Fix PR 289 code review findings by djm81 · Pull Request #292 · nold-ai/specfact-cli-modules

djm81 · 2026-05-23T22:24:50Z

Summary

constrain dead-branch detection/autofix to adjacent safe duplicate guards by clearing remembered guards across intervening state changes
preserve applied safe-mechanical simplification evidence in post-fix review reports
add specfact code review run --instructions as an AI-facing simplify / clean-code fallback for users without installed prompts or skills
tighten bundled prompt/skill guidance into an interactive decision-card workflow for vibe-coder and junior users, and update module docs to promote --instructions as the lowest-friction onboarding path
clarify the --instructions fallback after subagent simulation: clean PR branches should use base-ref branch-delta Python files, and findings without guidance_kind are unguided advisories rather than auto-fix input
document manifest checksum vs registry tarball checksum semantics and remove redundant schema-version guard

Validation

hatch run pytest tests/unit/specfact_code_review/tools/test_ai_bloat_runner.py tests/unit/specfact_code_review/run/test_commands.py tests/unit/specfact_code_review/run/test_findings.py -q
hatch run pytest tests/unit/specfact_code_review/review/test_commands.py::test_review_run_help_lists_simplify_focus tests/unit/specfact_code_review/review/test_commands.py::test_review_run_instructions_prints_ai_workflow_without_running_review tests/unit/docs/test_code_review_docs_parity.py::test_code_review_run_doc_mentions_public_ty_options tests/unit/test_guided_simplify_resources.py tests/unit/specfact_code_review/rules/test_updater.py::test_load_bundled_skill_content_returns_valid_structure_when_available -q
hatch run pytest tests/unit/specfact_code_review/review/test_commands.py::test_review_run_instructions_prints_ai_workflow_without_running_review tests/unit/docs/test_code_review_docs_parity.py::test_code_review_run_doc_mentions_public_ty_options -q
hatch run specfact code review run --instructions
subagent simulation using only the printed --instructions guidance; confirmed conservative decision-card behavior and led to the base-ref fallback clarification
hatch run validate-prompt-commands
hatch run type-check
hatch run lint
hatch run yaml-lint
hatch run check-bundle-imports
hatch run verify-modules-signature --payload-from-filesystem --enforce-version-bump --version-check-base origin/dev
openspec validate code-review-12-guided-simplification-enforcement --strict
hatch run specfact code review run --bug-hunt --include-tests --json --out .specfact/code-review.json --scope changed
pre-commit: code review gate passed with 0 findings; contract-test passed 773 tests, 2 warnings

Review finding notes

Registry checksum mismatch: documented as intentional because manifest integrity covers canonical module source payload while registry sha256 covers tarball bytes.
v0.47.23 registry artifacts: left intact as historical registry artifacts; registry already contains prior published versions and index points at the current published version.
The latest local code-review payload checksum is checksum-only until CI signing automation re-signs the changed payload.

strix-security · 2026-05-23T22:24:53Z

Strix is installed on this repository, but we could not run this PR security review because this workspace does not have an active plan. If you'd like to continue receiving code reviews, you can add a payment method or manage billing here.

coderabbitai · 2026-05-23T22:25:14Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7c2142d9-a962-4ef9-8091-62d88282941d

📥 Commits

Reviewing files that changed from the base of the PR and between 49be799 and 56ec058.

📒 Files selected for processing (7)

docs/bundles/code-review/run.md
docs/modules/code-review.md
openspec/changes/code-review-12-guided-simplification-enforcement/TDD_EVIDENCE.md
packages/specfact-code-review/module-package.yaml
packages/specfact-code-review/src/specfact_code_review/review/commands.py
packages/specfact-project/module-package.yaml
tests/unit/specfact_code_review/review/test_commands.py

✅ Files skipped from review due to trivial changes (3)

docs/modules/code-review.md
docs/bundles/code-review/run.md
openspec/changes/code-review-12-guided-simplification-enforcement/TDD_EVIDENCE.md

📜 Recent review details

🧰 Additional context used

📓 Path-based instructions (4)

packages/**/module-package.yaml

⚙️ CodeRabbit configuration file

packages/**/module-package.yaml: Validate metadata: name, version, commands, dependencies, and parity with packaged src.
Call out semver and signing implications when manifests or payloads change.

