docs, feat(SREP-4460, SREP-4926: Add Standardized Claude hooks, skill, agents. Update standardised docs)

[devppratik]

What type of PR is this?

docs/feature

What this PR does / why we need it?

• This PR brings the docs up to Agentic SDLC contribution standard
• It also adds .claude which includes standardized hooks, skills and agents

Changes

New Infrastructure:

• .claude/agents/ - 5 specialized agents
• .claude/hooks/ - Validation hooks
• .claude/skills/prow-ci/ - Prow CI skill
• .claude/settings.json - Permissions

Validation:

• prek.toml + hack/prek.ci.toml
• .gitleaks.toml - Secret scanning
• hack/ci.sh - CI validation

Documentation:

• CONTRIBUTING.md, DEVELOPMENT.md, TESTING.md
• CLAUDE.md - Preserved existing

References

• Source: docs, feat(SREP-4410, SREP-4411: Add Claude hooks, skill, agents and update docs) ocm-agent-operator#257
• JIRA: SREP-4410, SREP-4411, SREP-4460, SREP-4926

Summary by CodeRabbit

• Documentation

  • Added comprehensive developer guides and detailed AI-assisted "agents" and "skills" docs to standardize workflows, testing, and documentation duties.

• Security & Validation

  • Introduced repository secret-detection rules and allowlists, pre-commit/validation hooks, and a stop-time validation mechanism to enforce security and CI parity.

• Chores

  • Added CI/prek configurations, helper scripts, and edit-guard hooks to standardize local/CI validation, pre-edit protection, and developer tooling.

[coderabbitai]

Warning

Review limit reached

@devppratik, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 5 minutes and 9 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: eaa48fca-0a54-48f7-a78c-6e0f1069174f

📥 Commits

Reviewing files that changed from the base of the PR and between c22b506 and 3d73a3c.

📒 Files selected for processing (24)

• .claude/agents/README.md
• .claude/agents/ci-agent.md
• .claude/agents/docs-agent.md
• .claude/agents/lint-agent.md
• .claude/agents/security-agent.md
• .claude/agents/test-agent.md
• .claude/hooks/README.md
• .claude/hooks/cleanup.sh
• .claude/hooks/pre-edit.sh
• .claude/hooks/stop-prek-validation.sh
• .claude/settings.json
• .claude/skills/README.md
• .claude/skills/prow-ci/SKILL.md
• .claude/skills/prow-ci/analyze_failure.py
• .claude/skills/prow-ci/fetch_prow_artifacts.py
• .gitignore
• .gitleaks.toml
• .prek-version
• CONTRIBUTING.md
• DEVELOPMENT.md
• TESTING.md
• hack/ci.sh
• hack/prek.ci.toml
• prek.toml

Walkthrough

This PR establishes a comprehensive Claude Code developer experience framework for the OCM Agent Operator repository. It introduces agents for automated validation (lint, test, security, docs, ci), integrates them with pre-commit hooks via prek, configures gitleaks for secret detection, and provides complete developer documentation on contributions, development, and testing workflows.

Changes

Claude Developer Experience & Validation Framework

Layer / File(s)	Summary
Agent Framework & Specifications .claude/agents/README.md, .claude/agents/lint-agent.md, .claude/agents/test-agent.md, .claude/agents/security-agent.md, .claude/agents/docs-agent.md, .claude/agents/ci-agent.md	Defines five Claude agents (lint, test, security, docs, ci) with documented responsibilities, workflows, output formats, escalation criteria, and integration points. Includes agent framework README covering design principles, creation guidelines, and agent-to-agent communication.
Hook Infrastructure & Claude Code Integration .claude/hooks/README.md, .claude/hooks/pre-edit.sh, .claude/hooks/stop-prek-validation.sh, .claude/hooks/cleanup.sh, .claude/settings.json	Implements file-safety guards (pre-edit.sh) blocking edits to generated/high-risk files, a stop hook (stop-prek-validation.sh) that blocks Claude on validation failures, a noop cleanup hook, and Claude Code settings wiring tool permissions and hook execution. Hooks README documents integration architecture and troubleshooting.
Pre-commit & CI Configuration prek.toml, hack/prek.ci.toml, hack/ci.sh, .gitleaks.toml, .prek-version, .gitignore	Configures prek repositories and hooks for local development (prek.toml) and CI execution (hack/prek.ci.toml + hack/ci.sh). Adds .gitleaks.toml with allowlist and operator-specific detection rules, pins Prek to v0.4.1, and ignores .work/.
Skills Framework & Prow Integration .claude/skills/README.md, .claude/skills/prow-ci/SKILL.md, .claude/skills/prow-ci/fetch_prow_artifacts.py, .claude/skills/prow-ci/analyze_failure.py	Introduces Claude Skills framework and a prow-ci skill with CLI tools to fetch Prow artifacts and analyze failures, plus skill documentation and CI troubleshooting guidance.
Developer Guides & Contribution Standards CONTRIBUTING.md, DEVELOPMENT.md, TESTING.md	Adds comprehensive contributor and developer documentation: contribution checklist, development workflows, testing conventions, regeneration steps, and security/prerequisite guidance.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels: lgtm, approved

