feat: add pre and post implementation custom steps

[kasin-it]

Summary by CodeRabbit

• New Features

  • PR Review Pipeline (dark-launchable, label/branch scoping) with YAML configuration and webhook gating
  • AI-powered PR review (per-file and whole-PR modes) with builtin/local/remote prompt loading and safe sanitization
  • Complexity check to flag high-cyclomatic functions; configurable limits and file-ignore globs
  • GitHub webhook handler to dispatch reviews and publish check runs, annotations, and review comments/suggestions

• Documentation

  • Setup and walkthroughs for PR Review Pipeline, GitHub App webhook setup, and design/implementation plans for review & pre-research extensions

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a GitHub-triggered PR review pipeline: workflow config parsing/validation, PR bundle assembly, complexity and AI review checks with caching and fingerprints, VCS adapter review APIs, findings→annotations/comments mapping, GitHub webhook handler, Temporal dispatch helper, orchestration workflow, extensive tests, and documentation.

Changes

PR Review Pipeline v1 — Checks, Workflow, and GitHub Integration

Layer / File(s)	Summary
Design, plan, and setup docs docs/superpowers/specs/*, docs/superpowers/plans/*, SETUP.md, docs/GITHUB-APP-SETUP.md	Adds design spec and implementation plans for PR Review & Pre-Research, and documents deployment setup, dark-launch enablement, GitHub App webhook and permission steps, sample workflow.config.yaml, and TOC updates.
Runtime environment and sample config env.ts, workflow.config.yaml	Adds optional env vars GITHUB_WEBHOOK_SECRET and WORKFLOW_CONFIG_PATH and a sample workflow.config.yaml with dark-launch defaults, label-scoped rollout, ignore globs, limits, and enabled complexity check.
Dependencies package.json	Adds @ai-sdk/anthropic, ai, and js-yaml dependencies for Anthropic model integration and YAML parsing.
VCS adapter types and implementations src/adapters/vcs/types.ts, src/adapters/vcs/github.ts, src/adapters/vcs/github.test.ts, src/adapters/vcs/gitlab.ts, src/adapters/vcs/gitlab.test.ts	Extends the VCS adapter contract with review-pipeline methods (PR retrieval, list files/diff, file content at ref, commits, check runs and annotations, existing review comments, and createReview). GitHub adapter implements these methods and tests; GitLab adapter stubs throw NotSupportedError and tests assert that.
Check types and shared contracts src/lib/checks/types.ts	Defines Severity, Finding shape (locations/related/suggestions/fingerprint), CheckResult and CheckCacheManifest, PRContext and CheckContext, and a generic Check<TParams> interface using Zod schemas.
Findings -> annotations and comments src/lib/check-output.ts, src/lib/check-output.test.ts	Formats Findings into GitHub Check Run annotations and PR review comments/suggestions with severity mapping, hidden markers for dedupe, caps enforcement, suggestion anchoring validation, fence sanitization, and body truncation. Tests cover caps, dedupe, suggestion validity, sanitization, and truncation behavior.
Severity ranking and conclusion mapping src/lib/checks/result.ts, src/lib/checks/result.test.ts	Exports severityRank, severityAtLeast, maxSeverity, mapping of findings to check-run conclusions (success/neutral/failure) based on blocking and fail_on, and tests for mappings and error handling.
Check registry src/lib/checks/registry.ts	Exports CHECKS map and registerCheck/getCheck for dynamic check dispatch.
Complexity check src/lib/checks/complexity.ts, src/lib/checks/complexity.test.ts	Implements AST-driven cyclomatic complexity analysis for JS/TS using the TypeScript API, per-file changed-line scoping, glob filtering, severity thresholds (warning/critical), fingerprinting, and comprehensive tests.
Cache manifest and identity src/lib/checks/cache.ts, src/lib/checks/cache.test.ts	Serializes/parses cache manifests embedded in check output, enforces size/shape validation, validates per-file cache entries, computes stable config/content hashes, and tests manifest parsing and entry validation.
AI review check src/lib/checks/ai-review.ts, src/lib/checks/ai-review.test.ts	Adds an Anthropic-backed ai-review check supporting per-file and whole-PR modes, prompt-injection defenses (wrap/escape), deterministic fingerprinting, per-file content-hash caching with manifest tracking and truncation handling, and extensive tests covering caching, prompt composition, error/guardrail paths, and fingerprint stability.
Review prompt loading src/workflows/prompts-step.ts, src/workflows/prompts-step.test.ts, src/lib/prompts.ts	Adds builtin review prompt, loadReviewPrompt to load from builtin/local/Arthur sources with traversal/security guards, size caps, fallback semantics, and tests.
PR review bundle assembly src/lib/pr-context.ts, src/lib/pr-context.test.ts	Builds ReviewBundle from VCS adapter: PR metadata, files, optional full diff, file contents (bounded parallel fetch), prior comments, ticket enrichment; applies ignore globs, max_changed_files, byte caps, and records notices. Tests include concurrency and failure scenarios.
Workflow configuration loader src/lib/workflow-config.ts, src/lib/workflow-config.test.ts	Parses workflow.config.yaml via js-yaml JSON schema, validates structure with Zod, enforces semantic constraints (unique IDs, ordering of needs, acyclic graph), validates per-check params using registered check paramsSchemas, optionally enforces webhook-secret presence, and computes stable configHash. Tests cover parsing, semantic validation, params, cycles, and webhook-secret gating.
Temporal dispatch helper src/lib/dispatch-review.ts	Exports dispatchReview that dynamically imports the review workflow starter and returns a workflow runId.
GitHub webhook endpoint src/routes/webhooks/vcs/github/pull-request.post.ts, src/routes/webhooks/vcs/github/pull-request.post.test.ts	Adds POST handler verifying x-hub-signature-256 HMAC against raw body with timing-safe comparison, loads config (requireWebhookSecret), filters by triggers/scope (label/branch_prefix/all), validates payload shape, and dispatches the review workflow. Tests cover auth, filtering, gating, and error cases.
Review workflow orchestration src/workflows/review.ts, src/workflows/review.test.ts	Orchestrates running enabled checks in order with dependency gating, same-SHA dedupe, check-run lifecycle (queued→in_progress→completed), loads prior caches and prompts, builds requested_data per check, runs checks via registry, maps findings to annotations/comments, posts review comments, handles staleness and error recovery, and copies forward prior annotations for cache-hit files. Tests cover many edge cases and regression scenarios.
Test and mock updates various *.test.ts	Extensive new and updated tests across adapters, checks, prompts, workflow-config, pr-context, check-output, ai-review, cache, complexity, and review workflow to validate functionality and edge cases.
Sample workflow config workflow.config.yaml	Adds example workflow configuration with version, review.enabled=false (dark-launch), label scope for rollout, triggers, ignore patterns, review limits, and an enabled complexity check.
Setup and GitHub App docs SETUP.md, docs/GITHUB-APP-SETUP.md	Documents PR Review Pipeline (v1) deployment steps, webhook URL/secret, required GitHub App permissions (Checks, Contents), config file path override, and rollout guidance.
Misc tests/mocks adjustments	Updates test adapter mocks and other test scaffolding to align with expanded adapter contract and workflow wiring.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

