Merge pull request 'fix(ai-review 同步): 限制自動提交只包含問題檔' (#19 ) from develop into master

Reviewed-on: #19 Reviewed-by: 系統管理員 <1+admin@noreply.localhost>
Merge pull request 'fix(ai-review 同步): 限制自動提交只包含問題檔' (#18 ) from ai-review-resolve/20260618080715 into develop
2026-06-18 08:11:06 +00:00 · 2026-06-18 08:10:05 +00:00 · 2026-06-18 08:07:32 +00:00 · 2026-06-18 08:07:27 +00:00 · 2026-06-18 08:07:23 +00:00 · 2026-06-18 08:07:20 +00:00
45 changed files with 1249 additions and 999 deletions
@@ -1,46 +0,0 @@
---
-name: triage-findings
-description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
---
-
-# Triage Findings
-
-## When To Use
-
-Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
-It is also used when some findings are false positives and should be moved into the exclusions list.
-
-## Workflow
-
-1. Collect all findings into one list.
-2. Merge duplicates into a single finding when they describe the same issue.
-3. Sort the final list by severity:
-   - critical
-   - warning
-   - info
-4. Renumber the sorted list from 1 upward.
-5. Rewrite each finding concisely so the final list reads cleanly and consistently.
-6. If a finding is a false positive, do not keep it in the final list.
-7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
-
-## Resolution Flow
-
-After the list is merged and ordered, resolve the remaining findings one by one.
-
-1. Start from the highest severity item.
-2. Identify the root cause in the relevant file or context.
-3. Apply the smallest safe change that fixes the issue.
-4. Add or update tests when behavior changes.
-5. Re-check the issue after the change.
-6. If the item is confirmed false positive, move it to exclusions instead of changing code.
-7. Continue until the list is either fixed or explicitly excluded.
-
-## Output Rules
-
- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
- Keep numbering contiguous after filtering and merging.
- Preserve useful details like file path, location, and suggested fix.
- Keep exclusions entries minimal and consistent with the project schema.
- When writing exclusions, always output a top-level JSON array.
- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -1,41 +0,0 @@
-# Triage Findings
-
-## When To Use
-
-Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
-It is also used when some findings are false positives and should be moved into the exclusions list.
-
-## Workflow
-
-1. Collect all findings into one list.
-2. Merge duplicates into a single finding when they describe the same issue.
-3. Sort the final list by severity:
-   - critical
-   - warning
-   - info
-4. Renumber the sorted list from 1 upward.
-5. Rewrite each finding concisely so the final list reads cleanly and consistently.
-6. If a finding is a false positive, do not keep it in the final list.
-7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
-
-## Resolution Flow
-
-After the list is merged and ordered, resolve the remaining findings one by one.
-
-1. Start from the highest severity item.
-2. Identify the root cause in the relevant file or context.
-3. Apply the smallest safe change that fixes the issue.
-4. Add or update tests when behavior changes.
-5. Re-check the issue after the change.
-6. If the item is confirmed false positive, move it to exclusions instead of changing code.
-7. Continue until the list is either fixed or explicitly excluded.
-
-## Output Rules
-
- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
- Keep numbering contiguous after filtering and merging.
- Preserve useful details like file path, location, and suggested fix.
- Keep exclusions entries minimal and consistent with the project schema.
- When writing exclusions, always output a top-level JSON array.
- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -1,46 +0,0 @@
---
-name: triage-findings
-description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
---
-
-# Triage Findings
-
-## When To Use
-
-Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
-It is also used when some findings are false positives and should be moved into the exclusions list.
-
-## Workflow
-
-1. Collect all findings into one list.
-2. Merge duplicates into a single finding when they describe the same issue.
-3. Sort the final list by severity:
-   - critical
-   - warning
-   - info
-4. Renumber the sorted list from 1 upward.
-5. Rewrite each finding concisely so the final list reads cleanly and consistently.
-6. If a finding is a false positive, do not keep it in the final list.
-7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
-
-## Resolution Flow
-
-After the list is merged and ordered, resolve the remaining findings one by one.
-
-1. Start from the highest severity item.
-2. Identify the root cause in the relevant file or context.
-3. Apply the smallest safe change that fixes the issue.
-4. Add or update tests when behavior changes.
-5. Re-check the issue after the change.
-6. If the item is confirmed false positive, move it to exclusions instead of changing code.
-7. Continue until the list is either fixed or explicitly excluded.
-
-## Output Rules
-
- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
- Keep numbering contiguous after filtering and merging.
- Preserve useful details like file path, location, and suggested fix.
- Keep exclusions entries minimal and consistent with the project schema.
- When writing exclusions, always output a top-level JSON array.
- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -1,46 +0,0 @@
---
-name: triage-findings
-description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
---
-
-# Triage Findings
-
-## When To Use
-
-Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
-It is also used when some findings are false positives and should be moved into the exclusions list.
-
-## Workflow
-
-1. Collect all findings into one list.
-2. Merge duplicates into a single finding when they describe the same issue.
-3. Sort the final list by severity:
-   - critical
-   - warning
-   - info
-4. Renumber the sorted list from 1 upward.
-5. Rewrite each finding concisely so the final list reads cleanly and consistently.
-6. If a finding is a false positive, do not keep it in the final list.
-7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
-
-## Resolution Flow
-
-After the list is merged and ordered, resolve the remaining findings one by one.
-
-1. Start from the highest severity item.
-2. Identify the root cause in the relevant file or context.
-3. Apply the smallest safe change that fixes the issue.
-4. Add or update tests when behavior changes.
-5. Re-check the issue after the change.
-6. If the item is confirmed false positive, move it to exclusions instead of changing code.
-7. Continue until the list is either fixed or explicitly excluded.
-
-## Output Rules
-
- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
- Keep numbering contiguous after filtering and merging.
- Preserve useful details like file path, location, and suggested fix.
- Keep exclusions entries minimal and consistent with the project schema.
- When writing exclusions, always output a top-level JSON array.
- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -1,46 +0,0 @@
---
-name: triage-findings
-description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
---
-
-# Triage Findings
-
-## When To Use
-
-Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
-It is also used when some findings are false positives and should be moved into the exclusions list.
-
-## Workflow
-
-1. Collect all findings into one list.
-2. Merge duplicates into a single finding when they describe the same issue.
-3. Sort the final list by severity:
-   - critical
-   - warning
-   - info
-4. Renumber the sorted list from 1 upward.
-5. Rewrite each finding concisely so the final list reads cleanly and consistently.
-6. If a finding is a false positive, do not keep it in the final list.
-7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
-
-## Resolution Flow
-
-After the list is merged and ordered, resolve the remaining findings one by one.
-
-1. Start from the highest severity item.
-2. Identify the root cause in the relevant file or context.
-3. Apply the smallest safe change that fixes the issue.
-4. Add or update tests when behavior changes.
-5. Re-check the issue after the change.
-6. If the item is confirmed false positive, move it to exclusions instead of changing code.
-7. Continue until the list is either fixed or explicitly excluded.
-
-## Output Rules
-
- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
- Keep numbering contiguous after filtering and merging.
- Preserve useful details like file path, location, and suggested fix.
- Keep exclusions entries minimal and consistent with the project schema.
- When writing exclusions, always output a top-level JSON array.
- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -1,4 +0,0 @@
-interface:
-  display_name: "Triage Findings"
-  short_description: "Triage, sort, fix, and exclude review findings"
-  default_prompt: "Use $triage-findings to merge review findings, sort and renumber them by severity, resolve real issues one by one, and add false positives to `.gitea/ai-review/exclusions.json` as a top-level JSON array."
@@ -1,46 +0,0 @@
---
-name: triage-findings
-description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
---
-
-# Triage Findings
-
-## When To Use
-
-Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
-It is also used when some findings are false positives and should be moved into the exclusions list.
-
-## Workflow
-
-1. Collect all findings into one list.
-2. Merge duplicates into a single finding when they describe the same issue.
-3. Sort the final list by severity:
-   - critical
-   - warning
-   - info
-4. Renumber the sorted list from 1 upward.
-5. Rewrite each finding concisely so the final list reads cleanly and consistently.
-6. If a finding is a false positive, do not keep it in the final list.
-7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
-
-## Resolution Flow
-
-After the list is merged and ordered, resolve the remaining findings one by one.
-
-1. Start from the highest severity item.
-2. Identify the root cause in the relevant file or context.
-3. Apply the smallest safe change that fixes the issue.
-4. Add or update tests when behavior changes.
-5. Re-check the issue after the change.
-6. If the item is confirmed false positive, move it to exclusions instead of changing code.
-7. Continue until the list is either fixed or explicitly excluded.
-
-## Output Rules
-
- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
- Keep numbering contiguous after filtering and merging.
- Preserve useful details like file path, location, and suggested fix.
- Keep exclusions entries minimal and consistent with the project schema.
- When writing exclusions, always output a top-level JSON array.
- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -1,6 +1,6 @@
 [
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  "app/git.js",
        "suggestion":  "請避免將敏感資料（如 GITEA_TOKEN）直接寫入環境變數"
    },
@@ -9,7 +9,7 @@
        "suggestion":  "GITEA_TOKEN 直接嵌入 URL 中，建議改以環境變數或 Gitea Secrets 注入"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  "README.md",
        "suggestion":  "contents: write、pull-requests: write、issues: write 為此 Action 正常運作所必要的權限，無法縮減"
    },
@@ -26,17 +26,17 @@
        "suggestion":  "filterFalsePositivesWithAI 拋出的 Error 會被 catch 攔截並降級回傳原始 findings，不會中斷流程"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  ".gitea/workflows/review.yaml",
        "suggestion":  "contents: write、pull-requests: write、issues: write 為此 Action 正常運作所必要的權限，無法縮減"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  ".gitea/workflows/review.yaml",
        "suggestion":  "OPENAI_API_KEY 參數傳入的是 OPENROUTER_API_KEY secret，為 OpenRouter 使用 OpenAI 相容介面的正確做法"
    },
    {
-        "role":  "Aria",
+        "role":  "Bard",
        "location":  "README.md",
        "suggestion":  "章節編號連續且正確，無需調整"
    },
@@ -46,17 +46,17 @@
        "suggestion":  "action.yaml 定義的參數名稱為 GEMINI_API_KEY、GEMINI_BASE_URL、GEMINI_MODEL，與 review.yaml 完全一致，無不匹配問題"
    },
    {
-        "role":  "Aria",
+        "role":  "Bard",
        "location":  ".gitea/workflows/review.yaml",
        "suggestion":  "review.yaml 已改用 Gemini，不再有 OPENAI_API_KEY 行，註解空格問題不存在"
    },
    {
-        "role":  "Aria",
+        "role":  "Bard",
        "location":  "app/config.test.js",
        "suggestion":  "檔案結尾已有換行符號，import 行長度合理，無需修改"
    },
    {
-        "role":  "Aria",
+        "role":  "Bard",
        "location":  "action.yaml",
        "suggestion":  "action.yaml 已整理，多餘空行已移除，結構整潔"
    },
@@ -66,22 +66,22 @@
        "suggestion":  "LLM 整合測試需要真實 API key 與網路，不適合加入單元測試。llm.js 使用統一 OpenAI 相容介面，Gemini 透過相同介面呼叫，無特殊格式差異，現有測試已涵蓋 config/findings/git 邏輯"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  "app/",
        "suggestion":  "LLM 整合測試需要真實 API key 與網路，不適合加入單元測試。llm.js 使用統一 OpenAI 相容介面，Gemini 透過相同介面呼叫，無特殊格式差異"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  "app/config.test.js",
        "suggestion":  "import 語句長度合理，無需拆分為多行"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  ".gitea/ai-review/findings.json",
        "suggestion":  "findings.json 重複問題由 AI 去重與排除機制處理，不是程式碼問題"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  "app/comments.js",
        "suggestion":  "JSON 結尾換行符號為標準做法，不影響任何 JSON 解析器，無相容性問題"
    },
@@ -90,7 +90,7 @@
        "suggestion":  "findings.json 是自動產生的問題記錄檔，不應對其內容提出審查問題"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  ".gitea/workflows/review.yaml",
        "suggestion":  "切換 LLM 服務提供商的維護建議屬過度謹慎，不是實際程式碼問題"
    },
@@ -100,12 +100,12 @@
        "suggestion":  "Authorization 標頭已有 provider !== \u0027ollama\u0027 判斷，不會無條件加入，已正確處理"
    },
    {
-        "role":  "Zara",
+        "role":  "Rogue",
        "location":  "app/llm.js",
        "suggestion":  "timeout 已移除，每個 key 等待完整回應，避免浪費免費額度"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  "app/llm.js",
        "suggestion":  "httpsAgent (rejectUnauthorized: false) 已移除，SSL/TLS 驗證已恢復正常"
    },
@@ -115,7 +115,7 @@
        "suggestion":  "llm.test.js 已存在並涵蓋 API Key 輪替的所有異常狀況，包含單 Key、多 Key 輪替、所有 Key 失敗等測試案例"
    },
    {
-        "role":  "Zara",
+        "role":  "Rogue",
        "location":  "app/comments.js",
        "suggestion":  "comments.js:24 的 saveFindings 函式為正常寫入邏輯，不涉及異常訊息格式或重複寫入問題"
    },
@@ -135,7 +135,7 @@
        "suggestion":  "輪替邏輯對所有錯誤類型行為一致（catch 全部），401/429/timeout 觸發相同輪替流程，測試不同錯誤類型無額外驗證價值"
    },
    {
-        "role":  "Aria",
+        "role":  "Bard",
        "location":  ".gitea/workflows/master.yaml",