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Two logging exposures found: (1) fetch_prow_artifacts.py:74 logs raw gcloud stderr with potential GCP credentials, (2) stop-prek-validation.sh:91 logs raw prek output with sensitive data.	Sanitize sensitive output: replace raw stderr with generic message in fetch_prow_artifacts.py; filter tool output in stop-prek-validation.sh before including in JSON.
Description check	⚠️ Warning	The PR description provides a clear overview of changes organized by category (Infrastructure, Validation, Documentation) with JIRA references, but omits most required template sections like testing steps and the checklist.	Add the missing template sections: include the checklist (testing, unit tests, documentation updates), provide manual testing steps, and use the standard template format for consistency.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title references specific JIRA issues (SREP-4460, SREP-4926) and accurately describes the main changes: adding standardized Claude infrastructure (hooks, skills, agents) and updating documentation to meet Agentic SDLC standards.
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All 165 Ginkgo test names are stable and deterministic with no dynamic values, fmt.Sprintf, or string concatenation patterns detected in test titles.
Test Structure And Quality	✅ Passed	PR adds no actual Ginkgo test code files (*_test.go); it only contains documentation with example snippets. The custom check for "Ginkgo test code" does not apply to documentation files.
Microshift Test Compatibility	✅ Passed	This PR adds documentation, configuration, and infrastructure files only. No new Ginkgo e2e tests are added, so the MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added in PR. All changes are documentation, configuration, and helper scripts only.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only documentation, configuration, and utility files—no deployment manifests, operator code, or controllers with scheduling constraints were added or modified.
Ote Binary Stdout Contract	✅ Passed	PR contains only documentation, configuration, and utility scripts; no Go test files or OTE binaries are added/modified, so the check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR; changes consist only of documentation, configuration files, scripts, and Python utilities.
No-Weak-Crypto	✅ Passed	No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) or insecure crypto practices found. PR adds documentation, configuration, and infrastructure only—no cryptographic code implementations.
Container-Privileges	✅ Passed	PR adds documentation, configuration, and automation tooling only. No Kubernetes manifests with container specs were added or modified, so the container-privileges check is not applicable.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: devppratik
Once this PR has been reviewed and has the lgtm label, please assign typeid for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@devppratik: This pull request references SREP-4460 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references SREP-4926 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What type of PR is this?

docs/feature

What this PR does / why we need it?

• This PR brings the docs up to Agentic SDLC contribution standard
• It also adds .claude which includes standardized hooks, skills and agents

Changes

New Infrastructure:

• .claude/agents/ - 5 specialized agents
• .claude/hooks/ - Validation hooks
• .claude/skills/prow-ci/ - Prow CI skill
• .claude/settings.json - Permissions

Validation:

• prek.toml + hack/prek.ci.toml
• .gitleaks.toml - Secret scanning
• hack/ci.sh - CI validation

Documentation:

• CONTRIBUTING.md, DEVELOPMENT.md, TESTING.md
• CLAUDE.md - Preserved existing

References

• Source: docs, feat(SREP-4410, SREP-4411: Add Claude hooks, skill, agents and update docs) ocm-agent-operator#257
• JIRA: SREP-4410, SREP-4411, SREP-4460, SREP-4926

Summary by CodeRabbit

Release Notes

• Documentation

• Added comprehensive development guides covering contribution workflow, local development setup, and testing standards

• Introduced Claude Agent framework documentation for automated validation workflows

• Security & Validation

• Added gitleaks secret scanning with custom detection rules and allowlist configuration

• Implemented pre-commit validation hooks with security guardrails

• Chores

• Added CI/CD configuration and validation tooling setup

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (2)

hack/prek.ci.toml (1)

30-63: ⚡ Quick win

Add a unit-test hook to this CI prek profile.

This config currently gates lint/build/tidy/RBAC only; it should also run unit tests in this pipeline path.

Proposed change

 [[repos]]
 repo = "local"
 hooks = [
+  # Unit tests (exclude integration tests under ./int/)
+  {
+    id = "go-test",
+    name = "go unit tests",
+    language = "system",
+    entry = "bash -c 'make test'",
+    files = '(\.go$|go\.(mod|sum)$)',
+    pass_filenames = false
+  },
+
   # Go build check
   {
     id = "go-build",

As per coding guidelines, !(int)/**/*_test.go: Unit tests should exclude integration tests in ./int/ and can be run with make test.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/prek.ci.toml` around lines 30 - 63, Add a new local hook entry named
"unit-tests" to the existing [[repos]] block so the prek profile runs unit
tests; define id "unit-tests", name "unit tests", language "system",
pass_filenames = false and set entry to run the project Make target (e.g. "bash
-c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 120s} make
test'") so tests are run under the CI timeout and rely on the Makefile to run
only unit tests (excluding ./int/ per the guideline); place this hook alongside
the existing "go-build" / "go-mod-tidy" hooks in the diff.

.claude/skills/README.md (1)

66-72: ⚡ Quick win

Add language specifier to the directory structure code fence.

