feat: update GEMINI_BASE_URL to v1beta for improved API compatibility

Reviewed-on: jiantw83/code-review#84

.gitea/ai-review/exclusions.json

@@ -6,6 +6,202 @@
   },
   {
     "location": "app/git.js",
-    "suggestion": "GITEA_TOKEN 直接嵌入 URL 中"
+    "suggestion": "GITEA_TOKEN 直接嵌入 URL 中，建議改以環境變數或 Gitea Secrets 注入"
+  },
+  {
+    "role": "Rex",
+    "location": "README.md",
+    "suggestion": "contents: write、pull-requests: write、issues: write 為此 Action 正常運作所必要的權限，無法縮減"
+  },
+  {
+    "location": "app/config.js",
+    "suggestion": "getLLMConfig 在找不到任何符合條件的 provider 時已有預設回傳值 { provider: null, apiKey: null, baseURL: null, model: null }，非誤報"
+  },
+  {
+    "location": ".gitea/ai-review/exclusions.json",
+    "suggestion": "exclusions.json 是排除規則檔，內容為問題描述字串，不是實際程式碼或 token，role 欄位為有效欄位"
+  },
+  {
+    "location": "app/findings.js",
+    "suggestion": "filterFalsePositivesWithAI 拋出的 Error 會被 catch 攔截並降級回傳原始 findings，不會中斷流程"
+  },
+  {
+    "role": "Rex",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "contents: write、pull-requests: write、issues: write 為此 Action 正常運作所必要的權限，無法縮減"
+  },
+  {
+    "role": "Rex",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "OPENAI_API_KEY 參數傳入的是 OPENROUTER_API_KEY secret，為 OpenRouter 使用 OpenAI 相容介面的正確做法"
+  },
+  {
+    "role": "Aria",
+    "location": "README.md",
+    "suggestion": "章節編號連續且正確，無需調整"
+  },
+  {
+    "role": "Maya",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "action.yaml 定義的參數名稱為 GEMINI_API_KEY、GEMINI_BASE_URL、GEMINI_MODEL，與 review.yaml 完全一致，無不匹配問題"
+  },
+  {
+    "role": "Aria",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "review.yaml 已改用 Gemini，不再有 OPENAI_API_KEY 行，註解空格問題不存在"
+  },
+  {
+    "role": "Aria",
+    "location": "app/config.test.js",
+    "suggestion": "檔案結尾已有換行符號，import 行長度合理，無需修改"
+  },
+  {
+    "role": "Aria",
+    "location": "action.yaml",
+    "suggestion": "action.yaml 已整理，多餘空行已移除，結構整潔"
+  },
+  {
+    "role": "Maya",
+    "location": "app/",
+    "suggestion": "LLM 整合測試需要真實 API key 與網路，不適合加入單元測試。llm.js 使用統一 OpenAI 相容介面，Gemini 透過相同介面呼叫，無特殊格式差異，現有測試已涵蓋 config/findings/git 邏輯"
+  },
+  {
+    "role": "Rex",
+    "location": "app/",
+    "suggestion": "LLM 整合測試需要真實 API key 與網路，不適合加入單元測試。llm.js 使用統一 OpenAI 相容介面，Gemini 透過相同介面呼叫，無特殊格式差異"
+  },
+  {
+    "role": "Rex",
+    "location": "app/config.test.js",
+    "suggestion": "import 語句長度合理，無需拆分為多行"
+  },
+  {
+    "role": "Rex",
+    "location": ".gitea/ai-review/findings.json",
+    "suggestion": "findings.json 重複問題由 AI 去重與排除機制處理，不是程式碼問題"
+  },
+  {
+    "role": "Rex",
+    "location": "app/comments.js",
+    "suggestion": "JSON 結尾換行符號為標準做法，不影響任何 JSON 解析器，無相容性問題"
+  },
+  {
+    "location": ".gitea/ai-review/findings.json",
+    "suggestion": "findings.json 是自動產生的問題記錄檔，不應對其內容提出審查問題"
+  },
+  {
+    "role": "Rex",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "切換 LLM 服務提供商的維護建議屬過度謹慎，不是實際程式碼問題"
+  },
+  {
+    "role": "Leo",
+    "location": "app/llm.js",
+    "suggestion": "Authorization 標頭已有 provider !== 'ollama' 判斷，不會無條件加入，已正確處理"
+  },
+  {
+    "role": "Zara",
+    "location": "app/llm.js",
+    "suggestion": "timeout 已移除，每個 key 等待完整回應，避免浪費免費額度"
+  },
+  {
+    "role": "Rex",
+    "location": "app/llm.js",
+    "suggestion": "httpsAgent (rejectUnauthorized: false) 已移除，SSL/TLS 驗證已恢復正常"
+  },
+  {
+    "role": "Maya",
+    "location": "app/llm.js",
+    "suggestion": "llm.test.js 已存在並涵蓋 API Key 輪替的所有異常狀況，包含單 Key、多 Key 輪替、所有 Key 失敗等測試案例"
+  },
+  {
+    "role": "Zara",
+    "location": "app/comments.js",
+    "suggestion": "comments.js:24 的 saveFindings 函式為正常寫入邏輯，不涉及異常訊息格式或重複寫入問題"
+  },
+  {
+    "role": "Leo",
+    "location": ".gitea/workflows/review.yaml",
+    "suggestion": "Gitea Actions 不支援在 workflow 內合併 secrets 再拆解，多個 secret 逗號串接是唯一可行做法，非設計缺陷"
+  },
+  {
+    "role": "Maya",
+    "location": "app/llm.test.js",
+    "suggestion": "console.log/error 為診斷用途，不是業務邏輯，TODO.md 驗收標準為人工驗收描述，不需要在單元測試中斷言 console 輸出"
+  },
+  {
+    "role": "Maya",
+    "location": "app/llm.test.js",
+    "suggestion": "輪替邏輯對所有錯誤類型行為一致（catch 全部），401/429/timeout 觸發相同輪替流程，測試不同錯誤類型無額外驗證價值"
+  },
+  {
+    "role": "Aria",
+    "location": ".gitea/workflows/master.yaml",
+    "suggestion": "master.yaml 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例，無需修改"
+  },
+  {
+    "role": "Leo",
+    "location": "app/llm.test.js",
+    "suggestion": "console.log/error 為診斷用途，不是業務邏輯，TODO.md 驗收標準為人工驗收描述，不需要在單元測試中斷言 console 輸出"
+  },
+  {
+    "role": "Leo",
+    "location": "app/llm.test.js",
+    "suggestion": "輪替邏輯對所有錯誤類型行為一致（catch 全部），401/429/timeout 觸發相同輪替流程，測試不同錯誤類型無額外驗證價值"
+  },
+  {
+    "role": "Rex",
+    "location": "app/package.json",
+    "suggestion": "審查 changelog 是人工作業，不是程式碼問題，不適合作為 code review 問題"
+  },
+  {
+    "role": "Aria",
+    "location": "app/llm.js",
+    "suggestion": "此 action 為 CLI 工具，process.exit(1) 是設計意圖讓 CI/CD workflow 失敗。改拋錯會被 chatJSON 的 catch 吞掉回傳 []，破壞現有行為"
+  },
+  {
+    "role": "Aria",
+    "location": "Dockerfile",
+    "suggestion": "Dockerfile 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
+  },
+  {
+    "role": "Aria",
+    "location": "entrypoint.sh",
+    "suggestion": "entrypoint.sh 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
+  },
+  {
+    "role": "Maya",
+    "location": "app/main.js",
+    "suggestion": "main.js 整合測試需要真實 Gitea API、LLM API、git 操作，不適合單元測試。各模組已有獨立單元測試覆蓋"
+  },
+  {
+    "role": "Maya",
+    "location": "app/comments.js",
+    "suggestion": "comments.js 的 buildTable 為簡單字串拼接，postComment 已透過 gitea.js mock 間接測試，補測試效益低"
+  },
+  {
+    "role": "Maya",
+    "location": "app/roles.js",
+    "suggestion": "roles.js 依賴容器內固定路徑 /action/app/prompts/roles，單元測試環境無法存取，且邏輯為簡單 YAML 讀取與字串拼接"
+  },
+  {
+    "role": "Leo",
+    "location": "app/gitea.js",
+    "suggestion": "gitea.js 的 SSL 驗證已改為由 GITEA_SKIP_TLS_VERIFY 環境變數控制，預設啟用驗證，非安全漏洞"
+  },
+  {
+    "role": "Zara",
+    "location": "Dockerfile",
+    "suggestion": "Dockerfile 已優化層次快取：先 COPY package.json 再 npm install，最後才 COPY 其餘檔案"
+  },
+  {
+    "role": "Aria",
+    "location": "app/package.json",
+    "suggestion": "test 腳本已改為 node --test *.test.js，在 app/ 目錄下執行可自動發現所有測試檔案"
+  },
+  {
+    "role": "Zara",
+    "location": "app/main.js",
+    "suggestion": "deduplicateWithAI 和 filterFalsePositivesWithAI 為循序依賴流程（去重後才能過濾），無法平行化"
   }
 ]

