Automated drift remediation pipeline

[jpr5]

Summary

• Add scripts/drift-report-collector.ts that runs drift tests, parses vitest JSON output, and produces structured drift-report.json with provider-to-file mappings
• Add scripts/fix-drift.ts that reads the drift report, constructs a prompt, invokes Claude Code CLI to auto-fix builders, and creates a PR or GitHub issue
• Add .github/workflows/fix-drift.yml that triggers on drift test failure (or manual dispatch) to run the full collect→fix→verify→PR pipeline
• Update .github/workflows/test-drift.yml to use the collector script and upload drift report artifacts
• Add serializeDiffsAsJSON() export to schema.ts for structured drift serialization
• Add @types/node and tsx dev dependencies for running TypeScript scripts in CI
• Document the automated workflow in DRIFT.md and CLAUDE.md

Test plan

• All 533 existing tests pass
• Manually trigger fix-drift.yml via workflow_dispatch to verify end-to-end
• Verify drift-report.json artifact appears on test-drift workflow runs
• Introduce intentional drift (e.g., remove refusal: null) and verify the pipeline detects and fixes it

🤖 Generated with Claude Code

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/CopilotKit/llmock/@copilotkit/llmock@41

commit: 4b6f190

[jpr5]

PR #41 Review: Automated Drift Remediation Pipeline

Author: jpr5 | Branch: fix/drift-remediation → main | Status: Open Reviewed: 2026-03-19 | Existing PR Comments: None (only pkg-pr-new bot)

---

Critical Issues

1. Shell injection via file paths in fix-drift.ts

Files: scripts/fix-drift.ts lines 340-342, 346-348, 369-371

File paths from git status --porcelain are interpolated into shell commands via execPassthrough() → execSync(). The double-quote wrapping is insufficient — a filename containing ", $, or backticks breaks out of the shell context.

const quoted = builderFiles.map((f) => `"${f}"`).join(" ");
execPassthrough(`git add ${quoted}`);

Fix: Use execFileSync with argument arrays (bypasses the shell entirely):

import { execFileSync } from "node:child_process";
execFileSync("git", ["add", ...builderFiles], { stdio: "inherit" });

Apply the same fix to all exec/execPassthrough calls that interpolate dynamic values: git checkout -b, git push, gh pr create, gh issue create.

---

2. Exit code 1 is ambiguous — conflates "critical drift" with "script crashed"

Files: .github/workflows/fix-drift.yml lines 38-47, .github/workflows/test-drift.yml lines 21-29, scripts/drift-report-collector.ts line 374

The collector uses process.exit(1) for "critical drift found." But Node.js also exits with code 1 for any unhandled exception (missing import, syntax error, writeFileSync failure). The workflow's set +e / check-exit-code logic cannot distinguish these cases.

A broken collector (e.g., missing dependency) would be treated as "critical drift found," causing the pipeline to invoke Claude Code against a nonexistent report file.

Fix: Use exit code 2 for "critical drift found" and let exit code 1 mean "script error":

// drift-report-collector.ts
process.exit(2); // critical diffs found

# workflow
if [ "$EXIT_CODE" -eq 2 ]; then
  echo "skip=false" >> $GITHUB_OUTPUT
elif [ "$EXIT_CODE" -ne 0 ]; then
  exit $EXIT_CODE  # real crash
fi

---

3. No tests for ~900 lines of new script code

The three new scripts (drift-report-collector.ts, fix-drift.ts, drift-types.ts) contain complex parsing, provider mapping, prompt construction, and orchestration logic with zero unit tests.

Highest-risk untested code:

• parseDriftBlock() — regex-based parser that is the single point of failure for the entire pipeline. If it fails to match (e.g., due to a formatting change in formatDriftReport), the pipeline silently produces zero entries and exits 0 ("no drift").
• extractProviderName() — longest-match-first sorting logic that maps describe-block titles to providers.
• collectDriftEntries() — three distinct error-handling branches (unmapped throws, all-unparseable throws, some-unparseable warns).

Minimum viable test: A round-trip test that calls formatDriftReport() → parseDriftBlock() and asserts the parsed output matches the original diffs. This guards the serialization contract the entire pipeline depends on.