The code fence showing the directory structure is missing a language specifier, which static analysis tools flag.

📝 Proposed fix

-**Directory structure**:
-```
-.claude/skills/
-├── README.md
-└── skillname/
-    ├── SKILL.md          # Required: skill definition
-    └── reference/        # Optional: supporting docs
-```
+**Directory structure**:
+```text
+.claude/skills/
+├── README.md
+└── skillname/
+    ├── SKILL.md          # Required: skill definition
+    └── reference/        # Optional: supporting docs
+```

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/skills/README.md around lines 66 - 72, Update the README code block
for the .claude/skills directory to include a language specifier (e.g., "text")
so linters stop flagging it; edit the README.md section that renders the
directory tree for .claude/skills and change the opening triple-backtick fence
to ```text (and optionally add a short "Directory structure" label), leaving the
directory contents (README.md, skillname/, SKILL.md, reference/) unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/hooks/README.md:
- Line 73: Update the README text that currently reads "Uses CI-compatible
config (skips network-dependent hooks like rh-pre-commit, gitleaks)" to reflect
the actual rationale: mention that gitleaks is skipped because it "may not be
available in all CI environments" (matching the rationale in hack/prek.ci.toml)
rather than calling it "network-dependent"; locate the string in
.claude/hooks/README.md and replace the wording so the README and
hack/prek.ci.toml rationale are consistent.

In @.claude/hooks/stop-prek-validation.sh:
- Around line 39-49: The validation exit logic uses FORCE_LINT to decide whether
to run but the subsequent prek invocation only validates staged files by
default, allowing unstaged edits to skip checks; update the script where prek is
invoked (the stop-time validation call in .claude/hooks/stop-prek-validation.sh)
to explicitly include all changed files (e.g., call prek run --all-files) or
compute and pass the staged+unstaged file list to prek so the scope of files
validated matches the trigger condition that checks git diff-index and git
ls-files; keep the FORCE_LINT gating and only alter the prek invocation to
ensure unstaged/untracked edits are covered.

In @.gitleaks.toml:
- Around line 25-32: Remove the global allowlist entry that matches all test
files by deleting the ".*_test\.go" pattern from the allowlist.paths in
.gitleaks.toml; instead, keep or add only narrowly scoped exemptions (e.g., the
existing '''test/fixtures/.*''', '''test/deploy/.*''', or other explicit
fixture/example paths) so findings in arbitrary *_test.go files are no longer
ignored. Locate the allowlist.paths block in .gitleaks.toml and remove the
'''.*_test\.go''' line, then run gitleaks to verify only intended paths remain
exempt.

In `@TESTING.md`:
- Around line 86-105: Unit Tests section is missing an explicit exclusion for
the integration test directory; update the "Unit Tests" paragraph under the Unit
Tests header to add a short sentence clarifying that the integration tests in
the int directory are excluded from unit test guidance (and either link to the
existing doc describing test targets or add a parenthetical note), explicitly
stating that the normal CI/dev target (make test) does not run tests in int and
that integration tests are executed separately via the integration test target
(for example: go test ./int/).

---

Nitpick comments:
In @.claude/skills/README.md:
- Around line 66-72: Update the README code block for the .claude/skills
directory to include a language specifier (e.g., "text") so linters stop
flagging it; edit the README.md section that renders the directory tree for
.claude/skills and change the opening triple-backtick fence to ```text (and
optionally add a short "Directory structure" label), leaving the directory
contents (README.md, skillname/, SKILL.md, reference/) unchanged.

In `@hack/prek.ci.toml`:
- Around line 30-63: Add a new local hook entry named "unit-tests" to the
existing [[repos]] block so the prek profile runs unit tests; define id
"unit-tests", name "unit tests", language "system", pass_filenames = false and
set entry to run the project Make target (e.g. "bash -c 'T=$(command -v timeout
|| command -v gtimeout || echo); ${T:+$T 120s} make test'") so tests are run
under the CI timeout and rely on the Makefile to run only unit tests (excluding
./int/ per the guideline); place this hook alongside the existing "go-build" /
"go-mod-tidy" hooks in the diff.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a74f616f-43fa-4c73-96d0-acdc2f91f0f9

📥 Commits

Reviewing files that changed from the base of the PR and between b542e4f and abce6e9.

📒 Files selected for processing (21)

• .claude/agents/README.md
• .claude/agents/ci-agent.md
• .claude/agents/docs-agent.md
• .claude/agents/lint-agent.md
• .claude/agents/security-agent.md
• .claude/agents/test-agent.md
• .claude/hooks/README.md
• .claude/hooks/cleanup.sh
• .claude/hooks/pre-edit.sh
• .claude/hooks/stop-prek-validation.sh
• .claude/settings.json
• .claude/skills/README.md
• .claude/skills/prow-ci/SKILL.md
• .gitleaks.toml
• .prek-version
• CONTRIBUTING.md
• DEVELOPMENT.md
• TESTING.md
• hack/ci.sh
• hack/prek.ci.toml
• prek.toml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

For the prekCLI, what files doesprek runvalidate by default when no filenames or--all-files flag is provided?