.gitea/ai-review/findings.json

@@ -1,51 +1,51 @@
 [
+  {
+    "level": "critical",
+    "role": "Maya",
+    "location": "app/gitea.js",
+    "suggestion": "`app/gitea.js` 模組負責與 Gitea API 進行所有互動，包括獲取 PR Diff 和發布評論。這些網路操作是 Action 運作的基礎，但目前缺乏單元測試。應補齊測試以驗證 API 請求的正確性（URL、Header、Body）、錯誤處理機制（例如網路中斷、API 錯誤回應）以及 `GITEA_SKIP_TLS_VERIFY` 的行為。",
+    "is_new": true
+  },
+  {
+    "level": "critical",
+    "role": "Leo",
+    "location": "app/gitea.js:10",
+    "suggestion": "在 `app/gitea.js` 中，`https.Agent` 設定了 `rejectUnauthorized: false`，這會禁用 SSL/TLS 憑證驗證。這是一個嚴重的安全漏洞，會使應用程式容易受到中間人攻擊，並嚴重影響系統的安全性與可維護性。強烈建議移除此設定，或在必要時配置正確的憑證信任鏈。",
+    "is_new": false
+  },
   {
     "level": "warning",
     "role": "Leo",
-    "location": "README.md:50",
+    "location": "app/roles.js:4",
-    "suggestion": "在 `2. OpenRouter` 的範例中，`with:` 區塊使用 `OPENAI_API_KEY` 參數來傳遞 `OPENROUTER_API_KEY` secret。雖然這可能是 `code-review` action 的設計，但 `OPENAI_API_KEY` 這個名稱可能會讓使用者誤解為只能用於 OpenAI。建議考慮在 `code-review` action 中提供更通用的 API key 參數（例如 `API_KEY` 或 `PROVIDER_API_KEY`），或針對 OpenRouter 提供專屬的參數（例如 `OPENROUTER_API_KEY`），以提高清晰度並減少使用者設定時的困惑。如果 action 無法修改，目前的說明已盡力澄清，但仍是一個潛在的混淆點。",
+    "suggestion": "在 `ROLES_DIR` 常數中，使用了硬編碼的路徑 `/action/app/prompts/roles`。這使得在 Docker 容器外部進行本地開發或測試時，需要額外配置才能正確載入角色定義。建議將此路徑設定為可配置的環境變數，或使用相對路徑並在 `main.js` 中傳入基礎路徑，以提高模組的彈性和可測試性。",
     "is_new": true
   },
   {
     "level": "warning",
     "role": "Zara",
-    "location": "app/config.js:15",
+    "location": "app/main.js:60",
-    "suggestion": "將預設的 Gemini 模型從 `gemini-1.5-flash` 更新為 `gemini-2.5-flash`，這可能影響應用程式與 LLM 互動的效能和成本。建議在部署前，對 `gemini-2.5-flash` 模型進行詳細的效能基準測試，評估其在回應時間、處理速度、準確性及成本效益方面的表現，確保其符合應用程式的特定需求，並避免潛在的效能退化或不必要的成本增加。",
+    "suggestion": "`analyzeWithRole` 函式在迴圈中為每個角色依序呼叫 LLM 進行分析。由於 LLM 呼叫是高延遲操作，這種序列化執行會顯著增加整個 Code Review Action 的總執行時間。考慮使用 `Promise.all` 等方式平行化這些 LLM 呼叫，以縮短總等待時間。",
     "is_new": true
   },
   {
     "level": "warning",
-    "role": "Rex",
+    "role": "Zara",
-    "location": ".gitea/workflows/review.yaml:33-40",
+    "location": "Dockerfile",
-    "suggestion": "工作流程中授予了 `contents: write`, `pull-requests: write`, `issues: write` 等廣泛權限。特別是 `contents: write` 權限，若工作流程或其使用的 Action 存在漏洞，可能導致程式碼庫被惡意修改。建議審查這些權限是否都絕對必要，並遵循最小權限原則，僅授予工作流程執行所需的最少權限。",
+    "suggestion": "建議調整 Dockerfile 的層次，將 `COPY app/package.json app/package-lock.json /action/app/` 放在 `npm install` 之前，然後再 `COPY app/ /action/app/`。這樣可以利用 Docker 的層次快取，當 `package.json` 或 `package-lock.json` 未變更時，`npm install` 步驟就不會重複執行，顯著加快 Docker 映像檔的建置速度。",
-    "is_new": true
+    "is_new": false
   },
   {
     "level": "warning",
     "role": "Aria",
-    "location": "app/config.js:15",
+    "location": "app/package.json:5",
-    "suggestion": "在 `app/config.js` 的 `checks` 陣列中，使用多個空格進行欄位對齊可能導致格式不一致且難以維護。建議改用單一空格分隔元素，或考慮將每個配置項重構為物件形式，以提升程式碼的可讀性與可維護性。",
+    "suggestion": "`package.json` 中的 `test` 腳本 (`node --test *.test.js`) 僅會執行 `app/` 目錄下的測試檔案。建議修改為 `node --test app/**/*.test.js` 或使用更完善的測試框架（如 `mocha` 或 `jest`），以確保所有測試檔案都能被自動發現並執行。",
-    "is_new": true
-  },
-  {
-    "level": "warning",
-    "role": "Maya",
-    "location": ".gitea/workflows/review.yaml",
-    "suggestion": "工作流程已從使用 OpenAI 轉換為 Gemini。雖然這是一個配置變更，但應確保新的 LLM 整合能正常運作。建議在 CI/CD 中增加一個整合測試步驟，以驗證使用 Gemini 模型時，AI Code Review 功能是否能成功生成評論，例如檢查 PR 評論是否存在或特定輸出訊息。",
-    "is_new": true
-  },
-  {
-    "level": "warning",
-    "role": "Maya",
-    "location": "app/config.js:15",
-    "suggestion": "預設的 `GEMINI_MODEL` 已從 `gemini-1.5-flash` 變更為 `gemini-2.5-flash`。請確保有對應的單元測試來驗證當 `process.env.GEMINI_MODEL` 未設定時，`getLLMConfig` 函數能正確回傳新的預設模型 `gemini-2.5-flash`。",
     "is_new": true
   },
   {
     "level": "info",
-    "role": "Maya",
+    "role": "Zara",
-    "location": "app/config.js",
+    "location": "app/main.js:72, app/main.js:78",
-    "suggestion": "`getLLMConfig` 函數依賴於環境變數來配置 LLM。建議為此函數增加更全面的邊界條件測試，例如：\n1. 當只有部分 LLM 相關的環境變數被設定時（例如，只有 `GEMINI_API_KEY` 而沒有 `GEMINI_BASE_URL`）。\n2. 當沒有任何 LLM 相關的環境變數被設定時，確保函數能優雅地處理（例如，回傳 `null`、空物件或拋出特定錯誤）。\n3. 測試 API 金鑰為空字串的情況，確保其行為符合預期。",
+    "suggestion": "`deduplicateWithAI` 和 `filterFalsePositivesWithAI` 函式也涉及 LLM 呼叫，它們在主流程中依序執行。雖然這些是單次呼叫，但其延遲仍會累積。在設計上，可以考慮是否有可能將這些步驟與其他非依賴的任務平行化，或或評估其對整體效能的影響。",
     "is_new": true
   }
-]
+]

