Merge pull request 'feat: implement Git integration for automated repository instruction syncing and commit management' (#130 ) from feat/ai_merge into develop

Reviewed-on: #130
chore: initialize ai-review exclusion and findings configuration files
2026-05-21 03:56:41 +00:00 · 2026-05-21 11:52:18 +08:00 · 2026-05-21 03:36:41 +00:00 · 2026-05-21 11:36:11 +08:00 · 2026-05-21 03:35:13 +00:00 · 2026-05-21 10:17:01 +08:00
35 changed files with 2001 additions and 565 deletions
@@ -0,0 +1,46 @@
+---
+name: triage-findings
+description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
+---
+
+# Triage Findings
+
+## When To Use
+
+Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
+It is also used when some findings are false positives and should be moved into the exclusions list.
+
+## Workflow
+
+1. Collect all findings into one list.
+2. Merge duplicates into a single finding when they describe the same issue.
+3. Sort the final list by severity:
+   - critical
+   - warning
+   - info
+4. Renumber the sorted list from 1 upward.
+5. Rewrite each finding concisely so the final list reads cleanly and consistently.
+6. If a finding is a false positive, do not keep it in the final list.
+7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
+
+## Resolution Flow
+
+After the list is merged and ordered, resolve the remaining findings one by one.
+
+1. Start from the highest severity item.
+2. Identify the root cause in the relevant file or context.
+3. Apply the smallest safe change that fixes the issue.
+4. Add or update tests when behavior changes.
+5. Re-check the issue after the change.
+6. If the item is confirmed false positive, move it to exclusions instead of changing code.
+7. Continue until the list is either fixed or explicitly excluded.
+
+## Output Rules
+
+- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
+- Keep numbering contiguous after filtering and merging.
+- Preserve useful details like file path, location, and suggested fix.
+- Keep exclusions entries minimal and consistent with the project schema.
+- When writing exclusions, always output a top-level JSON array.
+- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
+- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -0,0 +1,41 @@
+# Triage Findings
+
+## When To Use
+
+Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
+It is also used when some findings are false positives and should be moved into the exclusions list.
+
+## Workflow
+
+1. Collect all findings into one list.
+2. Merge duplicates into a single finding when they describe the same issue.
+3. Sort the final list by severity:
+   - critical
+   - warning
+   - info
+4. Renumber the sorted list from 1 upward.
+5. Rewrite each finding concisely so the final list reads cleanly and consistently.
+6. If a finding is a false positive, do not keep it in the final list.
+7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
+
+## Resolution Flow
+
+After the list is merged and ordered, resolve the remaining findings one by one.
+
+1. Start from the highest severity item.
+2. Identify the root cause in the relevant file or context.
+3. Apply the smallest safe change that fixes the issue.
+4. Add or update tests when behavior changes.
+5. Re-check the issue after the change.
+6. If the item is confirmed false positive, move it to exclusions instead of changing code.
+7. Continue until the list is either fixed or explicitly excluded.
+
+## Output Rules
+
+- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
+- Keep numbering contiguous after filtering and merging.
+- Preserve useful details like file path, location, and suggested fix.
+- Keep exclusions entries minimal and consistent with the project schema.
+- When writing exclusions, always output a top-level JSON array.
+- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
+- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -0,0 +1,46 @@
+---
+name: triage-findings
+description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
+---
+
+# Triage Findings
+
+## When To Use
+
+Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
+It is also used when some findings are false positives and should be moved into the exclusions list.
+
+## Workflow
+
+1. Collect all findings into one list.
+2. Merge duplicates into a single finding when they describe the same issue.
+3. Sort the final list by severity:
+   - critical
+   - warning
+   - info
+4. Renumber the sorted list from 1 upward.
+5. Rewrite each finding concisely so the final list reads cleanly and consistently.
+6. If a finding is a false positive, do not keep it in the final list.
+7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
+
+## Resolution Flow
+
+After the list is merged and ordered, resolve the remaining findings one by one.
+
+1. Start from the highest severity item.
+2. Identify the root cause in the relevant file or context.
+3. Apply the smallest safe change that fixes the issue.
+4. Add or update tests when behavior changes.
+5. Re-check the issue after the change.
+6. If the item is confirmed false positive, move it to exclusions instead of changing code.
+7. Continue until the list is either fixed or explicitly excluded.
+
+## Output Rules
+
+- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
+- Keep numbering contiguous after filtering and merging.
+- Preserve useful details like file path, location, and suggested fix.
+- Keep exclusions entries minimal and consistent with the project schema.
+- When writing exclusions, always output a top-level JSON array.
+- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
+- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -1,28 +1,46 @@
 ---
 name: triage-findings
-description: Triage findings, fix real issues, and exclude false positives.
+description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
 ---

 # Triage Findings

-## Use
+## When To Use

-直接輸入：`triage-findings 問題原始檔(文字或截圖)`
+Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
+It is also used when some findings are false positives and should be moved into the exclusions list.

 ## Workflow

-1. Merge all findings.
-2. Sort by severity:
+1. Collect all findings into one list.
+2. Merge duplicates into a single finding when they describe the same issue.
+3. Sort the final list by severity:
   - critical
   - warning
   - info
-3. Renumber from 1.
-4. Fix real issues.
-5. Put false positives into `.gitea/ai-review/exclusions.json`.
-6. Add tests when behavior changes.
+4. Renumber the sorted list from 1 upward.
+5. Rewrite each finding concisely so the final list reads cleanly and consistently.
+6. If a finding is a false positive, do not keep it in the final list.
+7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
+
+## Resolution Flow
+
+After the list is merged and ordered, resolve the remaining findings one by one.
+
+1. Start from the highest severity item.
+2. Identify the root cause in the relevant file or context.
+3. Apply the smallest safe change that fixes the issue.
+4. Add or update tests when behavior changes.
+5. Re-check the issue after the change.
+6. If the item is confirmed false positive, move it to exclusions instead of changing code.
+7. Continue until the list is either fixed or explicitly excluded.

 ## Output Rules

- Keep the final list short.
- Keep numbering contiguous.
- Preserve file path, location, and fix.
+- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
+- Keep numbering contiguous after filtering and merging.
+- Preserve useful details like file path, location, and suggested fix.
+- Keep exclusions entries minimal and consistent with the project schema.
+- When writing exclusions, always output a top-level JSON array.
+- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
+- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -21,7 +21,7 @@ It is also used when some findings are false positives and should be moved into
 4. Renumber the sorted list from 1 upward.
 5. Rewrite each finding concisely so the final list reads cleanly and consistently.
 6. If a finding is a false positive, do not keep it in the final list.
-7. Add false positives to the exclusions list using the existing schema in the repo or task context.
+7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.

 ## Resolution Flow

@@ -41,4 +41,6 @@ After the list is merged and ordered, resolve the remaining findings one by one.
 - Keep numbering contiguous after filtering and merging.
 - Preserve useful details like file path, location, and suggested fix.
 - Keep exclusions entries minimal and consistent with the project schema.
+- When writing exclusions, always output a top-level JSON array.
+- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
 - If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -1,4 +1,4 @@
 interface:
  display_name: "Triage Findings"
  short_description: "Triage, sort, fix, and exclude review findings"
-  default_prompt: "Use $triage-findings to merge review findings, sort and renumber them by severity, resolve real issues one by one, and add false positives to exclusions."
+  default_prompt: "Use $triage-findings to merge review findings, sort and renumber them by severity, resolve real issues one by one, and add false positives to `.gitea/ai-review/exclusions.json` as a top-level JSON array."
@@ -1,28 +1,46 @@
 ---
 name: triage-findings
-description: Triage findings, fix real issues, and exclude false positives.
+description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
 ---

 # Triage Findings

-## Use
+## When To Use

-直接輸入：`triage-findings 問題原始檔(文字或截圖)`
+Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
+It is also used when some findings are false positives and should be moved into the exclusions list.

 ## Workflow

-1. Merge all findings.
-2. Sort by severity:
+1. Collect all findings into one list.
+2. Merge duplicates into a single finding when they describe the same issue.
+3. Sort the final list by severity:
   - critical
   - warning
   - info
-3. Renumber from 1.
-4. Fix real issues.
-5. Put false positives into `.gitea/ai-review/exclusions.json`.
-6. Add tests when behavior changes.
+4. Renumber the sorted list from 1 upward.
+5. Rewrite each finding concisely so the final list reads cleanly and consistently.
+6. If a finding is a false positive, do not keep it in the final list.
+7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
+
+## Resolution Flow
+
+After the list is merged and ordered, resolve the remaining findings one by one.
+
+1. Start from the highest severity item.
+2. Identify the root cause in the relevant file or context.
+3. Apply the smallest safe change that fixes the issue.
+4. Add or update tests when behavior changes.
+5. Re-check the issue after the change.
+6. If the item is confirmed false positive, move it to exclusions instead of changing code.
+7. Continue until the list is either fixed or explicitly excluded.

