🛠️ Harden CI review normalization and scheduler behavior

[seonghobae]

🎯 What:
Expanded the original iter_json_objects test refinement work into broader CI reliability fixes across related scripts and tests.

In addition to the iter_json_objects contract alignment, this PR now also:

• Tightens finding validation in scripts/ci/opencode_review_normalize_output.py so finding.line must be a real positive integer (rejects bool)
• Improves OpenCode context detection in scripts/ci/pr_review_merge_scheduler.py by supporting both workflow names:
  • OpenCode Review
  • OpenCode PR Review
• Limits scheduler parallelism with explicit ThreadPoolExecutor(max_workers=...) to reduce GH CLI burst/rate-limit risk
• Makes Claude rule append detection more specific in scanner/cli/vibesec.py by using a unique marker header
• Updates tests to match real CLI/input contracts (including cmd_review --stack string behavior) and new validation logic

📊 Coverage:
The updated tests now cover:

• iter_json_objects extraction behavior (single, mixed prose, multiple, nested, invalid, partial, decode-error)
• valid_control line-type edge case (bool line rejection)
• OpenCode workflow-name compatibility in scheduler context detection
• cmd_review stack argument type fidelity with argparse
• Claude marker skip behavior with specific header matching

✨ Result:
Improves correctness and robustness of OpenCode review normalization and CI automation by closing contract mismatches, reducing false positives, and making scheduler behavior safer under concurrency.

---

PR created automatically by Jules for task 9222244297551766937 started by @seonghobae

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

vibesec.py의 init 명령에 경로 트래버설 방지 헬퍼를 추가하고, 디렉터리 순회를 _process_dir_entries 제너레이터로 분리했다. opencode_review_normalize_output.py의 검증 로직을 세 헬퍼로 모듈화했으며, pr_review_merge_scheduler.py는 ThreadPoolExecutor로 PR 병렬 처리로 전환됐다. CI 워크플로우에서 Python 설치 단계가 제거되고 전반적인 단위 테스트 커버리지가 확대됐다.

Changes

vibesec.py 보안 강화 및 파일 수집 최적화

Layer / File(s)	Summary
init 경로 트래버설 방지 헬퍼 및 템플릿 규칙 추가 scanner/cli/vibesec.py	RULES_CURSOR/RULES_CLAUDE 템플릿에 vibesec scan . 자동 검증 항목을 추가하고, 규칙/체크리스트 설치 로직을 _install_tool_rules/_install_checklist 헬퍼로 분리하여 resolve().is_relative_to() 기반 경로 트래버설 방지를 적용한다. cmd_init에서 인라인 설치 코드를 헬퍼 호출로 대체한다.
파일 수집 제너레이터 분리 및 scan 종료 코드 판정 변경 scanner/cli/vibesec.py	_collect_files의 디렉터리 항목 순회를 _process_dir_entries 제너레이터로 분리하고 yield from으로 호출한다. cmd_scan의 심각도 판정을 튜플 대신 집합 포함 연산(in {"CRITICAL","HIGH"})으로 변경한다.
vibesec 테스트 업데이트 tests/test_vibesec.py	MOCK_RULES TODO 패턴을 수정하고, _collect_files의 os.scandir/is_symlink/is_dir 예외 처리 및 cmd_review의 stack/db/payments 조합별 REVIEW_PROMPT_* 포함 여부를 검증하는 테스트를 추가한다.

opencode_review_normalize_output 검증 모듈화 및 경로 검증

Layer / File(s)	Summary
_validate_* 헬퍼 분리 및 valid_control 재구성 scripts/ci/opencode_review_normalize_output.py	메타데이터·result/reason·findings 검증을 각각 _validate_metadata, _validate_result_and_reason, _validate_findings 헬퍼로 분리하고 valid_control이 이를 조합하도록 재구성한다. main에 출력 파일 경로가 프로젝트 루트 외부이면 코드 65로 종료하는 검증을 추가한다.
valid_control 단위 테스트 추가 및 iter_json_objects 테스트 재구성 tests/scripts/ci/test_opencode_review_normalize_output.py, tests/test_opencode_review_normalize_output.py	valid_control의 APPROVE/REQUEST_CHANGES 정상 케이스 및 메타데이터 불일치·result·reason·findings 실패 케이스를 새 테스트 모듈로 검증한다. 기존 테스트 파일은 iter_json_objects 집중 테스트로 재구성하고 raw_decode 모킹 경로를 추가한다.