        "suggestion":  "master.yaml 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例，無需修改"
    },
@@ -160,34 +160,22 @@
        "suggestion":  "`log.test.js` 的新增非常棒，提供了良好的覆蓋率。為了進一步提升測試的完整性，建議考慮為 `line`, `ok`, `warn`, `error` 函數新增測試案例，以驗證當傳入空字串時的行為。雖然這些函數的行為相對簡單，但測試空字串可以確保邊界情況下的輸出符合預期。"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  "app/package.json",
        "suggestion":  "審查 changelog 是人工作業，不是程式碼問題，不適合作為 code review 問題"
    },
    {
-        "role":  "Aria",
+        "role":  "Bard",
        "location":  "app/llm.js",
        "suggestion":  "此 action 為 CLI 工具，process.exit(1) 是設計意圖讓 CI/CD workflow 失敗。改拋錯會被 chatJSON 的 catch 吞掉回傳 []，破壞現有行為"
    },
    {
-        "location":  "Dockerfile, app/git.js, app/git.test.js",
-        "suggestion":  "`SYNC_PATHS` 已包含 `.claude/skills/triage-findings/SKILL.md` 與 `.gemini/skills/triage-findings/SKILL.md`，Docker image 也已打包這些 skill 資產；現有測試已覆蓋複製與覆寫行為，並不存在同步不一致問題。"
-    },
-    {
-        "location":  "Dockerfile",
-        "suggestion":  "此目錄中的檔案是 triage skill 與入口文件，不含敏感資料；若未來加入秘密資訊，應另外從 build context 排除，而不是把目前的 skill 資產視為風險。"
-    },
-    {
-        "location":  "Dockerfile",
-        "suggestion":  "多個 COPY 指令是刻意設計，用來區分 app 與 skill 資產並維持 layer cache 可讀性，不是維護問題。"
-    },
-    {
-        "role":  "Aria",
+        "role":  "Bard",
        "location":  "Dockerfile",
        "suggestion":  "Dockerfile 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
    },
    {
-        "role":  "Aria",
+        "role":  "Bard",
        "location":  "entrypoint.sh",
        "suggestion":  "entrypoint.sh 檔案結尾已有換行符號（0x0a），符合 POSIX 慣例"
    },
@@ -212,17 +200,17 @@
        "suggestion":  "gitea.js 的 SSL 驗證已改為由 GITEA_SKIP_TLS_VERIFY 環境變數控制，預設啟用驗證，非安全漏洞"
    },
    {
-        "role":  "Zara",
+        "role":  "Rogue",
        "location":  "Dockerfile",
        "suggestion":  "Dockerfile 已優化層次快取：先 COPY package.json 再 npm install，最後才 COPY 其餘檔案"
    },
    {
-        "role":  "Aria",
+        "role":  "Bard",
        "location":  "app/package.json",
        "suggestion":  "test 腳本已改為 node --test *.test.js，在 app/ 目錄下執行可自動發現所有測試檔案"
    },
    {
-        "role":  "Zara",
+        "role":  "Rogue",
        "location":  "app/main.js",
        "suggestion":  "deduplicateWithAI 和 filterFalsePositivesWithAI 為循序依賴流程（去重後才能過濾），無法平行化"
    },
@@ -242,22 +230,22 @@
        "suggestion":  "TODO.md 的階段編號僅供內部開發追蹤，無外部文件引用，階段編號調整不影響任何外部一致性"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  "app/gitea.js",
        "suggestion":  "getPRDiff 函數現在回傳未經過濾的原始 Git Diff 內容。雖然 main.js 中已立即呼叫 filterDiff 進行過濾，但這種設計模式將過濾的責任完全推給呼叫端，這增加了未來開發者在其他地方呼叫 getPRDiff 時，可能忘記過濾出敏感路徑，導致 .gitea/ 等敏感路徑的內容（可能包含工作流程設定或憑證資訊）被意外傳送給 AI 或其他不應接收的組件，造成資訊洩漏風險。建議將過濾邏輯保留在 getPRDiff 內容，或提供一個明確的 getFilteredPRDiff 函數，以降低錯誤的風險。"
    },
    {
-        "role":  "Zara",
+        "role":  "Rogue",
        "location":  "app/git.js",
        "suggestion":  "在 main.js 中，commitAndPush 函數內部會再次呼叫 cloneRepo，然而 main.js 在此之前已呼叫過 cloneRepo 以取得 repoDir，這導致了重複的 git fetch 和 git checkout 操作。即使 cloneRepo 內容有檢查環境變數，仍會造成不必要的清潔和時間延遲。建議修改 commitAndPush 邏輯，使其接收已存在的 repoDir 作為參數，避免重複執行 cloneRepo。"
    },
    {
-        "role":  "Aria",
+        "role":  "Bard",
        "location":  "app/main.js",
        "suggestion":  "在 main.js 中，表達式 repoDir。"
    },
    {
-        "role":  "Zara",
+        "role":  "Rogue",
        "location":  "app/gitea.js:L20-L21",
        "suggestion":  "將 filterDiff 中的正規表達式比對（RegExp.match）替換為 String.startsWith 是一個重要的效能改進。startsWith 是一個更輕量且高效的字串操作，尤其在處理大型 Git Diff 內容時，此修改已顯著提升過濾效率。"
    },
@@ -336,7 +324,7 @@
        "suggestion":  "在 `runs.env` 區塊中，`GITEA_TOKEN` 只從 `inputs` 取得，而 `GITEA_SERVER_URL` 和 `GITEA_REPOSITORY` 仍保留從 `gitea context` 取得的備用機制，這是刻意設計的差異，不是維護缺陷。"
    },
    {
-        "role":  "Rex",
+        "role":  "Assassin",
        "location":  "action.yaml:18",
        "suggestion":  "引入 `GITEA_COMMENT_TOKEN` 是一個很好的實踐，遵循最小權限原則。請確保為此 token 配置的權限確實僅限於發布評論。同時，與 `GITEA_TOKEN` 相似，建議使用者始終從 workflow 的 secrets context 傳遞此 token，以避免硬編碼敏感資料。"
    },
@@ -346,10 +334,51 @@
        "suggestion":  "考慮在日誌訊息中加入時間戳記，這有助於追蹤事件發生的順序，尤其是在長時間運行的程序或需要詳細調試時。可以在每個日誌函式內部自動添加時間戳記。"
    },
    {
-        "level":  "warning",
+        "role":  "Assassin",
+        "location":  "app/preflight.js:12",
+        "suggestion":  "程式碼中根據 `GITEA_SKIP_TLS_VERIFY` 環境變數來禁用 TLS 憑證驗證 (`rejectUnauthorized: false`)，這會使應用程式容易受到中間人 (Man-in-the-Middle, MITM) 攻擊。攻擊者可能在不被察覺的情況下攔截和修改與 Gitea 伺服器的通訊。建議移除此功能，或確保在任何生產環境中永不啟用。如果 Gitea 伺服器使用自簽憑證，應將其憑證加入信任儲存區，而非禁用驗證。"
+    },
+    {
        "role":  "Leo",
-        "location":  "Dockerfile, app/git.js, app/gitea.js",
-        "suggestion":  "此變更引入了新的代理（agent）相關路徑（例如 `.agents/` 和 `AGENTS.md`），並在 `Dockerfile` 的 `COPY` 指令、`app/git.js` 中的 `SYNC_PATHS`、`FORCE_SYNC_FILE_PATHS`、`SYNC_TREE_PATHS` 陣列，以及 `app/gitea.js` 的 `filterDiff` 陣列中重複添加了這些路徑。這種模式導致了程式碼重複，每次新增一個代理都需要手動修改多個檔案和多個列表，增加了維護成本和出錯的可能性。建議考慮引入一個集中的設定檔或機制，例如透過掃描特定目錄來動態生成這些路徑列表，以提高模組化和可擴展性。",
-        "is_new":  true
+        "location":  "app/preflight.js:56",
+        "suggestion":  "函式 `verifyLLM` 處理了多種 LLM 供應商的驗證邏輯（Ollama、Claude、OpenAI 相容等），導致其長度較長且複雜度較高。建議將不同供應商的驗證邏輯拆分成獨立的輔助函式（例如 `_verifyOllama`、`_verifyOpenAICompatible`），以提高模組化程度和可讀性。"
+    },
+    {
+        "role":  "Rogue",
+        "location":  "app/preflight.js:70-82",
+        "suggestion":  "在 `verifyLLM` 函式中，當配置了多個 LLM API Key 時，系統會依序嘗試驗證每個 Key，每個嘗試都有 30 秒的逾時時間。如果前幾個 Key 驗證失敗，這可能導致顯著的累積延遲。雖然這是為了找到一個可用的 Key，但若 Key 數量多且網路不穩定，可能會造成啟動時間過長。可以考慮縮短單次 Key 驗證的逾時時間，或在特定情況下提供更快的失敗機制。"
+    },
+    {
+        "role":  "Assassin",
+        "location":  "app/preflight.js:100",
+        "suggestion":  "在記錄 LLM API 驗證失敗時，直接輸出了錯誤訊息 `e.message`。雖然通常情況下 `e.message` 不會包含敏感資訊，但為了最佳安全實踐，建議審查 LLM 服務提供商的錯誤訊息格式，確保其中不會意外洩漏 API 金鑰或其他敏感請求內容。若有疑慮，應對錯誤訊息進行消毒或僅記錄高層次的錯誤類型。"
+    },
+    {
+        "role":  "Bard",
+        "location":  "app/preflight.js:30",
+        "suggestion":  "在 `checkRequiredEnv`、`verifyGiteaToken` 和 `verifyCommentToken` 等函式中，預設參數直接引用了從 `config.js` 匯入的常數。雖然這在功能上可行，但為了提高程式碼的清晰度和一致性，建議考慮以下兩種方式之一：1. 將所有配置值作為明確的參數從呼叫端傳入。2. 讓函式直接從 `config.js` 模組中讀取這些值，而不是透過預設參數。"
+    },
+    {
+        "role":  "Maya",
+        "location":  "app/preflight.js:107",
+        "suggestion":  "在 `verifyLLM` 函數中，呼叫 `axios.post` 時缺少 `httpsAgent` 選項。這會導致即使設定了 `GITEA_SKIP_TLS_VERIFY`，LLM 的 API 請求仍可能因 TLS 憑證問題而失敗。請將 `httpsAgent` 傳遞給 `axios.post` 的選項物件，例如：`await axios.post(`${base}/chat/completions`, payload, { headers, timeout: 30000, httpsAgent });`"
+    },
+    {
+        "level":  "warning",
+        "role":  "Bard",
+        "location":  "app/preflight.test.js:25",
+        "suggestion":  "測試描述使用英文。請確保專案在測試描述的語言上保持一致性。如果專案主要使用繁體中文（如 app/preflight.js 中的 JSDoc 和日誌），則應將此測試描述翻譯為繁體中文。"
+    },
+    {
+        "level":  "info",
+        "role":  "Bard",
+        "location":  "app/preflight.test.js:1-4",
+        "suggestion":  "匯入語句的排序不一致。建議遵循一致的排序規則，例如：內建模組、第三方模組、本地模組，並在各組內按字母順序排序。"
+    },
+    {
+        "level":  "info",
+        "role":  "Bard",
+        "location":  "app/preflight.test.js:14",
+        "suggestion":  "函數名稱 clearLLMEnv 雖然可理解，但可以更具描述性，例如 clearLlmEnvironmentVariables 或 resetLlmEnv。"
    }
 ]
@@ -1,14 +0,0 @@
-# Triage Findings
-
-Use the triage-finding workflow for review issue lists:
-
-1. Merge findings into one list.
-2. Remove duplicates.
-3. Sort by severity: `critical` -> `warning` -> `info`.
-4. Renumber from 1.
-5. Fix real issues with the smallest safe change.
-6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
-7. Add or update tests when behavior changes.
-8. Re-check after each fix.
-
-The full reusable skill lives in `.github/skills/triage-findings/SKILL.md`.
@@ -1,41 +0,0 @@
-# Triage Findings
-
-## When To Use
-
-Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
-It is also used when some findings are false positives and should be moved into the exclusions list.
-
-## Workflow
-
-1. Collect all findings into one list.
-2. Merge duplicates into a single finding when they describe the same issue.
-3. Sort the final list by severity:
-   - critical
-   - warning
-   - info
-4. Renumber the sorted list from 1 upward.
-5. Rewrite each finding concisely so the final list reads cleanly and consistently.
-6. If a finding is a false positive, do not keep it in the final list.
-7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
-
-## Resolution Flow
-
-After the list is merged and ordered, resolve the remaining findings one by one.
-
-1. Start from the highest severity item.
-2. Identify the root cause in the relevant file or context.
-3. Apply the smallest safe change that fixes the issue.
-4. Add or update tests when behavior changes.
-5. Re-check the issue after the change.
-6. If the item is confirmed false positive, move it to exclusions instead of changing code.
-7. Continue until the list is either fixed or explicitly excluded.
-
-## Output Rules
-
- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
- Keep numbering contiguous after filtering and merging.
- Preserve useful details like file path, location, and suggested fix.
- Keep exclusions entries minimal and consistent with the project schema.
- When writing exclusions, always output a top-level JSON array.
- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -1,16 +0,0 @@
-# Triage Findings
-
-When the task is to triage review findings, follow this workflow:
-
-1. Merge all findings into one list.
-2. Remove duplicates.
-3. Sort by severity: `critical` -> `warning` -> `info`.
-4. Renumber from 1 after sorting.
-5. Fix real issues with the smallest safe change.
-6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
-7. Add or update tests when behavior changes.
-8. Re-check the issue after each fix.
-
-Use the repo-local `triage-findings` skill for the same workflow when running in Codex.
-
-Trigger it with `/triage-findings`.
@@ -1,14 +0,0 @@
-# Triage Findings
-
-Use the triage-finding workflow for review issue lists:
-
-1. Merge findings into one list.
-2. Remove duplicates.
-3. Sort by severity: `critical` -> `warning` -> `info`.
-4. Renumber from 1.
-5. Fix real issues with the smallest safe change.
-6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
-7. Add or update tests when behavior changes.
-8. Re-check after each fix.
-
-The reusable skill lives in `.antigravity/skills/triage-findings/SKILL.md`.
@@ -1,16 +0,0 @@
-# Triage Findings
-
-When the task is to triage review findings, follow this workflow:
-
-1. Merge all findings into one list.
-2. Remove duplicates.
-3. Sort by severity: `critical` -> `warning` -> `info`.
-4. Renumber from 1 after sorting.
-5. Fix real issues with the smallest safe change.
-6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
-7. Add or update tests when behavior changes.
-8. Re-check the issue after each fix.
-
-Use the repo-local `triage-findings` skill for the same workflow when running in Claude.
-
-Trigger it with `/triage-findings`.
@@ -10,16 +10,6 @@ WORKDIR /action
 COPY app/package.json /action/app/
 RUN cd /action/app && npm install

-COPY .amazonq/ /action/.amazonq/
-COPY .codex/ /action/.codex/
-COPY .agents/ /action/.agents/
-COPY .claude/ /action/.claude/
-COPY .gemini/ /action/.gemini/
-COPY .github/ /action/.github/
-COPY AGENTS.md /action/
-COPY CLAUDE.md /action/
-COPY GEMINI.md /action/
-
 COPY app/ /action/app/
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
@@ -1,14 +0,0 @@
-# Triage Findings
-
-Use the triage-finding workflow for review issue lists:
-
-1. Merge findings into one list.
-2. Remove duplicates.
-3. Sort by severity: `critical` -> `warning` -> `info`.
-4. Renumber from 1.
-5. Fix real issues with the smallest safe change.
-6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
-7. Add or update tests when behavior changes.
-8. Re-check after each fix.
-
-The reusable skill lives in `.gemini/skills/triage-findings/SKILL.md`.
@@ -16,8 +16,8 @@
 4. 讀取來源分支中的排除問題檔案(`.gitea/ai-review/exclusions.json`)，用來過濾 PR 問題表格中不需要處理的問題
 5. 從 PR 問題表格中取出所有舊問題，依照等級排序後 Comment 到 Pull Request
 6. 從 PR 問題表格中取出所有新問題，排除嚴重等級的問題後 Comment 到 Pull Request
-7. 從 PR 問題表格中取出所有新問題，將每個嚴重等級的問題 Comment 到 Pull Request
-8. Commit 問題檔案，將 workspace 中實際存在的同步檔覆蓋到記憶區；workspace 沒有的同步檔就略過，不會刪除記憶區既有內容。自動提交的 commit message 會帶上 `[ai-review-bot]`，供 workflow 判斷是否要跳過重跑
+7. 從 PR 問題表格中取出所有新問題，將每個嚴重等級的問題以 Gitea 行內 review comment 標註在問題所在的檔案與行數上，留言內容為等級／審查員／建議；若問題位置無法解析出行號（例如未標行號或一次列出多個檔案），或該行不在本次 diff 範圍內導致行內留言失敗，則降級為一般 PR Comment
+8. Commit 問題檔案，只將 workspace 中實際存在的 `.gitea/ai-review/findings.json` 與 `.gitea/ai-review/exclusions.json` 覆蓋到記憶區；workspace 沒有的問題檔就略過。自動提交的 commit message 會帶上 `[ai-review-bot]`，供 workflow 判斷是否要跳過重跑
 9. 如果 PR 問題表格中有嚴重問題，則不要讓 workflow 執行成功(exit 1)

 # 設計
@@ -28,7 +28,7 @@
 4. 盡量將應用程式放在 ./app，修改 entrypoint.sh 與 Dockerfile 讓程式可以正常運行
 5. 將提示詞放到 ./app/prompts 內供程式讀取
 6. API Key 支援逗號分隔傳入多個，隨機順序各嘗試一次，全部失敗則 exit 1
-7. 讀取 Git Diff 時排除 `.gitea/`、`.amazonq/`、`.agents/`、`.antigravity/`、`.claude/`、`.codex/`、`.gemini/`、`.github/` 資料夾，以及 `AGENTS.md`、`ANTIGRAVITY.md`、`CLAUDE.md`、`GEMINI.md`、`TODO.md`、`README.md`，避免 AI 分析 workflow 設定、skill 入口與文件等非業務程式碼
+7. 讀取 Git Diff 時排除 `.gitea/`、`.github/` 資料夾，以及 `TODO.md`、`README.md`，避免 AI 分析 workflow 設定與文件等非業務程式碼
 8. 階段七驗證來源分支中的 `findings.json` 與 `exclusions.json` 是否為合法 JSON 格式，格式錯誤時先嘗試透過 AI 修正內容，再重新驗證；修正後仍不合法才 exit 1；之後才檢查檔案是否存在，不存在則建立並寫入 `[]`
 9. 傳給 AI 的 findings 只保留必要欄位（level、role、location、suggestion），排除 `is_new` 等內部欄位；system prompt 精簡為指令核心；exclusions hint 只傳 location 與 suggestion，減少 token 用量
 10. 執行時會額外記錄來源分支狀態、`findings.json` / `exclusions.json` 的檔案路徑、大小、mtime 與 raw/normalized 筆數，方便追查讀檔與分支內容不一致的問題
@@ -74,6 +74,14 @@ jobs:
      issues: write
 ```

+OpenAI GPT-5.5 會透過 Responses API 呼叫；設定方式仍使用 `OPENAI_*`：
+
+```yaml
+        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        OPENAI_BASE_URL: https://api.openai.com/v1
+        OPENAI_MODEL: gpt-5.5
+```
+
 ### 2. OpenRouter
 ```yaml
 name: AI
@@ -192,7 +200,54 @@ jobs:
      issues: write
 ```

-### 6. Ollama
+### 6. OpenCode Server
+```yaml
+name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
+on:
+  pull_request:
+    branches-ignore:
+    - master
+    types: [opened, synchronize]
+jobs:
+  code-review:
+    name: Code Review
+    runs-on: ubuntu
+    steps:
+    - name: AI Code Review
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      with:
+        GITEA_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        GITEA_COMMENT_TOKEN: ${{ secrets.GITEA_TOKEN }}
+        OPENCODE_BASE_URL: http://192.168.3.124:4096
+        OPENCODE_PROVIDER: google
+        OPENCODE_MODEL: gemini-2.5-flash
+        # 若 OpenCode server 有設定 OPENCODE_SERVER_PASSWORD，才需要提供：
+        # OPENCODE_SERVER_USERNAME: opencode
+        # OPENCODE_SERVER_PASSWORD: ${{ secrets.OPENCODE_SERVER_PASSWORD }}