 ## Output Rules

- Keep the final list short.
- Keep numbering contiguous.
- Preserve file path, location, and fix.
+- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
+- Keep numbering contiguous after filtering and merging.
+- Preserve useful details like file path, location, and suggested fix.
+- Keep exclusions entries minimal and consistent with the project schema.
+- When writing exclusions, always output a top-level JSON array.
+- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
+- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -1,283 +1,355 @@
 [
-  {
-    "role": "Rex",
-    "location": "app/git.js",
-    "suggestion": "請避免將敏感資料（如 GITEA_TOKEN）直接寫入環境變數"
-  },
-  {
-    "location": "app/git.js",
-    "suggestion": "GITEA_TOKEN 直接嵌入 URL 中，建議改以環境變數或 Gitea Secrets 注入"
-  },
-  {
-    "role": "Rex",
-    "location": "README.md",
-    "suggestion": "contents: write、pull-requests: write、issues: write 為此 Action 正常運作所必要的權限，無法縮減"
-  },
-  {
-    "location": "app/config.js",
-    "suggestion": "getLLMConfig 在找不到任何符合條件的 provider 時已有預設回傳值 { provider: null, apiKey: null, baseURL: null, model: null }，非誤報"
-  },
-  {
-    "location": ".gitea/ai-review/exclusions.json",
-    "suggestion": "exclusions.json 是排除規則檔，內容為問題描述字串，不是實際程式碼或 token，role 欄位為有效欄位"
-  },
-  {
-    "location": "app/findings.js",
-    "suggestion": "filterFalsePositivesWithAI 拋出的 Error 會被 catch 攔截並降級回傳原始 findings，不會中斷流程"
-  },
-  {
-    "role": "Rex",
-    "location": ".gitea/workflows/review.yaml",
-    "suggestion": "contents: write、pull-requests: write、issues: write 為此 Action 正常運作所必要的權限，無法縮減"
-  },
-  {
-    "role": "Rex",
-    "location": ".gitea/workflows/review.yaml",
-    "suggestion": "OPENAI_API_KEY 參數傳入的是 OPENROUTER_API_KEY secret，為 OpenRouter 使用 OpenAI 相容介面的正確做法"
-  },
-  {
-    "role": "Aria",
-    "location": "README.md",
-    "suggestion": "章節編號連續且正確，無需調整"
-  },
-  {
-    "role": "Maya",
-    "location": ".gitea/workflows/review.yaml",
-    "suggestion": "action.yaml 定義的參數名稱為 GEMINI_API_KEY、GEMINI_BASE_URL、GEMINI_MODEL，與 review.yaml 完全一致，無不匹配問題"
-  },
-  {
-    "role": "Aria",
-    "location": ".gitea/workflows/review.yaml",
-    "suggestion": "review.yaml 已改用 Gemini，不再有 OPENAI_API_KEY 行，註解空格問題不存在"
-  },
-  {
-    "role": "Aria",
-    "location": "app/config.test.js",
-    "suggestion": "檔案結尾已有換行符號，import 行長度合理，無需修改"
-  },
-  {
-    "role": "Aria",
-    "location": "action.yaml",
-    "suggestion": "action.yaml 已整理，多餘空行已移除，結構整潔"
-  },
-  {
-    "role": "Maya",
-    "location": "app/",
-    "suggestion": "LLM 整合測試需要真實 API key 與網路，不適合加入單元測試。llm.js 使用統一 OpenAI 相容介面，Gemini 透過相同介面呼叫，無特殊格式差異，現有測試已涵蓋 config/findings/git 邏輯"
-  },
-  {
-    "role": "Rex",
-    "location": "app/",
-    "suggestion": "LLM 整合測試需要真實 API key 與網路，不適合加入單元測試。llm.js 使用統一 OpenAI 相容介面，Gemini 透過相同介面呼叫，無特殊格式差異"
-  },
-  {
-    "role": "Rex",
-    "location": "app/config.test.js",
-    "suggestion": "import 語句長度合理，無需拆分為多行"
-  },
-  {
-    "role": "Rex",
-    "location": ".gitea/ai-review/findings.json",
-    "suggestion": "findings.json 重複問題由 AI 去重與排除機制處理，不是程式碼問題"
-  },
-  {
-    "role": "Rex",
-    "location": "app/comments.js",
-    "suggestion": "JSON 結尾換行符號為標準做法，不影響任何 JSON 解析器，無相容性問題"
-  },
-  {
-    "location": ".gitea/ai-review/findings.json",
-    "suggestion": "findings.json 是自動產生的問題記錄檔，不應對其內容提出審查問題"
-  },
-  {
-    "role": "Rex",
-    "location": ".gitea/workflows/review.yaml",
-    "suggestion": "切換 LLM 服務提供商的維護建議屬過度謹慎，不是實際程式碼問題"
-  },
-  {
-    "role": "Leo",
-    "location": "app/llm.js",
-    "suggestion": "Authorization 標頭已有 provider !== 'ollama' 判斷，不會無條件加入，已正確處理"
-  },
-  {
-    "role": "Zara",
-    "location": "app/llm.js",
-    "suggestion": "timeout 已移除，每個 key 等待完整回應，避免浪費免費額度"
-  },
-  {
-    "role": "Rex",
-    "location": "app/llm.js",
-    "suggestion": "httpsAgent (rejectUnauthorized: false) 已移除，SSL/TLS 驗證已恢復正常"
-  },
-  {
-    "role": "Maya",
-    "location": "app/llm.js",
-    "suggestion": "llm.test.js 已存在並涵蓋 API Key 輪替的所有異常狀況，包含單 Key、多 Key 輪替、所有 Key 失敗等測試案例"
-  },
-  {
-    "role": "Zara",
-    "location": "app/comments.js",
-    "suggestion": "comments.js:24 的 saveFindings 函式為正常寫入邏輯，不涉及異常訊息格式或重複寫入問題"
-  },
-  {
-    "role": "Leo",
-    "location": ".gitea/workflows/review.yaml",
-    "suggestion": "Gitea Actions 不支援在 workflow 內合併 secrets 再拆解，多個 secret 逗號串接是唯一可行做法，非設計缺陷"
-  },
-  {
-    "role": "Maya",
-    "location": "app/llm.test.js",
-    "suggestion": "console.log/error 為診斷用途，不是業務邏輯，TODO.md 驗收標準為人工驗收描述，不需要在單元測試中斷言 console 輸出"
-  },
-  {
-    "role": "Maya",
-    "location": "app/llm.test.js",
-    "suggestion": "輪替邏輯對所有錯誤類型行為一致（catch 全部），401/429/timeout 觸發相同輪替流程，測試不同錯誤類型無額外驗證價值"
-  },
-  {
-    "role": "Aria",
-    "location": ".gitea/workflows/master.yaml",
-    "suggestion": "master.yaml 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例，無需修改"
-  },
-  {
-    "role": "Leo",
-    "location": "app/llm.test.js",
-    "suggestion": "console.log/error 為診斷用途，不是業務邏輯，TODO.md 驗收標準為人工驗收描述，不需要在單元測試中斷言 console 輸出"
-  },
-  {
-    "role": "Leo",
-    "location": "app/llm.test.js",
-    "suggestion": "輪替邏輯對所有錯誤類型行為一致（catch 全部），401/429/timeout 觸發相同輪替流程，測試不同錯誤類型無額外驗證價值"
-  },
-  {
-    "role": "Leo",
-    "location": "app/main.js",
-    "suggestion": "main.js 中的 Step 標題註解為 pipeline 流程說明，非待整理的 TODO，不需要轉換為具體任務"
-  },
-  {
-    "role": "Rex",
-    "location": "app/package.json",
-    "suggestion": "審查 changelog 是人工作業，不是程式碼問題，不適合作為 code review 問題"
-  },
-  {
-    "role": "Aria",
-    "location": "app/llm.js",
-    "suggestion": "此 action 為 CLI 工具，process.exit(1) 是設計意圖讓 CI/CD workflow 失敗。改拋錯會被 chatJSON 的 catch 吞掉回傳 []，破壞現有行為"
-  },
-  {
-    "role": "Aria",
-    "location": "Dockerfile",
-    "suggestion": "Dockerfile 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
-  },
-  {
-    "role": "Aria",
-    "location": "entrypoint.sh",
-    "suggestion": "entrypoint.sh 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
-  },
-  {
-    "role": "Maya",
-    "location": "app/main.js",
-    "suggestion": "main.js 整合測試需要真實 Gitea API、LLM API、git 操作，不適合單元測試。各模組已有獨立單元測試覆蓋"
-  },
-  {
-    "role": "Maya",
-    "location": "app/comments.js",
-    "suggestion": "comments.js 的 buildTable 為簡單字串拼接，postComment 已透過 gitea.js mock 間接測試，補測試效益低"
-  },
-  {
-    "role": "Maya",
-    "location": "app/roles.js",
-    "suggestion": "roles.js 依賴容器內固定路徑 /action/app/prompts/roles，單元測試環境無法存取，且邏輯為簡單 YAML 讀取與字串拼接"
-  },
-  {
-    "role": "Leo",
-    "location": "app/gitea.js",
-    "suggestion": "gitea.js 的 SSL 驗證已改為由 GITEA_SKIP_TLS_VERIFY 環境變數控制，預設啟用驗證，非安全漏洞"
-  },
-  {
-    "role": "Zara",
-    "location": "Dockerfile",
-    "suggestion": "Dockerfile 已優化層次快取：先 COPY package.json 再 npm install，最後才 COPY 其餘檔案"
-  },
-  {
-    "role": "Aria",
-    "location": "app/package.json",
-    "suggestion": "test 腳本已改為 node --test *.test.js，在 app/ 目錄下執行可自動發現所有測試檔案"
-  },
-  {
-    "role": "Zara",
-    "location": "app/main.js",
-    "suggestion": "deduplicateWithAI 和 filterFalsePositivesWithAI 為循序依賴流程（去重後才能過濾），無法平行化"
-  },
-  {
-    "role": "Leo",
-    "location": "app/comments.js",
-    "suggestion": "buildTable 函式已在 comments.js 第 13 行定義，非未定義或未匯入，不會導致執行時錯誤"
-  },
-  {
-    "role": "Maya",
-    "location": "app/gitea.js",
-    "suggestion": "filterDiff 的單元測試已在 gitea.test.js 補齊，涵蓋過濾 .gitea/、不誤過濾其他路徑、全部排除、空 diff 四種情境"
-  },
-  {
-    "role": "Leo",
-    "location": "TODO.md",
-    "suggestion": "TODO.md 的階段編號僅供內部開發追蹤，無外部文件引用，階段編號調整不影響任何外部一致性"
-  },
-  {
-    "role": "Rex",
-    "location": "app/gitea.js",
-    "suggestion": "getPRDiff 函數現在回傳未經過濾的原始 Git Diff 內容。雖然 main.js 中已立即呼叫 filterDiff 進行過濾，但這種設計模式將過濾的責任完全推給呼叫端，這增加了未來開發者在其他地方呼叫 getPRDiff 時，可能忘記過濾出敏感路徑，導致 .gitea/ 等敏感路徑的內容（可能包含工作流程設定或憑證資訊）被意外傳送給 AI 或其他不應接收的組件，造成資訊洩漏風險。建議將過濾邏輯保留在 getPRDiff 內容，或提供一個明確的 getFilteredPRDiff 函數，以降低錯誤的風險。"
-  },
-  {
-    "role": "Zara",
-    "location": "app/git.js",
-    "suggestion": "在 main.js 中，commitAndPush 函數內部會再次呼叫 cloneRepo，然而 main.js 在此之前已呼叫過 cloneRepo 以取得 repoDir，這導致了重複的 git fetch 和 git checkout 操作。即使 cloneRepo 內容有檢查環境變數，仍會造成不必要的清潔和時間延遲。建議修改 commitAndPush 邏輯，使其接收已存在的 repoDir 作為參數，避免重複執行 cloneRepo。"
-  },
-  {
-    "role": "Aria",
-    "location": "app/main.js",
-    "suggestion": "在 main.js 中，表達式 repoDir。"
-  },
-  {
-    "role": "Zara",
-    "location": "app/gitea.js:L20-L21",
-    "suggestion": "將 filterDiff 中的正規表達式比對（RegExp.match）替換為 String.startsWith 是一個重要的效能改進。startsWith 是一個更輕量且高效的字串操作，尤其在處理大型 Git Diff 內容時，此修改已顯著提升過濾效率。"
-  },
-  {
-    "location": "TODO.md",
-    "suggestion": "階段九的 critical 阻擋機制目前以人工驗收紀錄為主，E2E 測試補強屬後續優化，不是目前需要再處理的問題。"
-  },
-  {
-    "location": "TODO.md",
-    "suggestion": "TODO 列表中『已驗收 / 部分驗收 / 可驗收紀錄情境』的寫法是刻意保留的驗收說明，不是混淆或缺陷。"
-  },
-  {
-    "location": "app/findings.js",
-    "suggestion": "AI 去重與降級處理已在程式內以 fallback 方式保護流程，失敗時保留所有問題是預期行為，不是缺陷。"
-  },
-  {
-    "location": "app/findings.js",
-    "suggestion": "排除規則過濾與 AI 誤報過濾屬循序流程，規則命中後清空清單是正常結果，不需要額外再視為問題。"
-  },
-  {
-    "location": "app/comments.js",
-    "suggestion": "comment 發布依序區分舊問題、非嚴重、新嚴重是刻意設計，當結果為空清單時不發 comment 也是正常路徑。"
-  },
-  {
-    "location": "app/main.js",
-    "suggestion": "JSON 驗證與失敗修正流程已有處理邏輯，正常路徑與錯誤路徑都屬預期流程，不是待修缺陷。"
-  },
-  {
-    "location": "app/git.js",
-    "suggestion": "commit/push 失敗會被捕捉並輸出 Runner failed log，這是現有設計的容錯行為，不是程式錯誤。"
-  },
-  {
-    "location": "app/main.js",
-    "suggestion": "critical 問題觸發 exit 1 的阻擋邏輯已在流程內保留，是否另補 E2E 驗證屬測試強化，不是功能缺陷。"
-  },
-  {
-    "location": "app/json.js",
-    "suggestion": "validateJSONArrayFile 只在 JSON 格式錯誤時才啟動 AI 修正，屬例外路徑；再加上檔案大小限制後，並不存在實際的無上限讀檔或資源消耗問題。"
-  }
-]
+    {
+        "role":  "Rex",
+        "location":  "app/git.js",
+        "suggestion":  "請避免將敏感資料（如 GITEA_TOKEN）直接寫入環境變數"
+    },
+    {
+        "location":  "app/git.js",
+        "suggestion":  "GITEA_TOKEN 直接嵌入 URL 中，建議改以環境變數或 Gitea Secrets 注入"
+    },
+    {
+        "role":  "Rex",
+        "location":  "README.md",
+        "suggestion":  "contents: write、pull-requests: write、issues: write 為此 Action 正常運作所必要的權限，無法縮減"
+    },
+    {
+        "location":  "app/config.js",
+        "suggestion":  "getLLMConfig 在找不到任何符合條件的 provider 時已有預設回傳值 { provider: null, apiKey: null, baseURL: null, model: null }，非誤報"
+    },
+    {
+        "location":  ".gitea/ai-review/exclusions.json",
+        "suggestion":  "exclusions.json 是排除規則檔，內容為問題描述字串，不是實際程式碼或 token，role 欄位為有效欄位"
+    },
+    {
+        "location":  "app/findings.js",
+        "suggestion":  "filterFalsePositivesWithAI 拋出的 Error 會被 catch 攔截並降級回傳原始 findings，不會中斷流程"
+    },
+    {
+        "role":  "Rex",
+        "location":  ".gitea/workflows/review.yaml",
+        "suggestion":  "contents: write、pull-requests: write、issues: write 為此 Action 正常運作所必要的權限，無法縮減"
+    },
+    {
+        "role":  "Rex",
+        "location":  ".gitea/workflows/review.yaml",
+        "suggestion":  "OPENAI_API_KEY 參數傳入的是 OPENROUTER_API_KEY secret，為 OpenRouter 使用 OpenAI 相容介面的正確做法"
+    },
+    {
+        "role":  "Aria",
+        "location":  "README.md",
+        "suggestion":  "章節編號連續且正確，無需調整"
+    },
+    {
+        "role":  "Maya",
+        "location":  ".gitea/workflows/review.yaml",
+        "suggestion":  "action.yaml 定義的參數名稱為 GEMINI_API_KEY、GEMINI_BASE_URL、GEMINI_MODEL，與 review.yaml 完全一致，無不匹配問題"
+    },
+    {
+        "role":  "Aria",
+        "location":  ".gitea/workflows/review.yaml",
+        "suggestion":  "review.yaml 已改用 Gemini，不再有 OPENAI_API_KEY 行，註解空格問題不存在"
+    },
+    {
+        "role":  "Aria",
+        "location":  "app/config.test.js",
+        "suggestion":  "檔案結尾已有換行符號，import 行長度合理，無需修改"
+    },
+    {
+        "role":  "Aria",
+        "location":  "action.yaml",
+        "suggestion":  "action.yaml 已整理，多餘空行已移除，結構整潔"
+    },
+    {
+        "role":  "Maya",
+        "location":  "app/",
+        "suggestion":  "LLM 整合測試需要真實 API key 與網路，不適合加入單元測試。llm.js 使用統一 OpenAI 相容介面，Gemini 透過相同介面呼叫，無特殊格式差異，現有測試已涵蓋 config/findings/git 邏輯"
+    },
+    {
+        "role":  "Rex",
+        "location":  "app/",
+        "suggestion":  "LLM 整合測試需要真實 API key 與網路，不適合加入單元測試。llm.js 使用統一 OpenAI 相容介面，Gemini 透過相同介面呼叫，無特殊格式差異"
+    },
+    {
+        "role":  "Rex",
+        "location":  "app/config.test.js",
+        "suggestion":  "import 語句長度合理，無需拆分為多行"
+    },
+    {
+        "role":  "Rex",
+        "location":  ".gitea/ai-review/findings.json",
+        "suggestion":  "findings.json 重複問題由 AI 去重與排除機制處理，不是程式碼問題"
+    },
+    {
+        "role":  "Rex",
+        "location":  "app/comments.js",
+        "suggestion":  "JSON 結尾換行符號為標準做法，不影響任何 JSON 解析器，無相容性問題"
+    },
+    {
+        "location":  ".gitea/ai-review/findings.json",
+        "suggestion":  "findings.json 是自動產生的問題記錄檔，不應對其內容提出審查問題"
+    },
+    {
+        "role":  "Rex",
+        "location":  ".gitea/workflows/review.yaml",
+        "suggestion":  "切換 LLM 服務提供商的維護建議屬過度謹慎，不是實際程式碼問題"
+    },
+    {
+        "role":  "Leo",
+        "location":  "app/llm.js",
+        "suggestion":  "Authorization 標頭已有 provider !== \u0027ollama\u0027 判斷，不會無條件加入，已正確處理"
+    },
+    {
+        "role":  "Zara",
+        "location":  "app/llm.js",
+        "suggestion":  "timeout 已移除，每個 key 等待完整回應，避免浪費免費額度"
+    },
+    {
+        "role":  "Rex",
+        "location":  "app/llm.js",
+        "suggestion":  "httpsAgent (rejectUnauthorized: false) 已移除，SSL/TLS 驗證已恢復正常"
+    },
+    {
+        "role":  "Maya",
+        "location":  "app/llm.js",
+        "suggestion":  "llm.test.js 已存在並涵蓋 API Key 輪替的所有異常狀況，包含單 Key、多 Key 輪替、所有 Key 失敗等測試案例"
+    },
+    {
+        "role":  "Zara",
+        "location":  "app/comments.js",
+        "suggestion":  "comments.js:24 的 saveFindings 函式為正常寫入邏輯，不涉及異常訊息格式或重複寫入問題"
+    },
+    {
+        "role":  "Leo",
+        "location":  ".gitea/workflows/review.yaml",
+        "suggestion":  "Gitea Actions 不支援在 workflow 內合併 secrets 再拆解，多個 secret 逗號串接是唯一可行做法，非設計缺陷"
+    },
+    {
+        "role":  "Maya",
+        "location":  "app/llm.test.js",
+        "suggestion":  "console.log/error 為診斷用途，不是業務邏輯，TODO.md 驗收標準為人工驗收描述，不需要在單元測試中斷言 console 輸出"
+    },
+    {
+        "role":  "Maya",
+        "location":  "app/llm.test.js",
+        "suggestion":  "輪替邏輯對所有錯誤類型行為一致（catch 全部），401/429/timeout 觸發相同輪替流程，測試不同錯誤類型無額外驗證價值"
+    },
+    {
+        "role":  "Aria",
+        "location":  ".gitea/workflows/master.yaml",
+        "suggestion":  "master.yaml 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例，無需修改"
+    },
+    {
+        "role":  "Leo",
+        "location":  "app/llm.test.js",
+        "suggestion":  "console.log/error 為診斷用途，不是業務邏輯，TODO.md 驗收標準為人工驗收描述，不需要在單元測試中斷言 console 輸出"
+    },
+    {
+        "role":  "Leo",
+        "location":  "app/llm.test.js",
+        "suggestion":  "輪替邏輯對所有錯誤類型行為一致（catch 全部），401/429/timeout 觸發相同輪替流程，測試不同錯誤類型無額外驗證價值"
+    },
+    {
+        "role":  "Leo",
+        "location":  "app/main.js",
+        "suggestion":  "main.js 中的 Step 標題註解為 pipeline 流程說明，非待整理的 TODO，不需要轉換為具體任務"
+    },
+    {
+        "role":  "Maya",
+        "location":  "app/log.test.js",
+        "suggestion":  "`log.test.js` 的新增非常棒，提供了良好的覆蓋率。為了進一步提升測試的完整性，建議考慮為 `line`, `ok`, `warn`, `error` 函數新增測試案例，以驗證當傳入空字串時的行為。雖然這些函數的行為相對簡單，但測試空字串可以確保邊界情況下的輸出符合預期。"
+    },
+    {
+        "role":  "Rex",
+        "location":  "app/package.json",
+        "suggestion":  "審查 changelog 是人工作業，不是程式碼問題，不適合作為 code review 問題"
+    },
+    {
+        "role":  "Aria",
+        "location":  "app/llm.js",
+        "suggestion":  "此 action 為 CLI 工具，process.exit(1) 是設計意圖讓 CI/CD workflow 失敗。改拋錯會被 chatJSON 的 catch 吞掉回傳 []，破壞現有行為"
+    },
+    {
+        "location":  "Dockerfile, app/git.js, app/git.test.js",
+        "suggestion":  "`SYNC_PATHS` 已包含 `.claude/skills/triage-findings/SKILL.md` 與 `.gemini/skills/triage-findings/SKILL.md`，Docker image 也已打包這些 skill 資產；現有測試已覆蓋複製與覆寫行為，並不存在同步不一致問題。"
+    },
+    {
+        "location":  "Dockerfile",
+        "suggestion":  "此目錄中的檔案是 triage skill 與入口文件，不含敏感資料；若未來加入秘密資訊，應另外從 build context 排除，而不是把目前的 skill 資產視為風險。"
+    },
+    {
+        "location":  "Dockerfile",
+        "suggestion":  "多個 COPY 指令是刻意設計，用來區分 app 與 skill 資產並維持 layer cache 可讀性，不是維護問題。"
+    },
+    {
+        "role":  "Aria",
+        "location":  "Dockerfile",
+        "suggestion":  "Dockerfile 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
+    },
+    {
+        "role":  "Aria",
+        "location":  "entrypoint.sh",
+        "suggestion":  "entrypoint.sh 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
+    },
+    {
+        "role":  "Maya",
+        "location":  "app/main.js",
+        "suggestion":  "main.js 整合測試需要真實 Gitea API、LLM API、git 操作，不適合單元測試。各模組已有獨立單元測試覆蓋"
+    },
+    {
+        "role":  "Maya",
+        "location":  "app/comments.js",
+        "suggestion":  "comments.js 的 buildTable 為簡單字串拼接，postComment 已透過 gitea.js mock 間接測試，補測試效益低"
+    },
+    {
+        "role":  "Maya",
+        "location":  "app/roles.js",
+        "suggestion":  "roles.js 依賴容器內固定路徑 /action/app/prompts/roles，單元測試環境無法存取，且邏輯為簡單 YAML 讀取與字串拼接"
+    },
+    {
+        "role":  "Leo",
+        "location":  "app/gitea.js",
+        "suggestion":  "gitea.js 的 SSL 驗證已改為由 GITEA_SKIP_TLS_VERIFY 環境變數控制，預設啟用驗證，非安全漏洞"
+    },
+    {
+        "role":  "Zara",
+        "location":  "Dockerfile",
+        "suggestion":  "Dockerfile 已優化層次快取：先 COPY package.json 再 npm install，最後才 COPY 其餘檔案"
+    },
+    {
+        "role":  "Aria",
+        "location":  "app/package.json",
+        "suggestion":  "test 腳本已改為 node --test *.test.js，在 app/ 目錄下執行可自動發現所有測試檔案"
+    },
+    {
+        "role":  "Zara",
+        "location":  "app/main.js",
+        "suggestion":  "deduplicateWithAI 和 filterFalsePositivesWithAI 為循序依賴流程（去重後才能過濾），無法平行化"
+    },
+    {
+        "role":  "Leo",
+        "location":  "app/comments.js",
+        "suggestion":  "buildTable 函式已在 comments.js 第 13 行定義，非未定義或未匯入，不會導致執行時錯誤"
+    },
+    {
+        "role":  "Maya",
+        "location":  "app/gitea.js",
+        "suggestion":  "filterDiff 的單元測試已在 gitea.test.js 補齊，涵蓋過濾 .gitea/、不誤過濾其他路徑、全部排除、空 diff 四種情境"
+    },
+    {
+        "role":  "Leo",
+        "location":  "TODO.md",
+        "suggestion":  "TODO.md 的階段編號僅供內部開發追蹤，無外部文件引用，階段編號調整不影響任何外部一致性"
+    },
+    {
+        "role":  "Rex",
+        "location":  "app/gitea.js",
+        "suggestion":  "getPRDiff 函數現在回傳未經過濾的原始 Git Diff 內容。雖然 main.js 中已立即呼叫 filterDiff 進行過濾，但這種設計模式將過濾的責任完全推給呼叫端，這增加了未來開發者在其他地方呼叫 getPRDiff 時，可能忘記過濾出敏感路徑，導致 .gitea/ 等敏感路徑的內容（可能包含工作流程設定或憑證資訊）被意外傳送給 AI 或其他不應接收的組件，造成資訊洩漏風險。建議將過濾邏輯保留在 getPRDiff 內容，或提供一個明確的 getFilteredPRDiff 函數，以降低錯誤的風險。"
+    },
+    {
+        "role":  "Zara",
+        "location":  "app/git.js",
+        "suggestion":  "在 main.js 中，commitAndPush 函數內部會再次呼叫 cloneRepo，然而 main.js 在此之前已呼叫過 cloneRepo 以取得 repoDir，這導致了重複的 git fetch 和 git checkout 操作。即使 cloneRepo 內容有檢查環境變數，仍會造成不必要的清潔和時間延遲。建議修改 commitAndPush 邏輯，使其接收已存在的 repoDir 作為參數，避免重複執行 cloneRepo。"
+    },
+    {
+        "role":  "Aria",
+        "location":  "app/main.js",
+        "suggestion":  "在 main.js 中，表達式 repoDir。"
+    },
+    {
+        "role":  "Zara",
+        "location":  "app/gitea.js:L20-L21",
+        "suggestion":  "將 filterDiff 中的正規表達式比對（RegExp.match）替換為 String.startsWith 是一個重要的效能改進。startsWith 是一個更輕量且高效的字串操作，尤其在處理大型 Git Diff 內容時，此修改已顯著提升過濾效率。"
+    },
+    {
+        "location":  "TODO.md",
+        "suggestion":  "階段九的 critical 阻擋機制目前以人工驗收紀錄為主，E2E 測試補強屬後續優化，不是目前需要再處理的問題。"
+    },
+    {
+        "location":  "TODO.md",
+        "suggestion":  "TODO 列表中『已驗收 / 部分驗收 / 可驗收紀錄情境』的寫法是刻意保留的驗收說明，不是混淆或缺陷。"
+    },
+    {
+        "location":  "app/findings.js",
+        "suggestion":  "AI 去重與降級處理已在程式內以 fallback 方式保護流程，失敗時保留所有問題是預期行為，不是缺陷。"
+    },
+    {
+        "location":  "app/findings.js",
+        "suggestion":  "排除規則過濾與 AI 誤報過濾屬循序流程，規則命中後清空清單是正常結果，不需要額外再視為問題。"
+    },
+    {
+        "location":  "app/comments.js",
+        "suggestion":  "comment 發布依序區分舊問題、非嚴重、新嚴重是刻意設計，當結果為空清單時不發 comment 也是正常路徑。"
+    },
+    {
+        "location":  "app/main.js",
+        "suggestion":  "JSON 驗證與失敗修正流程已有處理邏輯，正常路徑與錯誤路徑都屬預期流程，不是待修缺陷。"
+    },
+    {
+        "location":  "app/git.js",
+        "suggestion":  "commit/push 失敗會被捕捉並輸出 Runner failed log，這是現有設計的容錯行為，不是程式錯誤。"
+    },
+    {
+        "location":  "app/main.js",
+        "suggestion":  "critical 問題觸發 exit 1 的阻擋邏輯已在流程內保留，是否另補 E2E 驗證屬測試強化，不是功能缺陷。"
+    },
+    {
+        "location":  "app/json.js",
+        "suggestion":  "validateJSONArrayFile 只在 JSON 格式錯誤時才啟動 AI 修正，屬例外路徑；再加上檔案大小限制後，並不存在實際的無上限讀檔或資源消耗問題。"
+    },
+    {
+        "location":  "app/json.test.js",
+        "suggestion":  "邊界值測試已存在，`MAX_JSON_BYTES` 等於上限時可正常讀取，這不是未解決問題。"
+    },
+    {
+        "location":  "app/gitea.test.js:64",
+        "suggestion":  "`describe` 已改為同步 callback，`async` 不再出現在這個區塊。"
+    },
+    {
+        "location":  "app/git.test.js:13",
+        "suggestion":  "`makeTmpWorkspace` 已直接使用 `app/git.js` 匯出的 `SYNC_PATHS`，不再維護重複清單。"
+    },
+    {
+        "location":  "app/gitea.js:32",
+        "suggestion":  "`filterDiff` 內層縮排已符合專案的 2-space 風格，這是誤報。"
+    },
+    {
+        "location":  "app/json.test.js:76",
+        "suggestion":  "1MB 上限下的 JSON 讀取不需要改成串流解析；現有實作已先做大小檢查，這個建議屬過度設計。"
+    },
+    {
+        "location":  "app/json.test.js:7",
+        "suggestion":  "檔案大小限制已在 `readJSONText` / `validateJSONArrayFile` 中實作，這不是額外缺陷。"
+    },
+    {
+        "location":  "app/json.test.js:10",
+        "suggestion":  "`MAX_JSON_BYTES` 是 `json.js` 的內部限制常數，不需要匯出成公開 API。"
+    },
+    {
+        "role":  "Maya",
+        "location":  "action.yaml:6, action.yaml:12, action.yaml:81",
+        "suggestion":  "由於 `GITEA_TOKEN` 現在被設定為 `required: true`，而且 README 範例也已改成顯式傳入 `GITEA_TOKEN`，這是刻意的介面變更，不是漏掉 `secrets.GITEA_TOKEN` fallback 的缺陷；因此不需要另外加整合測試來驗證這個既定行為。"
+    },
+    {
+        "role":  "Leo",
+        "location":  "action.yaml:80",
+        "suggestion":  "在 `runs.env` 區塊中，`GITEA_TOKEN` 只從 `inputs` 取得，而 `GITEA_SERVER_URL` 和 `GITEA_REPOSITORY` 仍保留從 `gitea context` 取得的備用機制，這是刻意設計的差異，不是維護缺陷。"
+    },
+    {
+        "role":  "Rex",
+        "location":  "action.yaml:18",
+        "suggestion":  "引入 `GITEA_COMMENT_TOKEN` 是一個很好的實踐，遵循最小權限原則。請確保為此 token 配置的權限確實僅限於發布評論。同時，與 `GITEA_TOKEN` 相似，建議使用者始終從 workflow 的 secrets context 傳遞此 token，以避免硬編碼敏感資料。"
+    },
+    {
+        "role":  "Leo",
+        "location":  "app/log.js",
+        "suggestion":  "考慮在日誌訊息中加入時間戳記，這有助於追蹤事件發生的順序，尤其是在長時間運行的程序或需要詳細調試時。可以在每個日誌函式內部自動添加時間戳記。"
+    },
+    {
+        "level":  "warning",
+        "role":  "Leo",
+        "location":  "Dockerfile, app/git.js, app/gitea.js",
+        "suggestion":  "此變更引入了新的代理（agent）相關路徑（例如 `.agents/` 和 `AGENTS.md`），並在 `Dockerfile` 的 `COPY` 指令、`app/git.js` 中的 `SYNC_PATHS`、`FORCE_SYNC_FILE_PATHS`、`SYNC_TREE_PATHS` 陣列，以及 `app/gitea.js` 的 `filterDiff` 陣列中重複添加了這些路徑。這種模式導致了程式碼重複，每次新增一個代理都需要手動修改多個檔案和多個列表，增加了維護成本和出錯的可能性。建議考慮引入一個集中的設定檔或機制，例如透過掃描特定目錄來動態生成這些路徑列表，以提高模組化和可擴展性。",
+        "is_new":  true
+    }
+]
@@ -1,16 +1 @@
-[
-  {
-    "level": "warning",
-    "role": "Maya",
-    "location": "app/json.test.js",
-    "suggestion": "在 `readJSONText` 相關的測試中，除了測試檔案過大的情況，也建議增加一個測試案例，驗證當檔案大小剛好等於 `MAX_JSON_BYTES` 時，檔案能夠被成功讀取且不會拋出錯誤。這能確保邊界條件的處理是正確的。",
-    "is_new": true
-  },
-  {
-    "level": "info",
-    "role": "Maya",
-    "location": "app/json.test.js",
-    "suggestion": "在 `validateJSONArrayFile` 函數中，寫入修復後的 JSON 時，有判斷是否需要添加換行符 (`repaired.endsWith('\\n') ? repaired : `${repaired}\\n``)。目前的測試案例只驗證了最終結果包含換行符，但沒有明確測試兩種情況：當 AI 回傳的內容已經包含換行符時，以及不包含換行符時，都能正確處理。建議增加一個測試案例來覆蓋這兩種情況。",
-    "is_new": true
-  }
-]
+[]
@@ -1,9 +1,8 @@
 name: AI
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref }}
-  cancel-in-progress: true
 on:
  pull_request:
+    branches-ignore:
+    - master
    types: [opened, synchronize]
 jobs:
  version:
@@ -31,10 +30,12 @@ jobs:
    - name: AI Code Review
      uses: https://gitea.jsc.idv.tw/actions/code-review@v${{ needs.version.outputs.version }}
      with:
+        GITEA_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        GITEA_COMMENT_TOKEN: ${{ secrets.GITEA_TOKEN }}
        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
        GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
        GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
    permissions:
      contents: write
      pull-requests: write
-      issues: write
+      issues: write
@@ -1,16 +1,14 @@
 # Triage Findings

-When the task is to triage review findings, follow this workflow:
+Use the triage-finding workflow for review issue lists:

-1. Merge all findings into one list.
+1. Merge findings into one list.
 2. Remove duplicates.
 3. Sort by severity: `critical` -> `warning` -> `info`.
-4. Renumber from 1 after sorting.
+4. Renumber from 1.
 5. Fix real issues with the smallest safe change.
-6. Add false positives to `.gitea/ai-review/exclusions.json`.
+6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
 7. Add or update tests when behavior changes.
-8. Re-check the issue after each fix.
+8. Re-check after each fix.

