feat(claude): two-agent post-commit review pair for lfx-self-serve

[josep-reyero]

Summary

Reshape the lfx-self-serve review lifecycle around a two-subagent post-commit pair (spawned in the background via the Agent tool with run_in_background: true) plus a single PR-shape skill at pre-PR time. Goal: catch what reviewers (humans + CodeRabbit + Copilot) flag before the PR opens, so reviewer time goes to architecture and product judgement rather than mechanical pattern enforcement — and do it without parking the developer in a synchronous wait.

The shape

Component	Type	Stage	Invocation
lfx-self-serve-code-reviewer	agent	post-commit (pre-PR only)	Agent tool, subagent_type: + mode: local, run_in_background: true. Audits .claude/rules/, the four docs/reviews/ checklists, architecture docs, upstream API contracts, protected files.
lfx-self-serve-learnings-reviewer	agent	post-commit (pre-PR only)	Agent tool, subagent_type: + base/extra, run_in_background: true. Comprehensive code-review rubric (security / performance / code quality / architecture / testing) cross-checked against the docs/reviews/knowledge-base/ empirical pattern KB.
/lfx-self-serve-pr-readiness	skill	pre-PR	Slash invocation. Branch / JIRA / conventional commits / rebase / DCO + GPG / diff size. Does NOT audit code.
/lfx-review-pr	skill	post-PR (review an open PR)	Slash invocation. Spawns lfx-self-serve-code-reviewer in mode: pr (returns JSON); composes a draft review with prior-comment verification, PR-shape, new-contributor tone; posts only after explicit user approval. Fetches the PR head via pull/<N>/head so it works uniformly for fork PRs.

Why agents and not skills for the review pair? Skills run synchronously and can't be invoked in parallel — the Agent tool's run_in_background: true is the only way to get genuinely concurrent reviews that don't block the dev session. Each agent runs in its own fresh forked context (no dev-thread bias) and they execute side-by-side instead of one-after-another.

Why post-commit? Both agents diff cumulatively against origin/main, so a later review pair sees the full state and supersedes any earlier in-flight one. Commit first, fire the pair off in the background, keep building. The safety bound is the PR boundary, not the commit boundary — nothing leaves the branch without a clean final review, but the branch can hold transient reviewed-and-pending-fix state. Background execution actually overlaps with dev work that way.

Why pre-PR only? Once the PR is open, CodeRabbit + Copilot auto-trigger on every push and become the live audit surface. Stacking subagent audits on top of bot audits adds latency without proportional signal — the pair is pre-PR insurance, the bots own the post-PR loop.

Why split the dev side from the review side

CLAUDE.md + .claude/rules/ + /develop's instructions already feed every dev session ~1.3K lines, plus the architecture and external API docs they cross-reference. The pattern knowledge base adds another ~1K (68 patterns across 8 categories + the senior-engineer review rubric), and it'll keep growing as we fold in more human-flagged patterns and codebase gotchas. Bolting all of that into the dev prompt would make it much heavier and harder for Claude to actually follow.

The two post-commit subagents instead spawn in parallel in their own forked contexts — so it's not tedious for the developer, and the KB lives where it's actually used.

Knowledge base — 4-month back-filled, 68 patterns

The lfx-self-serve-learnings-reviewer agent cross-checks findings against docs/reviews/knowledge-base/ — eight per-category pattern files (security.md, typescript-correctness.md, templates-and-accessibility.md, frontend-state-and-timing.md, server-request-handling.md, observability-and-logging.md, data-and-snowflake.md, code-truthiness.md) plus known-false-positives.md.

The 68 patterns were canonicalised from ~68 PRs sampled over 2026-01-15 → 2026-05-15 (~4 months) and ~754 inline CodeRabbit + GitHub Copilot review comments. Promotion rule: appeared in ≥2 PRs, OR single-PR with high severity (security / data-integrity / runtime-crash / SSR-crash). Cross-check discipline drops any finding the agent emits that can't be traced back to a quotable pattern entry.

What lives where

• .claude/agents/lfx-self-serve-code-reviewer.md — repo-convention code-review playbook with mode: local / mode: pr dispatch.
• .claude/agents/lfx-self-serve-learnings-reviewer.md — senior-engineer review rubric + KB routing + cross-check + markdown rendering. Self-contained.
• docs/reviews/knowledge-base/ — 8 pattern files + known-false-positives.md (the empirical KB). Peer to the convention checklists, team-discoverable.
• docs/reviews/{frontend,backend,shared-and-sql,docs}-checklist.md — the four code-convention checklists (canonical location, code-reviewer agent reads from here).
• .claude/skills/lfx-self-serve-pr-readiness/references/pr-shape.md — PR-shape checklist (walked by pr-readiness pre-PR and /lfx-review-pr post-PR).
• CLAUDE.md work-cycle gate — mandates the post-commit subagent pair on every pre-PR commit, drains the queue clean before opening, requires /lfx-self-serve-pr-readiness + /preflight to pass, and switches to the bot-iteration loop (no subagent pair) once the PR is open.

Team-review snapshot

Human-readable snapshot of the KB at lfx-architecture-scratch/2026-05-DevX-Time-to-Merge/lfx-self-serve-pr-learnings.md — open for team review (flag patterns to add, drop, or revise).