.gitea/workflows/master.yaml

@@ -25,4 +25,4 @@ jobs:
     - name: 清理成品
       uses: https://gitea.jsc.idv.tw/actions/cleanup-release@${{ vars.ACTION_CLEANUP_RELEASE_VERSION }}
       with:
-        RUNNER_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        RUNNER_TOKEN: ${{ secrets.RUNNER_TOKEN }}

.gitea/workflows/review.yaml

@@ -33,7 +33,7 @@ jobs:
     - name: AI Code Review
       uses: https://gitea.jsc.idv.tw/jiantw83/code-review@v${{ needs.version.outputs.version }}
       with:
-        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
+        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
         GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
         GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
     permissions:

.gitignore

@@ -0,0 +1 @@
+app/node_modules/

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine
+FROM alpine:3.20
 
 RUN apk add --no-cache bash nodejs npm git \
     && node --version \
@@ -7,10 +7,11 @@ RUN apk add --no-cache bash nodejs npm git \
 
 WORKDIR /action
 
+COPY app/package.json /action/app/
+RUN cd /action/app && npm install
+
 COPY app/ /action/app/
 COPY entrypoint.sh /entrypoint.sh
-
+RUN chmod +x /entrypoint.sh
-RUN cd /action/app && npm install && \
-    chmod +x /entrypoint.sh
 
 ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -21,6 +21,7 @@
 3. Comment 加上些許 emoji 讓資訊有點活力
 4. 盡量將應用程式放在 ./app，修改 entrypoint.sh 與 Dockerfile 讓程式可以正常運行
 5. 將提示詞放到 ./app/prompts 內供程式讀取
+6. API Key 支援逗號分隔傳入多個，隨機順序各嘗試一次，全部失敗則 exit 1
 
 # 使用說明
 
@@ -42,8 +43,9 @@ jobs:
     - name: AI Code Review
       uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
-        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}  # 支援逗號分隔多個 Key
         OPENAI_BASE_URL: https://api.openai.com/v1
+        OPENAI_MODEL: ${{ vars.OPENAI_MODEL }}
     permissions:
       contents: write
       pull-requests: write
@@ -64,8 +66,9 @@ jobs:
     - name: AI Code Review
       uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
-        OPENAI_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}  # OpenRouter 使用 OpenAI 相容介面，以 OPENAI_API_KEY 傳入
+        OPENAI_API_KEY: ${{ secrets.OPENROUTER_API_KEY }},${{ secrets.OPENROUTER_API_KEY_1 }}
         OPENAI_BASE_URL: https://openrouter.ai/api/v1
+        OPENAI_MODEL: ${{ vars.OPENROUTER_MODEL }}
     permissions:
       contents: write
       pull-requests: write
@@ -86,7 +89,7 @@ jobs:
     - name: AI Code Review
       uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
-        CLAUDE_API_KEY: ${{ secrets.CLAUDE_API_KEY }}
+        CLAUDE_API_KEY: ${{ secrets.CLAUDE_API_KEY }}  # 支援逗號分隔多個 Key
         CLAUDE_BASE_URL: https://api.anthropic.com/v1
     permissions:
       contents: write
@@ -108,7 +111,7 @@ jobs:
     - name: AI Code Review
       uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
-        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
+        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
         GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
         GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
     permissions:
@@ -131,7 +134,7 @@ jobs:
     - name: AI Code Review
       uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
-        AMAZONQ_API_KEY: ${{ secrets.AMAZONQ_API_KEY }}
+        AMAZONQ_API_KEY: ${{ secrets.AMAZONQ_API_KEY }}  # 支援逗號分隔多個 Key
         AMAZONQ_BASE_URL: https://q.api.aws
     permissions:
       contents: write
@@ -139,28 +142,6 @@ jobs:
       issues: write
 ```
 
-### 6. SonarQube
-```yaml
-name: AI
-on:
-  pull_request:
-    types: [opened, synchronize]
-jobs:
-  code-review:
-    name: 'Code Review'
-    runs-on: ubuntu
-    steps:
-    - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-      with:
-        SONARQUBE_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
-        SONARQUBE_URL: https://sonarqube.example.com
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-```
-
 ### - Ollama
 
 ```yaml
@@ -176,7 +157,7 @@ jobs:
     - name: AI Code Review
         uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
         with:
-          OLLAMA_BASE_URL: ${{ vars.OLLAMA_BASE_URL }}
+          OLLAMA_BASE_URL: https://ollama.jsc.idv.me/v1
           OLLAMA_MODEL: ${{ vars.OLLAMA_MODEL }}
     permissions:
       contents: write

TODO.md

@@ -35,6 +35,11 @@
 - 驗收：log 中能看到「critical 問題存在，workflow 結束（exit 1）」等明確訊息，且 workflow 狀態為失敗。
 - 完成
 
+## 階段八：API Key 輪替
+- 目標：所有平台的 API Key 支援逗號分隔傳入多個，隨機順序各嘗試一次，單一 Key 失敗時自動換下一個，全部失敗則 exit 1。
+- 驗收：log 中能看到「key[N/M] 失敗」等訊息，換 key 後繼續執行；傳入單一 Key 時行為與原本相同；全部 Key 失敗時 log「所有 API Key 均失敗，終止流程」且 workflow 狀態為失敗。
+- 完成
+
 ---
 