---

Important Issues

4. Bash(git *) in Claude Code allowedTools is overly permissive

File: scripts/fix-drift.ts line 169

The tool allowlist permits any git command including git push, git reset --hard, git config. The workflow handles committing/pushing in later steps — Claude Code should only need read-only git access.

Fix: Replace with specific safe commands: Bash(git diff *), Bash(git status *), Bash(git log *).

---

5. Bare catch {} swallows all error details in issue mode

File: scripts/fix-drift.ts lines 457-461

try {
  report = readDriftReport(reportPath);
} catch {
  console.warn("Could not read drift report, creating issue with available info");
}

This discards the error entirely — no message, no stack trace. Operators cannot distinguish "report never created" from "report exists but is corrupted" from "permission denied."

Fix: Bind the error, log the full message, and include it in the issue body.

---

6. execPassthrough discards exit code, signal, and error details

File: scripts/fix-drift.ts lines 74-80

The original error object (exit code, signal, stderr) is discarded and replaced with a generic "see stderr output above." In CI, stderr may have scrolled off. Preserve error details in the thrown message.

---

7. extractJsonFromString fallback can parse wrong JSON fragment

File: scripts/drift-report-collector.ts lines 208-222

The fallback finds the first { and last } in stdout and parses that substring. If vitest emits stray braces in warnings or deprecation notices, this could parse a completely wrong JSON object with no structural validation.

Fix: After parsing, validate that testResults exists and is an array before returning.

---

8. Workflow missing concurrency control

File: .github/workflows/fix-drift.yml

No concurrency key. If a manual workflow_dispatch fires while a scheduled run is in progress, both will try to create branches, push, and create PRs simultaneously.

Fix:

concurrency:
  group: drift-fix
  cancel-in-progress: true

---

9. No timeout on Claude Code invocation

File: scripts/fix-drift.ts lines 150-203

The child process has no timeout. --max-turns 50 limits Claude turns, but a hung single turn will consume the entire GitHub Actions job timeout (6 hours).

Fix: Add a timer that kills the child process after ~30 minutes.

---

10. Duplicated type hierarchies: ParsedDiff vs ShapeDiff, dual DriftSeverity

Files: scripts/drift-types.ts, src/__tests__/drift/schema.ts

DriftSeverity is defined identically in both files. ParsedDiff and ShapeDiff are structurally identical with different names. The pipeline serializes ShapeDiff to text via formatDriftReport, then regex-parses it back into ParsedDiff — a fragile round-trip through unstructured text.

Fix: Deduplicate DriftSeverity to a single canonical location. Consider adopting JSON-structured output to replace the text→regex round-trip.

---

11. serializeDiffsAsJSON is dead code

File: src/__tests__/drift/schema.ts lines 477-493

The function's own docstring says "not currently consumed by the pipeline." No tests, no callers.

Fix: Either integrate it into the pipeline (replacing the fragile text parsing) or remove it from this PR.

---

Suggestions

12. Unparseable test failures silently dropped when mixed with valid entries

scripts/drift-report-collector.ts lines 322-332 — When some failures parse and others don't, the unparseable ones are logged as a warning but lost. Consider including unparseable test names in the drift report.

13. Child process signal kills reported as exit code 1

scripts/fix-drift.ts line 200 — code ?? 1 conflates OOM-killed/SIGTERM with normal failure. Listen for the signal parameter and log it.

14. Duplicated git status --porcelain parsing logic

scripts/fix-drift.ts lines 321-333 and 357-368 — Identical 12-line block copy-pasted. Extract into a getChangedFiles() helper.

15. Duplicated JSON parse + fallback extraction pattern

scripts/drift-report-collector.ts lines 232-271 — Two nearly identical try/fallback blocks. Collapse into a single parseVitestOutput(stdout) helper.

16. Provider mapping constants could be inlined

scripts/drift-report-collector.ts lines 53-124 — Four separate const variables each used exactly once. Only ANTHROPIC_MAPPING (two keys) justifies extraction.

17. JSDoc for PROVIDER_MAP incorrectly states functions "may not be exported"

scripts/drift-report-collector.ts lines 97-101 — All listed builder functions ARE exported. Update to: "The function names are the public builder functions for each provider."

18. parseDriftBlock JSDoc example is misleading

scripts/drift-report-collector.ts lines 132-144 — Implies the function receives clean report text; it actually receives raw vitest failureMessages content with error boilerplate.