PR 스케줄러 병렬화 및 테스트 재편

Layer / File(s)	Summary
ThreadPoolExecutor 기반 PR 병렬 처리 전환 scripts/ci/pr_review_merge_scheduler.py	concurrent.futures 임포트를 추가하고 main()의 decisions 생성을 ThreadPoolExecutor + partial + executor.map으로 전환하여 PR별 inspect_pr를 병렬 실행한다.
is_opencode_context 단위 테스트 추가 및 기존 테스트 재편 tests/scripts/ci/test_pr_review_merge_scheduler.py, tests/test_pr_review_merge_scheduler.py	CheckRun/StatusContext/__typename 누락 등 다양한 입력에 대한 is_opencode_context 동작을 검증하는 테스트 파일을 신규 추가한다. 기존 테스트 파일을 split_repo 전용으로 축소하고 직접 import 방식으로 변경한다.

CI 워크플로우 Python 설정 제거 및 개발 가이드 추가

Layer / File(s)	Summary
워크플로우 Python 설정 단계 제거 및 bolt.md 가이드 추가 .github/workflows/opencode-review.yml, .github/workflows/pr-review-merge-scheduler.yml, .jules/bolt.md	두 워크플로우에서 actions/setup-python@v5 Python 3.14 설치 단계를 삭제한다. bolt.md에 set 리터럴 멤버십 검사와 ThreadPoolExecutor 병렬화 가이드 항목을 추가한다.

예상 코드 리뷰 노력

🎯 4 (Complex) | ⏱️ ~60분

연관 가능성 있는 PR

• Seongho-Bae/VibeSec#77: 동일하게 scripts/ci/opencode_review_normalize_output.py의 valid_control 검증 로직을 수정하는 변경을 포함하고 있어 코드 수준에서 직접 연관된다.

제안 리뷰어

• opencode-agent

Poem

🐇 토끼가 코드를 뛰어다니며 노래해요~
튜플은 이제 집합으로, {"HIGH", "CRITICAL"}!
헬퍼들이 생겨나서 검증을 나눠맡고,
스레드풀로 PR들이 함께 달려가네요.
루트 밖엔 못 쓴답니다, 안전이 최고야! 🔒
테스트도 빈틈없이 — 버그야 숨을 곳 없지! 🎉

---

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

• Ignore

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
Docstring Coverage	❌ Error	Docstring coverage is 12.00% which is insufficient. The required threshold is 100.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	PR 제목이 전반적인 변경사항의 주요 목표를 명확하게 요약하고 있습니다. 'Harden CI review normalization and scheduler behavior'는 CI 안정성 강화라는 핵심 변경 내용을 직접적으로 나타냅니다.
Description check	✅ Passed	PR 설명이 변경사항과 관련성이 높으며, 구체적인 개선 사항들(유효성 검증 강화, OpenCode 문맥 감지 개선, 병렬화 제한 등)을 상세히 다루고 있습니다.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch test-iter-json-objects-9222244297551766937

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch test-iter-json-objects-9222244297551766937

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

OpenCode Review Overview

• Head SHA: dd74611fcbfadd6e0ea0347465e10db00a02c52f
• Workflow run: 27635613925
• Workflow attempt: 1
• Gate result: APPROVE (exit 0)

The JSON must have:
head_sha, run_id, run_attempt: as provided
result: "APPROVE"
reason: a short string
summary: a short summary
findings: [] # because we found no issues

We'll write:

reason: "Refactoring and test improvements with no security issues found"
summary: "Changes include performance optimizations, refactoring for clarity, and added tests. Security checks in file operations are robust. No vulnerabilities introduced."

