Skip to content

feat: Amber automatic code reviews with memory system (Phase 2) #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jeremyeder wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: Amber automatic code reviews with memory system (Phase 2) #33

jeremyeder wants to merge 2 commits into from

Conversation

@jeremyeder
Copy link
Owner

@jeremyeder jeremyeder commented Dec 2, 2025

Summary

Implements Phase 2 of the Amber workflow transparency initiative: automatic PR reviews using the memory system from PRs ambient-code#359 and ambient-code#360.

Changes

New Workflow: .github/workflows/amber-auto-review.yml

Automatic PR reviews with repository intelligence:

  • Trigger: Automatic on PR open/synchronize
  • Memory System: Loads 7 files for comprehensive repository context
    • CLAUDE.md (master project instructions)
    • backend-development.md (Go backend, K8s patterns)
    • frontend-development.md (NextJS, Shadcn UI, React Query)
    • security-standards.md (Auth, RBAC, token handling)
    • k8s-client-usage.md (User token vs service account)
    • error-handling.md (Consistent error patterns)
    • react-query-usage.md (Data fetching patterns)
  • Transparency: Every review includes:
    • Link to workflow run (90-day log retention)
    • Collapsible section showing which memory files were loaded
    • Clear explanation of how Amber applies repository standards
  • Comment Management: Minimizes old review comments before posting new one

Modified Workflow: .github/workflows/claude-code-review.yml

Changed from automatic to manual-only:

  • Before: Triggered automatically on all PRs
  • After: Only triggers on @claude mentions in comments
  • Reason: Separate automatic reviews (Amber) from manual reviews (Claude)

Three-Tier AI Integration

This completes the separation of AI review types:

  1. @claude (Lightweight) - Manual, quick interactions

    • No repository wrapping, fastest response
    • Use for: questions, exploration, explanations

  2. Automatic PR Reviews (Amber-Wrapped) - NEW with this PR

    • Applies CLAUDE.md + memory system standards
    • Shows decision process via workflow logs
    • Trigger: Every PR open/sync (automatic)

  3. @amber mentions (Repository-Aware) - Future Phase 3

    • Planned: Manual @amber mentions for specific tasks
    • Will apply same memory system as automatic reviews

Testing

After merge, every new PR will trigger amber-auto-review.yml. To test immediately:

  1. Merge this PR
  2. Create a new test PR
  3. Verify review comment appears with transparency section
  4. Check workflow logs via the link in the review

Design Decisions

Why Direct File Loading (No Shell Script)

Rejected approach: Shell script prompt builder using sed/grep/perl to extract CLAUDE.md sections

Chosen approach: Direct file loading via Claude's Read tool

  • Simpler implementation
  • More maintainable (change memory files, workflow stays the same)
  • Leverages built-in Claude Code capabilities
  • No fragile shell script parsing

Why Memory System Over CLAUDE.md Extraction

The memory system (PRs ambient-code#359, ambient-code#360) provides:

  • Curated, focused context for specific domains
  • Easier to maintain and update
  • Better separation of concerns
  • Loadable on-demand for targeted work

Impact

Users will see: Every PR automatically gets a repository-aware code review showing:

  • Issues categorized by severity (Blocker/Critical/Major/Minor)
  • Positive highlights
  • Prioritized recommendations
  • Full transparency into AI decision-making

Developers will benefit from:

  • Consistent application of project standards
  • Early detection of anti-patterns
  • Confidence in AI reviews (visible decision process)
  • Reduced review burden on human reviewers

Related

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com

jeremyeder and others added 2 commits December 2, 2025 16:09
@jeremyeder @claude
feat: add workflow transparency links to all AI bot comments
2a222b0 
Add workflow run links to amber-issue-handler and claude-code-review
workflows, enabling users to see complete AI decision-making process.

Changes:
- amber-issue-handler.yml: Add links to 3 comment locations
  * "Report no changes" comment
  * "Validate changes" comment
  * "Create Pull Request" issue comment
- claude-code-review.yml: Add post-processing step to append link

All bot comments now include workflow run link with 90-day retention note,
allowing users to inspect files read, search patterns, and AI reasoning.

