[agents] Add rigorous pull-request review workflow (#147)

Author: coisa

.agents/agents/review-guardian.md

@@ -0,0 +1,53 @@
+---
+name: review-guardian
+description: Review Fast Forward pull requests with a rigorous, findings-first contract before or during human review.
+primary-skill: pull-request-review
+supporting-skills:
+  - phpunit-tests
+  - sphinx-docs
+  - package-readme
+---
+
+# review-guardian
+
+## Purpose
+
+Provide a repeatable, high-signal pull-request review pass that helps
+maintainers catch regressions, missing coverage, stale docs, workflow risks,
+and generated-output drift before human review time is spent.
+
+## Responsibilities
+
+- Review ready pull requests with findings first and summaries second.
+- Prioritize bugs, regressions, missing tests, missing documentation, CI or
+  workflow risk, generated-output drift, and consumer-sync side effects.
+- Reference repository files whenever possible so maintainers can move quickly.
+- Treat packaged skills, project agents, workflow wrappers, local actions,
+  changelog entries, wiki output, and generated reports as first-class review
+  surfaces when touched.
+- Stay reusable across this repository and consumer repositories that
+  synchronize DevTools assets.
+
+## Use When
+
+- A pull request has just transitioned from draft to ready for review.
+- A maintainer wants a fresh rigorous review pass on an existing pull request.
+- A change touches workflows, generated outputs, synchronized assets, or other
+  surfaces where a generic summary would miss important risk.
+
+## Boundaries
+
+- Do not replace human review or branch protection.
+- Do not drift into implementation or patch authoring unless explicitly asked.
+- Do not weaken the findings-first contract with generic praise or summary
+  text before the actual issues.
+
+## Primary Skill
+
+- `pull-request-review`
+
+## Supporting Skills
+
+- `phpunit-tests`
+- `sphinx-docs`
+- `package-readme`

.agents/skills/pull-request-review/SKILL.md

@@ -0,0 +1,59 @@
+---
+name: pull-request-review
+description: Review Fast Forward pull requests with a findings-first contract that prioritizes bugs, regressions, missing tests, missing docs, generated-output drift, and workflow risk over general summaries.
+---
+
+# Fast Forward Pull Request Review
+
+Use this skill when a pull request is ready for review and maintainers need a
+repeatable, high-signal review pass. The review MUST lead with concrete
+findings, ordered by severity, with repository file references whenever
+possible.
+
+## Workflow
+
+1. Resolve the pull request context, touched files, and highest-risk surfaces.
+   Read [references/surface-priorities.md](references/surface-priorities.md).
+2. Inspect behavior before style. Start with source, workflows, generated
+   outputs, synchronized assets, tests, and documentation that can change
+   release or automation behavior.
+3. Produce the review using the findings-first contract. Read
+   [references/review-contract.md](references/review-contract.md).
+4. Call out missing or weak tests, missing docs, changelog gaps, generated
+   artifact drift, and consumer-sync impacts whenever the changed surfaces make
+   them relevant.
+5. Only after the findings, add a brief summary or note residual risk. If no
+   issues are found, say that clearly and mention any remaining verification
+   gaps.
+
+## Fast Forward Defaults
+
+- Findings come first. Summaries are secondary.
+- Prioritize bugs, regressions, missing coverage, missing documentation,
+  workflow or CI risks, generated-output drift, and sync side effects over
+  stylistic nits.
+- Treat ``.github/workflows``, ``resources/github-actions``, ``.github/actions``,
+  ``.agents/skills``, ``.agents/agents``, ``README.md``, ``docs/``,
+  ``CHANGELOG.md``, and ``.github/wiki`` as high-signal review surfaces.
+- Prefer precise repository file references in every finding.
+- Review what changed, but reason about downstream consumer impact when the PR
+  touches packaged assets or synchronized defaults.
+- Do not dilute the review with praise or generic narrative before the
+  findings.
+
+## Reference Guide
+
+| Need | Reference |
+|------|-----------|
+| Decide which changed surfaces deserve the closest scrutiny | [references/surface-priorities.md](references/surface-priorities.md) |
+| Format the review output in the expected findings-first shape | [references/review-contract.md](references/review-contract.md) |
+
+## Anti-patterns
+
+- Do not lead with a summary before the findings.
+- Do not spend the review budget on low-value formatting commentary when
+  behavioral or workflow risk exists.
+- Do not ignore generated files, synced assets, or workflow wrappers when the
+  pull request touched their sources.
+- Do not claim a pull request is clean without mentioning the verification
+  scope or any residual gaps.

.agents/skills/pull-request-review/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "Fast Forward Rigorous Review"
+  short_description: "Review Fast Forward pull requests with a findings-first contract"
+  default_prompt: "Use $pull-request-review to perform a rigorous findings-first review of this Fast Forward pull request."