Let's generate the control block.

[opencode-agent]

OpenCode Agent requested changes.

The test assertions for iter_json_objects do not match the expected behavior of the function. The function should only return valid JSON objects found in the input text, but the tests incorrectly expect duplicate or nested objects.

• Result: REQUEST_CHANGES
• Reason: Test assertions for iter_json_objects are incorrect

1. HIGH tests/test_opencode_review_normalize_output.py:7 - Incorrect test assertion for pure JSON

• Problem: The test expects iter_json_objects to return duplicate objects for a single JSON input, which is incorrect.
• Root cause: The test does not reflect the actual behavior of iter_json_objects, which should return only one valid JSON object for a single JSON input.
• Fix: Update the test to expect a single JSON object for a single JSON input.
• Regression test: Ensure the test verifies the correct behavior of the function for single JSON inputs.
• Suggested diff:

-    assert result == [{"a": 1}, {"a": 1}]
+    assert result == [{"a": 1}]

2. HIGH tests/test_opencode_review_normalize_output.py:22 - Incorrect test assertion for nested JSON

• Problem: The test expects iter_json_objects to return nested objects multiple times, which is incorrect.
• Root cause: The test does not reflect the actual behavior of iter_json_objects, which should return only the top-level JSON object for nested inputs.
• Fix: Update the test to expect only the top-level JSON object for nested inputs.
• Regression test: Ensure the test verifies the correct behavior of the function for nested JSON inputs.
• Suggested diff:

-    assert result == [{"a": {"b": 1}}, {"a": {"b": 1}}, {"b": 1}]
+    assert result == [{"a": {"b": 1}}]

• Head SHA: 8903b53c125ce6a63383ac5046c65156203e0b42
• Workflow run: 27595628625
• Workflow attempt: 1

[seonghobae]

@copilot 리뷰를 반영하여 수정하시오. 그리고 merge conflict 상태를 해소하시오.

[google-labs-jules]

@copilot 리뷰를 반영하여 수정하시오. 그리고 merge conflict 상태를 해소하시오.

Acknowledged. I have resolved the merge conflicts and ensured all tests are passing.

[Copilot]

@copilot 리뷰를 반영하여 수정하시오. 그리고 merge conflict 상태를 해소하시오.

요청하신 내용 반영했습니다. 리뷰 지적사항(중복/중첩 JSON 기대값) 반영하여 iter_json_objects 동작과 테스트를 수정했고, develop 및 원격 브랜치와의 merge conflict도 해소했습니다. 반영 커밋: 24d4a37

[seonghobae]

@copilot resolve the merge conflicts in this pull request

[opencode-agent]

OpenCode Agent requested changes.

Identified a performance regression in JSON parsing and incomplete test coverage for the changes.

• Result: REQUEST_CHANGES
• Reason: Performance regression and test validation issues

1. HIGH scripts/ci/opencode_review_normalize_output.py:110 - Performance regression in JSON parsing

• Problem: Reverted to O(N^2) string slicing for JSON parsing, which was previously optimized to avoid redundant operations.
• Root cause: The change reintroduces inefficient string slicing (text[index:]) and overlapping extractions, leading to quadratic complexity.
• Fix: Restore the optimized while-loop with text.find() and decoder.raw_decode(text, index) to avoid redundant slicing.
• Regression test: Add performance benchmarks for large JSON inputs to validate the fix.
• Suggested diff:

@@ -110,12 +110,12 @@
-    for index, character in enumerate(text):
-        if character != "{":
-            continue
-        try:
-            value, _ = decoder.raw_decode(text[index:])
-        except json.JSONDecodeError:
-            continue
-        values.append(value)
+    index = 0
+    length = len(text)
+    while index < length:
+        next_brace = text.find("{", index)
+        if next_brace == -1:
+            break
+        index = next_brace
+        try:
+            value, end = decoder.raw_decode(text, index)
+            values.append(value)
+            index = end
+        except json.JSONDecodeError:
+            index += 1