Part of Phase 1: Add Transparency (non-breaking, additive changes)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@jeremyeder @claude
feat: add Amber automatic code reviews with memory system
d2cb69a 
- Create amber-auto-review.yml for automatic PR reviews using memory system
- Loads CLAUDE.md + 6 memory files (context + patterns) for repository-aware reviews
- Disable automatic trigger in claude-code-review.yml (now @claude mentions only)
- Adds transparency links showing which memory files were loaded
- Result: Automatic reviews use Amber (repository-aware), @claude stays lightweight

Related to Phase 2 of Amber workflow transparency initiative.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Dec 2, 2025

Claude Code Review

Summary

This PR implements Phase 2 of the Amber workflow transparency initiative by adding automatic code reviews on all pull requests. The implementation loads repository-specific standards from the memory system (7 context files) and posts comprehensive reviews.

Overall Assessment: Well-structured with strong transparency features. However, several critical issues must be addressed before merge, particularly around security and error handling.

Issues by Severity

Blocker Issues

1. Security Risk: Unrestricted Repository Access in pull_request_target

Location: .github/workflows/amber-auto-review.yml:12-13

Issue: Using pull_request_target without restrictions allows code from untrusted forks to execute with write permissions.

Recommendation: Add this safety check at line 16:
if: github.event.pull_request.head.repo.full_name == github.repository

Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Critical Issues

2. Workflow Will Fail Silently When Memory Files Don't Exist

Location: .github/workflows/amber-auto-review.yml:83-91

Issue: Prompt assumes all memory files exist. The PR description mentions PRs ambient-code#359 and ambient-code#360 which weren't found in this repository, suggesting files may not exist yet.

Recommendation: Add file existence validation or update prompt to handle missing files gracefully.

3. Comment Minimization Will Fail on High-Volume PRs

Location: .github/workflows/amber-auto-review.yml:35-67

Issues:

  • No rate limiting between GraphQL API calls
  • No retry logic for transient failures
  • Error handling is silent (continue-on-error: true)

Recommendation: Add retry logic with exponential backoff and rate limiting.

4. Missing Pull Request Number Extraction

Location: .github/workflows/claude-code-review.yml:165-168

Issue: Workflow triggers on issue_comment events but code expects context.payload.pull_request.number (undefined for issue comments).

Fix: Use optional chaining: const prNumber = context.payload.pull_request?.number || context.payload.issue?.number

Major Issues

5. Workflow Code Duplication

Both workflows have nearly identical Add workflow link steps (~70 lines each).

Recommendation: Extract to composite action for maintainability.

6. No Handling for Review Timeouts or Failures

Location: .github/workflows/amber-auto-review.yml:70-127

Recommendation: Add timeout-minutes: 15 and failure notification step.

7. Memory System Visibility Could Be More Actionable

Transparency section lists files but doesn't link to them. Add table with clickable links.

Minor Issues

8. Memory System File List Duplication - File list appears in 3 places

9. Missing Workflow Documentation - No header comments explaining triggers

10. Hardcoded Bot Username - Make configurable via env var

Positive Highlights

  1. Excellent Transparency Design - Collapsible memory system section is exemplary
  2. Strong Separation of Concerns - Clear distinction between automatic and manual reviews
  3. Proactive Comment Management - Minimizing old reviews prevents clutter
  4. Comprehensive Context Loading - 7 memory files ensure repository-aware reviews
  5. 90-Day Log Retention - Documented retention period builds trust
  6. Structured Review Format - Severity-based categorization is highly actionable

Recommendations

Priority 1 (Must Fix Before Merge)

  1. Add fork PR safety check (Blocker Epic: MPP Deployment - Single-Namespace vTeam Implementation #1)
  2. Fix PR number extraction (Critical [Phase 1] Add unit tests for single-namespace mode #4)
  3. Add memory file validation (Critical [Phase 1] Add SINGLE_NAMESPACE_MODE support to operator #2)

Priority 2 (Should Fix Before Merge)

  1. Add retry logic and rate limiting (Critical [Phase 1] Disable project creation endpoint in backend for single-namespace mode #3)
  2. Add timeout and failure notification (Major [Phase 2] Update operator to reference namespace Roles instead of ClusterRoles #6)

Priority 3 (Address in Follow-up)

  1. Extract shared code to composite action (Major [Phase 2] Convert ClusterRoles to namespace-scoped Roles #5)
  2. Enhance transparency section with links (Major [Phase 3] Create corrected RBAC manifests (03-rbac.yaml) #7)
  3. Add workflow documentation headers (Minor [Phase 3] Create deployment manifests (04-06) with MPP configurations #9)

Final Recommendation: Excellent work on workflow transparency. The security issue and critical bugs must be addressed before merge. Fix these issues and this will be a model implementation.

