { id: 1 });
+    assert.ok(capturedUrl.includes('/api/v1/repos/'));
+    assert.ok(capturedUrl.endsWith('/comments'));
+    assert.equal(capturedBody.body, 'hello world');
+    assert.ok(capturedOpts.headers['Authorization'].startsWith('token '));
+  });
+
+  it('does not set httpsAgent by default (GITEA_SKIP_TLS_VERIFY not true)', async () => {
+    let capturedOpts;
+    mock.method(axios, 'get', async (_url, opts) => {
+      capturedOpts = opts;
+      return { data: '' };
+    });
+    await getPRDiff();
+    assert.equal(capturedOpts.httpsAgent, undefined);
+  });
+
+  it('getPRDiff propagates axios errors', async () => {
+    mock.method(axios, 'get', async () => { throw new Error('network error'); });
+    await assert.rejects(() => getPRDiff(), /network error/);
+  });
+
+  it('postComment propagates axios errors', async () => {
+    mock.method(axios, 'post', async () => { throw new Error('api error'); });
+    await assert.rejects(() => postComment('test'), /api error/);
+  });
+});
+
+describe('filterDiff', async () => {
+  const { filterDiff } = await import('./gitea.js');
+
+  const block = (file) => `diff --git a/${file} b/${file}\n--- a/${file}\n+++ b/${file}\n@@ -1 +1 @@\n-old\n+new\n`;
+
+  it('filters out .gitea/ blocks', () => {
+    const diff = block('.gitea/workflows/review.yaml') + block('src/index.js');
+    const result = filterDiff(diff, ['.gitea/']);
+    assert.ok(!result.includes('.gitea/'));
+    assert.ok(result.includes('src/index.js'));
+  });
+
+  it('does not filter non-.gitea/ blocks', () => {
+    const diff = block('src/index.js') + block('README.md');
+    const result = filterDiff(diff, ['.gitea/']);
+    assert.equal(result, diff);
+  });
+
+  it('returns empty string when all blocks are excluded', () => {
+    const diff = block('.gitea/workflows/review.yaml') + block('.gitea/ai-review/findings.json');
+    const result = filterDiff(diff, ['.gitea/']);
+    assert.equal(result, '');
+  });
+
+  it('returns empty string for empty diff', () => {
+    assert.equal(filterDiff('', ['.gitea/']), '');
+  });
+});
@@ -1,36 +1,39 @@
 import axios from 'axios';
-import https from 'https';
 import { getLLMConfig } from './config.js';

-const httpsAgent = new https.Agent({ rejectUnauthorized: false });
-
 export async function chat(systemPrompt, userContent) {
-  const { provider, apiKey, baseURL, model } = getLLMConfig();
+  const { provider, apiKeys, baseURL, model } = getLLMConfig();
  if (!provider) throw new Error('未設定任何 LLM API Key');

  console.log(`  [LLM] provider=${provider} model=${model}`);

-  const headers = {
-    'Content-Type': 'application/json',
-    'Authorization': `Bearer ${apiKey}`,
-  };
+  const headers = { 'Content-Type': 'application/json' };
  if (provider === 'claude') headers['anthropic-version'] = '2023-06-01';

+  const shuffled = [...apiKeys].sort(() => Math.random() - 0.5);
+  for (let i = 0; i < shuffled.length; i++) {
+    if (provider !== 'ollama') headers['Authorization'] = `Bearer ${shuffled[i]}`;
+    try {
      const resp = await axios.post(
        `${baseURL.replace(/\/$/, '')}/chat/completions`,
        { model, messages: [{ role: 'system', content: systemPrompt }, { role: 'user', content: userContent }], temperature: 0.2 },
-    { headers, timeout: 120000, httpsAgent }
+        { headers }
      );
      return resp.data.choices[0].message.content;
+    } catch (e) {
+      console.log(`  [LLM] key[${i + 1}/${shuffled.length}] 失敗: ${e.message}`);
+    }
+  }
+  console.error('  [LLM] 所有 API Key 均失敗，終止流程');
+  process.exit(1);
 }