💡 Result:

When the prek CLI's "prek run" command is executed without specifying individual files or using the "--all-files" flag, it defaults to validating only the files that are currently staged in Git [1]. This behavior is similar to the default operation of "pre-commit run" [2][1].

Citations:

• 1: http://prek.j178.dev/usage/
• 2: https://github.com/j178/prek/blob/master/README.md

---

Fix stop-time validation coverage for unstaged edits

prek run validates only staged files by default when no filenames/--all-files are provided. In .claude/hooks/stop-prek-validation.sh, the trigger exits only when there are any uncommitted changes (including unstaged/untracked), but the validation command at the referenced prek run line does not appear to scope to unstaged files—so unstaged edits can bypass stop-time validation. Add an explicit scope (e.g., --all-files or a staged/unstaged-aware invocation) so the files checked match the trigger condition.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/hooks/stop-prek-validation.sh around lines 39 - 49, The validation
exit logic uses FORCE_LINT to decide whether to run but the subsequent prek
invocation only validates staged files by default, allowing unstaged edits to
skip checks; update the script where prek is invoked (the stop-time validation
call in .claude/hooks/stop-prek-validation.sh) to explicitly include all changed
files (e.g., call prek run --all-files) or compute and pass the staged+unstaged
file list to prek so the scope of files validated matches the trigger condition
that checks git diff-index and git ls-files; keep the FORCE_LINT gating and only
alter the prek invocation to ensure unstaged/untracked edits are covered.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In gitleaks v8 TOML config, does [allowlist].pathswith pattern.*_test.goexclude all files ending in_test.go from detection?

💡 Result:

Yes—if the pattern you set under [allowlist].paths is .*_test\.go, it will exclude any file path that matches that regex, i.e., any path ending in _test.go (and possibly more, depending on the rest of the path). In gitleaks, allowlist.paths entries are compiled as regular expressions and a finding is ignored when the allowlist path regex matches the finding’s path value. The implementation combines the configured path regexes and uses MatchString(path) to decide whether a path is allowed to be ignored [1]. Also, gitleaks’ docs/examples show that allowlist matching uses the paths field as one of the match criteria for whether a finding should be ignored [2]. So with paths = ['''.*_test\.go'''], the regex .*_test\.go will match a path like .../foo_test.go, which effectively excludes _test.go files from detection for any findings whose path matches the allowlist criteria [1].

Citations:

• 1: https://github.com/gitleaks/gitleaks/blob/master/config/allowlist.go
• 2: https://github.com/gitleaks/gitleaks

---

Remove global allowlist for *_test.go from .gitleaks.toml
allowlist.paths includes .*_test\.go, which regex-matches finding path values and causes gitleaks to ignore any findings in files ending with _test.go, creating a security blind spot. Remove that entry and scope any exemptions to specific fixture/example paths instead.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.gitleaks.toml around lines 25 - 32, Remove the global allowlist entry that
matches all test files by deleting the ".*_test\.go" pattern from the
allowlist.paths in .gitleaks.toml; instead, keep or add only narrowly scoped
exemptions (e.g., the existing '''test/fixtures/.*''', '''test/deploy/.*''', or
other explicit fixture/example paths) so findings in arbitrary *_test.go files
are no longer ignored. Locate the allowlist.paths block in .gitleaks.toml and
remove the '''.*_test\.go''' line, then run gitleaks to verify only intended
paths remain exempt.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if ./int/ directory exists and contains tests

echo "=== Checking for ./int/ directory ==="
if [ -d "./int" ]; then
  echo "Directory ./int/ exists"
  fd -t f -e go . ./int
else
  echo "Directory ./int/ does not exist"
fi

echo ""
echo "=== Checking for references to int tests in documentation ==="
rg -i 'int.*test|integration.*test' -g '*.md'

Repository: openshift/managed-node-metadata-operator

Length of output: 2164

---

Document ./int/ exclusion for Unit Tests in TESTING.md (lines 86-105).

./int/ exists and contains integration tests, but TESTING.md’s Unit Tests section doesn’t mention excluding ./int/ from the unit-test guidance. Add an explicit note (or cross-link to the existing doc that states make test excludes ./int/ and go test ./int/ runs integration tests).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@TESTING.md` around lines 86 - 105, Unit Tests section is missing an explicit
exclusion for the integration test directory; update the "Unit Tests" paragraph
under the Unit Tests header to add a short sentence clarifying that the
integration tests in the int directory are excluded from unit test guidance (and
either link to the existing doc describing test targets or add a parenthetical
note), explicitly stating that the normal CI/dev target (make test) does not run
tests in int and that integration tests are executed separately via the
integration test target (for example: go test ./int/).

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.60%. Comparing base (b542e4f) to head (3d73a3c).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #270   +/-   ##
=======================================
  Coverage   58.60%   58.60%           
=======================================
  Files           5        5           
  Lines         244      244           
=======================================
  Hits          143      143           
  Misses         87       87           
  Partials       14       14           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

.claude/hooks/README.md (1)

73-73: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify gitleaks exclusion rationale.