Files:

packages/specfact-project/module-package.yaml
packages/specfact-code-review/module-package.yaml

**/*.{js,ts,tsx,jsx,py,java,cs,go,rb,php,cpp,c,h}

📄 CodeRabbit inference engine (CLAUDE.md)

Preserve the clean-code compliance gate and its category references (naming, kiss, yagni, dry, and solid)

Files:

packages/specfact-code-review/src/specfact_code_review/review/commands.py
tests/unit/specfact_code_review/review/test_commands.py

packages/**/src/**/*.py

⚙️ CodeRabbit configuration file

packages/**/src/**/*.py: Focus on adapter and bridge patterns: imports from specfact_cli (models, runtime, validators),
Typer/Rich command surfaces, and clear boundaries so core upgrades do not silently break bundles.
Flag breaking assumptions about registry loading, lazy imports, and environment/mode behavior.

Files:

packages/specfact-code-review/src/specfact_code_review/review/commands.py

tests/**/*.py

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first and integration tests: migration suites, bundle validation, and flakiness.
Ensure changes to adapters or bridges have targeted coverage.

Files:

tests/unit/specfact_code_review/review/test_commands.py

🔀 Multi-repo context nold-ai/specfact-cli

nold-ai/specfact-cli — relevant cross-repo consumers & spots to check

Pre-commit/CI consumer that parses ReviewReport JSON:
- scripts/pre_commit_code_review.py — defines CodeReviewReport and _load_review_report(...) that model-validates JSON reports; any change to ReviewReport envelope (schema_version logic or added finding metadata) may affect this loader. [::nold-ai/specfact-cli::scripts/pre_commit_code_review.py]
Registry / module package schema/version handling:
- src/specfact_cli/registry/module_packages.py — functions reading module manifest schema_version and checking compatibility (e.g., _raw_schema_version_str, compatibility checks). Changes to module-package.yaml semantics (integrity.checksum vs tarball checksums) may need doc/compatibility alignment here. [::nold-ai/specfact-cli::src/specfact_cli/registry/module_packages.py]
- tests referencing registry index and schema_version: tests/unit/scripts/test_update_registry_index.py, tests/unit/scripts/test_verify_bundle_published.py — update expectations if manifest/version handling changes. [::nold-ai/specfact-cli::tests/unit/scripts/test_update_registry_index.py] [::nold-ai/specfact-cli::tests/unit/scripts/test_verify_bundle_published.py]
ReviewReport / schema_version consumers across codebase:
- Multiple references and tests expect ReviewReport/schema_version presence and values: openspec/specs/review-report-model/spec.md, docs/modules/code-review.md, tests/integration/test_specmatic_integration.py, and many other tests that parse or assert schema_version. These are likely to observe the report schema_version change/selection behavior. [::nold-ai/specfact-cli::openspec/specs/review-report-model/spec.md] [::nold-ai/specfact-cli::docs/modules/code-review.md] [::nold-ai/specfact-cli::tests/integration/test_specmatic_integration.py]
ai_bloat / dead-branch documentation & guidance:
- docs/modules/code-review.md — documents ai_bloat findings (duplicate terminal guards / dead-branch). Changes to dead-branch detection/autofix logic may diverge from docs or other tooling relying on documented behaviour. [::nold-ai/specfact-cli::docs/modules/code-review.md]
Model/version utility functions used by analyzers/generators:
- src/specfact_cli/migrations/plan_migrator.py and get_current_schema_version() are imported across analyzers and generators (e.g., src/specfact_cli/analyzers/code_analyzer.py, generators/plan_generator.py). If ReviewReport schema_version semantics change, ensure these consumers remain consistent. [::nold-ai/specfact-cli::src/specfact_cli/migrations/plan_migrator.py] [::nold-ai/specfact-cli::src/specfact_cli/analyzers/code_analyzer.py]

Notes / risk areas:

Any change that adds simplification evidence fields inside findings (before_ref/after_ref/improvement) or alters when schema_version is bumped could break strict JSON validators, pre-commit gates, CI scripts that model-validate ReviewReport, or tests asserting exact schema_version strings.
Module manifest integrity/checksum doc clarifications in the PR warrant verifying module package publishing/verification code and tests that compare checksums (see registry/module_packages and tests mentioned).

🔇 Additional comments (4)

packages/specfact-code-review/module-package.yaml (1)

2-2: LGTM!

Also applies to: 26-27

packages/specfact-code-review/src/specfact_code_review/review/commands.py (1)

36-46: LGTM!

Also applies to: 146-156

packages/specfact-project/module-package.yaml (1)

2-2: LGTM!

Also applies to: 30-31

tests/unit/specfact_code_review/review/test_commands.py (1)

40-42: LGTM!