Work cycle (CLAUDE.md)

Pre-PR (asynchronous, while branch is local). After every commit, issue two Agent tool calls in a single message, both with run_in_background: true:

1. subagent_type: lfx-self-serve-code-reviewer, prompt: "mode: local\nbase: origin/main\nextra: <focus>" → renders a code-convention review.
2. subagent_type: lfx-self-serve-learnings-reviewer, prompt: "base: origin/main\nextra: <focus>" → renders a comprehensive rubric review with KB cross-check.

Both run concurrently in fresh forked contexts. Keep working on the next commit while they run. When the pair returns, roll every CRITICAL and reasonable SHOULD_FIX into the next commit. Multiple in-flight pairs are normal; the latest returned pair is authoritative (cumulative diff against origin/main).

Pre-PR drain: when the work is done, wait for the latest in-flight pair, fix any remaining findings, rerun until clean, then /lfx-self-serve-pr-readiness → /preflight → push → open.

Post-PR iteration: CodeRabbit + Copilot auto-trigger on every push. Wait for bot comments, triage CRITICAL / reasonable SHOULD_FIX, push a fix(review): ... commit, reply + resolve threads, repeat until clean. No subagent pair on these commits — the bots own the audit surface once the PR exists.

Test plan

• Spawn lfx-self-serve-code-reviewer (mode: local) against a branch with a fresh commit — confirm it diffs cumulatively against origin/main and renders a code-only verdict.
• Spawn lfx-self-serve-learnings-reviewer against the same branch — confirm it loads only the pattern files whose Read-when condition matches the changed-file paths, applies the rubric, and drops known false positives.
• Issue both Agent calls in one message with run_in_background: true — confirm the dev session is not blocked: it can continue tool calls while the agents run.
• Commit a follow-up while the pair is still in flight — confirm a second pair can be spawned without interference, and the second pair's diff (cumulative) supersedes the first.
• Run /lfx-self-serve-pr-readiness — verify it walks pr-shape.md and emits PR-shape findings only (no code findings).
• Run /lfx-review-pr against an open PR — verify it spawns lfx-self-serve-code-reviewer in mode: pr in background, prior-comment verification works, draft-then-approve flow blocks auto-posting.
• Run /lfx-review-pr against a PR opened from a fork — verify the pull/<N>/head refspec creates the local refs/pr/<N>/head ref and every downstream git show / git log / git merge-base reads from it cleanly.
• Confirm CLAUDE.md work-cycle references all components in correct order: pre-PR commits (subagent pair, background) → pre-PR drain → /lfx-self-serve-pr-readiness → /preflight → push → post-PR bot loop (no subagent pair).

Protected files

• CLAUDE.md modified — guard-protected-files.sh flags this. Code-owner review requested on the updated work-cycle section.

JIRA: LFXV2-1827

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds parallel post-commit reviewers, a pre-PR "shape" readiness skill and checklist, rewrites the PR-level review skill to gate mutating actions behind explicit approval, and expands the reviewers' knowledge-base documents.

Changes

Restructured Review Architecture: Post-Commit + Pre-PR + PR-Level

Layer / File(s)	Summary
Post-commit code and learnings reviewers .claude/agents/lfx-self-serve-code-reviewer.md, .claude/agents/lfx-self-serve-learnings-reviewer.md	New parallel agents that run locally after each commit: code-reviewer performs systematic file-type-aware audits against domain checklists and validates upstream API contracts; learnings-reviewer runs a structured security/performance/quality/architecture/testing rubric cross-checking against loaded KB patterns. Both support local and PR modes and emit findings (CRITICAL/SHOULD_FIX/NIT).
Pre-PR shape validation skill and checklist .claude/skills/lfx-self-serve-pr-readiness/SKILL.md, .claude/skills/lfx-self-serve-pr-readiness/references/pr-shape.md	New /lfx-self-serve-pr-readiness skill validates branch naming, JIRA references, conventional commits, rebase status, diff size, DCO/GPG signatures, PR title format, and upstream-proxy external references via pr-shape.md, emitting traceable CRITICAL/SHOULD_FIX/NIT findings and a verdict.
PR-level review skill orchestration .claude/skills/lfx-review-pr/SKILL.md	Rewritten skill that fetches PR metadata, runs background lfx-self-serve-code-reviewer in mode: pr, verifies previously recorded reviewer comments from GitHub to detect fixed items, performs PR-shape validation, compiles structured draft context, requires explicit user approval via AskUserQuestion before invoking /review, and gates all PR-mutating actions behind that approval.
Workflow documentation and skill guidance CLAUDE.md, .claude/rules/skill-guidance.md	Updated CLAUDE.md with mandatory post-commit cycle (spawn both agents in parallel after each commit, iterate until READY), pre-PR drain sequence (wait for reviews, run shape validation, run /preflight, then open PR); refined .claude/rules/skill-guidance.md trigger phrases and cowork-session guidance.
Domain-specific code review knowledge base docs/reviews/knowledge-base/*	Nine new knowledge-base documents used by reviewers for detection and fixes: code-truthiness, data-and-snowflake, frontend-state-and-timing, known-false-positives, observability-and-logging, security, server-request-handling, templates-and-accessibility, and typescript-correctness.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer
  participant CodeRev as lfx-self-serve-code-reviewer
  participant LearnRev as lfx-self-serve-learnings-reviewer
  participant Readiness as lfx-self-serve-pr-readiness
  participant CLAUDE as CLAUDE.md / Skill Guidance

  Dev->>CodeRev: invoke post-commit (mode:local)
  Dev->>LearnRev: invoke post-commit (mode:local)
  CodeRev->>LearnRev: (independent) load KB/checklists
  CodeRev-->>Dev: findings
  LearnRev-->>Dev: findings
  Dev->>Readiness: run pre-PR readiness before PR
  Readiness->>CLAUDE: consult `pr-shape.md` and rules
  Readiness-->>Dev: verdict (READY / NOT READY / READY WITH CHANGES)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• linuxfoundation/lfx-self-serve#703: Updates PR-review-skill phase logic and filtering, building on the same review-pipeline rewrite as this PR.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and specifically describes the main change: introducing a two-agent post-commit review system for lfx-self-serve.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description comprehensively explains the new two-agent post-commit review lifecycle, knowledge base structure, and required work-cycle changes, directly aligned with the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/LFXV2-1827

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

CLAUDE.md (1)

1-1: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Protected file modified — requires code-owner review.