• Blazity/ai-workflow#58: Related to Arthur-backed prompt loading and fallback behavior used by the review prompt loader.

Poem

🐰 I hopped through diffs and HMACs in hand,
I wrapped untrusted text in a safety band,
Checks queued, cached, and findings aligned,
Comments and annotations neatly signed,
The pipeline hums — a rabbit-reviewed land.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch AIW-71-webhook-steps

[coderabbitai]

Actionable comments posted: 10

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

SETUP.md (1)

357-357: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix stale internal link reference.

The link to troubleshooting points to #12-troubleshooting, but Troubleshooting is now section 13 after the PR Review Pipeline section was added.

Proposed fix

-If anything stalls, jump to [troubleshooting](`#12-troubleshooting`).
+If anything stalls, jump to [troubleshooting](`#13-troubleshooting`).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SETUP.md` at line 357, Update the stale internal link in SETUP.md: find the
text "If anything stalls, jump to [troubleshooting](`#12-troubleshooting`)." and
change the anchor to point to the current Troubleshooting section (replace
"`#12-troubleshooting`" with the correct anchor, e.g. "`#13-troubleshooting`" or the
exact slug of the "Troubleshooting" header). Ensure the link text remains
"troubleshooting" and the anchor matches the actual header slug for the
Troubleshooting section.

