feat(gates): add BUILD validation gate for config errors (#303)

* feat(gates): add BUILD validation gate to catch config errors early

Adds a new BUILD quality gate that validates pyproject.toml and
package.json before running slower gates (tests, coverage, review).
Detects TOML syntax errors, hatchling misconfigurations, and npm
dependency resolution failures with clear, actionable error messages.

* fix: address PR review feedback for BUILD gate

- Add missing TimeoutExpired catch in pip fallback path
- Add "build" mapping to _run_specific_gates to prevent KeyError
- Update _get_category_guidance configuration text to mention BUILD

* fix(ci): fix opencode-review workflow reliability issues

- Add concurrency group to cancel duplicate runs on same PR
- Remove credential-clearing step that wiped git user identity
- Remove raw PR body/title interpolation that stripped parenthesized
  file names via shell interpretation; use gh pr view instead
- Remove pyproject.toml from paths-ignore so config PRs get reviewed
- Quote shell variable assignments to prevent word splitting

---------

Co-authored-by: Test User <test@example.com>

Author: frankbria

.github/workflows/opencode-review.yml

@@ -3,13 +3,17 @@ name: OpenCode PR Review
 on:
   pull_request:
     types: [opened, synchronize]
-    # Skip review for documentation and config-only changes
+    # Skip review for documentation-only changes
     # Exclude this workflow file to prevent self-triggering loops
     paths-ignore:
       - "**/*.md"
       - ".github/workflows/opencode-review.yml"
       - ".gitignore"
-      - "pyproject.toml"
+
+# Cancel in-progress runs for the same PR to avoid duplicate reviews
+concurrency:
+  group: opencode-review-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
 
 jobs:
   opencode-review:
@@ -25,10 +29,10 @@ jobs:
       - name: Calculate total changes
         id: calc
         run: |
-          additions=${{ github.event.pull_request.additions }}
-          deletions=${{ github.event.pull_request.deletions }}
+          additions="${{ github.event.pull_request.additions }}"
+          deletions="${{ github.event.pull_request.deletions }}"
           total=$((additions + deletions))
-          echo "total=$total" >> $GITHUB_OUTPUT
+          echo "total=$total" >> "$GITHUB_OUTPUT"
 
       - name: Checkout repository
         # Only review substantial changes (5+ files OR 20+ lines changed)
@@ -40,31 +44,6 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - name: Clear git credentials to avoid duplicate auth
-        if: |
-          github.event.pull_request.changed_files >= 5 ||
-          steps.calc.outputs.total >= 20
-        run: |
-          # Clear all GitHub-related git config to prevent auth conflicts
-          git config --global --unset-all http.https://github.com/.extraheader || true
-          git config --local --unset-all http.https://github.com/.extraheader || true
-          git config --global --unset-all credential.helper || true
-          git config --local --unset-all credential.helper || true
-          git config --global --unset-all credential."https://github.com".helper || true
-          git config --local --unset-all credential."https://github.com".helper || true
-          # Remove any credential URLs
-          git config --global --unset-all credential.url || true
-          git config --local --unset-all credential.url || true
-          # Clear any includeIf configs that might add credentials
-          # Note: git config doesn't support wildcards, so we iterate over matching keys
-          # Use case-insensitive grep to catch both "includeIf" and "includeif"
-          for key in $(git config --global --list --name-only 2>/dev/null | grep -i "^includeif\." || true); do
-            git config --global --unset "$key" || true
-          done
-          for key in $(git config --local --list --name-only 2>/dev/null | grep -i "^includeif\." || true); do
-            git config --local --unset "$key" || true
-          done
-
       - name: Run OpenCode PR Review
         # Only review substantial changes (5+ files OR 20+ lines changed)
         if: |
@@ -74,18 +53,14 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
-          # Pass PR context as environment variables for the review
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          PR_TITLE: ${{ github.event.pull_request.title }}
-          PR_BODY: ${{ github.event.pull_request.body }}
-          REPO_NAME: ${{ github.repository }}
         with:
           model: zai-coding-plan/glm-4.7
           use_github_token: true
           prompt: |
             You are reviewing PR #${{ github.event.pull_request.number }} in repository ${{ github.repository }}.
 