CLAUDE.md is listed as a protected file per .claude/rules/development-rules.md and the guard-protected-files.sh hook. This change adds the new mandatory /lfx-self-serve-self-review workflow, which is appropriate, but requires extra review scrutiny and code-owner sign-off before merge. Surface this modification in the PR description and tag a code owner.

Note: The PR objectives already mention this is flagged for CODEOWNERS review, so this comment serves as formal documentation in the review.

Based on learnings: "Do not edit CLAUDE.md or other lfx-preflight protected files without code-owner review."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CLAUDE.md` at line 1, This change modifies the protected file CLAUDE.md and
therefore needs a code-owner review: update the PR description to explicitly
call out the modification to CLAUDE.md and that you added the new
/lfx-self-serve-self-review workflow, then add/mention the appropriate
CODEOWNER(s) so they are notified (per .claude/rules/development-rules.md and
guard-protected-files.sh) and wait for their approval before merging.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/skills/lfx-self-serve-self-review/SKILL.md:
- Around line 37-47: Add explicit error handling around each git command shown
(git fetch, git rev-parse --abbrev-ref HEAD, git merge-base <base> HEAD, git
diff, git log): after running each command check its exit code/throw and abort
the phase with a clear, specific message mapping failures to causes (e.g.,
"Failed to fetch from origin — check network/credentials" for git fetch; "Failed
to determine current branch" for git rev-parse; "Invalid base branch `<base>` or
not reachable from HEAD" for git merge-base; "Failed to compute diff between
`<base>` and HEAD" for git diff/log). Ensure the skill stops further processing
on any non-zero exit and surfaces the original command error output in the
message for debugging.
- Around line 211-227: The Projects table entry points to
`lfx-v2-project-service` which does not contain gen/http/openapi3.yaml; update
the service table row referencing `lfx-v2-project-service` so it either points
to the correct OpenAPI path in that repo or remove the Projects row entirely;
search the repository for the actual OpenAPI spec filename/path and replace the
table value and any related gh api example (the gh api
repos/linuxfoundation/<repo>/contents/gen/http/openapi3.yaml snippet) with the
correct repo/path if found, and verify the gh api command returns the file (or
delete the entry if no spec exists).

---

Outside diff comments:
In `@CLAUDE.md`:
- Line 1: This change modifies the protected file CLAUDE.md and therefore needs
a code-owner review: update the PR description to explicitly call out the
modification to CLAUDE.md and that you added the new /lfx-self-serve-self-review
workflow, then add/mention the appropriate CODEOWNER(s) so they are notified
(per .claude/rules/development-rules.md and guard-protected-files.sh) and wait
for their approval before merging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f123876b-ef02-4186-9490-e4b51f1e4d1f

📥 Commits

Reviewing files that changed from the base of the PR and between a3d54e9 and e3bc34d.

📒 Files selected for processing (7)

• .claude/rules/skill-guidance.md
• .claude/skills/lfx-self-serve-self-review/SKILL.md
• .claude/skills/lfx-self-serve-self-review/references/backend-checklist.md
• .claude/skills/lfx-self-serve-self-review/references/docs-checklist.md
• .claude/skills/lfx-self-serve-self-review/references/frontend-checklist.md
• .claude/skills/lfx-self-serve-self-review/references/shared-and-sql-checklist.md
• CLAUDE.md

[Copilot]

Pull request overview

Adds a new guided Claude skill to perform a local (pre-PR) self-review against repo standards, then updates contributor guidance so this self-review becomes a mandatory step before opening a PR.

Changes:

• Introduces /lfx-self-serve-self-review skill that computes a local diff vs a base branch, runs standards checks, and emits a structured findings report with a verdict.
• Updates CLAUDE.md workflow to require the self-review before /preflight and before opening any PR.
• Updates skill suggestion guidance to route “ready for PR?” intents to the new self-review skill (and positions /preflight as the mechanical follow-up).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

File	Description
CLAUDE.md	Makes /lfx-self-serve-self-review a mandatory pre-PR step and reorders the “before PR” work cycle.
.claude/skills/lfx-self-serve-self-review/SKILL.md	Adds the new self-review skill definition and report/verdict structure.
.claude/rules/skill-guidance.md	Updates skill routing so local readiness checks suggest /lfx-self-serve-self-review before /preflight.

Comments suppressed due to low confidence (2)

.claude/skills/lfx-self-serve-self-review/SKILL.md:239

• Phase 6 says an upstream spec fetch failure should be reported as a WARNING and that “an unverified contract is not a passing check”, but the report structure in Phase 7 only has Critical/Should fix/Nit sections. Please define where these warnings go (new section vs. down-level to SHOULD_FIX) so they don’t get dropped from the structured output.