🧹 Nitpick comments (3)

package.json (1)

34-34: 💤 Low value

Dependency ordering inconsistency.

The ai package at line 34 is placed after pino, breaking alphabetical order. For consistency and maintainability, consider moving it to line 20 (before @ai-sdk/anthropic) or after h3 at line 30.

Proposed reordering

     "h3": "^1",
+    "ai": "^5.0.0",
     "js-yaml": "^4.1.0",
     "nitropack": "^2",
     "pino": "^10.3.1",
-    "ai": "^5.0.0",
     "workflow": "latest",

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 34, The dependency "ai": "^5.0.0" is out of
alphabetical order in package.json; move the "ai" entry so dependencies are
sorted alphabetically (for example place "ai" before "`@ai-sdk/anthropic`" or
after "h3") to restore consistent ordering, preserving its version string and
trailing commas/JSON syntax while keeping other dependency entries unchanged.

docs/GITHUB-APP-SETUP.md (1)

231-237: 💤 Low value

Add language identifier to fenced code block.

The fenced code block at line 231 should specify a language for proper syntax highlighting and to resolve the markdownlint warning.

Proposed fix

-   ```
+   ```text
    https://<your-vercel-domain>/webhooks/vcs/github/pull-request
    ```

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/GITHUB-APP-SETUP.md` around lines 231 - 237, Add a language identifier
to the fenced code block containing the URL
"https://<your-vercel-domain>/webhooks/vcs/github/pull-request" so markdownlint
stops warning; change the opening fence from ``` to a language-specific fence
such as ```text (or ```bash if you prefer) to enable proper syntax highlighting
and linting for that code block.

src/adapters/vcs/github.test.ts (1)

514-543: ⚡ Quick win

Add a regression test for \ No newline at end of file marker handling.

Current parser tests cover +++ headers, but not the in-hunk backslash metadata marker. Add this case to prevent line-range drift regressions.

Suggested test case

 describe("parseChangedLineRangesFromPatch", () => {
+  it("ignores '\\ No newline at end of file' marker for line counting", () => {
+    const patch = "@@ -1,2 +1,2 @@\n-old\n+new\n\\ No newline at end of file\n+next\n";
+    expect(parseChangedLineRangesFromPatch(patch)).toEqual([
+      { start: 1, end: 1 },
+      { start: 2, end: 2 },
+    ]);
+  });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/adapters/vcs/github.test.ts` around lines 514 - 543, Add a regression
test to ensure the in-hunk backslash metadata marker ("\ No newline at end of
file") is ignored by parseChangedLineRangesFromPatch: create a new it block in
the existing describe("parseChangedLineRangesFromPatch") tests that passes a
patch containing a hunk with a real "+" addition line followed immediately by
the "\ No newline at end of file" marker and assert that
parseChangedLineRangesFromPatch returns only the expected range for the real
added line (and does not treat the backslash marker as an added line); reference
the parseChangedLineRangesFromPatch function name and the test suite in
github.test.ts when adding this case.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/GITHUB-APP-SETUP.md`:
- Line 273: The markdown link "[PR Review Pipeline (v1)](#)" has an empty href;
update that link so it points to the actual section anchor in SETUP.md (e.g.,
replace "#" with "SETUP.md#pr-review-pipeline-v1" or the correct anchor
generated from the "PR Review Pipeline (v1)" header). Locate the link text "[PR
Review Pipeline (v1)](#)" and change the href to the proper relative anchor so
the link navigates to the PR Review Pipeline (v1) section.

In `@src/adapters/vcs/github.ts`:
- Around line 534-542: The logic that increments newLineNum when encountering a
context line mistakenly treats diff metadata like "\ No newline at end of file"
as a real file line; update the diff-parsing block (the one using rangeStart,
rangeEnd, ranges, and newLineNum) to detect and skip metadata lines (e.g., lines
that exactly start with "\ No newline at end of file" or match the typical diff
metadata pattern) so you do not increment newLineNum for those cases; leave
range flushing behavior intact but only increment newLineNum for actual file
lines (context/added/removed lines) rather than metadata markers.