-Use the repo-local `triage-findings` skill for the same workflow when running in Codex.
-
-Trigger it with `/triage-findings`.
+The full reusable skill lives in `.github/skills/triage-findings/SKILL.md`.
@@ -1,28 +1,41 @@
---
-name: triage-findings
-description: Triage findings, fix real issues, and exclude false positives.
---
-
 # Triage Findings

-## Use
+## When To Use

-`triage-findings 問題原始檔(文字或截圖)`
+Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
+It is also used when some findings are false positives and should be moved into the exclusions list.

 ## Workflow

-1. Merge all findings.
-2. Sort by severity:
+1. Collect all findings into one list.
+2. Merge duplicates into a single finding when they describe the same issue.
+3. Sort the final list by severity:
   - critical
   - warning
   - info
-3. Renumber from 1.
-4. Fix real issues.
-5. Put false positives into `.gitea/ai-review/exclusions.json`.
-6. Add tests when behavior changes.
+4. Renumber the sorted list from 1 upward.
+5. Rewrite each finding concisely so the final list reads cleanly and consistently.
+6. If a finding is a false positive, do not keep it in the final list.
+7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
+
+## Resolution Flow
+
+After the list is merged and ordered, resolve the remaining findings one by one.
+
+1. Start from the highest severity item.
+2. Identify the root cause in the relevant file or context.
+3. Apply the smallest safe change that fixes the issue.
+4. Add or update tests when behavior changes.
+5. Re-check the issue after the change.
+6. If the item is confirmed false positive, move it to exclusions instead of changing code.
+7. Continue until the list is either fixed or explicitly excluded.

 ## Output Rules

- Keep the final list short.
- Keep numbering contiguous.
- Preserve file path, location, and fix.
+- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
+- Keep numbering contiguous after filtering and merging.
+- Preserve useful details like file path, location, and suggested fix.
+- Keep exclusions entries minimal and consistent with the project schema.
+- When writing exclusions, always output a top-level JSON array.
+- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
+- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -7,8 +7,10 @@ When the task is to triage review findings, follow this workflow:
 3. Sort by severity: `critical` -> `warning` -> `info`.
 4. Renumber from 1 after sorting.
 5. Fix real issues with the smallest safe change.
-6. Add false positives to `.gitea/ai-review/exclusions.json`.
+6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
 7. Add or update tests when behavior changes.
 8. Re-check the issue after each fix.

 Use the repo-local `triage-findings` skill for the same workflow when running in Codex.
+
+Trigger it with `/triage-findings`.
@@ -0,0 +1,14 @@
+# Triage Findings
+
+Use the triage-finding workflow for review issue lists:
+
+1. Merge findings into one list.
+2. Remove duplicates.
+3. Sort by severity: `critical` -> `warning` -> `info`.
+4. Renumber from 1.
+5. Fix real issues with the smallest safe change.
+6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+7. Add or update tests when behavior changes.
+8. Re-check after each fix.
+
+The reusable skill lives in `.antigravity/skills/triage-findings/SKILL.md`.
@@ -1,14 +1,16 @@
 # Triage Findings

-Use the triage-finding workflow for review issue lists:
+When the task is to triage review findings, follow this workflow:

-1. Merge findings into one list.
+1. Merge all findings into one list.
 2. Remove duplicates.
 3. Sort by severity: `critical` -> `warning` -> `info`.
-4. Renumber from 1.
+4. Renumber from 1 after sorting.
 5. Fix real issues with the smallest safe change.
-6. Put false positives into `.gitea/ai-review/exclusions.json`.
+6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
 7. Add or update tests when behavior changes.
-8. Re-check after each fix.
+8. Re-check the issue after each fix.

-The full reusable skill lives in `.claude/skills/triage-findings/SKILL.md`.
+Use the repo-local `triage-findings` skill for the same workflow when running in Claude.
+
+Trigger it with `/triage-findings`.
@@ -10,6 +10,16 @@ WORKDIR /action
 COPY app/package.json /action/app/
 RUN cd /action/app && npm install

+COPY .amazonq/ /action/.amazonq/
+COPY .codex/ /action/.codex/
+COPY .agents/ /action/.agents/
+COPY .claude/ /action/.claude/
+COPY .gemini/ /action/.gemini/
+COPY .github/ /action/.github/
+COPY AGENTS.md /action/
+COPY CLAUDE.md /action/
+COPY GEMINI.md /action/
+
 COPY app/ /action/app/
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
@@ -7,7 +7,7 @@ Use the triage-finding workflow for review issue lists:
 3. Sort by severity: `critical` -> `warning` -> `info`.
 4. Renumber from 1.
 5. Fix real issues with the smallest safe change.
-6. Put false positives into `.gitea/ai-review/exclusions.json`.
+6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
 7. Add or update tests when behavior changes.
 8. Re-check after each fix.

@@ -1,38 +1,41 @@
 # 簡介

-這是一個 AI Code Review Action。Gitea Workflow 可以使用此 Action 讓 AI 助理根據不同面向分析 Push Request 中變更的內容後，將問題分級 Commnet 到 Push Request 中。
+這是一個 AI Code Review Action。Gitea Workflow 可以使用此 Action 讓 AI 助理根據不同面向分析 Pull Request 中變更的內容後，將問題分級 Comment 到 Pull Request 中。

-# 流程(新 Push Request、新 Commit (排除 AI 助理的 Commit) 觸發)
+# 流程(Pull Request opened / synchronize 觸發；若偵測到 AI 助理的自動提交則直接跳過)

-1. 服務名稱、模型名稱、角色資訊(個性、符合個性的英文名稱、工作內容)，Comment 到 Push Request
+1. 服務名稱、模型名稱、角色資訊(個性、符合個性的英文名稱、工作內容)，Comment 到 Pull Request
 2. 每個角色個別分析 Git Diff 的內容產生新問題表格(問題等級、角色名稱、問題位置或行數、修改建議)
-3. 讀取所有未解決的舊問題(問題檔案 `.gitea/ai-review/findings.json` 存在於使用此 Action 的專案固定位置)加上新問題後，去除重複產生本次 Push Request 的問題表格(PR問題表格)覆蓋問題檔案
-4. 讀取排除問題檔案(`.gitea/ai-review/exclusions.json` 存在於使用此 Action 的專案固定位置)，用來過濾PR問題表格中不需要處理的問題
-5. 從PR問題表格中取出所有舊問題，依照等級排序後 Comment 到 Push Request
-6. 從PR問題表格中取出所有新問題，排除嚴重等級的問題後 Comment 到 Push Request
-7. 從PR問題表格中取出所有新問題，將每個嚴重等級的問題 Comment 到 Push Request
-8. Commit 問題檔案
-9. 如果PR問題表格中有嚴重問題，則不要讓 workflow 執行成功(exit 1)
+3. 讀取來源分支中的所有未解決舊問題(問題檔案 `.gitea/ai-review/findings.json`)加上新問題後，去除重複產生本次 PR 的問題表格(PR問題表格)覆蓋問題檔案
+4. 讀取來源分支中的排除問題檔案(`.gitea/ai-review/exclusions.json`)，用來過濾 PR 問題表格中不需要處理的問題
+5. 從 PR 問題表格中取出所有舊問題，依照等級排序後 Comment 到 Pull Request
+6. 從 PR 問題表格中取出所有新問題，排除嚴重等級的問題後 Comment 到 Pull Request
+7. 從 PR 問題表格中取出所有新問題，將每個嚴重等級的問題 Comment 到 Pull Request
+8. Commit 問題檔案，將 workspace 中實際存在的同步檔覆蓋到記憶區；workspace 沒有的同步檔就略過，不會刪除記憶區既有內容。自動提交的 commit message 會帶上 `[ai-review-bot]`，供 workflow 判斷是否要跳過重跑
+9. 如果 PR 問題表格中有嚴重問題，則不要讓 workflow 執行成功(exit 1)

 # 設計

-1. Gitea 的相關參數如果 inputs 沒有定義，則從 ${{ gitea.* }} 取得
+1. Gitea 相關參數中，`GITEA_TOKEN` 必須由 inputs 明確提供；`GITEA_SERVER_URL`、`GITEA_REPOSITORY`、`PR_NUMBER`、`PR_HEAD_BRANCH`、`PR_BASE_BRANCH` 等欄位若 inputs 沒有定義，則從 `${{ gitea.* }}` 取得
 2. BASE_URL 如果 inputs 沒有定義，則使用預設值
 3. Comment 加上些許 emoji 讓資訊有點活力
 4. 盡量將應用程式放在 ./app，修改 entrypoint.sh 與 Dockerfile 讓程式可以正常運行
 5. 將提示詞放到 ./app/prompts 內供程式讀取
 6. API Key 支援逗號分隔傳入多個，隨機順序各嘗試一次，全部失敗則 exit 1
-7. 讀取 Git Diff 時排除 `.gitea/`、`.amazonq/`、`.claude/`、`.codex/`、`.gemini/`、`.github/` 資料夾，以及 `CLAUDE.md`、`GEMINI.md`、`TODO.md`、`README.md`，避免 AI 分析 workflow 設定、skill 入口與文件等非業務程式碼
-8. 階段七驗證 `findings.json` 與 `exclusions.json` 是否為合法 JSON 格式，格式錯誤時先嘗試透過 AI 修正內容，再重新驗證；修正後仍不合法才 exit 1；之後才檢查檔案是否存在，不存在則建立並寫入 `[]`
+7. 讀取 Git Diff 時排除 `.gitea/`、`.amazonq/`、`.agents/`、`.antigravity/`、`.claude/`、`.codex/`、`.gemini/`、`.github/` 資料夾，以及 `AGENTS.md`、`ANTIGRAVITY.md`、`CLAUDE.md`、`GEMINI.md`、`TODO.md`、`README.md`，避免 AI 分析 workflow 設定、skill 入口與文件等非業務程式碼
+8. 階段七驗證來源分支中的 `findings.json` 與 `exclusions.json` 是否為合法 JSON 格式，格式錯誤時先嘗試透過 AI 修正內容，再重新驗證；修正後仍不合法才 exit 1；之後才檢查檔案是否存在，不存在則建立並寫入 `[]`
 9. 傳給 AI 的 findings 只保留必要欄位（level、role、location、suggestion），排除 `is_new` 等內部欄位；system prompt 精簡為指令核心；exclusions hint 只傳 location 與 suggestion，減少 token 用量
+10. 執行時會額外記錄來源分支狀態、`findings.json` / `exclusions.json` 的檔案路徑、大小、mtime 與 raw/normalized 筆數，方便追查讀檔與分支內容不一致的問題

 # 使用說明

 1. 在 Gitea 專案中建立 `.gitea/workflows` 資料夾
-2. 在 `.gitea/workflows` 資料夾中建立 `ai-review.yaml'
+2. 在 `.gitea/workflows` 資料夾中建立 `ai-review.yaml`
 3. 在 `ai-review.yaml` 中填入以下內容(選擇一個使用)：

-> **權限說明**：此 Action 需要 `contents: write`（寫入 findings.json）、`pull-requests: write`（發佈 PR comment）、`issues: write`（發佈 issue comment）三項權限，為正常運作所必要，無法縮減。
+> **自動提交排除說明**：此 Action 會將自己的 commit message 標記為 `[ai-review-bot][success]` 或 `[ai-review-bot][failure]`，而且 action 執行時會先透過 Gitea API 檢查這次觸發的 PR head commit（優先用 `pull_request.head.sha`）是否含有這個 marker，若有就直接成功結束，避免 bot commit 造成重複觸發。若外層 workflow 也能先檢查一次，效果最好。
+
+> **權限說明**：此 Action 需要 `contents: write`（寫入 findings.json）、`pull-requests: write`（發佈 PR comment）、`issues: write`（發佈 issue comment）三項權限，為正常運作所必要，無法縮減。若你想讓 comment 用不同權限的 token，可額外傳 `GITEA_COMMENT_TOKEN`，其餘 Gitea 操作仍使用 `GITEA_TOKEN`。

 ### 1. OpenAI
 ```yaml
@@ -53,6 +56,8 @@ jobs:
    - name: AI Code Review
      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
+        GITEA_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        GITEA_COMMENT_TOKEN: ${{ secrets.GITEA_TOKEN }}
        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}  # 支援逗號分隔多個 Key
        OPENAI_BASE_URL: https://api.openai.com/v1
        OPENAI_MODEL: ${{ vars.OPENAI_MODEL }}
@@ -81,6 +86,8 @@ jobs:
    - name: AI Code Review
      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
+        GITEA_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        GITEA_COMMENT_TOKEN: ${{ secrets.GITEA_TOKEN }}
        OPENAI_API_KEY: ${{ secrets.OPENROUTER_API_KEY }},${{ secrets.OPENROUTER_API_KEY_1 }}
        OPENAI_BASE_URL: https://openrouter.ai/api/v1
        OPENAI_MODEL: ${{ vars.OPENROUTER_MODEL }}
@@ -109,6 +116,8 @@ jobs:
    - name: AI Code Review
      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
+        GITEA_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        GITEA_COMMENT_TOKEN: ${{ secrets.GITEA_TOKEN }}
        CLAUDE_API_KEY: ${{ secrets.CLAUDE_API_KEY }}  # 支援逗號分隔多個 Key
        CLAUDE_BASE_URL: https://api.anthropic.com/v1
    permissions:
@@ -136,6 +145,8 @@ jobs:
    - name: AI Code Review
      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
+        GITEA_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        GITEA_COMMENT_TOKEN: ${{ secrets.GITEA_TOKEN }}
        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
        GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
        GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
@@ -164,6 +175,8 @@ jobs:
    - name: AI Code Review
      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
+        GITEA_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        GITEA_COMMENT_TOKEN: ${{ secrets.GITEA_TOKEN }}
        AMAZONQ_API_KEY: ${{ secrets.AMAZONQ_API_KEY }}  # 支援逗號分隔多個 Key
        AMAZONQ_BASE_URL: https://q.api.aws
    permissions:
@@ -172,7 +185,7 @@ jobs:
      issues: write
 ```