This line describes gitleaks as "network-dependent," which is inconsistent with the actual rationale stated on line 149: "may not be available in all CI environments." Gitleaks runs locally without network access.

📝 Suggested fix

-Uses CI-compatible config (skips network-dependent hooks like rh-pre-commit, gitleaks)
+Uses CI-compatible config (skips hooks requiring internal network access or that may not be available: rh-pre-commit, gitleaks)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/hooks/README.md at line 73, Update the README line that currently
reads "Uses CI-compatible config (skips network-dependent hooks like
rh-pre-commit, gitleaks)" to accurately reflect the reason for skipping
gitleaks: change the phrase to indicate gitleaks "may not be available in all CI
environments" (or similar) rather than calling it "network-dependent"; locate
and edit the sentence containing "rh-pre-commit, gitleaks" so it matches the
rationale used elsewhere (e.g., the line referencing availability in CI
environments).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/agents/docs-agent.md:
- Around line 185-198: The code block under the "## Output Format" section (the
example starting with "Updated: DEVELOPMENT.md") is missing a language tag;
update the fenced code block to include the required language identifier (use
`bash` per the file's style rule) so the block reads with a language tag (change
the opening fence from ``` to ```bash) to comply with the styling rule
referenced earlier.

In @.claude/hooks/README.md:
- Line 182: Update the README.md entry that currently says the stop hook runs
"prek run --all-files" to match the actual behavior implemented in
stop-prek-validation.sh: document that the hook runs "prek run --config
hack/prek.ci.toml" and that it validates only changed files (for speed) rather
than all files. Mention the exact command and the changed-files-only behavior so
the documentation matches the script.

In @.claude/skills/README.md:
- Around line 66-72: The fenced code block showing the directory tree in
.claude/skills/ README.md lacks a language specifier; update the opening fence
from ``` to a language-tagged fence such as ```text (or ```bash) so the snippet
(the block containing ".claude/skills/ ├── README.md └── skillname/") includes a
language specifier for proper Markdown rendering and consistency.

---

Duplicate comments:
In @.claude/hooks/README.md:
- Line 73: Update the README line that currently reads "Uses CI-compatible
config (skips network-dependent hooks like rh-pre-commit, gitleaks)" to
accurately reflect the reason for skipping gitleaks: change the phrase to
indicate gitleaks "may not be available in all CI environments" (or similar)
rather than calling it "network-dependent"; locate and edit the sentence
containing "rh-pre-commit, gitleaks" so it matches the rationale used elsewhere
(e.g., the line referencing availability in CI environments).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f35d25d3-0fea-4b4a-9829-b07d968c8acd

📥 Commits

Reviewing files that changed from the base of the PR and between abce6e9 and 6f3b031.

📒 Files selected for processing (21)

• .claude/agents/README.md
• .claude/agents/ci-agent.md
• .claude/agents/docs-agent.md
• .claude/agents/lint-agent.md
• .claude/agents/security-agent.md
• .claude/agents/test-agent.md
• .claude/hooks/README.md
• .claude/hooks/cleanup.sh
• .claude/hooks/pre-edit.sh
• .claude/hooks/stop-prek-validation.sh
• .claude/settings.json
• .claude/skills/README.md
• .claude/skills/prow-ci/SKILL.md
• .gitleaks.toml
• .prek-version
• CONTRIBUTING.md
• DEVELOPMENT.md
• TESTING.md
• hack/ci.sh
• hack/prek.ci.toml
• prek.toml

✅ Files skipped from review due to trivial changes (9)

• .prek-version
• .claude/hooks/cleanup.sh
• DEVELOPMENT.md
• .claude/agents/lint-agent.md
• CONTRIBUTING.md
• .claude/agents/ci-agent.md
• TESTING.md
• .claude/agents/security-agent.md
• hack/prek.ci.toml

🚧 Files skipped from review as they are similar to previous changes (6)

• hack/ci.sh
• .gitleaks.toml
• .claude/settings.json
• .claude/agents/test-agent.md
• .claude/hooks/stop-prek-validation.sh
• prek.toml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add language specifier to fenced code block.

The fenced code block showing directory structure should have a language specifier for consistency with markdown best practices.

📝 Proposed fix

 **Directory structure**:
-```
+```text
 .claude/skills/
 ├── README.md
 └── skillname/

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	```
	.claude/skills/
	├── README.md
	└── skillname/
	├── SKILL.md # Required: skill definition
	└── reference/ # Optional: supporting docs
	```
	**Directory structure**:

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 66-66: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/skills/README.md around lines 66 - 72, The fenced code block showing
the directory tree in .claude/skills/ README.md lacks a language specifier;
update the opening fence from ``` to a language-tagged fence such as ```text (or
```bash) so the snippet (the block containing ".claude/skills/ ├── README.md └──
skillname/") includes a language specifier for proper Markdown rendering and
consistency.