In `@src/lib/check-output.ts`:
- Around line 42-44: sanitizeFences currently only replaces exact triple
backticks which allows runs of 4+ backticks to leave an unneutralized ```
sequence; change the replacement to target any run of 3 or more backticks by
using a /`{3,}/g matcher and neutralize the entire run by inserting zero‑width
joiners between each backtick (e.g., map the matched ticks to
ticks.split('').join('\u200D')); update the sanitizeFences function accordingly
and apply the same updated regex + replacement logic to the other
fence-sanitization call sites in this file that use the /```/g replacement so
all 3+ backtick runs are neutralized.

In `@src/lib/checks/ai-review.ts`:
- Around line 409-415: The whole-PR path in runWholePr is using a hard-coded
checkId value ("ai_review") when calling toFinding, which causes fingerprint
collisions; update that to use the configured check id (the same source used by
runPerFile) — e.g., replace the literal "ai_review" in the toFinding call with
the configured requested_data["check_id"] (or the variable that holds the check
id in this scope) so runWholePr and runPerFile generate consistent fingerprints
for the same configured check.
- Around line 440-445: The prompt currently injects PR-controlled strings raw
(e.g., file.path in buildPerFilePrompt and the changed_files usage around the
other block), so treat those as untrusted too: pass file.path and any
changed_files values through the same sanitizer (wrapUntrusted) before
concatenating into prompts (e.g., replace direct uses of file.path and
changed_files with wrapUntrusted(file.path) and
wrapUntrusted(changed_filesItem)) to ensure filenames/changed file lists cannot
inject instructions outside the protected regions.

In `@src/lib/checks/cache.ts`:
- Around line 27-34: The parser currently finds the first MANIFEST_OPEN and can
pick up injected markers earlier in the text; update parseCacheManifest to
prefer the manifest appended at the end by locating the last occurrence of
MANIFEST_OPEN (use text.lastIndexOf(MANIFEST_OPEN)) and the last occurrence of
MANIFEST_CLOSE (use text.lastIndexOf(MANIFEST_CLOSE)), verify the close index is
after the open index, then compute after = open + MANIFEST_OPEN.length and slice
the body from after..end and trim as before; this ensures the trailing footer
manifest (not an earlier injected marker) is parsed.

In `@src/routes/webhooks/vcs/github/pull-request.post.ts`:
- Around line 70-75: The repo-name equality check is case-sensitive and can
falsely ignore valid webhooks; update the comparison that uses fullName and
expectedFullName to normalize casing (e.g., .toLowerCase() or locale-insensitive
lowercasing) and trim whitespace on both values before comparing, and keep the
existing logger call but log the normalized values (still using fullName and
expectedFullName identifiers to find the code). Ensure you compare
normalizedFullName === normalizedExpectedFullName and return the same ignored
response only when they truly differ.

In `@src/workflows/prompts-step.ts`:
- Around line 101-125: The lexical path check using path.relative +
fs.stat/fs.readFile can be bypassed by symlinks; update the loader (symbols:
repoRoot, abs, rel, MAX_PROMPT_BYTES, fs.stat, fs.readFile) to canonicalize and
validate real paths: call fs.realpath on both repoRoot and the candidate abs and
ensure the real abs starts with the real repoRoot, and use fs.lstat on abs (at
least the final component) to reject if it is a symlink before reading; if lstat
indicates a symlink or the realpath check fails, throw an error similar to the
existing messages.

In `@src/workflows/review.ts`:
- Around line 464-484: The whole-PR branch in src/workflows/review.ts ignores
requested "file_content" even though computeBundleRequest fetched it; update the
whole_pr branch in the else block to honor data.includes("file_content") by
adding the file contents from bundle into the request payload (similar to how
changed_files is handled). Specifically, when data.includes("file_content") set
base["file_content"] to the file content structure produced by
computeBundleRequest (e.g., derived from bundle.files entries or whatever bundle
property holds fetched contents) so whole-PR reviews receive the same file
content input as ai_review mode.
- Around line 789-817: The current createReviewStep call (inside the try that
computes result from findingsToComments) can throw and override the overall
check outcome; separate review publication from check completion by moving the
createReviewStep invocation out of the main result-producing try/catch (or wrap
it in its own try/catch), ensure any errors from createReviewStep are
caught/logged (do not rethrow), and always proceed to persist/complete the Check
Run with the computed result (result, summary, conclusion) even if review
comment publishing fails; references: findingsToComments, checkCfg.comments,
result, createReviewStep, existingComments.