19. Unnecessary /// <reference types="node" /> directives

scripts/drift-report-collector.ts line 1, scripts/fix-drift.ts line 1 — Redundant because scripts/tsconfig.json already includes "types": ["node"].

20. readDriftReport does not validate individual entry structure

scripts/fix-drift.ts lines 38-54 — Only checks entries is an array, then casts with as DriftReport. A malformed entry would cause a runtime TypeError deep in downstream code.

---

Strengths

• Well-designed pipeline architecture. The three-step collect→fix→verify pattern with fallback to issue creation is sound. Clean separation of collector (structured data) from fixer (prompt construction).
• Thoughtful error handling in collectDriftEntries. The distinction between unmapped (throw), all-unparseable (throw), and some-unparseable (warn + continue) shows careful consideration of failure modes.
• Good CI workflow design. Artifact uploads with if: always(), proper step dependencies, and drift-test → fix-drift workflow chaining are well structured.
• Clean type definitions in drift-types.ts. Simple, serialization-friendly shapes with appropriate use of string | null for optional fields.
• Excellent documentation. The three-way comparison table in DRIFT.md and the Gemini Live "unverified" explanation are model examples of "explain the why" documentation.
• Provider mapping is explicit and centralized. Easy to extend and understand.

---

Recommended Action

Request changes. The shell injection issues (#1), ambiguous exit code (#2), and complete absence of tests (#3) should be addressed before merge. Issues #4-#9 are important improvements that would significantly harden the pipeline. The remaining suggestions can be addressed in follow-up PRs.

[jpr5]

Addressed (5 commits)

Critical:

• (1) Shell injection — replaced all dynamic-input execPassthrough() calls with execFileSafe(file, args[]) using execFileSync, bypassing the shell entirely for git add, git checkout -b, git push, gh pr create, gh issue create
• (2) Ambiguous exit code — collector now exits with code 2 for "critical drift found"; both workflows updated to distinguish eq 2 (drift) from ne 0 (crash); exit code 1 is now reserved for unhandled script errors
• (3) No tests — 19 new unit tests in src/__tests__/drift-collector.test.ts covering parseDriftBlock (round-trip via formatDriftReport, null on missing header, multi-entry, unknown severity), extractProviderName (longest-match, unknown provider), and collectDriftEntries (all three error branches)

Important:

• (4) allowedTools restricted from Bash(git *) to Bash(git diff *), Bash(git status *), Bash(git log *)
• (5) Bare catch {} in issue mode now logs the error message
• (6) execPassthrough preserves exit code, signal, and stderr in thrown errors
• (7) extractJsonFromString validates testResults is an array before returning
• (8) concurrency: group: drift-fix, cancel-in-progress: true added to fix-drift.yml
• (9) 30-minute setTimeout kills Claude Code child process if it hangs; signal name logged on kill

Suggestions:

• (10) DriftSeverity duplication: added NOTE comment in drift-types.ts explaining why cross-boundary dedup wasn't done
• (11) serializeDiffsAsJSON dead code removed from schema.ts
• (13) Signal reporting on child process close
• (14) Duplicated git status --porcelain parsing extracted into getChangedFiles() helper
• (15) Two near-identical JSON parse+fallback blocks collapsed into parseVitestOutput() helper
• (17) PROVIDER_MAP JSDoc corrected (functions are public, not "may not be exported")
• (18) parseDriftBlock JSDoc updated to accurately describe raw vitest failureMessages input

Skipped:

• (16) Provider mapping constants: kept as-is; the structure is clear and all four are used
• (19) /// <reference types="node" /> directives: restored (LSP uses root tsconfig.json which excludes scripts/, so the reference directive is required for type resolution)
• (20) readDriftReport individual entry validation: implemented (was in original task)

[jpr5]

PR (41) Review: Automated Drift Remediation Pipeline

Author: jpr5 | Branch: fix/drift-remediation → main | Reviewed: 2026-03-19

Prior review context: A previous review identified 20 issues. The author addressed 16 of them across 5 commits (shell injection fix, exit code 2, unit tests, restricted allowedTools, timeout, concurrency, error detail preservation, dead code removal, helper extraction, JSDoc fixes). This review evaluates the current state and identifies remaining and new issues.