 export async function chatJSON(systemPrompt, userContent) {
+  const text = await chat(systemPrompt, userContent);
  try {
-    let text = await chat(systemPrompt, userContent);
-    text = text.trim().replace(/^```[^\n]*\n?/, '').replace(/```$/, '').trim();
-    return JSON.parse(text);
+    return JSON.parse(text.trim().replace(/^```[^\n]*\n?/, '').replace(/```$/, '').trim());
  } catch (e) {
-    console.log(`  [LLM] 解析失敗: ${e.message}`);
+    console.log(`  [LLM] JSON 解析失敗: ${e.message}`);
    return [];
  }
 }
@@ -0,0 +1,153 @@
+import { describe, it, beforeEach, afterEach, mock } from 'node:test';
+import assert from 'node:assert/strict';
+
+// Mock axios before importing llm.js
+import axios from 'axios';
+
+const ENV_KEYS = [
+  'OPENAI_API_KEY', 'OPENAI_BASE_URL', 'OPENAI_MODEL',
+  'GEMINI_API_KEY', 'GEMINI_BASE_URL', 'GEMINI_MODEL',
+  'CLAUDE_API_KEY', 'CLAUDE_BASE_URL', 'CLAUDE_MODEL',
+  'OLLAMA_BASE_URL', 'OLLAMA_MODEL',
+  'AMAZONQ_API_KEY', 'AMAZONQ_BASE_URL', 'AMAZONQ_MODEL',
+];
+
+let saved = {};
+beforeEach(() => {
+  saved = {};
+  for (const k of ENV_KEYS) { saved[k] = process.env[k]; delete process.env[k]; }
+});
+afterEach(() => {
+  for (const k of ENV_KEYS) {
+    if (saved[k] === undefined) delete process.env[k];
+    else process.env[k] = saved[k];
+  }
+  mock.restoreAll();
+});
+
+function mockAxiosPost(responses) {
+  let call = 0;
+  mock.method(axios, 'post', async () => {
+    const r = responses[call++] ?? responses[responses.length - 1];
+    if (r instanceof Error) throw r;
+    return r;
+  });
+}
+
+function makeOkResponse(content = 'ok') {
+  return { data: { choices: [{ message: { content } }] } };
+}
+
+describe('chat - key rotation', async () => {
+  const { chat } = await import('./llm.js');
+
+  it('succeeds on first key', async () => {
+    process.env.OPENAI_API_KEY = 'key1';
+    mockAxiosPost([makeOkResponse('hello')]);
+    const result = await chat('sys', 'user');
+    assert.equal(result, 'hello');
+  });
+
+  it('shuffles keys and tries each exactly once', async () => {
+    process.env.OPENAI_API_KEY = 'key1,key2,key3';
+    const usedKeys = [];
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      usedKeys.push(opts.headers['Authorization'].replace('Bearer ', ''));
+      throw new Error('fail');
+    });
+    const exitMock = mock.method(process, 'exit', () => { throw new Error('exit:1'); });
+    await assert.rejects(() => chat('sys', 'user'), /exit:1/);
+    assert.equal(exitMock.mock.calls[0].arguments[0], 1);
+    assert.equal(usedKeys.length, 3);
+    assert.deepEqual([...usedKeys].sort(), ['key1', 'key2', 'key3']);
+  });
+
+  it('calls process.exit(1) when all keys fail', async () => {
+    process.env.OPENAI_API_KEY = 'k1,k2';
+    mockAxiosPost([new Error('fail'), new Error('fail')]);
+    const exitMock = mock.method(process, 'exit', () => { throw new Error('exit:1'); });
+    await assert.rejects(() => chat('sys', 'user'), /exit:1/);
+    assert.equal(exitMock.mock.calls[0].arguments[0], 1);
+  });
+
+  it('does not set Authorization header for ollama', async () => {
+    process.env.OLLAMA_BASE_URL = 'http://localhost:11434/v1';
+    process.env.OLLAMA_MODEL = 'llama3';
+    let capturedHeaders;
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      capturedHeaders = opts.headers;
+      return makeOkResponse('ollama response');
+    });
+    await chat('sys', 'user');
+    assert.equal(capturedHeaders['Authorization'], undefined);
+  });
+
+  it('sets Authorization header for openai', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    let capturedHeaders;
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      capturedHeaders = opts.headers;
+      return makeOkResponse();
+    });
+    await chat('sys', 'user');
+    assert.equal(capturedHeaders['Authorization'], 'Bearer sk-test');
+  });
+
+  it('does not set timeout', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    let capturedOpts;
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      capturedOpts = opts;
+      return makeOkResponse();
+    });
+    await chat('sys', 'user');
+    assert.equal(capturedOpts.timeout, undefined);
+  });
+
+  it('does not pass httpsAgent to axios', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    let capturedOpts;
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      capturedOpts = opts;
+      return makeOkResponse();
+    });
+    await chat('sys', 'user');
+    assert.equal(capturedOpts.httpsAgent, undefined);
+  });
+
+  it('sets anthropic-version header for claude', async () => {
+    process.env.CLAUDE_API_KEY = 'claude-key';
+    let capturedHeaders;
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      capturedHeaders = opts.headers;
+      return makeOkResponse();
+    });
+    await chat('sys', 'user');
+    assert.equal(capturedHeaders['anthropic-version'], '2023-06-01');
+  });
+});
+
+describe('chatJSON', async () => {
+  const { chatJSON } = await import('./llm.js');
+
+  it('parses plain JSON response', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    mockAxiosPost([makeOkResponse('[{"level":"critical"}]')]);
+    const result = await chatJSON('sys', 'user');
+    assert.deepEqual(result, [{ level: 'critical' }]);
+  });
+
+  it('strips markdown code block before parsing', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    mockAxiosPost([makeOkResponse('```json\n[{"level":"info"}]\n```')]);
+    const result = await chatJSON('sys', 'user');
+    assert.deepEqual(result, [{ level: 'info' }]);
+  });
+
+  it('returns [] when JSON is invalid', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    mockAxiosPost([makeOkResponse('not json')]);
+    const result = await chatJSON('sys', 'user');
+    assert.deepEqual(result, []);
+  });
+});
@@ -1,9 +1,11 @@
-import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig } from './config.js';
+import fs from 'fs';
+import path from 'path';
+import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig, FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';
 import { loadRoles, getRoleIntro } from './roles.js';
-import { getPRDiff, postComment } from './gitea.js';
-import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI } from './findings.js';
+import { getPRDiff, filterDiff, postComment } from './gitea.js';
+import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js';
 import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
-import { commitAndPush } from './git.js';
+import { cloneRepo, commitAndPush } from './git.js';

 const WORKSPACE = process.env.GITHUB_WORKSPACE || '/workspace';

@@ -13,7 +15,6 @@ async function main() {
  console.log(`  repo=${GITEA_REPOSITORY}  PR=#${PR_NUMBER}`);
  console.log(`  ${PR_HEAD_BRANCH} -> ${PR_BASE_BRANCH}`);

-  // 偵測 LLM
  const { provider, baseURL, model } = getLLMConfig();
  if (!provider) {
    console.error('❌ 未設定任何 LLM API Key，請檢查 action inputs');
@@ -21,12 +22,9 @@ async function main() {
  }
  console.log(`  LLM: provider=${provider}  model=${model}  base_url=${baseURL}`);

-  // 載入角色
  const roles = loadRoles();
  console.log(`  已載入 ${roles.length} 個角色: [${roles.map(r => r.name).join(', ')}]`);

-  // 取得 PR diff
-  console.log('\n📋 Step1: 取得 PR Diff');
  let diff;
  try {
    diff = await getPRDiff();
@@ -41,8 +39,6 @@ async function main() {
    process.exit(0);
  }

-  // 發布角色介紹 comment
-  console.log('\n💬 Step1: 發布角色介紹 Comment');
  try {
    const intro = getRoleIntro(roles) + `\n\n> 🔍 服務：${provider}  模型：${model}`;
    await postComment(intro);
@@ -51,58 +47,105 @@ async function main() {
    console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
  }