.agents/skills/pull-request-review/references/review-contract.md

@@ -0,0 +1,37 @@
+Review Contract
+===============
+
+Every rigorous review produced from this skill MUST follow this contract:
+
+1. Findings first.
+2. Findings ordered by severity.
+3. Each finding anchored to a repository file reference whenever possible.
+4. Open questions or assumptions after the findings, not before them.
+5. A short summary only after the findings, and only when it adds value.
+
+Expected output shape:
+
+- Findings
+  - ``High`` / ``Medium`` / ``Low`` severity labels when helpful.
+  - One issue per bullet or short paragraph.
+  - Explain the concrete risk or regression, not just the changed code.
+  - Include the most relevant file path for each finding.
+- Open Questions / Assumptions
+  - Use only when uncertainty affects confidence in the findings.
+- Summary
+  - Briefly describe the net result after the findings.
+
+Required review themes:
+
+- Bugs and regressions.
+- Missing or weak tests.
+- Missing or stale documentation.
+- Generated-output drift.
+- Workflow, CI, or release automation risk.
+- Consumer-sync or packaged-asset side effects.
+
+If no issues are found:
+
+- State that clearly.
+- Mention the scope that was reviewed.
+- Call out any remaining test or verification gaps.

.agents/skills/pull-request-review/references/surface-priorities.md

@@ -0,0 +1,37 @@
+Surface Priorities
+==================
+
+When a pull request is ready for review, inspect the highest-risk surfaces
+first.
+
+Highest priority
+----------------
+
+- ``src/`` when public behavior, orchestration, dependency injection, or
+  compatibility may have changed.
+- ``tests/`` when behavior changed but coverage may be missing or weakened.
+- ``.github/workflows/`` and ``.github/actions/`` when permissions, triggers,
+  release behavior, or CI guarantees may have changed.
+- ``resources/github-actions/`` when a repository-facing workflow wrapper can
+  drift from the reusable workflow implementation.
+- ``.agents/skills/`` and ``.agents/agents/`` when packaged prompts or
+  consumer-synchronized capabilities changed.
+
+Additional Fast Forward review surfaces
+--------------------------------------
+
+- ``README.md`` and ``docs/`` for onboarding, command, or workflow drift.
+- ``CHANGELOG.md`` for notable user-facing or automation-facing changes.
+- ``.github/wiki`` when generated wiki output is touched.
+- ``resources/`` when synchronized templates or packaged defaults changed.
+
+Typical review questions
+------------------------
+
+- Did the implementation change behavior without matching tests?
+- Did the workflow wrapper stay aligned with the reusable workflow?
+- Did packaged assets change without explaining the consumer impact?
+- Did docs, README, changelog, or generated outputs remain consistent with the
+  implementation?
+- Did the pull request alter release automation, sync flows, or CI permissions
+  in a risky way?

.github/actions/review/render-request/action.yml

@@ -0,0 +1,30 @@
+name: Render Rigorous Review Request
+description: Render a deterministic review brief for a pull request that is ready for rigorous review.
+
+inputs:
+  pull-request-number:
+    description: Pull request number to review.
+    required: false
+    default: ''
+
+outputs:
+  pull-request-number:
+    description: Resolved pull request number.
+    value: ${{ steps.render.outputs.pull-request-number }}
+  comment:
+    description: Sticky pull-request comment body.
+    value: ${{ steps.render.outputs.comment }}
+  summary:
+    description: GitHub Actions step summary body.
+    value: ${{ steps.render.outputs.summary }}
+
+runs:
+  using: composite
+  steps:
+    - id: render
+      uses: actions/github-script@v8
+      with:
+        github-token: ${{ github.token }}
+        script: |
+          const run = require(`${process.env.GITHUB_ACTION_PATH}/run.cjs`);
+          await run({github, context, core});

