Add multi-pass specialized reviews, convention learning, PR summaries, OTel tracing, web tests, and Helm hardening

- Multi-pass specialized review pipeline: separate LLM passes for security,
  correctness, and style with per-pass system prompts and deduplication
- Convention learner integration: load/save convention store, suppress
  previously-dismissed comment patterns
- PR summary generation: generate_summary_with_commits avoids holding
  non-Sync GitIntegration across await boundaries
- Code fix suggestions: parse <<<ORIGINAL/>>>SUGGESTED blocks from LLM
  responses into structured CodeSuggestion fields
- OpenTelemetry tracing: feature-gated (otel) with OTLP exporter,
  tracing::instrument on key API handlers and webhook flows
- Config additions: multi_pass_specialized, convention_store_path fields
- Web UI tests: 35 vitest tests for SeverityBadge, ScoreGauge, CommentCard
  with testing-library/react and jsdom
- Helm hardening: NetworkPolicy and PodDisruptionBudget templates

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: haasonsaas

Cargo.lock

@@ -41,6 +41,13 @@ sha2 = "0.10"
 jsonwebtoken = "9"
 base64 = "0.22"
 futures = "0.3"
+opentelemetry = { version = "0.27", features = ["trace"], optional = true }
+opentelemetry-otlp = { version = "0.27", features = ["trace", "tonic"], optional = true }
+opentelemetry_sdk = { version = "0.27", features = ["rt-tokio"], optional = true }
+tracing-opentelemetry = { version = "0.28", optional = true }
+
+[features]
+otel = ["opentelemetry", "opentelemetry-otlp", "opentelemetry_sdk", "tracing-opentelemetry"]
 
 [dev-dependencies]
 tempfile = "3.8"

Cargo.toml

@@ -0,0 +1,37 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "diffscope.fullname" . }}
+  labels:
+    {{- include "diffscope.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "diffscope.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - port: {{ .Values.service.port }}
+          protocol: TCP
+      {{- with .Values.networkPolicy.ingressFrom }}
+      from:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  egress:
+    # Allow DNS resolution (UDP + TCP port 53)
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    # Allow HTTPS egress for LLM APIs (OpenAI, Anthropic, etc.) and GitHub
+    - ports:
+        - port: 443
+          protocol: TCP
+    {{- with .Values.networkPolicy.extraEgress }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}

charts/diffscope/templates/networkpolicy.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "diffscope.fullname" . }}
+  labels:
+    {{- include "diffscope.labels" . | nindent 4 }}
+spec:
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  selector:
+    matchLabels:
+      {{- include "diffscope.selectorLabels" . | nindent 6 }}
+{{- end }}

charts/diffscope/templates/pdb.yaml

@@ -26,6 +26,7 @@ impl Default for RetryConfig {
 }
 
 /// Send an HTTP request with configurable retry parameters.
+#[tracing::instrument(name = "llm_request", skip(retry_config, make_request), fields(adapter = %adapter_name, max_retries = retry_config.max_retries))]
 pub async fn send_with_retry_config<F>(
     adapter_name: &str,
     retry_config: &RetryConfig,

src/adapters/common.rs

@@ -98,6 +98,11 @@ pub struct Config {
     #[serde(default = "default_feedback_path")]
     pub feedback_path: PathBuf,
 
+    /// Path to the convention store file for learned review patterns.
+    /// Defaults to ~/.local/share/diffscope/conventions.json if not set.
+    #[serde(default)]
+    pub convention_store_path: Option<String>,
+
     pub system_prompt: Option<String>,
     pub api_key: Option<String>,
     pub base_url: Option<String>,
@@ -221,6 +226,11 @@ pub struct Config {
     /// Webhook secret for verifying GitHub webhook signatures.
     #[serde(default)]
     pub github_webhook_secret: Option<String>,
+
+    /// When true, run separate specialized LLM passes for security, correctness,
+    /// and style instead of a single monolithic review prompt.
+    #[serde(default = "default_false")]
+    pub multi_pass_specialized: bool,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
@@ -316,6 +326,7 @@ impl Default for Config {
             symbol_index_lsp_command: None,
             symbol_index_lsp_languages: default_symbol_index_lsp_languages(),
             feedback_path: default_feedback_path(),
+            convention_store_path: None,
             system_prompt: None,
             api_key: None,
             base_url: None,
@@ -352,6 +363,7 @@ impl Default for Config {
             github_client_secret: None,
             github_private_key: None,
             github_webhook_secret: None,
+            multi_pass_specialized: false,
         }
     }
 }
@@ -1074,6 +1086,10 @@ fn default_true() -> bool {
     true
 }
 