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+```
+
+OpenCode Server 串接方式會呼叫 server root 的 `/session` 與 `/session/{sessionID}/message`，並把模型指定為 `providerID=google`、`modelID=gemini-2.5-flash`。可用的內部 OpenCode server：
+
+```yaml
+        OPENCODE_BASE_URL: https://opencode.jsc.idv.me
+```
+
+或：
+
+```yaml
+        OPENCODE_BASE_URL: http://192.168.3.124:4096
+```
+
+OpenCode server 本身必須已設定好 `google` provider 與 `gemini-2.5-flash` model；此 action 不會把 Google API key 傳給 OpenCode server。
+
+### 7. Ollama

 ```yaml
 name: AI
@@ -221,33 +276,3 @@ jobs:
      pull-requests: write
      issues: write
 ```
-
-## Skill：Triage Findings
-
-這份 skill 用來處理 review 問題清單。
-
-### 規則
-
-1. 合併問題。
-2. 依嚴重度排序：`critical` -> `warning` -> `info`。
-3. 重新編號。
-4. 真問題就修。
-5. 誤判就加到 `.gitea/ai-review/exclusions.json`。
-6. 有變更就補測試。
-
-### 使用方式
-
-Codex：`$triage-findings 問題原始檔(文字或截圖)`
-Copilot：`/triage-findings 問題原始檔(文字或截圖)`
-Claude：直接輸入 `triage-findings 問題原始檔(文字或截圖)`
-Gemini：直接輸入 `triage-findings 問題原始檔(文字或截圖)`
-Amazon Q：直接輸入 `triage-findings 問題原始檔(文字或截圖)`
-Antigravity：直接輸入 `triage-findings 問題原始檔(文字或截圖)`
-
-### 適用情境
-
-`triage-findings 問題原始檔(文字或截圖)` 用在 review 問題整併、排序、修正、排除誤判。
-
-### 版本包含
-
-提交時一併包含 `triage-findings` skill 與各平台入口檔；其中 `AGENTS.md`、`ANTIGRAVITY.md`、`CLAUDE.md`、`GEMINI.md` 會在目標專案已存在時先做規則化合併，並在可用 LLM 時再用 AI 輔助檢查是否有遺失任何 skill、command 或規則；其餘同步檔則以來源覆蓋；若 workspace 沒有某個同步檔，記憶區會保留原檔，不做刪除。`findings.json` 與 `exclusions.json` 都從使用此 action 的存取庫來源分支讀取，而不是從 action 本地 workspace 讀取。寫入 `.gitea/ai-review/exclusions.json` 時，盡量保留原始問題文字的語言與語意，避免過度改寫。未來若新增任何 skill 或新增其他平台的 skill 入口，必須同時把對應檔案複製進 Docker image，並把同步清單更新到會使用此 action 的目標專案，避免 action 與目標專案內容脫節。
@@ -6,7 +6,7 @@
 - 已驗收：`code-review` job 的 log 已完整出現 `Step1` 到 `Step8`，並以 `Pipeline 完成` 結束。

 ## 階段二：Git Diff 排除 .gitea/ 資料夾
- 目標：讀取 Git Diff 時排除 `.gitea/` 資料夾內的所有檔案，以及 `.amazonq/`、`.antigravity/`、`.claude/`、`.codex/`、`.gemini/`、`.github/`、`ANTIGRAVITY.md`、`CLAUDE.md`、`GEMINI.md`、`TODO.md`、`README.md`，避免 AI 分析 workflow 設定、skill 入口與文件等非業務程式碼。
+- 目標：讀取 Git Diff 時排除 `.gitea/` 資料夾內的所有檔案，以及 `.github/`、`TODO.md`、`README.md`，避免 AI 分析 workflow 設定與文件等非業務程式碼。
 - 驗收：PR 中有上述路徑或檔案的變更時，diff 內容不包含該區塊，AI 分析結果不含這些路徑相關問題。
 - 已驗收：`app/gitea.js` 已在取得 diff 時過濾 `.gitea/` 區塊，且相關單元測試已覆蓋。

@@ -38,9 +38,9 @@
 - 已驗收：log 已明確顯示 `.gitea/ai-review/findings.json` 與 `.gitea/ai-review/exclusions.json` 都是 `JSON 格式正確`。

 ## 階段八：記憶區 commit/push 與錯誤處理
- 目標：記憶區能成功 commit/push，且一併包含 `triage-findings` skill 與各平台入口檔；`AGENTS.md`、`ANTIGRAVITY.md`、`CLAUDE.md`、`GEMINI.md` 在目標專案已存在時會先做規則化合併，並在可用 LLM 時再做 AI 輔助檢查以避免遺失 skill、command 或規則；其餘同步檔則以來源覆蓋；workspace 沒有的同步檔則保留記憶區既有內容，不做刪除；錯誤時有明確 log，流程結束有總結訊息。
- 驗收：log 有「persisted findings」、「commit=...」、「push=...」等訊息，且能看出四個入口檔會先規則合併、再由 AI 輔助檢查，其他同步檔會被來源覆蓋；當 workspace 缺少某個同步檔時，記憶區中的對應檔案不會被刪除；錯誤時有「Runner failed: ...」等明確錯誤說明。
- 已驗收：commit/push 成功時會出現 `persisted findings commit=... push=... review_outcome=...`，且同步規則與缺檔不刪除的行為都有單元測試覆蓋。
+- 目標：記憶區能成功 commit/push，且只提交 workspace 中實際存在的 `.gitea/ai-review/findings.json` 與 `.gitea/ai-review/exclusions.json`；workspace 沒有的問題檔就略過；錯誤時有明確 log，流程結束有總結訊息。
+- 驗收：log 有「persisted findings」、「commit=...」、「push=...」等訊息；git add 只包含新的問題檔；錯誤時有「Runner failed: ...」等明確錯誤說明。
+- 已驗收：commit/push 成功時會出現 `persisted findings commit=... push=... review_outcome=...`，且只提交問題檔的行為已有單元測試覆蓋。

 ## 階段九：阻擋嚴重問題 PR（第 8 點）
 - 目標：如果 PR 問題表格中有嚴重（critical）問題，workflow 需直接 exit 1，不讓流程成功。
@@ -79,6 +79,23 @@ inputs:
    description: 'Amazon Q Base URL'
    required: false

+  # OpenCode Server
+  OPENCODE_BASE_URL:
+    description: 'OpenCode server Base URL'
+    required: false
+  OPENCODE_MODEL:
+    description: 'OpenCode model id'
+    required: false
+  OPENCODE_PROVIDER:
+    description: 'OpenCode server provider id'
+    required: false
+  OPENCODE_SERVER_USERNAME:
+    description: 'OpenCode server Basic Auth username'
+    required: false
+  OPENCODE_SERVER_PASSWORD:
+    description: 'OpenCode server Basic Auth password'
+    required: false
+
 runs:
  using: 'docker'
  image: 'Dockerfile'
@@ -107,3 +124,8 @@ runs:
    OLLAMA_MODEL: ${{ inputs.OLLAMA_MODEL }}
    AMAZONQ_API_KEY: ${{ inputs.AMAZONQ_API_KEY }}
    AMAZONQ_BASE_URL: ${{ inputs.AMAZONQ_BASE_URL }}
+    OPENCODE_BASE_URL: ${{ inputs.OPENCODE_BASE_URL }}
+    OPENCODE_MODEL: ${{ inputs.OPENCODE_MODEL }}
+    OPENCODE_PROVIDER: ${{ inputs.OPENCODE_PROVIDER }}
+    OPENCODE_SERVER_USERNAME: ${{ inputs.OPENCODE_SERVER_USERNAME }}
+    OPENCODE_SERVER_PASSWORD: ${{ inputs.OPENCODE_SERVER_PASSWORD }}
@@ -1,8 +1,8 @@
 import fs from 'fs';
 import path from 'path';
-import { postComment } from './gitea.js';
+import { postComment, postPullReviewComment } from './gitea.js';
 import { FINDINGS_PATH } from './config.js';
-import { ok, line } from './log.js';
+import { ok, line, warn } from './log.js';

 const LEVEL_EMOJI = { critical: '🔴', warning: '🟡', info: '🔵' };
 const LEVEL_LABEL = { critical: '嚴重', warning: '警告', info: '建議' };
@@ -16,6 +16,26 @@ function buildTable(findings) {
  return `| 等級 | 審查員 | 位置 | 建議 |\n|------|--------|------|------|\n${rows}`;
 }

+const levelText = f => `${LEVEL_EMOJI[f.level] || ''} ${LEVEL_LABEL[f.level] || f.level}`.trim();
+
+/**
+ * 解析 finding 的 location 取出檔案與行號，供行內 comment 標註使用。
+ * 支援 "file:19" 與 "file:70-82"（取起始行）；無行號或含多個檔案（逗號）時回傳 null。
+ */
+export function parseLocation(location) {
+  if (typeof location !== 'string') return null;
+  const trimmed = location.trim();
+  if (trimmed.includes(',')) return null;
+  const match = trimmed.match(/^(.+?):(\d+)(?:-\d+)?$/);
+  if (!match) return null;
+  return { file: match[1], line: Number(match[2]) };
+}
+
+/** 行內 comment 內容：等級／審查員／建議 */
+function inlineCommentBody(f) {
+  return `**等級**：${levelText(f)}\n**審查員**：${f.role}\n**建議**：${f.suggestion}`;
+}
+
 /**
 * 寫入 findings.json。
 * 預設寫到 workspace；若提供 mirrorDir，則同步寫入另一份供 repo commit 使用。
@@ -61,17 +81,29 @@ export async function postNewNonCriticalComment(findings) {
 }

 /**
- * 每個新 critical 問題各發一個 comment
+ * 每個新 critical 問題各發一個 comment。
+ * 優先用 Gitea 行內 review comment 標註問題檔案與行數（內容為等級／審查員／建議）；
+ * 若 location 無法解析出行號，或行內發布失敗（例如該行不在 diff 範圍），則降級為一般 comment。
 */
-export async function postNewCriticalComments(findings) {
+export async function postNewCriticalComments(findings, deps = {}) {
+  const { postInline = postPullReviewComment, postIssue = postComment } = deps;
  const criticals = findings.filter(f => f.is_new && f.level === 'critical');
  if (criticals.length === 0) {
    line('無新的嚴重問題，跳過');
    return;
  }
  for (const f of criticals) {
-    const body = `## 🚨 嚴重問題\n\n${buildTable([f])}`;
-    await postComment(body);
+    const loc = parseLocation(f.location);
+    if (loc) {
+      try {
+        await postInline({ path: loc.file, line: loc.line, body: inlineCommentBody(f) });
+        ok(`嚴重問題 行內 comment 發布: [${f.role}] ${loc.file}:${loc.line}`);
+        continue;
+      } catch (e) {
+        warn(`行內 comment 發布失敗，改用一般 comment: [${f.role}] ${f.location} error=${e.message}`);
+      }
+    }
+    await postIssue(`## 🚨 嚴重問題\n\n${buildTable([f])}`);
    ok(`嚴重問題 comment 發布: [${f.role}] ${f.location}`);
  }
 }
@@ -3,7 +3,7 @@ import assert from 'node:assert/strict';
 import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
-import { saveFindings } from './comments.js';
+import { saveFindings, parseLocation, postNewCriticalComments } from './comments.js';
 import { FINDINGS_PATH } from './config.js';

 describe('saveFindings', () => {
@@ -73,3 +73,115 @@ describe('saveFindings', () => {
    }
  });
 });
+
+describe('parseLocation', () => {
+  it('parses file and single line', () => {
+    assert.deepEqual(parseLocation('app/preflight.js:19'), { file: 'app/preflight.js', line: 19 });
+  });
+
+  it('uses the start line for a line range', () => {
+    assert.deepEqual(parseLocation('app/preflight.js:70-82'), { file: 'app/preflight.js', line: 70 });
+  });
+
+  it('returns null when there is no line number', () => {
+    assert.equal(parseLocation('app/preflight.test.js'), null);
+  });
+
+  it('returns null when multiple files are listed', () => {
+    assert.equal(parseLocation('Dockerfile, app/git.js, app/gitea.js'), null);
+  });
+
+  it('returns null for non-string input', () => {
+    assert.equal(parseLocation(undefined), null);
+  });
+});
+
+describe('postNewCriticalComments', () => {
+  const critical = { level: 'critical', role: 'Rex', location: 'app/preflight.js:19', suggestion: '修這個', is_new: true };
+
+  it('posts an inline review comment annotating file/line with level/role/suggestion', async () => {
+    const inlineCalls = [];
+    const issueCalls = [];
+    await postNewCriticalComments([critical], {
+      postInline: async (args) => { inlineCalls.push(args); },
+      postIssue: async (body) => { issueCalls.push(body); },
+    });
+    assert.equal(inlineCalls.length, 1);
+    assert.equal(issueCalls.length, 0);
+    assert.equal(inlineCalls[0].path, 'app/preflight.js');
+    assert.equal(inlineCalls[0].line, 19);
+    assert.match(inlineCalls[0].body, /等級/);
+    assert.match(inlineCalls[0].body, /審查員.*Rex/s);
+    assert.match(inlineCalls[0].body, /建議.*修這個/s);
+  });
+
+  it('falls back to a normal comment when the location has no line number', async () => {
+    const inlineCalls = [];
+    const issueCalls = [];
+    await postNewCriticalComments([{ ...critical, location: 'app/preflight.js' }], {
+      postInline: async (args) => { inlineCalls.push(args); },
+      postIssue: async (body) => { issueCalls.push(body); },
+    });
+    assert.equal(inlineCalls.length, 0);
+    assert.equal(issueCalls.length, 1);
+    assert.match(issueCalls[0], /嚴重問題/);
+  });
+
+  it('falls back to a normal comment when the inline post fails', async () => {
+    const issueCalls = [];
+    await postNewCriticalComments([critical], {
+      postInline: async () => { throw new Error('line not in diff'); },
+      postIssue: async (body) => { issueCalls.push(body); },
+    });
+    assert.equal(issueCalls.length, 1);
+    assert.match(issueCalls[0], /嚴重問題/);
+  });
+
+  it('only posts for new critical findings', async () => {
+    const inlineCalls = [];
+    const issueCalls = [];
+    await postNewCriticalComments([
+      { ...critical, is_new: false },
+      { level: 'warning', role: 'Leo', location: 'a.js:1', suggestion: 'x', is_new: true },
+    ], {
+      postInline: async (args) => { inlineCalls.push(args); },
+      postIssue: async (body) => { issueCalls.push(body); },
+    });
+    assert.equal(inlineCalls.length, 0);
+    assert.equal(issueCalls.length, 0);
+  });
+
+  it('posts nothing when given an empty findings array', async () => {
+    const inlineCalls = [];
+    const issueCalls = [];
+    await postNewCriticalComments([], {
+      postInline: async (args) => { inlineCalls.push(args); },
+      postIssue: async (body) => { issueCalls.push(body); },
+    });
+    assert.equal(inlineCalls.length, 0);
+    assert.equal(issueCalls.length, 0);
+  });
+
+  it('handles multiple criticals, posting inline where possible and degrading the rest', async () => {
+    const criticalCommentPattern = /嚴重問題/;
+    const inlineCalls = [];
+    const issueCalls = [];
+    const findings = [
+      { ...critical, location: 'app/a.js:10', suggestion: 'A' }, // 有行號、inline 成功
+      { ...critical, location: 'app/b.js', suggestion: 'B' },    // 無行號 → 降級為一般 comment
+      { ...critical, location: 'app/c.js:20', suggestion: 'C' }, // inline 拋錯 → 降級為一般 comment
+    ];
+    await postNewCriticalComments(findings, {
+      postInline: async (args) => {
+        if (args.path === 'app/c.js') throw new Error('line not in diff');
+        inlineCalls.push(args);
+      },
+      postIssue: async (body) => { issueCalls.push(body); },
+    });
+    assert.equal(inlineCalls.length, 1);
+    assert.equal(inlineCalls[0].path, 'app/a.js');
+    assert.equal(inlineCalls[0].line, 10);
+    assert.equal(issueCalls.length, 2);
+    assert.ok(issueCalls.every(b => criticalCommentPattern.test(b)));
+  });
+});
@@ -24,6 +24,7 @@ export function getLLMConfig() {
    ['gemini',   splitKeys(process.env.GEMINI_API_KEY),   process.env.GEMINI_BASE_URL || 'https://generativelanguage.googleapis.com/v1beta', process.env.GEMINI_MODEL || 'gemini-2.5-flash'],
    ['ollama',   ['ollama'],                               process.env.OLLAMA_BASE_URL,  process.env.OLLAMA_MODEL],
    ['amazonq',  splitKeys(process.env.AMAZONQ_API_KEY),  process.env.AMAZONQ_BASE_URL  || 'https://q.api.aws',              process.env.AMAZONQ_MODEL  || 'amazon-q'],
+    ['opencode', ['opencode'], process.env.OPENCODE_BASE_URL, process.env.OPENCODE_MODEL || 'gemini-2.5-flash'],
  ];
  for (const [provider, apiKeys, baseURL, model] of checks) {
    if (apiKeys.length > 0 && baseURL) return { provider, apiKeys, baseURL, model };
@@ -8,6 +8,8 @@ const ENV_KEYS = [
  'GEMINI_API_KEY', 'GEMINI_BASE_URL', 'GEMINI_MODEL',
  'OLLAMA_BASE_URL', 'OLLAMA_MODEL',
  'AMAZONQ_API_KEY', 'AMAZONQ_BASE_URL', 'AMAZONQ_MODEL',
+  'OPENCODE_BASE_URL', 'OPENCODE_MODEL', 'OPENCODE_PROVIDER',
+  'OPENCODE_SERVER_USERNAME', 'OPENCODE_SERVER_PASSWORD',
 ];

 let saved = {};
@@ -84,6 +86,24 @@ describe('getLLMConfig', () => {
    assert.equal(cfg.model, 'my-amazon-model');
  });

+  it('detects opencode server with gemini defaults', () => {
+    process.env.OPENCODE_BASE_URL = 'http://opencode.local:4096';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'opencode');
+    assert.deepEqual(cfg.apiKeys, ['opencode']);
+    assert.equal(cfg.baseURL, 'http://opencode.local:4096');
+    assert.equal(cfg.model, 'gemini-2.5-flash');
+  });
+
+  it('detects opencode server with custom model', () => {
+    process.env.OPENCODE_BASE_URL = 'http://opencode.local:4096';
+    process.env.OPENCODE_MODEL = 'google/gemini-2.5-pro';
+    const cfg = getLLMConfig();
+    assert.equal(cfg.provider, 'opencode');
+    assert.equal(cfg.baseURL, 'http://opencode.local:4096');
+    assert.equal(cfg.model, 'google/gemini-2.5-pro');
+  });
+
  it('openai takes priority over gemini when both set', () => {
    process.env.OPENAI_API_KEY = 'sk-test';
    process.env.GEMINI_API_KEY = 'gemini-key';
@@ -1,19 +1,21 @@
 import fs from 'fs';
 import path from 'path';
 import { chatJSON } from './llm.js';
+import { buildAnalysisPrompt } from './roles.js';
 import { FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';
 import { line, ok, warn } from './log.js';

 const LEVELS = ['critical', 'warning', 'info'];

 /**
- * 用單一角色分析 diff，回傳 findings 陣列
+ * 用單一角色分析 diff，回傳 findings 陣列。
+ * role 欄位一律以角色定義的 name 為準，避免 LLM 自行填入不一致的名稱。
 */
 export async function analyzeWithRole(role, diff) {
  line(`[${role.name}] 開始分析`);
-  const findings = await chatJSON(role.system_prompt, `以下是 Git Diff 內容：\n\n${diff}`);