---

Outside diff comments:
In `@SETUP.md`:
- Line 357: Update the stale internal link in SETUP.md: find the text "If
anything stalls, jump to [troubleshooting](`#12-troubleshooting`)." and change the
anchor to point to the current Troubleshooting section (replace
"`#12-troubleshooting`" with the correct anchor, e.g. "`#13-troubleshooting`" or the
exact slug of the "Troubleshooting" header). Ensure the link text remains
"troubleshooting" and the anchor matches the actual header slug for the
Troubleshooting section.

---

Nitpick comments:
In `@docs/GITHUB-APP-SETUP.md`:
- Around line 231-237: Add a language identifier to the fenced code block
containing the URL
"https://<your-vercel-domain>/webhooks/vcs/github/pull-request" so markdownlint
stops warning; change the opening fence from ``` to a language-specific fence
such as ```text (or ```bash if you prefer) to enable proper syntax highlighting
and linting for that code block.

In `@package.json`:
- Line 34: The dependency "ai": "^5.0.0" is out of alphabetical order in
package.json; move the "ai" entry so dependencies are sorted alphabetically (for
example place "ai" before "`@ai-sdk/anthropic`" or after "h3") to restore
consistent ordering, preserving its version string and trailing commas/JSON
syntax while keeping other dependency entries unchanged.

In `@src/adapters/vcs/github.test.ts`:
- Around line 514-543: Add a regression test to ensure the in-hunk backslash
metadata marker ("\ No newline at end of file") is ignored by
parseChangedLineRangesFromPatch: create a new it block in the existing
describe("parseChangedLineRangesFromPatch") tests that passes a patch containing
a hunk with a real "+" addition line followed immediately by the "\ No newline
at end of file" marker and assert that parseChangedLineRangesFromPatch returns
only the expected range for the real added line (and does not treat the
backslash marker as an added line); reference the
parseChangedLineRangesFromPatch function name and the test suite in
github.test.ts when adding this case.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 309faa1f-9ed8-490e-8d0e-406bc9b4a727

📥 Commits

Reviewing files that changed from the base of the PR and between 19a912d and 193f22c.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (37)

• SETUP.md
• docs/GITHUB-APP-SETUP.md
• docs/superpowers/plans/2026-05-20-pr-review-extensions-implementation-plan.md
• docs/superpowers/specs/2026-05-19-pr-review-extensions-design.md
• env.ts
• package.json
• src/adapters/vcs/github.test.ts
• src/adapters/vcs/github.ts
• src/adapters/vcs/gitlab.test.ts
• src/adapters/vcs/gitlab.ts
• src/adapters/vcs/types.ts
• src/lib/check-output.test.ts
• src/lib/check-output.ts
• src/lib/checks/ai-review.test.ts
• src/lib/checks/ai-review.ts
• src/lib/checks/cache.test.ts
• src/lib/checks/cache.ts
• src/lib/checks/complexity.test.ts
• src/lib/checks/complexity.ts
• src/lib/checks/registry.ts
• src/lib/checks/result.test.ts
• src/lib/checks/result.ts
• src/lib/checks/types.ts
• src/lib/dispatch-review.ts
• src/lib/dispatch.test.ts
• src/lib/pr-context.test.ts
• src/lib/pr-context.ts
• src/lib/prompts.ts
• src/lib/workflow-config.test.ts
• src/lib/workflow-config.ts
• src/routes/webhooks/vcs/github/pull-request.post.test.ts
• src/routes/webhooks/vcs/github/pull-request.post.ts
• src/workflows/prompts-step.test.ts
• src/workflows/prompts-step.ts
• src/workflows/review.test.ts
• src/workflows/review.ts
• workflow.config.yaml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/checks/cache.ts`:
- Around line 29-33: The manifest parsing uses MANIFEST_OPEN and MANIFEST_CLOSE
but finds the closing marker with lastIndexOf which can match a later `-->`
elsewhere; update the logic in the function in src/lib/checks/cache.ts
(variables: start, after, end and constants MANIFEST_OPEN/MANIFEST_CLOSE) to
locate the closing marker paired with the selected open marker by using a search
for MANIFEST_CLOSE starting at `after` (e.g., indexOf with `after` as the
fromIndex) and then validate `end > start`; adjust any subsequent slicing to use
this `end` so the manifest block is correctly extracted.