-            PR TITLE: ${{ github.event.pull_request.title }}
+            Use `gh pr view ${{ github.event.pull_request.number }}` to read the PR title and description.
+            Use `gh pr diff ${{ github.event.pull_request.number }}` to read the changed files.
 
             Please review this pull request and provide feedback on:
             - Code quality and best practices

codeframe/core/models.py

@@ -158,6 +158,7 @@ class ReviewCategory(str, Enum):
 class QualityGateType(str, Enum):
     """Types of quality gates (Sprint 10)."""
 
+    BUILD = "build"
     TESTS = "tests"
     TYPE_CHECK = "type_check"
     COVERAGE = "coverage"

codeframe/lib/quality_gate_rules.py

@@ -29,6 +29,7 @@
 # Based on the Quality Gate Applicability Matrix
 _GATE_RULES: dict[TaskCategory, List[QualityGateType]] = {
     TaskCategory.CODE_IMPLEMENTATION: [
+        QualityGateType.BUILD,
         QualityGateType.TESTS,
         QualityGateType.COVERAGE,
         QualityGateType.TYPE_CHECK,
@@ -43,6 +44,7 @@
         QualityGateType.LINTING,
     ],
     TaskCategory.CONFIGURATION: [
+        QualityGateType.BUILD,
         QualityGateType.TYPE_CHECK,
         QualityGateType.LINTING,
     ],
@@ -52,6 +54,7 @@
         QualityGateType.SKIP_DETECTION,
     ],
     TaskCategory.REFACTORING: [
+        QualityGateType.BUILD,
         QualityGateType.TESTS,
         QualityGateType.COVERAGE,
         QualityGateType.TYPE_CHECK,
@@ -60,6 +63,7 @@
         QualityGateType.SKIP_DETECTION,
     ],
     TaskCategory.MIXED: [
+        QualityGateType.BUILD,
         QualityGateType.TESTS,
         QualityGateType.COVERAGE,
         QualityGateType.TYPE_CHECK,
@@ -72,13 +76,15 @@
 # Skip reasons for each category/gate combination
 _SKIP_REASONS: dict[TaskCategory, dict[QualityGateType, str]] = {
     TaskCategory.DESIGN: {
+        QualityGateType.BUILD: "Design tasks do not produce buildable artifacts",
         QualityGateType.TESTS: "Design tasks do not produce executable code to test",
         QualityGateType.COVERAGE: "Design tasks do not produce code requiring coverage",
         QualityGateType.TYPE_CHECK: "Design tasks do not produce typed code",
         QualityGateType.LINTING: "Design tasks may not produce lintable code",
         QualityGateType.SKIP_DETECTION: "Design tasks do not include test files",
     },
     TaskCategory.DOCUMENTATION: {
+        QualityGateType.BUILD: "Documentation tasks do not require build validation",
         QualityGateType.TESTS: "Documentation tasks do not produce executable code to test",
         QualityGateType.COVERAGE: "Documentation tasks do not produce code requiring coverage",
         QualityGateType.TYPE_CHECK: "Documentation tasks do not produce typed code",
@@ -92,6 +98,7 @@
         QualityGateType.SKIP_DETECTION: "Configuration tasks do not include test files",
     },
     TaskCategory.TESTING: {
+        QualityGateType.BUILD: "Testing tasks typically don't modify build configuration",
         QualityGateType.TYPE_CHECK: "Test code may use dynamic patterns that fail type checks",
         QualityGateType.LINTING: "Test code may use patterns that trigger linting warnings",
         QualityGateType.CODE_REVIEW: "Test code is validated through execution rather than review",

codeframe/lib/quality_gate_tool.py

@@ -31,10 +31,11 @@
 logger = logging.getLogger(__name__)
 
 # Valid quality gate check names
-VALID_CHECKS = ["tests", "types", "coverage", "review", "linting"]
+VALID_CHECKS = ["build", "tests", "types", "coverage", "review", "linting"]
 