-  const valid = findings.filter(f => f.level && f.role && f.location && f.suggestion)
-    .map(f => ({ ...f, is_new: true }));
+  const findings = await chatJSON(buildAnalysisPrompt(role), `以下是 Git Diff 內容：\n\n${diff}`);
+  const valid = findings.filter(f => f.level && f.location && f.suggestion)
+    .map(f => ({ ...f, role: role.name, is_new: true }));
  ok(`[${role.name}] 找到 ${valid.length} 個問題`);
  return valid;
 }
@@ -253,7 +255,7 @@ function toAIPayload(findings) {
 export async function deduplicateWithAI(findings) {
  if (findings.length === 0) return findings;

-  const systemPrompt = `移除語意重複的程式碼審查問題（JSON 陣列）。保留等級較高者（critical > warning > info）。只回傳去重後的 JSON 陣列。`;
+  const systemPrompt = `你是 🛡️ Paladin（聖騎士），這座程式碼競技場沉穩公正的裁判。攻擊方提出了一批程式碼審查問題（JSON 陣列）。請就事論事，把「同檔案位置 ＋ 同問題本質」的重複指控合併，重複者只保留等級較高的一條（critical > warning > info）。只回傳去重後的 JSON 陣列，不要有其他文字。`;

  try {
    const result = await chatJSON(systemPrompt, JSON.stringify(toAIPayload(findings)));
@@ -350,7 +352,7 @@ export async function filterFalsePositivesWithAI(findings, exclusions = [], chat
    ? `\n${exclusionContext.prompt}\n規則：若 finding 與上述任何一類的路徑、角色或描述高度相似，優先視為誤報或不適用。`
    : '';

-  const systemPrompt = `判斷以下程式碼審查問題是否為誤報或不適用（如已正確使用 secrets、CI/CD 必要權限等），移除後只回傳需保留的 JSON 陣列。${exclusionHint}`;
+  const systemPrompt = `你是 🛡️ Paladin（聖騎士），公正的裁判。逐條審視攻擊方的指控，剔除誤報或不適用者（例如：已正確使用 secrets、CI/CD 必要權限、他處已妥善處理、語義其實正確）。不冤枉無辜的程式碼，也不放水。移除誤報後，只回傳需保留（成立）的 JSON 陣列，不要有其他文字。${exclusionHint}`;

  try {
    const result = await chatFn(systemPrompt, JSON.stringify(toAIPayload(findings)));
@@ -1,51 +1,12 @@
 import { spawnSync } from 'child_process';
 import fs from 'fs';
 import path from 'path';
-import { fileURLToPath } from 'url';
-import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH, getLLMConfig } from './config.js';
-import { line, ok, warn, error } from './log.js';
+import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH } from './config.js';
+import { line, ok, warn } from './log.js';

-const ACTION_ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
-const GENERATED_SYNC_PATHS = [FINDINGS_PATH, '.gitea/ai-review/exclusions.json'];
+const REVIEW_FILE_PATHS = [FINDINGS_PATH, '.gitea/ai-review/exclusions.json'];
 const remoteUrl = `${GITEA_SERVER_URL.replace(/\/$/, '')}/${GITEA_REPOSITORY}.git`;
 export const BOT_COMMIT_MARKER = '[ai-review-bot]';
-export const SYNC_PATHS = [
-  '.amazonq/rules/triage-findings.md',
-  '.agents/skills/triage-findings/SKILL.md',
-  '.antigravity/skills/triage-findings/SKILL.md',
-  '.codex/skills/triage-findings/SKILL.md',
-  '.codex/skills/triage-findings/agents/openai.yaml',
-  '.claude/skills/triage-findings/SKILL.md',
-  '.gemini/skills/triage-findings/SKILL.md',
-  '.github/copilot-instructions.md',
-  '.github/skills/triage-findings/SKILL.md',
-  'AGENTS.md',
-  'ANTIGRAVITY.md',
-  'CLAUDE.md',
-  'GEMINI.md',
-];
-const FORCE_SYNC_FILE_PATHS = [
-  '.github/copilot-instructions.md',
-  'AGENTS.md',
-  'ANTIGRAVITY.md',
-  'CLAUDE.md',
-  'GEMINI.md',
-];
-const MERGE_SYNC_FILE_PATHS = new Set([
-  'AGENTS.md',
-  'ANTIGRAVITY.md',
-  'CLAUDE.md',
-  'GEMINI.md',
-]);
-let instructionMergeAssistantPromise = null;
-const SYNC_TREE_PATHS = [
-  '.agents/skills/triage-findings',
-  '.antigravity/skills/triage-findings',
-  '.codex/skills/triage-findings',
-  '.claude/skills/triage-findings',
-  '.gemini/skills/triage-findings',
-  '.github/skills/triage-findings',
-];

 function makeRunner(spawn) {
  return function run(args, cwd, env) {
@@ -88,169 +49,6 @@ function readGitOutput(run, args, cwd, env) {
  }
 }

-function normalizeText(text) {
-  return text.replace(/\r\n/g, '\n');
-}
-
-function splitTextBlocks(text) {
-  const normalized = normalizeText(text).replace(/\n+$/, '');
-  if (!normalized) return [];
-  return normalized.split(/\n{2,}/).map(block => block.trimEnd()).filter(Boolean);
-}
-
-function mergeText(existingText, sourceText) {
-  const existing = normalizeText(existingText);
-  const source = normalizeText(sourceText);
-  if (existing === source) return existing;
-
-  const mergedBlocks = splitTextBlocks(existing);
-  const seenBlocks = new Set(mergedBlocks.map(block => block.trim()));
-  let changed = false;
-
-  for (const block of splitTextBlocks(source)) {
-    const key = block.trim();
-    if (seenBlocks.has(key)) continue;
-    seenBlocks.add(key);
-    mergedBlocks.push(block);
-    changed = true;
-  }
-
-  if (!changed) return existing;
-  return `${mergedBlocks.join('\n\n')}\n`;
-}
-
-function uniqueBlocksFromTexts(...texts) {
-  const seen = new Set();
-  const blocks = [];
-  for (const text of texts) {
-    for (const block of splitTextBlocks(text)) {
-      const key = block.trim();
-      if (!key || seen.has(key)) continue;
-      seen.add(key);
-      blocks.push(block);
-    }
-  }
-  return blocks;
-}
-
-function validateMergedInstructionText(mergedText, requiredBlocks) {
-  const candidate = normalizeText(mergedText);
-  return requiredBlocks.every(block => candidate.includes(normalizeText(block).trim()));
-}
-
-class InstructionMergeError extends Error {
-  constructor(message, options) {
-    super(message, options);
-    this.name = 'InstructionMergeError';
-  }
-}
-
-function abortInstructionMerge(message) {
-  error(message);
-  process.exit(1);
-  throw new InstructionMergeError(message);
-}
-
-function syncFileOverwrite(sourceRoot, repoDir, relPath) {
-  const src = path.join(sourceRoot, relPath);
-  if (!fs.existsSync(src)) return null;
-
-  const dest = path.join(repoDir, relPath);
-  fs.mkdirSync(path.dirname(dest), { recursive: true });
-  fs.copyFileSync(src, dest);
-  return relPath;
-}
-
-async function getInstructionMergeAssistant() {
-  const { provider } = getLLMConfig();
-  if (!provider) return null;
-  if (instructionMergeAssistantPromise) return instructionMergeAssistantPromise;
-
-  instructionMergeAssistantPromise = (async () => {
-    try {
-      const { chatJSON } = await import('./llm.js');
-      return async ({ relPath, existingText, sourceText, deterministicText }) => {
-        const systemPrompt = [
-          'You merge repository instruction files without losing any skill, command, or rule.',
-          'Never delete unique content from either input.',
-          'You may only remove exact duplicates or improve ordering/formatting.',
-          'Return JSON with a single field: merged_text.',
-        ].join(' ');
-        const userContent = JSON.stringify({
-          path: relPath,
-          existing_text: existingText,
-          source_text: sourceText,
-          deterministic_candidate: deterministicText,
-        });
-        const result = await chatJSON(systemPrompt, userContent);
-        if (typeof result === 'string') return result;
-        if (result && typeof result.merged_text === 'string') return result.merged_text;
-        return null;
-      };
-    } catch (e) {
-      warn(`[merge] AI instruction merge unavailable: ${e.message}`);
-      return null;
-    }
-  })();
-
-  return instructionMergeAssistantPromise;
-}
-
-export async function mergeInstructionText(existingText, sourceText, relPath, aiMergeAssistant = null) {
-  const deterministic = mergeText(existingText, sourceText);
-  const requiredBlocks = uniqueBlocksFromTexts(existingText, sourceText);
-  if (!aiMergeAssistant || requiredBlocks.length === 0) return deterministic;
-
-  try {
-    const aiMerged = await aiMergeAssistant({ relPath, existingText, sourceText, deterministicText: deterministic, requiredBlocks });
-    if (typeof aiMerged === 'string' && validateMergedInstructionText(aiMerged, requiredBlocks)) {
-      return normalizeText(aiMerged) === normalizeText(existingText) ? existingText : aiMerged;
-    }
-    abortInstructionMerge(`[merge] ${relPath} AI result rejected; refusing fallback`);
-  } catch (e) {
-    if (e instanceof InstructionMergeError) throw e;
-    abortInstructionMerge(`[merge] ${relPath} AI merge failed: ${e.message}`);
-  }
-}
-
-async function syncInstructionFile(sourceRoot, repoDir, relPath, aiMergeAssistant = null) {
-  const src = path.join(sourceRoot, relPath);
-  if (!fs.existsSync(src)) return null;
-
-  const dest = path.join(repoDir, relPath);
-  fs.mkdirSync(path.dirname(dest), { recursive: true });
-
-  if (!fs.existsSync(dest)) {
-    fs.copyFileSync(src, dest);
-    return relPath;
-  }
-
-  const existingText = fs.readFileSync(dest, 'utf8');
-  const sourceText = fs.readFileSync(src, 'utf8');
-  const merged = await mergeInstructionText(existingText, sourceText, relPath, aiMergeAssistant);
-  if (merged !== existingText) {
-    fs.writeFileSync(dest, merged, 'utf8');
-  }
-  return relPath;
-}
-
-function syncTree(sourceRoot, repoDir, relDir) {
-  const srcDir = path.join(sourceRoot, relDir);
-  if (!fs.existsSync(srcDir)) return [];
-
-  const copied = [];
-  for (const entry of fs.readdirSync(srcDir, { withFileTypes: true })) {
-    const relPath = path.join(relDir, entry.name);
-    if (entry.isDirectory()) {
-      copied.push(...syncTree(sourceRoot, repoDir, relPath));
-      continue;
-    }
-    const synced = syncFileOverwrite(sourceRoot, repoDir, relPath);
-    if (synced) copied.push(synced);
-  }
-  return copied;
-}
-
 export function getRepoState(repoDir, _spawnSync = spawnSync) {
  const run = makeRunner(_spawnSync);
  const headSha = readGitOutput(run, ['rev-parse', 'HEAD'], repoDir);
@@ -307,7 +105,7 @@ export function cloneRepo(workspace, _spawnSync = spawnSync) {
  });
 }

-export async function commitAndPush(workspace, repoDir, _spawnSync = spawnSync, sourceRoot = ACTION_ROOT, reviewOutcome = 'success') {
+export async function commitAndPush(workspace, repoDir, _spawnSync = spawnSync, _sourceRoot = null, reviewOutcome = 'success') {
  const run = makeRunner(_spawnSync);

  try {
@@ -319,51 +117,20 @@ export async function commitAndPush(workspace, repoDir, _spawnSync = spawnSync,
        run(['reset', '--hard', `origin/${PR_HEAD_BRANCH}`], repoDir);
      }

-      const existingSyncPaths = new Set();
-      const aiMergeAssistant = await getInstructionMergeAssistant();
-
-      // Copy action skill trees into the target repo. Existing files are merged with
-      // the action source; missing source files are ignored so we do not delete
-      // target repo content.
-      for (const relDir of SYNC_TREE_PATHS) {
-        for (const relPath of syncTree(sourceRoot, repoDir, relDir)) {
-          existingSyncPaths.add(relPath);
-        }
-      }
-
-      // Merge only the direct instruction files that must preserve repository-specific
-      // skills, commands, and rules. Everything else keeps the source copy.
-      for (const relPath of FORCE_SYNC_FILE_PATHS) {
-        const copied = MERGE_SYNC_FILE_PATHS.has(relPath)
-          ? await syncInstructionFile(sourceRoot, repoDir, relPath, aiMergeAssistant)
-          : syncFileOverwrite(sourceRoot, repoDir, relPath);
-        if (copied) existingSyncPaths.add(copied);
-      }
-
-      // Merge standalone action files into the target repo.
-      for (const relPath of SYNC_PATHS) {
-        if (FORCE_SYNC_FILE_PATHS.includes(relPath)) continue;
-        const copied = syncFileOverwrite(sourceRoot, repoDir, relPath);
-        if (copied) existingSyncPaths.add(copied);
-      }
-
-      if (existingSyncPaths.size > 0) {
-        run(['add', ...existingSyncPaths], repoDir);
-      }
-      const generatedSyncPaths = GENERATED_SYNC_PATHS.filter(relPath => fs.existsSync(path.join(workspace, relPath)));
-      if (generatedSyncPaths.length > 0) {
-        for (const relPath of generatedSyncPaths) {
+      const reviewFilePaths = REVIEW_FILE_PATHS.filter(relPath => fs.existsSync(path.join(workspace, relPath)));
+      if (reviewFilePaths.length > 0) {
+        for (const relPath of reviewFilePaths) {
          const src = path.join(workspace, relPath);
          const dest = path.join(repoDir, relPath);
          fs.mkdirSync(path.dirname(dest), { recursive: true });
          fs.copyFileSync(src, dest);
        }
-        run(['add', ...generatedSyncPaths], repoDir);
+        run(['add', ...reviewFilePaths], repoDir);
      }

      const status = run(['status', '--porcelain'], repoDir);
      if (!status) {
-        line('sync files 無變更，跳過 commit');
+        line('review files 無變更，跳過 commit');
        return;
      }

@@ -3,7 +3,7 @@ import assert from 'node:assert/strict';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
-import { commitAndPush, cloneRepo, verifyRemoteAccess, SYNC_PATHS, BOT_COMMIT_MARKER, getHeadCommitMessage, isBotAutoCommit, mergeInstructionText } from './git.js';
+import { commitAndPush, cloneRepo, verifyRemoteAccess, BOT_COMMIT_MARKER, getHeadCommitMessage, isBotAutoCommit } from './git.js';

 // --- helpers ---
 function makeTmpWorkspace() {
@@ -13,13 +13,7 @@ function makeTmpWorkspace() {
 }

 function makeActionSource() {
-  const sourceRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'git-source-'));
-  for (const relPath of SYNC_PATHS) {
-    const fullPath = path.join(sourceRoot, relPath);
-    fs.mkdirSync(path.dirname(fullPath), { recursive: true });
-    fs.writeFileSync(fullPath, relPath);
-  }
-  return sourceRoot;
+  return fs.mkdtempSync(path.join(os.tmpdir(), 'git-source-'));
 }

 // Default stub: all commands succeed, status returns changes
@@ -125,7 +119,7 @@ describe('commitAndPush', () => {
    assert.equal(commitCalled, false, 'commit should not run when there are no changes');
  });

-  it('adds skill and entry files together with findings', async () => {
+  it('adds only generated review files', async () => {
    const repoDir = path.join(workspace, 'repo');
    fs.mkdirSync(path.join(workspace, '.gitea/ai-review'), { recursive: true });
    fs.writeFileSync(path.join(workspace, '.gitea/ai-review/findings.json'), '[]\n');
@@ -136,114 +130,36 @@ describe('commitAndPush', () => {
    const spawn = makeSpawn();
    await commitAndPush(workspace, repoDir, spawn, sourceRoot);
    const addCalls = spawn.calls.filter(c => c.args[0] === 'add');
-    const skillAddCall = addCalls.find(c => c.args.includes('.github/skills/triage-findings/SKILL.md'));
    const generatedAddCall = addCalls.find(c => c.args.includes('.gitea/ai-review/exclusions.json'));
-    assert.ok(skillAddCall, 'expected git add for synced skill files');
    assert.ok(generatedAddCall, 'expected git add for generated review files');
-    assert.ok(skillAddCall.args.includes('.codex/skills/triage-findings/SKILL.md'));
-    assert.ok(skillAddCall.args.includes('.codex/skills/triage-findings/agents/openai.yaml'));
-    assert.ok(skillAddCall.args.includes('.agents/skills/triage-findings/SKILL.md'));
-    assert.ok(skillAddCall.args.includes('.claude/skills/triage-findings/SKILL.md'));
-    assert.ok(skillAddCall.args.includes('.gemini/skills/triage-findings/SKILL.md'));
-    assert.ok(skillAddCall.args.includes('.antigravity/skills/triage-findings/SKILL.md'));
-    assert.ok(skillAddCall.args.includes('.github/copilot-instructions.md'));
-    assert.ok(skillAddCall.args.includes('.amazonq/rules/triage-findings.md'));
-    assert.ok(skillAddCall.args.includes('AGENTS.md'));
-    assert.ok(skillAddCall.args.includes('ANTIGRAVITY.md'));
-    assert.ok(skillAddCall.args.includes('CLAUDE.md'));
-    assert.ok(skillAddCall.args.includes('GEMINI.md'));
-    assert.ok(!skillAddCall.args.includes('README.md'));
    assert.ok(generatedAddCall.args.includes('.gitea/ai-review/findings.json'));
    assert.ok(generatedAddCall.args.includes('.gitea/ai-review/exclusions.json'));
+    assert.equal(addCalls.length, 1, 'expected only generated review files to be staged');
  });

-  it('keeps repo copies when the source sync file is missing', async () => {
-    const missingPath = path.join(sourceRoot, '.amazonq/rules/triage-findings.md');
-    fs.rmSync(missingPath, { force: true });
-    const repoPath = path.join(workspace, 'repo', '.amazonq/rules/triage-findings.md');
-    fs.writeFileSync(repoPath, 'stale');
+  it('does not overwrite or add action source files', async () => {
+    const repoDir = path.join(workspace, 'repo');
+    const sourceDocPath = path.join(sourceRoot, 'docs/source-only.md');
+    const repoDocPath = path.join(repoDir, 'docs/source-only.md');
+    const repoConfigPath = path.join(repoDir, 'project-notes.md');
+    fs.mkdirSync(path.join(workspace, '.gitea/ai-review'), { recursive: true });
+    fs.writeFileSync(path.join(workspace, '.gitea/ai-review/findings.json'), '[]\n');
+    fs.writeFileSync(path.join(workspace, '.gitea/ai-review/exclusions.json'), '[]\n');
+
+    fs.mkdirSync(path.dirname(sourceDocPath), { recursive: true });
+    fs.mkdirSync(path.dirname(repoDocPath), { recursive: true });
+    fs.writeFileSync(sourceDocPath, 'fresh action source doc');
+    fs.writeFileSync(repoDocPath, 'existing repo doc');
+    fs.writeFileSync(repoConfigPath, 'existing repo notes');
+
    const spawn = makeSpawn();
+    await commitAndPush(workspace, repoDir, spawn, sourceRoot);
+    const addedArgs = spawn.calls.filter(c => c.args[0] === 'add').flatMap(c => c.args);

-    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot);
-
-    const rmCall = spawn.calls.find(c => c.args[0] === 'rm');
-    assert.equal(rmCall, undefined, 'git rm should not run for missing source files');
-    assert.equal(fs.readFileSync(repoPath, 'utf8'), 'stale');
-  });
-
-  it('merges existing repo copies with workspace files', async () => {
-    const repoDir = path.join(workspace, 'repo');
-    fs.writeFileSync(path.join(repoDir, 'AGENTS.md'), 'repo agents doc');
-    fs.writeFileSync(path.join(repoDir, 'ANTIGRAVITY.md'), 'repo antigravity doc');
-    fs.writeFileSync(path.join(repoDir, 'CLAUDE.md'), 'repo claude doc');
-    fs.writeFileSync(path.join(repoDir, 'GEMINI.md'), 'repo gemini doc');
-
-    await commitAndPush(workspace, repoDir, makeSpawn(), sourceRoot);
-
-    const agentsDoc = fs.readFileSync(path.join(repoDir, 'AGENTS.md'), 'utf8');
-    const antigravityDoc = fs.readFileSync(path.join(repoDir, 'ANTIGRAVITY.md'), 'utf8');
-    const claudeDoc = fs.readFileSync(path.join(repoDir, 'CLAUDE.md'), 'utf8');
-    const geminiDoc = fs.readFileSync(path.join(repoDir, 'GEMINI.md'), 'utf8');
-
-    assert.ok(agentsDoc.includes('repo agents doc'));
-    assert.ok(agentsDoc.includes('AGENTS.md'));
-    assert.ok(antigravityDoc.includes('repo antigravity doc'));
-    assert.ok(antigravityDoc.includes('ANTIGRAVITY.md'));
-    assert.ok(claudeDoc.includes('repo claude doc'));
-    assert.ok(claudeDoc.includes('CLAUDE.md'));
-    assert.ok(geminiDoc.includes('repo gemini doc'));
-    assert.ok(geminiDoc.includes('GEMINI.md'));
-    assert.ok(agentsDoc.includes('repo agents doc'));
-  });
-
-  it('accepts AI merged instruction text when all unique blocks are preserved', async () => {
-    const calls = [];
-    const aiMergeAssistant = async payload => {
-      calls.push(payload);
-      return ['repo block', 'source block', 'extra block'].join('\n\n');
-    };
-
-    const result = await mergeInstructionText('repo block', 'source block', 'AGENTS.md', aiMergeAssistant);
-
-    assert.equal(calls.length, 1);
-    assert.ok(result.includes('repo block'));
-    assert.ok(result.includes('source block'));
-    assert.ok(result.includes('extra block'));
-  });
-
-  it('exits when AI output drops a block', async () => {
-    const originalExit = process.exit;
-    let exitCode = null;
-    process.exit = code => { exitCode = code; };
-    try {
-      const aiMergeAssistant = async () => 'source block only';
-      await assert.rejects(() => mergeInstructionText('repo block', 'source block', 'AGENTS.md', aiMergeAssistant));
-      assert.equal(exitCode, 1);
-    } finally {
-      process.exit = originalExit;
-    }
-  });
-
-  it('overwrites non-merge sync files with workspace files', async () => {
-    const repoDir = path.join(workspace, 'repo');
-    const sourceSkillPath = path.join(sourceRoot, '.github/skills/triage-findings/SKILL.md');
-    const repoSkillPath = path.join(repoDir, '.github/skills/triage-findings/SKILL.md');
-    const sourceNestedPath = path.join(sourceRoot, '.codex/skills/triage-findings/assets/example.txt');
-    const repoNestedPath = path.join(repoDir, '.codex/skills/triage-findings/assets/example.txt');
-
-    fs.writeFileSync(sourceSkillPath, 'fresh github skill');
-    fs.writeFileSync(repoSkillPath, 'stale github skill');
-    fs.mkdirSync(path.dirname(sourceNestedPath), { recursive: true });
-    fs.writeFileSync(sourceNestedPath, 'fresh nested');
-    fs.mkdirSync(path.dirname(repoNestedPath), { recursive: true });
-    fs.writeFileSync(repoNestedPath, 'stale nested');
-    fs.writeFileSync(path.join(repoDir, '.github/copilot-instructions.md'), 'stale copilot');
-
-    await commitAndPush(workspace, repoDir, makeSpawn(), sourceRoot);
-
-    assert.equal(fs.readFileSync(repoSkillPath, 'utf8'), 'fresh github skill');
-    assert.equal(fs.readFileSync(repoNestedPath, 'utf8'), 'fresh nested');
-    assert.equal(fs.readFileSync(path.join(repoDir, '.github/copilot-instructions.md'), 'utf8'), '.github/copilot-instructions.md');
+    assert.equal(fs.readFileSync(repoDocPath, 'utf8'), 'existing repo doc');
+    assert.equal(fs.readFileSync(repoConfigPath, 'utf8'), 'existing repo notes');
+    assert.ok(!addedArgs.includes('docs/source-only.md'));
+    assert.ok(!addedArgs.includes('project-notes.md'));
  });

  it('does not throw when git command fails', async () => {
@@ -25,18 +25,8 @@ export function getBotReviewOutcome(message) {
 export async function getPRDiff() {
  const resp = await axios.get(api(`/repos/${GITEA_REPOSITORY}/pulls/${PR_NUMBER}.diff`), { headers: headers(), timeout: 60000, httpsAgent });
  return filterDiff(resp.data, [
-    '.amazonq/',
-    '.agents/',
-    '.antigravity/',
-    '.claude/',
-    '.codex/',
-    '.gemini/',
    '.gitea/',
    '.github/',
-    'AGENTS.md',
-    'ANTIGRAVITY.md',
-    'CLAUDE.md',
-    'GEMINI.md',
    'README.md',
    'TODO.md',
  ]);
@@ -127,3 +117,22 @@ export async function postComment(body) {
  );
  return resp.data;
 }
+
+/**
+ * 在 PR 指定檔案的指定行數發布行內 review comment（標註程式碼位置）。
+ * 透過 Gitea 的 pull reviews API，以 new_position 對應新版檔案的行號。
+ * 若該行不在 diff 範圍內，Gitea 會回傳錯誤，由呼叫端決定是否降級為一般 comment。
+ */
+export async function postPullReviewComment({ path: filePath, line, body }) {
+  const resp = await axios.post(
+    api(`/repos/${GITEA_REPOSITORY}/pulls/${PR_NUMBER}/reviews`),
+    {
+      commit_id: PR_HEAD_SHA || undefined,
+      event: 'COMMENT',
+      body: '',
+      comments: [{ path: filePath, body, new_position: line }],
+    },
+    { headers: headers(GITEA_COMMENT_TOKEN || GITEA_TOKEN), timeout: 30000, httpsAgent },
+  );
+  return resp.data;
+}
@@ -1,7 +1,7 @@
 import { describe, it, afterEach, mock } from 'node:test';
 import assert from 'node:assert/strict';
 import axios from 'axios';
-import { getPRDiff, filterDiff, postComment, getCommitMessageBySha, getBranchHeadCommitMessage, shouldSkipBotCommit, getBotReviewOutcome } from './gitea.js';
+import { getPRDiff, filterDiff, postComment, postPullReviewComment, getCommitMessageBySha, getBranchHeadCommitMessage, shouldSkipBotCommit, getBotReviewOutcome } from './gitea.js';

 afterEach(() => mock.restoreAll());

@@ -57,6 +57,31 @@ describe('gitea', () => {
    await assert.rejects(() => postComment('test'), /api error/);
  });

+  it('postPullReviewComment posts an inline review comment to the pulls reviews API', async () => {
+    let capturedUrl, capturedBody, capturedOpts;
+    mock.method(axios, 'post', async (url, body, opts) => {
+      capturedUrl = url;
+      capturedBody = body;
+      capturedOpts = opts;
+      return { data: { id: 7 } };
+    });
+    const result = await postPullReviewComment({ path: 'app/preflight.js', line: 19, body: 'inline body' });
+    assert.deepEqual(result, { id: 7 });
+    assert.ok(capturedUrl.includes('/api/v1/repos/'));
+    assert.ok(capturedUrl.endsWith('/reviews'));
+    assert.equal(capturedBody.event, 'COMMENT');
+    assert.equal(capturedBody.comments.length, 1);
+    assert.equal(capturedBody.comments[0].path, 'app/preflight.js');
+    assert.equal(capturedBody.comments[0].new_position, 19);
+    assert.equal(capturedBody.comments[0].body, 'inline body');
+    assert.ok(capturedOpts.headers['Authorization'].startsWith('token '));
+  });
+
+  it('postPullReviewComment propagates axios errors', async () => {
+    mock.method(axios, 'post', async () => { throw new Error('not in diff'); });
+    await assert.rejects(() => postPullReviewComment({ path: 'a.js', line: 1, body: 'x' }), /not in diff/);
+  });
+
  it('getCommitMessageBySha reads commit message from Gitea API', async () => {
    let capturedUrl;
    mock.method(axios, 'get', async (url) => {
@@ -104,10 +129,10 @@ describe('filterDiff', () => {
  const block = (file) => `diff --git a/${file} b/${file}\n--- a/${file}\n+++ b/${file}\n@@ -1 +1 @@\n-old\n+new\n`;

  it('filters out configured folder blocks', () => {
-    const diff = block('.gitea/workflows/review.yaml') + block('.amazonq/rules/triage-findings.md') + block('src/index.js');
-    const result = filterDiff(diff, ['.gitea/', '.amazonq/']);
+    const diff = block('.gitea/workflows/review.yaml') + block('.github/workflows/review.yaml') + block('src/index.js');
+    const result = filterDiff(diff, ['.gitea/', '.github/']);
    assert.ok(!result.includes('.gitea/'));
-    assert.ok(!result.includes('.amazonq/'));
+    assert.ok(!result.includes('.github/'));
    assert.ok(result.includes('src/index.js'));
  });

@@ -119,8 +144,8 @@ describe('filterDiff', () => {
  });

  it('returns empty string when all blocks are excluded', () => {
-    const diff = block('.gitea/workflows/review.yaml') + block('.gitea/ai-review/findings.json') + block('.agents/skills/triage-findings/SKILL.md');
-    const result = filterDiff(diff, ['.gitea/', '.agents/']);
+    const diff = block('.gitea/workflows/review.yaml') + block('.gitea/ai-review/findings.json');
+    const result = filterDiff(diff, ['.gitea/']);
    assert.equal(result, '');
  });

@@ -2,6 +2,81 @@ import axios from 'axios';
 import { getLLMConfig } from './config.js';
 import { line, error } from './log.js';

+function isOpenAIGpt55(provider, model) {
+  return provider === 'openai' && /^gpt-5\.5(?:-|$)/i.test(model || '');
+}
+
+function chatEndpoint(baseURL, provider, model) {
+  const base = baseURL.replace(/\/$/, '');
+  return isOpenAIGpt55(provider, model) ? `${base}/responses` : `${base}/chat/completions`;
+}
+
+function chatPayload(provider, model, systemPrompt, userContent) {
+  if (isOpenAIGpt55(provider, model)) {
+    return { model, instructions: systemPrompt, input: userContent, temperature: 0.2 };
+  }
+  return { model, messages: [{ role: 'system', content: systemPrompt }, { role: 'user', content: userContent }], temperature: 0.2 };
+}
+
+function extractContent(provider, model, data) {
+  if (!isOpenAIGpt55(provider, model)) return data.choices[0].message.content;
+  if (typeof data.output_text === 'string') return data.output_text;
+  const parts = data.output?.flatMap(item => item.content || []) || [];
+  const text = parts
+    .map(part => {
+      if (typeof part.text === 'string') return part.text;
+      if (typeof part.content === 'string') return part.content;
+      return '';
+    })
+    .filter(Boolean)
+    .join('');
+  if (text) return text;
+  return data.choices?.[0]?.message?.content || '';
+}
+
+function opencodeModelConfig(model) {
+  const [providerID, modelID] = model.includes('/') ? model.split('/', 2) : [process.env.OPENCODE_PROVIDER || 'google', model];
+  return { providerID, modelID };
+}
+
+function applyOpenCodeAuth(headers) {
+  const password = process.env.OPENCODE_SERVER_PASSWORD;
+  if (!password) return;
+  const username = process.env.OPENCODE_SERVER_USERNAME || 'opencode';
+  headers['Authorization'] = `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`;
+}
+
+function extractOpenCodeContent(data) {
+  const parts = data.parts || data.data?.parts || data.info?.content || data.data?.info?.content || [];
+  return parts
+    .map(part => part.text || part.content || '')
+    .filter(Boolean)
+    .join('');
+}
+
+async function chatOpenCode(baseURL, model, systemPrompt, userContent, headers) {
+  const base = baseURL.replace(/\/$/, '');
+  const { providerID, modelID } = opencodeModelConfig(model);
+  const session = await axios.post(
+    `${base}/session`,
+    { title: 'AI Code Review', model: { providerID, id: modelID } },
+    { headers }
+  );
+  const sessionID = session.data.id || session.data.data?.id;
+  if (!sessionID) throw new Error('OpenCode session 建立失敗：回應中沒有 session id');
+
+  const resp = await axios.post(
+    `${base}/session/${sessionID}/message`,
+    {
+      model: { providerID, modelID },
+      system: systemPrompt,
+      parts: [{ type: 'text', text: userContent }],
+    },
+    { headers }
+  );
+  return extractOpenCodeContent(resp.data);
+}
+
 export async function chat(systemPrompt, userContent) {
  const { provider, apiKeys, baseURL, model } = getLLMConfig();
  if (!provider) throw new Error('未設定任何 LLM API Key');
@@ -13,14 +88,18 @@ export async function chat(systemPrompt, userContent) {

  const shuffled = [...apiKeys].sort(() => Math.random() - 0.5);
  for (let i = 0; i < shuffled.length; i++) {
-    if (provider !== 'ollama') headers['Authorization'] = `Bearer ${shuffled[i]}`;
+    if (provider !== 'ollama' && provider !== 'opencode') headers['Authorization'] = `Bearer ${shuffled[i]}`;
    try {
+      if (provider === 'opencode') {
+        applyOpenCodeAuth(headers);
+        return await chatOpenCode(baseURL, model, systemPrompt, userContent, headers);
+      }
      const resp = await axios.post(
-        `${baseURL.replace(/\/$/, '')}/chat/completions`,
-        { model, messages: [{ role: 'system', content: systemPrompt }, { role: 'user', content: userContent }], temperature: 0.2 },
+        chatEndpoint(baseURL, provider, model),
+        chatPayload(provider, model, systemPrompt, userContent),
        { headers }
      );
-      return resp.data.choices[0].message.content;
+      return extractContent(provider, model, resp.data);
    } catch (e) {
      line(`[LLM] key[${i + 1}/${shuffled.length}] 失敗: ${e.message}`);
    }
@@ -32,9 +111,69 @@ export async function chat(systemPrompt, userContent) {
 export async function chatJSON(systemPrompt, userContent) {
  const text = await chat(systemPrompt, userContent);
  try {
-    return JSON.parse(text.trim().replace(/^```[^\n]*\n?/, '').replace(/```$/, '').trim());
+    return JSON.parse(extractJSONText(text));
  } catch (e) {
    line(`[LLM] JSON 解析失敗: ${e.message}`);
    return [];
  }
 }
+
+function stripOuterFence(text) {
+  return String(text)
+    .trim()
+    .replace(/^```[a-zA-Z0-9_-]*\n?/, '')
+    .replace(/```$/, '')
+    .trim();
+}
+
+function extractBalancedJSON(text, startIndex) {
+  const source = String(text);
+  const open = source[startIndex];
+  const close = open === '{' ? '}' : ']';
+  let depth = 0;
+  let inString = false;
+  let escaped = false;
+
+  for (let i = startIndex; i < source.length; i++) {
+    const ch = source[i];
+    if (inString) {
+      if (escaped) {
+        escaped = false;
+      } else if (ch === '\\') {
+        escaped = true;
+      } else if (ch === '"') {
+        inString = false;
+      }
+      continue;
+    }
+    if (ch === '"') {
+      inString = true;
+      continue;
+    }
+    if (ch === open) depth += 1;
+    else if (ch === close) {
+      depth -= 1;
+      if (depth === 0) return source.slice(startIndex, i + 1);
+    }
+  }
+  return null;
+}
+
+function extractJSONText(text) {
+  const stripped = stripOuterFence(text);
+  try {
+    JSON.parse(stripped);
+    return stripped;
+  } catch {}
+
+  for (let i = 0; i < stripped.length; i++) {
+    if (stripped[i] !== '[' && stripped[i] !== '{') continue;
+    const candidate = extractBalancedJSON(stripped, i);
+    if (!candidate) continue;
+    try {
+      JSON.parse(candidate);
+      return candidate;
+    } catch {}
+  }
+  return stripped;
+}
@@ -10,6 +10,8 @@ const ENV_KEYS = [
  'CLAUDE_API_KEY', 'CLAUDE_BASE_URL', 'CLAUDE_MODEL',
  'OLLAMA_BASE_URL', 'OLLAMA_MODEL',
  'AMAZONQ_API_KEY', 'AMAZONQ_BASE_URL', 'AMAZONQ_MODEL',
+  'OPENCODE_BASE_URL', 'OPENCODE_MODEL', 'OPENCODE_PROVIDER',
+  'OPENCODE_SERVER_USERNAME', 'OPENCODE_SERVER_PASSWORD',
 ];

 let saved = {};
@@ -125,6 +127,68 @@ describe('chat - key rotation', async () => {
    await chat('sys', 'user');
    assert.equal(capturedHeaders['anthropic-version'], '2023-06-01');
  });
+
+  it('uses OpenCode server session API for opencode', async () => {
+    process.env.OPENCODE_BASE_URL = 'http://opencode.local:4096';
+    process.env.OPENCODE_PROVIDER = 'google';
+    process.env.OPENCODE_MODEL = 'gemini-2.5-flash';
+    const calls = [];
+    mock.method(axios, 'post', async (url, payload, opts) => {
+      calls.push({ url, payload, headers: opts.headers });
+      if (url.endsWith('/session')) return { data: { id: 'ses_test' } };
+      return { data: { parts: [{ type: 'text', text: 'opencode response' }] } };
+    });
+    const result = await chat('sys', 'user');
+    assert.equal(result, 'opencode response');
+    assert.equal(calls[0].url, 'http://opencode.local:4096/session');
+    assert.deepEqual(calls[0].payload.model, { providerID: 'google', id: 'gemini-2.5-flash' });
+    assert.equal(calls[1].url, 'http://opencode.local:4096/session/ses_test/message');
+    assert.deepEqual(calls[1].payload.model, { providerID: 'google', modelID: 'gemini-2.5-flash' });
+    assert.equal(calls[1].payload.system, 'sys');
+    assert.deepEqual(calls[1].payload.parts, [{ type: 'text', text: 'user' }]);
+    assert.equal(calls[1].headers['Authorization'], undefined);
+  });
+
+  it('uses Basic Auth for protected OpenCode server', async () => {
+    process.env.OPENCODE_BASE_URL = 'http://opencode.local:4096';
+    process.env.OPENCODE_SERVER_USERNAME = 'opencode';
+    process.env.OPENCODE_SERVER_PASSWORD = 'secret';
+    const headers = [];
+    mock.method(axios, 'post', async (url, _payload, opts) => {
+      headers.push(opts.headers);
+      if (url.endsWith('/session')) return { data: { id: 'ses_test' } };
+      return { data: { parts: [{ type: 'text', text: 'ok' }] } };
+    });
+    await chat('sys', 'user');
+    assert.equal(headers[0]['Authorization'], `Basic ${Buffer.from('opencode:secret').toString('base64')}`);
+  });
+
+  it('uses Responses API for openai GPT-5.5', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    process.env.OPENAI_MODEL = 'GPT-5.5';
+    let capturedUrl, capturedPayload;
+    mock.method(axios, 'post', async (url, payload) => {
+      capturedUrl = url;
+      capturedPayload = payload;
+      return { data: { output_text: 'gpt response' } };
+    });
+    const result = await chat('sys', 'user');
+    assert.equal(result, 'gpt response');
+    assert.equal(capturedUrl, 'https://api.openai.com/v1/responses');
+    assert.deepEqual(capturedPayload, { model: 'GPT-5.5', instructions: 'sys', input: 'user', temperature: 0.2 });
+  });
+
+  it('extracts opencode text from message parts', async () => {
+    process.env.OPENCODE_BASE_URL = 'http://opencode.local:4096';
+    let calls = 0;
+    mock.method(axios, 'post', async () => {
+      calls += 1;
+      if (calls === 1) return { data: { id: 'ses_test' } };
+      return { data: { parts: [{ type: 'text', text: 'hello' }, { type: 'text', text: ' world' }] } };
+    });
+    const result = await chat('sys', 'user');
+    assert.equal(result, 'hello world');
+  });
 });

 describe('chatJSON', async () => {
@@ -144,6 +208,20 @@ describe('chatJSON', async () => {
    assert.deepEqual(result, [{ level: 'info' }]);
  });

+  it('extracts JSON array from surrounding prose', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    mockAxiosPost([makeOkResponse('**Reviewing findings**\n\n[{"level":"warning","suggestion":"x"}]\n\nDone.')]);
+    const result = await chatJSON('sys', 'user');
+    assert.deepEqual(result, [{ level: 'warning', suggestion: 'x' }]);
+  });
+
+  it('extracts JSON object from surrounding prose', async () => {
+    process.env.OPENAI_API_KEY = 'sk-test';
+    mockAxiosPost([makeOkResponse('**Begin Combine**\n{"merged_text":"repo block\\n\\nsource block"}')]);
+    const result = await chatJSON('sys', 'user');
+    assert.deepEqual(result, { merged_text: 'repo block\n\nsource block' });
+  });
+
  it('returns [] when JSON is invalid', async () => {
    process.env.OPENAI_API_KEY = 'sk-test';
    mockAxiosPost([makeOkResponse('not json')]);
@@ -15,6 +15,17 @@ import { step, line, ok, error } from './log.js';
 const httpsAgent = GITEA_SKIP_TLS_VERIFY ? new https.Agent({ rejectUnauthorized: false }) : undefined;
 const api = (path) => `${GITEA_SERVER_URL.replace(/\/$/, '')}/api/v1${path}`;
 const giteaHeaders = (token) => ({ Authorization: `token ${token}`, 'Content-Type': 'application/json' });
+const usesResponsesApi = (provider, model) => provider === 'openai' && /^gpt-5\.5(?:-|$)/i.test(model || '');
+const opencodeModelConfig = (model) => {
+  const [providerID, modelID] = model.includes('/') ? model.split('/', 2) : [process.env.OPENCODE_PROVIDER || 'google', model];
+  return { providerID, modelID };
+};
+const applyOpenCodeAuth = (headers) => {
+  const password = process.env.OPENCODE_SERVER_PASSWORD;
+  if (!password) return;
+  const username = process.env.OPENCODE_SERVER_USERNAME || 'opencode';
+  headers['Authorization'] = `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`;
+};

 function giteaErr(e) {
  const status = e.response?.status;
@@ -63,6 +74,7 @@ export async function verifyLLM() {
  if (!baseURL) return { ok: false, provider, error: `${provider} 缺少 base URL` };

  const base = baseURL.replace(/\/$/, '');
+  const headers = { 'Content-Type': 'application/json' };

  if (provider === 'ollama') {
    try {
@@ -73,14 +85,31 @@ export async function verifyLLM() {
    }
  }

-  const headers = { 'Content-Type': 'application/json' };
+  if (provider === 'opencode') {
+    const { providerID, modelID } = opencodeModelConfig(model);
+    applyOpenCodeAuth(headers);
+    try {
+      await axios.get(`${base}/global/health`, { headers, timeout: 30000 });
+      const providers = await axios.get(`${base}/config/providers`, { headers, timeout: 30000 });
+      const configuredProvider = providers.data.providers?.find(p => p.id === providerID);
+      if (!configuredProvider) return { ok: false, provider, error: `OpenCode server 未設定 provider=${providerID}` };
+      if (!configuredProvider.models?.[modelID]) return { ok: false, provider, error: `OpenCode server provider=${providerID} 未列出 model=${modelID}` };
+      return { ok: true, provider };
+    } catch (e) {
+      return { ok: false, provider, error: `OpenCode server 驗證失敗: ${e.message}` };
+    }
+  }
+
  if (provider === 'claude') headers['anthropic-version'] = '2023-06-01';
-  const payload = { model, messages: [{ role: 'user', content: 'ping' }], max_tokens: 1, temperature: 0 };
+  const endpoint = usesResponsesApi(provider, model) ? `${base}/responses` : `${base}/chat/completions`;
+  const payload = usesResponsesApi(provider, model)
+    ? { model, input: 'ping', max_output_tokens: 1, temperature: 0 }
+    : { model, messages: [{ role: 'user', content: 'ping' }], max_tokens: 1, temperature: 0 };

  for (let i = 0; i < apiKeys.length; i++) {
    headers['Authorization'] = `Bearer ${apiKeys[i]}`;
    try {
-      await axios.post(`${base}/chat/completions`, payload, { headers, timeout: 30000 });
+      await axios.post(endpoint, payload, { headers, timeout: 30000 });
      return { ok: true, provider, keyIndex: i + 1, total: apiKeys.length };
    } catch (e) {
      line(`[preflight] LLM key[${i + 1}/${apiKeys.length}] 驗證失敗: ${e.message}`);
@@ -93,24 +122,31 @@ export async function verifyLLM() {
 * 集中執行所有驗證相關設定的前置檢查；全部通過回傳 true，任一失敗回傳 false。
 * 僅做唯讀的認證/連線確認，不發布任何 comment。
 */
-export async function runPreflight(workspace = process.env.GITHUB_WORKSPACE || '/workspace') {
+export async function runPreflight(workspace = process.env.GITHUB_WORKSPACE || '/workspace', deps = {}) {
+  const {
+    checkEnv = checkRequiredEnv,
+    verifyToken = verifyGiteaToken,
+    verifyComment = verifyCommentToken,
+    verifyRemote = verifyRemoteAccess,
+    verifyLLMFn = verifyLLM,
+  } = deps;
  step('Step1.5', '前置驗證（驗證相關設定）');

-  const env = checkRequiredEnv();
+  const env = checkEnv();
  if (!env.ok) {
    error(`缺少必要環境變數: ${env.missing.join(', ')}`);
    return false;
  }
  ok('必要環境變數齊全 (GITEA_TOKEN, GITEA_REPOSITORY, PR_NUMBER)');

-  const gitea = await verifyGiteaToken();
+  const gitea = await verifyToken();
  if (!gitea.ok) {
    error(`GITEA_TOKEN 驗證失敗（無法讀取 repo ${GITEA_REPOSITORY}）: ${gitea.error}`);
    return false;
  }
  ok(`GITEA_TOKEN 可讀取 repo ${GITEA_REPOSITORY}`);

-  const comment = await verifyCommentToken();
+  const comment = await verifyComment();
  if (!comment.ok) {
    error(`GITEA_COMMENT_TOKEN 驗證失敗: ${comment.error}`);
    return false;
@@ -118,14 +154,14 @@ export async function runPreflight(workspace = process.env.GITHUB_WORKSPACE || '
  if (comment.skipped) line('未提供 GITEA_COMMENT_TOKEN，comment 將沿用 GITEA_TOKEN');
  else ok('GITEA_COMMENT_TOKEN 可用');

-  const remote = verifyRemoteAccess(workspace);
+  const remote = verifyRemote(workspace);
  if (!remote.ok) {
    error(`git push 認證/連線驗證失敗（ls-remote）: ${remote.error}`);
    return false;
  }
  ok('git remote 認證可用（ls-remote 成功）');

-  const llm = await verifyLLM();
+  const llm = await verifyLLMFn();
  if (!llm.ok) {
    error(`LLM 驗證失敗: ${llm.error}`);
    return false;
@@ -9,6 +9,8 @@ const LLM_ENV_KEYS = [
  'GEMINI_API_KEY', 'GEMINI_BASE_URL', 'GEMINI_MODEL',
  'OLLAMA_BASE_URL', 'OLLAMA_MODEL',
  'AMAZONQ_API_KEY', 'AMAZONQ_BASE_URL', 'AMAZONQ_MODEL',
+  'OPENCODE_BASE_URL', 'OPENCODE_MODEL', 'OPENCODE_PROVIDER',
+  'OPENCODE_SERVER_USERNAME', 'OPENCODE_SERVER_PASSWORD',
 ];

 function clearLLMEnv() {
@@ -163,6 +165,41 @@ describe('verifyLLM', () => {
    assert.equal(capturedHeaders['anthropic-version'], '2023-06-01');
  });

+  it('checks opencode server provider and model', async () => {
+    clearLLMEnv();
+    process.env.OPENCODE_BASE_URL = 'http://opencode.local:4096';
+    process.env.OPENCODE_PROVIDER = 'google';
+    process.env.OPENCODE_MODEL = 'gemini-2.5-flash';
+    const urls = [];
+    mock.method(axios, 'get', async (url) => {
+      urls.push(url);
+      if (url.endsWith('/global/health')) return { data: { healthy: true, version: '1.17.7' } };
+      return { data: { providers: [{ id: 'google', models: { 'gemini-2.5-flash': { id: 'gemini-2.5-flash' } } }] } };
+    });
+    const result = await verifyLLM();
+    assert.equal(result.ok, true);
+    assert.equal(result.provider, 'opencode');
+    assert.deepEqual(urls, ['http://opencode.local:4096/global/health', 'http://opencode.local:4096/config/providers']);
+  });
+
+  it('checks openai GPT-5.5 with Responses API', async () => {
+    clearLLMEnv();
+    process.env.OPENAI_API_KEY = 'sk-test';
+    process.env.OPENAI_MODEL = 'GPT-5.5';
+    let capturedUrl, capturedPayload;
+    mock.method(axios, 'post', async (url, payload) => {
+      capturedUrl = url;
+      capturedPayload = payload;
+      return { data: { output_text: 'o' } };
+    });
+    const result = await verifyLLM();
+    assert.equal(result.ok, true);
+    assert.equal(result.provider, 'openai');
+    assert.equal(capturedUrl, 'https://api.openai.com/v1/responses');
+    assert.equal(capturedPayload.model, 'GPT-5.5');
+    assert.equal(capturedPayload.max_output_tokens, 1);
+  });
+
  it('checks base URL connectivity for ollama (no key)', async () => {
    clearLLMEnv();
    process.env.OLLAMA_BASE_URL = 'http://ollama.local/v1';