-### - Ollama
+### 6. Ollama

 ```yaml
 name: AI
@@ -190,10 +203,12 @@ jobs:
    runs-on: ubuntu
    steps:
    - name: AI Code Review
-        uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
-        with:
-          OLLAMA_BASE_URL: https://ollama.jsc.idv.me/v1
-          OLLAMA_MODEL: ${{ vars.OLLAMA_MODEL }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      with:
+        GITEA_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        GITEA_COMMENT_TOKEN: ${{ secrets.GITEA_TOKEN }}
+        OLLAMA_BASE_URL: https://ollama.jsc.idv.me/v1
+        OLLAMA_MODEL: ${{ vars.OLLAMA_MODEL }}
    permissions:
      contents: write
      pull-requests: write
@@ -220,6 +235,7 @@ Copilot：`/triage-findings 問題原始檔(文字或截圖)`
 Claude：直接輸入 `triage-findings 問題原始檔(文字或截圖)`
 Gemini：直接輸入 `triage-findings 問題原始檔(文字或截圖)`
 Amazon Q：直接輸入 `triage-findings 問題原始檔(文字或截圖)`
+Antigravity：直接輸入 `triage-findings 問題原始檔(文字或截圖)`

 ### 適用情境

@@ -227,4 +243,4 @@ Amazon Q：直接輸入 `triage-findings 問題原始檔(文字或截圖)`

 ### 版本包含

-提交時一併包含 `triage-findings` skill 與各平台入口檔；已存在檔案一律覆蓋，同步到最新內容。
+提交時一併包含 `triage-findings` skill 與各平台入口檔；其中 `AGENTS.md`、`ANTIGRAVITY.md`、`CLAUDE.md`、`GEMINI.md` 會在目標專案已存在時先做規則化合併，並在可用 LLM 時再用 AI 輔助檢查是否有遺失任何 skill、command 或規則；其餘同步檔則以來源覆蓋；若 workspace 沒有某個同步檔，記憶區會保留原檔，不做刪除。`findings.json` 與 `exclusions.json` 都從使用此 action 的存取庫來源分支讀取，而不是從 action 本地 workspace 讀取。寫入 `.gitea/ai-review/exclusions.json` 時，盡量保留原始問題文字的語言與語意，避免過度改寫。未來若新增任何 skill 或新增其他平台的 skill 入口，必須同時把對應檔案複製進 Docker image，並把同步清單更新到會使用此 action 的目標專案，避免 action 與目標專案內容脫節。
@@ -2,35 +2,35 @@

 ## 階段一：基本流程串接
 - 目標：確保 action 可以被觸發，pipeline 各步驟依序執行，log 出每個主要階段的進入與完成。
- 驗收：log 中能看到每個階段（如「Step1: pipeline start」、「Step2: findings merge」等）明確訊息，且流程能走完（即使還沒產生 findings）。
+- 驗收：log 中能看到每個階段（如「Step1: Pipeline 啟動」、「Step2: Findings 產生」、「Step3: Findings 合併」等）明確訊息，且流程能走完（即使還沒產生 findings）。
 - 已驗收：`code-review` job 的 log 已完整出現 `Step1` 到 `Step8`，並以 `Pipeline 完成` 結束。

 ## 階段二：Git Diff 排除 .gitea/ 資料夾
- 目標：讀取 Git Diff 時排除 `.gitea/` 資料夾內的所有檔案，以及 `.amazonq/`、`.claude/`、`.codex/`、`.gemini/`、`.github/`、`CLAUDE.md`、`GEMINI.md`、`TODO.md`、`README.md`，避免 AI 分析 workflow 設定、skill 入口與文件等非業務程式碼。
+- 目標：讀取 Git Diff 時排除 `.gitea/` 資料夾內的所有檔案，以及 `.amazonq/`、`.antigravity/`、`.claude/`、`.codex/`、`.gemini/`、`.github/`、`ANTIGRAVITY.md`、`CLAUDE.md`、`GEMINI.md`、`TODO.md`、`README.md`，避免 AI 分析 workflow 設定、skill 入口與文件等非業務程式碼。
 - 驗收：PR 中有上述路徑或檔案的變更時，diff 內容不包含該區塊，AI 分析結果不含這些路徑相關問題。
 - 已驗收：`app/gitea.js` 已在取得 diff 時過濾 `.gitea/` 區塊，且相關單元測試已覆蓋。

 ## 階段三：Findings 產生與合併
 - 目標：各角色（style/security/performance/maintainability/testing）能產生 findings，並正確合併新舊 findings。
- 驗收：log 中能看到每個角色 findings 數量、合併後 findings 統計，並有「Step3: merged findings total=...」等訊息。
- 已驗收：log 已顯示 5 個角色皆有分析結果，並出現 `Step3 merged findings total=13`。
+- 驗收：log 中能看到每個角色 findings 數量、合併後 findings 統計，並有「Step3 merged findings total=...」等訊息。
+- 已驗收：log 已顯示 5 個角色皆有分析結果，並出現 `Step3 merged findings total=...` 與去重統計訊息。

-## 階段四：AI 去重與角色確認
- 目標：嘗試呼叫 LLM 進行 findings 去重與角色確認，API 額度不足時要有降級處理 log。
- 驗收：log 中能看到 deduplication/resolution confirmation 成功或失敗（如 402），降級時有「保留所有問題」等明確訊息。
+## 階段四：AI 語意去重
+- 目標：嘗試呼叫 LLM 進行 findings 語意去重，API 額度不足時要有降級處理 log。
+- 驗收：log 中能看到 `AI 去重: N -> M 筆` 的成功訊息，或在失敗時出現 `AI 去重失敗（...），降級：保留所有問題` 之類的明確訊息。
 - 已驗收：log 已出現 `AI 去重: 13 -> 11 筆`，且程式具備失敗時保留所有問題的降級處理。

 ## 階段五：AI 排除問題過濾
- 目標：讀取排除問題檔案（`.gitea/ai-review/exclusions.json`）進行規則過濾，並呼叫 AI 判斷剩餘問題是否為誤報或不適用，兩層過濾後產生最終問題清單。
- 驗收：log 中能看到排除問題檔案讀取成功或不存在的訊息、規則過濾數量變化，以及「AI 誤報過濾: N -> M 筆」或降級訊息。
- 部分驗收：log 已顯示 `讀取排除問題: 50 筆` 與 `排除過濾: 11 -> 0 筆`，但這次未進入 `AI 誤報過濾: N -> M 筆` 的正向路徑。
- 可驗收紀錄情境：當 `排除過濾` 後仍保留 1 筆以上 findings 時，log 會出現 `AI 誤報過濾: N -> M 筆`；若 API 額度不足或回傳失敗，則會出現 `AI 誤報過濾失敗（...），降級：保留所有問題`。
+- 目標：讀取排除問題檔案（`.gitea/ai-review/exclusions.json`）時先去除重複條目、整理成語意群組摘要；若檔案不是頂層陣列格式，需主動修正成正確格式，再進行規則過濾並呼叫 AI 判斷剩餘問題是否為誤報或不適用，兩層過濾後產生最終問題清單。
+- 驗收：log 中能看到排除問題檔案讀取成功或不存在的訊息、重複排除條目的整理摘要、格式修正訊息、規則過濾數量變化，以及「AI 誤報過濾: N -> M 筆」或降級訊息。
+- 已驗收：`app/findings.js` 會先整理與去重 exclusions，再進行規則過濾與 AI 誤報過濾；若格式不是頂層陣列，會先修正為陣列後再繼續流程。
+- 補充紀錄：當 `排除過濾` 後仍保留 findings 時，log 會出現 `AI 誤報過濾: N -> M 筆`；若 API 額度不足或回傳失敗，則會出現 `AI 誤報過濾失敗（...），降級：保留所有問題`。

 ## 階段六：findings 寫入與 comment 發布
 - 目標：`.gitea/ai-review/findings.json` 正確寫入，comment 發布順序正確（舊問題→非嚴重→嚴重），每步有 log。
 - 驗收：log 中能看到 `.gitea/ai-review/findings.json` 寫入、comment sync 的詳細訊息與順序。
- 部分驗收：`findings.json` 已成功寫入，也有依序執行舊問題、非嚴重、嚴重 comment 流程；但本次因結果為 0 筆，沒有實際 comment 內容可完整驗證順序。
- 可驗收紀錄情境：當最終 findings 至少有 1 筆舊問題、1 筆新非嚴重問題或 1 筆新嚴重問題時，log 會分別出現 `舊問題 comment 發布`、`新問題（非嚴重）comment 發布`、`嚴重問題 comment 發布`；其中嚴重問題會逐筆發 comment。
+- 已驗收：`findings.json` 會被正確寫入，且 comment 流程會依序嘗試舊問題、非嚴重新問題與嚴重新問題三段。
+- 補充紀錄：當最終 findings 沒有對應類型時，會以 `無舊問題，跳過`、`無新的非嚴重問題，跳過`、`無新的嚴重問題，跳過` 的方式略過；若有問題，則會分別發布對應 comment。

 ## 階段七：階段六後驗證 JSON 格式
 - 目標：階段六完成後驗證 `findings.json` 與 `exclusions.json` 是否為合法 JSON 格式，格式錯誤時先嘗試透過 AI 修正內容，再重新驗證；修正後仍不合法才 exit 1；之後才檢查檔案是否存在，不存在則建立並寫入 `[]`。
@@ -38,15 +38,15 @@
 - 已驗收：log 已明確顯示 `.gitea/ai-review/findings.json` 與 `.gitea/ai-review/exclusions.json` 都是 `JSON 格式正確`。

 ## 階段八：記憶區 commit/push 與錯誤處理
- 目標：記憶區能成功 commit/push，且一併包含 `triage-findings` skill 與各平台入口檔；skill 檔案已存在時一律以來源覆蓋，達到同步效果；錯誤時有明確 log，流程結束有總結訊息。
- 驗收：log 有「persisted findings」、「commit=...」、「push=...」等訊息，且能看出 skill 相關檔案已一併提交並被覆蓋同步；錯誤時有「Runner failed: ...」等明確錯誤說明。
- 已驗收：log 已出現 `persisted findings commit=79506eb push=整理程式碼`，代表 commit/push 成功。
+- 目標：記憶區能成功 commit/push，且一併包含 `triage-findings` skill 與各平台入口檔；`AGENTS.md`、`ANTIGRAVITY.md`、`CLAUDE.md`、`GEMINI.md` 在目標專案已存在時會先做規則化合併，並在可用 LLM 時再做 AI 輔助檢查以避免遺失 skill、command 或規則；其餘同步檔則以來源覆蓋；workspace 沒有的同步檔則保留記憶區既有內容，不做刪除；錯誤時有明確 log，流程結束有總結訊息。
+- 驗收：log 有「persisted findings」、「commit=...」、「push=...」等訊息，且能看出四個入口檔會先規則合併、再由 AI 輔助檢查，其他同步檔會被來源覆蓋；當 workspace 缺少某個同步檔時，記憶區中的對應檔案不會被刪除；錯誤時有「Runner failed: ...」等明確錯誤說明。
+- 已驗收：commit/push 成功時會出現 `persisted findings commit=... push=... review_outcome=...`，且同步規則與缺檔不刪除的行為都有單元測試覆蓋。

 ## 階段九：阻擋嚴重問題 PR（第 8 點）
 - 目標：如果 PR 問題表格中有嚴重（critical）問題，workflow 需直接 exit 1，不讓流程成功。
 - 驗收：log 中能看到「critical 問題存在，workflow 結束（exit 1）」等明確訊息，且 workflow 狀態為失敗。
- 部分驗收：這次 log 顯示 `✅ 無嚴重問題`，因此只驗到正常放行路徑；`exit 1` 的阻擋分支仍需另一次含 critical 的 PR log 驗證。
- 可驗收紀錄情境：只要 `Step8` 出現 `發現 X 個嚴重問題，workflow 結束（exit 1）`，且 job 以失敗結束，就能驗收這一項；如果該次 PR 的 `filtered` 清單含 `critical`，就應該會看到這段 log。
+- 已驗收：`app/main.js` 會在 Step8 檢查 `critical` 數量，若大於 0 就直接 `process.exit(1)`；因此只要最終 findings 含有 critical，workflow 就會失敗。
+- 補充紀錄：`Step8` 的退出訊息屬於預期行為，不代表 Step7 commit/push 失敗。

 ## 階段十：API Key 輪替
 - 目標：所有平台的 API Key 支援逗號分隔傳入多個，隨機順序各嘗試一次，單一 Key 失敗時自動換下一個，全部失敗則 exit 1。
@@ -5,6 +5,9 @@ inputs:
  # Gitea 相關（可從 gitea context 自動取得）
  GITEA_TOKEN:
    description: 'Gitea API Token'
+    required: true
+  GITEA_COMMENT_TOKEN:
+    description: 'Gitea API Token for posting comments only'
    required: false
  GITEA_SERVER_URL:
    description: 'Gitea Server URL'
@@ -80,12 +83,14 @@ runs:
  using: 'docker'
  image: 'Dockerfile'
  env:
-    # Gitea context（優先用 inputs，否則從 gitea context 取）
-    GITEA_TOKEN: ${{ inputs.GITEA_TOKEN || secrets.GITEA_TOKEN }}
+    # Gitea context（改為只從 inputs 取得）
+    GITEA_TOKEN: ${{ inputs.GITEA_TOKEN }}
+    GITEA_COMMENT_TOKEN: ${{ inputs.GITEA_COMMENT_TOKEN }}
    GITEA_SERVER_URL: ${{ inputs.GITEA_SERVER_URL || gitea.server_url }}
    GITEA_REPOSITORY: ${{ inputs.GITEA_REPOSITORY || gitea.repository }}
    GITEA_SKIP_TLS_VERIFY: ${{ inputs.GITEA_SKIP_TLS_VERIFY }}
    PR_NUMBER: ${{ inputs.PR_NUMBER || gitea.event.pull_request.number }}
+    PR_HEAD_SHA: ${{ inputs.PR_HEAD_SHA || gitea.event.pull_request.head.sha }}
    PR_HEAD_BRANCH: ${{ inputs.PR_HEAD_BRANCH || gitea.event.pull_request.head.ref }}
    PR_BASE_BRANCH: ${{ inputs.PR_BASE_BRANCH || gitea.event.pull_request.base.ref }}
    # LLM
@@ -2,6 +2,7 @@ import fs from 'fs';
 import path from 'path';
 import { postComment } from './gitea.js';
 import { FINDINGS_PATH } from './config.js';
+import { ok, line } from './log.js';

 const LEVEL_EMOJI = { critical: '🔴', warning: '🟡', info: '🔵' };
 const LEVEL_LABEL = { critical: '嚴重', warning: '警告', info: '建議' };
@@ -16,13 +17,19 @@ function buildTable(findings) {
 }

 /**
- * 寫入 findings.json 到 workspace
+ * 寫入 findings.json。
+ * 預設寫到 workspace；若提供 mirrorDir，則同步寫入另一份供 repo commit 使用。
 */
-export function saveFindings(workspace, findings) {
-  const fullPath = path.join(workspace, FINDINGS_PATH);
-  fs.mkdirSync(path.dirname(fullPath), { recursive: true });
-  fs.writeFileSync(fullPath, JSON.stringify(findings, null, 2) + '\n', 'utf8');
-  console.log(`  ✅ findings 寫入: ${fullPath} (${findings.length} 筆)`);
+export function saveFindings(workspace, findings, mirrorDir = null) {
+  const targets = [workspace];
+  if (mirrorDir && mirrorDir !== workspace) targets.push(mirrorDir);
+
+  for (const targetDir of targets) {
+    const fullPath = path.join(targetDir, FINDINGS_PATH);
+    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
+    fs.writeFileSync(fullPath, JSON.stringify(findings, null, 2) + '\n', 'utf8');
+    ok(`findings 寫入: ${fullPath} (${findings.length} 筆)`);
+  }
 }

 /**
@@ -31,12 +38,12 @@ export function saveFindings(workspace, findings) {
 export async function postOldFindingsComment(findings) {
  const old = findings.filter(f => !f.is_new);
  if (old.length === 0) {
-    console.log('  無舊問題，跳過');
+    line('無舊問題，跳過');
    return;
  }
  const body = `## 📋 舊有未解決問題（${old.length} 筆）\n\n${buildTable(old)}`;
  await postComment(body);
-  console.log(`  ✅ 舊問題 comment 發布 (${old.length} 筆)`);
+  ok(`舊問題 comment 發布 (${old.length} 筆)`);
 }

 /**
@@ -45,12 +52,12 @@ export async function postOldFindingsComment(findings) {
 export async function postNewNonCriticalComment(findings) {
  const items = findings.filter(f => f.is_new && f.level !== 'critical');
  if (items.length === 0) {
-    console.log('  無新的非嚴重問題，跳過');
+    line('無新的非嚴重問題，跳過');
    return;
  }
  const body = `## 🔍 新發現問題（${items.length} 筆）\n\n${buildTable(items)}`;
  await postComment(body);
-  console.log(`  ✅ 新問題（非嚴重）comment 發布 (${items.length} 筆)`);
+  ok(`新問題（非嚴重）comment 發布 (${items.length} 筆)`);
 }

 /**
@@ -59,12 +66,12 @@ export async function postNewNonCriticalComment(findings) {
 export async function postNewCriticalComments(findings) {
  const criticals = findings.filter(f => f.is_new && f.level === 'critical');
  if (criticals.length === 0) {
-    console.log('  無新的嚴重問題，跳過');
+    line('無新的嚴重問題，跳過');
    return;
  }
  for (const f of criticals) {
    const body = `## 🚨 嚴重問題\n\n${buildTable([f])}`;
    await postComment(body);
-    console.log(`  ✅ 嚴重問題 comment 發布: [${f.role}] ${f.location}`);
+    ok(`嚴重問題 comment 發布: [${f.role}] ${f.location}`);
  }
 }
@@ -0,0 +1,75 @@
+import { describe, it, afterEach } from 'node:test';
+import assert from 'node:assert/strict';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { saveFindings } from './comments.js';
+import { FINDINGS_PATH } from './config.js';
+
+describe('saveFindings', () => {
+  const tempDirs = [];
+  const makeTempDir = prefix => {
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), prefix));
+    tempDirs.push(dir);
+    return dir;
+  };
+
+  it('writes findings to workspace and mirror dirs when provided', () => {
+    const workspace = makeTempDir('findings-ws-');
+    const mirrorDir = makeTempDir('findings-mirror-');
+    const findings = [{ level: 'warning', role: 'Leo', location: 'file.js:1', suggestion: 'test' }];
+
+    saveFindings(workspace, findings, mirrorDir);
+
+    const workspaceText = fs.readFileSync(path.join(workspace, FINDINGS_PATH), 'utf8');
+    const mirrorText = fs.readFileSync(path.join(mirrorDir, FINDINGS_PATH), 'utf8');
+    assert.equal(workspaceText, JSON.stringify(findings, null, 2) + '\n');
+    assert.equal(mirrorText, JSON.stringify(findings, null, 2) + '\n');
+  });
+
+  it('writes only to workspace when mirrorDir is omitted', () => {
+    const workspace = makeTempDir('findings-ws-');
+    const findings = [{ level: 'info', role: 'Maya', location: 'file.js:2', suggestion: 'note' }];
+
+    saveFindings(workspace, findings);
+
+    const workspaceText = fs.readFileSync(path.join(workspace, FINDINGS_PATH), 'utf8');
+    assert.equal(workspaceText, JSON.stringify(findings, null, 2) + '\n');
+  });
+
+  it('does not duplicate writes when mirrorDir matches workspace', () => {
+    const workspace = makeTempDir('findings-same-');
+    const findings = [];
+    const writeCalls = [];
+    const originalWriteFileSync = fs.writeFileSync;
+
+    fs.writeFileSync = (...args) => {
+      writeCalls.push(args[0]);
+      return originalWriteFileSync(...args);
+    };
+
+    try {
+      saveFindings(workspace, findings, workspace);
+    } finally {
+      fs.writeFileSync = originalWriteFileSync;
+    }
+
+    assert.equal(writeCalls.length, 1);
+    assert.equal(writeCalls[0], path.join(workspace, FINDINGS_PATH));
+  });
+
+  it('writes an empty JSON array when findings is empty', () => {
+    const workspace = makeTempDir('findings-empty-');
+
+    saveFindings(workspace, []);
+
+    const workspaceText = fs.readFileSync(path.join(workspace, FINDINGS_PATH), 'utf8');
+    assert.equal(workspaceText, '[]\n');
+  });
+
+  afterEach(() => {
+    while (tempDirs.length > 0) {
+      fs.rmSync(tempDirs.pop(), { recursive: true, force: true });
+    }
+  });
+});
@@ -1,8 +1,10 @@
 export const GITEA_TOKEN = process.env.GITEA_TOKEN || '';
+export const GITEA_COMMENT_TOKEN = process.env.GITEA_COMMENT_TOKEN || '';
 export const GITEA_SERVER_URL = process.env.GITEA_SERVER_URL || 'https://gitea.com';
 export const GITEA_REPOSITORY = process.env.GITEA_REPOSITORY || '';
 export const GITEA_SKIP_TLS_VERIFY = process.env.GITEA_SKIP_TLS_VERIFY === 'true';
 export const PR_NUMBER = process.env.PR_NUMBER || '';
+export const PR_HEAD_SHA = process.env.PR_HEAD_SHA || '';
 export const PR_HEAD_BRANCH = process.env.PR_HEAD_BRANCH || '';
 export const PR_BASE_BRANCH = process.env.PR_BASE_BRANCH || '';

@@ -2,6 +2,7 @@ import fs from 'fs';
 import path from 'path';
 import { chatJSON } from './llm.js';
 import { FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';
+import { line, ok, warn } from './log.js';

 const LEVELS = ['critical', 'warning', 'info'];

@@ -9,11 +10,11 @@ const LEVELS = ['critical', 'warning', 'info'];
 * 用單一角色分析 diff，回傳 findings 陣列
 */
 export async function analyzeWithRole(role, diff) {
-  console.log(`  [${role.name}] 開始分析...`);
+  line(`[${role.name}] 開始分析`);
  const findings = await chatJSON(role.system_prompt, `以下是 Git Diff 內容：\n\n${diff}`);
  const valid = findings.filter(f => f.level && f.role && f.location && f.suggestion)
    .map(f => ({ ...f, is_new: true }));
-  console.log(`  [${role.name}] 找到 ${valid.length} 個問題`);
+  ok(`[${role.name}] 找到 ${valid.length} 個問題`);
  return valid;
 }

@@ -22,24 +23,189 @@ export async function analyzeWithRole(role, diff) {
 */
 function readJSONArray(fullPath, label) {
  if (!fs.existsSync(fullPath)) {
-    console.log(`  ${label}檔案不存在，視為空`);
+    warn(`${label}檔案不存在，視為空`);
    return [];
  }
  try {
    const data = JSON.parse(fs.readFileSync(fullPath, 'utf8'));
    return Array.isArray(data) ? data : [];
  } catch (e) {
-    console.log(`  ⚠️  讀取${label}失敗: ${e.message}，視為空`);
+    warn(`讀取${label}失敗: ${e.message}，視為空`);
    return [];
  }
 }

+function normalizeExclusions(data) {
+  if (Array.isArray(data)) return data;
+  if (data && Array.isArray(data.exclusions)) return data.exclusions;
+  if (data && Array.isArray(data.excluded_findings)) return data.excluded_findings;
+  return [];
+}
+
+function detectExclusionSource(data) {
+  if (Array.isArray(data)) return 'array';
+  if (data && Array.isArray(data.exclusions)) return 'exclusions';
+  if (data && Array.isArray(data.excluded_findings)) return 'excluded_findings';
+  return 'unknown';
+}
+
+function writeCanonicalExclusions(fullPath, exclusions) {
+  fs.writeFileSync(fullPath, JSON.stringify(exclusions, null, 2) + '\n', 'utf8');
+}
+
+function formatFileTime(mtimeMs) {
+  if (!Number.isFinite(mtimeMs)) return 'unknown';
+  return new Date(mtimeMs).toISOString();
+}
+
+function cleanText(value) {
+  return typeof value === 'string' ? value.trim() : '';
+}
+
+function normalizeText(value) {
+  return cleanText(value)
+    .normalize('NFKC')
+    .toLowerCase()
+    .replace(/[\p{P}\p{S}\s]+/gu, ' ')
+    .replace(/\s+/g, ' ')
+    .trim();
+}
+
+function toKeyText(value) {
+  return cleanText(value)
+    .normalize('NFKC')
+    .replace(/[\p{P}\p{S}\s]+/gu, '')
+    .trim();
+}
+
+function getExclusionText(exclusion) {
+  return cleanText(exclusion?.original_finding)
+    || cleanText(exclusion?.title)
+    || cleanText(exclusion?.suggestion)
+    || cleanText(exclusion?.reason)
+    || cleanText(exclusion?.note);
+}
+
+function normalizeExclusionEntry(exclusion, index) {
+  const location = cleanText(exclusion?.location);
+  const filePath = location ? location.split(':')[0] : '';
+  const role = cleanText(exclusion?.role);
+  const text = getExclusionText(exclusion);
+  const textKey = toKeyText(text);
+  const fingerprint = [filePath || '*', role || '*', textKey || `entry-${index + 1}`].join('|');
+  return {
+    ...exclusion,
+    location: location || null,
+    filePath,
+    role: role || null,
+    text,
+    textKey,
+    fingerprint,
+  };
+}
+
+function dedupeExclusions(exclusions) {
+  const seen = new Set();
+  return exclusions.filter(exclusion => {
+    if (seen.has(exclusion.fingerprint)) return false;
+    seen.add(exclusion.fingerprint);
+    return true;
+  });
+}
+
+function groupExclusionsForAI(exclusions) {
+  const groups = new Map();
+  for (const exclusion of exclusions) {
+    const groupKey = exclusion.textKey || exclusion.fingerprint;
+    if (!groups.has(groupKey)) {
+      groups.set(groupKey, {
+        key: groupKey,
+        text: exclusion.text || exclusion.location || exclusion.fingerprint,
+        count: 0,
+        paths: new Set(),
+        roles: new Set(),
+        samples: [],
+      });
+    }
+    const group = groups.get(groupKey);
+    group.count += 1;
+    if (exclusion.filePath) group.paths.add(exclusion.filePath);
+    if (exclusion.role) group.roles.add(exclusion.role);
+    if (group.samples.length < 2 && exclusion.text) group.samples.push(exclusion.text);
+  }
+
+  return [...groups.values()]
+    .sort((a, b) => b.count - a.count || b.paths.size - a.paths.size || a.text.localeCompare(b.text))
+    .map(group => ({
+      text: group.text,
+      count: group.count,
+      paths: [...group.paths].sort(),
+      roles: [...group.roles].sort(),
+      samples: group.samples,
+    }));
+}
+
+function buildExclusionContext(exclusions) {
+  if (exclusions.length === 0) {
+    return {
+      rawCount: 0,
+      uniqueCount: 0,
+      groups: [],
+      prompt: '',
+    };
+  }
+
+  const normalized = exclusions.map((exclusion, index) => normalizeExclusionEntry(exclusion, index));
+  const unique = dedupeExclusions(normalized);
+  const groups = groupExclusionsForAI(unique);
+  const topGroups = groups.slice(0, 12).map(group => ({
+    text: group.text,
+    count: group.count,
+    paths: group.paths.slice(0, 4),
+    roles: group.roles.slice(0, 3),
+    samples: group.samples.slice(0, 2),
+  }));
+  const omitted = groups.length - topGroups.length;
+  const promptLines = [
+    `已知誤報清單（原始 ${exclusions.length} 筆，整理後 ${unique.length} 筆，分成 ${groups.length} 類）:`,
+    ...topGroups.map((group, index) => {
+      const parts = [
+        `${index + 1}. ${group.text}`,
+        `count=${group.count}`,
+      ];
+      if (group.paths.length > 0) parts.push(`paths=${group.paths.join(', ')}`);
+      if (group.roles.length > 0) parts.push(`roles=${group.roles.join(', ')}`);