In `@src/workflows/prompts-step.ts`:
- Around line 111-132: The tests for loadReviewPrompt need their
node:fs/promises mock updated to include lstat and realpath and adjusted
per-test setup: add lstat and realpath to the vi.mock("node:fs/promises", ...)
return object, reset their jest/vi spies in the loadReviewPrompt beforeEach, and
in the “valid relative path” test stub lstat to return an object whose
isSymbolicLink() returns false and stub realpath to return canonical paths such
that realAbs === realRoot or realAbs startsWith(realRoot + path.sep; use the
same repoRoot value as the test), while the missing/oversize local tests should
either have lstat/realpath throw/reject to exercise the new guards or have them
succeed and let stat/readFile drive the size/missing-file assertions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2cb52ef8-8662-47a0-9011-4a86dece5bd4

📥 Commits

Reviewing files that changed from the base of the PR and between 193f22c and 8125e8f.

📒 Files selected for processing (11)

• SETUP.md
• docs/GITHUB-APP-SETUP.md
• package.json
• src/adapters/vcs/github.test.ts
• src/adapters/vcs/github.ts
• src/lib/check-output.ts
• src/lib/checks/ai-review.ts
• src/lib/checks/cache.ts
• src/routes/webhooks/vcs/github/pull-request.post.ts
• src/workflows/prompts-step.ts
• src/workflows/review.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pair the manifest close marker with the selected open marker.

This now assumes the cache block owns the final --> in the whole check output, but src/workflows/review.ts still prefixes the manifest before overflow/unanchored text. Any later --> in a finding or code sample will make parsing fall through to null, so cache reuse silently stops working for that run.

Suggested fix

-  const end = text.lastIndexOf(MANIFEST_CLOSE);
-  if (end <= start) return null;
+  const end = text.indexOf(MANIFEST_CLOSE, after);
+  if (end < after) return null;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/checks/cache.ts` around lines 29 - 33, The manifest parsing uses
MANIFEST_OPEN and MANIFEST_CLOSE but finds the closing marker with lastIndexOf
which can match a later `-->` elsewhere; update the logic in the function in
src/lib/checks/cache.ts (variables: start, after, end and constants
MANIFEST_OPEN/MANIFEST_CLOSE) to locate the closing marker paired with the
selected open marker by using a search for MANIFEST_CLOSE starting at `after`
(e.g., indexOf with `after` as the fromIndex) and then validate `end > start`;
adjust any subsequent slicing to use this `end` so the manifest block is
correctly extracted.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/superpowers/plans/2026-05-21-pre-research-wiring.md`:
- Around line 1329-1331: Add a fence language label to the unlabeled code block
containing the text starting "2. **Read pre-research brief (if present)**" so
markdownlint MD040 is satisfied; change the opening triple backticks to include
a language such as text (e.g., ```text) and leave the rest of the block
unchanged, ensuring the `<pre_research_brief>` mention and emphasis are
preserved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2dccd68b-408a-4202-879d-7b026451a185

📥 Commits

Reviewing files that changed from the base of the PR and between 8125e8f and 667e395.

📒 Files selected for processing (3)

• docs/superpowers/plans/2026-05-21-pre-research-wiring.md
• src/lib/checks/ai-review.test.ts
• src/workflows/prompts-step.test.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a fence language on Line 1329 to satisfy markdownlint MD040.

This code block is currently unlabeled and can trigger docs-lint noise/failures.

Proposed fix

-```
+```text
 2. **Read pre-research brief (if present)** — If the input begins with a `<pre_research_brief>` block, treat its contents as additional context. Trust the brief on external/library/API facts but **verify any code-level claims against the actual repo** before depending on them.

</details>

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 1329-1329: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @docs/superpowers/plans/2026-05-21-pre-research-wiring.md around lines 1329 -
1331, Add a fence language label to the unlabeled code block containing the text
starting "2. Read pre-research brief (if present)" so markdownlint MD040 is
satisfied; change the opening triple backticks to include a language such as
text (e.g., ```text) and leave the rest of the block unchanged, ensuring the
<pre_research_brief> mention and emphasis are preserved.

</details>

<!-- fingerprinting:phantom:poseidon:hawk -->

<!-- This is an auto-generated comment by CodeRabbit -->