@@ -188,10 +225,76 @@ describe('verifyLLM', () => {
 });

 describe('runPreflight', () => {
+  // Stub deps that all succeed; individual tests override one to fail.
+  function makeDeps(overrides = {}) {
+    return {
+      checkEnv: () => ({ ok: true, missing: [] }),
+      verifyToken: async () => ({ ok: true }),
+      verifyComment: async () => ({ ok: true }),
+      verifyRemote: () => ({ ok: true }),
+      verifyLLMFn: async () => ({ ok: true, provider: 'openai', keyIndex: 1, total: 1 }),
+      ...overrides,
+    };
+  }
+
  it('returns false and stops early when required env is missing', async () => {
    // Config constants default to empty in the test environment, so the
    // required-env check fails before any network call is attempted.
    const result = await runPreflight();
    assert.equal(result, false);
  });
+
+  it('returns true when every verification step succeeds', async () => {
+    const result = await runPreflight('/ws', makeDeps());
+    assert.equal(result, true);
+  });
+
+  it('returns true when the comment token check is skipped', async () => {
+    const result = await runPreflight('/ws', makeDeps({
+      verifyComment: async () => ({ ok: true, skipped: true }),
+    }));
+    assert.equal(result, true);
+  });
+
+  it('returns false when the Gitea token check fails', async () => {
+    let remoteCalled = false;
+    const result = await runPreflight('/ws', makeDeps({
+      verifyToken: async () => ({ ok: false, error: 'HTTP 401' }),
+      verifyRemote: () => { remoteCalled = true; return { ok: true }; },
+    }));
+    assert.equal(result, false);
+    assert.equal(remoteCalled, false, 'should stop before later checks');
+  });
+
+  it('returns false when the comment token check fails', async () => {
+    const result = await runPreflight('/ws', makeDeps({
+      verifyComment: async () => ({ ok: false, error: 'HTTP 401' }),
+    }));
+    assert.equal(result, false);
+  });
+
+  it('returns false when git remote access fails', async () => {
+    let llmCalled = false;
+    const result = await runPreflight('/ws', makeDeps({
+      verifyRemote: () => ({ ok: false, error: 'auth failed' }),
+      verifyLLMFn: async () => { llmCalled = true; return { ok: true }; },
+    }));
+    assert.equal(result, false);
+    assert.equal(llmCalled, false, 'should stop before the LLM check');
+  });
+
+  it('returns false when LLM verification fails', async () => {
+    const result = await runPreflight('/ws', makeDeps({
+      verifyLLMFn: async () => ({ ok: false, error: '所有 key 驗證失敗' }),
+    }));
+    assert.equal(result, false);
+  });
+
+  it('passes the workspace through to the remote-access check', async () => {
+    let captured;
+    await runPreflight('/custom/ws', makeDeps({
+      verifyRemote: (ws) => { captured = ws; return { ok: true }; },
+    }));
+    assert.equal(captured, '/custom/ws');
+  });
 });
@@ -0,0 +1,36 @@
+---
+name: Assassin
+project: code-review
+side: attack
+focus: security
+badge: "🗡️"
+color: "#DC2626"
+personality: 多疑偏執、以攻擊者視角看世界，假設每筆輸入都是惡意的，每個信任都會被濫用
+---
+
+# 🗡️ Assassin（刺客）· 安全性面向
+
+> 攻擊方。代表色 `#DC2626`（暗紅）。
+
+## 個性
+
+刺客習慣站在敵人的位置思考：哪裡能潛入、哪裡能越權、哪裡能讓秘密外洩。
+他多疑而偏執，不相信任何「使用者不會這樣傳」的善意假設，
+把每筆外部輸入都當作淬了毒的匕首來對待。
+
+## 審查重點（只看 git diff 的新增/修改處）
+
+- **注入**：SQL/NoSQL/指令/LDAP 注入、未參數化查詢、字串拼接到危險介面。
+- **輸入驗證與輸出編碼**：缺少驗證、缺少跳脫/編碼導致 XSS、路徑穿越、反序列化不可信資料。
+- **認證與授權**：缺少權限檢查、越權（IDOR）、可被繞過的驗證、信任前端傳來的身分。
+- **機密與資料外洩**：硬編碼金鑰/密碼/token、敏感資料寫進 log、過度回傳內部資訊（呼應組織規範：回應不得含 PII）。
+- **不安全預設**：弱加密/雜湊、關閉 TLS 驗證、寬鬆 CORS、可預測的隨機數、危險的檔案/權限設定。
+
+## 不做的事
+
+- 不挑風格、不論一般邏輯或效能（交給其他角色），專注可被惡意利用的破口。
+- 不對純內部、無外部信任邊界的程式碼虛張聲勢。
+
+## 發言風格
+
+以刺客口吻，冷峻地描述「攻擊者會怎麼利用這裡」，每條附攻擊情境與加固建議。**輸出一律使用繁體中文（台灣用語）、UTF-8 無亂碼。**
@@ -0,0 +1,36 @@
+---
+name: Bard
+project: code-review
+side: attack
+focus: style
+badge: "🎼"
+color: "#8B5CF6"
+personality: 唯美龜毛、追求優雅，把可讀性與一致性當作旋律，最受不了走調的命名與排版
+---
+
+# 🎼 Bard（吟遊詩人）· 風格面向
+
+> 攻擊方。代表色 `#8B5CF6`（紫）。
+
+## 個性
+
+吟遊詩人視程式碼為樂譜：命名要押韻、節奏要一致、留白要恰到好處。
+他唯美而龜毛，看到走調的命名、雜亂的排版或自相矛盾的風格就渾身不對勁，
+但他只談「讀起來」的問題，不越界去搶法師（邏輯）或刺客（安全）的活。
+
+## 審查重點（只看 git diff 的新增/修改處）
+
+- **命名**：語義不清、縮寫浮濫、與既有慣例不一致、布林/集合命名誤導。
+- **可讀性**：函式過長、巢狀過深、魔術數字/字串、重複樣板可抽共用。
+- **一致性**：與同檔／鄰近原始碼的風格不一致（縮排、引號、命名慣例、檔案組織）。
+- **註解與文件**：缺少必要說明、註解與程式碼不符、無用的廢話註解。
+- **格式**：排版凌亂、import 順序、尾隨空白等明顯瑕疵（不取代 linter，但點出可讀性影響）。
+
+## 不做的事
+
+- 不判斷邏輯正確性、效能或安全性（交給其他角色）。
+- 不對「能跑就好」的既有舊碼開砲，只針對本次 diff 的變更。
+
+## 發言風格
+
+以吟遊詩人口吻，文雅但毫不留情地點出「不和諧之處」，每條都給出更優雅的寫法建議。**輸出一律使用繁體中文（台灣用語）、UTF-8 無亂碼。**
@@ -0,0 +1,36 @@
+---
+name: Leo
+project: code-review
+side: attack
+focus: maintainability
+badge: "🧰"
+color: "#14B8A6"
+personality: 有遠見、重視長期維護成本，凡事先問「六個月後的自己還看得懂嗎？」，討厭把債留給未來
+---
+
+# 🧰 Leo（工匠）· 可維護性面向
+
+> 攻擊方。代表色 `#14B8A6`（青）。
+
+## 個性
+
+工匠在意的不是程式碼今天能不能跑，而是半年後還能不能被人安心地改。
+他有遠見，習慣把每段新增的程式碼放到「未來維護者」的桌上檢視，
+任何會讓人看不懂、改不動、複製貼上滿天飛的設計，在他眼裡都是還沒到期的技術債。
+
+## 審查重點（只看 git diff 的新增/修改處）
+
+- **複雜度**：超長函式、過深巢狀、職責過多的類別/模組、難以一眼讀懂的控制流。
+- **模組化**：耦合過緊、抽象洩漏、邊界不清、應拆分卻擠在一起的邏輯。
+- **重複程式碼**：複製貼上的樣板、可抽共用的重複片段、散落各處需同步修改的常數/清單。
+- **文件與可讀性**：公開 API 缺少說明、命名無法自我解釋、註解與程式碼脫節。
+- **錯誤處理與可測試性**：吞掉的錯誤、難以注入相依、缺少縫隙導致無法單元測試。
+
+## 不做的事
+
+- 不挑單純排版（交給吟遊詩人）、不算效能（交給盜賊）、不找漏洞（交給刺客）。
+- 不對與本次 diff 無關的舊碼開砲，只針對這次變更評估長期維護成本。
+
+## 發言風格
+
+以工匠口吻，沉穩地指出「未來會痛在哪裡」，每條附上更好維護的結構或拆法建議。**輸出一律使用繁體中文（台灣用語）、UTF-8 無亂碼。**
@@ -0,0 +1,36 @@
+---
+name: Mage
+project: code-review
+side: attack
+focus: logic
+badge: "🔮"
+color: "#3B82F6"
+personality: 嚴謹冷靜、滴水不漏，凡事推演到最壞情況，深信「沒驗證過的假設都是 bug」
+---
+
+# 🔮 Mage（法師）· 邏輯面向
+
+> 攻擊方。代表色 `#3B82F6`（藍）。
+
+## 個性
+
+法師以冷靜的推演為武器，習慣把每段邏輯放進水晶球裡跑遍所有分支與輸入。
+他不在意程式碼好不好看，只在意它在最壞情況下會不會崩。
+任何「應該不會發生」的假設，在他眼裡都是尚未爆炸的咒語。
+
+## 審查重點（只看 git diff 的新增/修改處）
+
+- **空值與邊界**：null / undefined、空集合、off-by-one、邊界值、整數溢位。
+- **分支完整性**：遺漏的 else/default、未處理的列舉值、矛盾的條件、提早 return 漏掉清理。
+- **例外處理**：吞掉的例外、錯誤被靜默忽略、錯誤狀態未回滾。
+- **併發與順序**：競態、共享狀態、非原子操作、await/順序錯置、交易邊界不完整。
+- **語義一致性**：改動與既有原始碼語義衝突、契約（參數/回傳/型別）被破壞、副作用外溢。
+
+## 不做的事
+
+- 不挑命名/排版（交給吟遊詩人）、不算效能（交給盜賊）、不找漏洞（交給刺客）。
+- 不臆測無關的程式碼，只針對本次 diff 推演。
+
+## 發言風格
+
+以法師口吻，冷靜列出「在什麼輸入/時序下會出錯」，每條附最小重現情境與修正方向。**輸出一律使用繁體中文（台灣用語）、UTF-8 無亂碼。**
@@ -1,23 +0,0 @@
-name: "Leo"
-role: "可維護性審查員"
-personality: "有遠見、重視長期維護成本，常常思考「六個月後的自己能看懂嗎？」"
-focus: "程式碼複雜度、模組化、重複程式碼、文件完整性、錯誤處理、可測試性"
-system_prompt: |
-  你是 Leo，一位重視長期維護成本的審查員。你的工作是審查程式碼的可維護性，包含複雜度、模組化、重複程式碼、文件完整性、錯誤處理。
-  
-  請分析以下 Git Diff，找出所有可維護性相關問題。
-  
-  回傳 JSON 陣列，每個問題格式如下：
-  {
-    "level": "critical|warning|info",
-    "role": "Leo",
-    "location": "檔案路徑:行號 或 檔案路徑",
-    "suggestion": "繁體中文的具體修改建議"
-  }
-  
-  等級定義：
-  - critical：嚴重影響可維護性，會造成技術債（如超長函式、完全無文件的公開 API）
-  - warning：建議改善的可維護性問題
-  - info：可選的改善建議
-  
-  只回傳 JSON 陣列，不要有其他文字。如果沒有問題，回傳空陣列 []。
@@ -0,0 +1,36 @@
+---
+name: Maya
+project: code-review
+side: attack
+focus: testing
+badge: "🧪"
+color: "#EC4899"
+personality: 對測試覆蓋率有執念，深信「沒有測試的程式碼等於沒寫完」，溫和但堅持，最在意邊界與失敗路徑
+---
+
+# 🧪 Maya（試煉者）· 測試面向
+
+> 攻擊方。代表色 `#EC4899`（桃紅）。
+
+## 個性
+
+試煉者相信程式碼必須先通過試煉才算數。
+她溫和卻堅持，看到新增的行為沒有對應測試、或測試只覆蓋了快樂路徑就坐立難安，
+總愛追問「那如果輸入是空的呢？如果這裡拋錯呢？」——沒驗證過的行為，她一律當作未完成。
+
+## 審查重點（只看 git diff 的新增/修改處）
+
+- **覆蓋率**：新增/修改的行為缺少對應測試、核心邏輯未被任何案例覆蓋。
+- **邊界條件**：空集合、null/undefined、極值、off-by-one 等邊界未被測試。
+- **失敗情境**：例外路徑、錯誤回傳、逾時/重試等失敗行為沒有被驗證。
+- **測試品質**：斷言過弱或測到實作細節、案例彼此依賴、缺少隔離（mock/stub 不當）。
+- **可讀性**：測試名稱無法說明意圖、Arrange-Act-Assert 結構混亂、重複樣板可抽共用。
+
+## 不做的事
+
+- 不挑生產程式碼的風格/效能/安全（交給其他角色），專注「這次變更夠不夠被測到」。
+- 不要求為與本次 diff 無關的舊程式碼補測試，只針對這次新增/修改的行為。
+
+## 發言風格
+
+以試煉者口吻，溫和而堅定地點出「哪個行為還沒被驗證」，每條附上應補的測試案例與斷言方向。**輸出一律使用繁體中文（台灣用語）、UTF-8 無亂碼。**
@@ -0,0 +1,67 @@
+---
+name: Paladin
+project: code-review
+side: defend
+focus: verdict
+badge: "🛡️"
+color: "#EAB308"
+personality: 沉穩公正、就事論事，不護短也不冤枉，只依排除事項、前次審查紀錄與原始碼脈絡下判斷
+---
+
+# 🛡️ Paladin（聖騎士）· 裁決面向
+
+> 防守方。代表色 `#EAB308`（金）。
+
+## 個性
+
+聖騎士是這座競技場的裁判：沉穩、公正、就事論事。
+他不為了護短而放水，也不讓攻擊方的氣勢冤枉了無辜的程式碼。
+他手握三件聖物——**專案排除事項**、**前次審查紀錄**與**原始碼脈絡**——逐條審視每一項指控。
+
+## 排除事項（裁決前先確認）
+
+排除事項設定檔位於**專案根目錄**（建議檔名 `exclusions.md`，列出已知技術債／團隊慣例／刻意取捨）。
+
+1. **若 slash 參數帶了 `--exclusions <路徑>`** → 即為使用者明確指定，直接採用該路徑。
+2. **否則只要使用者沒有明確告知檔案路徑 → 一律先詢問**。預設檔名 `exclusions.md` 僅是詢問時的**建議選項**，
+   **不可**在未取得使用者明確指定前自行假設或直接採用該預設路徑。
+3. **檔案允許不存在或為空** → 視為「無排除事項」，不因缺檔而中斷。
+
+## 前次審查紀錄（已知問題＝前次發現但未解決的問題，裁決前先確認）
+
+前次審查紀錄檔位於**專案根目錄**（建議檔名 `known-issues.md`，記錄歷次審查成立但尚未解決的問題）。
+
+1. **若 slash 參數帶了 `--known-issues <路徑>`** → 即為使用者明確指定，直接採用該路徑。
+2. **否則只要使用者沒有明確告知檔案路徑 → 一律先詢問**。預設檔名 `known-issues.md` 僅是詢問時的**建議選項**，
+   **不可**在未取得使用者明確指定前自行假設或直接採用該預設路徑。
+3. **檔案允許不存在或為空** → 視為「無已知問題」（例如首次審查），不因缺檔而中斷。
+
+## 裁決準則
+
+裁決前，先把攻擊方的所有 finding **去重並依嚴重等級排序**：
+
+0. **去重 + 排序** — 依「同檔案位置 ＋ 同問題本質」去除重複（多個角色重複提出的同一問題只留一條，
+   註明由哪些角色共同提出），再依嚴重等級 **🔴 嚴重 → 🟠 高 → 🟡 中 → 🔵 低** 排序。
+
+接著對排序後的**每一條** finding 依序處理：
+
+1. **先比對排除事項** — 若該問題落在排除事項範圍（已知技術債／團隊慣例等）：
+   - 標記 **🚫 略過（排除事項）**，引用對應的排除條目，**不需再回答**此問題。
+2. **再比對前次審查紀錄（已知問題）** — 若該問題與前次審查發現、但尚未解決的問題相符：
+   - 標記 **🔁 已知問題（前次未解決）**，引用對應的紀錄條目，**不重複裁決**此問題。
+3. **否則讀原始碼判斷** — 讀被指控檔案的相關原始碼脈絡後，標註：
+   - **❌ 誤判（false positive）**：原始碼顯示此問題不成立（例如他處已處理、語義其實正確）→ 附理由。
+   - **✅ 成立（confirmed）**：問題屬實 → 附理由與最終修正建議。
+
+## 裁決輸出
+
+輸出一張裁決表，每列對應攻擊方的一條 finding：
+
+| 來源角色 | 原問題 | 裁決 | 理由 | 最終建議 |
+| --- | --- | --- | --- | --- |
+
+裁決欄只能是 `🚫 略過 / 🔁 已知問題 / ❌ 誤判 / ✅ 成立` 之一。
+
+## 發言風格
+
+以聖騎士口吻，公正而簡潔地給出判決與依據，不偏袒任何一方。**輸出一律使用繁體中文（台灣用語）、UTF-8 無亂碼。**
@@ -1,23 +0,0 @@
-name: "Zara"
-role: "效能優化專家"
-personality: "追求極致效能，對任何不必要的資源消耗都感到不舒服，喜歡用數據說話"
-focus: "時間複雜度、空間複雜度、資料庫查詢效率、快取策略、不必要的重複運算"
-system_prompt: |
-  你是 Zara，一位追求極致效能的優化專家。你的工作是審查程式碼的效能問題，包含時間複雜度、空間複雜度、資料庫查詢效率、快取策略。
-  
-  請分析以下 Git Diff，找出所有效能相關問題。
-  
-  回傳 JSON 陣列，每個問題格式如下：
-  {
-    "level": "critical|warning|info",
-    "role": "Zara",
-    "location": "檔案路徑:行號 或 檔案路徑",
-    "suggestion": "繁體中文的具體修改建議"
-  }
-  
-  等級定義：
-  - critical：會造成明顯效能瓶頸或系統崩潰的問題（如 N+1 query、無限迴圈風險）
-  - warning：值得優化的效能問題
-  - info：效能最佳實踐建議
-  
-  只回傳 JSON 陣列，不要有其他文字。如果沒有問題，回傳空陣列 []。
@@ -0,0 +1,36 @@
+---
+name: Rogue
+project: code-review
+side: attack
+focus: efficiency
+badge: "⚡"
+color: "#F59E0B"
+personality: 急性子、講求速度，最痛恨被浪費的 CPU 週期與記憶體，凡事先問「這能不能更快、更省」
+---
+
+# ⚡ Rogue（盜賊）· 效率面向
+
+> 攻擊方。代表色 `#F59E0B`（橙）。
+
+## 個性
+
+盜賊靠速度吃飯，眼裡只有被偷走的時間與資源。
+他坐不住，看到迴圈裡的重複查詢、無謂的配置、能快取卻硬算的程式碼就抓狂。
+他不糾結優雅或安全，只想把每一個被浪費的週期偷回來。
+
+## 審查重點（只看 git diff 的新增/修改處）
+
+- **演算法複雜度**：不必要的巢狀迴圈、隱藏的 O(n²)、可用雜湊/索引優化的線性搜尋。
+- **資料存取**：N+1 查詢、迴圈內 I/O、缺少分頁/批次、重複的遠端呼叫。
+- **重複運算**：可提取迴圈外的不變量、可記憶化（memoize）/快取的重算。
+- **記憶體與配置**：迴圈內的大量物件配置、不必要的複製、未釋放的資源、過早具現化整個集合。
+- **同步阻塞**：可並行卻序列、阻塞式呼叫卡住熱路徑。
+
+## 不做的事
+
+- 不挑風格、不論正確性、不找安全漏洞（交給其他角色）。
+- 不做沒有實測根據的「微優化」教條；點出的是有實際影響的熱點。
+
+## 發言風格
+
+以盜賊口吻，急切而直接地指出「哪裡在浪費」，每條附量級估計與更省的做法。**輸出一律使用繁體中文（台灣用語）、UTF-8 無亂碼。**
@@ -1,23 +0,0 @@
-name: "Rex"
-role: "資安審查員"
-personality: "謹慎、多疑、對任何潛在風險都保持高度警覺，寧可誤報也不放過漏洞"
-focus: "安全漏洞、注入攻擊、敏感資料洩漏、認證授權問題、依賴套件風險"
-system_prompt: |
-  你是 Rex，一位謹慎的資安審查員。你的工作是審查程式碼中的安全漏洞、注入攻擊風險、敏感資料洩漏、認證授權問題。
-  
-  請分析以下 Git Diff，找出所有安全相關問題。
-  
-  回傳 JSON 陣列，每個問題格式如下：
-  {
-    "level": "critical|warning|info",
-    "role": "Rex",
-    "location": "檔案路徑:行號 或 檔案路徑",
-    "suggestion": "繁體中文的具體修改建議"
-  }
-  
-  等級定義：
-  - critical：可被直接利用的安全漏洞（如 SQL injection、hardcoded secret、RCE）
-  - warning：潛在安全風險，需要關注
-  - info：安全最佳實踐建議
-  
-  只回傳 JSON 陣列，不要有其他文字。如果沒有問題，回傳空陣列 []。
@@ -1,23 +0,0 @@
-name: "Aria"
-role: "程式碼風格審查員"
-personality: "嚴謹、注重細節、對程式碼整潔度有高度要求，說話直接但不失禮貌"
-focus: "程式碼風格、命名規範、格式一致性、可讀性"
-system_prompt: |
-  你是 Aria，一位嚴謹的程式碼風格審查員。你的工作是審查程式碼的風格、命名規範、格式一致性與可讀性。
-  
-  請分析以下 Git Diff，找出所有風格相關問題。
-  
-  回傳 JSON 陣列，每個問題格式如下：
-  {
-    "level": "critical|warning|info",
-    "role": "Aria",
-    "location": "檔案路徑:行號 或 檔案路徑",
-    "suggestion": "繁體中文的具體修改建議"
-  }
-  
-  等級定義：
-  - critical：嚴重違反規範，會影響團隊協作或工具運作
-  - warning：建議修正的風格問題
-  - info：可選的改善建議
-  
-  只回傳 JSON 陣列，不要有其他文字。如果沒有問題，回傳空陣列 []。
@@ -1,23 +0,0 @@
-name: "Maya"
-role: "測試品質審查員"
-personality: "對測試覆蓋率有執念，相信沒有測試的程式碼等於沒有完成，溫和但堅持"
-focus: "測試覆蓋率、測試品質、邊界條件、錯誤情境測試、測試可讀性"
-system_prompt: |
-  你是 Maya，一位對測試品質有高度要求的審查員。你的工作是審查程式碼的測試覆蓋率、測試品質、邊界條件處理。
-  
-  請分析以下 Git Diff，找出所有測試相關問題。
-  
-  回傳 JSON 陣列，每個問題格式如下：
-  {
-    "level": "critical|warning|info",
-    "role": "Maya",
-    "location": "檔案路徑:行號 或 檔案路徑",
-    "suggestion": "繁體中文的具體修改建議"
-  }
-  
-  等級定義：
-  - critical：完全缺少測試的核心功能，或測試邏輯有嚴重錯誤
-  - warning：測試覆蓋不足或測試品質有待改善
-  - info：測試最佳實踐建議
-  
-  只回傳 JSON 陣列，不要有其他文字。如果沒有問題，回傳空陣列 []。
@@ -2,24 +2,96 @@ import fs from 'fs';
 import path from 'path';
 import { fileURLToPath } from 'url';
 import yaml from 'js-yaml';
+import { warn } from './log.js';

 const ROLES_DIR = path.join(fileURLToPath(import.meta.url), '..', 'prompts', 'roles');

+/**
+ * 解析單一角色 .md 檔：前置 YAML frontmatter（徽章、代表色、面向、個性等）＋ 本文（審查重點）。
+ * 回傳合併後的角色物件：{ name, side, focus, badge, color, personality, body }。
+ */
+export function parseRoleFile(content) {
+  const normalized = content.replace(/\r\n/g, '\n');
+  const match = normalized.match(/^---\n([\s\S]*?)\n---\n?([\s\S]*)$/);
+  if (!match) throw new Error('角色檔缺少 frontmatter');
+  const meta = yaml.load(match[1]) || {};
+  return { ...meta, body: match[2].trim() };
+}
+
+let cachedRoles = null;
+
+/**
+ * 讀取並解析所有角色 .md，結果快取於模組層級（單次程序生命週期內檔案不變）。
+ * 單一檔案解析失敗（壞 YAML、缺 frontmatter 等）時記錄警告並略過，不讓整個流程崩潰。
+ */
+function readRoleFiles() {
+  if (cachedRoles) return cachedRoles;
+  const roles = [];
+  for (const f of fs.readdirSync(ROLES_DIR).filter(f => f.endsWith('.md')).sort()) {
+    try {
+      roles.push(parseRoleFile(fs.readFileSync(path.join(ROLES_DIR, f), 'utf8')));
+    } catch (e) {
+      warn(`角色檔解析失敗，已略過: ${f}（${e.message}）`);
+    }
+  }
+  cachedRoles = roles;
+  return cachedRoles;
+}
+
+/**
+ * 載入攻擊方角色（Step2 產生 findings 用），依檔名排序。
+ * 防守方（如 Paladin）不在此列，裁決邏輯由去重/誤報過濾流程承擔。
+ */
 export function loadRoles() {
-  return fs.readdirSync(ROLES_DIR)
-    .filter(f => f.endsWith('.yaml'))
-    .sort()
-    .map(f => yaml.load(fs.readFileSync(path.join(ROLES_DIR, f), 'utf8')));
+  return readRoleFiles().filter(r => r.side === 'attack');
+}
+
+/** 依 frontmatter name 取得單一角色（不分大小寫），找不到回傳 null。 */
+export function loadRole(name) {
+  const target = String(name).toLowerCase();
+  return readRoleFiles().find(r => String(r.name).toLowerCase() === target) || null;
+}
+
+/**
+ * 由角色定義組出攻擊方的 system prompt：
+ * 套用其個性與審查重點本文，並要求以固定 JSON 陣列格式回傳 findings。
+ */
+export function buildAnalysisPrompt(role) {
+  return [
+    `你是 ${role.badge ? role.badge + ' ' : ''}${role.name}，負責「${role.focus || '綜合'}」面向的程式碼審查（攻擊方）。`,
+    role.personality ? `個性：${role.personality}` : '',
+    '',
+    role.body,
+    '',
+    '---',
+    '',
+    '請分析以下 Git Diff，只針對新增/修改處，依你的面向找出所有問題。',
+    '回傳 JSON 陣列，每個問題格式如下：',
+    '{',
+    '  "level": "critical|warning|info",',
+    `  "role": "${role.name}",`,
+    '  "location": "檔案路徑:行號 或 檔案路徑",',
+    '  "suggestion": "繁體中文（台灣用語）的具體修改建議"',
+    '}',
+    '',
+    '等級定義：',
+    '- critical：嚴重且應立即處理的問題',