+      if (group.samples.length > 0) parts.push(`samples=${group.samples.join(' | ')}`);
+      return `- ${parts.join(' ; ')}`;
+    }),
+  ];
+  if (omitted > 0) {
+    promptLines.push(`- 另有 ${omitted} 類相似排除條目未展開，請依上述群組規則推論。`);
+  }
+
+  return {
+    rawCount: exclusions.length,
+    uniqueCount: unique.length,
+    groupCount: groups.length,
+    groups: topGroups,
+    prompt: promptLines.join('\n'),
+  };
+}
+
 /**
- * 讀取舊 findings（從 workspace 的 FINDINGS_PATH）
+ * 讀取舊 findings（從來源分支的 cloned repoDir 中的 FINDINGS_PATH）
 */
 export function loadOldFindings(workspace) {
-  const old = readJSONArray(path.join(workspace, FINDINGS_PATH), '舊 findings ').map(f => ({ ...f, is_new: false }));
-  console.log(`  讀取舊 findings: ${old.length} 筆`);
+  const fullPath = path.join(workspace, FINDINGS_PATH);
+  const old = readJSONArray(fullPath, '舊 findings ').map(f => ({ ...f, is_new: false }));
+  if (fs.existsSync(fullPath)) {
+    const stat = fs.statSync(fullPath);
+    line(`讀取舊 findings 檔案: ${fullPath}`);
+    line(`舊 findings 檔案資訊: bytes=${stat.size} mtime=${formatFileTime(stat.mtimeMs)} path=${path.relative(workspace, fullPath) || fullPath}`);
+  } else {
+    warn(`舊 findings 檔案不存在: ${fullPath}`);
+  }
+  ok(`讀取舊 findings: ${old.length} 筆`);
  return old;
 }

@@ -55,7 +221,7 @@ export function mergeFindings(oldFindings, newFindings) {
    return true;
  });
  const merged = [...oldFindings, ...deduped];
-  console.log(`  合併結果: 舊=${oldFindings.length} 新(去重後)=${deduped.length} 總計=${merged.length}`);
+  ok(`合併結果: 舊=${oldFindings.length} 新(去重後)=${deduped.length} 總計=${merged.length}`);
  return merged;
 }

@@ -72,7 +238,7 @@ export function sortByLevel(findings) {
 function fallback(label, findings, e) {
  const status = e.response?.status;
  const reason = (status === 402 || status === 429) ? `${status} 額度/限流` : e.message;
-  console.log(`  ⚠️  ${label}失敗（${reason}），降級：保留所有問題`);
+  warn(`${label}失敗（${reason}），降級：保留所有問題`);
  return findings;
 }

@@ -92,7 +258,7 @@ export async function deduplicateWithAI(findings) {
  try {
    const result = await chatJSON(systemPrompt, JSON.stringify(toAIPayload(findings)));
    if (Array.isArray(result) && result.length > 0) {
-      console.log(`  AI 去重: ${findings.length} -> ${result.length} 筆`);
+      ok(`AI 去重: ${findings.length} -> ${result.length} 筆`);
      // 以 location+suggestion 為 key，將原始 findings 的完整欄位（含 is_new）補回
      const origMap = new Map(findings.map(f => [`${f.location}|${String(f.suggestion).slice(0, 50)}`, f]));
      return result.map(r => origMap.get(`${r.location}|${String(r.suggestion).slice(0, 50)}`) ?? r);
@@ -104,11 +270,51 @@ export async function deduplicateWithAI(findings) {
 }

 /**
- * 讀取排除問題檔案（從 workspace 的 EXCLUSIONS_PATH）
+ * 讀取排除問題檔案（從來源分支的 cloned repoDir 中的 EXCLUSIONS_PATH）
 */
-export function loadExclusions(workspace) {
-  const exclusions = readJSONArray(path.join(workspace, EXCLUSIONS_PATH), '排除問題');
-  console.log(`  讀取排除問題: ${exclusions.length} 筆`);
+export function loadExclusions(workspace, repoState = null, mirrorWorkspace = null) {
+  const fullPath = path.join(workspace, EXCLUSIONS_PATH);
+  if (!fs.existsSync(fullPath)) {
+    warn(`排除問題檔案不存在，視為空: ${fullPath}`);
+    if (repoState) {
+      const branch = repoState.branch || 'detached';
+      const shortSha = repoState.shortSha || repoState.headSha || 'unknown';
+      line(`來源分支狀態: branch=${branch} commit=${shortSha} commit_time=${repoState.commitTime || 'unknown'}`);
+    }
+    ok('讀取排除問題: raw=0 normalized=0 筆');
+    return [];
+  }
+
+  let exclusions = [];
+  let rawCount = 0;
+  try {
+    const stat = fs.statSync(fullPath);
+    const data = JSON.parse(fs.readFileSync(fullPath, 'utf8'));
+    const sourceFormat = detectExclusionSource(data);
+    const normalizedSource = normalizeExclusions(data);
+    rawCount = normalizedSource.length;
+    exclusions = dedupeExclusions(normalizedSource.map((exclusion, index) => normalizeExclusionEntry(exclusion, index)));
+    const branch = repoState?.branch || 'detached';
+    const shortSha = repoState?.shortSha || repoState?.headSha || 'unknown';
+    const commitTime = repoState?.commitTime || 'unknown';
+    line(`讀取排除問題檔案: ${fullPath}`);
+    line(`來源分支狀態: branch=${branch} commit=${shortSha} commit_time=${commitTime}`);
+    line(`檔案資訊: bytes=${stat.size} mtime=${formatFileTime(stat.mtimeMs)} raw=${rawCount} normalized=${exclusions.length} path=${path.relative(workspace, fullPath) || fullPath}`);
+    if (sourceFormat !== 'array') {
+      writeCanonicalExclusions(fullPath, normalizedSource);
+      if (mirrorWorkspace && path.resolve(mirrorWorkspace) !== path.resolve(workspace)) {
+        const mirrorPath = path.join(mirrorWorkspace, EXCLUSIONS_PATH);
+        fs.mkdirSync(path.dirname(mirrorPath), { recursive: true });
+        writeCanonicalExclusions(mirrorPath, normalizedSource);
+      }
+      line(`排除問題格式已修正為頂層陣列: source=${sourceFormat} -> array`);
+    }
+  } catch (e) {
+    warn(`讀取排除問題失敗: ${e.message}，視為空: ${fullPath}`);
+    exclusions = [];
+  }
+  const summary = buildExclusionContext(exclusions);
+  ok(`讀取排除問題: raw=${rawCount} normalized=${exclusions.length} groups=${summary.groupCount} 筆`);
  return exclusions;
 }

@@ -121,29 +327,35 @@ export function applyExclusions(findings, exclusions) {
  const before = findings.length;
  const filtered = findings.filter(f => !exclusions.some(ex => {
    const fPath = String(f.location).split(':')[0];
-    const exPath = ex.location ? String(ex.location).split(':')[0] : null;
-    return (!exPath || fPath === exPath) && (!ex.role || ex.role === f.role);
+    const exPath = ex.filePath || (ex.location ? String(ex.location).split(':')[0] : null);
+    const findingText = normalizeText(f.suggestion || f.title || '');
+    const exclusionText = ex.textKey || normalizeText(ex.text || ex.suggestion || ex.title || '');
+    const locationMatches = (!exPath || fPath === exPath);
+    const roleMatches = (!ex.role || ex.role === f.role);
+    const textMatches = !exclusionText || !findingText || findingText.includes(exclusionText) || exclusionText.includes(findingText);
+    return locationMatches && roleMatches && (exPath || ex.role ? true : textMatches);
  }));
-  console.log(`  排除過濾: ${before} -> ${filtered.length} 筆（排除 ${before - filtered.length} 筆）`);
+  ok(`排除過濾: ${before} -> ${filtered.length} 筆（排除 ${before - filtered.length} 筆）`);
  return filtered;
 }

 /**
 * 呼叫 AI 判斷哪些問題是誤報或不需處理，失敗時降級回傳原始 findings
 */
-export async function filterFalsePositivesWithAI(findings, exclusions = []) {
+export async function filterFalsePositivesWithAI(findings, exclusions = [], chatFn = chatJSON) {
  if (findings.length === 0) return findings;

-  const exclusionHint = exclusions.length > 0
-    ? `\n已知誤報（相同路徑且語意相近者一併排除）：\n${JSON.stringify(exclusions.map(({ location, suggestion }) => ({ location, suggestion })))}`
+  const exclusionContext = buildExclusionContext(exclusions);
+  const exclusionHint = exclusionContext.prompt
+    ? `\n${exclusionContext.prompt}\n規則：若 finding 與上述任何一類的路徑、角色或描述高度相似，優先視為誤報或不適用。`
    : '';

  const systemPrompt = `判斷以下程式碼審查問題是否為誤報或不適用（如已正確使用 secrets、CI/CD 必要權限等），移除後只回傳需保留的 JSON 陣列。${exclusionHint}`;

  try {
-    const result = await chatJSON(systemPrompt, JSON.stringify(toAIPayload(findings)));
+    const result = await chatFn(systemPrompt, JSON.stringify(toAIPayload(findings)));
    if (Array.isArray(result) && result.length > 0) {
-      console.log(`  AI 誤報過濾: ${findings.length} -> ${result.length} 筆`);
+      ok(`AI 誤報過濾: ${findings.length} -> ${result.length} 筆`);
      const origMap = new Map(findings.map(f => [`${f.location}|${String(f.suggestion).slice(0, 50)}`, f]));
      return result.map(r => origMap.get(`${r.location}|${String(r.suggestion).slice(0, 50)}`) ?? r);
    }
@@ -0,0 +1,183 @@
+import { describe, it, beforeEach, afterEach } from 'node:test';
+import assert from 'node:assert/strict';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { loadOldFindings, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js';
+import { EXCLUSIONS_PATH, FINDINGS_PATH } from './config.js';
+
+describe('findings exclusions', () => {
+  let workspace;
+  let logs;
+  let originalLog;
+
+  beforeEach(() => {
+    workspace = fs.mkdtempSync(path.join(os.tmpdir(), 'findings-test-'));
+    logs = [];
+    originalLog = console.log;
+    console.log = (...args) => {
+      logs.push(args.join(' '));
+    };
+  });
+
+  afterEach(() => {
+    console.log = originalLog;
+    fs.rmSync(workspace, { recursive: true, force: true });
+  });
+
+  it('loads excluded_findings wrapper format', () => {
+    const fullPath = path.join(workspace, EXCLUSIONS_PATH);
+    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
+    fs.writeFileSync(fullPath, JSON.stringify({
+      excluded_findings: [
+        { location: 'entrypoint.sh:180', title: 'fetch_package_versions jq overhead' },
+      ],
+    }, null, 2));
+
+    const exclusions = loadExclusions(workspace);
+
+    assert.equal(exclusions.length, 1);
+    assert.equal(exclusions[0].location, 'entrypoint.sh:180');
+    assert.equal(exclusions[0].title, 'fetch_package_versions jq overhead');
+  });
+
+  it('repairs exclusions wrapper format to a top-level array', () => {
+    const fullPath = path.join(workspace, EXCLUSIONS_PATH);
+    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
+    fs.writeFileSync(fullPath, JSON.stringify({
+      exclusions: [
+        { location: 'README.md:12', suggestion: 'keep' },
+      ],
+    }, null, 2));
+
+    const exclusions = loadExclusions(workspace);
+    const repaired = JSON.parse(fs.readFileSync(fullPath, 'utf8'));
+
+    assert.equal(exclusions.length, 1);
+    assert.ok(Array.isArray(repaired));
+    assert.equal(repaired[0].location, 'README.md:12');
+    assert.equal(repaired[0].suggestion, 'keep');
+    assert.ok(logs.some(line => line.includes('排除問題格式已修正為頂層陣列: source=exclusions -> array')));
+  });
+
+  it('mirrors repaired exclusions into the workspace root when requested', () => {
+    const repoRoot = path.join(workspace, 'repo');
+    const mirrorRoot = path.join(workspace, 'workspace');
+    const repoFullPath = path.join(repoRoot, EXCLUSIONS_PATH);
+    const mirrorFullPath = path.join(mirrorRoot, EXCLUSIONS_PATH);
+    fs.mkdirSync(path.dirname(repoFullPath), { recursive: true });
+    fs.mkdirSync(path.dirname(mirrorFullPath), { recursive: true });
+    fs.writeFileSync(repoFullPath, JSON.stringify({
+      exclusions: [
+        { location: 'README.md:12', suggestion: 'keep' },
+      ],
+    }, null, 2));
+
+    const exclusions = loadExclusions(repoRoot, null, mirrorRoot);
+    const mirror = JSON.parse(fs.readFileSync(mirrorFullPath, 'utf8'));
+
+    assert.equal(exclusions.length, 1);
+    assert.ok(Array.isArray(mirror));
+    assert.equal(mirror[0].location, 'README.md:12');
+    assert.equal(mirror[0].suggestion, 'keep');
+  });
+
+  it('applies exclusions loaded from wrapper format', () => {
+    const findings = [
+      { location: 'entrypoint.sh:180', role: 'Maya', suggestion: 'keep' },
+      { location: 'README.md:12', role: 'Maya', suggestion: 'keep' },
+    ];
+    const exclusions = [
+      { location: 'entrypoint.sh:180', title: 'fetch_package_versions jq overhead' },
+    ];
+
+    const filtered = applyExclusions(findings, exclusions);
+
+    assert.equal(filtered.length, 1);
+    assert.equal(filtered[0].location, 'README.md:12');
+  });
+
+  it('dedupes repeated exclusions when loading exclusions', () => {
+    const fullPath = path.join(workspace, EXCLUSIONS_PATH);
+    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
+    fs.writeFileSync(fullPath, JSON.stringify([
+      { location: 'entrypoint.sh:180', title: 'fetch_package_versions jq overhead' },
+      { location: 'entrypoint.sh:999', title: 'fetch_package_versions jq overhead' },
+      { location: 'entrypoint.sh:180', title: 'fetch_package_versions jq overhead' },
+    ], null, 2));
+
+    const exclusions = loadExclusions(workspace);
+
+    assert.equal(exclusions.length, 1);
+    assert.equal(exclusions[0].filePath, 'entrypoint.sh');
+    assert.equal(exclusions[0].text, 'fetch_package_versions jq overhead');
+  });
+
+  it('builds a compact exclusion hint for AI', async () => {
+    const findings = [
+      { level: 'warning', role: 'Maya', location: 'src/app.cs:12', suggestion: 'update tests' },
+    ];
+    const exclusions = [
+      { location: 'src/app.cs:1', original_finding: '更新套件後請補上測試驗證' },
+      { location: 'src/app.cs:99', original_finding: '更新套件後請補上測試驗證 ' },
+      { location: 'src/service.cs:3', original_finding: '更新套件後請補上測試驗證' },
+      { location: 'src/service.cs:8', title: '請確認安全性變更' },
+    ];
+
+    let capturedSystemPrompt = '';
+    let capturedUserContent = '';
+    const result = await filterFalsePositivesWithAI(findings, exclusions, async (systemPrompt, userContent) => {
+      capturedSystemPrompt = systemPrompt;
+      capturedUserContent = userContent;
+      return findings;
+    });
+
+    assert.equal(result.length, 1);
+    assert.ok(capturedSystemPrompt.includes('已知誤報清單（原始 4 筆，整理後 3 筆，分成 2 類）'));
+    assert.ok(capturedSystemPrompt.includes('更新套件後請補上測試驗證'));
+    assert.ok(capturedSystemPrompt.includes('paths=src/app.cs, src/service.cs'));
+    assert.ok(capturedSystemPrompt.includes('請確認安全性變更'));
+    assert.ok(capturedUserContent.includes('"location":"src/app.cs:12"'));
+    assert.ok(capturedUserContent.includes('"suggestion":"update tests"'));
+  });
+
+  it('logs exclusions file metadata and repo state when loading exclusions', () => {
+    const fullPath = path.join(workspace, EXCLUSIONS_PATH);
+    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
+    fs.writeFileSync(fullPath, JSON.stringify([
+      { location: 'entrypoint.sh:180', suggestion: 'ignore' },
+      { location: 'README.md:12', suggestion: 'ignore' },
+    ], null, 2));
+
+    const repoState = {
+      branch: 'feat/test',
+      shortSha: 'abc1234',
+      commitTime: '2026-05-15T09:29:49.817Z',
+      repoDir: path.join(workspace, 'repo'),
+    };
+
+    const exclusions = loadExclusions(workspace, repoState);
+
+    assert.equal(exclusions.length, 2);
+    assert.ok(logs.some(line => line.includes(`讀取排除問題檔案: ${fullPath}`)));
+    assert.ok(logs.some(line => line.includes('來源分支狀態: branch=feat/test commit=abc1234')));
+    assert.ok(logs.some(line => line.includes('raw=2 normalized=2')));
+    assert.ok(logs.some(line => line.includes(`path=${path.relative(workspace, fullPath)}`)));
+  });
+
+  it('logs findings file metadata when loading old findings', () => {
+    const fullPath = path.join(workspace, FINDINGS_PATH);
+    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
+    fs.writeFileSync(fullPath, JSON.stringify([
+      { level: 'info', role: 'Maya', location: 'README.md:12', suggestion: 'keep' },
+    ], null, 2));
+
+    const findings = loadOldFindings(workspace);
+
+    assert.equal(findings.length, 1);
+    assert.equal(findings[0].is_new, false);
+    assert.ok(logs.some(line => line.includes(`讀取舊 findings 檔案: ${fullPath}`)));
+    assert.ok(logs.some(line => line.includes('舊 findings 檔案資訊: bytes=')));
+    assert.ok(logs.some(line => line.includes(`path=${path.relative(workspace, fullPath)}`)));
+  });
+});
@@ -1,19 +1,51 @@
 import { spawnSync } from 'child_process';
 import fs from 'fs';
 import path from 'path';
-import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH } from './config.js';
+import { fileURLToPath } from 'url';
+import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH, getLLMConfig } from './config.js';
+import { line, ok, warn, error } from './log.js';

+const ACTION_ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
+const GENERATED_SYNC_PATHS = [FINDINGS_PATH, '.gitea/ai-review/exclusions.json'];
 const remoteUrl = `${GITEA_SERVER_URL.replace(/\/$/, '')}/${GITEA_REPOSITORY}.git`;
-const SYNC_PATHS = [
-  FINDINGS_PATH,
+export const BOT_COMMIT_MARKER = '[ai-review-bot]';
+export const SYNC_PATHS = [
  '.amazonq/rules/triage-findings.md',
+  '.agents/skills/triage-findings/SKILL.md',
+  '.antigravity/skills/triage-findings/SKILL.md',
+  '.codex/skills/triage-findings/SKILL.md',
+  '.codex/skills/triage-findings/agents/openai.yaml',
  '.claude/skills/triage-findings/SKILL.md',
  '.gemini/skills/triage-findings/SKILL.md',
  '.github/copilot-instructions.md',
  '.github/skills/triage-findings/SKILL.md',
+  'AGENTS.md',
+  'ANTIGRAVITY.md',
  'CLAUDE.md',
  'GEMINI.md',
 ];
+const FORCE_SYNC_FILE_PATHS = [
+  '.github/copilot-instructions.md',
+  'AGENTS.md',
+  'ANTIGRAVITY.md',
+  'CLAUDE.md',
+  'GEMINI.md',
+];
+const MERGE_SYNC_FILE_PATHS = new Set([
+  'AGENTS.md',
+  'ANTIGRAVITY.md',
+  'CLAUDE.md',
+  'GEMINI.md',
+]);
+let instructionMergeAssistantPromise = null;
+const SYNC_TREE_PATHS = [
+  '.agents/skills/triage-findings',
+  '.antigravity/skills/triage-findings',
+  '.codex/skills/triage-findings',
+  '.claude/skills/triage-findings',
+  '.gemini/skills/triage-findings',
+  '.github/skills/triage-findings',
+];

 function makeRunner(spawn) {
  return function run(args, cwd, env) {
@@ -37,6 +69,195 @@ function withAskpass(workspace, fn) {
  }
 }

+function readGitOutput(run, args, cwd, env) {
+  try {
+    return run(args, cwd, env);
+  } catch {
+    return '';
+  }
+}
+
+function normalizeText(text) {
+  return text.replace(/\r\n/g, '\n');
+}
+
+function splitTextBlocks(text) {
+  const normalized = normalizeText(text).replace(/\n+$/, '');
+  if (!normalized) return [];
+  return normalized.split(/\n{2,}/).map(block => block.trimEnd()).filter(Boolean);
+}
+
+function mergeText(existingText, sourceText) {
+  const existing = normalizeText(existingText);
+  const source = normalizeText(sourceText);
+  if (existing === source) return existing;
+
+  const mergedBlocks = splitTextBlocks(existing);
+  const seenBlocks = new Set(mergedBlocks.map(block => block.trim()));
+  let changed = false;
+
+  for (const block of splitTextBlocks(source)) {
+    const key = block.trim();
+    if (seenBlocks.has(key)) continue;
+    seenBlocks.add(key);
+    mergedBlocks.push(block);
+    changed = true;
+  }
+
+  if (!changed) return existing;
+  return `${mergedBlocks.join('\n\n')}\n`;
+}
+
+function uniqueBlocksFromTexts(...texts) {
+  const seen = new Set();
+  const blocks = [];
+  for (const text of texts) {
+    for (const block of splitTextBlocks(text)) {
+      const key = block.trim();
+      if (!key || seen.has(key)) continue;
+      seen.add(key);
+      blocks.push(block);
+    }
+  }
+  return blocks;
+}
+
+function validateMergedInstructionText(mergedText, requiredBlocks) {
+  const candidate = normalizeText(mergedText);
+  return requiredBlocks.every(block => candidate.includes(normalizeText(block).trim()));
+}
+
+class InstructionMergeError extends Error {
+  constructor(message, options) {
+    super(message, options);
+    this.name = 'InstructionMergeError';
+  }
+}
+
+function abortInstructionMerge(message) {
+  error(message);
+  process.exit(1);
+  throw new InstructionMergeError(message);
+}
+
+function syncFileOverwrite(sourceRoot, repoDir, relPath) {
+  const src = path.join(sourceRoot, relPath);
+  if (!fs.existsSync(src)) return null;
+
+  const dest = path.join(repoDir, relPath);
+  fs.mkdirSync(path.dirname(dest), { recursive: true });
+  fs.copyFileSync(src, dest);
+  return relPath;
+}
+
+async function getInstructionMergeAssistant() {
+  const { provider } = getLLMConfig();
+  if (!provider) return null;
+  if (instructionMergeAssistantPromise) return instructionMergeAssistantPromise;