[coderabbitai]

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/hooks/stop-prek-validation.sh:
- Line 30: The script currently runs `cd "$REPO_ROOT"` without handling failure;
update the `cd "$REPO_ROOT"` invocation to guard its failure (e.g., check the
exit status and exit with non‑zero or `return` if it fails) so the rest of the
validation does not execute from the wrong directory; locate the `cd
"$REPO_ROOT"` line in .claude/hooks/stop-prek-validation.sh and add a failure
check (e.g., `cd "$REPO_ROOT" || { echo "Failed to change directory"; exit 1;
}`) to stop the script when the chdir fails.

In @.claude/skills/prow-ci/analyze_failure.py:
- Around line 11-19: Replace xml.etree.ElementTree with defusedxml and tighten
exception handling in parse_junit_xml: import defusedxml.ElementTree as ET and
from defusedxml.common import DefusedXmlException, then in
parse_junit_xml(xml_file) catch specific errors instead of a broad except —
handle ET.ParseError for malformed XML, DefusedXmlException for security
violations, and OSError/IOError for file I/O separately (log or re-raise
appropriately) while keeping the normal parse logic using ET.parse(xml_file) and
root = tree.getroot().

In @.claude/skills/prow-ci/SKILL.md:
- Around line 69-71: The fenced block that currently contains the URL example
should include a language tag for markdownlint compliance; update the
triple-backtick fence surrounding the URL (the fenced URL example block) to use
```text instead of plain ```, ensuring the block is
```text\nhttps://prow.ci.openshift.org/...\n``` so the URL is treated as plain
text and passes linting.
- Line 7: The top-level header text is incorrect: replace the current title
string "Prow CI Analysis for Rbac Permissions Operator" with the
repository/operator name "managed-node-metadata-operator" so the header reads
something like "Prow CI Analysis for managed-node-metadata-operator"; locate and
update the markdown header line (the string starting with "# Prow CI Analysis
for ...") in SKILL.md accordingly to keep naming consistent.
- Around line 75-80: Replace the user-specific absolute cd with a repo-relative
instruction: tell users to run from the repository root (or use a relative path)
and invoke the script via the repo path to fetch artifacts (e.g., run the
fetch_prow_artifacts.py script from repo root). Update the example command that
references fetch_prow_artifacts.py and the output directory .work/prow-artifacts
so it uses relative paths (or prefixes with ./) and remove the hard-coded
/Users/ppanda/... path so the steps are portable across environments.

In `@TESTING.md`:
- Around line 131-147: Remove the duplicated opening fence and extra closing
fence around the Go test snippet so the fenced code block is a single valid
```go ... ``` block; update the markdown so the example test (the It("should
reconcile resource" test using resource, reconciler.Reconcile,
k8sClient.Create/Get and resource.Status.Conditions) is enclosed in one proper
```go fence only.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: eac4eba6-1740-4cf1-a332-58b7229e7a90

📥 Commits

Reviewing files that changed from the base of the PR and between 6f3b031 and c22b506.

📒 Files selected for processing (24)

• .claude/agents/README.md
• .claude/agents/ci-agent.md
• .claude/agents/docs-agent.md
• .claude/agents/lint-agent.md
• .claude/agents/security-agent.md
• .claude/agents/test-agent.md
• .claude/hooks/README.md
• .claude/hooks/cleanup.sh
• .claude/hooks/pre-edit.sh
• .claude/hooks/stop-prek-validation.sh
• .claude/settings.json
• .claude/skills/README.md
• .claude/skills/prow-ci/SKILL.md
• .claude/skills/prow-ci/analyze_failure.py
• .claude/skills/prow-ci/fetch_prow_artifacts.py
• .gitignore
• .gitleaks.toml
• .prek-version
• CONTRIBUTING.md
• DEVELOPMENT.md
• TESTING.md
• hack/ci.sh
• hack/prek.ci.toml
• prek.toml

✅ Files skipped from review due to trivial changes (8)

• .prek-version
• DEVELOPMENT.md
• .gitignore
• prek.toml
• CONTRIBUTING.md
• .claude/agents/test-agent.md
• .claude/agents/ci-agent.md
• .claude/agents/security-agent.md

🚧 Files skipped from review as they are similar to previous changes (7)

• hack/ci.sh
• .claude/hooks/cleanup.sh
• .claude/agents/lint-agent.md
• .claude/settings.json
• .gitleaks.toml
• hack/prek.ci.toml
• .claude/hooks/pre-edit.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Guard cd failure before continuing execution.

If cd fails, the script can run validation from the wrong directory.