For direct Snowflake SQL (not proxy calls): verify every `?` placeholder has a corresponding value in the binds array, in the correct order. Bind mismatch → **CRITICAL**.

If `gh api` fails (404, auth, network), include a **WARNING** in the report: "Upstream API contract for `<service>` could not be verified — manual validation required." An unverified contract is **not** a passing check.

.claude/skills/lfx-self-serve-self-review/SKILL.md:288

• Verdict rules don’t currently account for the “unverified upstream contract is not a passing check” case (Phase 6): since WARNING isn’t part of the verdict gating, the skill could still emit READY even when upstream validation could not be performed. Consider explicitly stating how unverified upstream contracts affect the verdict (e.g., force READY WITH CHANGES or NOT READY).

### Verdict rules

- **NOT READY** — any CRITICAL finding, any unsigned commit, or any confirmed upstream contract mismatch (not just unverified).
- **READY WITH CHANGES** — zero CRITICAL; SHOULD_FIX findings present. Address them or explicitly document the trade-off in the PR description.
- **READY** — zero CRITICAL, zero SHOULD_FIX. NITs are fine to carry forward.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 26 out of 30 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (4)

.claude/skills/lfx-self-serve-self-review/SKILL.md:53

• Phase 2/3 assumes the agent runs PR-shape checks (“Step 8”) and returns pr-shape findings, but the agent spec in .claude/agents/lfx-self-serve-code-reviewer.md states PR-shape is handled by /lfx-self-serve-pr-readiness and /lfx-review-pr, not the agent. Align this section (and the report template) with the agent’s actual JSON output so the skill doesn’t reference a non-existent category.

The playbook will:

1. Compute the local diff (Step 1, `mode: local` branch).
2. Load CLAUDE.md, `.claude/rules/*.md`, the protected-files hook, conditionally relevant architecture docs, and the four review checklists (Step 2).
3. Audit each changed file against all applicable rules and checklists (Steps 3–5).
4. Validate upstream API contracts for any backend changes (Step 6).
5. Flag protected files (Step 7).
6. Run PR-shape sanity — branch name, JIRA, conventional commits, rebase, diff size, DCO+GPG signing (Step 8, both-modes section only).
7. Return a JSON array of findings with categories `code`, `upstream-api`, `protected-files`, `pr-shape` (Step 9).

.claude/skills/lfx-review-pr/SKILL.md:75

• Phase 3 requires headRefName to git show origin/<headRefName>:<file> but also instructs running Phase 3 in parallel with the background agent and says to get headRefName from the agent’s metadata fetch. The agent output is just findings JSON (no headRefName), so Phase 3 can’t reliably run. Fix by fetching PR metadata (at least headRefName/baseRefName) in Phase 1 with gh pr view ..., or by deferring file reads until after the metadata is available from a skill-side fetch.

```bash
gh api repos/{owner}/{repo}/pulls/<N>/comments --paginate
gh api repos/{owner}/{repo}/pulls/<N>/reviews --paginate

2. Skip trivial comments: nits, acknowledgments, "+1", bot auto-comments (CodeRabbit / Copilot — these run their own review and don't need verification), and purely informational remarks.
3. For every CRITICAL or SHOULD_FIX comment from a human reviewer:
   1. Read the file on the PR branch: git show origin/<headRefName>:<file> (use the headRefName from the agent's PR metadata fetch).
   2. Compare the current code against what the comment requested.

**.claude/skills/lfx-review-pr/SKILL.md:107**
* Phase 4 references PR title/body coming from `gh pr view --json title,body` in Phase 1, and later checks also need `headRefName`, `baseRefName`, `author`, and additions/deletions. But Phase 1 currently only runs `gh repo view ...` and never fetches PR metadata. Add a Phase 1 `gh pr view <N> --json title,body,headRefName,baseRefName,author,additions,deletions` (or equivalent) so PR-shape checks and the Phase 7 summary have the required inputs.

Walk every check in .claude/skills/lfx-self-serve-pr-readiness/references/pr-shape.md against the PR data. This is the same checklist /lfx-self-serve-pr-readiness walks pre-PR, plus the two PR-only items (PR title format and external-refs check) that only apply once a PR exists.

Fetch the additional PR-level data this needs:

gh api repos/{owner}/{repo}/pulls/<N>/commits --paginate --jq '.[].commit.message'
# (PR title and body come from `gh pr view --json title,body` in Phase 1)

Then check each item from .claude/skills/lfx-self-serve-pr-readiness/references/pr-shape.md:

• Branch name format → from gh pr view --json headRefName. Match <type>/LFXV2-<number>.
• JIRA ticket reference → grep LFXV2-[0-9]+ over commit subjects + bodies + PR body. None → SHOULD_FIX.
• Conventional commit on every commit → each commit subject against the regex in pr-shape.md. chore is invalid.
• PR title format (PR-only) → type(scope): description, lowercase, no LFXV2-XXX in the title, chore invalid. → SHOULD_FIX.
• Branch rebased on base → git merge-base --is-ancestor origin/<baseRefName> origin/<headRefName>. Non-zero → SHOULD_FIX.
• Diff size → if additions > 1000 → NIT (plus a review-body note — see Additional Rules).
• DCO + GPG signing → from git log --format='%G? %h %s' origin/<baseRefName>..origin/<headRefName> and commit bodies. N / B / E codes → CRITICAL. Missing Signed-off-by: → CRITICAL.

**.claude/skills/lfx-review-pr/SKILL.md:193**
* This note says the diff-size PR-shape NIT “still emits from the agent”, but PR-shape is handled in this skill’s Phase 4 and the `lfx-self-serve-code-reviewer` agent explicitly does not emit PR-shape findings. Update this text to avoid pointing reviewers to a non-existent agent finding source.

If the PR's additions exceed 1000 lines, include in the proposed review body:

Note: This PR has {additions} additions, which exceeds the recommended 1000-line target per commit-workflow.md. Consider splitting into smaller, independently reviewable PRs.

(The PR-shape NIT for diff size still emits from the agent — this is the human-readable echo in the review body.)

Extra instructions

</details>

[Copilot]

Pull request overview

Copilot reviewed 19 out of 23 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (2)

.claude/skills/lfx-self-serve-self-review/SKILL.md:53

• This skill claims the lfx-self-serve-code-reviewer agent performs PR-shape sanity and returns category: pr-shape findings, but the new agent definition explicitly says PR-shape is not the agent’s concern (it’s handled by /lfx-self-serve-pr-readiness and /lfx-review-pr). As a result, the report rendering here will be missing PR-shape results (or will incorrectly assume PASS). Align the skill’s Phase 2 description/output schema with the agent’s actual responsibilities (code/upstream/protected-files only), or move PR-shape into this skill body explicitly.

The playbook will:

1. Compute the local diff (Step 1, `mode: local` branch).
2. Load CLAUDE.md, `.claude/rules/*.md`, the protected-files hook, conditionally relevant architecture docs, and the four review checklists (Step 2).
3. Audit each changed file against all applicable rules and checklists (Steps 3–5).
4. Validate upstream API contracts for any backend changes (Step 6).
5. Flag protected files (Step 7).
6. Run PR-shape sanity — branch name, JIRA, conventional commits, rebase, diff size, DCO+GPG signing (Step 8, both-modes section only).
7. Return a JSON array of findings with categories `code`, `upstream-api`, `protected-files`, `pr-shape` (Step 9).

.claude/skills/lfx-review-pr/SKILL.md:97

• Phase 3/4 require PR metadata (headRefName/baseRefName/author/title/body/additions) to run in parallel with the background agent, but Phase 1 no longer fetches it. As written, Phase 4 references gh pr view --json title,body “in Phase 1” and Phase 3 needs headRefName, yet neither is actually gathered until the agent finishes (and the skill doesn’t describe how to extract it from the agent output early). Consider reinstating a lightweight gh pr view <N> --json title,body,headRefName,baseRefName,author,additions,deletions in Phase 1 (or change Phase 3/4 to wait for the agent result before proceeding).

## Phase 4 — PR-shape pass (parallel with Phase 2)

Walk every check in `.claude/skills/lfx-self-serve-pr-readiness/references/pr-shape.md` against the PR data. This is the same checklist `/lfx-self-serve-pr-readiness` walks pre-PR, plus the two PR-only items (PR title format and external-refs check) that only apply once a PR exists.

Fetch the additional PR-level data this needs:

```bash
gh api repos/{owner}/{repo}/pulls/<N>/commits --paginate --jq '.[].commit.message'
# (PR title and body come from `gh pr view --json title,body` in Phase 1)

</details>

[Copilot]

Pull request overview

Copilot reviewed 19 out of 23 changed files in this pull request and generated 6 comments.

[Copilot]

Pull request overview

Copilot reviewed 17 out of 21 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (1)

.claude/skills/lfx-self-serve-pr-readiness/references/pr-shape.md:56

• Diff-size check is described as “additions ≤ 1000 lines (per commit-workflow.md)”, but commit-workflow.md states a target of “1000 lines of diff” (which usually means additions+deletions). If you intend to measure only additions, the reference to commit-workflow.md is misleading; otherwise, adjust the check to use total changed lines to match the documented policy.

## 5. `pr-shape/diff-size` — NIT

**Check:** additions ≤ 1000 lines (per `.claude/rules/commit-workflow.md`).

**Failure message:** `This change has <N> additions, exceeding the 1000-line target. Consider splitting into smaller, independently-reviewable PRs.`

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.claude/rules/skill-guidance.md (1)

1-88: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Prettier formatting check failed — fix required before merge.

The GitHub Actions pipeline reported that this file has code style issues detected by Prettier. Run yarn format (or prettier --write .claude/rules/skill-guidance.md) to fix the formatting violations, then commit the result.

Based on learnings: Pre-commit runs npx lint-staged (prettier + lint on staged files), and you should not commit before the checks pass.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/rules/skill-guidance.md around lines 1 - 88, Prettier formatting
errors were detected in .claude/rules/skill-guidance.md; run the formatter and
commit the fix: execute yarn format (or prettier --write
.claude/rules/skill-guidance.md) to rewrite the file, verify npx lint-staged /
pre-commit hooks pass locally, then stage and commit the formatted file (do not
bypass pre-commit checks).

🧹 Nitpick comments (2)

docs/reviews/knowledge-base/server-request-handling.md (1)

65-76: ⚡ Quick win

Standardize spelling variant: "normalization" vs "normalisation".

Line 71 mixes both "normalization" (American English) and "normalisation" (British English) in the same sentence within the empirical citation. For consistency, use one variant throughout.