-  // Step2: 各角色分析 diff 產生新 findings
-  console.log('\n📊 Step2: Findings 產生');
+  // Step2: 排除 .gitea/ 資料夾內的所有檔案
+  console.log('\n🗂️  Step2: Git Diff 過濾');
+  diff = filterDiff(diff, ['.gitea/']);
+  console.log(`  排除 .gitea/ 後 diff 長度: ${diff.length} 字元`);
+
+  if (!diff.trim()) {
+    console.log('  ⚠️  過濾後 diff 為空，無需審查');
+    process.exit(0);
+  }
+
+  // Step3: 各角色分析 diff 產生新 findings
+  console.log('\n📊 Step3: Findings 產生');
+  const results = await Promise.allSettled(roles.map(role => analyzeWithRole(role, diff)));
  const newFindings = [];
-  for (const role of roles) {
+  for (let i = 0; i < results.length; i++) {
+    if (results[i].status === 'fulfilled') {
+      newFindings.push(...results[i].value);
+    } else {
+      console.log(`  ⚠️  [${roles[i].name}] 分析失敗（跳過）: ${results[i].reason?.message}`);
+    }
+  }
+  console.log(`  Step3 完成: 新 findings 總計 ${newFindings.length} 筆`);
+
+  // Step4: 讀取舊 findings，合併去重（含 AI 語意去重）
+  console.log('\n🔀 Step4: Findings 合併');
+  // Clone repo 以讀取舊 findings 與排除清單
+  let repoDir;
  try {
-      const found = await analyzeWithRole(role, diff);
-      newFindings.push(...found);
+    repoDir = cloneRepo(WORKSPACE);
  } catch (e) {
-      console.log(`  ⚠️  [${role.name}] 分析失敗（跳過）: ${e.message}`);
+    console.log(`  ⚠️  clone repo 失敗（繼續執行）: ${e.message}`);
  }
-  }
-  console.log(`  Step2 完成: 新 findings 總計 ${newFindings.length} 筆`);
-
-  // Step3: 讀取舊 findings，合併去重
-  console.log('\n🔀 Step3: Findings 合併');
-  const oldFindings = loadOldFindings(WORKSPACE);
+  const oldFindings = loadOldFindings(repoDir || WORKSPACE);
  const mergedFindings = mergeFindings(oldFindings, newFindings);
-  console.log(`  Step3 merged findings total=${mergedFindings.length}`);
+  console.log(`  Step4 merged findings total=${mergedFindings.length}`);

-  // Step3b: AI 語意去重
-  console.log('\n🤖 Step3b: AI 語意去重');
+  console.log('\n🤖 Step4b: AI 語意去重');
  const deduped = await deduplicateWithAI(mergedFindings);
  const sorted = sortByLevel(deduped);
-  console.log(`  Step3b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`);
+  console.log(`  Step4b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`);

-  // Step4: 寫入 findings.json，依序發布 comment
-  console.log('\n📝 Step4: Findings 寫入與 Comment 發布');
-  saveFindings(WORKSPACE, sorted);
+  // Step5: 讀取排除問題檔案，過濾 PR 問題表格，並請 AI 判斷誤報
+  console.log('\n🚫 Step5: AI 排除問題過濾');
+  // 輸入至 findings 用於 AI 誤報過濾，exclusions 同時作為已知誤報參考
+  const exclusions = loadExclusions(repoDir || WORKSPACE);
+  const ruleFiltered = applyExclusions(sorted, exclusions);
+  const filtered = await filterFalsePositivesWithAI(ruleFiltered, exclusions);
+  console.log(`  Step5 完成: findings total=${filtered.length}`);

+  // Step6: 寫入 findings.json，依序發布 comment
+  console.log('\n📝 Step6: Findings 寫入與 Comment 發布');
+  saveFindings(WORKSPACE, filtered);
  try {
-    await postOldFindingsComment(sorted);
-    await postNewNonCriticalComment(sorted);
-    await postNewCriticalComments(sorted);
-    console.log('  Step4 完成');
+    await postOldFindingsComment(filtered);
+    await postNewNonCriticalComment(filtered);
+    await postNewCriticalComments(filtered);
+    console.log('  Step6 完成');
  } catch (e) {
    console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
  }

-  // Step5: commit/push findings.json 到來源分支
-  console.log('\n💾 Step5: 記憶區 Commit/Push');
+  // Step7: 驗證 findings.json 與 exclusions.json 為合法 JSON
+  console.log('\n🔎 Step7: JSON 格式驗證');
+  for (const relPath of [FINDINGS_PATH, EXCLUSIONS_PATH]) {
+    const fullPath = path.join(repoDir || WORKSPACE, relPath);
+    if (!fs.existsSync(fullPath)) {
+      console.log(`  ⚠️  ${relPath} 不存在，跳過驗證`);
+      continue;
+    }
+    try {
+      JSON.parse(fs.readFileSync(fullPath, 'utf8'));
+      console.log(`  ✅ ${relPath} JSON 格式正確`);
+    } catch (e) {
+      console.error(`  ❌ ${relPath} JSON 格式錯誤: ${e.message}，嘗試修正...`);
+      try {
+        const backupPath = fullPath + '.bak';
+        fs.copyFileSync(fullPath, backupPath);
+        fs.writeFileSync(fullPath, '[]\n', 'utf8');
+        console.log(`  ✅ ${relPath} 已重置為空陣列（原檔備份至 ${relPath}.bak）`);
+      } catch (repairErr) {
+        console.error(`  ❌ ${relPath} 修正失敗: ${repairErr.message}`);
+        process.exit(1);
+      }
+    }
+  }
+
+  // Step8: commit/push findings.json 到來源分支
+  console.log('\n💾 Step8: 記憶區 Commit/Push');
  await commitAndPush(WORKSPACE);

-  // Step6: 有 critical 問題則 exit 1
-  console.log('\n🚦 Step6: 嚴重問題檢查');
-  const criticalCount = sorted.filter(f => f.level === 'critical').length;
+  // Step9: 有 critical 問題則 exit 1
+  console.log('\n🚦 Step9: 嚴重問題檢查');
+  const criticalCount = filtered.filter(f => f.level === 'critical').length;
  if (criticalCount > 0) {
    console.log(`  ❌ 發現 ${criticalCount} 個嚴重問題，workflow 結束（exit 1）`);
    console.log('='.repeat(60));
    process.exit(1);
  }
  console.log('  ✅ 無嚴重問題');
-
  console.log('\n✅ Pipeline 完成');
  console.log('='.repeat(60));
 }
@@ -0,0 +1,468 @@
+{
+  "name": "ai-code-review",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "ai-code-review",
+      "version": "1.0.0",
+      "dependencies": {
+        "axios": "^1.6.7",
+        "js-yaml": "^4.1.0",
+        "openai": "^4.28.0"
+      }
+    },
+    "node_modules/@types/node": {
+      "version": "18.19.130",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.130.tgz",
+      "integrity": "sha512-GRaXQx6jGfL8sKfaIDD6OupbIHBr9jv7Jnaml9tB7l4v068PAOXqfcujMMo5PhbIs6ggR1XODELqahT2R8v0fg==",
+      "dependencies": {
+        "undici-types": "~5.26.4"
+      }
+    },
+    "node_modules/@types/node-fetch": {
+      "version": "2.6.13",
+      "resolved": "https://registry.npmjs.org/@types/node-fetch/-/node-fetch-2.6.13.tgz",
+      "integrity": "sha512-QGpRVpzSaUs30JBSGPjOg4Uveu384erbHBoT1zeONvyCfwQxIkUshLAOqN/k9EjGviPRmWTTe6aH2qySWKTVSw==",
+      "dependencies": {
+        "@types/node": "*",
+        "form-data": "^4.0.4"
+      }
+    },
+    "node_modules/abort-controller": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/abort-controller/-/abort-controller-3.0.0.tgz",
+      "integrity": "sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==",
+      "dependencies": {
+        "event-target-shim": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=6.5"
+      }
+    },
+    "node_modules/agentkeepalive": {
+      "version": "4.6.0",
+      "resolved": "https://registry.npmjs.org/agentkeepalive/-/agentkeepalive-4.6.0.tgz",
+      "integrity": "sha512-kja8j7PjmncONqaTsB8fQ+wE2mSU2DJ9D4XKoJ5PFWIdRMa6SLSN1ff4mOr4jCbfRSsxR4keIiySJU0N9T5hIQ==",
+      "dependencies": {
+        "humanize-ms": "^1.2.1"
+      },
+      "engines": {
+        "node": ">= 8.0.0"
+      }
+    },
+    "node_modules/argparse": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+      "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q=="
+    },
+    "node_modules/asynckit": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
+      "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q=="
+    },
+    "node_modules/axios": {
+      "version": "1.16.0",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.16.0.tgz",
+      "integrity": "sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==",
+      "dependencies": {
+        "follow-redirects": "^1.16.0",
+        "form-data": "^4.0.5",
+        "proxy-from-env": "^2.1.0"
+      }
+    },
+    "node_modules/call-bind-apply-helpers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/combined-stream": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
+      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+      "dependencies": {
+        "delayed-stream": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/delayed-stream": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
+      "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==",
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/dunder-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-define-property": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-object-atoms": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+      "dependencies": {
+        "es-errors": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-set-tostringtag": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
+      "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.6",
+        "has-tostringtag": "^1.0.2",
+        "hasown": "^2.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/event-target-shim": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/event-target-shim/-/event-target-shim-5.0.1.tgz",
+      "integrity": "sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/follow-redirects": {
+      "version": "1.16.0",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
+      "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://github.com/sponsors/RubenVerborgh"
+        }
+      ],
+      "engines": {
+        "node": ">=4.0"
+      },
+      "peerDependenciesMeta": {
+        "debug": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/form-data": {
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+      "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+      "dependencies": {
+        "asynckit": "^0.4.0",
+        "combined-stream": "^1.0.8",
+        "es-set-tostringtag": "^2.1.0",
+        "hasown": "^2.0.2",
+        "mime-types": "^2.1.12"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/form-data-encoder": {
+      "version": "1.7.2",
+      "resolved": "https://registry.npmjs.org/form-data-encoder/-/form-data-encoder-1.7.2.tgz",
+      "integrity": "sha512-qfqtYan3rxrnCk1VYaA4H+Ms9xdpPqvLZa6xmMgFvhO32x7/3J/ExcTd6qpxM0vH2GdMI+poehyBZvqfMTto8A=="
+    },
+    "node_modules/formdata-node": {
+      "version": "4.4.1",
+      "resolved": "https://registry.npmjs.org/formdata-node/-/formdata-node-4.4.1.tgz",