---

Critical Issues

(1) Remaining execPassthrough calls in createPr still use shell-interpreted execSync

scripts/fix-drift.ts lines 390, 395, 399-400, 406

The prior review's shell injection fix introduced execFileSafe for git/gh commands with dynamic arguments. However, createPr still uses execPassthrough (which calls execSync through a shell) for several git commit commands:

execPassthrough('git commit -m "fix: auto-remediate API drift in builder functions"');
execPassthrough('git commit -m "test: update SDK shapes for drift remediation"');
execPassthrough("git add package.json CHANGELOG.md");
execPassthrough(`git commit -m "chore: bump version to ${newVersion}" --allow-empty`);
execPassthrough('git commit -m "fix: remaining drift remediation changes"');

While the newVersion value is validated as three numeric parts (limiting injection risk), this is an incomplete remediation — all these should use execFileSafe with argument arrays for consistency and defense-in-depth. The execPassthrough function itself should then be removable as dead code.

---

(2) createPr can produce a PR with only a version bump and no actual drift fixes

scripts/fix-drift.ts lines 352-429

The function calls getChangedFiles() and splits results into builderFiles and testFiles. If Claude Code made no source changes (or its changes were reverted during verification), both arrays will be empty. The function proceeds to commit only package.json and CHANGELOG.md (with --allow-empty), push, and create a PR that claims to "auto-remediate API drift" but contains zero actual code fixes.

The workflow's verification steps (pnpm test and pnpm test:drift) would need to fail to prevent this, but if the drift was borderline or tests are flaky, an empty fix PR could slip through.

Fix: After collecting builderFiles and testFiles, verify at least one source file was changed before proceeding. If no source files changed, abort with a clear error.

---

Important Issues

(3) Test file PROVIDER_MAP is already out of sync with source

src/__tests__/drift-collector.test.ts lines 51-97 vs scripts/drift-report-collector.ts lines 54-125

The test file header says copies "must be reflected here" when originals change. They have already diverged:

• Source OpenAI Chat has 4 builderFunctions; test has 2
• Source Anthropic has 4 functions; test has 1
• Source Gemini has 4 functions; test has 1
• Source OpenAI Realtime has 2 functions; test has 1

The tests still pass because they don't assert on builderFunctions content, but this undermines confidence that the test copy matches production behavior.

Fix: Either align the test copy with the source, or add a comment explicitly documenting that the test intentionally uses a subset and why. Consider adding a structural sync check.

---

(4) SIGTERM timeout does not escalate to SIGKILL; timeout exit code is indistinguishable

scripts/fix-drift.ts lines 230-262

The 30-minute timeout sends SIGTERM, but the child process can ignore it (no SIGKILL escalation). When killed by signal, code is null and the promise resolves with code ?? 1, making timeouts indistinguishable from generic failures.

Fix: Add SIGKILL escalation after a 10-second grace period. Use a distinct exit code (e.g., 124, matching the timeout command convention).

---

(5) parseDriftBlock silently discards entries with unknown severity levels

scripts/drift-report-collector.ts line 166

When an entry has a severity not in VALID_SEVERITIES, it is silently skipped. No log, no counter. If the drift test framework adds a new severity level, those entries would be invisibly lost from the report.

Fix: Log a warning when unknown severities are encountered.

---

(6) exec helper still uses shell-interpreted execSync

scripts/fix-drift.ts lines 71-82

Current call sites use static strings so this is safe today, but it's a footgun for future maintainers. At minimum, add a JSDoc warning that this function must never be called with interpolated strings.

---

(7) fix-drift.ts has zero test coverage for its pure functions

scripts/fix-drift.ts — 540 lines with no tests. Several pure functions are readily testable: readDriftReport (4 error paths), buildPrompt, buildPrBody, getChangedFiles (quote/rename parsing), patchBumpVersion, addChangelogEntry, parseMode.

Fix: Add unit tests for at least readDriftReport, buildPrompt, and getChangedFiles.

---

(8) extractJsonFromString and parseVitestOutput are untested

scripts/drift-report-collector.ts lines 212-258 — These handle the critical path of parsing vitest JSON output with fallback recovery. Complex enough to warrant direct testing.

---

(9) Triple-defined DriftSeverity and dual ParsedDiff/ShapeDiff

DriftSeverity exists in three files. The NOTE in drift-types.ts mentions two locations but misses the third copy in drift-collector.test.ts.