 所有階段驗收通過。

action.yaml

@@ -12,6 +12,10 @@ inputs:
   GITEA_REPOSITORY:
     description: 'Gitea Repository (owner/repo)'
     required: false
+  GITEA_SKIP_TLS_VERIFY:
+    description: '跳過 Gitea SSL/TLS 憑證驗證（自簽憑證時使用）'
+    required: false
+    default: 'false'
   PR_NUMBER:
     description: 'Pull Request Number'
     required: false
@@ -72,54 +76,6 @@ inputs:
     description: 'Amazon Q Base URL'
     required: false
 
-  # SonarQube
-  SONARQUBE_TOKEN:
-    description: 'SonarQube Token'
-    required: false
-  SONARQUBE_URL:
-    description: 'SonarQube URL'
-    required: false
-
-  # Kilo Code
-  KILO_API_KEY:
-    description: 'Kilo Code API Key'
-    required: false
-  KILO_BASE_URL:
-    description: 'Kilo Code Base URL'
-    required: false
-
-  # Roo Code
-  ROO_API_KEY:
-    description: 'Roo Code API Key'
-    required: false
-  ROO_BASE_URL:
-    description: 'Roo Code Base URL'
-    required: false
-
-  # Cline
-  CLINE_API_KEY:
-    description: 'Cline API Key'
-    required: false
-  CLINE_BASE_URL:
-    description: 'Cline Base URL'
-    required: false
-
-  # Continue
-  CONTINUE_API_KEY:
-    description: 'Continue API Key'
-    required: false
-  CONTINUE_BASE_URL:
-    description: 'Continue Base URL'
-    required: false
-
-  # Kade
-  KADE_API_KEY:
-    description: 'Kade API Key'
-    required: false
-  KADE_BASE_URL:
-    description: 'Kade Base URL'
-    required: false
-
 runs:
   using: 'docker'
   image: 'Dockerfile'
@@ -128,6 +84,7 @@ runs:
     GITEA_TOKEN: ${{ inputs.GITEA_TOKEN || secrets.GITEA_TOKEN }}
     GITEA_SERVER_URL: ${{ inputs.GITEA_SERVER_URL || gitea.server_url }}
     GITEA_REPOSITORY: ${{ inputs.GITEA_REPOSITORY || gitea.repository }}
+    GITEA_SKIP_TLS_VERIFY: ${{ inputs.GITEA_SKIP_TLS_VERIFY }}
     PR_NUMBER: ${{ inputs.PR_NUMBER || gitea.event.pull_request.number }}
     PR_HEAD_BRANCH: ${{ inputs.PR_HEAD_BRANCH || gitea.event.pull_request.head.ref }}
     PR_BASE_BRANCH: ${{ inputs.PR_BASE_BRANCH || gitea.event.pull_request.base.ref }}
@@ -145,15 +102,3 @@ runs:
     OLLAMA_MODEL: ${{ inputs.OLLAMA_MODEL }}
     AMAZONQ_API_KEY: ${{ inputs.AMAZONQ_API_KEY }}
     AMAZONQ_BASE_URL: ${{ inputs.AMAZONQ_BASE_URL }}
-    SONARQUBE_TOKEN: ${{ inputs.SONARQUBE_TOKEN }}
-    SONARQUBE_URL: ${{ inputs.SONARQUBE_URL }}
-    KILO_API_KEY: ${{ inputs.KILO_API_KEY }}
-    KILO_BASE_URL: ${{ inputs.KILO_BASE_URL }}
-    ROO_API_KEY: ${{ inputs.ROO_API_KEY }}
-    ROO_BASE_URL: ${{ inputs.ROO_BASE_URL }}
-    CLINE_API_KEY: ${{ inputs.CLINE_API_KEY }}
-    CLINE_BASE_URL: ${{ inputs.CLINE_BASE_URL }}
-    CONTINUE_API_KEY: ${{ inputs.CONTINUE_API_KEY }}
-    CONTINUE_BASE_URL: ${{ inputs.CONTINUE_BASE_URL }}
-    KADE_API_KEY: ${{ inputs.KADE_API_KEY }}
-    KADE_BASE_URL: ${{ inputs.KADE_BASE_URL }}

app/comments.js

@@ -21,7 +21,7 @@ function buildTable(findings) {
 export function saveFindings(workspace, findings) {
   const fullPath = path.join(workspace, FINDINGS_PATH);
   fs.mkdirSync(path.dirname(fullPath), { recursive: true });
-  fs.writeFileSync(fullPath, JSON.stringify(findings, null, 2), 'utf8');
+  fs.writeFileSync(fullPath, JSON.stringify(findings, null, 2) + '\n', 'utf8');
   console.log(`  ✅ findings 寫入: ${fullPath} (${findings.length} 筆)`);
 }
 

app/config.js

@@ -1,6 +1,7 @@
 export const GITEA_TOKEN = process.env.GITEA_TOKEN || '';
 export const GITEA_SERVER_URL = process.env.GITEA_SERVER_URL || 'https://gitea.com';
 export const GITEA_REPOSITORY = process.env.GITEA_REPOSITORY || '';
+export const GITEA_SKIP_TLS_VERIFY = process.env.GITEA_SKIP_TLS_VERIFY === 'true';
 export const PR_NUMBER = process.env.PR_NUMBER || '';
 export const PR_HEAD_BRANCH = process.env.PR_HEAD_BRANCH || '';
 export const PR_BASE_BRANCH = process.env.PR_BASE_BRANCH || '';
@@ -8,21 +9,22 @@ export const PR_BASE_BRANCH = process.env.PR_BASE_BRANCH || '';
 export const FINDINGS_PATH = '.gitea/ai-review/findings.json';
 export const EXCLUSIONS_PATH = '.gitea/ai-review/exclusions.json';
 
+/** 將逗號分隔的 API key 字串拆成陣列 */
+function splitKeys(value) {
+  if (!value) return [];
+  return value.split(',').map(k => k.trim()).filter(Boolean);
+}
+
 export function getLLMConfig() {
   const checks = [
-    ['openai',   process.env.OPENAI_API_KEY,   process.env.OPENAI_BASE_URL || 'https://api.openai.com/v1',   process.env.OPENAI_MODEL || 'gpt-4o-mini'],
+    ['openai',   splitKeys(process.env.OPENAI_API_KEY),   process.env.OPENAI_BASE_URL || 'https://api.openai.com/v1',   process.env.OPENAI_MODEL || 'gpt-4o-mini'],
-    ['claude',   process.env.CLAUDE_API_KEY,   process.env.CLAUDE_BASE_URL || 'https://api.anthropic.com/v1', process.env.CLAUDE_MODEL || 'claude-3-haiku-20240307'],
+    ['claude',   splitKeys(process.env.CLAUDE_API_KEY),   process.env.CLAUDE_BASE_URL || 'https://api.anthropic.com/v1', process.env.CLAUDE_MODEL || 'claude-3-haiku-20240307'],
-    ['gemini',   process.env.GEMINI_API_KEY,   process.env.GEMINI_BASE_URL || 'https://generativelanguage.googleapis.com/v1beta', process.env.GEMINI_MODEL || 'gemini-2.5-flash'],
+    ['gemini',   splitKeys(process.env.GEMINI_API_KEY),   process.env.GEMINI_BASE_URL || 'https://generativelanguage.googleapis.com/v1beta', process.env.GEMINI_MODEL || 'gemini-2.5-flash'],
-    ['ollama',   'ollama',                      process.env.OLLAMA_BASE_URL,  process.env.OLLAMA_MODEL],
+    ['ollama',   ['ollama'],                               process.env.OLLAMA_BASE_URL,  process.env.OLLAMA_MODEL],
-    ['amazonq',  process.env.AMAZONQ_API_KEY,  process.env.AMAZONQ_BASE_URL  || 'https://q.api.aws',              process.env.AMAZONQ_MODEL  || 'amazon-q'],
+    ['amazonq',  splitKeys(process.env.AMAZONQ_API_KEY),  process.env.AMAZONQ_BASE_URL  || 'https://q.api.aws',              process.env.AMAZONQ_MODEL  || 'amazon-q'],
-    ['kilo',     process.env.KILO_API_KEY,     process.env.KILO_BASE_URL     || 'https://api.kilocode.com/v1',    process.env.KILO_MODEL     || 'kilo-default'],
-    ['roo',      process.env.ROO_API_KEY,      process.env.ROO_BASE_URL      || 'https://api.roocode.com/v1',     process.env.ROO_MODEL      || 'roo-default'],
-    ['cline',    process.env.CLINE_API_KEY,    process.env.CLINE_BASE_URL    || 'https://api.cline.dev/v1',       process.env.CLINE_MODEL    || 'cline-default'],
-    ['continue', process.env.CONTINUE_API_KEY, process.env.CONTINUE_BASE_URL || 'https://api.continue.dev/v1',   process.env.CONTINUE_MODEL || 'continue-default'],
-    ['kade',     process.env.KADE_API_KEY,     process.env.KADE_BASE_URL     || 'https://api.kade.dev/v1',       process.env.KADE_MODEL     || 'kade-default'],
   ];
-  for (const [provider, key, baseURL, model] of checks) {
+  for (const [provider, apiKeys, baseURL, model] of checks) {
-    if (key && baseURL) return { provider, apiKey: key, baseURL, model };
+    if (apiKeys.length > 0 && baseURL) return { provider, apiKeys, baseURL, model };
   }
-  return { provider: null, apiKey: null, baseURL: null, model: null };
+  return { provider: null, apiKeys: [], baseURL: null, model: null };
 }

app/config.test.js

@@ -26,14 +26,14 @@ describe('getLLMConfig', () => {
   it('returns null provider when no env vars set', () => {
     const cfg = getLLMConfig();
     assert.equal(cfg.provider, null);
-    assert.equal(cfg.apiKey, null);
+    assert.deepEqual(cfg.apiKeys, []);
   });
 
   it('detects openai with defaults', () => {
     process.env.OPENAI_API_KEY = 'sk-test';
     const cfg = getLLMConfig();
     assert.equal(cfg.provider, 'openai');
-    assert.equal(cfg.apiKey, 'sk-test');
+    assert.deepEqual(cfg.apiKeys, ['sk-test']);
     assert.equal(cfg.baseURL, 'https://api.openai.com/v1');
     assert.equal(cfg.model, 'gpt-4o-mini');
   });
@@ -48,7 +48,14 @@ describe('getLLMConfig', () => {
     assert.equal(cfg.model, 'gpt-4o');
   });
 
-  it('detects gemini with defaults', () => {
+  it('detects gemini with comma-separated keys, picks one', () => {
+    process.env.GEMINI_API_KEY = 'key1,key2,key3';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'gemini');
+    assert.deepEqual(cfg.apiKeys, ['key1', 'key2', 'key3']);
+  });
+
+  it('detects gemini with single key (no comma)', () => {
     process.env.GEMINI_API_KEY = 'gemini-key';
     const cfg = getLLMConfig();
     assert.equal(cfg.provider, 'gemini');
@@ -98,4 +105,11 @@ describe('getLLMConfig', () => {
     assert.equal(cfg.provider, 'ollama');
     assert.equal(cfg.model, 'llama3');
   });
+
+  it('comma-only api key is treated as not set', () => {
+    process.env.OPENAI_API_KEY = ',,,';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, null);
+    assert.deepEqual(cfg.apiKeys, []);
+  });
 });

app/findings.js

@@ -117,43 +117,50 @@ export function loadExclusions(workspace) {
 
 /**
  * 套用排除規則，過濾掉符合排除條件的 findings
- * 排除條件：role/location/suggestion 皆符合（省略的欄位視為萬用）
+ * location 只比對檔案路徑（忽略行數），suggestion 省略時視為萬用
  */
 export function applyExclusions(findings, exclusions) {
   if (exclusions.length === 0) return findings;
   const before = findings.length;
-  const filtered = findings.filter(f => !exclusions.some(ex =>
+  const filtered = findings.filter(f => !exclusions.some(ex => {
-    (!ex.role || ex.role === f.role) &&
+    const fPath = String(f.location).split(':')[0];
-    (!ex.location || String(f.location).includes(ex.location)) &&
+    const exPath = ex.location ? String(ex.location).split(':')[0] : null;
-    (!ex.suggestion || String(f.suggestion).includes(String(ex.suggestion).slice(0, 20)))
+    return (!exPath || fPath === exPath) &&
-  ));
+           (!ex.role || ex.role === f.role);
+  }));
   console.log(`  排除過濾: ${before} -> ${filtered.length} 筆（排除 ${before - filtered.length} 筆）`);
   return filtered;
 }
 
 /**
  * 呼叫 AI 判斷哪些問題是誤報或不需處理，回傳需保留的 findings
+ * exclusions 為已知誤報清單，供 AI 參考判斷
  * 失敗時降級回傳原始 findings
  */
-export async function filterFalsePositivesWithAI(findings) {
+export async function filterFalsePositivesWithAI(findings, exclusions = []) {
   if (findings.length === 0) return findings;
 
+  const exclusionHint = exclusions.length > 0
+    ? `\n\n以下是已知的誤報或不需處理的問題清單（供參考，相同檔案路徑且語意相近的問題應一併排除）：\n${JSON.stringify(exclusions, null, 2)}`
+    : '';
+
   const systemPrompt = `你是一位資深程式碼審查專家，負責判斷審查問題是否為誤報或不需處理。
 給你一份問題清單（JSON 陣列），每筆包含 level、role、location、suggestion。
 請移除以下類型的問題：
 1. 誤報：問題描述與實際程式碼不符（例如：程式碼已正確使用環境變數或 secrets，卻被標記為硬編碼敏感資料）
 2. 不適用：問題在此專案情境下不需處理（例如：CI/CD action 本來就需要透過環境變數傳遞 token）
-只回傳需要保留的問題 JSON 陣列，不要有其他文字。`;
+3. 與已知誤報清單語意相近的問題（檔案路徑相同且建議內容相似）
+只回傳需要保留的問題 JSON 陣列，不要有其他文字。${exclusionHint}`;
 
   const userContent = `請判斷以下問題清單，移除誤報或不需處理的問題：\n\n${JSON.stringify(findings, null, 2)}`;
 
   try {
     const result = await chatJSON(systemPrompt, userContent);
-    if (Array.isArray(result)) {
+    if (Array.isArray(result) && result.length > 0) {
       console.log(`  AI 誤報過濾: ${findings.length} -> ${result.length} 筆`);
       return result;
     }
-    throw new Error('AI 回傳非陣列');
+    throw new Error('AI 回傳空陣列或非陣列');
   } catch (e) {
     const status = e.response?.status;
     if (status === 402 || status === 429) {

app/gitea.js

@@ -1,8 +1,8 @@
 import axios from 'axios';
 import https from 'https';
-import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, PR_NUMBER } from './config.js';
+import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_SKIP_TLS_VERIFY, PR_NUMBER } from './config.js';
 