.github/actions/review/render-request/run.cjs

@@ -0,0 +1,149 @@
+const MAX_LISTED_FILES = 12;
+
+function classifyTouchedSurfaces(files) {
+  const checks = [
+    [
+      'Source behavior or orchestration changed; verify regressions, contracts, and dependency boundaries.',
+      (file) => file.startsWith('src/'),
+    ],
+    [
+      'Tests changed; confirm assertions still cover the touched behavior and edge cases.',
+      (file) => file.startsWith('tests/'),
+    ],
+    [
+      'Docs or README changed; verify commands, examples, and generated outputs stayed aligned.',
+      (file) => file === 'README.md' || file.startsWith('docs/'),
+    ],
+    [
+      'Workflow or local GitHub Action logic changed; scrutinize permissions, triggers, release flow, and CI side effects.',
+      (file) => file.startsWith('.github/workflows/') || file.startsWith('.github/actions/'),
+    ],
+    [
+      'Consumer workflow wrappers changed; verify they still mirror the reusable workflow contract safely.',
+      (file) => file.startsWith('resources/github-actions/'),
+    ],
+    [
+      'Packaged agent surfaces changed; verify prompts, sync behavior, and inherited guidance.',
+      (file) => file.startsWith('.agents/skills/') || file.startsWith('.agents/agents/') || file === 'AGENTS.md',
+    ],
+    [
+      'Changelog changed; verify notable behavior and automation changes are documented accurately.',
+      (file) => file === 'CHANGELOG.md',
+    ],
+    [
+      'Wiki output changed; confirm generated content updates are intentional and consistent with the source.',
+      (file) => file.startsWith('.github/wiki'),
+    ],
+    [
+      'Packaged resources changed; verify consumer repositories inherit the right defaults and generated artifacts.',
+      (file) => file.startsWith('resources/'),
+    ],
+  ];
+
+  return checks
+    .filter(([, matcher]) => files.some(matcher))
+    .map(([message]) => message);
+}
+
+function renderComment({pull, files, focusAreas}) {
+  const listedFiles = files.slice(0, MAX_LISTED_FILES);
+  const remainingCount = Math.max(0, files.length - listedFiles.length);
+  const touchedSurfaces = focusAreas.length > 0
+    ? focusAreas
+    : ['No special review surface was inferred beyond the normal findings-first review contract.'];
+
+  const lines = [
+    '## Rigorous review requested',
+    '',
+    'This pull request is ready for the dedicated `review-guardian` pass powered by `$pull-request-review`.',
+    '',
+    `- PR: #${pull.number} — ${pull.title}`,
+    `- Author: @${pull.user.login}`,
+    `- Base: \`${pull.base.ref}\``,
+    `- Head: \`${pull.head.ref}\` @ \`${pull.head.sha.slice(0, 7)}\``,
+    '',
+    '### Review focus',
+    ...touchedSurfaces.map((item) => `- ${item}`),
+    '',
+    '### Sample changed files',
+    ...listedFiles.map((file) => `- \`${file}\``),
+  ];
+
+  if (remainingCount > 0) {
+    lines.push(`- ...and ${remainingCount} more files.`);
+  }
+
+  lines.push(
+    '',
+    '### Suggested prompt',
+    '```text',
+    `Use $pull-request-review with the review-guardian agent to review PR #${pull.number} (${pull.html_url}).`,
+    'Lead with findings ordered by severity. Include repository file references whenever possible.',
+    'Prioritize bugs, regressions, missing tests, missing docs, generated-output drift, and workflow or CI impacts.',
+    `Base: ${pull.base.ref}`,
+    `Head: ${pull.head.ref} @ ${pull.head.sha.slice(0, 7)}`,
+    '```',
+  );
+
+  return lines.join('\n');
+}
+
+function renderSummary({pull, focusAreas}) {
+  const lines = [
+    '## Rigorous review requested',
+    '',
+    `- Pull request: [#${pull.number}](${pull.html_url})`,
+    '- Agent: `review-guardian`',
+    '- Skill: `$pull-request-review`',
+    '',
+    '### Findings-first expectations',
+    '- Lead with bugs, regressions, missing tests, missing docs, generated-output drift, and workflow or CI risk.',
+    '- Include repository file references whenever possible.',
+  ];
+
+  if (focusAreas.length > 0) {
+    lines.push('', '### Inferred high-signal surfaces', ...focusAreas.map((item) => `- ${item}`));
+  }
+
+  return lines.join('\n');
+}
+
+module.exports = async function run({github, context, core}) {
+  const owner = context.repo.owner;
+  const repo = context.repo.repo;
+  const input = core.getInput('pull-request-number').trim();
+  const inferredNumber = String(context.payload.pull_request?.number || '').trim();
+  const pullRequestNumber = input || inferredNumber;
+
+  if (pullRequestNumber === '') {
+    core.setFailed('Unable to resolve a pull request number for the rigorous review workflow.');
+    return;
+  }
+
+  const pull_number = Number.parseInt(pullRequestNumber, 10);
+
+  if (Number.isNaN(pull_number)) {
+    core.setFailed(`Invalid pull request number: ${pullRequestNumber}`);
+    return;
+  }
+
+  const {data: pull} = await github.rest.pulls.get({
+    owner,
+    repo,
+    pull_number,
+  });
+
+  const files = await github.paginate(github.rest.pulls.listFiles, {
+    owner,
+    repo,
+    pull_number,
+    per_page: 100,
+  });
+
+  const changedFiles = files.map((file) => file.filename);
+  const focusAreas = classifyTouchedSurfaces(changedFiles);
+
+  core.setOutput('pull-request-number', String(pull.number));
+  core.setOutput('comment', renderComment({pull, files: changedFiles, focusAreas}));
+  core.setOutput('summary', renderSummary({pull, focusAreas}));
+};