Skip to content

chore(standards): synced file(s) with hallelx2/dev-standards#5

Open
hallelx2 wants to merge 10 commits into
mainfrom
repo-sync/dev-standards/default
Open

chore(standards): synced file(s) with hallelx2/dev-standards#5
hallelx2 wants to merge 10 commits into
mainfrom
repo-sync/dev-standards/default

Conversation

@hallelx2

@hallelx2 hallelx2 commented Jun 13, 2026

Copy link
Copy Markdown
Owner

synced local file(s) with hallelx2/dev-standards.

Changed files
  • created local AGENTS.md from remote AGENTS.md
  • created local .github/copilot-instructions.md from remote .github/copilot-instructions.md
  • created local directory .github/agents/ and copied all sub files/folders from remote directory .github/agents/
  • created local .github/instructions/backend.instructions.md from remote .github/instructions/backend.instructions.md
  • created local .github/instructions/frontend.instructions.md from remote .github/instructions/frontend.instructions.md
  • created local .github/instructions/security.instructions.md from remote .github/instructions/security.instructions.md
  • created local .github/workflows/security.yml from remote .github/workflows/security.yml
  • created local .github/workflows/security.reusable.yml from remote .github/workflows/security.reusable.yml
  • created local .github/workflows/jules-review.yml from remote .github/workflows/jules-review.yml
  • synced local .github/dependabot.yml with remote .github/dependabot.yml

This PR was created automatically by the repo-file-sync-action workflow run #29023833923

Copilot AI review requested due to automatic review settings June 13, 2026 02:11
@coderabbitai

coderabbitai Bot commented Jun 13, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@hallelx2, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 58 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1fb4f796-2ac1-408e-8f3b-32ec71af83e3

📥 Commits

Reviewing files that changed from the base of the PR and between 69d8b85 and 5039b38.

📒 Files selected for processing (13)
  • .github/agents/backend-reviewer.agent.md
  • .github/agents/frontend-reviewer.agent.md
  • .github/agents/security-reviewer.agent.md
  • .github/agents/test-reliability-reviewer.agent.md
  • .github/copilot-instructions.md
  • .github/dependabot.yml
  • .github/instructions/backend.instructions.md
  • .github/instructions/frontend.instructions.md
  • .github/instructions/security.instructions.md
  • .github/workflows/jules-review.yml
  • .github/workflows/security.reusable.yml
  • .github/workflows/security.yml
  • AGENTS.md
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch repo-sync/dev-standards/default

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sourcery-ai

sourcery-ai Bot commented Jun 13, 2026

Copy link
Copy Markdown

Reviewer's Guide

Adds shared AI agent standards, review rubrics, and reusable security/Jules review GitHub workflows by syncing them from hallelx2/dev-standards, enabling consistent automated reviews and security scanning across the repo.

Sequence diagram for automated Jules PR security review workflow

sequenceDiagram
  actor Developer
  participant GitHub
  participant jules_review_workflow as jules-review.yml
  participant Guard_step as Guard_only_run_when_a_Jules_key_is_configured
  participant Jules_action as sanjay3290/jules-pr-reviewer@main

  Developer->>GitHub: open/synchronize/ready_for_review PR
  GitHub->>jules_review_workflow: trigger pull_request event
  jules_review_workflow->>Guard_step: run guard step
  alt JULES_API_KEY present
    Guard_step-->>jules_review_workflow: enabled=true
    jules_review_workflow->>Jules_action: run Jules security review
    Jules_action-->>GitHub: post security-focused PR review
  else JULES_API_KEY missing
    Guard_step-->>GitHub: log skipping message
  end
Loading