📝 Walkthrough

Bundle and Module Surface

specfact-code-review (0.47.24 → 0.47.26) and specfact-project (0.41.15 → 0.41.17) version bumps reflect:

New specfact code review run --instructions CLI flag that prints AI-facing guided simplify/clean-code workflow instructions and exits (status 0) without running the review pipeline. This serves as a low-friction fallback for users without bundled prompts or installed skills.
Signature and checksum metadata updated in both module manifests; cryptographic signature recomputed by CI signing automation for specfact-code-review.

Commands and Adapters

specfact code review run command surface:

Added instructions: bool parameter (via typer.Option(False, "--instructions", ...)) to review_app.command("run") in packages/specfact-code-review/src/specfact_code_review/review/commands.py
New _RUN_INSTRUCTIONS constant contains multiline AI-facing guidance (36 lines added to review/commands.py)

Simplification fix execution path (packages/specfact-code-review/src/specfact_code_review/run/commands.py):

_apply_simplification_fixes(report: ReviewReport) -> list[ReviewFinding] now returns a collection of applied findings instead of a count; callers must check len(applied) instead of comparing to integers
Two new helpers: _applied_simplification_finding(finding) and _with_applied_simplification_findings(report, applied_findings) to preserve evidence of applied safe-mechanical simplifications in post-fix review reports
During review_focus == "simplify", applied simplification findings are captured from the initial run, Ruff autofixes are applied, the review is rerun, and applied findings are merged back into the final report

Dead-branch and duplicate-guard detection (packages/specfact-code-review/src/specfact_code_review/tools/ai_bloat_runner.py):

prior_terminal_tests set is now cleared when encountering non-if statements and in the else branch of terminal-return checks, preventing earlier guards from incorrectly influencing later duplicate-guard detection after state changes (e.g., variable reassignment)
Matching logic applied in _apply_duplicate_terminal_guard_fix() in run/commands.py

Data Model and Integrity

ReviewFinding expansion (packages/specfact-code_review/src/specfact_code_review/run/findings.py):

Added optional fields: before_ref: EvidenceRef | None, after_ref: EvidenceRef | None, improvement: str | None to record evidence of applied simplifications
EvidenceRef (new Pydantic model) provides structured evidence references with path, start_line, end_line, artifact_id, and optional description fields

ReviewReport governance schema:

_derive_governance_fields() now sets schema_version = "1.2" only when simplification_summary is already non-None, removing the prior condition that upgraded schema whenever guided simplification metadata existed

Manifest and Registry Semantics

README.md clarity added (2 lines):

Manifest integrity.checksum values cover the canonical module source payload
Registry checksum_sha256 and .tar.gz.sha256 files cover the published tarball artifact, so these hashes can intentionally differ
registry/index.json and published tarballs are not updated locally; they are updated by publish-modules after merge

Cross-Repo Contracts

No specfact-cli import changes or new version constraints detected in bundle dependencies
EvidenceRef, before_ref, after_ref, and improvement fields are backward-compatible additions (optional fields on ReviewFinding)
_apply_simplification_fixes return type change from int to list[ReviewFinding] is internal to this bundle (not a cross-repo contract)
Core compatibility ranges unchanged: specfact-code-review >=0.44.0,<1.0.0, specfact-project >=0.40.0,<1.0.0

Documentation and Developer Guidance

--instructions option documented in docs/modules/code-review.md and docs/bundles/code-review/run.md with examples and expected AI-assistant content structure
Skill and prompt updates: .vibe/skills/specfact-code-review/SKILL.md, packages/specfact-code-review/resources/skills/.../SKILL.md, and packages/specfact-project/resources/prompts/specfact.08-simplify.md refactored to emphasize interactive cleanup coaching, decision-card workflow for vibe coders, explicit per-file validation cadence, and conservative defaults for design_judgment handling
New prohibitions added: avoid copying prompt templates into IDEs when installed skills provide guidance; don't apply design_judgment findings solely for shorter patches; don't batch-rewrite without explicit user approval

Test Coverage and Validation

Mechanical-simplification tests updated to assert len(applied) instead of comparing applied to integers
New test: test_dead_branch_ignores_duplicate_guard_after_assignment() in tests/unit/specfact_code_review/tools/test_ai_bloat_runner.py verifies guards are cleared after variable reassignments
Strengthened test: test_run_review_once_applies_simplification_fixes_before_rerun() now asserts first finding reflects applied simplification with non-None before_ref, after_ref, and improvement metadata
Guided resource tests refactored to use _assert_contains_all() helper for centralized substring validation
OpenSpec validation: code-review-12-guided-simplification-enforcement scenario passed openspec validate --strict with 125 test passes; TDD_EVIDENCE.md documents "failing before" pytest invocations for dead-branch-after-assignment edge case and expanded "passing after" results (including prompt validation, instruction-mode runs, module signature verification, and bug-hunt coverage)