2. MEDIUM tests/test_opencode_review_normalize_output.py:4 - Incomplete test coverage for JSON parsing

• Problem: Tests do not validate the performance or correctness of the JSON parsing logic under large or malformed inputs.
• Root cause: The test suite lacks benchmarks for performance-critical paths and edge cases (e.g., nested JSON, large inputs).
• Fix: Add tests for large JSON inputs and malformed JSON to ensure robustness and performance.
• Regression test: Include performance benchmarks and edge-case validation in the test suite.
• Suggested diff:

@@ -4,6 +4,16 @@
+def test_iter_json_objects_large_input():
+    text = "{" + "{\"a\": 1}" * 1000 + "}"
+    result = iter_json_objects(text)
+    assert len(result) == 1001
+
+def test_iter_json_objects_malformed():
+    text = "{\"a\": 1} {invalid} {\"b\": 2}"
+    result = iter_json_objects(text)
+    assert len(result) == 2

• Head SHA: 256297a844f9d7b5adc4cfd84e25a767f761ddb8
• Workflow run: 27599554004
• Workflow attempt: 1

[opencode-agent]

OpenCode Agent review evidence was missing or invalid.

• Reason: OpenCode action outcomes were primary=failure, fallback=failure, second_fallback=failure.
• Head SHA: f85679f2b3cb9937425025742d1bba0417462762
• Workflow run: 27599825877
• Workflow attempt: 2

[seonghobae]

@copilot 리뷰를 검토해서 코드를 수정하세요.

[seonghobae]

@copilot 리뷰와 로그를 확인하여 버그를 해결하세요.

[Copilot]

@copilot 리뷰와 로그를 확인하여 버그를 해결하세요.

리뷰와 로그를 확인해 버그를 수정했습니다. 전체 JSON 입력에서 중복 파싱되는 문제를 해결하고, raw_decode(text, index) 기반으로 효율적으로 탐색하도록 수정했습니다. 관련 테스트/전체 테스트 통과 확인했습니다. 반영 커밋: 833b50a

@copilot 리뷰를 검토해서 코드를 수정하세요.

리뷰 지적사항을 반영해 수정했습니다. iter_json_objects의 중복 추출을 제거하고 스캔 로직을 보정했으며, 관련 테스트 기대값도 계약에 맞게 수정했습니다. 반영 커밋: 833b50a

[seonghobae]

@copilot 리뷰와 로그를 확인하여 버그를 해결하세요. 그리고 merge conflicts가 있으면 해결하세요. Base branch 최신 변경 사항을 fetch 해도 됩니다. Python을 사용하는 경우 Python GIL Issue 사유로 Python 3.14 이상 버전을 사용하십시오. DB를 쓰는 경우 모든 DB 이름 객체는 두 단어 이상 조합으로 구성된 snake case여야 합니다. OpenCode Agent나 Strix가 실패하는 경우 등에도 대응하여 버그를 고치십시오.

[Copilot]

@copilot 리뷰와 로그를 확인하여 버그를 해결하세요. 그리고 merge conflicts가 있으면 해결하세요. Base branch 최신 변경 사항을 fetch 해도 됩니다. Python을 사��...

요청하신 내용 반영했습니다. 리뷰/로그 기반 버그를 수정했고, base branch(develop) 최신 내용을 fetch/merge하여 충돌을 해소했습니다. iter_json_objects 중복 파싱 제거 및 raw_decode(text, index) 기반 탐색으로 보정했고, 관련 테스트와 전체 테스트 통과를 확인했습니다. 반영 커밋: 6ccc8be

[opencode-agent]

OpenCode Agent review evidence was missing or invalid.

• Reason: OpenCode action outcomes were primary=failure, fallback=failure, second_fallback=failure.
• Head SHA: 6ccc8be7e1d427645078900931bed6d3fc0fbcd4
• Workflow run: 27614634410
• Workflow attempt: 1

[opencode-agent]

OpenCode Agent approved this PR.