📝 Suggested fix

-**Empirical citation:** PR `#272` `apps/lfx-one/src/server/services/meeting.service.ts:696` — "Email matching against query-service tags is case-sensitive. Here `email` is taken directly from the OIDC claims and passed into `getMeetingRegistrantsByEmail` without normalization, while other code paths lower-case emails before comparing/filtering." Also flagged in PR `#249` `public-meeting.controller.ts:66` — "The email should be lowercased before passing to `addInvitedStatusToMeeting` for consistent tag matching."
+**Empirical citation:** PR `#272` `apps/lfx-one/src/server/services/meeting.service.ts:696` — "Email matching against query-service tags is case-sensitive. Here `email` is taken directly from the OIDC claims and passed into `getMeetingRegistrantsByEmail` without normalisation, while other code paths lower-case emails before comparing/filtering." Also flagged in PR `#249` `public-meeting.controller.ts:66` — "The email should be lowercased before passing to `addInvitedStatusToMeeting` for consistent tag matching."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reviews/knowledge-base/server-request-handling.md` around lines 65 - 76,
The document mixes "normalization" and "normalisation"; pick one variant and
make all occurrences consistent (e.g., change every "normalisation" to
"normalization" or vice versa) within this review file and related sentences
that reference functions like getMeetingRegistrantsByEmail and
addInvitedStatusToMeeting and the user.controller.ts citation so the empirical
citation and the Fix paragraph use the same spelling throughout.

docs/reviews/knowledge-base/code-truthiness.md (1)

51-62: ⚡ Quick win

Standardize spelling variant: "optimization" vs "optimisation".

Line 57 uses "optimization" (American English) while line 61 uses "optimisation" (British English). For consistency within the document, pick one variant and use it throughout.

📝 Suggested fix

-**Empirical citation:** PR `#247` `apps/lfx-one/src/app/shared/components/sidebar/sidebar.component.ts:27` (also `:42`) — "The PR description mentions adding an `isPlatformBrowser` guard to prevent wasted SSR calls, and `PLATFORM_ID` is injected on line 27, but it's never actually used in the code. The `initProjects` method should check if it's running in the browser before making the HTTP call to properly implement the SSR optimization mentioned in the PR summary."
+**Empirical citation:** PR `#247` `apps/lfx-one/src/app/shared/components/sidebar/sidebar.component.ts:27` (also `:42`) — "The PR description mentions adding an `isPlatformBrowser` guard to prevent wasted SSR calls, and `PLATFORM_ID` is injected on line 27, but it's never actually used in the code. The `initProjects` method should check if it's running in the browser before making the HTTP call to properly implement the SSR optimisation mentioned in the PR summary."
 
-**Failure message:** `PLATFORM_ID` injected but `isPlatformBrowser` guard never called — SSR optimisation claimed but missing.
+**Failure message:** `PLATFORM_ID` injected but `isPlatformBrowser` guard never called — SSR optimisation claimed but missing.
 
-**Fix:** either add the guard (`if (isPlatformBrowser(this.platformId)) { this.initProjects(); }`) or update the comment / PR description to accurately reflect what's optimised (e.g., `shareReplay(1)` caching only).
+**Fix:** either add the guard (`if (isPlatformBrowser(this.platformId)) { this.initProjects(); }`) or update the comment / PR description to accurately reflect what's optimised (e.g., `shareReplay(1)` caching only).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reviews/knowledge-base/code-truthiness.md` around lines 51 - 62, Choose
one spelling variant ("optimization" or "optimisation") and make it consistent
throughout the document `code-truthiness/ssr-guard-claimed-but-not-implemented`;
update every occurrence (e.g., the Pattern/Failure message that currently reads
"SSR optimisation" and the Empirical citation / Fix text that uses
"optimization") to the chosen variant so the pattern name, failure message, and
explanatory text all use the same spelling.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/agents/lfx-self-serve-code-reviewer.md:
- Line 49: Replace the incorrect phrase "This mode runs **pre-commit**" with
"post-commit" in the sentence that begins "This mode runs ..." inside
.claude/agents/lfx-self-serve-code-reviewer.md; also adjust the following clause
to clarify that the staged diff is included to cover the first commit on a new
branch (where there is no prior commit) rather than implying the agent runs
before commit—which aligns the sentence with the agent description ("post-commit
in the background") and the mode description ("post-commit review").

In `@CLAUDE.md`:
- Around line 258-297: The change touches a protected file (CLAUDE.md) which per
the repo policy requires explicit code-owner review; update the PR to either
remove the edit or explicitly surface this modification by adding a clear note
in the PR description and requesting review from the CLAUDE.md code-owners
(follow the lfx-preflight/code-owner workflow), and ensure the PR includes the
code-owner approval before merging so the modification to CLAUDE.md is accepted.

---

Outside diff comments:
In @.claude/rules/skill-guidance.md:
- Around line 1-88: Prettier formatting errors were detected in
.claude/rules/skill-guidance.md; run the formatter and commit the fix: execute
yarn format (or prettier --write .claude/rules/skill-guidance.md) to rewrite the
file, verify npx lint-staged / pre-commit hooks pass locally, then stage and
commit the formatted file (do not bypass pre-commit checks).

---

Nitpick comments:
In `@docs/reviews/knowledge-base/code-truthiness.md`:
- Around line 51-62: Choose one spelling variant ("optimization" or
"optimisation") and make it consistent throughout the document
`code-truthiness/ssr-guard-claimed-but-not-implemented`; update every occurrence
(e.g., the Pattern/Failure message that currently reads "SSR optimisation" and
the Empirical citation / Fix text that uses "optimization") to the chosen
variant so the pattern name, failure message, and explanatory text all use the
same spelling.