+      "integrity": "sha512-0iirZp3uVDjVGt9p49aTaqjk84TrglENEDuqfdlZQ1roC9CWlPk6Avf8EEnZNcAqPonwkG35x4n3ww/1THYAeQ==",
+      "dependencies": {
+        "node-domexception": "1.0.0",
+        "web-streams-polyfill": "4.0.0-beta.3"
+      },
+      "engines": {
+        "node": ">= 12.20"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "es-object-atoms": "^1.1.1",
+        "function-bind": "^1.1.2",
+        "get-proto": "^1.0.1",
+        "gopd": "^1.2.0",
+        "has-symbols": "^1.1.0",
+        "hasown": "^2.0.2",
+        "math-intrinsics": "^1.1.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+      "dependencies": {
+        "dunder-proto": "^1.0.1",
+        "es-object-atoms": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-tostringtag": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
+      "integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
+      "dependencies": {
+        "has-symbols": "^1.0.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/hasown": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz",
+      "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/humanize-ms": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/humanize-ms/-/humanize-ms-1.2.1.tgz",
+      "integrity": "sha512-Fl70vYtsAFb/C06PTS9dZBo7ihau+Tu/DNCk/OyHhea07S+aeMWpFFkUaXRa8fI+ScZbEI8dfSxwY7gxZ9SAVQ==",
+      "dependencies": {
+        "ms": "^2.0.0"
+      }
+    },
+    "node_modules/js-yaml": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+      "dependencies": {
+        "argparse": "^2.0.1"
+      },
+      "bin": {
+        "js-yaml": "bin/js-yaml.js"
+      }
+    },
+    "node_modules/math-intrinsics": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.52.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "2.1.35",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+      "dependencies": {
+        "mime-db": "1.52.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="
+    },
+    "node_modules/node-domexception": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
+      "integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==",
+      "deprecated": "Use your platform's native DOMException instead",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/jimmywarting"
+        },
+        {
+          "type": "github",
+          "url": "https://paypal.me/jimmywarting"
+        }
+      ],
+      "engines": {
+        "node": ">=10.5.0"
+      }
+    },
+    "node_modules/node-fetch": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz",
+      "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==",
+      "dependencies": {
+        "whatwg-url": "^5.0.0"
+      },
+      "engines": {
+        "node": "4.x || >=6.0.0"
+      },
+      "peerDependencies": {
+        "encoding": "^0.1.0"
+      },
+      "peerDependenciesMeta": {
+        "encoding": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/openai": {
+      "version": "4.104.0",
+      "resolved": "https://registry.npmjs.org/openai/-/openai-4.104.0.tgz",
+      "integrity": "sha512-p99EFNsA/yX6UhVO93f5kJsDRLAg+CTA2RBqdHK4RtK8u5IJw32Hyb2dTGKbnnFmnuoBv5r7Z2CURI9sGZpSuA==",
+      "dependencies": {
+        "@types/node": "^18.11.18",
+        "@types/node-fetch": "^2.6.4",
+        "abort-controller": "^3.0.0",
+        "agentkeepalive": "^4.2.1",
+        "form-data-encoder": "1.7.2",
+        "formdata-node": "^4.3.2",
+        "node-fetch": "^2.6.7"
+      },
+      "bin": {
+        "openai": "bin/cli"
+      },
+      "peerDependencies": {
+        "ws": "^8.18.0",
+        "zod": "^3.23.8"
+      },
+      "peerDependenciesMeta": {
+        "ws": {
+          "optional": true
+        },
+        "zod": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/proxy-from-env": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-2.1.0.tgz",
+      "integrity": "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==",
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/tr46": {
+      "version": "0.0.3",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
+      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
+    },
+    "node_modules/undici-types": {
+      "version": "5.26.5",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
+      "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="
+    },
+    "node_modules/web-streams-polyfill": {
+      "version": "4.0.0-beta.3",
+      "resolved": "https://registry.npmjs.org/web-streams-polyfill/-/web-streams-polyfill-4.0.0-beta.3.tgz",
+      "integrity": "sha512-QW95TCTaHmsYfHDybGMwO5IJIM93I/6vTRk+daHTWFPhwh+C8Cg7j7XyKrwrj8Ib6vYXe0ocYNrmzY4xAAN6ug==",
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/webidl-conversions": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
+      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="
+    },
+    "node_modules/whatwg-url": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
+      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
+      "dependencies": {
+        "tr46": "~0.0.3",
+        "webidl-conversions": "^3.0.0"
+      }
+    }
+  }
+}
@@ -2,6 +2,9 @@
  "name": "ai-code-review",
  "version": "1.0.0",
  "type": "module",
+  "scripts": {
+    "test": "node --test *.test.js"
+  },
  "dependencies": {
    "axios": "^1.6.7",
    "js-yaml": "^4.1.0",
@@ -1,8 +1,9 @@
 import fs from 'fs';
 import path from 'path';
+import { fileURLToPath } from 'url';
 import yaml from 'js-yaml';