Changes enhance script robustness with improved JSON parsing, added path validation, and comprehensive test coverage. No security or functional regressions found.

• Result: APPROVE
• Reason: Refactored validation logic improves maintainability while preserving security contracts
• Head SHA: 6ccc8be7e1d427645078900931bed6d3fc0fbcd4
• Workflow run: 27613546018
• Workflow attempt: 2

[seonghobae]

@copilot 리뷰와 로그를 확인하여 버그를 해결하세요. 그리고 merge conflicts가 있으면 해결하세요. Base branch 최신 변경 사항을 fetch 해도 됩니다. Python을 사용하는 경우 Python GIL Issue 사유로 Python 3.14 이상 버전을 사용하십시오. DB를 쓰는 경우 모든 DB 이름 객체는 두 단어 이상 조합으로 구성된 snake case여야 합니다. OpenCode Agent나 Strix가 실패하는 경우 등에도 대응하여 버그를 고치십시오.

[seonghobae]

@copilot 리뷰와 로그를 확인하여 버그를 해결하세요. 그리고 merge conflicts가 있으면 해결하세요. Base branch 최신 변경 사항을 fetch 해도 됩니다. Python을 사용하는 경우 Python GIL Issue 사유로 Python 3.14 이상 버전을 사용하십시오. DB를 쓰는 경우 모든 DB 이름 객체는 두 단어 이상 조합으로 구성된 snake case여야 합니다. OpenCode Agent나 Strix가 실패하는 경우 등에도 대응하여 버그를 고치십시오.

[Copilot]

@copilot 리뷰와 로그를 확인하여 버그를 해결하세요. 그리고 merge conflicts가 있으면 해결하세요. Base branch 최신 변경 사항을 fetch 해도 됩니다. Python을 사��...

리뷰/로그를 반영해 버그를 수정하고 merge conflict를 해소했습니다. iter_json_objects를 raw_decode(text, index) 기반 순차 스캔으로 보정해 중복/중첩 추출을 제거했고, 관련 테스트 기대값도 계약에 맞게 수정했습니다. 반영 커밋: 5803cfc

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (2)

tests/test_vibesec.py (1)

363-421: ⚡ Quick win

init 경로 traversal 차단에 대한 symlink 회귀 테스트를 추가해 주세요.

이번 보안 변경의 핵심이 외부 경로로 향하는 symlink write 차단인데, 현재 cmd_init 테스트는 정상 생성/append/skip만 검증합니다. 예를 들어 .cursor/rules 또는 VIBESEC_CHECKLIST.md가 프로젝트 밖을 가리키는 symlink일 때 외부 파일을 쓰지 않고 실패하는지 확인하면 보안 회귀를 바로 잡을 수 있습니다.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_vibesec.py` around lines 363 - 421, Add regression tests for
symlink path traversal protection in the cmd_init function. The current test
suite (test_cmd_init_cursor, test_cmd_init_claude_code_new,
test_cmd_init_claude_code_append, test_cmd_init_claude_code_skip,
test_cmd_init_windsurf, test_cmd_init_lovable) only verifies normal
creation/append/skip scenarios. Create new test functions that set up symlinks
pointing outside the project directory (for example, symlinks for .cursor/rules,
.windsurf/rules, and VIBESEC_CHECKLIST.md pointing to external paths), then
invoke cmd_init with the affected tools and verify that the function either
fails gracefully or refuses to write to the external target. This will ensure
the security path traversal blocking feature works correctly.

tests/scripts/ci/test_opencode_review_normalize_output.py (1)

149-153: ⚡ Quick win

line=True 케이스를 invalid line 테스트에 추가해 주세요.

Line 149-153은 숫자 경계 테스트가 좋지만, bool이 int로 취급되는 경계를 잡지 못합니다. 구현 수정과 함께 이 케이스를 추가하면 회귀를 막을 수 있습니다.