CI and Signing

Pre-commit hook auto-runs sign-modules.py --allow-unsigned --payload-from-filesystem on non-main branches; signatures are refreshed locally for changed module payloads
CI sign-modules.yml re-signs changed modules after merge to dev/main with cryptographic verification
Module payload verification runs with --payload-from-filesystem --enforce-version-bump on PRs targeting dev; --require-signature enforced only for main-branch targets

Walkthrough

The PR emits applied-simplification findings (with EvidenceRef), preserves them across Ruff autofix + rerun, fixes duplicate-terminal-guard reachability tracking, tightens report schema upgrade logic, and updates CLI/skill/docs/tests and package metadata.

Changes

Guided Simplification Evidence and Duplicate-Guard Fix

Layer / File(s)	Summary
Dead-branch duplicate-guard state tracking fix `packages/specfact-code-review/src/specfact_code_review/tools/ai_bloat_runner.py`, `packages/specfact-code-review/src/specfact_code_review/run/commands.py`, `tests/unit/specfact_code_review/tools/test_ai_bloat_runner.py`	Reset `prior_terminal_tests` when control flow is interrupted or an `if` is non-terminal to avoid stale duplicate-guard matches; add test for reassignment-after-guard edge case.
Simplification findings evidence tracking and integration `packages/specfact-code-review/src/specfact_code_review/run/commands.py`, `tests/unit/specfact_code_review/run/test_commands.py`	`_apply_simplification_fixes` now returns a list of applied `ReviewFinding` objects with `EvidenceRef` before/after refs. The runner captures applied findings, runs Ruff autofixes, reruns the review, and merges applied findings into the final `ReviewReport`. Interactive and non-interactive paths updated; tests assert collection length and finding metadata.
Governance field schema version adjustment `packages/specfact-code-review/src/specfact_code_review/run/findings.py`	`ReviewReport._derive_governance_fields` upgrades `schema_version` to "1.2" only when `simplification_summary` is non-None, not merely when findings contain guided-simplification metadata.
Package metadata and documentation updates `packages/specfact-code-review/module-package.yaml`, `packages/specfact-project/module-package.yaml`, `README.md`, `docs/`, `packages//resources//SKILL.md`, `packages//resources/prompts/`, `openspec/changes/`, `tests/unit/*`	Bump package versions and integrity entries, add `--instructions` CLI option and `_RUN_INSTRUCTIONS` text, update skill/prompt documentation and onboarding to include `--instructions` fallback, expand TDD evidence, and adjust tests for new CLI/tests/refactored simplification evidence behavior.

Sequence Diagram

sequenceDiagram
  participant CLI
  participant ReviewRunner
  participant Ruff
  participant Report
  CLI->>ReviewRunner: run (fix + focus=simplify)
  ReviewRunner->>ReviewRunner: collect applied ReviewFinding list
  ReviewRunner->>Ruff: run autofix on repo
  Ruff->>ReviewRunner: autofix results
  ReviewRunner->>ReviewRunner: rerun review
  ReviewRunner->>Report: merge applied findings into rerun report

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related issues

[Change] Guided simplification enforcement for code review #286: implements guided-simplification enforcement touching the same simplify flow, ai_bloat logic, findings schema, prompts, and tests.

Possibly related PRs

nold-ai/specfact-cli-modules#290: Similar dead-branch/duplicate-terminal-guard state clearing changes and matching unit-test coverage.
Add AI bloat review advisories #271: Related to the ai_bloat AST runner and ai_bloat findings pipeline evolution.
Feature/code review ai bloat detection #270: Continued work on ai_bloat dead-branch detection and related tests.

Suggested labels

module, openspec

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 6.25% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title lacks a Conventional Commits prefix and is somewhat vague about the specific changes made in this PR.	Consider using a Conventional Commits prefix (e.g., 'fix:', 'feat:', 'docs:') and clarify the main change, such as 'fix: constrain dead-branch detection and add --instructions fallback' or similar.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description provides comprehensive coverage of changes, validation evidence, and addresses key template sections including summary, scope, bundle impact, validation evidence, and review notes.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

Create stacked PR
Commit on current branch

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch fix/pr289-dev-review-findings

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/specfact-code-review/module-package.yaml`:
- Around line 26-27: The manifest was updated only to set integrity.signature
while the signing evidence notes used --allow-unsigned; block merging and
restore proper cryptographic signing by re-generating a real signature that
matches the checksum/payload, remove the temporary --allow-unsigned evidence,
and verify the signature with a full verification run (use --require-signature)
so integrity.signature and checksum: sha256:66840898... match the final payload;
update the manifest's evidence/comments to reflect the successful verification
and include the signer identity used.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bea50c52-6e24-4bf0-898f-c37a4a91a400

📥 Commits

Reviewing files that changed from the base of the PR and between 3584a6f and 49be799.