-const ROLES_DIR = '/action/app/prompts/roles';
+const ROLES_DIR = path.join(fileURLToPath(import.meta.url), '..', 'prompts', 'roles');

 export function loadRoles() {
  return fs.readdirSync(ROLES_DIR)
@@ -12,9 +13,13 @@ export function loadRoles() {
 }

 export function getRoleIntro(roles) {
-  const lines = ['## 🤖 AI Code Review 團隊', ''];
+  const lines = [
+    '## 🤖 AI Code Review 團隊', '',
+    '| 👤 名稱 | 🎯 職責 | 🧠 個性 |',
+    '|--------|--------|--------|',
+  ];
  for (const r of roles) {
-    lines.push(`- **${r.name}** (${r.role})：${r.personality}`);
+    lines.push(`| **${r.name}** | ${r.role} | ${r.personality} |`);
  }
  return lines.join('\n');
 }
Author	SHA1	Message	Date
jiantw83	5876154dbb	refactor: optimize AI payload by reducing token usage and streamline findings structure	2026-05-13 01:39:13 +00:00
AI Review Bot	0e0cd252b0	chore: update ai-review findings [skip ci]	2026-05-13 01:33:15 +00:00
jiantw83	fcc8d59f7a	refactor: add suggestion for TODO.md clarification and enhance filterDiff test documentation	2026-05-13 01:31:25 +00:00
AI Review Bot	a92b6440ff	chore: update ai-review findings [skip ci]	2026-05-13 01:29:11 +00:00
jiantw83	8d8ace636e	refactor: add new suggestion for filterDiff unit tests and update getPRDiff documentation for clarity	2026-05-13 01:27:33 +00:00
AI Review Bot	fdeceee52f	chore: update ai-review findings [skip ci]	2026-05-13 01:21:17 +00:00
jiantw83	fade942267	refactor: add new suggestion for comments.js and enhance filterDiff tests for better coverage	2026-05-13 01:18:21 +00:00
jiantw83	4834396652	refactor: streamline JSON file reading logic and improve error handling in findings.js and git.js	2026-05-13 01:16:34 +00:00
AI Review Bot	0108a05886	chore: update ai-review findings [skip ci]	2026-05-13 01:14:09 +00:00
jiantw83	6db660f872	refactor: update TODO stages to reflect current status and improve clarity; modify diff filtering logic in gitea.js and main.js	2026-05-13 01:12:20 +00:00
jiantw83	45468d89d3	refactor: reorganize TODO stages for clarity and update section titles	2026-05-13 01:08:04 +00:00
jiantw83	6c6680fd3e	feat: enhance JSON format validation with backup and reset mechanism on error	2026-05-13 01:06:11 +00:00
jiantw83	49a02ebb6b	feat: add JSON format validation for findings and exclusions after processing	2026-05-13 01:02:33 +00:00
AI Review Bot	37cf5f82fa	chore: update ai-review findings [skip ci]	2026-05-13 00:51:30 +00:00
jiantw83	fd854649db	refactor: improve comment formatting and streamline AI handling in findings processing	2026-05-13 00:49:23 +00:00
jiantw83	de8de251ba	feat: exclude .gitea/ directory from Git Diff analysis and update TODO	2026-05-13 00:41:12 +00:00
admin	fe7381c36e	更新 README.md	2026-05-12 10:22:02 +00:00
admin	abfd594bb2	更新 .gitea/workflows/review.yaml	2026-05-12 10:21:27 +00:00
admin	8878165a81	更新 .gitea/workflows/review.yaml	2026-05-12 10:19:32 +00:00
admin	818342d27b	更新 README.md	2026-05-12 10:19:10 +00:00
Jeffery	d95213334b	feat: add concurrency settings and branch ignore for pull request workflows	2026-05-12 18:17:14 +08:00
jiantw83	ea64c5f063	Merge pull request 'feat: 使用 kiro 重構 ai code review' (#85 ) from feat/refactor/main into develop Reviewed-on: jiantw83/code-review#85	2026-05-12 10:06:38 +00:00
AI Review Bot	931481179a	chore: update ai-review findings [skip ci]	2026-05-12 10:02:45 +00:00
jiantw83	52fa3acf18	feat: update GEMINI_BASE_URL to v1beta for improved API compatibility	2026-05-12 09:58:43 +00:00
jiantw83	c751a53d43	feat: enhance exclusions.json with new suggestions and refactor roles.js for dynamic path resolution	2026-05-12 09:57:33 +00:00
jiantw83	2aba414d36	feat: update GEMINI_BASE_URL to use v1 endpoint in workflow and documentation	2026-05-12 09:52:42 +00:00
AI Review Bot	d565b79feb	chore: update ai-review findings [skip ci]	2026-05-12 09:50:51 +00:00
jiantw83	81d5e3ff13	feat: update exclusions.json suggestions and refactor Dockerfile for improved npm installation	2026-05-12 09:40:56 +00:00
jiantw83	1ccc2cd560	feat: add GITEA_SKIP_TLS_VERIFY support for skipping SSL/TLS verification in Gitea integration	2026-05-12 09:37:51 +00:00
AI Review Bot	c815c30088	chore: update ai-review findings [skip ci]	2026-05-12 09:31:01 +00:00
jiantw83	91816c700e	Merge pull request 'feat: support multiple API keys for LLM providers, allowing automatic key rotation on failure' (#84 ) from feat/refactor/mulit_api_key into feat/refactor/main Reviewed-on: jiantw83/code-review#84	2026-05-12 09:25:46 +00:00
AI Review Bot	d9acf3b0b7	chore: update ai-review findings [skip ci]	2026-05-12 09:25:14 +00:00
jiantw83	9650162a67	feat: extend GEMINI_API_KEY support to include additional keys and update suggestions in exclusions.json	2026-05-12 09:21:32 +00:00
AI Review Bot	3fa5504e9a	chore: update ai-review findings [skip ci]	2026-05-12 09:13:49 +00:00
jiantw83	b6aa37201a	feat: add test for handling comma-only API key in getLLMConfig	2026-05-12 09:01:54 +00:00
AI Review Bot	a296c594d3	chore: update ai-review findings [skip ci]	2026-05-12 08:45:24 +00:00
jiantw83	95929fdced	feat: add suggestions for master.yaml and llm.test.js to improve code quality and testing practices	2026-05-12 08:41:23 +00:00
AI Review Bot	af195b9c3b	chore: update ai-review findings [skip ci]	2026-05-12 08:36:23 +00:00
jiantw83	b149508dab	feat: enhance exclusions.json with additional suggestions and add chatJSON tests for JSON response handling	2026-05-12 08:29:24 +00:00
jiantw83	bb18147cab	feat: update exclusions.json with additional suggestions and refine master.yaml for cleaner token handling	2026-05-12 08:29:24 +00:00