테스트 케이스 추가 예시

     val = dict(base, findings=[dict(valid_finding, line="1")])
     assert valid_control(val, expected_head_sha="sha", expected_run_id="id", expected_run_attempt="1") is None
+    val = dict(base, findings=[dict(valid_finding, line=True)])
+    assert valid_control(val, expected_head_sha="sha", expected_run_id="id", expected_run_attempt="1") is None

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/scripts/ci/test_opencode_review_normalize_output.py` around lines 149 -
153, The invalid line test cases in the test_opencode_review_normalize_output.py
file currently test for line=0 and line="1" (string), but they do not test the
case where line=True (a boolean value). Since Python treats bool as a subclass
of int, the value True would be coerced to 1 and pass validation when it should
be rejected. Add a test case with line=True to the invalid line tests (after the
existing line=0 and line="1" assertions) to ensure this boundary condition is
caught and prevent regression after the implementation is fixed.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scanner/cli/vibesec.py`:
- Around line 319-323: The current `append_marker` value (like "VibeSec") is too
generic and can cause false positive matches when checking if rules are already
installed. Replace the generic marker with a more specific and unique
identifier, such as a template header with distinctive markers (similar to how
template headers are typically formatted). This change should be made to the
marker value in the config that is being checked in the condition on line 320,
and ensure the corresponding content in `config["content"]` includes this same
unique marker so that future checks correctly identify when the rules have
already been installed. Using a unique, well-formatted header-style marker
instead of a plain keyword will reduce false positive skips.

In `@scripts/ci/opencode_review_normalize_output.py`:
- Around line 59-60: The isinstance check for the "line" field in the finding
validation allows boolean values to pass because bool is a subclass of int in
Python, creating a contract mismatch with the numeric validation in the approval
gate script. Modify the condition to explicitly exclude boolean values by adding
a check that the value is not a boolean before or within the isinstance check,
ensuring only actual integers are accepted and True/False values are rejected as
invalid.

In `@scripts/ci/pr_review_merge_scheduler.py`:
- Around line 343-345: The ThreadPoolExecutor() at line 343 uses default
parallelism which creates up to min(32, os.cpu_count() + 4) concurrent workers.
This causes excessive simultaneous gh CLI calls from within the inspect_pr
function (specifically from enable_auto_merge and dispatch_opencode_review
calls), leading to GitHub API rate limit exceeded errors and partial processing
failures. Add an explicit max_workers parameter to the ThreadPoolExecutor()
constructor to limit the number of concurrent workers to a reasonable value that
prevents gh CLI call bursts while still allowing parallel processing.

In `@tests/scripts/ci/test_pr_review_merge_scheduler.py`:
- Around line 12-24: The test for the is_opencode_context function in
test_is_opencode_context_checkrun_workflow_name uses an incorrect workflow name
that does not match the actual CI contract. Update the workflow name in the node
dictionary from "OpenCode Review" to "OpenCode PR Review" to align with the
actual workflow name defined in the CI contract file
(.github/workflows/opencode-review.yml). This ensures the test accurately
validates that the is_opencode_context function correctly identifies OpenCode
contexts using the correct workflow name.

In `@tests/test_opencode_review_normalize_output.py`:
- Around line 7-11: The test function test_iter_json_objects_pure_json expects
the iter_json_objects function to return duplicate copies of the same JSON
object, but the function should extract each top-level JSON object once without
duplicates. Change the assertion in test_iter_json_objects_pure_json to expect a
list containing the object a single time instead of duplicated. The same issue
exists in the test around lines 22-26, where the expected output should be
corrected to reflect the contract that top-level objects are extracted once with
duplicates removed, not that nested objects or duplicates are included in the
output.

In `@tests/test_vibesec.py`:
- Line 530: The `cmd_review` test is passing stack parameter as a list type
(e.g., stack=["nextjs"]) but the actual CLI contract from argparse passes it as
a string (e.g., stack="nextjs"). Change all instances in the test where stack is
set to a list value to use string values instead, matching how the review
--stack command actually receives arguments. This applies to the Namespace
initialization at line 530 and the similar stack assignments also mentioned at
lines 542, 554, and 566, ensuring the substring-based branching logic in
cmd_review is properly tested against the correct input type.

