feat(hybrid): Enhanced checkpoint system for multi-agent orchestration

[0xtsotsi]

Summary

• Add CheckpointService with full CRUD operations for creating, restoring, listing, and deleting checkpoints
• Add SharedAgentState with pub/sub support and transactional state management
• Add CheckpointMetadata with lineage tracking, diff, merge, and branch management
• Integrate recovery logic into AutoModeService (detectFailedAgents, recoverAgent, rollbackFeature)
• Add comprehensive unit tests (13 tests, all passing)
• Add complete documentation in docs/checkpoint-system.md

Test plan

• All 735 unit and integration tests passing
• Checkpoint create/restore/delete operations tested
• Shared state pub/sub tested
• Lineage tracking tested
• Diff and merge operations tested
• No TypeScript errors
• No ESLint warnings

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Introduced autonomous workflow orchestrator for multi-phase project research and development automation.
  • Added review watcher for automated code quality iteration and feedback handling.
  • Implemented checkpoint system for agent state versioning, recovery, and rollback capabilities.
  • Added unified MCP tool bridge for seamless integration with multiple research and development tools.
  • Enhanced multi-provider support with improved capability detection.

• Documentation

  • Added comprehensive guides for orchestration, checkpoint system, and multi-provider architecture.

• Chores

  • Updated branding from Automaker to DevFlow across configuration and documentation.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[coderabbitai]

Warning

Rate limit exceeded

@0xtsotsi has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 27 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 1c2ece1 and 54fb7c4.

📒 Files selected for processing (3)

• .claude/commands/update-app.md
• apps/server/tests/unit/lib/auth.test.ts
• pr_description.md

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

This PR transforms DevFlow by introducing comprehensive autonomous workflow orchestration infrastructure. It adds checkpoint and recovery systems, a state machine for task lifecycle management, MCP bridge integration for tool invocation, shared agent state management, and new services for research, PR analysis, and Kanban board integration. Branding is updated throughout from Automaker to DevFlow, and the provider registry is refactored for clarity.

Changes

Cohort / File(s)	Summary
Branding & Metadata Updates CLAUDE.md, README.md, package.json, apps/ui/package.json	Rebrand from Automaker to DevFlow across documentation, project metadata, and app build configuration. Update repository URLs, homepage, author, and executable names.
.claude Configuration .claude/SETTINGS_GUIDE.md, .claude/settings.json	Add comprehensive Claude Code settings guide with MCP server configs, environment variables, and tool permissions. Expand settings.json with new MCP permissions for multiple tools (vibe-kanban, greptile, exa, github, git, etc.).
GitHub Automation .github/update-pr-25.sh, apps/server/src/routes/github/index.ts	Add PR update script and remove PR comment webhook imports and route handlers.
Provider Registry Refactoring apps/server/src/providers/registry.ts, apps/server/src/routes/providers/routes/{list,probe,status,test}.ts	Rename EngineRegistry singleton to providerRegistry and update all references across provider route handlers.
Checkpoint & State Management apps/server/src/lib/checkpoint-metadata.ts, apps/server/src/lib/shared-agent-state.ts, apps/server/src/services/checkpoint-service.ts, apps/server/tests/unit/services/checkpoint-service.test.ts	Introduce CheckpointMetadataManager for lineage/branching, SharedAgentState for transactional state store, CheckpointService for persistence, and comprehensive unit tests.
MCP & Orchestration Core apps/server/src/lib/mcp-bridge.ts, apps/server/src/lib/orchestrator-state-machine.ts, apps/server/src/routes/orchestrator/index.ts, apps/server/src/services/orchestrator-service.ts	Add MCPBridge for unified tool invocation, OrchestratorStateMachine for task phase transitions, new /orchestrator API routes, and comprehensive OrchestratorService managing multi-phase workflows.
Research & Analysis Services apps/server/src/services/research-service.ts, apps/server/src/services/exa-research-client.ts, apps/server/src/services/greptile-client.ts	Introduce ResearchService for Phase 1 orchestration, ExaResearchClient wrapping web/code search via MCP, and GreptileClient for semantic code analysis and PR review.
PR & Review Management apps/server/src/services/pr-review-service.ts, apps/server/src/services/github-pr-watcher.ts, apps/server/src/services/github-issue-poller-service.ts	Add PRReviewService for comment analysis and fix suggestions, update GitHub watchers with minor logging/error handling changes.
Vibe-Kanban Integration apps/server/src/services/vibe-kanban-client.ts	New VibeKanbanClient wrapping MCP tool calls for task/project/workspace management with connection handling and singleton pattern.
Provider & Claude Enhancements apps/server/src/providers/{base-provider,capability-probe,claude-provider,cursor-telemetry}.ts	Update getCapabilities return type to include undefined, add CLI prompt preprocessing for multi-part prompts, split type imports, add metadata index signature.
Auto Mode & Agent Services apps/server/src/services/auto-mode-service.ts, apps/server/src/services/agent-monitor.ts	Add checkpoint recovery methods (detectFailedAgents, recoverAgent, rollbackFeature, createCheckpoint) to AutoModeService. Update AgentMonitorService with dynamic SQLite loading and undefined-based all-trees semantics.
Settings & Configuration apps/server/src/routes/claude-settings/index.ts, apps/server/src/services/claude-settings-service.ts, apps/server/.env.example	New ClaudeSettingsService and routes for managing MCP permissions, plugins, and environment variables. Add orchestrator environment variables to .env.example.
Server Integration & Telemetry apps/server/src/index.ts, apps/server/src/lib/telemetry-factory.ts	Wire OrchestratorService and routes at /api/orchestrator with rate limiting. Update telemetry imports to direct references.
UI Updates apps/ui/src/components/views/beads-view.tsx	Add loadIssues to useBeadsIssues hook return and wire onRetry callback for error recovery.
Type System Extensions libs/types/src/{event,orchestrator,settings,index}.ts	Expand EventType union with orchestrator, MCP, review, agent, telemetry, and shared-state events. Add comprehensive OrchestratorTaskState, OrchestratorConfig, ResearchResult, and related types with defaults. Make claudeAuthMethod required in GlobalSettings.
Documentation docs/{HYBRID_ORCHESTRATION_PLAN,checkpoint-system,multi-provider-research}.md, pr_description.md, pr_title.txt	Add architecture plans, checkpoint system design, multi-provider research guide, and PR metadata. Documentation is comprehensive and non-executable.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant OrchestratorService
    participant OrchestratorStateMachine
    participant ResearchService
    participant ExaResearchClient
    participant GreptileClient
    participant VibeKanbanClient
    participant MCPBridge

    Client->>OrchestratorService: start()
    activate OrchestratorService
    
    OrchestratorService->>VibeKanbanClient: connect()
    OrchestratorService->>ExaResearchClient: connect()
    OrchestratorService->>GreptileClient: connect()
    
    rect rgb(200, 220, 255)
        note over OrchestratorService,GreptileClient: Research Phase (Phase 1)
        OrchestratorService->>ResearchService: conductResearch(feature)
        activate ResearchService
        
        par Parallel Research Tasks
            ResearchService->>GreptileClient: semanticSearch(query)
            GreptileClient->>MCPBridge: callTool('greptile_search')
        and
            ResearchService->>ExaResearchClient: webSearch(query)
            ExaResearchClient->>MCPBridge: callTool('exa_search')
        end
        
        ResearchService-->>OrchestratorService: synthesized recommendations + subtasks
        deactivate ResearchService
    end
    
    rect rgb(220, 255, 220)
        note over OrchestratorService,VibeKanbanClient: Task Management & Tracking
        OrchestratorService->>OrchestratorStateMachine: transition(taskId, 'research' → 'in_progress')
        OrchestratorStateMachine-->>OrchestratorService: valid transition
        
        OrchestratorService->>VibeKanbanClient: createTask(subtask)
        OrchestratorService->>VibeKanbanClient: updateTask(taskId, status)
    end
    
    Client->>OrchestratorService: getState()
    OrchestratorService-->>Client: current state + tracked tasks
    
    deactivate OrchestratorService

Loading

sequenceDiagram
    participant AutoModeService
    participant CheckpointService
    participant SharedAgentState
    participant CheckpointMetadataManager

    AutoModeService->>AutoModeService: detectFailedAgents()
    
    rect rgb(255, 220, 220)
        note over AutoModeService,CheckpointMetadataManager: Recovery Workflow
        AutoModeService->>CheckpointService: listCheckpoints(featureId)
        CheckpointService-->>AutoModeService: available checkpoints
        
        AutoModeService->>CheckpointService: restoreCheckpoint(checkpointId)
        activate CheckpointService
        CheckpointService-->>AutoModeService: checkpoint metadata + state
        deactivate CheckpointService
        
        AutoModeService->>SharedAgentState: setState(agentId, restored state)
        AutoModeService->>CheckpointMetadataManager: getLineage(checkpointId)
        CheckpointMetadataManager-->>AutoModeService: ancestor/descendant chain
    end
    
    rect rgb(200, 255, 220)
        note over AutoModeService,CheckpointMetadataManager: Checkpoint Creation
        AutoModeService->>SharedAgentState: getAllState()
        SharedAgentState-->>AutoModeService: current full state
        
        AutoModeService->>CheckpointService: createCheckpoint(agents, state)
        CheckpointService-->>AutoModeService: new checkpoint metadata
        
        AutoModeService->>CheckpointMetadataManager: createBranch(checkpointId, branchName)
        CheckpointMetadataManager-->>AutoModeService: branch created
    end

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

This PR introduces a substantial, multi-layered orchestration system spanning approximately 15+ new service classes, complex state management with checkpoints and transactions, event-driven architecture extensions, and deep integrations across MCP, GitHub, Vibe-Kanban, Exa, and Greptile. The changes exhibit high logic density, multiple interdependent modules, and require careful validation of control flow, error handling, and event emission patterns across the orchestrator lifecycle.

Possibly related PRs

• PR #21: Extends the provider/telemetry/agent-monitor foundation introduced in that PR, reusing the same registry patterns and event types, making this PR a significant continuation of that work.
• PR #27: Both modify and enhance GitHub issue poller service (apps/server/src/services/github-issue-poller-service.ts) and related server integration points.
• PR #18: Overlaps on Claude settings, CLI authentication flow for the provider, and claudeAuthMethod configuration changes that are refined here.

Poem

🐰 DevFlow's Grand Orchestration

From Automaker we branch and bloom,
State machines choreograph each room,
Checkpoints guard our journey's flight,
While MCP bridges let tools unite—
DevFlow hops to automation's delight! 🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 62.96% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly and concisely summarizes the main change: adding an enhanced checkpoint system for multi-agent orchestration, which is the primary focus of this changeset.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @0xtsotsi, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the multi-agent orchestration capabilities of the DevFlow autonomous AI development studio by introducing a robust checkpoint system. This system provides agents with the ability to persist and restore their operational state, enabling advanced recovery from failures, precise version control, and the management of parallel development branches. It lays the groundwork for more resilient and sophisticated autonomous workflows, ensuring continuity and traceability in agent-driven development.

Highlights

• Comprehensive Checkpoint System: Introduced CheckpointService for full CRUD operations (create, restore, list, delete) of agent state checkpoints.
• Advanced State Management: Implemented SharedAgentState with pub/sub support and transactional updates for atomic, multi-agent state coordination.
• Lineage and Branching: Added CheckpointMetadataManager to track checkpoint lineage, enable version comparison, diffing, merging, and branch management for parallel workflows.
• Automated Recovery Logic: Integrated recovery mechanisms into AutoModeService, allowing detection of failed/stuck agents, agent recovery from checkpoints, and feature rollbacks.
• Orchestrator Framework: Established a foundational orchestrator service (OrchestratorService) with a state machine, MCP bridge, and clients for Vibe-Kanban, Exa, and Greptile to manage autonomous development workflows.
• DevFlow Rebranding: Updated project branding from "Automaker" to "DevFlow" across documentation and configuration files.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This is a substantial pull request that introduces a sophisticated checkpoint and orchestration system for multi-agent workflows, along with a significant rebranding from Automaker to DevFlow. The new services for orchestration, checkpointing, research, and client interactions are well-structured and lay a strong foundation for autonomous development. The use of state machines, event-driven architecture, and abstraction layers like the MCP bridge is commendable.

However, there are several critical issues that need to be addressed. I've found a hardcoded absolute path and a hardcoded API key, which are significant security and portability concerns. More importantly, some core functionalities of the new checkpoint system, such as createCheckpoint and diffCheckpoints, are currently implemented as placeholders and do not provide the described functionality. This severely limits the utility of the new recovery and rollback features. I've also noted some areas where the implementation could be more robust, such as in object comparison and configuration file management.

My review provides detailed feedback on these points with suggestions for improvement. Addressing these issues will be crucial to making the new checkpoint system functional and secure.

[gemini-code-assist]

This configuration contains a hardcoded absolute local path (/home/oxtsotsi/Webrnds/DevFlow). This will cause the setup to fail for any other developer or in any other environment. Configuration files, even examples, should use placeholders or relative paths to ensure portability.

Suggested change

	"args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/oxtsotsi/Webrnds/DevFlow"],
	"args": ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/your/DevFlow/repo"],

[gemini-code-assist]

The createCheckpoint method currently creates checkpoints with empty taskHistory and filesModified arrays, as indicated by the comments. This means the created checkpoints do not contain the actual state of the agent's progress and are not useful for recovery or rollback. To make the checkpoint system functional, this method needs to be updated to gather and save the real-time state of the feature execution, including the history of completed tasks and the list of files that have been modified.

[gemini-code-assist]

A hardcoded API key has been found. Storing secrets directly in the source code is a critical security vulnerability. This key could be exposed and misused. It should be removed and loaded from a secure source, such as environment variables, which is a common practice already used elsewhere in this project.

Suggested change

	const exaKey = apiKey || '9b2f9ab7-c27c-4763-b0ef-2c743232dab9';
	const exaKey = apiKey || process.env.EXA_API_KEY;

[gemini-code-assist]

The permissions mcp__github__* and mcp__git__* are extremely broad, granting the agent access to all available github and git MCP tools. While this might be necessary for some autonomous tasks, it poses a significant security risk. It's recommended to specify the exact tools needed instead of using wildcards to follow the principle of least privilege. If all tools are indeed required, it would be beneficial to add a comment explaining the necessity for such broad permissions.

[gemini-code-assist]

The diffCheckpoints implementation is a placeholder. It identifies files as 'added', 'deleted', or 'modified' based only on their presence in the filesModified lists of the two checkpoints. It doesn't perform a content-level diff. A file present in both lists is marked as 'modified' without checking if its content actually changed. This is misleading and limits the utility of the diff feature. For a meaningful diff, you should consider comparing file hashes or actual content.

[gemini-code-assist]

Using JSON.stringify for object comparison is not reliable. It can fail for objects with keys in a different order, and it handles undefined values in ways that might not be expected (they are omitted). This could lead to unnecessary state updates and notifications. For robust object comparison, consider using a dedicated deep-equality library (like fast-deep-equal) or implementing a more thorough comparison function.

[gemini-code-assist]

Manually parsing and updating the .env file by splitting lines is brittle. This approach can easily break with more complex .env files that include comments, quoted values, or multi-line variables. It would be more robust to use a dedicated library for handling .env files, such as dotenv-expand or dotenv-parse-variables, to ensure correct parsing and writing.

[gemini-code-assist]

Parsing structured data from a free-text description by matching string prefixes like **Parent Task:** is fragile. Any small change in the description format will break this logic. Consider using a more robust method for storing and retrieving metadata, such as using a dedicated JSON field in the task data, or using front-matter within the description text.

[coderabbitai]

Actionable comments posted: 8

Note

Due to the large number of review comments, Critical severity comments were prioritized as inline comments.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/server/src/services/agent-monitor.ts (1)

428-436: Type inconsistency: parentId filter type doesn't match implementation.

The TypeScript type at line 433 declares parentId?: string, which allows string | undefined. However, the implementation at lines 460-467 explicitly checks for and handles null:

if (filters?.parentId !== undefined) {
  if (filters.parentId === null) {
    query += ' AND parent_id IS NULL';
  } else {
    query += ' AND parent_id = ?';
    params.push(filters.parentId);
  }
}

The null-checking branch (lines 461-462) is unreachable based on the current type signature. Update the type to match the implementation:

  getAgents(filters?: {
    status?: AgentStatus;
    engine?: string;
    featureId?: string;
    beadsId?: string;
-   parentId?: string;
+   parentId?: string | null;
    limit?: number;
    offset?: number;
  }): AgentRecord[] {

This aligns with the AgentRecord interface where parentId: string | null, allowing callers to explicitly query for agents where parent is null.

🟠 Major comments (15)

apps/server/src/services/pr-review-service.ts-474-497 (1)

474-497: Fix parameter type inconsistency.

The prNumber parameter is typed as string, but all other methods in this class use number for PR numbers. This inconsistency breaks type safety.

🔎 Proposed fix

   /**
    * Format analysis as markdown for posting to Vibe-Kanban
    */
-  formatAnalysisAsMarkdown(prNumber: string, analyses: CommentAnalysisWithFix[]): string {
+  formatAnalysisAsMarkdown(prNumber: number, analyses: CommentAnalysisWithFix[]): string {
     const lines = [
       `# PR #${prNumber} Review Analysis`,
       '',

apps/server/src/services/pr-review-service.ts-353-371 (1)

353-371: Fix regex pattern for file extension matching.

The regex pattern on Line 357 has incorrect grouping. The expression \.ts|tsx|js|jsx|json matches .ts OR tsx OR js OR jsx OR json anywhere in the string, rather than matching file extensions. This will produce false positives.

🔎 Proposed fix

   private extractFilesFromComment(body: string): string[] {
     const files: string[] = [];
 
     // Match file paths like `src/file.ts` or "src/file.ts"
-    const fileRegex = /[`"]([a-zA-Z0-9_./]+\.ts|tsx|js|jsx|json)[`"]/g;
+    const fileRegex = /[`"]([a-zA-Z0-9_./]+\.(ts|tsx|js|jsx|json))[`"]/g;
     let match;
 
     while ((match = fileRegex.exec(body)) !== null) {
       files.push(match[1]);
     }
 
     // Also look for patterns like "in X" where X might be a file
     const inRegex = /in\s+([a-zA-Z0-9_./]+\.[a-z]+)/gi;
     while ((match = inRegex.exec(body)) !== null) {
       files.push(match[1]);
     }
 
     return [...new Set(files)]; // Deduplicate
   }

apps/server/src/routes/claude-settings/index.ts-176-200 (1)

176-200: Validate environment variable value type.

Line 181 only checks if value is undefined, but doesn't validate that it's a string. Non-string values could cause issues when written to the .env file.

🔎 Proposed fix

     const { key } = req.params;
     const { value } = req.body;

-    if (value === undefined) {
+    if (value === undefined || typeof value !== 'string') {
       res.status(400).json({
         success: false,
-        error: 'value is required',
+        error: 'value must be a string',
       });
       return;
     }

apps/server/src/routes/claude-settings/index.ts-49-62 (1)

49-62: Add input validation for settings updates.

The PUT /claude-settings endpoint passes req.body directly to updateSettings without validation. This could allow clients to inject unexpected fields or malformed data. Consider:

• Validating the request body against the ClaudeSettings interface
• Using the existing validateSettings method from the service
• Returning a 400 error for invalid input before attempting the update

🔎 Proposed validation

 router.put('/', async (req: Request, res: Response): Promise<void> => {
   try {
+    const validation = settingsService.validateSettings(req.body);
+    if (!validation.valid) {
+      res.status(400).json({
+        success: false,
+        error: 'Invalid settings',
+        errors: validation.errors,
+      });
+      return;
+    }
     const updated = settingsService.updateSettings(req.body);
     res.json({
       success: true,
       settings: updated,
     });

Committable suggestion skipped: line range outside the PR's diff.

apps/server/src/lib/mcp-bridge.ts-200-210 (1)

200-210: Returning success: true when no invoker may mask configuration issues.

When __MCP_INVOKE__ is not defined, the bridge returns { success: true, data: null }. Callers may interpret this as a successful tool call, potentially causing silent failures downstream. Consider returning success: false with a descriptive message, or making this behavior configurable.

🔎 Suggested fix

     // Placeholder: Return success with null data
-    // This allows the orchestrator to continue even when MCP tools aren't fully wired
     console.warn(
       `[MCPBridge] No global MCP invoker found, returning placeholder result for ${toolName}`
     );
 
     return {
-      success: true,
-      data: null,
+      success: false,
+      error: 'MCP invoker not configured - tool call not executed',
     };

If the current behavior is intentional for graceful degradation, document this clearly and add a configuration option:

export interface MCPToolCallOptions {
  timeout?: number;
  throwOnError?: boolean;
  allowPlaceholderResult?: boolean; // New option
}

apps/server/tests/unit/services/checkpoint-service.test.ts-11-17 (1)

11-17: vi.mock should be at module level, not inside beforeEach.

Vitest hoists vi.mock() calls to the top of the file regardless of where they're placed. Putting it inside beforeEach is misleading and won't re-mock on each test. Move the mock declaration to the module level.

🔎 Proposed fix

 import { rm } from 'fs/promises';
 import path from 'path';
 
+// Mock secure-fs module (hoisted to top by Vitest)
+vi.mock('@/lib/secure-fs.js');
+
 describe('CheckpointService', () => {
   const testProjectPath = '/tmp/test-checkpoint-project';
   let service: CheckpointService;
 
   beforeEach(async () => {
     vi.clearAllMocks();
     service = new CheckpointService(testProjectPath);
-
-    // Mock fs operations
-    vi.mock('@/lib/secure-fs.js');
   });

apps/server/src/routes/orchestrator/index.ts-93-108 (1)

93-108: Add input validation for configuration updates.

The req.body is passed directly to updateConfig without any validation. This could allow malformed or malicious configuration to be set. Consider adding schema validation using a library like zod or at minimum type-checking critical fields.

🔎 Suggested approach

+import { z } from 'zod';
+
+const configSchema = z.object({
+  pollIntervalMs: z.number().positive().optional(),
+  maxConcurrentTasks: z.number().int().positive().optional(),
+  // Add other config fields as needed
+}).strict();
+
 router.put('/config', async (req: Request, res: Response): Promise<void> => {
   try {
+    const parseResult = configSchema.safeParse(req.body);
+    if (!parseResult.success) {
+      res.status(400).json({
+        success: false,
+        error: parseResult.error.message,
+      });
+      return;
+    }
     const orchestrator = getOrchestratorService(events);
-    orchestrator.updateConfig(req.body);
+    orchestrator.updateConfig(parseResult.data);

Committable suggestion skipped: line range outside the PR's diff.

apps/server/src/services/greptile-client.ts-245-259 (1)

245-259: Missing MCP availability check in triggerCodeReview.

Same issue as getPRAnalysis - should check bridge.isAvailable() before calling the tool.

apps/server/src/lib/shared-agent-state.ts-72-85 (1)

72-85: Bug: Transaction state check fails for explicitly set undefined values.

Using transactionState.get(key) !== undefined cannot distinguish between "key not in transaction" and "key explicitly set to undefined in transaction". Use has() to check existence.

Proposed fix

 getState<T extends StateValue>(key: StateKey): T | undefined {
   // If in transaction, check transaction state first
   if (this.transactionActive) {
     if (this.transactionDeletes.has(key)) {
       return undefined;
     }
-    const transactionValue = this.transactionState.get(key);
-    if (transactionValue !== undefined) {
-      return transactionValue as T;
+    if (this.transactionState.has(key)) {
+      return this.transactionState.get(key) as T;
     }
   }

   return this.state.get(key) as T | undefined;
 }

apps/server/src/services/greptile-client.ts-222-237 (1)

222-237: Inconsistent error handling: getPRAnalysis throws but doesn't check MCP availability.

Unlike semanticSearch (lines 189-194) which returns empty results when MCP is unavailable, getPRAnalysis calls the bridge without checking availability first, potentially causing an unhandled exception.

Proposed fix

 async getPRAnalysis(prNumber: number): Promise<MergeRequestDetails> {
   const bridge = getMCPBridge();

+  if (!bridge.isAvailable()) {
+    throw new GreptileError('MCP not available', 'MCP_UNAVAILABLE');
+  }
+
   const response = await bridge.callTool('mcp__plugin_greptile_greptile__get_merge_request', {

apps/server/src/services/orchestrator-service.ts-860-867 (1)

860-867: Event payload inconsistency: oldState vs oldStatus/newStatus.

The event payload uses oldState (which references the potentially unchanged tracked?.state) and newStatus, but oldState should capture the state before the update. Since the state was already mutated on lines 847-849, tracked?.state now holds the new value.

Proposed fix

 private updateTaskState(
   id: string,
   state: OrchestratorTaskState,
   phase: OrchestratorPhase
 ): void {
   const tracked = this.trackedTasks.get(id);
+  const previousState = tracked?.state || 'todo';
   if (tracked) {
     tracked.state = state;
     tracked.phase = phase;
     tracked.lastActivityAt = new Date();
   }

   // Also update state machine
   this.stateMachine.setTaskState(id, {
     taskId: id,
     state,
     previousState: null,
     enteredAt: new Date(),
     metadata: {},
   });

   // Emit event
   this.events.emit('orchestrator:task-updated', {
     taskId: id,
-    oldState: tracked?.state || 'todo',
+    oldState: previousState,
     newStatus: state,
     timestamp: new Date().toISOString(),
   });
 }

libs/types/src/orchestrator.ts-63-77 (1)

63-77: Avoid process.env in types package.

DEFAULT_ORCHESTRATOR_CONFIG uses process.env which makes this types package incompatible with browser environments and violates separation of concerns. Move this constant to the server package where it's consumed.

Additionally, this repeats the hardcoded API key security issue from orchestrator-service.ts.

Proposed fix

Move DEFAULT_ORCHESTRATOR_CONFIG to apps/server/src/services/orchestrator-service.ts or a dedicated config file in the server package:

-/**
- * Default orchestrator configuration
- */
-export const DEFAULT_ORCHESTRATOR_CONFIG: OrchestratorConfig = {
-  pollInterval: 30000, // 30 seconds
-  projectId: null,
-  projectName: process.env.ORCHESTRATOR_PROJECT_NAME || 'DevFlow',
-  exaApiKey: process.env.EXA_API_KEY || '9b2f9ab7-c27c-4763-b0ef-2c743232dab9',
-  // ... rest
-};

Committable suggestion skipped: line range outside the PR's diff.

apps/server/src/services/auto-mode-service.ts-2768-2774 (1)

2768-2774: Checkpoint state is always created with empty task history and files.

The AgentState created for checkpoints always has empty taskHistory and filesModified arrays. This significantly reduces the usefulness of checkpoints for recovery, as they won't contain any meaningful state to restore from.

Suggested approach

Consider populating these from the feature's planSpec.tasks and tracking modified files during execution:

 const state: AgentState = {
   featureId,
-  taskHistory: [], // Task history would need to be tracked during execution
-  filesModified: [], // Would need to track this during execution
+  taskHistory: feature.planSpec?.tasks?.map(t => ({
+    taskId: t.id,
+    description: t.description,
+    status: t.status,
+    startTime: t.startTime,
+    endTime: t.endTime,
+  })) || [],
+  filesModified: [], // TODO: Track modified files during execution
   context: `Checkpoint created at ${new Date().toISOString()}`,
   timestamp: new Date().toISOString(),
 };

Committable suggestion skipped: line range outside the PR's diff.

apps/server/src/services/auto-mode-service.ts-2620-2626 (1)

2620-2626: Type mismatch: ParsedTask doesn't have startTime/endTime properties.

The ParsedTask interface (lines 32-38) defines id, description, filePath, phase, and status. The code here assigns startTime and endTime which will result in TypeScript errors or silent property addition on runtime objects.

Proposed fix - extend the interface or remove unused properties

 // Option 1: Update ParsedTask interface (lines 32-38)
 interface ParsedTask {
   id: string;
   description: string;
   filePath?: string;
   phase?: string;
   status: 'pending' | 'in_progress' | 'completed' | 'failed';
+  startTime?: string;
+  endTime?: string;
 }

 // Option 2: Remove unused properties in the mapping
-const parsedTasks: ParsedTask[] = checkpoint.state.taskHistory.map((t) => ({
-  id: t.taskId,
-  description: t.description,
-  status: t.status,
-  startTime: t.startTime,
-  endTime: t.endTime,
-}));
+const parsedTasks: ParsedTask[] = checkpoint.state.taskHistory.map((t) => ({
+  id: t.taskId,
+  description: t.description,
+  status: t.status,
+}));

apps/server/src/services/vibe-kanban-client.ts-593-601 (1)

593-601: Singleton factory doesn't accept events, causing MCP bridge initialization to fail.

getVibeKanbanClient accepts projectName and retryConfig options but not events. Since getMCPBridge() (called in callTool at line 568) requires events for first-time initialization, any tool call will throw 'Events emitter required for first-time MCP bridge initialization' unless the bridge was initialized elsewhere.

🔎 Proposed fix: include events in factory options

 export function getVibeKanbanClient(options?: {
   projectName?: string;
   retryConfig?: RetryConfig;
+  events?: EventEmitter;
 }): VibeKanbanClient {
   if (!globalClient) {
     globalClient = new VibeKanbanClient(options);
   }
   return globalClient;
 }

🟡 Minor comments (9)

apps/server/.env.example-76-76 (1)

76-76: Fix typo in GitHub repository name.

The repository owner is misspelled as "oxtsotsi" instead of "0xtsotsi" (missing the leading "0"). This will cause GitHub operations to fail if used.

🔎 Proposed fix

-ORCHESTRATOR_GITHUB_REPO=oxtsotsi/DevFlow
+ORCHESTRATOR_GITHUB_REPO=0xtsotsi/DevFlow

docs/multi-provider-research.md-62-68 (1)

62-68: Fix markdown linting: Add language identifier to fenced code block.

The fenced code block for available models is missing a language specifier, which triggers a markdownlint warning.

🔎 Proposed fix

-```
+```text
 /model auto      - Auto-select best model
 /model sonnet-4.5 - Claude 4.5 Sonnet
 /model gpt-5.2    - GPT-5.2
 /model opus-4.5   - Claude 4.5 Opus
 /model grok      - Grok

</details>

</blockquote></details>
<details>
<summary>docs/multi-provider-research.md-129-135 (1)</summary><blockquote>

`129-135`: **Clarify the status of listed CVEs — they cannot be verified in public databases.**

The CVEs listed (CVE-2025-54135, CVE-2025-61593, GHSA-v64q-396f-7m79) do not appear in the MITRE CVE database or NVD advisories. Either add a clear disclaimer indicating these are hypothetical/example vulnerabilities for documentation purposes, or provide references to where these advisories are published. Without clarification, readers may be confused about whether these are real security advisories applicable to their systems.

</blockquote></details>
<details>
<summary>apps/server/src/services/research-service.ts-662-673 (1)</summary><blockquote>

`662-673`: **Potential undefined reference when accessing subtask dependencies.**

When `maxSubtasks` is 5, the code references `subtasks[2]` and `subtasks[3]` for dependencies. However, `subtasks[2]` is only added when `maxSubtasks >= 3` and `subtasks[3]` when `maxSubtasks >= 4`. If this logic changes or indices shift, this could cause runtime errors.


<details>
<summary>🔎 Safer approach using IDs</summary>

```diff
     // Subtask 5: Review and refinement
     if (maxSubtasks >= 5) {
+      const testingTaskId = subtasks.find(s => s.title === 'Testing and validation')?.id;
+      const docTaskId = subtasks.find(s => s.title === 'Documentation')?.id;
       subtasks.push({
         id: `${this.generateTaskId()}-${taskIndex++}`,
         title: 'Review and refinement',
         description: `Review and refine: ${description}`,
         files: context.relatedFiles || [],
         complexity: 'low',
-        dependencies: [subtasks[2].id, subtasks[3].id],
+        dependencies: [testingTaskId, docTaskId].filter((id): id is string => !!id),
         acceptanceCriteria: ['Code review complete', 'Feedback addressed', 'Ready for merge'],
       });
     }

apps/server/src/lib/mcp-bridge.ts-181-198 (1)

181-198: Timer leak in Promise.race - cleanup timeout on success.

When globalInvoke resolves before the timeout, the setTimeout timer continues running until it fires (though the rejection is ignored). This can cause issues in long-running processes. Use AbortController or manual cleanup.

🔎 Proposed fix

       try {
         const timeout = options?.timeout || 30000;
+        let timeoutId: NodeJS.Timeout;
+        const timeoutPromise = new Promise((_, reject) => {
+          timeoutId = setTimeout(() => reject(new Error('Tool call timeout')), timeout);
+        });
+        
         const result = await Promise.race([
-          globalInvoke(toolName, params),
-          new Promise((_, reject) =>
-            setTimeout(() => reject(new Error('Tool call timeout')), timeout)
-          ),
+          globalInvoke(toolName, params).finally(() => clearTimeout(timeoutId)),
+          timeoutPromise,
         ]);
         return {
           success: true,
           data: result,
         };

apps/server/src/services/orchestrator-service.ts-130-130 (1)

130-130: Typo in default GitHub repository name.

The default repository is oxtsotsi/DevFlow but based on the PR URL, it should be 0xtsotsi/DevFlow (with a zero, not letter 'o').

Proposed fix

-      githubRepository: process.env.ORCHESTRATOR_GITHUB_REPO || 'oxtsotsi/DevFlow',
+      githubRepository: process.env.ORCHESTRATOR_GITHUB_REPO || '0xtsotsi/DevFlow',

libs/types/src/orchestrator.ts-361-366 (1)

361-366: Event payload type mismatch with implementation.

The orchestrator:task-updated event payload defines oldStatus and newStatus as OrchestratorTaskState, but the implementation in orchestrator-service.ts (line 864) uses oldState instead of oldStatus.

Proposed fix - align the type with implementation

 'orchestrator:task-updated': {
   taskId: string;
-  oldStatus: OrchestratorTaskState;
+  oldState: OrchestratorTaskState;
   newStatus: OrchestratorTaskState;
   timestamp: string;
 };

apps/server/src/services/vibe-kanban-client.ts-337-374 (1)

337-374: appendToDescription silently overwrites explicit description.

If both options.description and options.appendToDescription are provided, the explicit description (set at line 348) gets overwritten by the append logic (line 354). This could lead to unexpected data loss.

🔎 Proposed fix: prioritize explicit description or combine them

       if (options.description !== undefined) {
         updates.description = options.description;
       }
 
-      if (options.appendToDescription) {
+      if (options.appendToDescription && options.description === undefined) {
         // Get current task first
         const current = await this.getTask(taskId);
         updates.description = `${current.description}\n\n${options.appendToDescription}`;
+      } else if (options.appendToDescription && options.description !== undefined) {
+        // Append to the new description being set
+        updates.description = `${options.description}\n\n${options.appendToDescription}`;
       }

apps/server/src/services/vibe-kanban-client.ts-147-158 (1)

147-158: Retry configuration is stored but never used.

The retryConfig is assigned to this.retryConfig but the callTool method (lines 564-577) does not implement any retry logic despite the class documentation stating "retry-ready MCP tool invocation." Either implement the retry logic or remove the misleading configuration and documentation.

🔎 Suggested implementation with exponential backoff

   private async callTool(
     toolName: string,
     params: Record<string, unknown>
   ): Promise<{ success: boolean; data?: unknown; error?: string }> {
     const bridge = getMCPBridge();
+    let lastError: unknown;
 
-    const result = await bridge.callTool(toolName, params);
-
-    if (!result.success) {
-      throw new VibeKanbanError(result.error || 'MCP tool call failed', 'MCP_ERROR');
+    for (let attempt = 0; attempt <= this.retryConfig.maxRetries; attempt++) {
+      try {
+        const result = await bridge.callTool(toolName, params);
+        if (result.success) {
+          return result;
+        }
+        lastError = new VibeKanbanError(result.error || 'MCP tool call failed', 'MCP_ERROR');
+      } catch (error) {
+        lastError = error;
+      }
+
+      if (attempt < this.retryConfig.maxRetries) {
+        const delay = Math.min(
+          this.retryConfig.baseDelay * Math.pow(2, attempt),
+          this.retryConfig.maxDelay
+        );
+        await new Promise((resolve) => setTimeout(resolve, delay));
+      }
     }
 
-    return result;
+    throw lastError instanceof VibeKanbanError
+      ? lastError
+      : new VibeKanbanError('MCP tool call failed after retries', 'MCP_ERROR', lastError);
   }

Committable suggestion skipped: line range outside the PR's diff.

🧹 Nitpick comments (37)

apps/server/src/providers/cursor-telemetry.ts (1)

21-29: LGTM! Index signature appropriately supports extensible metadata.

The addition of [key: string]: unknown enables runtime-added metadata keys while maintaining type safety by using unknown rather than any. This aligns well with the PR's goal of expanding telemetry capabilities across the system.

The usage throughout the file is safe—metadata is populated with known fields and only assigned when non-empty.

Optional enhancement: Consider documenting commonly expected dynamic keys in a JSDoc comment (e.g., traceId, sessionId, etc.) to guide future usage, though this is not critical.

apps/server/src/services/github-issue-poller-service.ts (1)

444-458: Consider more specific error handling for label operations.

The bare catch on line 444 is fine since the error wasn't used, but the overall error handling assumes all failures mean "label doesn't exist." This could mask other issues like network problems, authentication failures, or permission errors. The nested catch on line 449 also silently swallows all label creation errors.

🔎 Suggested approach for more robust error handling

Consider checking error messages or using more specific error handling:

     try {
       await execAsyncCmd(`gh issue edit ${issueNumber} --add-label "${CLAIMED_LABEL}"`, {
         cwd: projectPath,
         env: execEnv,
       });
 
       console.log(`[GitHubPoller] Added '${CLAIMED_LABEL}' label to issue #${issueNumber}`);
-    } catch {
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      
+      // Only attempt label creation if error suggests label doesn't exist
+      if (!errorMessage.includes('label') && !errorMessage.includes('not found')) {
+        console.warn(`[GitHubPoller] Unexpected error adding label to issue #${issueNumber}:`, errorMessage);
+        throw error;
+      }
+      
       // If label doesn't exist, create it first
-      await execAsyncCmd(`gh label create "${CLAIMED_LABEL}" --color "0366d6"`, {
+      try {
+        await execAsyncCmd(`gh label create "${CLAIMED_LABEL}" --color "0366d6"`, {
-        cwd: projectPath,
-        env: execEnv,
-      }).catch(() => {
-        // Label might already exist, ignore error
-      });
+          cwd: projectPath,
+          env: execEnv,
+        });
+        console.log(`[GitHubPoller] Created '${CLAIMED_LABEL}' label`);
+      } catch (createError) {
+        const createErrorMsg = createError instanceof Error ? createError.message : String(createError);
+        if (!createErrorMsg.includes('already exists')) {
+          console.warn(`[GitHubPoller] Failed to create label:`, createErrorMsg);
+        }
+      }
 
       // Try adding the label again
       await execAsyncCmd(`gh issue edit ${issueNumber} --add-label "${CLAIMED_LABEL}"`, {
         cwd: projectPath,
         env: execEnv,
       });
     }

This approach provides better observability and only swallows expected errors.

apps/server/src/services/agent-monitor.ts (1)

21-29: Consider using dynamic import() instead of require() in ES modules.

The file uses ES module syntax (import/export statements), but require() is a CommonJS pattern. For consistency and better module handling, consider using dynamic import() instead:

const getDatabase = async () => {
  try {
    const module = await import('better-sqlite3');
    return module.default;
  } catch {
    return null;
  }
};

Note: This would make initialize() need to handle the async nature of the import.

apps/server/src/services/pr-review-service.ts (3)

319-322: Clarify or adjust question detection threshold.

The check body.split('?').length < 3 excludes comments with multiple questions (3+ question marks). This threshold seems arbitrary—comments with several questions might still warrant a response.

Consider either:

• Removing the threshold (detect any comment with '?' as a question)
• Documenting why multi-question comments should be treated differently
• Adjusting the logic to: body.includes('?') for simplicity

🔎 Simplified approach

     // Check for questions
-    if (body.includes('?') && body.split('?').length < 3) {
+    if (body.includes('?')) {
       issueType = 'question';
       priority = 'low';
     }

---

427-452: Add guard for empty affectedFiles array.

Lines 436 and 444 access analysis.affectedFiles[0] without verifying the array is non-empty. While the placeholder methods handle empty strings, it's clearer to skip analyses with no affected files.

🔎 Proposed improvement

   async generateFixSuggestions(
     prNumber: number,
     analyses: CommentAnalysisWithFix[]
   ): Promise<Map<string, string[]>> {
     const suggestions = new Map<string, string[]>();
 
     for (const analysis of analyses) {
+      if (analysis.affectedFiles.length === 0) {
+        continue; // Skip analyses with no affected files
+      }
+
       if (analysis.issueType === 'conflict') {
         const suggestion = await this.searchConflictResolution(
-          analysis.affectedFiles[0] || '',
+          analysis.affectedFiles[0],
           prNumber
         );
         if (suggestion) {
           suggestions.set(analysis.id, [suggestion]);
         }
       } else if (analysis.issueType === 'suggestion') {
         // For suggestions, we might search for similar patterns
-        const similarPatterns = await this.searchSimilarPatterns(analysis.affectedFiles[0] || '');
+        const similarPatterns = await this.searchSimilarPatterns(analysis.affectedFiles[0]);
         if (similarPatterns.length > 0) {
           suggestions.set(analysis.id, similarPatterns);
         }
       }
     }
 
     return suggestions;
   }

---

194-221: Use --json output for more reliable status checks parsing.

The current text parsing is fragile and assumes a specific gh CLI output format. The codebase already uses JSON output for other gh commands in this file; apply the same approach here for consistency. The gh pr checks command supports --json with fields including name, state, and link.

Update the command to use:

gh pr checks ${prNumber} --json name,state,link --repo ${this.githubRepository}

Then parse the JSON output. Note: avoid fields like conclusion or detailsUrl as they are not available in the pr checks output; use link instead.

.github/update-pr-25.sh (1)

1-15: Consider adding validation for pr_description.md existence.

The script references pr_description.md at line 12 without checking if the file exists. While gh will fail if the file is missing, an explicit check would provide a clearer error message.

🔎 Proposed improvement

 set -e
 
+# Validate pr_description.md exists
+if [ ! -f pr_description.md ]; then
+  echo "❌ Error: pr_description.md not found"
+  exit 1
+fi
+
 PR_NUMBER=25
 TITLE="feat: Add Vibe Kanban Review Watcher for automated code quality iteration"

docs/HYBRID_ORCHESTRATION_PLAN.md (2)

71-77: Add language specifier to code block.

The fenced code block should specify a language (e.g., http or plaintext) for better syntax highlighting and accessibility.

🔎 Proposed fix

-```
+```http
 GET  /api/providers - List all providers
 GET  /api/providers/:name/status - Check provider status
 GET  /api/agents - List running agents
 GET  /api/agents/:id - Get agent details
 GET  /api/telemetry - Get metrics

</details>

---

`161-175`: **Add language specifier to execution order diagram.**

The fenced code block should specify a language (e.g., `plaintext` or `mermaid`) for better rendering.



<details>
<summary>🔎 Proposed fix</summary>

```diff
-```
+```plaintext
 M1-T1 (Research) → M1-T2 (Cursor Provider)
                 → M1-T3 (Agent Monitor)
                 → M1-T4 (Telemetry)

package.json (1)

2-2: Consider aligning package name with DevFlow branding.

The package name remains "automaker" while the description and homepage reference DevFlow. For consistency with the rebranding effort across the repository, consider updating the package name to "devflow" or "@devflow/monorepo" to avoid confusion.

README.md (1)

417-417: Consider updating license name for consistency.

The license section still references "Automaker License Agreement" while the rest of the README has been updated to DevFlow branding. Consider whether the license name should be updated to "DevFlow License Agreement" or if retaining the original name is intentional (e.g., if the license itself hasn't changed).

.claude/SETTINGS_GUIDE.md (1)

74-98: Clarify that repository paths and names are examples to customize.

The guide contains hardcoded values like "oxtsotsi/DevFlow", "main", and "/home/oxtsotsi/Webrnds/DevFlow" which are user-specific. Consider adding a note or comment indicating these are example values that users must customize for their own setup to prevent copy-paste errors.

🔎 Suggested enhancement

     "greptile": {
       "command": "npx",
       "args": ["-y", "@greptile/mcp-server@latest"],
       "env": {
         "GREPTILE_API_KEY": "YOUR_KEY_HERE",
-        "GREPTILE_REPO": "oxtsotsi/DevFlow",
-        "GREPTILE_BRANCH": "main"
+        "GREPTILE_REPO": "your-org/your-repo",  // Replace with your GitHub repo
+        "GREPTILE_BRANCH": "main"                // Replace with your default branch
       },
       "disabled": false
     },

And add a note at the beginning of section 3:

> **Note:** Replace placeholder values (`YOUR_KEY_HERE`, repository paths, and project names) with your actual configuration.

apps/ui/package.json (1)

2-2: Consider aligning package name with DevFlow branding.

Similar to the root package.json, the package name remains "@automaker/ui" while other metadata references DevFlow. For consistency, consider renaming to "@devflow/ui" or similar. Note this would require updating imports across the workspace.

docs/checkpoint-system.md (2)

7-31: Add language identifier to fenced code block.

The architecture diagram should specify a language identifier (e.g., text or ascii) to satisfy markdown linting rules.

🔎 Proposed fix

-```
+```text
 ┌─────────────────────────────────────────────────────────────────┐
 │                         Checkpoint System                        │

---

80-85: Add language identifier to fenced code block.

The directory tree should specify a language identifier (e.g., text) for proper markdown formatting.

🔎 Proposed fix

-```
+```text
 .automaker/checkpoints/

apps/server/src/services/claude-settings-service.ts (2)

195-224: Consider edge cases in .env file parsing.

The current line-by-line parser doesn't handle:

• Quoted values with = signs inside quotes
• Multi-line values
• Escaped characters
• Comments at the end of lines

For production use, consider using a well-tested library like dotenv for parsing, or document these limitations.

---

230-264: Consider validating environment variable keys and values.

The updateEnvVar method writes arbitrary key-value pairs to the .env file without validation. Consider:

• Restricting keys to allowed patterns (e.g., alphanumeric + underscore)
• Sanitizing values to prevent injection of malicious content
• Validating against the OrchestratorEnvVars interface for type safety

apps/server/src/routes/orchestrator/index.ts (2)

157-182: Hardcoded state list may drift from actual state machine.

The states array is hardcoded rather than derived from the actual OrchestratorStateMachine. This could lead to inconsistencies if states are added or renamed. Consider exposing a method from the state machine or orchestrator service to retrieve valid states dynamically.

🔎 Suggested approach

   router.get('/state-machine', async (req: Request, res: Response): Promise<void> => {
     try {
-      getOrchestratorService(events);
-      // Access state machine through internal API
-      // For now, return basic info
+      const orchestrator = getOrchestratorService(events);
+      const stateMachine = orchestrator.getStateMachine(); // Add this method if not present
       res.json({
         success: true,
-        states: [
-          'todo',
-          'researching',
-          ...
-        ],
+        states: stateMachine.getValidStates(), // Expose states from state machine
+        diagram: stateMachine.exportMermaidDiagram(),
       });

---

1-13: Minor: Update header comment to include all routes.

The header lists 6 routes but the implementation has 7 (missing GET /orchestrator/state-machine).

apps/server/tests/unit/services/checkpoint-service.test.ts (2)

19-26: Cleanup in afterEach may be ineffective or cause errors.

The rm() call uses the real fs/promises module, but @/lib/secure-fs.js is mocked. If the test directory was never created (due to mocking), this cleanup is unnecessary. Additionally, if any test accidentally uses the real filesystem, this cleanup might not catch all artifacts.

Consider removing this cleanup since all filesystem operations are mocked, or use a dedicated temp directory utility that handles cleanup automatically.

🔎 Suggested simplification

   afterEach(async () => {
-    // Clean up test directory
-    try {
-      await rm(testProjectPath, { recursive: true, force: true });
-    } catch {
-      // Ignore cleanup errors
-    }
+    vi.restoreAllMocks();
   });

---

295-312: Consider using mock implementations instead of spying on the service under test.

Spying on service.restoreCheckpoint tests implementation details rather than behavior. If the internal implementation changes, these tests may break even if the public API works correctly. Consider mocking the underlying secureFs.readFile to return the expected checkpoint data instead.

apps/server/src/services/research-service.ts (2)

233-238: Hardcoded fallback repository name should be configurable.

The fallback value 'oxtsotsi/DevFlow' appears to be a development default. Consider using only environment variables or throwing an error if no repository is configured, to avoid accidental use in production.

🔎 Suggested fix

     const repository =
       context.repository ||
       this.greptileRepository ||
-      process.env.ORCHESTRATOR_GITHUB_REPO ||
-      'oxtsotsi/DevFlow';
+      process.env.ORCHESTRATOR_GITHUB_REPO;
+
+    if (!repository) {
+      console.warn('[ResearchService] No repository configured for Greptile search');
+      return [];
+    }

---

332-349: Incomplete basicFileAnalysis implementation.

This fallback method returns empty arrays, which means LSP analysis provides no value when the MCP bridge is unavailable. Consider adding a TODO comment or implementing basic regex-based file scanning as a fallback.

Would you like me to help implement a basic file analysis that extracts imports and exports using regex patterns?

apps/server/src/lib/orchestrator-state-machine.ts (2)

30-31: Minor: ASCII diagram has formatting issues.

Lines 31 and 44 are missing the leading * character, causing the diagram to render incorrectly in documentation. This appears to be a copy-paste artifact.

🔎 Fix

- *     │             │
- *     ▼             ▼
- * ┌─────────┐  ┌──────────────┐
- │  queue  │  │   in_progress │  (Validation failed, back to impl)
+ *     │             │
+ *     ▼             ▼
+ * ┌─────────┐  ┌──────────────┐
+ * │  queue  │  │   in_progress │  (Validation failed, back to impl)

And similarly for line 44:

- * ┌────────┐ ┌───────────────┐
- │  ready  │ │ pr_fixes_needed│  (Comments/conflicts found)
+ * ┌────────┐ ┌───────────────┐
+ * │  ready  │ │ pr_fixes_needed│  (Comments/conflicts found)

Also applies to: 44-44

---

131-137: Validation bypass in non-strict mode may hide workflow issues.

When strictMode is false, validation failures are silently bypassed (e.g., return hasSubtasks || !this.config.strictMode). This could allow invalid state transitions that may cause issues later in the workflow. Consider logging a warning when validation is bypassed.

🔎 Suggested enhancement

       validation: async (ctx) => {
         // Validate: research complete, subtasks created
         const hasSubtasks = Array.isArray(ctx?.subtasks) && ctx.subtasks.length > 0;
-        return hasSubtasks || !this.config.strictMode;
+        if (!hasSubtasks && !this.config.strictMode) {
+          console.warn('[StateMachine] Bypassing subtasks validation in non-strict mode');
+          return true;
+        }
+        return hasSubtasks;
       },

apps/server/src/services/orchestrator-service.ts (1)

643-645: Unused variable in destructuring pattern.

The underscore variables _ are unused in the filter/map callbacks. Use more explicit naming or omit if not needed.

Proposed fix

-      const prTasks = Array.from(this.trackedTasks.entries())
-        .filter(([_, t]) => t.state === 'pr_created')
-        .map(([id, _]) => id);
+      const prTasks = Array.from(this.trackedTasks.entries())
+        .filter(([, t]) => t.state === 'pr_created')
+        .map(([id]) => id);

apps/server/src/lib/shared-agent-state.ts (2)

57-60: Performance: JSON.stringify comparison is expensive for large objects.

Using JSON.stringify for deep equality on every setState is O(n) and can be slow for large objects. Consider using a library like fast-deep-equal or accepting the trade-off of always notifying on set.

---

35-35: Unused private field: events.

The events field is declared and assigned but never used in the class. Either utilize it for emitting state change events or remove it.

Proposed fix (if not needed)

 export class SharedAgentState {
   private state: Map<StateKey, StateValue> = new Map();
   private subscriptions: Map<StateKey, Set<StateCallback>> = new Map();
-  private events: EventEmitter;
   private transactionActive = false;
   private transactionState: Map<StateKey, StateValue> = new Map();
   private transactionDeletes: Set<StateKey> = new Set();

-  constructor(events: EventEmitter) {
-    this.events = events;
+  constructor(_events: EventEmitter) {
+    // Events emitter reserved for future use
   }

apps/server/src/services/greptile-client.ts (1)

472-480: Singleton ignores options after first initialization.

Once globalClient is created, subsequent calls to getGreptileClient() with different options will return the existing client, ignoring the new options. Consider logging a warning or throwing if options differ.

apps/server/src/services/auto-mode-service.ts (1)

2577-2578: CheckpointService instantiated on every method call.

Creating a new CheckpointService instance for each checkpoint operation is inefficient. Consider caching the instance or making it a class member.

Proposed fix

 export class AutoModeService {
   private events: EventEmitter;
   private runningFeatures = new Map<string, RunningFeature>();
   // ... other fields
+  private checkpointServices = new Map<string, CheckpointService>();
+
+  private getCheckpointService(projectPath: string): CheckpointService {
+    if (!this.checkpointServices.has(projectPath)) {
+      this.checkpointServices.set(projectPath, new CheckpointService(projectPath));
+    }
+    return this.checkpointServices.get(projectPath)!;
+  }

apps/server/src/lib/checkpoint-metadata.ts (1)

203-208: Files marked as "modified" without actual modification detection.

Lines 203-208 mark files as "modified" if they exist in both checkpoints, but this doesn't actually detect if the file content changed. This could lead to false positives in the diff.

Consider adding a note in the return type or documentation that this is a structural diff, not a content diff, or implement content hash comparison.

apps/server/src/services/checkpoint-service.ts (2)

74-84: Confusing error handling for checkpoint existence check.

The logic is inverted: secureFs.access() throws when the file doesn't exist, and succeeds when it does exist. So if access succeeds (no throw), the checkpoint exists. The current code throws on success, which is correct, but the catch block logic is confusing.

Proposed clearer implementation

-    // Check if checkpoint already exists
-    try {
-      await secureFs.access(checkpointPath);
-      throw new Error(`Checkpoint ${checkpointId} already exists`);
-    } catch (error) {
-      // If error is "already exists", re-throw it
-      if ((error as Error).message.includes('already exists')) {
-        throw error;
-      }
-      // Otherwise, file doesn't exist, continue
-    }
+    // Check if checkpoint already exists
+    let exists = false;
+    try {
+      await secureFs.access(checkpointPath);
+      exists = true;
+    } catch {
+      // File doesn't exist, which is what we want
+    }
+    if (exists) {
+      throw new Error(`Checkpoint ${checkpointId} already exists`);
+    }

---

150-152: Silent failure on directory read error.

Returning an empty array when readdir fails masks potential issues like permission errors or missing directories. Consider logging a warning or distinguishing between "no checkpoints" and "error reading checkpoints".

Proposed fix

     } catch (error) {
+      // Only return empty if directory doesn't exist
+      const err = error as NodeJS.ErrnoException;
+      if (err.code !== 'ENOENT') {
+        console.warn(`[CheckpointService] Error listing checkpoints: ${err.message}`);
+      }
       return [];
     }

apps/server/src/services/exa-research-client.ts (1)

159-164: Unused class fields: apiKey and mcpUrl.

These fields are stored but never referenced after construction. If they're intended for future use, add a comment; otherwise, remove them.

apps/server/src/services/vibe-kanban-client.ts (3)

244-251: Silent error swallowing may hide issues.

findProjectByName catches all errors and returns null, which makes it impossible to distinguish between "project doesn't exist" and "MCP connection failed." Consider logging the error or handling specific error types differently.

🔎 Suggested improvement

   async findProjectByName(name: string): Promise<VibeKanbanProject | null> {
     try {
       const projects = await this.listProjects();
       return projects.find((p) => p.name === name) || null;
-    } catch {
+    } catch (error) {
+      console.warn(`[VibeKanban] Error finding project by name: ${(error as Error).message}`);
       return null;
     }
   }

---

253-274: Method name is misleading.

createProject doesn't actually create a project—it finds an existing one or falls back to the first available project. While the JSDoc note explains this, consider renaming to getOrCreateProject or ensureProject for clarity.

---

579-585: Consider validating projectId in setProjectId.

This method sets connected = true without verifying the project exists. Consider adding optional validation or documenting that callers must ensure the projectId is valid.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cd /tmp && git ls-files apps/server/src/providers/ | head -20

Repository: 0xtsotsi/DevFlow

Length of output: 128

---

🏁 Script executed:

cat -n apps/server/src/providers/base-provider.ts | sed -n '80,110p'

Repository: 0xtsotsi/DevFlow

Length of output: 1057

---

🏁 Script executed:

# Find all TypeScript files that might extend BaseProvider or implement getCapabilities
fd --type f -e ts -e tsx apps/server/src/providers/ | grep -v node_modules

Repository: 0xtsotsi/DevFlow

Length of output: 469

---

🏁 Script executed:

# Search for classes extending BaseProvider
rg -n "extends BaseProvider" --type ts

Repository: 0xtsotsi/DevFlow

Length of output: 357

---

🏁 Script executed:

# Search for implementations of getCapabilities
rg -n "getCapabilities" --type ts -A 3

Repository: 0xtsotsi/DevFlow

Length of output: 1686

---

🏁 Script executed:

# Check for npm scripts for typecheck and lint
cat package.json | grep -A 20 '"scripts"'

Repository: 0xtsotsi/DevFlow

Length of output: 1931

---

🏁 Script executed:

cat package.json | grep -A 100 '"scripts"' | grep -E "(typecheck|lint)"

Repository: 0xtsotsi/DevFlow

Length of output: 377

---

🏁 Script executed:

# Check apps/server package.json for scripts
cat apps/server/package.json | grep -A 50 '"scripts"'

Repository: 0xtsotsi/DevFlow

Length of output: 1409

---

🏁 Script executed:

# Check the full content of implementations to see return types
cat -n apps/server/src/providers/claude-provider.ts | sed -n '47,65p'

Repository: 0xtsotsi/DevFlow

Length of output: 860

---

🏁 Script executed:

# Check cursor provider implementation
cat -n apps/server/src/providers/cursor-provider.ts | sed -n '243,261p'

Repository: 0xtsotsi/DevFlow

Length of output: 860

---

🏁 Script executed:

# Check the call site more carefully
cat -n apps/server/src/routes/providers/routes/list.ts | sed -n '35,50p'

Repository: 0xtsotsi/DevFlow

Length of output: 665

---

🏁 Script executed:

# Check if there's a typecheck script defined
grep -r "typecheck" apps/server/ --include="*.json"

Repository: 0xtsotsi/DevFlow

Length of output: 42

---

🏁 Script executed:

# Look for any tsconfig to understand the TypeScript setup
cat apps/server/tsconfig.json 2>/dev/null || echo "No tsconfig.json found"

Repository: 0xtsotsi/DevFlow

Length of output: 540

---

🏁 Script executed:

# Check if there's any type mismatch - see full context of implementations
cat -n apps/server/src/providers/claude-provider.ts | sed -n '40,75p'

Repository: 0xtsotsi/DevFlow

Length of output: 1394

---

🏁 Script executed:

# Check TestProvider in tests to see what it implements
cat -n apps/server/tests/unit/providers/base-provider.test.ts | head -50

Repository: 0xtsotsi/DevFlow

Length of output: 1884

---

🏁 Script executed:

# Verify no typecheck script exists anywhere
grep -r "typecheck" apps/server/package.json package.json

Repository: 0xtsotsi/DevFlow

Length of output: 42

---

🏁 Script executed:

# Double-check the list.ts call site and understand ProviderInfo type
cat -n apps/server/src/routes/providers/routes/list.ts | sed -n '1,50p'

Repository: 0xtsotsi/DevFlow

Length of output: 1831

---

Missing quality gate script prevents verification.

The review cannot proceed per coding guidelines requiring npm run typecheck before syncing—this script does not exist in the repository. Additionally, npm run lint must be run as a quality gate and should be verified clean for this change.

Once the typecheck script is added and both npm run lint and npm run typecheck pass clean, the type signature change itself is sound: implementations in ClaudeProvider and CursorProvider correctly narrow the return type (covariant), and the call site in list.ts safely checks the optional method before invocation.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical bug: Wrong filter value for root agents.

Line 495 passes { parentId: undefined } to get root agents, but this is incorrect. When filters.parentId is undefined, the condition at line 460 (filters?.parentId !== undefined) evaluates to false, causing the entire parent filter block to be skipped. This returns all agents regardless of parent, not just root agents.

To get root agents (those with parent_id IS NULL in the database), the implementation at lines 460-467 requires passing { parentId: null }.

🔎 Proposed fix

   getAgentTree(rootId?: string): AgentTreeNode[] {
     // Get root agents
     const roots =
-      rootId !== undefined ? [this.getAgent(rootId)] : this.getAgents({ parentId: undefined });
+      rootId !== undefined ? [this.getAgent(rootId)] : this.getAgents({ parentId: null as any });
 
     return roots
       .filter((r): r is AgentRecord => r !== null)
       .map((root) => this.buildTreeNode(root, 0));
   }

Note: The as any cast is needed due to the type inconsistency noted in the next comment. The proper fix requires addressing both issues together.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	getAgentTree(rootId?: string): AgentTreeNode[] {
	// Get root agents
	const roots = rootId ? [this.getAgent(rootId)] : this.getAgents({ parentId: null });
	const roots =
	rootId !== undefined ? [this.getAgent(rootId)] : this.getAgents({ parentId: undefined });
	getAgentTree(rootId?: string): AgentTreeNode[] {
	// Get root agents
	const roots =
	rootId !== undefined ? [this.getAgent(rootId)] : this.getAgents({ parentId: null as any });
	return roots
	.filter((r): r is AgentRecord => r !== null)
	.map((root) => this.buildTreeNode(root, 0));
	}

🤖 Prompt for AI Agents

In apps/server/src/services/agent-monitor.ts around lines 492 to 495, the code
calls getAgents({ parentId: undefined }) which does not trigger the parent
filter and therefore returns all agents; change the call to pass { parentId:
null } (or { parentId: null } as any if needed to bypass the current type
mismatch) so the filters block treats it as “parent_id IS NULL” and only root
agents are returned.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Bug: Circular dependency in connect() causes immediate failure.

connect() calls webSearch(), which calls ensureConnected(), which throws because connected is still false. The connection test will always fail.

Proposed fix

 async connect(): Promise<void> {
   try {
-    // Test connection with a simple search
-    await this.webSearch({ query: 'test', numResults: 1 });
+    // Test connection with a direct tool call (bypass ensureConnected check)
+    const bridge = getMCPBridge();
+    await bridge.callTool('mcp__exa__web_search_exa', {
+      query: 'test',
+      numResults: 1,
+      useAutoprompt: false,
+    });
     this.connected = true;
     console.log('[Exa] Connected successfully');
   } catch (error) {

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In apps/server/src/services/exa-research-client.ts around lines 185-198,
connect() currently calls webSearch() which internally calls ensureConnected()
and fails because this.connected is still false; change connect() so it does not
invoke webSearch() through the public API that enforces ensureConnected. Either
(preferred) perform a low-level health/ping call on the underlying HTTP/client
transport that does not rely on this.connected, or set this.connected = true
just for the test call and if the test fails reset this.connected = false and
throw the ExaError; ensure any thrown error includes the original error object.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Security: Hardcoded API key in singleton factory.

Same security issue as in other files - the hardcoded API key 9b2f9ab7-c27c-4763-b0ef-2c743232dab9 should be removed.

Proposed fix

 export function getExaResearchClient(apiKey?: string, mcpUrl?: string): ExaResearchClient {
   if (!globalClient) {
-    // Use defaults if not provided
-    const exaKey = apiKey || '9b2f9ab7-c27c-4763-b0ef-2c743232dab9';
+    const exaKey = apiKey || process.env.EXA_API_KEY;
+    if (!exaKey) {
+      throw new ExaError('Exa API key required', 'NO_API_KEY');
+    }
     const exaUrl = mcpUrl || 'https://mcp.exa.ai/mcp';
     globalClient = new ExaResearchClient(exaKey, exaUrl);
   }

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In apps/server/src/services/exa-research-client.ts around lines 586-594, remove
the hardcoded API key and replace it with a secure retrieval from configuration:
prefer the passed apiKey parameter, otherwise read from an environment variable
(e.g. process.env.EXA_RESEARCH_API_KEY); if neither is available, throw an
explicit error so the service fails fast instead of using a secret in code. Do
not log the key, and keep the existing mcpUrl fallback behavior (or similarly
source it from process.env.EXA_RESEARCH_MCP_URL) so the singleton still
initializes safely without embedded secrets.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Security: Hardcoded API key in source code.

The fallback API key 9b2f9ab7-c27c-4763-b0ef-2c743232dab9 is hardcoded. This is a security risk as it exposes credentials in version control. Remove the hardcoded fallback and require the environment variable to be set.

Proposed fix

-      exaApiKey: process.env.EXA_API_KEY || '9b2f9ab7-c27c-4763-b0ef-2c743232dab9',
+      exaApiKey: process.env.EXA_API_KEY || '',

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	exaApiKey: process.env.EXA_API_KEY || '9b2f9ab7-c27c-4763-b0ef-2c743232dab9',
	exaMcpUrl: 'https://mcp.exa.ai/mcp',
	exaApiKey: process.env.EXA_API_KEY || '',
	exaMcpUrl: 'https://mcp.exa.ai/mcp',

🤖 Prompt for AI Agents

In apps/server/src/services/orchestrator-service.ts around lines 126-127 the EXA
API key is hardcoded as a fallback which is a security risk; remove the
hardcoded fallback and require process.env.EXA_API_KEY to be provided at runtime
— update the code to read the key only from process.env.EXA_API_KEY and add a
startup check that throws or exits with a clear error if the env var is missing
so the service fails fast instead of using a default credential.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: Shell command injection vulnerability.

task.title is interpolated directly into a shell command without escaping. A malicious title like "; rm -rf / # could execute arbitrary commands. Use proper argument escaping or pass arguments safely.

Proposed fix using shell escaping

+// Add a helper function to escape shell arguments
+function escapeShellArg(arg: string): string {
+  return `'${arg.replace(/'/g, "'\\''")}'`;
+}

 // Create PR using GitHub CLI
-const { stdout } = await execAsync(
-  `gh pr create --title "${task.title}" --body "${this.generatePRBody(task)}" --base ${this.config.defaultBaseBranch} --repo ${this.config.githubRepository}`,
-  { timeout: 30000 }
-);
+const { stdout } = await execAsync(
+  `gh pr create --title ${escapeShellArg(task.title)} --body ${escapeShellArg(this.generatePRBody(task))} --base ${escapeShellArg(this.config.defaultBaseBranch)} --repo ${escapeShellArg(this.config.githubRepository)}`,
+  { timeout: 30000 }
+);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const { stdout } = await execAsync(
	`gh pr create --title "${task.title}" --body "${this.generatePRBody(task)}" --base ${this.config.defaultBaseBranch} --repo ${this.config.githubRepository}`,
	{ timeout: 30000 }
	);
	function escapeShellArg(arg: string): string {
	return `'${arg.replace(/'/g, "'\\''")}'`;
	}
	// Create PR using GitHub CLI
	const { stdout } = await execAsync(
	`gh pr create --title ${escapeShellArg(task.title)} --body ${escapeShellArg(this.generatePRBody(task))} --base ${escapeShellArg(this.config.defaultBaseBranch)} --repo ${escapeShellArg(this.config.githubRepository)}`,
	{ timeout: 30000 }
	);

🤖 Prompt for AI Agents

In apps/server/src/services/orchestrator-service.ts around lines 591-594, the
code interpolates task.title and PR body directly into a shell string which
allows shell-injection; change to invoke the GitHub CLI without a shell string
by calling a child_process method that accepts an argument array (e.g.,
execFile, spawn, or use execa) and pass the command and each flag/value as
separate args (title and body as individual arguments) instead of embedding them
in a template string; additionally, ensure the title and body are
validated/trimmed and, if necessary, replace or remove newlines/unsafe
characters before passing as args and preserve the timeout option.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's look at the full method context
cat -n apps/server/src/services/pr-review-service.ts | head -200

Repository: 0xtsotsi/DevFlow

Length of output: 6818

---

🏁 Script executed:

# Check if there are any tests that show how this is used
find . -type f -name "*.test.ts" -o -name "*.spec.ts" | xargs grep -l "pr-review-service\|reviewComments" 2>/dev/null | head -5

Repository: 0xtsotsi/DevFlow

Length of output: 42

---

🏁 Script executed:

# Verify jq filter behavior with a test
cat > /tmp/test_jq.sh << 'EOF'
#!/bin/bash

# Test jq filter behavior
test_json='{"comments": [{"id": 1, "reviewId": 100, "body": "test1"}, {"id": 2, "reviewId": 200, "body": "test2"}]}'

echo "=== Original filter (no array wrapping) ==="
echo "$test_json" | jq '.comments[] | select(.reviewId != null)'

echo -e "\n=== With array wrapping ==="
echo "$test_json" | jq '[.comments[] | select(.reviewId != null)]'

echo -e "\n=== Test JSON parsing of original output ==="
original_output=$(echo "$test_json" | jq '.comments[] | select(.reviewId != null)')
echo "Output: $original_output"
echo "Trying to parse..."
echo "$original_output" | node -e "const data = require('fs').readFileSync(0, 'utf-8'); try { JSON.parse(data); console.log('Success'); } catch(e) { console.log('Failed:', e.message); }"

echo -e "\n=== Test JSON parsing of wrapped output ==="
wrapped_output=$(echo "$test_json" | jq '[.comments[] | select(.reviewId != null)]')
echo "Output: $wrapped_output"
echo "Trying to parse..."
echo "$wrapped_output" | node -e "const data = require('fs').readFileSync(0, 'utf-8'); try { JSON.parse(data); console.log('Success'); } catch(e) { console.log('Failed:', e.message); }"

echo -e "\n=== Test with empty result ==="
empty_result=$(echo "$test_json" | jq '.comments[] | select(.reviewId == 99999)')
echo "Output (empty): '$empty_result'"
echo "Trying to parse with || '[]'..."
node -e "const str = '$empty_result' || '[]'; console.log('Would parse:', str);"
EOF
bash /tmp/test_jq.sh

Repository: 0xtsotsi/DevFlow

Length of output: 938

---

🏁 Script executed:

# Check GitHub API documentation or any test files that show the structure
find . -type f \( -name "*.test.ts" -o -name "*.spec.ts" \) -exec grep -l "reviewComments\|review.*comment" {} \; 2>/dev/null

# Also check for any mock data or type definitions
grep -r "reviewId" --include="*.ts" --include="*.tsx" 2>/dev/null | head -20

Repository: 0xtsotsi/DevFlow

Length of output: 231

---

🏁 Script executed:

# Verify the actual GitHub API structure for PR comments
# Create a test to show what fields are available
cat > /tmp/verify_github_api.sh << 'EOF'
#!/bin/bash

# According to GitHub API documentation, review comments have reviewId field
# Regular comments do NOT have reviewId field
# This distinction is correct

# Test the logic with different scenarios
test_all_comments='{"comments": [
  {"id": 1, "body": "regular comment"},
  {"id": 2, "reviewId": 100, "body": "review comment"},
  {"id": 3, "body": "another regular comment"},
  {"id": 4, "reviewId": 200, "body": "another review comment"}
]}'

echo "=== All comments ==="
echo "$test_all_comments" | jq '.comments'

echo -e "\n=== Only review comments (broken - no array wrapper) ==="
echo "$test_all_comments" | jq '.comments[] | select(.reviewId != null)'

echo -e "\n=== Only review comments (correct - with array wrapper) ==="
echo "$test_all_comments" | jq '[.comments[] | select(.reviewId != null)]'

echo -e "\n=== Edge case: Single review comment ==="
single='{"comments": [{"id": 1, "reviewId": 100, "body": "review"}]}'
single_output=$(echo "$single" | jq '.comments[] | select(.reviewId != null)')
echo "Output: $single_output"
node -e "try { JSON.parse('$single_output'); console.log('Parses OK'); } catch(e) { console.log('Parse Error'); }"

echo -e "\n=== Edge case: No review comments ==="
none='{"comments": [{"id": 1, "body": "regular"}]}'
none_output=$(echo "$none" | jq '.comments[] | select(.reviewId != null)')
echo "Output: '$none_output'"
echo "With fallback: '${none_output}' || '[]' = '${none_output || '[]'}'"
EOF
bash /tmp/verify_github_api.sh

Repository: 0xtsotsi/DevFlow

Length of output: 1418

---

🏁 Script executed:

# Check if there's any documentation about this in README or docs
find . -type f \( -name "README.md" -o -name "*.md" \) -exec grep -l "gh pr\|review.*comment\|GitHub API" {} \; 2>/dev/null | head -5

Repository: 0xtsotsi/DevFlow

Length of output: 191

---

🏁 Script executed:

# Verify if the code is actually tested or if there are any test cases
find . -type f -name "*.test.ts" -o -name "*.spec.ts" | xargs grep -l "getPRState\|PRReviewService" 2>/dev/null

# Also check the git history to see if this was recently added
git log --oneline -n 20 -- apps/server/src/services/pr-review-service.ts 2>/dev/null || echo "No git history available"

Repository: 0xtsotsi/DevFlow

Length of output: 122

---

🏁 Script executed:

# Double-check: test the actual behavior with the fallback
cat > /tmp/final_test.sh << 'EOF'
#!/bin/bash

# Scenario 1: Empty result (current code works)
echo "=== Scenario 1: No review comments ==="
empty_output=""
result=$(echo "$empty_output" || echo '[]')
echo "Fallback works: $result"
node -e "const data = '$result'; try { JSON.parse(data); console.log('✓ Parses'); } catch(e) { console.log('✗ Fails'); }"

# Scenario 2: Single object (current code FAILS)
echo -e "\n=== Scenario 2: Single review comment ==="
single_obj='{"id": 1, "reviewId": 100, "body": "test"}'
echo "Trying to parse: $single_obj"
node -e "try { JSON.parse('$single_obj'); console.log('✓ Parses'); } catch(e) { console.log('✗ Fails:', e.message); }"

# Scenario 3: Multiple objects (current code FAILS)
echo -e "\n=== Scenario 3: Multiple review comments ==="
multi_obj='{"id": 1, "reviewId": 100}
{"id": 2, "reviewId": 200}'
echo "Trying to parse multi-line JSON..."
node -e "const data = '{\"id\": 1, \"reviewId\": 100}\n{\"id\": 2, \"reviewId\": 200}'; try { JSON.parse(data); console.log('✓ Parses'); } catch(e) { console.log('✗ Fails:', e.message); }"

# Scenario 4: With array wrapper (should work)
echo -e "\n=== Scenario 4: With array wrapper ==="
array_obj='[{"id": 1, "reviewId": 100}, {"id": 2, "reviewId": 200}]'
node -e "const data = '[{\"id\": 1, \"reviewId\": 100}, {\"id\": 2, \"reviewId\": 200}]'; try { JSON.parse(data); console.log('✓ Parses'); } catch(e) { console.log('✗ Fails'); }"
EOF
bash /tmp/final_test.sh

Repository: 0xtsotsi/DevFlow

Length of output: 454

---

Fix JSON parsing for review comments when multiple results exist.

The jq filter .comments[] | select(.reviewId != null) outputs multiple newline-delimited JSON objects rather than a single JSON array. This causes JSON.parse() to fail when two or more review comments exist. The fix wraps the filter in array brackets to produce valid JSON:

       const { stdout: reviewCommentsData } = await execAsync(
-        `gh pr view ${prNumber} --json comments --repo ${this.githubRepository} -q '.comments[] | select(.reviewId != null)'`
+        `gh pr view ${prNumber} --json comments --repo ${this.githubRepository} -q '[.comments[] | select(.reviewId != null)]'`
       );
       const reviewComments: PRComment[] = JSON.parse(reviewCommentsData || '[]');

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const { stdout: reviewCommentsData } = await execAsync(
	`gh pr view ${prNumber} --json comments --repo ${this.githubRepository} -q '.comments[] | select(.reviewId != null)'`
	);
	const reviewComments: PRComment[] = JSON.parse(reviewCommentsData || '[]');
	const { stdout: reviewCommentsData } = await execAsync(
	`gh pr view ${prNumber} --json comments --repo ${this.githubRepository} -q '[.comments[] | select(.reviewId != null)]'`
	);
	const reviewComments: PRComment[] = JSON.parse(reviewCommentsData || '[]');

🤖 Prompt for AI Agents

In apps/server/src/services/pr-review-service.ts around lines 148 to 151, the jq
filter returns multiple newline-delimited JSON objects which breaks JSON.parse
when there are multiple review comments; update the execAsync call to wrap the
filter in array brackets so it emits a single JSON array (e.g. change the -q
filter to '[.comments[] | select(.reviewId != null)]'), keep the existing
fallback to '[]' when stdout is empty, and ensure reviewComments is parsed from
that array output.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Circular dependency causes connect() to always fail.

connect() calls findProjectByName() (line 166), which calls listProjects() (line 246), which calls ensureConnected() (line 220). Since this.connected is false at this point, ensureConnected() throws 'Client not connected', making it impossible to ever connect.

🔎 Proposed fix: bypass ensureConnected during initial connection

   /**
    * List all projects
    */
-  async listProjects(): Promise<VibeKanbanProject[]> {
-    this.ensureConnected();
+  async listProjects(skipConnectionCheck = false): Promise<VibeKanbanProject[]> {
+    if (!skipConnectionCheck) {
+      this.ensureConnected();
+    }
 
     try {
       const result = await this.callTool('mcp__vibe_kanban__list_projects', {});

And update findProjectByName:

-  async findProjectByName(name: string): Promise<VibeKanbanProject | null> {
+  async findProjectByName(name: string, skipConnectionCheck = false): Promise<VibeKanbanProject | null> {
     try {
-      const projects = await this.listProjects();
+      const projects = await this.listProjects(skipConnectionCheck);
       return projects.find((p) => p.name === name) || null;

And update connect:

-      const project = await this.findProjectByName(this.projectName);
+      const project = await this.findProjectByName(this.projectName, true);

Committable suggestion skipped: line range outside the PR's diff.

[greptile-apps]

Greptile Summary

• Primary change implements comprehensive checkpoint system for multi-agent orchestration with CheckpointService, SharedAgentState, and recovery logic in AutoModeService
• Adds orchestrator services integrating Greptile, Exa, and VibeKanban for autonomous workflow management across research, implementation, and PR phases
• Introduces MCP bridge for tool integration and provider capability detection along with rebranding from Automaker to DevFlow throughout documentation

Important Files Changed

Filename	Overview
apps/server/src/services/exa-research-client.ts	New service with hardcoded API key exposed in plain text (security vulnerability)
pr_title.txt	Contains mismatched title "Vibe Kanban Review Watcher" instead of actual PR title about checkpoint system
pr_description.md	Documents Review Watcher service but conflicts with actual PR about checkpoint enhancement
apps/server/.env.example	Adds orchestrator config with inconsistent branding and typo in GitHub repo URL

Confidence score: 3/5

• This PR contains significant architectural enhancements but has multiple critical issues that need addressing before merge
• Score lowered due to hardcoded API keys, PR metadata inconsistencies, branding conflicts, and incomplete MCP tool integrations in several services
• Pay close attention to apps/server/src/services/exa-research-client.ts for security issues and verify PR title/description alignment with actual changes

[greptile-apps]

Additional Comments (4)

1. libs/types/src/event.ts, line 2 (link)

   style: comment mentions 'AutoMaker' but should be 'DevFlow' based on recent branding changes

2. CLAUDE.md, line 32-38 (link)

   style: Package namespace inconsistency - still using @automaker/* despite rebranding to DevFlow. Should the shared library packages be renamed to use @devflow/* namespace to match the rebrand?

   _{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

3. README.md, line 69-73 (link)

   style: Inconsistent branding - these paragraphs still reference 'Automaker' while the document has been rebranded to 'DevFlow'

   _{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

4. apps/server/.env.example, line 1-2 (link)

   style: Branding inconsistency - comments still reference 'Automaker' but project has been rebranded to 'DevFlow'

   Context Used: Context from dashboard - CLAUDE.md (source)

_{49 files reviewed, 41 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

logic: Title mismatch: This file shows 'Vibe Kanban Review Watcher' but the actual PR is about 'Enhanced checkpoint system for multi-agent orchestration'. The title should match the comprehensive checkpoint system changes described in the PR body.

Suggested change

	feat: Add Vibe Kanban Review Watcher for automated code quality iteration
	feat(hybrid): Enhanced checkpoint system for multi-agent orchestration

Should this file contain the same title as the PR, or is this intentionally different for a specific workflow reason?

[greptile-apps]

logic: The title string doesn't match the actual PR title in the body, which mentions 'Enhanced checkpoint system for multi-agent orchestration'

Suggested change

	TITLE="feat: Add Vibe Kanban Review Watcher for automated code quality iteration"
	TITLE="feat(hybrid): Enhanced checkpoint system for multi-agent orchestration"

Should this script be updating PR #25 specifically, or is this a template that needs to be updated with the correct PR details?

[greptile-apps]

style: Promise.race timeout implementation creates potential memory leak if globalInvoke doesn't resolve/reject

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

[greptile-apps]

style: The placeholder text '[Image content]' might be confusing in the prompt - consider a more descriptive placeholder like '[Image: content omitted in CLI mode]' to clarify why image data is missing

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

[greptile-apps]

style: the orchestrator instance is retrieved but never used - consider removing if not needed or implement the intended functionality

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

[greptile-apps]

logic: Shell injection vulnerability - task title and description are not escaped before being passed to shell command

[greptile-apps]

logic: The jq filter .comments[] | select(.reviewId != null) may not work correctly. GitHub API's gh pr view --json comments returns regular PR comments, not review comments. Use gh pr view --json reviewComments instead.

[greptile-apps]

style: Status check parsing is brittle and depends on gh pr checks output format which varies between versions. Consider using gh pr view --json statusCheckRollup for more reliable structured data.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

[greptile-apps]

logic: Potential runtime error if searchTerms[0] is undefined when searchTerms array is empty

[greptile-apps]

logic: Factory function signature doesn't match constructor - missing optional greptileRepository parameter

Suggested change

	export function createResearchService(
	exaClient: ExaResearchClient,
	events: EventEmitter
	): ResearchService {
	return new ResearchService(exaClient, events);
	export function createResearchService(
	exaClient: ExaResearchClient,
	events: EventEmitter,
	greptileRepository?: string
	): ResearchService {
	return new ResearchService(exaClient, events, greptileRepository);