@jeremyeder jeremyeder mentioned this pull request Dec 2, 2025
Merged
jeremyeder added a commit to ambient-code/platform that referenced this pull request Dec 2, 2025
@jeremyeder @claude
feat: Amber automatic code reviews with memory system (Phase 2) (#405)
9ce1eca 
## Summary

Implements Phase 2 of the Amber workflow transparency initiative:
automatic PR reviews using the memory system from PRs #359 and #360.

## Changes

### New Workflow: `.github/workflows/amber-auto-review.yml`

**Automatic PR reviews with repository intelligence:**

- **Trigger**: Automatic on PR open/synchronize
- **Memory System**: Loads 7 files for comprehensive repository context
  - CLAUDE.md (master project instructions)
  - backend-development.md (Go backend, K8s patterns)
  - frontend-development.md (NextJS, Shadcn UI, React Query)
  - security-standards.md (Auth, RBAC, token handling)
  - k8s-client-usage.md (User token vs service account)
  - error-handling.md (Consistent error patterns)
  - react-query-usage.md (Data fetching patterns)
- **Transparency**: Every review includes:
  - Link to workflow run (90-day log retention)
  - Collapsible section showing which memory files were loaded
  - Clear explanation of how Amber applies repository standards
- **Comment Management**: Minimizes old review comments before posting
new one

### Modified Workflow: `.github/workflows/claude-code-review.yml`

**Changed from automatic to manual-only:**

- **Before**: Triggered automatically on all PRs
- **After**: Only triggers on `@claude` mentions in comments
- **Reason**: Separate automatic reviews (Amber) from manual reviews
(Claude)

## Three-Tier AI Integration

This completes the separation of AI review types:

1. **`@claude`** (Lightweight) - Manual, quick interactions
   - No repository wrapping, fastest response
   - Use for: questions, exploration, explanations

2. **Automatic PR Reviews** (Amber-Wrapped) - NEW with this PR
   - Applies CLAUDE.md + memory system standards
   - Shows decision process via workflow logs
   - Trigger: Every PR open/sync (automatic)

3. **`@amber` mentions** (Repository-Aware) - Future Phase 3
   - Planned: Manual `@amber` mentions for specific tasks
   - Will apply same memory system as automatic reviews

## Testing

Tested on fork with PR: jeremyeder#33

After merge, every new PR will trigger `amber-auto-review.yml`. To
verify immediately:

1. Merge this PR
2. The workflow should trigger on this PR itself (meta!)
3. Verify review comment appears with transparency section
4. Check workflow logs via the link in the review

## Design Decisions

### Why Direct File Loading (No Shell Script)

**Rejected approach**: Shell script prompt builder using sed/grep/perl
to extract CLAUDE.md sections

**Chosen approach**: Direct file loading via Claude's Read tool
- Simpler implementation
- More maintainable (change memory files, workflow stays the same)
- Leverages built-in Claude Code capabilities
- No fragile shell script parsing

### Why Memory System Over CLAUDE.md Extraction

The memory system (PRs #359, #360) provides:
- Curated, focused context for specific domains
- Easier to maintain and update
- Better separation of concerns
- Loadable on-demand for targeted work

## Impact

**Users will see**: Every PR automatically gets a repository-aware code
review showing:
- Issues categorized by severity (Blocker/Critical/Major/Minor)
- Positive highlights
- Prioritized recommendations
- Full transparency into AI decision-making

**Developers will benefit from**:
- Consistent application of project standards
- Early detection of anti-patterns
- Confidence in AI reviews (visible decision process)
- Reduced review burden on human reviewers

## Related

- **Builds on**: PRs #359, #360 (Memory System)
- **Part of**: Amber Workflow Transparency Initiative
- **Documentation**: Will be updated in follow-up PR

---

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jeremyeder