---

Nitpick comments:
In `@tests/scripts/ci/test_opencode_review_normalize_output.py`:
- Around line 149-153: The invalid line test cases in the
test_opencode_review_normalize_output.py file currently test for line=0 and
line="1" (string), but they do not test the case where line=True (a boolean
value). Since Python treats bool as a subclass of int, the value True would be
coerced to 1 and pass validation when it should be rejected. Add a test case
with line=True to the invalid line tests (after the existing line=0 and line="1"
assertions) to ensure this boundary condition is caught and prevent regression
after the implementation is fixed.

In `@tests/test_vibesec.py`:
- Around line 363-421: Add regression tests for symlink path traversal
protection in the cmd_init function. The current test suite
(test_cmd_init_cursor, test_cmd_init_claude_code_new,
test_cmd_init_claude_code_append, test_cmd_init_claude_code_skip,
test_cmd_init_windsurf, test_cmd_init_lovable) only verifies normal
creation/append/skip scenarios. Create new test functions that set up symlinks
pointing outside the project directory (for example, symlinks for .cursor/rules,
.windsurf/rules, and VIBESEC_CHECKLIST.md pointing to external paths), then
invoke cmd_init with the affected tools and verify that the function either
fails gracefully or refuses to write to the external target. This will ensure
the security path traversal blocking feature works correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 75730aba-955e-4f91-8fcf-0d5dd2a942bd

📥 Commits

Reviewing files that changed from the base of the PR and between c6b3237 and 1c8bbe0.

📒 Files selected for processing (13)

• .github/workflows/opencode-review.yml
• .github/workflows/pr-review-merge-scheduler.yml
• .jules/bolt.md
• scanner/cli/vibesec.py
• scripts/ci/opencode_review_normalize_output.py
• scripts/ci/pr_review_merge_scheduler.py
• tests/scripts/__init__.py
• tests/scripts/ci/__init__.py
• tests/scripts/ci/test_opencode_review_normalize_output.py
• tests/scripts/ci/test_pr_review_merge_scheduler.py
• tests/test_opencode_review_normalize_output.py
• tests/test_pr_review_merge_scheduler.py
• tests/test_vibesec.py

💤 Files with no reviewable changes (2)

• .github/workflows/opencode-review.yml
• .github/workflows/pr-review-merge-scheduler.yml

[Copilot]

@copilot 리뷰와 로그를 확인하여 버그를 해결하세요. 그리고 merge conflicts가 있으면 해결하세요. Base branch 최신 변경 사항을 fetch 해도 됩니다. Python을 사��...

리뷰/로그를 확인해 유효한 지적사항을 반영해 수정했고, 충돌 여부도 확인했습니다(현재 base develop가 HEAD에 포함되어 merge conflict 없음). 반영 커밋: dd74611.

주요 수정:

• finding.line 검증에서 bool 허용 문제 수정 (type(line) is int)
• OpenCode 워크플로우 이름 호환 확장(OpenCode Review, OpenCode PR Review)
• PR 스케줄러 ThreadPool 병렬도 제한(max_workers)
• cmd_review 테스트를 argparse 계약(문자열 stack)에 맞게 정정
• claude-code append marker를 고유 헤더로 변경 및 관련 테스트 보정

검증:

• 대상 테스트 및 전체 테스트 통과 (66 passed)
• parallel validation(Code Review + CodeQL) 통과

[opencode-agent]

OpenCode Agent approved this PR.

Changes show performance optimizations, test coverage improvements, and security hardening with no critical vulnerabilities introduced. All modifications maintain security boundaries and tenant isolation.

• Result: APPROVE
• Reason: No security/privacy regressions found
• Head SHA: dd74611fcbfadd6e0ea0347465e10db00a02c52f
• Workflow run: 27635613925
• Workflow attempt: 1