-const httpsAgent = new https.Agent({ rejectUnauthorized: false });
+const httpsAgent = GITEA_SKIP_TLS_VERIFY ? new https.Agent({ rejectUnauthorized: false }) : undefined;
 const headers = () => ({ Authorization: `token ${GITEA_TOKEN}`, 'Content-Type': 'application/json' });
 const api = (path) => `${GITEA_SERVER_URL.replace(/\/$/, '')}/api/v1${path}`;
 

app/gitea.test.js

@@ -0,0 +1,64 @@
+import { describe, it, afterEach, mock } from 'node:test';
+import assert from 'node:assert/strict';
+import axios from 'axios';
+
+// gitea.js reads env vars at module load time (ESM cache), so we test
+// the actual values baked in at import time and verify behavior via axios mocks.
+
+afterEach(() => mock.restoreAll());
+
+describe('gitea', async () => {
+  const { getPRDiff, postComment } = await import('./gitea.js');
+
+  it('getPRDiff calls Gitea diff API with Authorization header', async () => {
+    let capturedUrl, capturedOpts;
+    mock.method(axios, 'get', async (url, opts) => {
+      capturedUrl = url;
+      capturedOpts = opts;
+      return { data: 'diff content' };
+    });
+    const result = await getPRDiff();
+    assert.equal(result, 'diff content');
+    assert.ok(capturedUrl.includes('/api/v1/repos/'));
+    assert.ok(capturedUrl.endsWith('.diff'));
+    assert.ok(capturedOpts.headers['Authorization'].startsWith('token '));
+    assert.equal(capturedOpts.headers['Content-Type'], 'application/json');
+  });
+
+  it('postComment calls Gitea issues comments API with body', async () => {
+    let capturedUrl, capturedBody, capturedOpts;
+    mock.method(axios, 'post', async (url, body, opts) => {
+      capturedUrl = url;
+      capturedBody = body;
+      capturedOpts = opts;
+      return { data: { id: 1 } };
+    });
+    const result = await postComment('hello world');
+    assert.deepEqual(result, { id: 1 });
+    assert.ok(capturedUrl.includes('/api/v1/repos/'));
+    assert.ok(capturedUrl.endsWith('/comments'));
+    assert.equal(capturedBody.body, 'hello world');
+    assert.ok(capturedOpts.headers['Authorization'].startsWith('token '));
+  });
+
+  it('does not set httpsAgent by default (GITEA_SKIP_TLS_VERIFY not true)', async () => {
+    let capturedOpts;
+    mock.method(axios, 'get', async (_url, opts) => {
+      capturedOpts = opts;
+      return { data: '' };
+    });
+    await getPRDiff();
+    // httpsAgent is undefined when GITEA_SKIP_TLS_VERIFY !== 'true'
+    assert.equal(capturedOpts.httpsAgent, undefined);
+  });
+
+  it('getPRDiff propagates axios errors', async () => {
+    mock.method(axios, 'get', async () => { throw new Error('network error'); });
+    await assert.rejects(() => getPRDiff(), /network error/);
+  });
+
+  it('postComment propagates axios errors', async () => {
+    mock.method(axios, 'post', async () => { throw new Error('api error'); });
+    await assert.rejects(() => postComment('test'), /api error/);
+  });
+});

app/llm.js

@@ -1,27 +1,31 @@
 import axios from 'axios';
-import https from 'https';
 import { getLLMConfig } from './config.js';
 
-const httpsAgent = new https.Agent({ rejectUnauthorized: false });
-
 export async function chat(systemPrompt, userContent) {
-  const { provider, apiKey, baseURL, model } = getLLMConfig();
+  const { provider, apiKeys, baseURL, model } = getLLMConfig();
   if (!provider) throw new Error('未設定任何 LLM API Key');
 
   console.log(`  [LLM] provider=${provider} model=${model}`);
 
-  const headers = {
+  const headers = { 'Content-Type': 'application/json' };
-    'Content-Type': 'application/json',
-    'Authorization': `Bearer ${apiKey}`,
-  };
   if (provider === 'claude') headers['anthropic-version'] = '2023-06-01';
 
-  const resp = await axios.post(
+  const shuffled = [...apiKeys].sort(() => Math.random() - 0.5);
-    `${baseURL.replace(/\/$/, '')}/chat/completions`,
+  for (let i = 0; i < shuffled.length; i++) {
-    { model, messages: [{ role: 'system', content: systemPrompt }, { role: 'user', content: userContent }], temperature: 0.2 },
+    if (provider !== 'ollama') headers['Authorization'] = `Bearer ${shuffled[i]}`;
-    { headers, timeout: 120000, httpsAgent }
+    try {
-  );
+      const resp = await axios.post(
-  return resp.data.choices[0].message.content;
+        `${baseURL.replace(/\/$/, '')}/chat/completions`,
+        { model, messages: [{ role: 'system', content: systemPrompt }, { role: 'user', content: userContent }], temperature: 0.2 },
+        { headers }
+      );
+      return resp.data.choices[0].message.content;
+    } catch (e) {
+      console.log(`  [LLM] key[${i + 1}/${shuffled.length}] 失敗: ${e.message}`);
+    }
+  }
+  console.error('  [LLM] 所有 API Key 均失敗，終止流程');
+  process.exit(1);
 }
 