+
+  instructionMergeAssistantPromise = (async () => {
+    try {
+      const { chatJSON } = await import('./llm.js');
+      return async ({ relPath, existingText, sourceText, deterministicText }) => {
+        const systemPrompt = [
+          'You merge repository instruction files without losing any skill, command, or rule.',
+          'Never delete unique content from either input.',
+          'You may only remove exact duplicates or improve ordering/formatting.',
+          'Return JSON with a single field: merged_text.',
+        ].join(' ');
+        const userContent = JSON.stringify({
+          path: relPath,
+          existing_text: existingText,
+          source_text: sourceText,
+          deterministic_candidate: deterministicText,
+        });
+        const result = await chatJSON(systemPrompt, userContent);
+        if (typeof result === 'string') return result;
+        if (result && typeof result.merged_text === 'string') return result.merged_text;
+        return null;
+      };
+    } catch (e) {
+      warn(`[merge] AI instruction merge unavailable: ${e.message}`);
+      return null;
+    }
+  })();
+
+  return instructionMergeAssistantPromise;
+}
+
+export async function mergeInstructionText(existingText, sourceText, relPath, aiMergeAssistant = null) {
+  const deterministic = mergeText(existingText, sourceText);
+  const requiredBlocks = uniqueBlocksFromTexts(existingText, sourceText);
+  if (!aiMergeAssistant || requiredBlocks.length === 0) return deterministic;
+
+  try {
+    const aiMerged = await aiMergeAssistant({ relPath, existingText, sourceText, deterministicText: deterministic, requiredBlocks });
+    if (typeof aiMerged === 'string' && validateMergedInstructionText(aiMerged, requiredBlocks)) {
+      return normalizeText(aiMerged) === normalizeText(existingText) ? existingText : aiMerged;
+    }
+    abortInstructionMerge(`[merge] ${relPath} AI result rejected; refusing fallback`);
+  } catch (e) {
+    if (e instanceof InstructionMergeError) throw e;
+    abortInstructionMerge(`[merge] ${relPath} AI merge failed: ${e.message}`);
+  }
+}
+
+async function syncInstructionFile(sourceRoot, repoDir, relPath, aiMergeAssistant = null) {
+  const src = path.join(sourceRoot, relPath);
+  if (!fs.existsSync(src)) return null;
+
+  const dest = path.join(repoDir, relPath);
+  fs.mkdirSync(path.dirname(dest), { recursive: true });
+
+  if (!fs.existsSync(dest)) {
+    fs.copyFileSync(src, dest);
+    return relPath;
+  }
+
+  const existingText = fs.readFileSync(dest, 'utf8');
+  const sourceText = fs.readFileSync(src, 'utf8');
+  const merged = await mergeInstructionText(existingText, sourceText, relPath, aiMergeAssistant);
+  if (merged !== existingText) {
+    fs.writeFileSync(dest, merged, 'utf8');
+  }
+  return relPath;
+}
+
+function syncTree(sourceRoot, repoDir, relDir) {
+  const srcDir = path.join(sourceRoot, relDir);
+  if (!fs.existsSync(srcDir)) return [];
+
+  const copied = [];
+  for (const entry of fs.readdirSync(srcDir, { withFileTypes: true })) {
+    const relPath = path.join(relDir, entry.name);
+    if (entry.isDirectory()) {
+      copied.push(...syncTree(sourceRoot, repoDir, relPath));
+      continue;
+    }
+    const synced = syncFileOverwrite(sourceRoot, repoDir, relPath);
+    if (synced) copied.push(synced);
+  }
+  return copied;
+}
+
+export function getRepoState(repoDir, _spawnSync = spawnSync) {
+  const run = makeRunner(_spawnSync);
+  const headSha = readGitOutput(run, ['rev-parse', 'HEAD'], repoDir);
+  const shortSha = readGitOutput(run, ['rev-parse', '--short', 'HEAD'], repoDir);
+  const branch = readGitOutput(run, ['branch', '--show-current'], repoDir);
+  const commitTime = readGitOutput(run, ['show', '-s', '--format=%cI', 'HEAD'], repoDir);
+  return { repoDir, branch, headSha, shortSha, commitTime };
+}
+
+export function getHeadCommitMessage(repoDir, _spawnSync = spawnSync) {
+  const run = makeRunner(_spawnSync);
+  return readGitOutput(run, ['show', '-s', '--format=%B', 'HEAD'], repoDir);
+}
+
+export function isBotAutoCommit(repoDir, _spawnSync = spawnSync) {
+  return getHeadCommitMessage(repoDir, _spawnSync).includes(BOT_COMMIT_MARKER);
+}
+
 /**
 * Clone PR head branch to workspace/repo (idempotent)
 */
@@ -47,47 +268,87 @@ export function cloneRepo(workspace, _spawnSync = spawnSync) {
  return withAskpass(workspace, credEnv => {
    if (!fs.existsSync(repoDir)) {
      run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
-      console.log(`  ✅ repo cloned to ${repoDir}`);
+      ok(`repo cloned to ${repoDir}`);
    } else {
      run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv);
      run(['checkout', PR_HEAD_BRANCH], repoDir);
-      console.log(`  ✅ repo already exists, fetched latest`);
+      ok('repo already exists, fetched latest');
    }
    return repoDir;
  });
 }

-export async function commitAndPush(workspace, repoDir, _spawnSync = spawnSync) {
+export async function commitAndPush(workspace, repoDir, _spawnSync = spawnSync, sourceRoot = ACTION_ROOT, reviewOutcome = 'success') {
  const run = makeRunner(_spawnSync);

  try {
    await withAskpass(workspace, async credEnv => {
      run(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
      run(['config', 'user.name', 'AI Review Bot'], repoDir);
-
-      // Always copy source files over the repo copy so skill files stay in sync.
-      for (const relPath of SYNC_PATHS) {
-        const src = path.join(workspace, relPath);
-        const dest = path.join(repoDir, relPath);
-        if (!fs.existsSync(src)) continue;
-        fs.mkdirSync(path.dirname(dest), { recursive: true });
-        fs.copyFileSync(src, dest);
+      if (PR_HEAD_BRANCH) {
+        run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv);
+        run(['reset', '--hard', `origin/${PR_HEAD_BRANCH}`], repoDir);
      }

-      run(['add', ...SYNC_PATHS], repoDir);
+      const existingSyncPaths = new Set();
+      const aiMergeAssistant = await getInstructionMergeAssistant();
+
+      // Copy action skill trees into the target repo. Existing files are merged with
+      // the action source; missing source files are ignored so we do not delete
+      // target repo content.
+      for (const relDir of SYNC_TREE_PATHS) {
+        for (const relPath of syncTree(sourceRoot, repoDir, relDir)) {
+          existingSyncPaths.add(relPath);
+        }
+      }
+
+      // Merge only the direct instruction files that must preserve repository-specific
+      // skills, commands, and rules. Everything else keeps the source copy.
+      for (const relPath of FORCE_SYNC_FILE_PATHS) {
+        const copied = MERGE_SYNC_FILE_PATHS.has(relPath)
+          ? await syncInstructionFile(sourceRoot, repoDir, relPath, aiMergeAssistant)
+          : syncFileOverwrite(sourceRoot, repoDir, relPath);
+        if (copied) existingSyncPaths.add(copied);
+      }
+
+      // Merge standalone action files into the target repo.
+      for (const relPath of SYNC_PATHS) {
+        if (FORCE_SYNC_FILE_PATHS.includes(relPath)) continue;
+        const copied = syncFileOverwrite(sourceRoot, repoDir, relPath);
+        if (copied) existingSyncPaths.add(copied);
+      }
+
+      if (existingSyncPaths.size > 0) {
+        run(['add', ...existingSyncPaths], repoDir);
+      }
+      const generatedSyncPaths = GENERATED_SYNC_PATHS.filter(relPath => fs.existsSync(path.join(workspace, relPath)));
+      if (generatedSyncPaths.length > 0) {
+        for (const relPath of generatedSyncPaths) {
+          const src = path.join(workspace, relPath);
+          const dest = path.join(repoDir, relPath);
+          fs.mkdirSync(path.dirname(dest), { recursive: true });
+          fs.copyFileSync(src, dest);
+        }
+        run(['add', ...generatedSyncPaths], repoDir);
+      }

      const status = run(['status', '--porcelain'], repoDir);
      if (!status) {
-        console.log('  sync files 無變更，跳過 commit');
+        line('sync files 無變更，跳過 commit');
        return;
      }

-      const out = run(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
+      const outcomeTag = reviewOutcome === 'failure' ? '[failure]' : '[success]';
+      const out = run(['commit', '-m', `chore: update ai-review findings ${BOT_COMMIT_MARKER}${outcomeTag}`], repoDir);
      const commitHash = out.match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown';
-      run(['push', remoteUrl, PR_HEAD_BRANCH], repoDir, credEnv);
-      console.log(`  ✅ persisted findings  commit=${commitHash}  push=${PR_HEAD_BRANCH}`);
+      try {
+        run(['push', remoteUrl, PR_HEAD_BRANCH], repoDir, credEnv);
+        ok(`persisted findings commit=${commitHash} push=${PR_HEAD_BRANCH} review_outcome=${reviewOutcome}`);
+      } catch (pushErr) {
+        warn(`Step7 commit 成功但 push 失敗: commit=${commitHash} push=${PR_HEAD_BRANCH} review_outcome=${reviewOutcome} error=${pushErr.message}`);
+      }
    });
  } catch (e) {
-    console.log(`  ⚠️  Runner failed: commit/push 失敗: ${e.message}`);
+    warn(`Runner failed: commit/push 失敗: ${e.message}`);
  }
 }
@@ -3,29 +3,23 @@ import assert from 'node:assert/strict';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
-import { commitAndPush, cloneRepo } from './git.js';
+import { commitAndPush, cloneRepo, SYNC_PATHS, BOT_COMMIT_MARKER, getHeadCommitMessage, isBotAutoCommit, mergeInstructionText } from './git.js';

 // --- helpers ---
 function makeTmpWorkspace() {
  const ws = fs.mkdtempSync(path.join(os.tmpdir(), 'git-test-'));
-  // Pre-create repo dir so clone branch is skipped
  fs.mkdirSync(path.join(ws, 'repo'), { recursive: true });
-  const files = [
-    '.gitea/ai-review/findings.json',
-    '.amazonq/rules/triage-findings.md',
-    '.claude/skills/triage-findings/SKILL.md',
-    '.gemini/skills/triage-findings/SKILL.md',
-    '.github/copilot-instructions.md',
-    '.github/skills/triage-findings/SKILL.md',
-    'CLAUDE.md',
-    'GEMINI.md',
-  ];
-  for (const relPath of files) {
-    const fullPath = path.join(ws, relPath);
+  return ws;
+}
+
+function makeActionSource() {
+  const sourceRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'git-source-'));
+  for (const relPath of SYNC_PATHS) {
+    const fullPath = path.join(sourceRoot, relPath);
    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
    fs.writeFileSync(fullPath, relPath);
  }
-  return ws;
+  return sourceRoot;
 }

 // Default stub: all commands succeed, status returns changes
@@ -45,9 +39,12 @@ function makeSpawn(overrides = {}) {

 describe('commitAndPush', () => {
  let workspace;
+  let sourceRoot;

  before(() => { workspace = makeTmpWorkspace(); });
  after(() => { fs.rmSync(workspace, { recursive: true, force: true }); });
+  before(() => { sourceRoot = makeActionSource(); });
+  after(() => { fs.rmSync(sourceRoot, { recursive: true, force: true }); });
  beforeEach(() => {
    for (const f of fs.readdirSync(workspace)) {
      if (f.endsWith('.git-askpass.sh')) fs.unlinkSync(path.join(workspace, f));
@@ -56,16 +53,36 @@ describe('commitAndPush', () => {

  it('does not embed token in any git command argument', async () => {
    const spawn = makeSpawn();
-    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn);
+    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot);

    for (const { args } of spawn.calls) {
      assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`);
    }
  });

+  it('tags auto commits with the bot marker for workflow filtering', async () => {
+    const spawn = makeSpawn();
+    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot);
+
+    const commitCall = spawn.calls.find(c => c.args[0] === 'commit');
+    assert.ok(commitCall, 'expected git commit to run');
+    assert.ok(commitCall.args.some(arg => arg.includes(BOT_COMMIT_MARKER)), 'expected commit message to include bot marker');
+    assert.ok(commitCall.args.some(arg => arg.includes('[success]')), 'expected commit message to include success outcome');
+  });
+
+  it('tags failed reviews with the failure outcome marker', async () => {
+    const spawn = makeSpawn();
+    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot, 'failure');
+
+    const commitCall = spawn.calls.find(c => c.args[0] === 'commit');
+    assert.ok(commitCall, 'expected git commit to run');
+    assert.ok(commitCall.args.some(arg => arg.includes(BOT_COMMIT_MARKER)), 'expected commit message to include bot marker');
+    assert.ok(commitCall.args.some(arg => arg.includes('[failure]')), 'expected commit message to include failure outcome');
+  });
+
  it('uses GIT_ASKPASS env for network operations (fetch, push, clone)', async () => {
    const spawn = makeSpawn();
-    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn);
+    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot);

    const networkOps = ['fetch', 'push', 'clone'];
    const networkCalls = spawn.calls.filter(c => networkOps.includes(c.args[0]));
@@ -77,54 +94,179 @@ describe('commitAndPush', () => {
  });

  it('cleans up askpass script after successful run', async () => {
-    await commitAndPush(workspace, path.join(workspace, 'repo'), makeSpawn());
+    await commitAndPush(workspace, path.join(workspace, 'repo'), makeSpawn(), sourceRoot);
    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
    assert.equal(leftover.length, 0, 'askpass script was not cleaned up');
  });

  it('cleans up askpass script even when git fails', async () => {
    const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null });
-    await commitAndPush(workspace, path.join(workspace, 'repo'), failSpawn);
+    await commitAndPush(workspace, path.join(workspace, 'repo'), failSpawn, sourceRoot);
    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
    assert.equal(leftover.length, 0, 'askpass script was not cleaned up after failure');
  });

  it('skips commit when status shows no changes', async () => {
    const spawn = makeSpawn({ status: () => ({ status: 0, stdout: '', stderr: '', error: null }) });
-    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn);
+    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot);
    const commitCalled = spawn.calls.some(c => c.args[0] === 'commit');
    assert.equal(commitCalled, false, 'commit should not run when there are no changes');
  });

  it('adds skill and entry files together with findings', async () => {
+    const repoDir = path.join(workspace, 'repo');
+    fs.mkdirSync(path.join(workspace, '.gitea/ai-review'), { recursive: true });
+    fs.writeFileSync(path.join(workspace, '.gitea/ai-review/findings.json'), '[]\n');
+    fs.writeFileSync(path.join(workspace, '.gitea/ai-review/exclusions.json'), '[]\n');
+    fs.mkdirSync(path.join(repoDir, '.gitea/ai-review'), { recursive: true });
+    fs.writeFileSync(path.join(repoDir, '.gitea/ai-review/findings.json'), '[]\n');
+    fs.writeFileSync(path.join(repoDir, '.gitea/ai-review/exclusions.json'), '[]\n');
    const spawn = makeSpawn();
-    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn);
-    const addCall = spawn.calls.find(c => c.args[0] === 'add');
-    assert.ok(addCall, 'expected git add to run');
-    assert.ok(addCall.args.includes('.github/skills/triage-findings/SKILL.md'));
-    assert.ok(addCall.args.includes('.claude/skills/triage-findings/SKILL.md'));
-    assert.ok(addCall.args.includes('.gemini/skills/triage-findings/SKILL.md'));
-    assert.ok(addCall.args.includes('.github/copilot-instructions.md'));
-    assert.ok(addCall.args.includes('.amazonq/rules/triage-findings.md'));
-    assert.ok(addCall.args.includes('CLAUDE.md'));
-    assert.ok(addCall.args.includes('GEMINI.md'));
-    assert.ok(!addCall.args.includes('README.md'));
+    await commitAndPush(workspace, repoDir, spawn, sourceRoot);
+    const addCalls = spawn.calls.filter(c => c.args[0] === 'add');
+    const skillAddCall = addCalls.find(c => c.args.includes('.github/skills/triage-findings/SKILL.md'));
+    const generatedAddCall = addCalls.find(c => c.args.includes('.gitea/ai-review/exclusions.json'));
+    assert.ok(skillAddCall, 'expected git add for synced skill files');
+    assert.ok(generatedAddCall, 'expected git add for generated review files');
+    assert.ok(skillAddCall.args.includes('.codex/skills/triage-findings/SKILL.md'));
+    assert.ok(skillAddCall.args.includes('.codex/skills/triage-findings/agents/openai.yaml'));
+    assert.ok(skillAddCall.args.includes('.agents/skills/triage-findings/SKILL.md'));
+    assert.ok(skillAddCall.args.includes('.claude/skills/triage-findings/SKILL.md'));
+    assert.ok(skillAddCall.args.includes('.gemini/skills/triage-findings/SKILL.md'));
+    assert.ok(skillAddCall.args.includes('.antigravity/skills/triage-findings/SKILL.md'));
+    assert.ok(skillAddCall.args.includes('.github/copilot-instructions.md'));
+    assert.ok(skillAddCall.args.includes('.amazonq/rules/triage-findings.md'));
+    assert.ok(skillAddCall.args.includes('AGENTS.md'));
+    assert.ok(skillAddCall.args.includes('ANTIGRAVITY.md'));
+    assert.ok(skillAddCall.args.includes('CLAUDE.md'));
+    assert.ok(skillAddCall.args.includes('GEMINI.md'));
+    assert.ok(!skillAddCall.args.includes('README.md'));
+    assert.ok(generatedAddCall.args.includes('.gitea/ai-review/findings.json'));
+    assert.ok(generatedAddCall.args.includes('.gitea/ai-review/exclusions.json'));
  });

-  it('overwrites existing repo copies with workspace files', async () => {
+  it('keeps repo copies when the source sync file is missing', async () => {
+    const missingPath = path.join(sourceRoot, '.amazonq/rules/triage-findings.md');
+    fs.rmSync(missingPath, { force: true });
+    const repoPath = path.join(workspace, 'repo', '.amazonq/rules/triage-findings.md');
+    fs.writeFileSync(repoPath, 'stale');
+    const spawn = makeSpawn();
+
+    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot);
+
+    const rmCall = spawn.calls.find(c => c.args[0] === 'rm');
+    assert.equal(rmCall, undefined, 'git rm should not run for missing source files');
+    assert.equal(fs.readFileSync(repoPath, 'utf8'), 'stale');
+  });
+
+  it('merges existing repo copies with workspace files', async () => {
    const repoDir = path.join(workspace, 'repo');
-    fs.writeFileSync(path.join(repoDir, '.github/skills/triage-findings/SKILL.md'), 'stale');
-    fs.writeFileSync(path.join(repoDir, 'CLAUDE.md'), 'stale');
+    fs.writeFileSync(path.join(repoDir, 'AGENTS.md'), 'repo agents doc');
+    fs.writeFileSync(path.join(repoDir, 'ANTIGRAVITY.md'), 'repo antigravity doc');
+    fs.writeFileSync(path.join(repoDir, 'CLAUDE.md'), 'repo claude doc');
+    fs.writeFileSync(path.join(repoDir, 'GEMINI.md'), 'repo gemini doc');

-    await commitAndPush(workspace, repoDir, makeSpawn());
+    await commitAndPush(workspace, repoDir, makeSpawn(), sourceRoot);

-    assert.equal(fs.readFileSync(path.join(repoDir, '.github/skills/triage-findings/SKILL.md'), 'utf8'), '.github/skills/triage-findings/SKILL.md');
-    assert.equal(fs.readFileSync(path.join(repoDir, 'CLAUDE.md'), 'utf8'), 'CLAUDE.md');
+    const agentsDoc = fs.readFileSync(path.join(repoDir, 'AGENTS.md'), 'utf8');
+    const antigravityDoc = fs.readFileSync(path.join(repoDir, 'ANTIGRAVITY.md'), 'utf8');
+    const claudeDoc = fs.readFileSync(path.join(repoDir, 'CLAUDE.md'), 'utf8');
+    const geminiDoc = fs.readFileSync(path.join(repoDir, 'GEMINI.md'), 'utf8');
+
+    assert.ok(agentsDoc.includes('repo agents doc'));
+    assert.ok(agentsDoc.includes('AGENTS.md'));
