From a3b268c82386d8bdee020c5979ebdf24b24031f3 Mon Sep 17 00:00:00 2001 From: AI Review Bot Date: Sat, 16 May 2026 15:12:19 +0000 Subject: [PATCH] chore: update ai-review findings [ai-review-bot][failure] --- .amazonq/rules/triage-findings.md | 14 +++++ .claude/skills/triage-findings/SKILL.md | 29 ++++++++++ .codex/skills/triage-findings/SKILL.md | 45 ++++++++++++++ .../skills/triage-findings/agents/openai.yaml | 4 ++ .gemini/skills/triage-findings/SKILL.md | 29 ++++++++++ .gitea/ai-review/findings.json | 58 +++++++++++++++++++ .github/copilot-instructions.md | 14 +++++ .github/skills/triage-findings/SKILL.md | 14 +++++ CLAUDE.md | 16 +++++ GEMINI.md | 14 +++++ 10 files changed, 237 insertions(+) create mode 100644 .amazonq/rules/triage-findings.md create mode 100644 .claude/skills/triage-findings/SKILL.md create mode 100644 .codex/skills/triage-findings/SKILL.md create mode 100644 .codex/skills/triage-findings/agents/openai.yaml create mode 100644 .gemini/skills/triage-findings/SKILL.md create mode 100644 .gitea/ai-review/findings.json create mode 100644 .github/copilot-instructions.md create mode 100644 .github/skills/triage-findings/SKILL.md create mode 100644 CLAUDE.md create mode 100644 GEMINI.md diff --git a/.amazonq/rules/triage-findings.md b/.amazonq/rules/triage-findings.md new file mode 100644 index 0000000..4b65ce1 --- /dev/null +++ b/.amazonq/rules/triage-findings.md @@ -0,0 +1,14 @@ +# Triage Findings + +When the task is to triage review findings, follow this workflow: + +1. Merge all findings into one list. +2. Remove duplicates. +3. Sort by severity: `critical` -> `warning` -> `info`. +4. Renumber from 1 after sorting. +5. Fix real issues with the smallest safe change. +6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +7. Add or update tests when behavior changes. +8. Re-check the issue after each fix. + +Use the repo-local `triage-findings` skill for the same workflow when running in Codex. diff --git a/.claude/skills/triage-findings/SKILL.md b/.claude/skills/triage-findings/SKILL.md new file mode 100644 index 0000000..c4ab450 --- /dev/null +++ b/.claude/skills/triage-findings/SKILL.md @@ -0,0 +1,29 @@ +--- +name: triage-findings +description: Triage findings, fix real issues, and exclude false positives. +--- + +# Triage Findings + +## Use + +直接輸入:`triage-findings 問題原始檔(文字或截圖)` + +## Workflow + +1. Merge all findings. +2. Sort by severity: + - critical + - warning + - info +3. Renumber from 1. +4. Fix real issues. +5. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +6. Add tests when behavior changes. + +## Output Rules + +- Keep the final list short. +- Keep numbering contiguous. +- Preserve file path, location, and fix. +- When writing exclusions, prefer the original issue text over paraphrased rewrites. diff --git a/.codex/skills/triage-findings/SKILL.md b/.codex/skills/triage-findings/SKILL.md new file mode 100644 index 0000000..21476cb --- /dev/null +++ b/.codex/skills/triage-findings/SKILL.md @@ -0,0 +1,45 @@ +--- +name: triage-findings +description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions. +--- + +# Triage Findings + +## When To Use + +Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list. +It is also used when some findings are false positives and should be moved into the exclusions list. + +## Workflow + +1. Collect all findings into one list. +2. Merge duplicates into a single finding when they describe the same issue. +3. Sort the final list by severity: + - critical + - warning + - info +4. Renumber the sorted list from 1 upward. +5. Rewrite each finding concisely so the final list reads cleanly and consistently. +6. If a finding is a false positive, do not keep it in the final list. +7. Add false positives to the