In `@docs/reviews/knowledge-base/server-request-handling.md`:
- Around line 65-76: The document mixes "normalization" and "normalisation";
pick one variant and make all occurrences consistent (e.g., change every
"normalisation" to "normalization" or vice versa) within this review file and
related sentences that reference functions like getMeetingRegistrantsByEmail and
addInvitedStatusToMeeting and the user.controller.ts citation so the empirical
citation and the Fix paragraph use the same spelling throughout.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a3ceea08-12c8-4cf3-b037-c9a046382a60

📥 Commits

Reviewing files that changed from the base of the PR and between e3bc34d and e520209.

📒 Files selected for processing (21)

• .claude/agents/code-standards-enforcer.md
• .claude/agents/lfx-self-serve-code-reviewer.md
• .claude/agents/lfx-self-serve-learnings-reviewer.md
• .claude/rules/skill-guidance.md
• .claude/skills/lfx-review-pr/SKILL.md
• .claude/skills/lfx-self-serve-pr-readiness/SKILL.md
• .claude/skills/lfx-self-serve-pr-readiness/references/pr-shape.md
• CLAUDE.md
• docs/reviews/backend-checklist.md
• docs/reviews/docs-checklist.md
• docs/reviews/frontend-checklist.md
• docs/reviews/knowledge-base/code-truthiness.md
• docs/reviews/knowledge-base/data-and-snowflake.md
• docs/reviews/knowledge-base/frontend-state-and-timing.md
• docs/reviews/knowledge-base/known-false-positives.md
• docs/reviews/knowledge-base/observability-and-logging.md
• docs/reviews/knowledge-base/security.md
• docs/reviews/knowledge-base/server-request-handling.md
• docs/reviews/knowledge-base/templates-and-accessibility.md
• docs/reviews/knowledge-base/typescript-correctness.md
• docs/reviews/shared-and-sql-checklist.md

💤 Files with no reviewable changes (1)

• .claude/agents/code-standards-enforcer.md

✅ Files skipped from review due to trivial changes (5)

• docs/reviews/knowledge-base/observability-and-logging.md
• docs/reviews/knowledge-base/data-and-snowflake.md
• docs/reviews/knowledge-base/templates-and-accessibility.md
• docs/reviews/knowledge-base/typescript-correctness.md
• docs/reviews/knowledge-base/frontend-state-and-timing.md

[Copilot]

Pull request overview

Copilot reviewed 17 out of 21 changed files in this pull request and generated 3 comments.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/reviews/knowledge-base/security.md (1)

202-202: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix markdown formatting to clear pipeline warnings.

Quality Checks report Prettier style issues for this file; please run Prettier and commit the formatting-only update (likely EOF/newline/wrapping cleanup).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reviews/knowledge-base/security.md` at line 202, Run Prettier on the
affected markdown file and commit a formatting-only update to resolve the
Prettier style warnings: ensure EOF newline, fix wrapping/line length issues,
and apply consistent Markdown formatting (e.g., headers, lists, code fences) so
the Quality Checks pass; make this a standalone commit titled something like
"chore: format markdown (Prettier)" and do not change content other than
whitespace/formatting.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/reviews/knowledge-base/security.md`:
- Line 159: The guidance incorrectly advises binding a
DomSanitizer.bypassSecurityTrustUrl result via [innerHTML]; change the text to
remove any reference to using [innerHTML] with bypassSecurityTrustUrl and
instead instruct to bind the trusted value to [href] or [attr.href] (not
[innerHTML]), mention that [innerHTML] is for bypassSecurityTrustHtml, and be
explicit about the security trade-off—only use
DomSanitizer.bypassSecurityTrustUrl for known-safe URLs you constructed (never
untrusted user input).
- Around line 67-68: Update the paragraph about [innerHTML] to state Angular's
actual default behavior: Angular automatically sanitizes bindings in the HTML
security context (e.g., [innerHTML]) and strips dangerous constructs like
<script> and executable attributes, so unsafe payloads do not survive by
default; clarify that the real vulnerability is when code explicitly bypasses
the sanitizer (e.g., using DomSanitizer.bypassSecurityTrustHtml or similar APIs)
with untrusted data, and adjust the wording to replace claims that Angular
"doesn't auto-sanitize" or that scripts "can survive" with this corrected
explanation.

---

Outside diff comments:
In `@docs/reviews/knowledge-base/security.md`:
- Line 202: Run Prettier on the affected markdown file and commit a
formatting-only update to resolve the Prettier style warnings: ensure EOF
newline, fix wrapping/line length issues, and apply consistent Markdown
formatting (e.g., headers, lists, code fences) so the Quality Checks pass; make
this a standalone commit titled something like "chore: format markdown
(Prettier)" and do not change content other than whitespace/formatting.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a612a8f2-5b90-4b7f-9b50-58b536a878a5

📥 Commits

Reviewing files that changed from the base of the PR and between 0935ccc and 71f6659.

📒 Files selected for processing (1)

• docs/reviews/knowledge-base/security.md

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

docs/reviews/knowledge-base/security.md (2)

67-68: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Correct the Angular [innerHTML] sanitization claim (per prior review).

This text still incorrectly states that Angular doesn't auto-sanitize [innerHTML] and that dangerous payloads "can survive." As confirmed by the prior review's web search, Angular automatically sanitizes [innerHTML] bindings in the HTML security context, explicitly removing <script> tags and executable attributes by default. The XSS risk arises only when code explicitly bypasses sanitization (e.g., using bypassSecurityTrustHtml with untrusted data), not from Angular's default behavior. This inaccuracy will mislead reviewers using this KB.