 # Mapping from check names to QualityGateType enum
 CHECK_NAME_TO_GATE = {
+    "build": QualityGateType.BUILD,
     "tests": QualityGateType.TESTS,
     "types": QualityGateType.TYPE_CHECK,
     "coverage": QualityGateType.COVERAGE,
@@ -230,6 +231,7 @@ async def _run_specific_gates(
     # Run each requested gate
     for check in checks:
         gate_method = {
+            "build": quality_gates.run_build_gate,
             "tests": quality_gates.run_tests_gate,
             "types": quality_gates.run_type_check_gate,
             "coverage": quality_gates.run_coverage_gate,

codeframe/lib/quality_gates.py

@@ -508,6 +508,74 @@ async def run_linting_gate(self, task: Task, task_category: Optional[str] = None
 
         return result
 
+    async def run_build_gate(self, task: Task, task_category: Optional[str] = None) -> QualityGateResult:
+        """Execute build validation gate - verify project configuration files are valid.
+
+        This gate validates that pyproject.toml and/or package.json can be parsed
+        and dependencies resolved, catching configuration errors before slower gates run.
+
+        Detection Logic:
+            - If pyproject.toml exists → run uv sync --no-install-project (fallback: pip)
+            - If package.json exists → run npm install --dry-run --ignore-scripts
+
+        Args:
+            task: Task to validate
+            task_category: Optional category string for logging
+
+        Returns:
+            QualityGateResult with pass/fail status
+        """
+        start_time = datetime.now(timezone.utc)
+        failures: List[QualityGateFailure] = []
+
+        has_python = (self.project_root / "pyproject.toml").exists()
+        has_node = (self.project_root / "package.json").exists()
+
+        if has_python:
+            build_result = self._run_python_build()
+            if build_result["returncode"] != 0:
+                failures.append(
+                    QualityGateFailure(
+                        gate=QualityGateType.BUILD,
+                        reason=f"Build validation failed for pyproject.toml: {build_result['summary']}",
+                        details=build_result["output"],
+                        severity=Severity.HIGH,
+                    )
+                )
+
+        if has_node:
+            build_result = self._run_node_build()
+            if build_result["returncode"] != 0:
+                failures.append(
+                    QualityGateFailure(
+                        gate=QualityGateType.BUILD,
+                        reason=f"Build validation failed for package.json: {build_result['summary']}",
+                        details=build_result["output"],
+                        severity=Severity.HIGH,
+                    )
+                )
+
+        execution_time = (datetime.now(timezone.utc) - start_time).total_seconds()
+
+        status = "passed" if len(failures) == 0 else "failed"
+        result = QualityGateResult(
+            task_id=task.id,  # type: ignore[arg-type]
+            status=status,
+            failures=failures,
+            execution_time_seconds=execution_time,
+        )
+
+        self.db.update_quality_gate_status(
+            task_id=task.id,  # type: ignore[arg-type]
+            status=status,
+            failures=failures,
+        )
+
+        if not result.passed:
+            self._create_quality_blocker(task, failures, task_category)
+
+        return result
+
     async def run_skip_detection_gate(self, task: Task, task_category: Optional[str] = None) -> QualityGateResult:
         """Execute skip pattern detection gate - detect test skips across all languages.
 
@@ -720,7 +788,16 @@ async def run_all_gates(self, task: Task) -> QualityGateResult:
             logger.info(f"Skipping linting gate for task {task.id}: {reason}")
             skipped_gates.append(QualityGateType.LINTING.value)
 
-        # 2. Type check gate (fast)
+        # 2. Build gate (fast, validates configuration)
+        if QualityGateType.BUILD in applicable_gates:
+            build_result = await self.run_build_gate(task, category.value)
+            all_failures.extend(build_result.failures)
+        else:
+            reason = rules.get_skip_reason(category, QualityGateType.BUILD)
+            logger.info(f"Skipping build gate for task {task.id}: {reason}")
+            skipped_gates.append(QualityGateType.BUILD.value)
+
+        # 3. Type check gate (fast)
         if QualityGateType.TYPE_CHECK in applicable_gates:
             type_check_result = await self.run_type_check_gate(task, category.value)
             all_failures.extend(type_check_result.failures)
@@ -1092,10 +1169,81 @@ def _run_eslint(self) -> Dict[str, Any]:
                 "summary": "Skipped",
             }
 