Fix: Update the NOTE to mention all three locations. Consider a compile-time structural compatibility check.

---

(10) PROVIDER_MAP JSDoc says "public builder functions" but many are not exported

scripts/drift-report-collector.ts lines 98-101 — Several listed functions are module-private. Change "public builder functions" to "builder functions".

---

Suggestions

(11) DRIFT.md implies single invocation for fix + PR but the workflow uses two separate invocations of fix-drift.ts. Update to reflect the two-invocation pattern.

(12) fix-drift.ts file-level JSDoc exit codes are incomplete — in default mode the exit code is passed through from Claude Code.

(13) Error-detail formatting is duplicated between execFileSafe and execPassthrough. Extract a formatExecError helper.

(14) hasStdout type guard uses unnecessary as Record<string, unknown> cast — use "stdout" in err narrowing instead.

(15) collectDriftEntries test function uses inline type literal instead of local DriftEntry interface — 14 lines of redundant types.

(16) readDriftReport validation is shallow — does not validate individual diff fields or severity values. A malformed report with severity: "banana" would pass and cause cryptic failures downstream.

---

Strengths

• Well-designed pipeline architecture. The collect → fix → verify → PR/issue pattern with clean separation of concerns is sound.
• Thorough error handling in collectDriftEntries. Three distinct failure modes (unmapped → throw, all-unparseable → throw, some-unparseable → warn) show careful thought.
• Good CI workflow design. Artifact uploads with if: always(), concurrency control, exit code 2 disambiguation, and workflow chaining are well structured.
• Excellent documentation. DRIFT.md's three-way comparison table and the Gemini Live "unverified" explanation are model examples.
• Strong round-trip test design. Using formatDriftReport() as the authoritative formatter validates the serialization contract.
• Clean type definitions. ShapeNode in schema.ts is a textbook discriminated union.
• Responsive to review feedback. 16 of 20 prior findings were addressed across 5 well-organized commits.

---

Recommended Action

Request changes. The remaining execPassthrough usage (1) and the empty-PR risk (2) are the most important fixes. The test/source PROVIDER_MAP divergence (3) should be addressed to maintain test validity. The remaining items are improvements that could be addressed in follow-up work.

[jpr5]

PR (41) — fix/drift-remediation — Resolution Complete

All actionable findings from the code review have been addressed. CI is fully green.

Commits added on top of the PR author's work

fix: address remaining PR review findings (3751fa1)

Covers everything not already landed in the remote's 5 commits:

FindingFixSIGKILL escalation after SIGTERM timeoutAdded 10s grace period + SIGKILL fallback; timed-out process exits with code 124Remaining execPassthrough calls in createPrConverted all to execFileSafe with arg arrays (no shell)Empty-PR guard in createPrAborts with exit code 2 + clear message when no source files changedreadDriftReport validation depthAdded per-entry severity validation against VALID_SEVERITIESformatExecError helperUnified error formatting across exec and execFileSafeexec() JSDocAdded shell-injection warning + "static strings only" noteparsePorcelainLine extractionExtracted from getChangedFiles for direct testabilityFunction exports + isMain guardAll pure functions exported; main() gated on isMain for safe import in testsExit code JSDocAdded codes 2 (no files changed) and 124 (timeout)hasStdout type guardFixed to use "stdout" in err instead of unsafe castPROVIDER_MAP JSDocClarified "internal or exported" builder functionsdrift-types.ts NOTEAdded missing drift-collector.test.ts locationDRIFT.mdUpdated to reflect two-invocation model (--create-pr / --create-issue as separate steps)

Tests added

• src/__tests__/drift-scripts.test.ts (new, 27 tests) — covers fix-drift.ts exported pure functions: readDriftReport, parseMode, buildPrompt, buildPrBody, patchBumpVersion, addChangelogEntry, parsePorcelainLine, todayStamp
• src/__tests__/drift-collector.test.ts (extended, +11 tests) — added extractJsonFromString (5 cases) and hasStdout (6 cases) as inline local copies following the file's existing pattern

Final check results

commitlint   pass
eslint       pass
exports      pass
prettier     pass
preview      pass
test (20)    pass
test (22)    pass
test (24)    pass

590 tests passing locally. All 9 CI checks green on the remote.