Proposed fix

-cd "$REPO_ROOT"
+cd "$REPO_ROOT" || {
+  jq -n '{"decision":"block","reason":"Failed to change to repository root. Cannot run prek validation."}'
+  exit 0
+}

🧰 Tools

🪛 Shellcheck (0.11.0)

[warning] 30-30: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

(SC2164)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/hooks/stop-prek-validation.sh at line 30, The script currently runs
`cd "$REPO_ROOT"` without handling failure; update the `cd "$REPO_ROOT"`
invocation to guard its failure (e.g., check the exit status and exit with
non‑zero or `return` if it fails) so the rest of the validation does not execute
from the wrong directory; locate the `cd "$REPO_ROOT"` line in
.claude/hooks/stop-prek-validation.sh and add a failure check (e.g., `cd
"$REPO_ROOT" || { echo "Failed to change directory"; exit 1; }`) to stop the
script when the chdir fails.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify current XML parser usage and broad exception handling in this script.
rg -n "import xml\\.etree\\.ElementTree|defusedxml|ET\\.parse\\(|except Exception" .claude/skills/prow-ci/analyze_failure.py

Repository: openshift/managed-node-metadata-operator

Length of output: 189

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".claude/skills/prow-ci/analyze_failure.py"

echo "== File header =="
sed -n '1,120p' "$FILE" | nl -ba

echo
echo "== Focused ranges (11-25) =="
sed -n '8,30p' "$FILE" | nl -ba

echo
echo "== Focused ranges (45-70) =="
sed -n '40,80p' "$FILE" | nl -ba

echo
echo "== Search for defusedxml usage across repo =="
rg -n "defusedxml" . || true

echo
echo "== Search for requirements/pyproject that might declare defusedxml =="
ls -la | head
fd -a "requirements*.txt" . || true
fd -a "pyproject.toml" . || true
fd -a "setup.cfg" . || true
fd -a "Pipfile" . || true

Repository: openshift/managed-node-metadata-operator

Length of output: 163

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".claude/skills/prow-ci/analyze_failure.py"

echo "== File existence =="
ls -ლა "$FILE" || true

echo
echo "== File top (1-120) =="
sed -n '1,120p' "$FILE" | cat -n

echo
echo "== Focused ranges (8-30) =="
sed -n '8,30p' "$FILE" | cat -n

echo
echo "== Focused ranges (40-80) =="
sed -n '40,80p' "$FILE" | cat -n

echo
echo "== Search for defusedxml usage across repo =="
rg -n "defusedxml" . || true

echo
echo "== Search for XML parser usage across repo =="
rg -n "xml\.etree\.ElementTree|defusedxml\.ElementTree" . || true

echo
echo "== Search for dependency declarations =="
# Prefer common Python dependency files; use find so we don't depend on fd
find . -maxdepth 4 -type f \( -iname "requirements*.txt" -o -iname "pyproject.toml" -o -iname "setup.cfg" -o -iname "setup.py" -o -iname "Pipfile" \) -print || true

Repository: openshift/managed-node-metadata-operator

Length of output: 7778

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".claude/skills/prow-ci/analyze_failure.py"

echo "== Other XML parsing in this file (entire file) =="
rg -n "ET\.parse|ElementTree|xml\.etree" "$FILE" || true

echo
echo "== Search for broad Exception handling in this file =="
rg -n "except Exception" "$FILE" || true

echo
echo "== Search for defusedxml anywhere in repo =="
rg -n "defusedxml" . || true

echo
echo "== List likely dependency files (top 4 levels) =="
find . -maxdepth 4 -type f \( -iname "requirements*.txt" -o -iname "pyproject.toml" -o -iname "setup.cfg" -o -iname "setup.py" -o -iname "Pipfile" -o -iname "poetry.lock" \) -print || true

echo
echo "== If any dependency files exist, search them for defusedxml =="
DEPS=$(find . -maxdepth 4 -type f \( -iname "requirements*.txt" -o -iname "pyproject.toml" -o -iname "setup.cfg" -o -iname "setup.py" -o -iname "Pipfile" -o -iname "poetry.lock" \) -print || true)
if [ -n "$DEPS" ]; then
  echo "$DEPS" | while read -r f; do
    rg -n "defusedxml" "$f" >/dev/null 2>&1 && echo "found in: $f" || true
  done
else
  echo "No dependency files found within maxdepth 4."
fi

echo
echo "== Show rest of analyze_failure.py near the exception line =="
sed -n '1,120p' "$FILE" | cat -n
sed -n '120,220p' "$FILE" | cat -n

Repository: openshift/managed-node-metadata-operator

Length of output: 9712

---

🌐 Web query:

defusedxml ElementTree exception types ParseError DefusedXmlException usage

💡 Result:

In the defusedxml library, ParseError is an alias for the standard library's xml.etree.ElementTree.ParseError [1][2]. It is used to catch XML parsing errors in the same way you would with the standard library [2][3]. DefusedXmlException is a base exception class used by defusedxml to represent security-related violations [2][4]. Usage and Exception Hierarchy: 1. ParseError: This exception class is re-exported by defusedxml.ElementTree [5][2]. It is used for standard XML structural or syntax errors [3]. 2. Security Exceptions: When security constraints are violated (e.g., forbidding DTDs or entities), defusedxml raises specific exceptions [1][2]. These include: - DTDForbidden: Raised when a DTD processing instruction is found [1][2]. - EntitiesForbidden: Raised when an entity is declared [1][2]. - ExternalReferenceForbidden: Raised when external resources are referenced [1][2]. - NotSupportedError: A base-like error for unsupported features [2][4]. - DefusedXmlException: The base class for these specific security exceptions [2][4]. When using defusedxml, you can catch these specific security violations to distinguish them from standard syntax-based ParseErrors [1][2]. Example usage: from defusedxml import ElementTree as DET from defusedxml import DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden try: tree = DET.parse("untrusted.xml") except DET.ParseError: # Handle standard XML syntax errors print("Syntax error") except (DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden) as e: # Handle security violations print(f"Security violation: {e}") except DET.DefusedXmlException: # Catch-all for other defusedxml-specific issues print("General defusedxml error")