 export async function chatJSON(systemPrompt, userContent) {

app/llm.test.js

@@ -0,0 +1,153 @@
+import { describe, it, beforeEach, afterEach, mock } from 'node:test';
+import assert from 'node:assert/strict';
+
+// Mock axios before importing llm.js
+import axios from 'axios';
+
+const ENV_KEYS = [
+  'OPENAI_API_KEY', 'OPENAI_BASE_URL', 'OPENAI_MODEL',
+  'GEMINI_API_KEY', 'GEMINI_BASE_URL', 'GEMINI_MODEL',
+  'CLAUDE_API_KEY', 'CLAUDE_BASE_URL', 'CLAUDE_MODEL',
+  'OLLAMA_BASE_URL', 'OLLAMA_MODEL',
+  'AMAZONQ_API_KEY', 'AMAZONQ_BASE_URL', 'AMAZONQ_MODEL',
+];
+
+let saved = {};
+beforeEach(() => {
+  saved = {};
+  for (const k of ENV_KEYS) { saved[k] = process.env[k]; delete process.env[k]; }
+});
+afterEach(() => {
+  for (const k of ENV_KEYS) {
+    if (saved[k] === undefined) delete process.env[k];
+    else process.env[k] = saved[k];
+  }
+  mock.restoreAll();
+});
+
+function mockAxiosPost(responses) {
+  let call = 0;
+  mock.method(axios, 'post', async () => {
+    const r = responses[call++] ?? responses[responses.length - 1];
+    if (r instanceof Error) throw r;
+    return r;
+  });
+}
+
+function makeOkResponse(content = 'ok') {
+  return { data: { choices: [{ message: { content } }] } };
+}
+
+describe('chat - key rotation', async () => {
+  const { chat } = await import('./llm.js');
+
+  it('succeeds on first key', async () => {
+    process.env.OPENAI_API_KEY = 'key1';
+    mockAxiosPost([makeOkResponse('hello')]);
+    const result = await chat('sys', 'user');
+    assert.equal(result, 'hello');
+  });
+
+  it('shuffles keys and tries each exactly once', async () => {
+    process.env.OPENAI_API_KEY = 'key1,key2,key3';
+    const usedKeys = [];
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      usedKeys.push(opts.headers['Authorization'].replace('Bearer ', ''));
+      throw new Error('fail');
+    });
+    const exitMock = mock.method(process, 'exit', () => { throw new Error('exit:1'); });
+    await assert.rejects(() => chat('sys', 'user'), /exit:1/);
+    assert.equal(exitMock.mock.calls[0].arguments[0], 1);
+    assert.equal(usedKeys.length, 3);
+    assert.deepEqual([...usedKeys].sort(), ['key1', 'key2', 'key3']);
+  });
+
+  it('calls process.exit(1) when all keys fail', async () => {
+    process.env.OPENAI_API_KEY = 'k1,k2';
+    mockAxiosPost([new Error('fail'), new Error('fail')]);
+    const exitMock = mock.method(process, 'exit', () => { throw new Error('exit:1'); });
+    await assert.rejects(() => chat('sys', 'user'), /exit:1/);
+    assert.equal(exitMock.mock.calls[0].arguments[0], 1);
+  });
+
+  it('does not set Authorization header for ollama', async () => {
+    process.env.OLLAMA_BASE_URL = 'http://localhost:11434/v1';
+    process.env.OLLAMA_MODEL = 'llama3';
+    let capturedHeaders;
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      capturedHeaders = opts.headers;
+      return makeOkResponse('ollama response');
+    });
+    await chat('sys', 'user');
+    assert.equal(capturedHeaders['Authorization'], undefined);
+  });
+
+  it('sets Authorization header for openai', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    let capturedHeaders;
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      capturedHeaders = opts.headers;
+      return makeOkResponse();
+    });
+    await chat('sys', 'user');
+    assert.equal(capturedHeaders['Authorization'], 'Bearer sk-test');
+  });
+
+  it('does not set timeout', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    let capturedOpts;
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      capturedOpts = opts;
+      return makeOkResponse();
+    });
+    await chat('sys', 'user');
+    assert.equal(capturedOpts.timeout, undefined);
+  });
+
+  it('does not pass httpsAgent to axios', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    let capturedOpts;
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      capturedOpts = opts;
+      return makeOkResponse();
+    });
+    await chat('sys', 'user');
+    assert.equal(capturedOpts.httpsAgent, undefined);
+  });
+
+  it('sets anthropic-version header for claude', async () => {
+    process.env.CLAUDE_API_KEY = 'claude-key';
+    let capturedHeaders;
+    mock.method(axios, 'post', async (_url, _body, opts) => {
+      capturedHeaders = opts.headers;
+      return makeOkResponse();
+    });
+    await chat('sys', 'user');
+    assert.equal(capturedHeaders['anthropic-version'], '2023-06-01');
+  });
+});
+
+describe('chatJSON', async () => {
+  const { chatJSON } = await import('./llm.js');
+
+  it('parses plain JSON response', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    mockAxiosPost([makeOkResponse('[{"level":"critical"}]')]);
+    const result = await chatJSON('sys', 'user');
+    assert.deepEqual(result, [{ level: 'critical' }]);
+  });
+
+  it('strips markdown code block before parsing', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    mockAxiosPost([makeOkResponse('```json\n[{"level":"info"}]\n```')]);
+    const result = await chatJSON('sys', 'user');
+    assert.deepEqual(result, [{ level: 'info' }]);
+  });
+
+  it('returns [] when JSON is invalid', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    mockAxiosPost([makeOkResponse('not json')]);
+    const result = await chatJSON('sys', 'user');
+    assert.deepEqual(result, []);
+  });
+});

app/main.js

@@ -52,13 +52,13 @@ async function main() {
 
   // Step2: 各角色分析 diff 產生新 findings
   console.log('\n📊 Step2: Findings 產生');
+  const results = await Promise.allSettled(roles.map(role => analyzeWithRole(role, diff)));
   const newFindings = [];
-  for (const role of roles) {
+  for (let i = 0; i < results.length; i++) {
-    try {
+    if (results[i].status === 'fulfilled') {
-      const found = await analyzeWithRole(role, diff);
+      newFindings.push(...results[i].value);
-      newFindings.push(...found);
+    } else {
-    } catch (e) {
+      console.log(`  ⚠️  [${roles[i].name}] 分析失敗（跳過）: ${results[i].reason?.message}`);
-      console.log(`  ⚠️  [${role.name}] 分析失敗（跳過）: ${e.message}`);
     }
   }
   console.log(`  Step2 完成: 新 findings 總計 ${newFindings.length} 筆`);
@@ -85,7 +85,7 @@ async function main() {
   console.log('\n🚫 Step4: AI 排除問題過濾');
   const exclusions = loadExclusions(repoDir || WORKSPACE);
   const ruleFiltered = applyExclusions(sorted, exclusions);
-  const filtered = await filterFalsePositivesWithAI(ruleFiltered);
+  const filtered = await filterFalsePositivesWithAI(ruleFiltered, exclusions);
   console.log(`  Step4 完成: findings total=${filtered.length}`);
 