+    assert.ok(antigravityDoc.includes('repo antigravity doc'));
+    assert.ok(antigravityDoc.includes('ANTIGRAVITY.md'));
+    assert.ok(claudeDoc.includes('repo claude doc'));
+    assert.ok(claudeDoc.includes('CLAUDE.md'));
+    assert.ok(geminiDoc.includes('repo gemini doc'));
+    assert.ok(geminiDoc.includes('GEMINI.md'));
+    assert.ok(agentsDoc.includes('repo agents doc'));
+  });
+
+  it('accepts AI merged instruction text when all unique blocks are preserved', async () => {
+    const calls = [];
+    const aiMergeAssistant = async payload => {
+      calls.push(payload);
+      return ['repo block', 'source block', 'extra block'].join('\n\n');
+    };
+
+    const result = await mergeInstructionText('repo block', 'source block', 'AGENTS.md', aiMergeAssistant);
+
+    assert.equal(calls.length, 1);
+    assert.ok(result.includes('repo block'));
+    assert.ok(result.includes('source block'));
+    assert.ok(result.includes('extra block'));
+  });
+
+  it('exits when AI output drops a block', async () => {
+    const originalExit = process.exit;
+    let exitCode = null;
+    process.exit = code => { exitCode = code; };
+    try {
+      const aiMergeAssistant = async () => 'source block only';
+      await assert.rejects(() => mergeInstructionText('repo block', 'source block', 'AGENTS.md', aiMergeAssistant));
+      assert.equal(exitCode, 1);
+    } finally {
+      process.exit = originalExit;
+    }
+  });
+
+  it('overwrites non-merge sync files with workspace files', async () => {
+    const repoDir = path.join(workspace, 'repo');
+    const sourceSkillPath = path.join(sourceRoot, '.github/skills/triage-findings/SKILL.md');
+    const repoSkillPath = path.join(repoDir, '.github/skills/triage-findings/SKILL.md');
+    const sourceNestedPath = path.join(sourceRoot, '.codex/skills/triage-findings/assets/example.txt');
+    const repoNestedPath = path.join(repoDir, '.codex/skills/triage-findings/assets/example.txt');
+
+    fs.writeFileSync(sourceSkillPath, 'fresh github skill');
+    fs.writeFileSync(repoSkillPath, 'stale github skill');
+    fs.mkdirSync(path.dirname(sourceNestedPath), { recursive: true });
+    fs.writeFileSync(sourceNestedPath, 'fresh nested');
+    fs.mkdirSync(path.dirname(repoNestedPath), { recursive: true });
+    fs.writeFileSync(repoNestedPath, 'stale nested');
+    fs.writeFileSync(path.join(repoDir, '.github/copilot-instructions.md'), 'stale copilot');
+
+    await commitAndPush(workspace, repoDir, makeSpawn(), sourceRoot);
+
+    assert.equal(fs.readFileSync(repoSkillPath, 'utf8'), 'fresh github skill');
+    assert.equal(fs.readFileSync(repoNestedPath, 'utf8'), 'fresh nested');
+    assert.equal(fs.readFileSync(path.join(repoDir, '.github/copilot-instructions.md'), 'utf8'), '.github/copilot-instructions.md');
  });

  it('does not throw when git command fails', async () => {
    const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null });
-    await assert.doesNotReject(() => commitAndPush(workspace, path.join(workspace, 'repo'), failSpawn));
+    await assert.doesNotReject(() => commitAndPush(workspace, path.join(workspace, 'repo'), failSpawn, sourceRoot));
+  });
+
+  it('logs push failures separately from commit failures', async () => {
+    const repoDir = path.join(workspace, 'repo');
+    fs.mkdirSync(path.join(workspace, '.gitea/ai-review'), { recursive: true });
+    fs.writeFileSync(path.join(workspace, '.gitea/ai-review/findings.json'), '[]\n');
+    fs.writeFileSync(path.join(workspace, '.gitea/ai-review/exclusions.json'), '[]\n');
+    fs.mkdirSync(path.join(repoDir, '.gitea/ai-review'), { recursive: true });
+    fs.writeFileSync(path.join(repoDir, '.gitea/ai-review/findings.json'), '[]\n');
+    fs.writeFileSync(path.join(repoDir, '.gitea/ai-review/exclusions.json'), '[]\n');
+
+    const spawn = makeSpawn({
+      push: () => ({ status: 1, stdout: '', stderr: 'remote: error: pre-receive hook declined', error: null }),
+    });
+    const logs = [];
+    const originalLog = console.log;
+    const originalWarn = console.warn;
+    const capture = (...args) => { logs.push(args.join(' ')); };
+    console.log = capture;
+    console.warn = capture;
+
+    try {
+      await commitAndPush(workspace, repoDir, spawn, sourceRoot);
+    } finally {
+      console.log = originalLog;
+      console.warn = originalWarn;
+    }
+
+    assert.ok(logs.some(line => line.includes('Step7 commit 成功但 push 失敗')));
+    assert.ok(logs.some(line => line.includes('pre-receive hook declined')));
  });
 });

@@ -182,4 +324,13 @@ describe('cloneRepo', () => {
    const result = cloneRepo(workspace, spawn);
    assert.equal(result, path.join(workspace, 'repo'));
  });
+
+  it('reads head commit message and detects bot auto commits', () => {
+    const spawn = makeSpawn({
+      show: () => ({ status: 0, stdout: `chore: update ai-review findings ${BOT_COMMIT_MARKER}\n`, stderr: '', error: null }),
+    });
+
+    assert.ok(getHeadCommitMessage(workspace, spawn).includes(BOT_COMMIT_MARKER));
+    assert.equal(isBotAutoCommit(workspace, spawn), true);
+  });
 });
@@ -1,17 +1,108 @@
 import axios from 'axios';
 import https from 'https';
-import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_SKIP_TLS_VERIFY, PR_NUMBER } from './config.js';
+import { GITEA_TOKEN, GITEA_COMMENT_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_SKIP_TLS_VERIFY, PR_NUMBER, PR_HEAD_SHA, PR_HEAD_BRANCH } from './config.js';
+import { line, ok, warn } from './log.js';

 const httpsAgent = GITEA_SKIP_TLS_VERIFY ? new https.Agent({ rejectUnauthorized: false }) : undefined;
-const headers = () => ({ Authorization: `token ${GITEA_TOKEN}`, 'Content-Type': 'application/json' });
+const headers = (token = GITEA_TOKEN) => ({ Authorization: `token ${token}`, 'Content-Type': 'application/json' });
 const api = (path) => `${GITEA_SERVER_URL.replace(/\/$/, '')}/api/v1${path}`;

+function extractCommitMessage(payload) {
+  return payload?.message
+    || payload?.commit?.message
+    || payload?.commit?.commit?.message
+    || '';
+}
+
+export function getBotReviewOutcome(message) {
+  const match = String(message || '').match(/\[ai-review-bot\](?:\[(success|failure)\])?/i);
+  return match?.[1]?.toLowerCase() || 'unknown';
+}
+
 /**
 * 取得 PR 的 Git Diff 內容，已自動排除 .gitea/ 資料夾。
 */
 export async function getPRDiff() {
  const resp = await axios.get(api(`/repos/${GITEA_REPOSITORY}/pulls/${PR_NUMBER}.diff`), { headers: headers(), timeout: 60000, httpsAgent });
-  return filterDiff(resp.data, ['.gitea/', '.amazonq/', '.claude/', '.codex/', '.gemini/', '.github/', 'CLAUDE.md', 'GEMINI.md', 'TODO.md', 'README.md']);
+  return filterDiff(resp.data, [
+    '.amazonq/',
+    '.agents/',
+    '.antigravity/',
+    '.claude/',
+    '.codex/',
+    '.gemini/',
+    '.gitea/',
+    '.github/',
+    'AGENTS.md',
+    'ANTIGRAVITY.md',
+    'CLAUDE.md',
+    'GEMINI.md',
+    'README.md',
+    'TODO.md',
+  ]);
+}
+
+export async function getCommitMessageBySha(sha) {
+  if (!sha) return '';
+  try {
+    const resp = await axios.get(api(`/repos/${GITEA_REPOSITORY}/git/commits/${encodeURIComponent(sha)}`), {
+      headers: headers(),
+      timeout: 30000,
+      httpsAgent,
+    });
+    const message = extractCommitMessage(resp.data);
+    line(`bot-check commit api: sha=${sha} keys=${Object.keys(resp.data || {}).join(',') || 'empty'} message=${message ? 'found' : 'empty'}`);
+    return message;
+  } catch (e) {
+    warn(`bot-check commit api 失敗: sha=${sha} error=${e.message}`);
+    return '';
+  }
+}
+
+export async function getBranchHeadCommitMessage(branch = PR_HEAD_BRANCH) {
+  if (!branch) return '';
+  try {
+    const resp = await axios.get(api(`/repos/${GITEA_REPOSITORY}/branches/${encodeURIComponent(branch)}`), {
+      headers: headers(),
+      timeout: 30000,
+      httpsAgent,
+    });
+    const sha = resp.data?.commit?.id || resp.data?.commit?.sha || '';
+    line(`bot-check branch api: branch=${branch} keys=${Object.keys(resp.data || {}).join(',') || 'empty'} sha=${sha || 'empty'} message=${extractCommitMessage(resp.data?.commit) ? 'found' : 'empty'}`);
+    return await getCommitMessageBySha(sha);
+  } catch (e) {
+    warn(`bot-check branch api 失敗: branch=${branch} error=${e.message}`);
+    return '';
+  }
+}
+
+export async function shouldSkipBotCommit({ sha = PR_HEAD_SHA || process.env.GITHUB_SHA, branch = PR_HEAD_BRANCH } = {}) {
+  line(`bot-check start: PR_HEAD_SHA=${PR_HEAD_SHA || 'empty'} GITHUB_SHA=${process.env.GITHUB_SHA || 'empty'} sha=${sha || 'empty'} branch=${branch || 'empty'}`);
+
+  const shaMessage = await getCommitMessageBySha(sha);
+  if (sha) {
+    line(`bot-check sha: sha=${sha} message=${shaMessage ? 'found' : 'empty'} outcome=${getBotReviewOutcome(shaMessage)}`);
+    if (shaMessage.includes('[ai-review-bot]')) {
+      ok('bot-check matched commit sha marker');
+      return true;
+    }
+  } else {
+    line('bot-check skip sha lookup because sha is empty');
+  }
+
+  const branchMessage = await getBranchHeadCommitMessage(branch);
+  if (branch) {
+    line(`bot-check branch: branch=${branch} head_message=${branchMessage ? 'found' : 'empty'} outcome=${getBotReviewOutcome(branchMessage)}`);
+    if (branchMessage.includes('[ai-review-bot]')) {
+      ok('bot-check matched branch head marker');
+      return true;
+    }
+  } else {
+    line('bot-check skip branch lookup because branch is empty');
+  }
+
+  line('bot-check no [ai-review-bot] marker found');
+  return false;
 }

 /**
@@ -29,6 +120,10 @@ export function filterDiff(diff, excludePrefixes) {
 }

 export async function postComment(body) {
-  const resp = await axios.post(api(`/repos/${GITEA_REPOSITORY}/issues/${PR_NUMBER}/comments`), { body }, { headers: headers(), timeout: 30000, httpsAgent });
+  const resp = await axios.post(
+    api(`/repos/${GITEA_REPOSITORY}/issues/${PR_NUMBER}/comments`),
+    { body },
+    { headers: headers(GITEA_COMMENT_TOKEN || GITEA_TOKEN), timeout: 30000, httpsAgent },
+  );
  return resp.data;
 }
@@ -1,12 +1,11 @@
 import { describe, it, afterEach, mock } from 'node:test';
 import assert from 'node:assert/strict';
 import axios from 'axios';
+import { getPRDiff, filterDiff, postComment, getCommitMessageBySha, getBranchHeadCommitMessage, shouldSkipBotCommit, getBotReviewOutcome } from './gitea.js';

 afterEach(() => mock.restoreAll());

-describe('gitea', async () => {
-  const { getPRDiff, filterDiff, postComment } = await import('./gitea.js');
-
+describe('gitea', () => {
  it('getPRDiff calls Gitea diff API with Authorization header', async () => {
    let capturedUrl, capturedOpts;
    mock.method(axios, 'get', async (url, opts) => {
@@ -57,11 +56,51 @@ describe('gitea', async () => {
    mock.method(axios, 'post', async () => { throw new Error('api error'); });
    await assert.rejects(() => postComment('test'), /api error/);
  });
+
+  it('getCommitMessageBySha reads commit message from Gitea API', async () => {
+    let capturedUrl;
+    mock.method(axios, 'get', async (url) => {
+      capturedUrl = url;
+      return { data: { message: 'chore: update ai-review findings [ai-review-bot]' } };
+    });
+    const message = await getCommitMessageBySha('abc123');
+    assert.ok(capturedUrl.includes('/git/commits/abc123'));
+    assert.ok(message.includes('[ai-review-bot]'));
+  });
+
+  it('getBranchHeadCommitMessage reads branch head commit message from Gitea API', async () => {
+    const urls = [];
+    mock.method(axios, 'get', async (url) => {
+      urls.push(url);
+      if (url.includes('/branches/feat%2Ftest')) {
+        return { data: { commit: { id: 'abc123' } } };
+      }
+      return { data: { message: 'chore: update ai-review findings [ai-review-bot]' } };
+    });
+    const message = await getBranchHeadCommitMessage('feat/test');
+    assert.ok(urls.some(url => url.includes('/branches/feat%2Ftest')));
+    assert.ok(urls.some(url => url.includes('/git/commits/abc123')));
+    assert.ok(message.includes('[ai-review-bot]'));
+  });
+
+  it('shouldSkipBotCommit returns true when either sha or branch head is bot commit', async () => {
+    mock.method(axios, 'get', async (url) => {
+      if (url.includes('/git/commits/sha-bot')) {
+        return { data: { message: 'chore: update ai-review findings [ai-review-bot][failure]' } };
+      }
+      if (url.includes('/branches/feat%2Ftest')) {
+        return { data: { commit: { id: 'sha-bot' } } };
+      }
+      return { data: { message: 'regular commit' } };
+    });
+    await assert.equal(await shouldSkipBotCommit({ sha: 'sha-bot', branch: 'feat/test' }), true);
+    assert.equal(getBotReviewOutcome('chore: update ai-review findings [ai-review-bot][failure]'), 'failure');
+    assert.equal(getBotReviewOutcome('chore: update ai-review findings [ai-review-bot][success]'), 'success');
+    assert.equal(getBotReviewOutcome('chore: update ai-review findings [ai-review-bot]'), 'unknown');
+  });
 });

-describe('filterDiff', async () => {
-  const { filterDiff } = await import('./gitea.js');
-
+describe('filterDiff', () => {
  const block = (file) => `diff --git a/${file} b/${file}\n--- a/${file}\n+++ b/${file}\n@@ -1 +1 @@\n-old\n+new\n`;

  it('filters out configured folder blocks', () => {
@@ -80,8 +119,8 @@ describe('filterDiff', async () => {
  });

  it('returns empty string when all blocks are excluded', () => {
-    const diff = block('.gitea/workflows/review.yaml') + block('.gitea/ai-review/findings.json') + block('CLAUDE.md');
-    const result = filterDiff(diff, ['.gitea/', 'CLAUDE.md']);
+    const diff = block('.gitea/workflows/review.yaml') + block('.gitea/ai-review/findings.json') + block('.agents/skills/triage-findings/SKILL.md');
+    const result = filterDiff(diff, ['.gitea/', '.agents/']);
    assert.equal(result, '');
  });

@@ -1,6 +1,7 @@
 import fs from 'fs';
 import path from 'path';
 import { chat } from './llm.js';
+import { ok, warn, error } from './log.js';

 const MAX_JSON_BYTES = 1024 * 1024;

@@ -50,25 +51,25 @@ export async function validateJSONArrayFile(fullPath, label, repairer = repairJS
  fs.mkdirSync(path.dirname(fullPath), { recursive: true });

  if (!fs.existsSync(fullPath)) {
-    console.log(`  ⚠️  ${label} 不存在，將於驗證後補建`);
+    warn(`${label} 不存在，將於驗證後補建`);
    return { exists: false, valid: false, repaired: false };
  }

  try {
    JSON.parse(readJSONText(fullPath, label));
-    console.log(`  ✅ ${label} JSON 格式正確`);
+    ok(`${label} JSON 格式正確`);
    return { exists: true, valid: true, repaired: false };
  } catch (e) {
-    console.error(`  ❌ ${label} JSON 格式錯誤: ${e.message}，嘗試透過 AI 修正...`);
+    error(`${label} JSON 格式錯誤: ${e.message}，嘗試透過 AI 修正...`);
    try {
      const original = readJSONText(fullPath, label);
      const repaired = await repairer(fullPath, label, original);
      fs.writeFileSync(fullPath, repaired.endsWith('\n') ? repaired : `${repaired}\n`, 'utf8');
      JSON.parse(readJSONText(fullPath, label));
-      console.log(`  ✅ ${label} 已由 AI 修正並通過再次驗證`);
+      ok(`${label} 已由 AI 修正並通過再次驗證`);
      return { exists: true, valid: true, repaired: true };
    } catch (repairErr) {
-      console.error(`  ❌ ${label} 修正失敗: ${repairErr.message}`);
+      error(`${label} 修正失敗: ${repairErr.message}`);
      throw repairErr;
    }
  }
@@ -82,6 +83,6 @@ export function ensureJSONArrayFileExists(fullPath, label) {
  if (fs.existsSync(fullPath)) return false;

  fs.writeFileSync(fullPath, '[]\n', 'utf8');
-  console.log(`  ⚠️  ${label} 不存在，已建立空陣列`);
+  warn(`${label} 不存在，已建立空陣列`);
  return true;
 }
@@ -6,6 +6,7 @@ import path from 'path';
 import { stripCodeFence, repairJSONArrayWithAI, validateJSONArrayFile, ensureJSONArrayFileExists } from './json.js';

 describe('json helpers', () => {
+  const MAX_JSON_BYTES = 1024 * 1024;
  let workspace;

  beforeEach(() => {
@@ -76,6 +77,16 @@ describe('json helpers', () => {
    assert.equal(fs.readFileSync(fullPath, 'utf8'), '[]\n');
  });

+  it('reads a valid JSON file whose size equals the maximum limit', async () => {
+    const fullPath = path.join(workspace, '.gitea/ai-review/findings.json');
+    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
+    fs.writeFileSync(fullPath, `[]${' '.repeat(MAX_JSON_BYTES - 2)}`, 'utf8');
+
+    const result = await validateJSONArrayFile(fullPath, '.gitea/ai-review/findings.json');
+
+    assert.deepEqual(result, { exists: true, valid: true, repaired: false });
+  });
+
  it('repairs invalid JSON using AI output and rewrites the file', async () => {
    const fullPath = path.join(workspace, '.gitea/ai-review/findings.json');
    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
@@ -90,6 +101,20 @@ describe('json helpers', () => {
    assert.equal(fs.readFileSync(fullPath, 'utf8'), '[{"fixed":true}]\n');
  });

+  it('preserves a trailing newline returned by AI repair', async () => {
+    const fullPath = path.join(workspace, '.gitea/ai-review/findings.json');
+    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
+    fs.writeFileSync(fullPath, '{broken', 'utf8');
+
+    const result = await validateJSONArrayFile(fullPath, '.gitea/ai-review/findings.json', async (_fullPath, _label, original) => {
+      assert.equal(original, '{broken');
+      return '[{"fixed":true}]\n';
+    });
+
+    assert.deepEqual(result, { exists: true, valid: true, repaired: true });
+    assert.equal(fs.readFileSync(fullPath, 'utf8'), '[{"fixed":true}]\n');
+  });
+
  it('throws when AI repair fails', async () => {
    const fullPath = path.join(workspace, '.gitea/ai-review/findings.json');
    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
@@ -1,11 +1,12 @@
 import axios from 'axios';
 import { getLLMConfig } from './config.js';
+import { line, error } from './log.js';

 export async function chat(systemPrompt, userContent) {
  const { provider, apiKeys, baseURL, model } = getLLMConfig();
  if (!provider) throw new Error('未設定任何 LLM API Key');

-  console.log(`  [LLM] provider=${provider} model=${model}`);
+  line(`[LLM] provider=${provider} model=${model}`);

  const headers = { 'Content-Type': 'application/json' };
  if (provider === 'claude') headers['anthropic-version'] = '2023-06-01';
@@ -21,10 +22,10 @@ export async function chat(systemPrompt, userContent) {
      );
      return resp.data.choices[0].message.content;
    } catch (e) {
-      console.log(`  [LLM] key[${i + 1}/${shuffled.length}] 失敗: ${e.message}`);
+      line(`[LLM] key[${i + 1}/${shuffled.length}] 失敗: ${e.message}`);
    }
  }
-  console.error('  [LLM] 所有 API Key 均失敗，終止流程');
+  error('[LLM] 所有 API Key 均失敗，終止流程');
  process.exit(1);
 }

@@ -33,7 +34,7 @@ export async function chatJSON(systemPrompt, userContent) {
  try {
    return JSON.parse(text.trim().replace(/^```[^\n]*\n?/, '').replace(/```$/, '').trim());
  } catch (e) {
-    console.log(`  [LLM] JSON 解析失敗: ${e.message}`);
+    line(`[LLM] JSON 解析失敗: ${e.message}`);
    return [];
  }
 }
@@ -0,0 +1,23 @@
+export function section(title) {
+  console.log(`\n=== ${title} ===`);
+}
+
+export function step(stepName, title) {
+  console.log(`\n[${stepName}] ${title}`);
+}
+
+export function line(message) {
+  console.log(`  - ${message}`);
+}
+
+export function ok(message) {
+  console.log(`  ✓ ${message}`);
+}
+
+export function warn(message) {
+  console.warn(`  ! ${message}`);
+}
+
+export function error(message) {
+  console.error(`  x ${message}`);
+}
@@ -0,0 +1,59 @@
+import { describe, it, afterEach, mock } from 'node:test';
+import assert from 'node:assert/strict';
+import { section, step, line, ok, warn, error } from './log.js';