📒 Files selected for processing (12)

.vibe/skills/specfact-code-review/SKILL.md
docs/bundles/code-review/run.md
docs/modules/code-review.md
openspec/changes/code-review-12-guided-simplification-enforcement/TDD_EVIDENCE.md
packages/specfact-code-review/module-package.yaml
packages/specfact-code-review/src/specfact_code_review/resources/skills/specfact-code-review/SKILL.md
packages/specfact-code-review/src/specfact_code_review/review/commands.py
packages/specfact-project/module-package.yaml
packages/specfact-project/resources/prompts/specfact.08-simplify.md
skills/specfact-code-review/SKILL.md
tests/unit/specfact_code_review/review/test_commands.py
tests/unit/test_guided_simplify_resources.py

✅ Files skipped from review due to trivial changes (1)

docs/bundles/code-review/run.md

📜 Review details

🧰 Additional context used

📓 Path-based instructions (6)

packages/**/module-package.yaml

⚙️ CodeRabbit configuration file

packages/**/module-package.yaml: Validate metadata: name, version, commands, dependencies, and parity with packaged src.
Call out semver and signing implications when manifests or payloads change.

Files:

packages/specfact-project/module-package.yaml
packages/specfact-code-review/module-package.yaml

**/*.{js,ts,tsx,jsx,py,java,cs,go,rb,php,cpp,c,h}

📄 CodeRabbit inference engine (CLAUDE.md)

Preserve the clean-code compliance gate and its category references (naming, kiss, yagni, dry, and solid)

Files:

packages/specfact-code-review/src/specfact_code_review/review/commands.py
tests/unit/test_guided_simplify_resources.py
tests/unit/specfact_code_review/review/test_commands.py

packages/**/src/**/*.py

⚙️ CodeRabbit configuration file

packages/**/src/**/*.py: Focus on adapter and bridge patterns: imports from specfact_cli (models, runtime, validators),
Typer/Rich command surfaces, and clear boundaries so core upgrades do not silently break bundles.
Flag breaking assumptions about registry loading, lazy imports, and environment/mode behavior.

Files:

packages/specfact-code-review/src/specfact_code_review/review/commands.py

docs/**/*.md

⚙️ CodeRabbit configuration file

docs/**/*.md: User-facing and cross-site accuracy: Jekyll front matter, links per documentation-url-contract,
CLI examples matching bundled commands.

Files:

docs/modules/code-review.md

tests/**/*.py

⚙️ CodeRabbit configuration file

tests/**/*.py: Contract-first and integration tests: migration suites, bundle validation, and flakiness.
Ensure changes to adapters or bridges have targeted coverage.

Files:

tests/unit/test_guided_simplify_resources.py
tests/unit/specfact_code_review/review/test_commands.py

openspec/**/*.md

⚙️ CodeRabbit configuration file

openspec/**/*.md: Specification truth: proposal/tasks/spec deltas vs. bundle behavior, CHANGE_ORDER, and
drift vs. shipped modules or docs.

Files:

openspec/changes/code-review-12-guided-simplification-enforcement/TDD_EVIDENCE.md

🪛 LanguageTool

.vibe/skills/specfact-code-review/SKILL.md

[style] ~23-~23: As an alternative to the over-used intensifier ‘very’, consider replacing this phrase.
Context: ...lify review after each accepted file or very small batch; if validation cannot prove safet...

(EN_WEAK_ADJECTIVE)

skills/specfact-code-review/SKILL.md

[style] ~23-~23: As an alternative to the over-used intensifier ‘very’, consider replacing this phrase.
Context: ...lify review after each accepted file or very small batch; if validation cannot prove safet...

(EN_WEAK_ADJECTIVE)

packages/specfact-project/resources/prompts/specfact.08-simplify.md

[style] ~99-~99: As an alternative to the over-used intensifier ‘very’, consider replacing this phrase.
Context: ...pted edits. After each accepted file or very small batch, run the most targeted relevant t...

(EN_WEAK_ADJECTIVE)

openspec/changes/code-review-12-guided-simplification-enforcement/TDD_EVIDENCE.md

[style] ~53-~53: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...st_guided_simplify_resources.py -q` - Result after prompt/skill user-experience tigh...