[jpr5]

Code Review — 6-Agent Analysis

Reviewed with: code reviewer, silent failure hunter, test coverage analyzer, comment analyzer, type design analyzer, CI workflow reviewer.

Critical (3)

1. cancel-in-progress: true can kill the fix workflow mid-PR-creation or mid-git-push

.github/workflows/fix-drift.yml line 11. If a second drift test fails while the first fix run is creating a PR, the first run is killed — leaving an orphaned branch or half-created PR. Change to cancel-in-progress: false; the concurrency group already serializes runs.

2. runDriftTests() catch block discards the original error

scripts/drift-report-collector.ts ~line 280. When execSync throws for non-test reasons (ENOENT, ENOMEM, maxBuffer exceeded), the error lacks .stdout, so the catch falls through to throw new Error("Failed to run drift tests or parse output") — discarding the actual cause. Chain the original: throw new Error(\Failed to run drift tests: ${err instanceof Error ? err.message : String(err)}`)`.

3. SIGKILL grace timer not cleared on normal close after timeout

scripts/fix-drift.ts invokeClaudeCode(). When the timeout fires, SIGTERM is sent and a SIGKILL timer is scheduled. If the process exits after SIGTERM but before the SIGKILL timer fires, the timer is never cleared. It then calls .kill("SIGKILL") on a dead process, which throws ESRCH (uncaught). Store the timer ref and clear it in the close handler.

Important (5)

4. patchBumpVersion() runs before Claude's changes are committed

scripts/fix-drift.ts createPr(). Version bump and changelog write happen before getChangedFiles() is called, meaning package.json/CHANGELOG.md are dirty alongside Claude's changes. If Claude also modified package.json, the version bump overwrites those changes. Move patchBumpVersion()/addChangelogEntry() to after the builder/test commits.

5. git rev-parse failure defaults to "HEAD" instead of re-throwing

scripts/fix-drift.ts ~line 378. If git rev-parse --abbrev-ref HEAD fails, the catch block defaults to "HEAD", causing createPr to create a NEW branch fix/drift-YYYY-MM-DD instead of using the workflow-created branch. This produces a branch mismatch — commits are on one branch, PR targets another. Re-throw instead of defaulting.

6. Exit code 1 is ambiguous — script error vs Claude Code failure

scripts/fix-drift.ts bottom. The .catch() handler exits 1 for pre-invocation failures (bad drift report, prompt construction error), which is the same code Claude Code returns for generic failures. Use a distinct code (e.g., 3) so the workflow can distinguish infrastructure failures from AI failures.

7. fix-drift.ts has zero test coverage despite exporting pure testable functions

readDriftReport, buildPrompt, patchBumpVersion, addChangelogEntry, buildPrBody, parsePorcelainLine, parseMode — all exported, all pure, all untested. A fix-drift.test.ts covering these would catch regressions in the entire PR/issue creation pipeline.

8. if-no-files-found: ignore on drift report artifact masks collector crashes

Both workflow files. If the collector crashes before writing drift-report.json, the artifact upload silently succeeds with nothing. Use warn instead of ignore so operators see a visible warning.

Suggestions (4)

9. Silent skip on exit 0 confusing for manual dispatch — Add a log line in the "Check for critical diffs" step when no drift is found. Manual workflow_dispatch users get zero output otherwise.

10. Test file PROVIDER_MAP already diverged from source — Test copy has fewer builderFunctions per provider than the real PROVIDER_MAP. Configure vitest to resolve scripts/ imports directly to eliminate the copy-paste pattern.

11. exec() is exported but should be private — The JSDoc warns "NEVER call with interpolated values" but it's exported. Remove the export; execFileSafe exists for external use.

12. Re-run reuses branch name on GitHub Actions retry — $(date +%Y-%m-%d)-${{ github.run_number }} doesn't change on re-runs. Use ${{ github.run_id }} instead to avoid force-pushing over an existing PR branch.

Strengths

• Shell injection properly mitigated via execFileSafe/execFileSync for all dynamic args
• Thorough test coverage for collector parsing (parseDriftBlock, extractProviderName, collectDriftEntries error paths)
• Good error handling patterns (formatExecError, hasStdout type guard)
• Clean type design for the drift pipeline interchange format
• Well-structured CI workflow with separate collect/fix/verify/PR/issue stages