+    def _run_python_build(self) -> Dict[str, Any]:
+        """Run Python build validation using uv (fallback to pip)."""
+        try:
+            result = subprocess.run(
+                ["uv", "sync", "--no-install-project"],
+                cwd=str(self.project_root),
+                capture_output=True,
+                text=True,
+                timeout=60,
+            )
+            output = result.stdout + result.stderr
+            summary = self._extract_build_error_summary(output, "pyproject.toml")
+            return {"returncode": result.returncode, "output": output, "summary": summary}
+        except FileNotFoundError:
+            # uv not available, try pip
+            try:
+                result = subprocess.run(
+                    ["pip", "install", "-e", ".", "--dry-run"],
+                    cwd=str(self.project_root),
+                    capture_output=True,
+                    text=True,
+                    timeout=60,
+                )
+                output = result.stdout + result.stderr
+                summary = self._extract_build_error_summary(output, "pyproject.toml")
+                return {"returncode": result.returncode, "output": output, "summary": summary}
+            except FileNotFoundError:
+                return {"returncode": 0, "output": "No Python build tool found, skipping", "summary": "Skipped"}
+            except subprocess.TimeoutExpired:
+                return {"returncode": 1, "output": "pip install timed out after 60 seconds", "summary": "Timeout"}
+        except subprocess.TimeoutExpired:
+            return {"returncode": 1, "output": "Build validation timed out after 60 seconds", "summary": "Timeout"}
+
+    def _run_node_build(self) -> Dict[str, Any]:
+        """Run Node.js build validation using npm."""
+        try:
+            result = subprocess.run(
+                ["npm", "install", "--dry-run", "--ignore-scripts"],
+                cwd=str(self.project_root),
+                capture_output=True,
+                text=True,
+                timeout=60,
+            )
+            output = result.stdout + result.stderr
+            summary = self._extract_build_error_summary(output, "package.json")
+            return {"returncode": result.returncode, "output": output, "summary": summary}
+        except FileNotFoundError:
+            return {"returncode": 0, "output": "npm not found, skipping", "summary": "Skipped"}
+        except subprocess.TimeoutExpired:
+            return {"returncode": 1, "output": "npm install timed out after 60 seconds", "summary": "Timeout"}
+
     # ========================================================================
     # Helper Methods - Output Parsing
     # ========================================================================
 
+    def _extract_build_error_summary(self, output: str, config_file: str) -> str:
+        """Extract summary from build validation output."""
+        if not output.strip():
+            return "No errors"
+        # Detect common build error patterns
+        if "hatchling" in output.lower():
+            match = re.search(r"Invalid section \[([^\]]+)\]", output)
+            if match:
+                return f"Invalid section [{match.group(1)}] in {config_file}"
+            return f"hatchling build error in {config_file}"
+        if "invalid toml" in output.lower() or "failed to parse" in output.lower():
+            return f"Invalid TOML syntax in {config_file}"
+        if "invalid package.json" in output.lower() or "invalid json" in output.lower():
+            return f"Invalid JSON in {config_file}"
+        if "npm err" in output.lower():
+            return f"npm dependency resolution error in {config_file}"
+        # Generic fallback
+        first_line = output.strip().split("\n")[0][:120]
+        return first_line
+
     def _extract_pytest_summary(self, output: str) -> str:
         """Extract summary from pytest output."""
         # Look for "N passed, M failed" pattern
@@ -1246,7 +1394,7 @@ def _get_category_guidance(self, task_category: str) -> str:
             ),
             "configuration": (
                 "This task was classified as a configuration task. "
-                "Only linting and type checking gates apply."
+                "Build validation, linting, and type checking gates apply."
             ),
             "testing": (
                 "This task was classified as a testing task. "