📝 Suggested correction

-**Pattern:** `[innerHTML]="userField"` binding where `userField` is user-provided content (vote description, meeting description, comment body) without sanitization. Angular doesn't auto-sanitize `[innerHTML]` for trusted-HTML; it strips at runtime but `<script>` tags / `onerror=` attributes / encoded JS payloads can survive.
+**Pattern:** `[innerHTML]="userField"` binding where `userField` is user-provided content (vote description, meeting description, comment body) and the code explicitly bypasses Angular's sanitizer. Angular auto-sanitizes `[innerHTML]` by default in the HTML security context, removing `<script>` tags and dangerous executable attributes. The XSS risk occurs when developers use `DomSanitizer.bypassSecurityTrustHtml` (or similar bypass APIs) with untrusted user content.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reviews/knowledge-base/security.md` around lines 67 - 68, Update the
paragraph describing the `[innerHTML]` pattern to state that Angular
automatically sanitizes `[innerHTML]` in the HTML security context (removing
`<script>` tags and executable attributes) and that XSS only becomes a risk when
sanitization is intentionally bypassed (for example via
DomSanitizer.bypassSecurityTrustHtml or similar APIs) or when unsafe content is
otherwise inserted into a trusted DOM context; replace the claim that Angular
“doesn't auto-sanitize” and that payloads “can survive” with this corrected
explanation and add a short note linking the risky exception
(bypassSecurityTrustHtml) so reviewers know when to be concerned.

---

159-159: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove [innerHTML] from the bypassSecurityTrustUrl guidance (per prior review).

This line still incorrectly suggests binding bypassSecurityTrustUrl via [innerHTML]. As confirmed by the prior review's web search of Angular documentation, bypassSecurityTrustUrl is specifically for the URL security context and must bind to [href] or [attr.href], never [innerHTML]. The [innerHTML] binding is for the HTML security context and requires bypassSecurityTrustHtml instead. This incorrect guidance will cause implementation errors.

📝 Suggested correction

-**Fix:** use `DomSanitizer.bypassSecurityTrustUrl(url)` to mark the URL as safe, bind via `[innerHTML]` or `[attr.href]`. Be explicit about the security trade-off; only do this for known-safe URLs you constructed (not user input).
+**Fix:** use `DomSanitizer.bypassSecurityTrustUrl(url)` to mark the URL as safe, then bind to `[href]` or `[attr.href]`. (Note: `[innerHTML]` requires `bypassSecurityTrustHtml`, not `bypassSecurityTrustUrl`.) Be explicit about the security trade-off; only do this for known-safe URLs you constructed (not user input).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reviews/knowledge-base/security.md` at line 159, The guidance
incorrectly recommends binding DomSanitizer.bypassSecurityTrustUrl via
[innerHTML]; update the text to remove any suggestion of using [innerHTML] with
bypassSecurityTrustUrl and explicitly state that bypassSecurityTrustUrl must be
bound to [href] or [attr.href] (or used in URL contexts) while
bypassSecurityTrustHtml is the correct sanitizer for HTML content and
[innerHTML]; keep the security note that these bypasses should only be used for
known-safe, constructed URLs (not user input).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/reviews/knowledge-base/security.md`:
- Around line 1-201: The markdown has many lines exceeding Prettier's
88-character limit (e.g., the "Security" header and the `security/*` pattern
sections like `security/secrets-in-diff`,
`security/public-meeting-visibility-filter`,
`security/href-from-untrusted-source`), so reformat the file with Prettier to
wrap long lines and fix markdown formatting; run the project formatter (yarn
prettier --write) on the file, re-check that all long lines in the `Security`
section and each `security/...` pattern paragraph are wrapped to <=88 chars, and
commit the formatted result.

---

Duplicate comments:
In `@docs/reviews/knowledge-base/security.md`:
- Around line 67-68: Update the paragraph describing the `[innerHTML]` pattern
to state that Angular automatically sanitizes `[innerHTML]` in the HTML security
context (removing `<script>` tags and executable attributes) and that XSS only
becomes a risk when sanitization is intentionally bypassed (for example via
DomSanitizer.bypassSecurityTrustHtml or similar APIs) or when unsafe content is
otherwise inserted into a trusted DOM context; replace the claim that Angular
“doesn't auto-sanitize” and that payloads “can survive” with this corrected
explanation and add a short note linking the risky exception
(bypassSecurityTrustHtml) so reviewers know when to be concerned.
- Line 159: The guidance incorrectly recommends binding
DomSanitizer.bypassSecurityTrustUrl via [innerHTML]; update the text to remove
any suggestion of using [innerHTML] with bypassSecurityTrustUrl and explicitly
state that bypassSecurityTrustUrl must be bound to [href] or [attr.href] (or
used in URL contexts) while bypassSecurityTrustHtml is the correct sanitizer for
HTML content and [innerHTML]; keep the security note that these bypasses should
only be used for known-safe, constructed URLs (not user input).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b9f3966a-dae7-4f08-b641-afa5fdc97c1a

📥 Commits

Reviewing files that changed from the base of the PR and between 71f6659 and af91168.

📒 Files selected for processing (1)

• docs/reviews/knowledge-base/security.md

[Copilot]

Pull request overview

Copilot reviewed 17 out of 21 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 17 out of 21 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 17 out of 21 changed files in this pull request and generated 2 comments.