exclusions list using the existing schema in the repo or task context, and preserve the original finding wording as much as possible, including language and semantics. + +## Resolution Flow + +After the list is merged and ordered, resolve the remaining findings one by one. + +1. Start from the highest severity item. +2. Identify the root cause in the relevant file or context. +3. Apply the smallest safe change that fixes the issue. +4. Add or update tests when behavior changes. +5. Re-check the issue after the change. +6. If the item is confirmed false positive, move it to exclusions instead of changing code. +7. Continue until the list is either fixed or explicitly excluded. + +## Output Rules + +- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable. +- Keep numbering contiguous after filtering and merging. +- Preserve useful details like file path, location, and suggested fix. +- Keep exclusions entries minimal and consistent with the project schema. +- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema. +- If the source already provides a severity or title, keep it unless it conflicts with the final ordering. diff --git a/.codex/skills/triage-findings/agents/openai.yaml b/.codex/skills/triage-findings/agents/openai.yaml new file mode 100644 index 0000000..6f59e2c --- /dev/null +++ b/.codex/skills/triage-findings/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Triage Findings" + short_description: "Triage, sort, fix, and exclude review findings" + default_prompt: "Use $triage-findings to merge review findings, sort and renumber them by severity, resolve real issues one by one, and add false positives to exclusions." diff --git a/.gemini/skills/triage-findings/SKILL.md b/.gemini/skills/triage-findings/SKILL.md new file mode 100644 index 0000000..c4ab450 --- /dev/null +++ b/.gemini/skills/triage-findings/SKILL.md @@ -0,0 +1,29 @@ +--- +name: triage-findings +description: Triage findings, fix real issues, and exclude false positives. +--- + +# Triage Findings + +## Use + +直接輸入:`triage-findings 問題原始檔(文字或截圖)` + +## Workflow + +1. Merge all findings. +2. Sort by severity: + - critical + - warning + - info +3. Renumber from 1. +4. Fix real issues. +5. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +6. Add tests when behavior changes. + +## Output Rules + +- Keep the final list short. +- Keep numbering contiguous. +- Preserve file path, location, and fix. +- When writing exclusions, prefer the original issue text over paraphrased rewrites. diff --git a/.gitea/ai-review/findings.json b/.gitea/ai-review/findings.json new file mode 100644 index 0000000..1280c8a --- /dev/null +++ b/.gitea/ai-review/findings.json @@ -0,0 +1,58 @@ +[ + { + "level": "critical", + "role": "Rex", + "location": "entrypoint.sh:44", + "suggestion": "變數 `CHECK_URL` 直接用於 `curl` 命令中,存在命令注入風險。惡意使用者可以透過在 `CHECK_URL` 中注入 `curl` 選項(例如 `-X POST` 或 `--output`)來改變 `curl` 的行為,甚至可能導致敏感資料洩漏或執行非預期操作。建議使用 `curl --url \"$CHECK_URL\"` 來明確指定參數為 URL,防止其被解析為 `curl` 選項。此外,應對 `CHECK_URL` 進行嚴格的 URL 格式驗證,確保其不包含任何惡意字元或選項。", + "is_new": true + }, + { + "level": "critical", + "role": "Maya", + "location": "entrypoint.sh", + "suggestion": "此 Git Diff 引入了多項邏輯改動,但未見任何新增或修改的測試檔案。對於核心的 `entrypoint.sh` 腳本,應引入一個專用的測試框架(例如 Bats 或 shUnit2),並建立一套全面的單元測試與整合測試,以確保所有功能按預期運作,特別是對於錯誤處理和邊界條件的驗證。", + "is_new": true + }, + { + "level": "warning", + "role": "Zara", + "location": "entrypoint.sh:56", + "suggestion": "目前的健康檢查機制中,`curl` 的最大等待時間 (`--max-time 60`) 和重試間隔 (`sleep 60`) 都固定為 60 秒。這導致每次檢查失敗後,至少需要 120 秒才能進行下一次嘗試,大幅降低了健康檢查的響應速度。建議將這些時間參數設定為可配置的環境變數 (例如 `CURL_TIMEOUT` 和 `RETRY_INTERVAL`),以便根據實際應用場景調整。對於需要快速偵測服務狀態變化的情境,應考慮縮短這些時間。", + "is_new": true + }, + { + "level": "warning", + "role": "Rex", + "location": "Dockerfile:10", + "suggestion": "Dockerfile 中複製了 `rootCA.pem` 和 `jsc.idv.me+4.pem` 到容器中。