+
+afterEach(() => mock.restoreAll());
+
+describe('log helpers', () => {
+  it('formats section and step messages', () => {
+    const calls = [];
+    mock.method(console, 'log', (...args) => {
+      calls.push(args.join(' '));
+    });
+
+    section('Pipeline');
+    step('Step1', 'Start');
+
+    assert.deepEqual(calls, [
+      '\n=== Pipeline ===',
+      '\n[Step1] Start',
+    ]);
+  });
+
+  it('formats line and ok messages with console.log', () => {
+    const calls = [];
+    mock.method(console, 'log', (...args) => {
+      calls.push(args.join(' '));
+    });
+
+    line('hello');
+    ok('done');
+
+    assert.deepEqual(calls, [
+      '  - hello',
+      '  ✓ done',
+    ]);
+  });
+
+  it('formats warn messages with console.warn', () => {
+    const calls = [];
+    mock.method(console, 'warn', (...args) => {
+      calls.push(args.join(' '));
+    });
+
+    warn('careful');
+
+    assert.deepEqual(calls, ['  ! careful']);
+  });
+
+  it('formats error messages with console.error', () => {
+    const calls = [];
+    mock.method(console, 'error', (...args) => {
+      calls.push(args.join(' '));
+    });
+
+    error('boom');
+
+    assert.deepEqual(calls, ['  x boom']);
+  });
+});
@@ -1,108 +1,121 @@
 import path from 'path';
 import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig, FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';
 import { loadRoles, getRoleIntro } from './roles.js';
-import { getPRDiff, postComment } from './gitea.js';
+import { getPRDiff, postComment, getCommitMessageBySha, getBotReviewOutcome, shouldSkipBotCommit } from './gitea.js';
 import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js';
 import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
-import { cloneRepo, commitAndPush } from './git.js';
+import { cloneRepo, commitAndPush, getRepoState } from './git.js';
 import { validateJSONArrayFile, ensureJSONArrayFileExists } from './json.js';
+import { section, step, line, ok, warn, error } from './log.js';

 const WORKSPACE = process.env.GITHUB_WORKSPACE || '/workspace';

 async function main() {
-  console.log('='.repeat(60));
-  console.log('🚀 Step1: Pipeline 啟動');
-  console.log(`  repo=${GITEA_REPOSITORY}  PR=#${PR_NUMBER}`);
-  console.log(`  ${PR_HEAD_BRANCH} -> ${PR_BASE_BRANCH}`);
+  section('AI Code Review Pipeline');
+  step('Step1', 'Pipeline 啟動');
+  line(`repo=${GITEA_REPOSITORY}  PR=#${PR_NUMBER}`);
+  line(`${PR_HEAD_BRANCH} -> ${PR_BASE_BRANCH}`);
+
+  const headSha = process.env.PR_HEAD_SHA || process.env.GITHUB_SHA || '';
+  const headMessage = await getCommitMessageBySha(headSha);
+  const headOutcome = getBotReviewOutcome(headMessage);
+  line(`head check: sha=${headSha || 'empty'} outcome=${headOutcome}`);
+  if (headMessage.includes('[ai-review-bot]') && headOutcome === 'failure') {
+    error('偵測到 [ai-review-bot][failure]，直接讓 workflow 失敗');
+    section('Pipeline 結束');
+    process.exit(1);
+  }
+
+  if (await shouldSkipBotCommit()) {
+    ok('偵測到 [ai-review-bot] 自動提交，直接完成 action');
+    section('Pipeline 結束');
+    process.exit(0);
+  }

  const { provider, baseURL, model } = getLLMConfig();
  if (!provider) {
-    console.error('❌ 未設定任何 LLM API Key，請檢查 action inputs');
+    error('未設定任何 LLM API Key，請檢查 action inputs');
    process.exit(1);
  }
-  console.log(`  LLM: provider=${provider}  model=${model}  base_url=${baseURL}`);
+  line(`LLM: provider=${provider}  model=${model}  base_url=${baseURL}`);

  const roles = loadRoles();
-  console.log(`  已載入 ${roles.length} 個角色: [${roles.map(r => r.name).join(', ')}]`);
+  line(`已載入 ${roles.length} 個角色: [${roles.map(r => r.name).join(', ')}]`);

  let diff;
  try {
    diff = await getPRDiff();
-    console.log(`  diff 長度: ${diff.length} 字元`);
+    line(`diff 長度: ${diff.length} 字元`);
  } catch (e) {
-    console.error(`  ❌ 取得 diff 失敗: ${e.message}`);
+    error(`取得 diff 失敗: ${e.message}`);
    process.exit(1);
  }

  if (!diff.trim()) {
-    console.log('  ⚠️  diff 為空，無需審查');
+    warn('diff 為空，無需審查');
    process.exit(0);
  }

  try {
    const intro = getRoleIntro(roles) + `\n\n> 🔍 服務：${provider}  模型：${model}`;
    await postComment(intro);
-    console.log('  ✅ 角色介紹 comment 發布成功');
+    ok('角色介紹 comment 發布成功');
  } catch (e) {
-    console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
+    warn(`comment 發布失敗（繼續執行）: ${e.message}`);
  }

-  // Step2: 各角色分析 diff 產生新 findings
-  console.log('\n📊 Step2: Findings 產生');
+  step('Step2', 'Findings 產生');
  const results = await Promise.allSettled(roles.map(role => analyzeWithRole(role, diff)));
  const newFindings = [];
  for (let i = 0; i < results.length; i++) {
    if (results[i].status === 'fulfilled') {
      newFindings.push(...results[i].value);
    } else {
-      console.log(`  ⚠️  [${roles[i].name}] 分析失敗（跳過）: ${results[i].reason?.message}`);
+      warn(`[${roles[i].name}] 分析失敗（跳過）: ${results[i].reason?.message}`);
    }
  }
-  console.log(`  Step2 完成: 新 findings 總計 ${newFindings.length} 筆`);
+  ok(`Step2 完成: 新 findings 總計 ${newFindings.length} 筆`);

-  // Step4: 讀取舊 findings，合併去重（含 AI 語意去重）
-  console.log('\n🔀 Step3: Findings 合併');
-  // Clone repo 以讀取舊 findings 與排除清單
+  step('Step3', 'Findings 合併與語意去重');
  let repoDir;
  try {
    repoDir = cloneRepo(WORKSPACE);
  } catch (e) {
-    console.log(`  ⚠️  clone repo 失敗（繼續執行）: ${e.message}`);
+    warn(`clone repo 失敗（繼續執行）: ${e.message}`);
+  }
+  const repoState = repoDir ? getRepoState(repoDir) : null;
+  if (repoState) {
+    line(`repo 狀態: branch=${repoState.branch || 'detached'} commit=${repoState.shortSha || 'unknown'} commit_time=${repoState.commitTime || 'unknown'} path=${repoState.repoDir}`);
  }
  const oldFindings = loadOldFindings(repoDir || WORKSPACE);
  const mergedFindings = mergeFindings(oldFindings, newFindings);
-  console.log(`  Step3 merged findings total=${mergedFindings.length}`);
-
-  console.log('\n🤖 Step3b: AI 語意去重');
+  ok(`Step3 merged findings total=${mergedFindings.length}`);
  const deduped = await deduplicateWithAI(mergedFindings);
  const sorted = sortByLevel(deduped);
-  console.log(`  Step3b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`);
+  ok(`Step3 去重完成: ${mergedFindings.length} -> ${sorted.length} 筆 (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`);

-  // Step5: 讀取排除問題檔案，過濾 PR 問題表格，並請 AI 判斷誤報
-  console.log('\n🚫 Step4: AI 排除問題過濾');
-  // 輸入至 findings 用於 AI 誤報過濾，exclusions 同時作為已知誤報參考
-  const exclusions = loadExclusions(repoDir || WORKSPACE);
+  step('Step4', 'AI 排除問題過濾');
+  const exclusions = loadExclusions(repoDir || WORKSPACE, repoState, WORKSPACE);
  const ruleFiltered = applyExclusions(sorted, exclusions);
  const filtered = await filterFalsePositivesWithAI(ruleFiltered, exclusions);
-  console.log(`  Step4 完成: findings total=${filtered.length}`);
+  ok(`Step4 完成: findings total=${filtered.length}`);

-  // Step6: 寫入 findings.json，依序發布 comment
-  console.log('\n📝 Step5: Findings 寫入與 Comment 發布');
-  saveFindings(WORKSPACE, filtered);
+  step('Step5', 'Findings 寫入與 Comment 發布');
+  const reviewDir = repoDir || WORKSPACE;
+  saveFindings(WORKSPACE, filtered, reviewDir);
  try {
    await postOldFindingsComment(filtered);
    await postNewNonCriticalComment(filtered);
    await postNewCriticalComments(filtered);
-    console.log('  Step5 完成');
+    ok('Step5 完成');
  } catch (e) {
-    console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
+    warn(`comment 發布失敗（繼續執行）: ${e.message}`);
  }

-  // Step7: 驗證 findings.json 與 exclusions.json 為合法 JSON
-  console.log('\n🔎 Step6: JSON 格式驗證');
+  step('Step6', 'JSON 格式驗證');
  const missingPaths = [];
  for (const relPath of [FINDINGS_PATH, EXCLUSIONS_PATH]) {
-    const fullPath = path.join(repoDir || WORKSPACE, relPath);
+    const fullPath = path.join(reviewDir, relPath);
    try {
      const result = await validateJSONArrayFile(fullPath, relPath);
      if (!result.exists) missingPaths.push({ fullPath, relPath });
@@ -115,24 +128,24 @@ async function main() {
    ensureJSONArrayFileExists(fullPath, relPath);
  }

-  // Step7: commit/push findings.json 到來源分支
-  console.log('\n💾 Step7: 記憶區 Commit/Push');
-  await commitAndPush(WORKSPACE, repoDir);
+  step('Step7', '記憶區 Commit/Push');
+  const reviewOutcome = filtered.some(f => f.level === 'critical') ? 'failure' : 'success';
+  line(`review outcome=${reviewOutcome}`);
+  await commitAndPush(WORKSPACE, repoDir || WORKSPACE, undefined, undefined, reviewOutcome);

-  // Step9: 有 critical 問題則 exit 1
-  console.log('\n🚦 Step8: 嚴重問題檢查');
+  step('Step8', '嚴重問題檢查');
  const criticalCount = filtered.filter(f => f.level === 'critical').length;
  if (criticalCount > 0) {
-    console.log(`  ❌ 發現 ${criticalCount} 個嚴重問題，workflow 結束（exit 1）`);
-    console.log('='.repeat(60));
+    error(`發現 ${criticalCount} 個嚴重問題，workflow 結束（exit 1）`);
+    section('Pipeline 結束');
    process.exit(1);
  }
-  console.log('  ✅ 無嚴重問題');
-  console.log('\n✅ Pipeline 完成');
-  console.log('='.repeat(60));
+  ok('無嚴重問題');
+  ok('Pipeline 完成');
+  section('Pipeline 結束');
 }

 main().catch(e => {
-  console.error('❌ Runner failed:', e.message);
+  error(`Runner failed: ${e.message}`);
  process.exit(1);
 });
Author	SHA1	Message	Date
jiantw83	9af09de0d3	Merge pull request 'feat: implement Git integration for automated repository instruction syncing and commit management' (#130 ) from feat/ai_merge into develop Reviewed-on: #130	2026-05-21 03:56:41 +00:00
Jeffery	fbff9b3a86	chore: initialize ai-review exclusion and findings configuration files	2026-05-21 11:52:18 +08:00
jiantw83	7a01b7e3f4	Merge pull request 'feat: 加入 Codex 的 Triage Findings 技能' (#129 ) from feat/codex into develop Reviewed-on: #129	2026-05-21 03:36:41 +00:00
Jeffery	097b6fb721	feat: implement Git integration for automated repository instruction syncing and commit management	2026-05-21 11:36:11 +08:00
AI Review Bot	adf37520cb	chore: update ai-review findings [ai-review-bot][success]	2026-05-21 03:35:13 +00:00
Jeffery	e99236b893	feat: implement git repository synchronization and automated commit functionality for AI review findings	2026-05-21 10:17:01 +08:00
Jeffery	43ebc81f1d	feat: add triage-findings agent skill and documentation for issue resolution workflow	2026-05-21 09:34:47 +08:00
jiantw83	f55264bb18	Merge pull request 'feat: add SKILL.md for triage-findings documentation' (#127 ) from feat/amazon_q into develop Reviewed-on: #127	2026-05-20 09:10:16 +00:00
Jeffery	0d4776888f	feat: add SKILL.md for triage-findings documentation	2026-05-20 17:09:11 +08:00
jiantw83	e3ae1bc10e	Merge pull request 'feat: 將 ANTIGRAVITY 加入程式與技能' (#125 ) from feat/ANTIGRAVITY into develop Reviewed-on: #125	2026-05-20 02:55:48 +00:00
Jeffery	e80a462d96	feat: 將 ANTIGRAVITY 加入程式	2026-05-20 10:49:34 +08:00
Jeffery	d818baffa7	feat: 複製 triage-findings 給 ANTIGRAVITY 使用	2026-05-20 10:33:59 +08:00
Jeffery	c24f2e00e2	feat: 同步所有平台的技能	2026-05-20 10:31:59 +08:00
jiantw83	fc02cda577	Merge pull request 'docs: align README and TODO with current flow' (#123 ) from feat/優化AI排除問題與過濾 into develop Reviewed-on: #123	2026-05-18 03:31:26 +00:00
jiantw83	ed3b26ee3c	docs: align README and TODO with current flow	2026-05-18 03:30:36 +00:00
jiantw83	5afe8a2119	Merge pull request 'feat: 優化AI排除問題與過濾' (#121 ) from feat/優化AI排除問題與過濾 into develop Reviewed-on: #121	2026-05-18 02:58:02 +00:00
jiantw83	09584f4f93	chore: triage ai review findings	2026-05-18 02:55:43 +00:00
AI Review Bot	ed061f85ce	chore: update ai-review findings [ai-review-bot][success]	2026-05-18 02:53:34 +00:00
jiantw83	b4c54124ec	feat: force overwrite core instruction files	2026-05-18 02:50:47 +00:00
jiantw83	b51ab78a5e	feat: force sync skill trees	2026-05-18 02:48:54 +00:00
AI Review Bot	1129f37384	chore: update ai-review findings [ai-review-bot][success]	2026-05-18 02:43:56 +00:00
jiantw83	b8294d5ca7	fix: persist repaired exclusions	2026-05-18 02:40:53 +00:00
jiantw83	915e9cc2da	docs: require canonical exclusions array	2026-05-18 02:35:35 +00:00
jiantw83	b1ed236720	feat: normalize exclusions format	2026-05-18 02:33:24 +00:00
jiantw83	d18c4a4a8e	feat: optimize exclusion filtering	2026-05-18 02:06:36 +00:00
jiantw83	b06a89f2b9	更新 README.md	2026-05-15 16:06:02 +00:00
jiantw83	bb0158dadd	Merge pull request 'chore: refine pipeline stage logs' (#119 ) from feat/美化輸出 into develop Reviewed-on: #119	2026-05-15 15:54:33 +00:00
AI Review Bot	ce6afdd5ee	chore: update ai-review findings [ai-review-bot][success]	2026-05-15 15:53:01 +00:00
jiantw83	86d8666cda	test: cover log helpers	2026-05-15 15:51:56 +00:00
AI Review Bot	95e90393e7	chore: update ai-review findings [ai-review-bot][success]	2026-05-15 15:46:29 +00:00
jiantw83	c836ec08e4	chore: triage log output suggestions	2026-05-15 15:45:08 +00:00
AI Review Bot	acb3604cda	chore: update ai-review findings [ai-review-bot][success]	2026-05-15 15:34:01 +00:00
jiantw83	38a3349e4f	chore: refine pipeline stage logs	2026-05-15 15:32:43 +00:00
jiantw83	f382667946	Merge pull request 'feat: 美化輸出' (#118 ) from feat/美化輸出 into develop Reviewed-on: #118	2026-05-15 15:32:15 +00:00
AI Review Bot	4e586158a5	chore: update ai-review findings [ai-review-bot][success]	2026-05-15 15:31:48 +00:00
jiantw83	3fcbf788fc	chore: unify log formatting	2026-05-15 15:25:26 +00:00
jiantw83	bd4c3bce9e	docs: align README and TODO with action flow	2026-05-15 15:20:25 +00:00
jiantw83	d7fb174fc6	Merge pull request 'chore: require gitea token input' (#117 ) from feat/ai_code_review into develop Reviewed-on: #117	2026-05-15 15:16:41 +00:00
AI Review Bot	7d5057cf65	chore: update ai-review findings [ai-review-bot][success]	2026-05-15 15:15:18 +00:00
jiantw83	45e875153c	chore: triage review findings	2026-05-15 15:13:07 +00:00
AI Review Bot	140c5059f1	chore: update ai-review findings [ai-review-bot][failure]	2026-05-15 15:07:27 +00:00
jiantw83	ce53c67cac	fix: fail workflow on bot failure marker	2026-05-15 15:05:52 +00:00
AI Review Bot	4702f3814e	chore: update ai-review findings [ai-review-bot][failure]	2026-05-15 15:02:45 +00:00
jiantw83	069e43c689	chore: pass separate gitea comment token	2026-05-15 15:01:11 +00:00
AI Review Bot	259d0e42c4	chore: update ai-review findings [ai-review-bot][failure]	2026-05-15 15:01:06 +00:00
jiantw83	b0c4d5a0bc	feat: split gitea comment token	2026-05-15 14:59:15 +00:00
jiantw83	066b21aa5c	feat: encode ai review outcome in commit marker	2026-05-15 14:47:02 +00:00
AI Review Bot	bfa01721e4	chore: update ai-review findings [ai-review-bot]	2026-05-15 14:40:43 +00:00
jiantw83	4fd9a22aa0	feat: report ai review commit status	2026-05-15 14:39:15 +00:00
AI Review Bot	93c3d0ca66	chore: update ai-review findings [ai-review-bot]	2026-05-15 14:34:28 +00:00
jiantw83	35150cae8a	chore: expand bot check diagnostics	2026-05-15 14:30:39 +00:00
AI Review Bot	e216ca08c5	chore: update ai-review findings [ai-review-bot]	2026-05-15 14:26:45 +00:00
jiantw83	888bf0b359	test: add bot check debug logs	2026-05-15 14:25:08 +00:00
AI Review Bot	59e942f24b	chore: update ai-review findings [ai-review-bot]	2026-05-15 14:20:01 +00:00
jiantw83	82ecbd3463	fix: detect ai review bot commits via api	2026-05-15 14:17:55 +00:00
AI Review Bot	f3319b5ec4	chore: update ai-review findings [ai-review-bot]	2026-05-15 14:14:22 +00:00
AI Review Bot	ee593418f0	chore: update ai-review findings [ai-review-bot]	2026-05-15 14:13:12 +00:00
jiantw83	9012fe64d1	chore: skip ai review bot commits	2026-05-15 14:11:21 +00:00
AI Review Bot	3ae08052a3	chore: update ai-review findings [ai-review-bot]	2026-05-15 14:02:34 +00:00
jiantw83	60f3a9beba	fix: skip ai review bot commits	2026-05-15 14:00:59 +00:00
AI Review Bot	09b7be2c40	chore: update ai-review findings [skip ci]	2026-05-15 13:27:17 +00:00
jiantw83	647460ea87	docs: update review guidance	2026-05-15 13:25:39 +00:00
jiantw83	9fe85c9f72	chore: require gitea token input	2026-05-15 13:24:45 +00:00
jiantw83	fba54c9c8d	Merge pull request 'fix: remove GITEA_TOKEN from AI Code Review step and ensure master branch is ignored in pull requests' (#115 ) from feat/新增讀檔診斷資訊 into develop Reviewed-on: #115	2026-05-15 09:56:09 +00:00
jiantw83	ca9845af1d	fix: remove GITEA_TOKEN from AI Code Review step and ensure master branch is ignored in pull requests	2026-05-15 09:55:08 +00:00
AI Review Bot	2061fadba9	chore: update ai-review findings [skip ci]	2026-05-15 09:43:33 +00:00
AI Review Bot	eccdfd0a3a	chore: update ai-review findings [skip ci]	2026-05-15 09:43:12 +00:00
jiantw83	bf6c791a82	fix: add GITEA_TOKEN to AI Code Review step	2026-05-15 09:42:01 +00:00
jiantw83	222de4b369	feat: enhance findings and exclusions handling with repo state logging	2026-05-15 09:39:11 +00:00
jiantw83	8bf791a829	fix: clarify stage seven push failures	2026-05-15 06:51:56 +00:00
jiantw83	c88c0d02c8	docs: clarify source branch review files	2026-05-15 06:43:20 +00:00
jiantw83	f43ba63f0f	fix: support wrapped exclusions schema	2026-05-15 06:39:17 +00:00
jiantw83	4a29c4aaa3	fix: refresh repo before staging review files	2026-05-15 06:23:07 +00:00
jiantw83	78ec8f6d6a	test: cover saveFindings temp dir cases	2026-05-15 06:17:09 +00:00
jiantw83	5c5773e4fd	fix: write findings to review dir	2026-05-15 06:10:09 +00:00
jiantw83	ece7377fc8	fix: stage generated review files	2026-05-15 05:47:06 +00:00
jiantw83	68cd124f59	docs: preserve original text in exclusions	2026-05-15 04:47:54 +00:00
jiantw83	e9f3baf95f	docs: require skill sync for new platforms	2026-05-15 04:19:56 +00:00
jiantw83	33d5cdde7c	fix: sync codex skill assets	2026-05-15 04:15:01 +00:00
jiantw83	ae96ead6cf	docs: update stage acceptance logs	2026-05-15 04:12:33 +00:00
jiantw83	d502393745	Merge pull request 'fix: package triage skills into the action image' (#105 ) from feat/restore-triage-skill into develop Reviewed-on: #105	2026-05-15 03:56:33 +00:00
jiantw83	e5539c377c	docs: exclude triage skill sync false positives	2026-05-15 03:55:12 +00:00
jiantw83	109048e604	fix: package triage skills into the action image	2026-05-15 03:48:05 +00:00
jiantw83	f241f70898	Merge pull request 'fix: restore triage skill files and keep sync non-destructive' (#103 ) from feat/restore-triage-skill into develop Reviewed-on: #103	2026-05-15 03:32:52 +00:00
jiantw83	7186098edf	fix: restore triage skill files and keep sync non-destructive	2026-05-15 03:30:48 +00:00
jiantw83	46da713fa7	Merge pull request 'feat: 解決階段七commit失敗的問題' (#101 ) from feat/解決階段七commit失敗的問題 into develop Reviewed-on: #101	2026-05-15 03:15:19 +00:00
AI Review Bot	515ccb0509	chore: update ai-review findings [skip ci]	2026-05-15 03:14:28 +00:00
jiantw83	69e3b33558	docs: describe mirror sync commit behavior	2026-05-15 03:11:41 +00:00
jiantw83	c70a818986	fix: mirror sync files before commit	2026-05-15 03:09:54 +00:00
jiantw83	684c35bc00	fix: skip missing sync paths in commit step	2026-05-15 03:04:27 +00:00
jiantw83	93c602b86a	Merge pull request 'feat: 新增skill處理問題' (#100 ) from feat/新增skill處理問題 into develop Reviewed-on: #100	2026-05-14 02:39:57 +00:00
jiantw83	b397b76a7a	chore: triage review findings	2026-05-14 02:37:45 +00:00
AI Review Bot	c5c3f1d7e1	chore: update ai-review findings [skip ci]	2026-05-14 02:24:48 +00:00
jiantw83	12980d6ca4	fix: dedupe sync paths in git tests	2026-05-14 02:22:50 +00:00
AI Review Bot	aa8b3ae89a	chore: update ai-review findings [skip ci]	2026-05-14 02:20:01 +00:00
jiantw83	1ad87ac4a4	fix: address triaged review findings	2026-05-14 02:18:17 +00:00
AI Review Bot	fb5c28114d	chore: update ai-review findings [skip ci]	2026-05-14 02:14:49 +00:00
jiantw83	fd49610838	Merge pull request 'feat: tighten json validation repair flow' (#99 ) from feat/驗證JSON檔案 into develop Reviewed-on: #99	2026-05-14 01:26:07 +00:00