feat(rhodibot): add offline check CLI subcommand for CI gating #150

Merged: hyperpolymath merged 1 commit into main from fix/rhodibot-check-cli, May 16, 2026

@hyperpolymath
Owner

Why

rhodibot is currently a webhook-server-only binary (axum, --port
flag). There is no CLI scan mode, so consumer repos that try to run
rhodibot check --owner X --repo Y in CI (e.g. hyperpolymath/ubicity
issue #37) cannot — the invocation is architecturally impossible against
the code as shipped.

What

  • Add a check subcommand:
    rhodibot check --owner <o> --repo <r> [--format pretty|json].
    It calls the existing rsr::check_compliance against the GitHub REST
    API (honours GITHUB_TOKEN for rate limits / private repos; works
    unauthenticated on public repos), prints a report, and exits
    non-zero when required checks fail
    so it can gate CI directly.
  • The HTTP server remains the default when no subcommand is given —
    existing deployments are unaffected.
  • Fix a pre-existing compile error in tests/integration_tests.rs
    (Hmac::new_from_slice needs the KeyInit trait in scope) so
    cargo test is green for the crate.

Validation

cargo fmt, cargo clippy --bins (clean), cargo build --release,
cargo test (48 passed). rhodibot check --help renders correctly.

Unblocks hyperpolymath/ubicity#37.

🤖 Generated with Claude Code

rhodibot was webhook-server-only (axum, `--port`), with no way to run a
one-shot RSR compliance check from CI. Consumers (e.g. ubicity #37) tried
to invoke a non-existent `rhodibot check --owner X --repo Y` CLI.

Add a `check` subcommand that runs `rsr::check_compliance` against a
remote repo via the GitHub REST API (honours `GITHUB_TOKEN`; works
unauthenticated on public repos), prints a pretty/json report, and exits
non-zero when required checks fail — so it can gate CI directly. The
server remains the default behaviour when no subcommand is given, so
existing deployments are unaffected.

Also fix a pre-existing compile error in integration_tests.rs
(`Hmac::new_from_slice` needs `KeyInit` in scope) so `cargo test` is
green for the crate. fmt + clippy + 48 tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath added a commit to hyperpolymath/ubicity that referenced this pull request May 16, 2026
#37) (#42)

## Summary

Re-enables the three bot checks disabled in #36. They were permanent
false-red because they cloned **phantom repos**
(`hyperpolymath/finishing-bot`,
`/seambot`, `/rhodibot`) that never existed. The bots actually live in
**`hyperpolymath/gitbot-fleet`** under `bots/`.

Each workflow now: clones `gitbot-fleet` at a **pinned commit** (partial
clone + checkout SHA), builds the specific bot crate, runs the **correct
binary**, then the `if: false` guard is removed.

| Bot | Root cause fixed | Invocation |
|---|---|---|
| finishingbot | phantom clone **+ wrong binary name** (`finishingbot` → crate binary is `finishing-bot`) | `finishing-bot --path "$GITHUB_WORKSPACE" audit` |
| seambot | phantom clone | `seambot check` (keeps the `spec/seams/seam-register.json` guard) |
| rhodibot | phantom clone **+ rhodibot had no CLI** (was webhook-server-only) | `rhodibot check --owner --repo`, built-in read-only `GITHUB_TOKEN` (public repo, no PAT) |

## Dependency

rhodibot needs the new `rhodibot check` subcommand added in
**hyperpolymath/gitbot-fleet#150**. The pinned ref is currently that
PR's branch HEAD (`2e0ea3ca67821a91e650f51bf48a6cfd1c7aae1c`); it will
be **bumped to the post-merge `main` SHA** once #150 lands. Do not merge
this before that bump.

## Tracking

`Refs #37`. Native sub-issues: #39 (seambot), #40 (finishingbot —
binary-name bug), #41 (rhodibot — blocked on gitbot-fleet#150).
Per estate workflow, #37 closes only on explicit joint agreement.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
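
The referenced commit describes cloning `gitbot-fleet` at a pinned commit (partial clone + checkout SHA) before building a bot. The sketch below is an added example, not code from gitbot-fleet or ubicity: it shows one way a CI step can enforce that the pin is a full commit SHA and that the checked-out `HEAD` really is that commit. The function names `is_full_sha` and `checkout_pinned` and the exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of gitbot-fleet or ubicity):
# check out a dependency repo at a pinned commit and refuse anything else.

# is_full_sha PIN: succeed only for a 40-character lowercase hex object id,
# the form `git rev-parse` prints. Branch names, tags and abbreviated SHAs
# are mutable or ambiguous, so they are rejected as pins.
is_full_sha() {
    [ "${#1}" -eq 40 ] || return 1
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# checkout_pinned URL PIN DEST: partial clone without a working tree, detach
# at PIN, then confirm HEAD is exactly PIN before anything is built from DEST.
# Exit codes: 2 bad pin, 3 clone failed, 4 pin not found, 5 HEAD mismatch.
checkout_pinned() {
    url=$1 pin=$2 dest=$3
    is_full_sha "$pin" || { echo "pin is not a full commit SHA: $pin" >&2; return 2; }
    git clone --quiet --filter=blob:none --no-checkout "$url" "$dest" || return 3
    # ^{commit} makes git resolve the pin as a commit object, never as a ref name.
    git -C "$dest" checkout --quiet --detach "$pin^{commit}" 2>/dev/null || return 4
    head=$(git -C "$dest" rev-parse HEAD) || return 4
    # A tag-object id would peel to a different commit id and fail here.
    [ "$head" = "$pin" ] || { echo "HEAD $head does not match pin $pin" >&2; return 5; }
}
```

A workflow step would call `checkout_pinned` with the repository URL and the pinned SHA, and run the build only when it returns 0.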
@hyperpolymath hyperpolymath merged commit ac295f4 into main May 16, 2026
24 checks passed
@hyperpolymath hyperpolymath deleted the fix/rhodibot-check-cli branch May 16, 2026 19:42
@github-actions

🔍 Hypatia Security Scan

Findings: 100 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 0 |
| 🟠 High | 34 |
| 🟡 Medium | 66 |

View findings
[
  {
    "reason": "Obj.magic bypassing type safety (2 occurrences, CWE-704)",
    "type": "obj_magic",
    "file": "/home/runner/work/gitbot-fleet/gitbot-fleet/bots/sustainabot/bot-integration/src/Analysis.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Obj.magic bypassing type safety (2 occurrences, CWE-704)",
    "type": "obj_magic",
    "file": "/home/runner/work/gitbot-fleet/gitbot-fleet/bots/sustainabot/bot-integration/lib/ocaml/Analysis.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "expect() in hot path (1 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/gitbot-fleet/gitbot-fleet/bots/gsbot/src/services.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (3 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/gitbot-fleet/gitbot-fleet/bots/glambot/src/analyzers/accessibility.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (3 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/gitbot-fleet/gitbot-fleet/bots/finishingbot/src/analyzers/claims.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (1 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/gitbot-fleet/gitbot-fleet/bots/finishingbot/src/analyzers/license.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (1 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/gitbot-fleet/gitbot-fleet/bots/accessibilitybot/src/analyzers/aria.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (5 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/gitbot-fleet/gitbot-fleet/bots/accessibilitybot/src/analyzers/forms.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (4 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/gitbot-fleet/gitbot-fleet/bots/accessibilitybot/src/analyzers/media.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (2 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/gitbot-fleet/gitbot-fleet/bots/accessibilitybot/src/analyzers/language.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