請確保這些檔案僅包含公開的憑證資料,不包含任何私鑰或其他敏感資訊。若這些檔案包含私鑰,則會構成嚴重的安全漏洞。建議在 CI/CD 流程中增加檢查,確保這些檔案的內容符合預期。", + "is_new": true + }, + { + "level": "warning", + "role": "Aria", + "location": "Dockerfile:15", + "suggestion": "檔案末尾應包含一個空行,以符合 POSIX 規範並避免某些工具處理時產生問題。", + "is_new": true + }, + { + "level": "info", + "role": "Leo", + "location": "Dockerfile", + "suggestion": "在 Dockerfile 中,部分描述性註解被移除。雖然指令本身清晰且符合 Dockerfile 簡潔的趨勢,但對於不熟悉此映像檔用途或 Dockerfile 最佳實踐的開發者來說,簡潔的註解(例如說明為何複製特定憑證或更新 CA 證書的目的)可以提高首次閱讀時的理解性。建議考慮在關鍵步驟旁添加簡要註解,以平衡簡潔性與可讀性。", + "is_new": true + }, + { + "level": "info", + "role": "Rex", + "location": "Dockerfile:1", + "suggestion": "使用 `ubuntu:latest` 作為基礎映像檔可能導致非預期的行為或安全更新延遲。`latest` 標籤會隨著上游映像檔的更新而改變,使得建置結果不可重現。建議使用特定的版本標籤(例如 `ubuntu:22.04` 或 `ubuntu:20.04`)來確保建置的可預測性和安全性。", + "is_new": true + }, + { + "level": "info", + "role": "Maya", + "location": "Dockerfile", + "suggestion": "雖然 Dockerfile 本身不是應用程式程式碼,但其建置過程和最終映像檔的品質對整體系統至關重要。建議導入 Docker 映像檔建置測試工具(例如 Hadolint 進行靜態分析,或 Container Structure Test 進行運行時驗證),以確保映像檔的安全性、效率和正確性,例如檢查是否安裝了所有必要的工具,以及證書是否正確配置。", + "is_new": true + } +] diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 0000000..f1a77ef --- /dev/null +++ b/.github/copilot-instructions.md @@ -0,0 +1,14 @@ +# Triage Findings + +Use the triage-finding workflow for review issue lists: + +1. Merge findings into one list. +2. Remove duplicates. +3. Sort by severity: `critical` -> `warning` -> `info`. +4. Renumber from 1. +5. Fix real issues with the smallest safe change. +6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +7. Add or update tests when behavior changes. +8. Re-check after each fix. + +The full reusable skill lives in `.claude/skills/triage-findings/SKILL.md`. diff --git a/.github/skills/triage-findings/SKILL.md b/.github/skills/triage-findings/SKILL.md new file mode 100644 index 0000000..8ca4117 --- /dev/null +++ b/.github/skills/triage-findings/SKILL.md @@ -0,0 +1,14 @@ +# Triage Findings + +Use the triage-finding workflow for review issue lists: + +1. Merge findings into one list. +2. Remove duplicates. +3. Sort by severity: `critical` -> `warning` -> `info`. +4. Renumber from 1. +5. Fix real issues with the smallest safe change. +6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +7. Add or update tests when behavior changes. +8. Re-check after each fix. + +The reusable skill lives in `.gemini/skills/triage-findings/SKILL.md`. diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..fa2403d --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1,16 @@ +# Triage Findings + +When the task is to triage review findings, follow this workflow: + +1. Merge all findings into one list. +2. Remove duplicates. +3. Sort by severity: `critical` -> `warning` -> `info`. +4. Renumber from 1 after sorting. +5. Fix real issues with the smallest safe change. +6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +7. Add or update tests when behavior changes. +8. Re-check the issue after each fix. + +Use the repo-local `triage-findings` skill for the same workflow when running in Codex. + +Trigger it with `/triage-findings`. diff --git a/GEMINI.md b/GEMINI.md new file mode 100644 index 0000000..8ca4117 --- /dev/null +++ b/GEMINI.md @@ -0,0 +1,14 @@ +# Triage Findings + +Use the triage-finding workflow for review issue lists: + +1. Merge findings into one list. +2. Remove duplicates. +3. Sort by severity: `critical` -> `warning` -> `info`. +4. Renumber from 1. +5. Fix real issues with the smallest safe change. +6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +7. Add or update tests when behavior changes. +8. Re-check after each fix. + +The reusable skill lives in `.gemini/skills/triage-findings/SKILL.md`.