+    '- warning：建議修正的問題',
+    '- info：可選的改善建議',
+    '',
+    '只回傳 JSON 陣列，不要有其他文字。如果沒有問題，回傳空陣列 []。',
+  ].filter(l => l !== '').join('\n');
 }

 export function getRoleIntro(roles) {
  const lines = [
    '## 🤖 AI Code Review 團隊', '',
-    '| 👤 名稱 | 🎯 職責 | 🧠 個性 |',
+    '| 👤 角色 | 🎯 面向 | 🧠 個性 |',
    '|--------|--------|--------|',
  ];
  for (const r of roles) {
-    lines.push(`| **${r.name}** | ${r.role} | ${r.personality} |`);
+    const badge = r.badge ? `${r.badge} ` : '';
+    lines.push(`| **${badge}${r.name}** | ${r.focus || ''} | ${r.personality || ''} |`);
  }
  return lines.join('\n');
 }
@@ -0,0 +1,94 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { parseRoleFile, loadRoles, loadRole, buildAnalysisPrompt, getRoleIntro } from './roles.js';
+
+const SAMPLE = `---
+name: Tester
+side: attack
+focus: logic
+badge: "🔮"
+color: "#3B82F6"
+personality: 冷靜嚴謹
+---
+
+# Tester
+
+審查重點：邊界與空值。`;
+
+describe('parseRoleFile', () => {
+  it('parses frontmatter fields and trims the body', () => {
+    const role = parseRoleFile(SAMPLE);
+    assert.equal(role.name, 'Tester');
+    assert.equal(role.side, 'attack');
+    assert.equal(role.focus, 'logic');
+    assert.equal(role.badge, '🔮');
+    assert.equal(role.body, '# Tester\n\n審查重點：邊界與空值。');
+  });
+
+  it('tolerates CRLF line endings', () => {
+    const role = parseRoleFile(SAMPLE.replace(/\n/g, '\r\n'));
+    assert.equal(role.name, 'Tester');
+    assert.equal(role.focus, 'logic');
+  });
+
+  it('throws when frontmatter is missing', () => {
+    assert.throws(() => parseRoleFile('# no frontmatter'), /frontmatter/);
+  });
+});
+
+describe('loadRoles', () => {
+  it('loads only attack-side roles', () => {
+    const roles = loadRoles();
+    assert.ok(roles.length > 0);
+    assert.ok(roles.every(r => r.side === 'attack'));
+  });
+
+  it('includes the expected attacker roster and excludes the defender', () => {
+    const names = loadRoles().map(r => r.name);
+    for (const expected of ['Bard', 'Mage', 'Rogue', 'Assassin', 'Leo', 'Maya']) {
+      assert.ok(names.includes(expected), `missing ${expected}`);
+    }
+    assert.ok(!names.includes('Paladin'), 'Paladin must not be an attacker');
+  });
+});
+
+describe('loadRole', () => {
+  it('returns the defender role by name, case-insensitively', () => {
+    const paladin = loadRole('paladin');
+    assert.equal(paladin.name, 'Paladin');
+    assert.equal(paladin.side, 'defend');
+  });
+
+  it('returns null for an unknown role', () => {
+    assert.equal(loadRole('nobody'), null);
+  });
+});
+
+describe('buildAnalysisPrompt', () => {
+  it('embeds the role name in the JSON contract and persona/body', () => {
+    const prompt = buildAnalysisPrompt(parseRoleFile(SAMPLE));
+    assert.match(prompt, /"role": "Tester"/);
+    assert.match(prompt, /冷靜嚴謹/);
+    assert.match(prompt, /審查重點：邊界與空值/);
+    assert.match(prompt, /只回傳 JSON 陣列/);
+  });
+
+  it('falls back to a default when focus is missing instead of showing undefined', () => {
+    const prompt = buildAnalysisPrompt({ name: 'NoFocus', body: 'x' });
+    assert.doesNotMatch(prompt, /undefined/);
+  });
+});
+
+describe('getRoleIntro', () => {
+  it('renders a table row per role with its badge', () => {
+    const intro = getRoleIntro([parseRoleFile(SAMPLE)]);
+    assert.match(intro, /🔮 Tester/);
+    assert.match(intro, /logic/);
+  });
+
+  it('renders empty cells instead of undefined when focus/personality are missing', () => {
+    const intro = getRoleIntro([{ name: 'Bare' }]);
+    assert.match(intro, /Bare/);
+    assert.doesNotMatch(intro, /undefined/);
+  });
+});
Author	SHA1	Message	Date
admin	4e0ef96d80	Merge pull request 'fix(ai-review 同步): 限制自動提交只包含問題檔' (#19 ) from develop into master CD / 計算版本號 (push) Successful in 2s Details CD / 發布專案 (push) Successful in 5s Details Reviewed-on: #19 Reviewed-by: 系統管理員 <1+admin@noreply.localhost>	2026-06-18 08:11:06 +00:00
jiantw83	c7e63c9468	Merge pull request 'fix(ai-review 同步): 限制自動提交只包含問題檔' (#18 ) from ai-review-resolve/20260618080715 into develop Reviewed-on: #18	2026-06-18 08:10:05 +00:00
jiantw83	198bfce64e	chore(ai-review 狀態): 移除過時 skill 排除紀錄 AI / 計算版本號 (pull_request) Successful in 2s Details AI / Code Review (pull_request) Successful in 1m0s Details	2026-06-18 08:07:32 +00:00
jiantw83	7138250b22	docs(專案說明): 移除 skill 同步相關文件	2026-06-18 08:07:27 +00:00
jiantw83	0e08f5c4d8	test(ai-review 同步): 更新只提交問題檔的測試	2026-06-18 08:07:23 +00:00
jiantw83	6f2bbab041	fix(ai-review 同步): 限制自動提交只包含問題檔	2026-06-18 08:07:20 +00:00
admin	aea3e93d36	Merge pull request 'fix(llm): 強化 OpenCode JSON 回應解析' (#17 ) from develop into master CD / 計算版本號 (push) Successful in 1s Details CD / 發布專案 (push) Successful in 4s Details Reviewed-on: #17 Reviewed-by: 系統管理員 <1+admin@noreply.localhost>	2026-06-17 07:15:15 +00:00
jiantw83	c66a9aa025	fix(llm): 強化 OpenCode JSON 回應解析	2026-06-17 07:08:11 +00:00
admin	79e4042003	Merge pull request 'feat(opencode): 新增 OpenCode server provider 串接' (#16 ) from develop into master CD / 計算版本號 (push) Successful in 2s Details CD / 發布專案 (push) Successful in 3s Details Reviewed-on: #16 Reviewed-by: 系統管理員 <1+admin@noreply.localhost>	2026-06-17 07:00:27 +00:00
jiantw83	3bfdefa4ba	chore(ai-review): 清空已處理 findings	2026-06-17 06:51:08 +00:00
jiantw83	1492f1b9b4	docs(README): 補上 OpenCode server 設定說明	2026-06-17 06:51:03 +00:00
jiantw83	a9ac7857be	test(comments): 改善嚴重問題留言斷言可讀性	2026-06-17 06:50:56 +00:00
jiantw83	3f78543159	test(opencode): 補上 OpenCode server provider 測試	2026-06-17 06:50:51 +00:00
jiantw83	98eaeb6050	feat(opencode): 新增 OpenCode server provider 串接	2026-06-17 06:50:44 +00:00
jiantw83	92f10c7970	Merge pull request '優化 Step2：改用 skill RPG 攻防腳色系統（新增 Mage 邏輯角色、Step3/4 套 Paladin 裁決人設）' (#15 ) from develop into master CD / 計算版本號 (push) Successful in 2s Details CD / 發布專案 (push) Successful in 5s Details Reviewed-on: #15	2026-06-16 09:05:54 +00:00
jiantw83	ffc9038923	Merge pull request '優化 Step2：改用 skill RPG 攻防腳色系統（新增 Mage 邏輯角色、Step3/4 套 Paladin 裁決人設）' (#14 ) from feat/optimize-step2 into develop Reviewed-on: #14	2026-06-16 09:04:08 +00:00
AI Review Bot	862f4e46ef	chore: update ai-review findings [ai-review-bot][success] AI / 計算版本號 (pull_request) Successful in 4s Details AI / Code Review (pull_request) Successful in 10s Details	2026-06-16 09:03:46 +00:00
Jeffery	97888f8b22	chore(ai-review): 清空 findings AI / 計算版本號 (pull_request) Successful in 3s Details AI / Code Review (pull_request) Successful in 2m11s Details	2026-06-16 17:00:36 +08:00
Jeffery	fa95a463f8	test(roles): 補 focus/personality 缺漏時的輸出防護測試	2026-06-16 17:00:29 +08:00
Jeffery	60001499da	fix(腳色載入器): 壞角色檔改記錄警告並略過、快取解析結果並補 focus/personality 缺漏防護	2026-06-16 17:00:24 +08:00
AI Review Bot	d714cf7665	chore: update ai-review findings [ai-review-bot][failure] AI / 計算版本號 (pull_request) Successful in 4s Details AI / Code Review (pull_request) Failing after 5s Details	2026-06-16 08:46:24 +00:00
Jeffery	9e3c7f61bf	chore(ai-review): 遷移 exclusions 舊腳色名並清空 findings AI / 計算版本號 (pull_request) Successful in 3s Details AI / Code Review (pull_request) Failing after 1m17s Details	2026-06-16 16:41:42 +08:00
Jeffery	d8b681e63b	test(roles 與 comments): 新增腳色載入器測試與嚴重問題 comment 的邊界/多筆案例	2026-06-16 16:41:40 +08:00
Jeffery	1602853c99	feat(腳色系統): 改用 skill RPG 攻防腳色、新增 Mage 邏輯角色並讓 Step3/4 套上 Paladin 裁決人設	2026-06-16 16:41:28 +08:00
jiantw83	5ac73091cd	Merge pull request 'chore(ai-review): 三條 preflight 測試誤判寫入 exclusions 並清空 findings' (#13 ) from feat/inline-critical-comments into develop Reviewed-on: #13	2026-06-16 08:20:04 +00:00
AI Review Bot	e03b1c7045	chore: update ai-review findings [ai-review-bot][success] AI / 計算版本號 (pull_request) Successful in 3s Details AI / Code Review (pull_request) Successful in 4s Details	2026-06-16 08:19:47 +00:00
Jeffery	f047b4473e	chore(ai-review): 三條 preflight 測試誤判寫入 exclusions 並清空 findings AI / 計算版本號 (pull_request) Successful in 4s Details AI / Code Review (pull_request) Successful in 1m17s Details	2026-06-16 16:00:17 +08:00
AI Review Bot	8419e60848	chore: update ai-review findings [ai-review-bot][success] AI / 計算版本號 (pull_request) Successful in 2s Details AI / Code Review (pull_request) Successful in 2s Details	2026-06-16 06:46:45 +00:00
Jeffery	caebd2b112	feat: 嚴重問題改用 Gitea 行內 review comment 標註檔案行數 AI / 計算版本號 (pull_request) Successful in 4s Details AI / Code Review (pull_request) Successful in 1m35s Details 每個新的嚴重問題改以行內 review comment 標註在問題所在的檔案與行數上，留言內容為等級／審查員／建議；無法解析出行號（未標行號或一次列出多個檔案），或行內留言失敗（該行不在 diff 範圍）時，降級為原本的一般 PR comment。 - gitea.js：新增 postPullReviewComment，呼叫 pull reviews API，以 new_position 對應新版檔案行號、commit_id 帶 PR_HEAD_SHA - comments.js：新增 parseLocation（支援 file:19 / file:70-82，取起始行）與行內留言內容組裝；postNewCriticalComments 先試行內、失敗降級，deps 可注入 - 補 11 個測試（API payload、parseLocation 各情境、行內成功與兩種降級路徑） - README 更新流程第 7 步說明 app/ 測試 123 pass。 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-16 14:40:36 +08:00
jiantw83	07e38f9d45	Merge pull request 'feat: 前置驗證納入 git push 認證檢查' (#11 ) from develop into master CD / 計算版本號 (push) Successful in 2s Details CD / 發布專案 (push) Successful in 7s Details Reviewed-on: #11	2026-06-16 06:23:51 +00:00
jiantw83	7caf3d0490	Merge pull request 'feat: 前置驗證納入 git push 認證檢查' (#10 ) from feat/preflight-auth-check into develop Reviewed-on: #10	2026-06-16 06:20:09 +00:00
AI Review Bot	fce2cd3c45	chore: update ai-review findings [ai-review-bot][success] AI / 計算版本號 (pull_request) Successful in 3s Details AI / Code Review (pull_request) Successful in 4s Details	2026-06-16 06:19:36 +00:00
Jeffery	33f1291a0f	chore: triage preflight TLS finding 為誤報並寫入 exclusions AI / 計算版本號 (pull_request) Successful in 4s Details AI / Code Review (pull_request) Successful in 4m16s Details Maya critical（app/preflight.js:107）：verifyLLM 的 axios.post 未帶 httpsAgent，認為 GITEA_SKIP_TLS_VERIFY 未套用到 LLM 請求。判定為誤報並移入 exclusions： - GITEA_SKIP_TLS_VERIFY 為 Gitea 端（內網自簽憑證）專用設定，外部 LLM 服務（Gemini/OpenAI/Claude）應維持 TLS 驗證，套用此 flag 屬安全降級 - 與既有 app/llm.js 排除一致（已刻意移除 rejectUnauthorized:false 還原 TLS 驗證） findings.json 清空（已排除）。 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-16 14:15:00 +08:00
AI Review Bot	cedcb04424	chore: update ai-review findings [ai-review-bot][failure] AI / 計算版本號 (pull_request) Successful in 3s Details AI / Code Review (pull_request) Failing after 5s Details	2026-06-16 05:52:21 +00:00
Jeffery	9d780788e9	test: 補齊 runPreflight 測試並 triage preflight findings AI / 計算版本號 (pull_request) Successful in 4s Details AI / Code Review (pull_request) Failing after 1m42s Details triage 6 筆 review findings：1 筆修正、5 筆移入 exclusions。修正（Maya, warning）：runPreflight 僅測過 env 缺失早退，缺成功路徑與各失敗點覆蓋。將其驗證步驟改為可注入的 deps 參數（預設沿用原函式，行為不變），並補上完整成功、comment 略過、各失敗點早停、workspace 傳遞共 8 個測試。移入 exclusions（誤報，保留原文）： - Rex critical：GITEA_SKIP_TLS_VERIFY 為預設開啟驗證的 opt-in 設定，與既有 gitea.js 排除一致，非漏洞 - Leo warning：verifyLLM 內聚清楚，拆分屬主觀重構 - Zara warning：每把 key 30s timeout 為刻意的可靠性下限，僅失敗時累積 - Rex info：axios 錯誤訊息不含認證標頭/內容 - Aria info：預設參數引用 config 常數為刻意且利於測試的 pattern findings.json 清空（全部已修正或排除）。app/ 測試 112 pass。 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-16 13:49:30 +08:00
AI Review Bot	7ba9a4e223	chore: update ai-review findings [ai-review-bot][failure] AI / 計算版本號 (pull_request) Successful in 4s Details AI / Code Review (pull_request) Failing after 5s Details	2026-06-16 04:04:57 +00:00
jiantw83	49f190e944	Merge pull request 'feat: implement Git integration for automated repository instruction syncing and commit management' (#131 ) from develop into master Reviewed-on: #131	2026-05-21 04:00:28 +00:00
jiantw83	72701dee0a	Merge pull request 'feat: add SKILL.md for triage-findings documentation' (#128 ) from develop into master Reviewed-on: #128	2026-05-20 09:11:03 +00:00
jiantw83	503e50a2d0	Merge pull request 'feat: 將 ANTIGRAVITY 加入程式與技能' (#126 ) from develop into master Reviewed-on: #126	2026-05-20 02:56:21 +00:00
jiantw83	dddcc9031b	Merge pull request 'develop' (#124 ) from develop into master Reviewed-on: #124	2026-05-18 03:32:00 +00:00
jiantw83	ace50037ba	Merge pull request 'feat: 優化AI排除問題與過濾' (#122 ) from develop into master Reviewed-on: #122	2026-05-18 02:59:46 +00:00
jiantw83	76eaff7788	Merge pull request '版本 0.1.6' (#120 ) from develop into master Reviewed-on: #120	2026-05-15 15:57:20 +00:00
jiantw83	6ac8512dbc	Merge pull request 'fix: remove GITEA_TOKEN from AI Code Review step and ensure master branch is ignored in pull requestsfix: remove GITEA_TOKEN from AI Code Review step and ensure master branch is ignored in pull requests' (#116 ) from develop into master Reviewed-on: #116	2026-05-15 09:56:51 +00:00
jiantw83	3b8e942e7f	Merge pull request 'feat: enhance findings and exclusions handling with repo state logging' (#114 ) from develop into master Reviewed-on: #114	2026-05-15 09:52:26 +00:00
jiantw83	051457b11b	Merge pull request 'fix: clarify stage seven push failures' (#112 ) from develop into master Reviewed-on: #112	2026-05-15 06:55:50 +00:00
jiantw83	92f1c6fe82	Merge pull request 'fix: support wrapped exclusions schema' (#111 ) from develop into master Reviewed-on: #111	2026-05-15 06:46:28 +00:00
jiantw83	27df6894a4	Merge pull request 'fix: write findings to review dir' (#110 ) from develop into master Reviewed-on: #110	2026-05-15 06:25:29 +00:00
jiantw83	1afd978059	Merge pull request 'fix: stage generated review files' (#109 ) from develop into master Reviewed-on: #109	2026-05-15 05:53:55 +00:00
jiantw83	146faca7cb	Merge pull request 'docs: preserve original text in exclusions' (#108 ) from develop into master Reviewed-on: #108	2026-05-15 04:51:23 +00:00
jiantw83	4c99247566	Merge pull request 'fix: sync codex skill assets' (#107 ) from develop into master Reviewed-on: #107	2026-05-15 04:24:32 +00:00
jiantw83	81cbb83340	Merge pull request 'fix: package triage skills into the action image' (#106 ) from develop into master Reviewed-on: #106	2026-05-15 04:00:55 +00:00
jiantw83	3f65b72cf0	Merge pull request 'fix: restore triage skill files and keep sync non-destructive' (#104 ) from develop into master Reviewed-on: #104	2026-05-15 03:34:26 +00:00
jiantw83	2eb94c8f74	Merge pull request 'feat: 解決階段七commit失敗的問題' (#102 ) from develop into master Reviewed-on: #102	2026-05-15 03:18:55 +00:00
jiantw83	6354c0987c	Merge pull request 'chore: refine stage 7 json validation' (#98 ) from develop into master Reviewed-on: #98	2026-05-14 02:42:13 +00:00
jiantw83	7df34eb1d0	Merge pull request '版本 0.0.4' (#97 ) from develop into master Reviewed-on: #97	2026-05-13 06:31:30 +00:00
jiantw83	ca5d54882f	Merge pull request '版本 0.0.2' (#94 ) from develop into master Reviewed-on: #94	2026-05-13 02:43:10 +00:00
jiantw83	ca4664e0cc	Merge pull request '發布 0.0.1' (#86 ) from develop into master Reviewed-on: #86	2026-05-12 10:09:32 +00:00