Citations:

• 1: https://github.com/tiran/defusedxml/blob/main/README.md
• 2: https://pypi.org/project/defusedxml/
• 3: https://stackoverflow.com/questions/47917787/xml-etree-elementtree-parseerror-exception-handling-not-catching-errors
• 4: https://github.com/tiran/defusedxml/
• 5: https://github.com/tiran/defusedxml/blob/main/defusedxml/ElementTree.py

---

🌐 Web query:

defusedxml DefusedXmlException import path defusedxml.common

💡 Result:

The DefusedXmlException class is part of the defusedxml library and is located in the defusedxml.common module [1][2][3]. You can import it using the following path: from defusedxml.common import DefusedXmlException This exception serves as the base class for security-related exceptions raised by the library, such as DTDForbidden, EntitiesForbidden, and ExternalReferenceForbidden [1][3]. It is typically caught when parsing untrusted XML to handle cases where the input violates security policies configured in the defusedxml parsers [2].

Citations:

• 1: https://www.apt-browse.com/browse/ubuntu/trusty/universe/all/python-defusedxml/0.4.1-1/file/usr/share/pyshared/defusedxml/common.py
• 2: https://oneuptime.com/blog/post/2026-01-24-fix-xxe-vulnerabilities/view
• 3: https://github.com/tiran/defusedxml/blob/main/README.md

---

🏁 Script executed:

#!/bin/bash
# Verify current XML parser usage and broad exception handling in this script.
rg -n "import xml\\.etree\\.ElementTree|defusedxml|ET\\.parse\\(|except Exception" .claude/skills/prow-ci/analyze_failure.py

Repository: openshift/managed-node-metadata-operator

Length of output: 189

---

Harden XML parsing for untrusted JUnit artifacts

File: .claude/skills/prow-ci/analyze_failure.py (lines 11-19, 51-53)

parse_junit_xml() parses downloaded junit*.xml using xml.etree.ElementTree and catches a broad except Exception, which increases exposure to malicious XML payloads. Use defusedxml.ElementTree and narrow exceptions to XML parse errors vs defused security violations vs IO errors.

Suggested code change

-import xml.etree.ElementTree as ET
+from defusedxml import ElementTree as ET
+from defusedxml.common import DefusedXmlException
...
-    except Exception as e:
+    except (ET.ParseError, DefusedXmlException, OSError) as e:
         print(f"Warning: Could not parse {xml_file}: {e}", file=sys.stderr)
         return []

🧰 Tools

🪛 Ruff (0.15.15)

[error] 18-18: Using xml to parse untrusted data is known to be vulnerable to XML attacks; use defusedxml equivalents

(S314)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/skills/prow-ci/analyze_failure.py around lines 11 - 19, Replace
xml.etree.ElementTree with defusedxml and tighten exception handling in
parse_junit_xml: import defusedxml.ElementTree as ET and from defusedxml.common
import DefusedXmlException, then in parse_junit_xml(xml_file) catch specific
errors instead of a broad except — handle ET.ParseError for malformed XML,
DefusedXmlException for security violations, and OSError/IOError for file I/O
separately (log or re-raise appropriately) while keeping the normal parse logic
using ET.parse(xml_file) and root = tree.getroot().

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Repository/operator name in title is incorrect.

The header says “Rbac Permissions Operator”, but this skill is for managed-node-metadata-operator. Please align the title to avoid confusion.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/skills/prow-ci/SKILL.md at line 7, The top-level header text is
incorrect: replace the current title string "Prow CI Analysis for Rbac
Permissions Operator" with the repository/operator name
"managed-node-metadata-operator" so the header reads something like "Prow CI
Analysis for managed-node-metadata-operator"; locate and update the markdown
header line (the string starting with "# Prow CI Analysis for ...") in SKILL.md
accordingly to keep naming consistent.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Malformed fenced code block in controller test example.

There is a duplicated opening fence (```go twice) and an extra closing fence, which breaks markdown rendering.

Suggested fix

-```go
-```go
+```go
 It("should reconcile resource", func() {
     // Create custom resource
     resource := &v1alpha1.CustomResource{...}
     Expect(k8sClient.Create(ctx, resource)).To(Succeed())
@@
 })

-```

</details>

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 147-147: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @TESTING.md around lines 131 - 147, Remove the duplicated opening fence and
extra closing fence around the Go test snippet so the fenced code block is a
single valid go ... block; update the markdown so the example test (the
It("should reconcile resource" test using resource, reconciler.Reconcile,
k8sClient.Create/Get and resource.Status.Conditions) is enclosed in one proper

[openshift-ci]

@devppratik: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/validate	3d73a3c	link	true	/test validate

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.