+fn default_false() -> bool {
+    false
+}
+
 fn normalize_comment_types(values: &[String]) -> Vec<String> {
     if values.is_empty() {
         return default_comment_types();

src/config.rs

@@ -375,8 +375,12 @@ impl CommentSynthesizer {
     }
 
     fn generate_code_suggestion(raw: &RawComment) -> Option<CodeSuggestion> {
-        // This is a simplified implementation - in practice, you'd use the LLM
-        // to generate more sophisticated code suggestions
+        // Prefer the structured code suggestion parsed from the LLM response
+        if let Some(cs) = &raw.code_suggestion {
+            return Some(cs.clone());
+        }
+
+        // Fallback: generate a basic suggestion from the textual suggestion field
         if let Some(suggestion) = &raw.suggestion {
             if suggestion.contains("use") || suggestion.contains("replace") {
                 return Some(CodeSuggestion {
@@ -537,6 +541,7 @@ pub struct RawComment {
     pub confidence: Option<f32>,
     pub fix_effort: Option<FixEffort>,
     pub tags: Vec<String>,
+    pub code_suggestion: Option<CodeSuggestion>,
 }
 
 #[cfg(test)]

src/core/comment.rs

@@ -32,7 +32,7 @@ pub use enhanced_review::{
 };
 pub use git::{validate_ref_name, GitIntegration};
 pub use pr_summary::{PRSummaryGenerator, SummaryOptions};
-pub use prompt::PromptBuilder;
+pub use prompt::{PromptBuilder, SpecializedPassKind};
 pub use rules::{active_rules_for_file, load_rules_from_patterns, ReviewRule};
 pub use smart_review_prompt::SmartReviewPromptBuilder;
 pub use symbol_index::SymbolIndex;

src/core/mod.rs

@@ -299,7 +299,7 @@ fn analyze_file_risk(diff: &UnifiedDiff) -> HotspotResult {
 }
 
 /// Simple content similarity based on shared words.
-fn content_similarity(a: &str, b: &str) -> f32 {
+pub fn content_similarity(a: &str, b: &str) -> f32 {
     let words_a: std::collections::HashSet<&str> = a.split_whitespace().collect();
     let words_b: std::collections::HashSet<&str> = b.split_whitespace().collect();
 

src/core/multi_pass.rs

@@ -25,14 +25,21 @@ impl PRSummaryGenerator {
         adapter: &dyn LLMAdapter,
         options: SummaryOptions,
     ) -> Result<PRSummary> {
-        // Get commit messages for context
         let commits = git.get_recent_commits(10)?;
+        Self::generate_summary_with_commits(diffs, &commits, adapter, options).await
+    }
 
-        // Analyze changes
+    /// Like `generate_summary_with_options`, but takes pre-fetched commit messages
+    /// instead of a `GitIntegration` reference. This avoids holding `GitIntegration`
+    /// (which is not `Sync`) across an `.await` boundary.
+    pub async fn generate_summary_with_commits(
+        diffs: &[UnifiedDiff],
+        commits: &[String],
+        adapter: &dyn LLMAdapter,
+        options: SummaryOptions,
+    ) -> Result<PRSummary> {
         let stats = Self::calculate_stats(diffs);
-
-        // Build prompt for AI summary
-        let prompt = Self::build_summary_prompt(diffs, &commits, &stats, &options);
+        let prompt = Self::build_summary_prompt(diffs, commits, &stats, &options);
 
         let request = LLMRequest {
             system_prompt: Self::get_system_prompt(),
@@ -42,8 +49,6 @@ impl PRSummaryGenerator {
         };
 
         let response = adapter.complete(request).await?;
-
-        // Parse AI response into structured summary
         Self::parse_summary_response(&response.content, stats)
     }