AI Review Bot	b3c868ceec	chore: update ai-review findings [skip ci]	2026-05-12 08:23:00 +00:00
jiantw83	a6df5c4f43	feat: refactor API key handling to shuffle keys and attempt each once	2026-05-12 08:17:49 +00:00
jiantw83	e28c6ea5a3	feat: update AI Code Review workflow to use Gemini API keys and configuration	2026-05-12 08:05:37 +00:00
jiantw83	4a631bc62a	feat: support multiple OpenAI API keys in AI Code Review workflow	2026-05-12 08:04:44 +00:00
jiantw83	710b9a1bb5	feat: update AI Code Review workflow to use OpenAI API instead of Gemini API	2026-05-12 07:47:28 +00:00
jiantw83	2ced37f54f	feat: refactor LLM API handling, add tests for key rotation and update package files	2026-05-12 07:38:38 +00:00
AI Review Bot	328d6b2100	chore: update ai-review findings [skip ci]	2026-05-12 07:18:00 +00:00
jiantw83	1b7aeedfdb	feat: support multiple API keys for LLM providers, allowing automatic key rotation on failure	2026-05-12 07:09:20 +00:00
AI Review Bot	50f422f0d3	chore: update ai-review findings [skip ci]	2026-05-12 06:49:07 +00:00
jiantw83	c3533bdfb6	Merge pull request 'feat/refactor/kiro/fix' (#83 ) from feat/refactor/kiro/fix into feat/refactor/main Reviewed-on: jiantw83/code-review#83	2026-05-12 06:48:18 +00:00
AI Review Bot	7578bee5d3	chore: update ai-review findings [skip ci]	2026-05-12 06:47:39 +00:00
jiantw83	8a8612b46d	fix: update findings.json to remove redundant warnings and ensure consistency with exclusions.json	2026-05-12 06:46:51 +00:00
AI Review Bot	e3b4c7f8d4	chore: update ai-review findings [skip ci]	2026-05-12 06:32:21 +00:00
jiantw83	fdcb9f04de	fix: update suggestions in exclusions.json to clarify handling of findings and LLM service provider maintenance	2026-05-12 06:29:43 +00:00
jiantw83	e3596eb710	fix: add duplicate suggestion for LLM integration tests in exclusions.json	2026-05-12 06:28:34 +00:00
AI Review Bot	83943b8dda	chore: update ai-review findings [skip ci]	2026-05-12 06:24:11 +00:00
jiantw83	234a8a829f	fix: update suggestion in exclusions.json for LLM integration tests to clarify API key requirements	2026-05-12 06:21:24 +00:00
AI Review Bot	b164fe855e	chore: update ai-review findings [skip ci]	2026-05-12 06:15:35 +00:00
jiantw83	16cb1966f0	fix: update GEMINI_API_KEY in review.yaml to use the correct secret	2026-05-12 06:11:12 +00:00
jiantw83	8d3f5e3a45	fix: update GEMINI_API_KEY in review.yaml to use the correct secret	2026-05-12 06:06:30 +00:00
AI Review Bot	85ff61e98f	chore: update ai-review findings [skip ci]	2026-05-12 06:03:48 +00:00
jiantw83	4bace91d3d	fix: add suggestions for LLM integration tests and code structure improvements in exclusions.json; ensure findings.json is saved with a newline	2026-05-12 06:03:30 +00:00
AI Review Bot	e541cee83f	chore: update ai-review findings [skip ci]	2026-05-12 05:54:43 +00:00
jiantw83	95802c422b	fix: update suggestions in exclusions.json and findings.json for clarity and consistency with GEMINI API	2026-05-12 05:54:25 +00:00
jiantw83	bf7b8f843b	fix: add suggestion for GEMINI API parameter consistency in review.yaml	2026-05-12 05:50:46 +00:00
AI Review Bot	e88e586ac6	chore: update ai-review findings [skip ci]	2026-05-12 05:48:20 +00:00
jiantw83	6921ca05ec	fix: update AI Code Review step to use GEMINI API instead of OpenRouter	2026-05-12 05:47:09 +00:00
AI Review Bot	8046708f00	chore: update ai-review findings [skip ci]	2026-05-12 05:37:32 +00:00
jiantw83	58fdbdd965	fix: enhance exclusions.json suggestions for clarity; remove unnecessary lines in action.yaml	2026-05-12 05:37:07 +00:00
jiantw83	8ad7ae51a4	Merge pull request 'feat/refactor/kiro/fix' (#80 ) from feat/refactor/kiro/fix into feat/refactor/main Reviewed-on: jiantw83/code-review#80	2026-05-12 05:00:48 +00:00
AI Review Bot	19efa8a8de	chore: update ai-review findings [skip ci]	2026-05-12 04:20:55 +00:00
jiantw83	5ef9ab81ff	fix: enhance suggestions in exclusions.json for clarity and accuracy; update filterFalsePositivesWithAI to accept exclusions	2026-05-12 04:20:35 +00:00
AI Review Bot	24ae565e38	chore: update ai-review findings [skip ci]	2026-05-12 04:06:08 +00:00
jiantw83	33c0357165	fix: update suggestions in exclusions.json for clarity and accuracy	2026-05-12 04:05:49 +00:00
AI Review Bot	4f631ef9b8	chore: update ai-review findings [skip ci]	2026-05-12 03:48:43 +00:00
jiantw83	76c5160915	fix: add additional suggestions for AI review exclusions in exclusions.json	2026-05-12 03:42:57 +00:00
AI Review Bot	a479ccdd54	chore: update ai-review findings [skip ci]	2026-05-12 03:37:41 +00:00
jiantw83	c7a2a3cfc7	fix: update AI Code Review step to use OpenRouter API instead of OpenAI	2026-05-12 03:28:17 +00:00
jiantw83	cf8dd629b2	fix: update AI Code Review step to use OpenAI API instead of Gemini	2026-05-12 03:25:39 +00:00
jiantw83	2c59ce1bc1	fix: enhance error handling in filterFalsePositivesWithAI to check for empty array response	2026-05-12 03:23:44 +00:00
jiantw83	878d8a5bb4	fix: update OLLAMA_BASE_URL to a specific endpoint in README.md	2026-05-12 03:23:44 +00:00
AI Review Bot	e9874e61fe	chore: update ai-review findings [skip ci]	2026-05-12 03:19:47 +00:00
jiantw83	940d03bc6e	fix: add suggestion for necessary permissions in README.md for Action functionality	2026-05-12 03:18:04 +00:00
jiantw83	23ceb84073	fix: add OPENAI_MODEL variable to OpenAI and OpenRouter job configurations	2026-05-12 03:17:06 +00:00
AI Review Bot	c16e07bddd	chore: update ai-review findings [skip ci]	2026-05-12 03:11:29 +00:00
jiantw83	66a75f135f	refactor: remove unused API keys and configurations from action and config files	2026-05-12 03:08:08 +00:00
AI Review Bot	d73d360051	chore: update ai-review findings [skip ci]	2026-05-12 03:07:13 +00:00
jiantw83	4b382b4183	fix: update README for OpenRouter API compatibility and add tests for LLM configuration	2026-05-12 03:04:12 +00:00
AI Review Bot	f8e24844e8	chore: update ai-review findings [skip ci]	2026-05-12 03:01:32 +00:00
jiantw83	c2e56e4bb2	fix: update GEMINI model version in configuration and workflows	2026-05-12 02:59:22 +00:00
jiantw83	774b78d84e	fix: update AI Code Review to use GEMINI API and base URL	2026-05-12 02:56:34 +00:00
jiantw83	fd91ed4e5a	fix: update OPENAI_BASE_URL to use the correct API endpoint	2026-05-12 02:54:27 +00:00
jiantw83	43e990cb30	fix: update workflow section in README for clarity and correct numbering	2026-05-12 02:53:19 +00:00
jiantw83	3861d288fb	Merge pull request 'fix: update role introduction formatting to use table layout' (#78 ) from feat/refactor/kiro/fix into feat/refactor/main Reviewed-on: jiantw83/code-review#78	2026-05-12 02:48:24 +00:00
jiantw83	6bf805b453	fix: update role introduction formatting to use table layout	2026-05-12 02:47:48 +00:00
jiantw83	990ef7c847	Merge pull request 'docs: update README and TODO for clarity on file paths' (#77 ) from feat/refactor/kiro/fix into feat/refactor/main Reviewed-on: jiantw83/code-review#77	2026-05-12 02:44:12 +00:00
jiantw83	181a0ccf68	docs: update README and TODO for clarity on file paths	2026-05-12 02:43:21 +00:00
AI Review Bot	8a4932bbd4	chore: update ai-review findings [skip ci]	2026-05-12 02:30:14 +00:00
jiantw83	d230b5f445	fix: add Leo/Zara false positive exclusion; add cloneRepo unit tests	2026-05-12 02:30:14 +00:00
AI Review Bot	dafadcd6b2	chore: update ai-review findings [skip ci]	2026-05-12 02:30:14 +00:00
AI Review Bot	d631c25f37	chore: update ai-review findings [skip ci]	2026-05-12 02:30:14 +00:00
jiantw83	0825f8ebbe	refactor: rename Step4 to AI 排除問題過濾	2026-05-12 02:30:14 +00:00
AI Review Bot	93aa6864f5	chore: update ai-review findings [skip ci]	2026-05-12 02:30:14 +00:00
jiantw83	7b8d71cf87	docs: update TODO stage4 description and fix findings filename typo	2026-05-12 02:30:14 +00:00
jiantw83	a0e69b4e82	feat: add AI false positive filtering in Step4	2026-05-12 02:30:14 +00:00
jiantw83	78c0854145	fix: use includes matching for exclusions location and suggestion	2026-05-12 02:30:14 +00:00
AI Review Bot	433b595165	chore: update ai-review findings [skip ci]	2026-05-12 02:30:14 +00:00
jiantw83	80f56b74e5	fix: clone repo before Step3/4 to read findings and exclusions from head branch	2026-05-12 02:30:14 +00:00
AI Review Bot	b9a6bebbe4	chore: update ai-review findings [skip ci]	2026-05-12 02:30:14 +00:00
jiantw83	58bea7951d	chore: add exclusions for Rex false positive on git.js token handling	2026-05-12 02:30:14 +00:00
jiantw83	eba21ade27	docs: mark all TODO stages complete	2026-05-12 02:30:14 +00:00
jiantw83	bb7fa425db	fix: align flow with README, add Step4 exclusions filter, fix step numbers	2026-05-12 02:30:14 +00:00
jiantw83	2460652b49	refactor: reorganize TODO stages for clarity and accuracy in workflow steps Co-authored-by: Copilot <copilot@github.com>	2026-05-12 02:30:14 +00:00
jiantw83	6a526294b9	refactor: update processing steps in README for clarity and accuracy	2026-05-12 02:30:14 +00:00
jiantw83	8ee9239edb	refactor: remove outdated AI Code configurations for Kilo, Roo, Cline, Continue, and Kade	2026-05-12 02:30:14 +00:00
AI Review Bot	d327cf40d4	chore: update ai-review findings [skip ci]	2026-05-12 02:30:14 +00:00
jiantw83	6c7278e996	fix: update askpass script to securely read token from env var	2026-05-12 02:30:14 +00:00
AI Review Bot	d282779f68	chore: update ai-review findings [skip ci]	2026-05-12 02:30:14 +00:00
jiantw83	59509ae963	feat: refactor commitAndPush to use a runner function and improve token security; add tests for git operations	2026-05-12 02:30:14 +00:00
AI Review Bot	a4b87f9108	chore: update ai-review findings [skip ci]	2026-05-11 14:11:43 +00:00
jiantw83	09533ff741	feat: 改用分支名稱鎖定 review 工作流	2026-05-11 14:10:57 +00:00
AI Review Bot	e217b18c62	chore: update ai-review findings [skip ci]	2026-05-11 14:09:25 +00:00
jiantw83	cd0ced1b7f	feat: 同時只能有一個 review.yaml 執行	2026-05-11 14:08:40 +00:00
AI Review Bot	65cf45c558	chore: update ai-review findings [skip ci]	2026-05-11 14:06:55 +00:00
AI Review Bot	09c78835e7	chore: update ai-review findings [skip ci]	2026-05-11 14:06:17 +00:00
jiantw83	ec05ce7869	feat: 調整設定的順序	2026-05-11 14:06:09 +00:00
jiantw83	323be94a72	feat: master 不會觸發 review.yaml	2026-05-11 14:04:32 +00:00
AI Review Bot	d7336dbe6c	chore: update ai-review findings [skip ci]	2026-05-11 13:55:46 +00:00
jiantw83	c1f8aa3c72	feat: git 操作 clone 的 repo	2026-05-11 13:54:44 +00:00
jiantw83	8a28d1f1ef	test: 修正路徑	2026-05-11 13:50:54 +00:00
jiantw83	d04f4dd2bb	feat: 回復使用 spawnSync 執行指令	2026-05-11 13:47:40 +00:00
jiantw83	f5cf5950bd	refactor: 改用 execSync	2026-05-11 13:29:31 +00:00
jiantw83	eae73092ad	fix: streamline commitAndPush function by removing redundant code and improving error handling	2026-05-11 10:53:59 +00:00
jiantw83	69624a542e	fix: refactor commitAndPush function to improve clarity and maintainability	2026-05-11 10:50:16 +00:00
jiantw83	8aa273b8bd	fix: add bash to Dockerfile dependencies	2026-05-11 10:46:58 +00:00
jiantw83	00458d4eb2	fix: switch Dockerfile base image to alpine and install dependencies using apk	2026-05-11 10:43:58 +00:00
jiantw83	894ece033b	fix: Dockerfile 加入 git 安裝驗證，git.js 改回 git binary	2026-05-11 10:34:23 +00:00
jiantw83	fe2a513fbb	fix: 修正 findings.json 路徑重複問題	2026-05-11 10:31:43 +00:00
jiantw83	2193bdd4d6	fix: 改回 Gitea API commit，修正 URL encode 與 JSON.stringify	2026-05-11 10:30:07 +00:00