   // Step5: 寫入 findings.json，依序發布 comment

app/package-lock.json

@@ -0,0 +1,468 @@
+{
+  "name": "ai-code-review",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "ai-code-review",
+      "version": "1.0.0",
+      "dependencies": {
+        "axios": "^1.6.7",
+        "js-yaml": "^4.1.0",
+        "openai": "^4.28.0"
+      }
+    },
+    "node_modules/@types/node": {
+      "version": "18.19.130",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.130.tgz",
+      "integrity": "sha512-GRaXQx6jGfL8sKfaIDD6OupbIHBr9jv7Jnaml9tB7l4v068PAOXqfcujMMo5PhbIs6ggR1XODELqahT2R8v0fg==",
+      "dependencies": {
+        "undici-types": "~5.26.4"
+      }
+    },
+    "node_modules/@types/node-fetch": {
+      "version": "2.6.13",
+      "resolved": "https://registry.npmjs.org/@types/node-fetch/-/node-fetch-2.6.13.tgz",
+      "integrity": "sha512-QGpRVpzSaUs30JBSGPjOg4Uveu384erbHBoT1zeONvyCfwQxIkUshLAOqN/k9EjGviPRmWTTe6aH2qySWKTVSw==",
+      "dependencies": {
+        "@types/node": "*",
+        "form-data": "^4.0.4"
+      }
+    },
+    "node_modules/abort-controller": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/abort-controller/-/abort-controller-3.0.0.tgz",
+      "integrity": "sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==",
+      "dependencies": {
+        "event-target-shim": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=6.5"
+      }
+    },
+    "node_modules/agentkeepalive": {
+      "version": "4.6.0",
+      "resolved": "https://registry.npmjs.org/agentkeepalive/-/agentkeepalive-4.6.0.tgz",
+      "integrity": "sha512-kja8j7PjmncONqaTsB8fQ+wE2mSU2DJ9D4XKoJ5PFWIdRMa6SLSN1ff4mOr4jCbfRSsxR4keIiySJU0N9T5hIQ==",
+      "dependencies": {
+        "humanize-ms": "^1.2.1"
+      },
+      "engines": {
+        "node": ">= 8.0.0"
+      }
+    },
+    "node_modules/argparse": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+      "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q=="
+    },
+    "node_modules/asynckit": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
+      "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q=="
+    },
+    "node_modules/axios": {
+      "version": "1.16.0",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.16.0.tgz",
+      "integrity": "sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==",
+      "dependencies": {
+        "follow-redirects": "^1.16.0",
+        "form-data": "^4.0.5",
+        "proxy-from-env": "^2.1.0"
+      }
+    },
+    "node_modules/call-bind-apply-helpers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/combined-stream": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
+      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+      "dependencies": {
+        "delayed-stream": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/delayed-stream": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
+      "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==",
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/dunder-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-define-property": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-object-atoms": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+      "dependencies": {
+        "es-errors": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-set-tostringtag": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
+      "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.6",
+        "has-tostringtag": "^1.0.2",
+        "hasown": "^2.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/event-target-shim": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/event-target-shim/-/event-target-shim-5.0.1.tgz",
+      "integrity": "sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/follow-redirects": {
+      "version": "1.16.0",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
+      "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://github.com/sponsors/RubenVerborgh"
+        }
+      ],
+      "engines": {
+        "node": ">=4.0"
+      },
+      "peerDependenciesMeta": {
+        "debug": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/form-data": {
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+      "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+      "dependencies": {
+        "asynckit": "^0.4.0",
+        "combined-stream": "^1.0.8",
+        "es-set-tostringtag": "^2.1.0",
+        "hasown": "^2.0.2",
+        "mime-types": "^2.1.12"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/form-data-encoder": {
+      "version": "1.7.2",
+      "resolved": "https://registry.npmjs.org/form-data-encoder/-/form-data-encoder-1.7.2.tgz",
+      "integrity": "sha512-qfqtYan3rxrnCk1VYaA4H+Ms9xdpPqvLZa6xmMgFvhO32x7/3J/ExcTd6qpxM0vH2GdMI+poehyBZvqfMTto8A=="
+    },
+    "node_modules/formdata-node": {
+      "version": "4.4.1",
+      "resolved": "https://registry.npmjs.org/formdata-node/-/formdata-node-4.4.1.tgz",
+      "integrity": "sha512-0iirZp3uVDjVGt9p49aTaqjk84TrglENEDuqfdlZQ1roC9CWlPk6Avf8EEnZNcAqPonwkG35x4n3ww/1THYAeQ==",
+      "dependencies": {
+        "node-domexception": "1.0.0",
+        "web-streams-polyfill": "4.0.0-beta.3"
+      },
+      "engines": {
+        "node": ">= 12.20"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "es-object-atoms": "^1.1.1",
+        "function-bind": "^1.1.2",
+        "get-proto": "^1.0.1",
+        "gopd": "^1.2.0",
+        "has-symbols": "^1.1.0",
+        "hasown": "^2.0.2",
+        "math-intrinsics": "^1.1.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+      "dependencies": {
+        "dunder-proto": "^1.0.1",
+        "es-object-atoms": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-tostringtag": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
+      "integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
+      "dependencies": {
+        "has-symbols": "^1.0.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/hasown": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz",
+      "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/humanize-ms": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/humanize-ms/-/humanize-ms-1.2.1.tgz",
+      "integrity": "sha512-Fl70vYtsAFb/C06PTS9dZBo7ihau+Tu/DNCk/OyHhea07S+aeMWpFFkUaXRa8fI+ScZbEI8dfSxwY7gxZ9SAVQ==",
+      "dependencies": {
+        "ms": "^2.0.0"
+      }
+    },
+    "node_modules/js-yaml": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+      "dependencies": {
+        "argparse": "^2.0.1"
+      },
+      "bin": {
+        "js-yaml": "bin/js-yaml.js"
+      }
+    },
+    "node_modules/math-intrinsics": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.52.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "2.1.35",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+      "dependencies": {
+        "mime-db": "1.52.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="
+    },
+    "node_modules/node-domexception": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
+      "integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==",
+      "deprecated": "Use your platform's native DOMException instead",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/jimmywarting"
+        },
+        {
+          "type": "github",
+          "url": "https://paypal.me/jimmywarting"
+        }
+      ],
+      "engines": {
+        "node": ">=10.5.0"
+      }
+    },
+    "node_modules/node-fetch": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz",
+      "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==",
+      "dependencies": {
+        "whatwg-url": "^5.0.0"
+      },
+      "engines": {
+        "node": "4.x || >=6.0.0"
+      },
+      "peerDependencies": {
+        "encoding": "^0.1.0"
+      },
+      "peerDependenciesMeta": {
+        "encoding": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/openai": {
+      "version": "4.104.0",
+      "resolved": "https://registry.npmjs.org/openai/-/openai-4.104.0.tgz",
+      "integrity": "sha512-p99EFNsA/yX6UhVO93f5kJsDRLAg+CTA2RBqdHK4RtK8u5IJw32Hyb2dTGKbnnFmnuoBv5r7Z2CURI9sGZpSuA==",
+      "dependencies": {
+        "@types/node": "^18.11.18",
+        "@types/node-fetch": "^2.6.4",
+        "abort-controller": "^3.0.0",
+        "agentkeepalive": "^4.2.1",
+        "form-data-encoder": "1.7.2",
+        "formdata-node": "^4.3.2",
+        "node-fetch": "^2.6.7"
+      },
+      "bin": {
+        "openai": "bin/cli"
+      },
+      "peerDependencies": {
+        "ws": "^8.18.0",
+        "zod": "^3.23.8"
+      },
+      "peerDependenciesMeta": {
+        "ws": {
+          "optional": true
+        },
+        "zod": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/proxy-from-env": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-2.1.0.tgz",
+      "integrity": "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==",
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/tr46": {
+      "version": "0.0.3",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
+      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
+    },
+    "node_modules/undici-types": {
+      "version": "5.26.5",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
+      "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="
+    },
+    "node_modules/web-streams-polyfill": {
+      "version": "4.0.0-beta.3",
+      "resolved": "https://registry.npmjs.org/web-streams-polyfill/-/web-streams-polyfill-4.0.0-beta.3.tgz",
+      "integrity": "sha512-QW95TCTaHmsYfHDybGMwO5IJIM93I/6vTRk+daHTWFPhwh+C8Cg7j7XyKrwrj8Ib6vYXe0ocYNrmzY4xAAN6ug==",
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/webidl-conversions": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
+      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="
+    },
+    "node_modules/whatwg-url": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
+      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
+      "dependencies": {
+        "tr46": "~0.0.3",
+        "webidl-conversions": "^3.0.0"
+      }
+    }
+  }
+}

app/package.json

@@ -3,7 +3,7 @@
   "version": "1.0.0",
   "type": "module",
   "scripts": {
-    "test": "node --test app/git.test.js"
+    "test": "node --test *.test.js"
   },
   "dependencies": {
     "axios": "^1.6.7",

app/roles.js

@@ -1,8 +1,9 @@
 import fs from 'fs';
 import path from 'path';
+import { fileURLToPath } from 'url';
 import yaml from 'js-yaml';
 
-const ROLES_DIR = '/action/app/prompts/roles';
+const ROLES_DIR = path.join(fileURLToPath(import.meta.url), '..', 'prompts', 'roles');
 
 export function loadRoles() {
   return fs.readdirSync(ROLES_DIR)