File-Level Changes

Change Details Files
Introduce repository-wide AI/agent standards for development and review.
  • Add AGENTS.md as the canonical brief for all AI agents interacting with the codebase, defining workflow expectations, review bar, language-specific conventions, and security requirements.
  • Document Vectorless-specific security rules around BYOK keys and multi-tenant isolation to guide future implementation and reviews.
AGENTS.md
Configure baseline instructions for Copilot-powered PR reviews.
  • Add a focused rubric for Copilot to review PRs in a fixed order (right thing, done right, safe), emphasizing security, tests, and multi-tenant isolation.
  • Clarify expectations for referencing issues (Closes HAL-), citing file:line, and preferring high-signal findings.
.github/copilot-instructions.md
Add reusable security scanning workflow and caller workflow for CI.
  • Create a reusable security.reusable.yml workflow that runs gitleaks for secrets, Trivy for dependency/config/secrets scanning, and gosec for conditional Go SAST.
  • Create a top-level security.yml workflow that runs on PRs and main pushes and delegates to the reusable workflow with inherited secrets.
  • Set minimal permissions needed for security scanning jobs and explain why CodeQL is excluded here and expected to be configured per-repo.
.github/workflows/security.reusable.yml
.github/workflows/security.yml
Automate optional security-focused Jules PR reviews via GitHub Actions.
  • Add a jules-review workflow that triggers on PR events and conditionally invokes the sanjay3290/jules-pr-reviewer action when JULES_API_KEY is configured.
  • Ensure the workflow safely no-ops when the secret is absent and passes a strict security-focused review prompt pointing to the security-reviewer agent spec.
.github/workflows/jules-review.yml
Define specialized AI reviewer agents for backend, frontend, security, and test reliability.
  • Add backend-reviewer.agent.md to enforce Go backend standards around error handling, concurrency, context usage, data access, and testing.
  • Add frontend-reviewer.agent.md to enforce TypeScript/Next.js standards for server/client boundaries, XSS, a11y, performance, and brand consistency.
  • Add security-reviewer.agent.md to provide an adversarial application-security rubric focusing on authz, multi-tenant isolation, secrets/BYOK, injection/SSRF, crypto, and dependency risk.
  • Add test-reliability-reviewer.agent.md to ensure tests prove behavior, cover edge cases, remain deterministic, and support reliable changes.
.github/agents/backend-reviewer.agent.md
.github/agents/frontend-reviewer.agent.md
.github/agents/security-reviewer.agent.md
.github/agents/test-reliability-reviewer.agent.md
Add path-scoped instruction files that bind reviewer rubrics to file types in the repo.
  • Add backend.instructions.md that applies Go backend review guidance to all *.go files, focusing on error handling, concurrency, context, resources, data access, and tests.
  • Add frontend.instructions.md that applies TS/TSX/CSS frontend review guidance, including security, type safety, a11y, performance, and brand consistency.
  • Add security.instructions.md that applies a security review rubric to all files, emphasizing authorization, multi-tenant isolation, BYOK handling, injection/SSRF, crypto, and dependency risk.
.github/instructions/backend.instructions.md
.github/instructions/frontend.instructions.md
.github/instructions/security.instructions.md

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • In .github/workflows/security.reusable.yml, consider pinning securego/gosec@master to a specific release tag or SHA to avoid unexpected behavior when the master branch changes.
  • Similarly, in .github/workflows/jules-review.yml, using sanjay3290/jules-pr-reviewer@main could introduce breaking changes over time; pinning to a version or commit SHA would make the workflow more stable and auditable.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In `.github/workflows/security.reusable.yml`, consider pinning `securego/gosec@master` to a specific release tag or SHA to avoid unexpected behavior when the `master` branch changes.
- Similarly, in `.github/workflows/jules-review.yml`, using `sanjay3290/jules-pr-reviewer@main` could introduce breaking changes over time; pinning to a version or commit SHA would make the workflow more stable and auditable.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR syncs shared engineering standards and GitHub automation from hallelx2/dev-standards into this repository, establishing consistent AI-agent guidance and baseline security/review workflows.

Changes:

  • Adds repo-level agent/review standards (AGENTS.md) and Copilot review baseline instructions.
  • Introduces path-scoped review rubrics and specialized agent profiles under .github/instructions/ and .github/agents/.
  • Adds security scanning and optional “Jules” automated review workflows under .github/workflows/.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
AGENTS.md Adds shared engineering/review standards for human + AI agents.
.github/copilot-instructions.md Adds baseline Copilot PR review rubric and priorities.
.github/instructions/backend.instructions.md Adds Go-specific review checklist for .go files.
.github/instructions/frontend.instructions.md Adds TypeScript/Next/CSS review checklist for frontend files.
.github/instructions/security.instructions.md Adds universal security review checklist applied to all files.
.github/agents/backend-reviewer.agent.md Defines a specialized backend reviewer agent profile.
.github/agents/frontend-reviewer.agent.md Defines a specialized frontend reviewer agent profile.
.github/agents/security-reviewer.agent.md Defines an adversarial security reviewer agent profile.
.github/agents/test-reliability-reviewer.agent.md Defines a test/reliability reviewer agent profile.
.github/workflows/security.yml Adds a caller workflow that runs the shared security reusable workflow on PRs and main pushes.
.github/workflows/security.reusable.yml Adds reusable security scanners (gitleaks, Trivy, gosec) for consistent cross-repo scanning.
.github/workflows/jules-review.yml Adds optional automated Jules security review workflow gated on JULES_API_KEY.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +21 to +22
uses: ./.github/workflows/security.reusable.yml
secrets: inherit
Comment thread .github/workflows/security.reusable.yml Outdated
Comment on lines +23 to +26
- name: gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ github.token }}
Comment thread .github/workflows/security.reusable.yml Outdated
Comment on lines +33 to +35
- name: Trivy filesystem scan
uses: aquasecurity/trivy-action@0.28.0
with:
Comment on lines +52 to +56
- name: gosec
if: steps.detect.outputs.is_go == 'true'
uses: securego/gosec@master
with:
args: -no-fail -fmt text ./...
Comment on lines +30 to +35
- name: Jules security review
if: steps.guard.outputs.enabled == 'true'
uses: sanjay3290/jules-pr-reviewer@main
with:
jules-api-key: ${{ secrets.JULES_API_KEY }}
github-token: ${{ github.token }}
@hallelx2 hallelx2 force-pushed the repo-sync/dev-standards/default branch 2 times, most recently from fc89bdd to 21ae366 Compare June 13, 2026 02:20
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@hallelx2 hallelx2 force-pushed the repo-sync/dev-standards/default branch 5 times, most recently from 6f0b3aa to 0f70703 Compare June 15, 2026 11:50
@hallelx2 hallelx2 force-pushed the repo-sync/dev-standards/default branch 2 times, most recently from 3c981ce to 29107cc Compare June 29, 2026 10:27
@hallelx2 hallelx2 force-pushed the repo-sync/dev-standards/default branch from 29107cc to a84e2cf Compare July 6, 2026 07:30
steps:
- uses: actions/checkout@v4
- name: Install Trivy (latest binary — avoids the action's broken setup-trivy pin)
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
# Local reference — the reusable file is synced into THIS repo too, so each repo
# is self-contained and this works whether dev-standards is public or private.
uses: ./.github/workflows/security.reusable.yml
secrets: inherit
Comment thread .github/dependabot.yml
Comment on lines +6 to +10
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: weekly
labels: [dependencies, security]
Comment thread .github/dependabot.yml
Comment on lines +19 to +24
- package-ecosystem: npm
directory: "/"
schedule:
interval: weekly
open-pull-requests-limit: 5
commit-message:
prefix: "ci"
include: scope
labels: [dependencies, security]
name: Secrets (gitleaks)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
name: Node/TS deps (npm audit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
id: detect
run: |
if [ -f package.json ]; then echo "is_node=true" >> "$GITHUB_OUTPUT"; else echo "is_node=false" >> "$GITHUB_OUTPUT"; fi
- uses: actions/setup-node@v4
name: Python deps + SAST (pip-audit + bandit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
id: detect
run: |
if ls requirements*.txt pyproject.toml setup.py >/dev/null 2>&1; then echo "is_py=true" >> "$GITHUB_OUTPUT"; else echo "is_py=false" >> "$GITHUB_OUTPUT"; fi
- uses: actions/setup-python@v5
name: Vulns + misconfig (Trivy)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
@hallelx2 hallelx2 force-pushed the repo-sync/dev-standards/default branch from a84e2cf to 969eee4 Compare July 9, 2026 14:04
hallelx2 added 7 commits July 9, 2026 14:04
Synced AI-review standards from hallelx2/dev-standards.
…m remote '.github/copilot-instructions.md'

Synced AI-review standards from hallelx2/dev-standards.
…b/agents/'

Synced AI-review standards from hallelx2/dev-standards.
…tions.md' from remote '.github/instructions/backend.instructions.md'

Synced AI-review standards from hallelx2/dev-standards.
…ctions.md' from remote '.github/instructions/frontend.instructions.md'

Synced AI-review standards from hallelx2/dev-standards.
…ctions.md' from remote '.github/instructions/security.instructions.md'

Synced AI-review standards from hallelx2/dev-standards.
… remote '.github/workflows/security.yml'

Synced AI-review standards from hallelx2/dev-standards.
hallelx2 added 3 commits July 9, 2026 14:04
…yml' from remote '.github/workflows/security.reusable.yml'

Synced AI-review standards from hallelx2/dev-standards.
…from remote '.github/workflows/jules-review.yml'

Synced AI-review standards from hallelx2/dev-standards.
….github/dependabot.yml'

Synced AI-review standards from hallelx2/dev-standards.
@hallelx2 hallelx2 force-pushed the repo-sync/dev-standards/default branch from 969eee4 to 5039b38 Compare July 9, 2026 14:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants