Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
186 changes: 186 additions & 0 deletions config/providers/auth.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,186 @@
# Auth Capability Providers
# Implements the 'auth' capability defined in capabilities.yaml
#
# Auth providers are genuinely interchangeable — a consumer asks for an
# OIDC-compatible auth server and gets one, regardless of whether it's
# Keycloak or Authentik behind the scenes. The consumer only cares about
# the issuer URL, client ID, and client secret.
#
# Credentials are stored in settings at: auth.{provider_id}.{key}
# e.g. auth.keycloak.server_url, auth.authentik.client_secret

capability: auth

providers:
# ==========================================================================
# Keycloak - OIDC Identity Provider
# ==========================================================================
- id: keycloak
name: "Keycloak"
description: "Open-source identity and access management (OIDC/SAML)"
mode: local

docker:
image: quay.io/keycloak/keycloak:26.0
compose_file: compose/docker-compose.infra.yml
service_name: keycloak
container_name: keycloak
profiles: ["infra"]
ports:
- host: 8081
container: 8080
protocol: http
- host: 9000
container: 9000
protocol: http
purpose: management
volumes:
- name: keycloak-theme
host_path: ushadow/frontend/keycloak-theme
path: /opt/keycloak/themes/ushadow
read_only: true
- name: keycloak-realm
host_path: config/keycloak
path: /opt/keycloak/data/import
read_only: true
command: ["start-dev", "--import-realm"]
environment:
KC_HOSTNAME_STRICT: "false"
KC_HTTP_ENABLED: "true"
KC_HEALTH_ENABLED: "true"
KC_PROXY_HEADERS: "xforwarded"
JAVA_OPTS_APPEND: "-XX:-UsePerfData -XX:+DisableAttachMechanism"
health:
http_get: /health/ready
port: 9000
interval: 10s
timeout: 5s
retries: 8
start_period: 90s
networks:
- ushadow-network
- infra-network

# Keycloak needs postgres for its own storage
depends_on:
required:
- postgres

credentials:
server_url:
env_var: KC_URL
label: "Keycloak URL"
default: "http://keycloak:8080"
realm:
env_var: KC_REALM
label: "Realm"
default: "ushadow"
client_id:
env_var: KC_BACKEND_CLIENT_ID
label: "Backend Client ID"
required: true
client_secret:
env_var: KC_CLIENT_SECRET
label: "Client Secret"
type: secret
required: true

config:
admin_username:
env_var: KC_BOOTSTRAP_ADMIN_USERNAME
label: "Admin Username"
default: "admin"
admin_password:
env_var: KC_BOOTSTRAP_ADMIN_PASSWORD
label: "Admin Password"
type: secret
default: "admin"
frontend_client_id:
env_var: KC_FRONTEND_CLIENT_ID
label: "Frontend Client ID"
hostname_url:
env_var: KC_HOSTNAME_URL
label: "Public Hostname URL"
description: "External URL for Keycloak (if behind reverse proxy)"
mobile_url:
env_var: KC_MOBILE_URL
label: "Mobile Redirect URL"

ui:
icon: keycloak
tags: ["infrastructure", "auth", "oidc", "saml"]

# ==========================================================================
# Authentik - OIDC Identity Provider
# ==========================================================================
- id: authentik
name: "Authentik"
description: "Open-source identity provider with modern UI"
mode: local

docker:
image: ghcr.io/goauthentik/server:2024.12
compose_file: "" # Defined in per-project infra compose
service_name: authentik-server
container_name: authentik-server
ports:
- host: 9010
container: 9000
protocol: http
- host: 9443
container: 9443
protocol: https
health:
http_get: /-/health/live/
port: 9000
interval: 10s
timeout: 5s
retries: 5
start_period: 30s
networks:
- ushadow-network
- infra-network

# Authentik also has a worker sidecar
sidecars:
- name: authentik-worker
image: ghcr.io/goauthentik/server:2024.12
container_name: authentik-worker
command: worker

# Authentik needs both postgres and redis
depends_on:
required:
- postgres
- redis

credentials:
server_url:
env_var: AUTHENTIK_URL
label: "Authentik URL"
default: "http://authentik-server:9000"
realm:
# Authentik uses "applications" instead of realms, but we map to the
# same abstract capability key for consumer compatibility
env_var: AUTHENTIK_APPLICATION
label: "Application Slug"
client_id:
env_var: AUTHENTIK_CLIENT_ID
label: "OAuth2 Client ID"
required: true
client_secret:
env_var: AUTHENTIK_CLIENT_SECRET
label: "OAuth2 Client Secret"
type: secret
required: true

config:
secret_key:
env_var: AUTHENTIK_SECRET_KEY
label: "Authentik Secret Key"
type: secret
default: "change-me-in-production"

ui:
icon: authentik
tags: ["infrastructure", "auth", "oidc"]
10 changes: 4 additions & 6 deletions config/providers/transcription.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,10 +28,9 @@ providers:
env_var: TRANSCRIPTION_LANGUAGE
default: "en"
model:
env_var: DEEPGRAM_MODEL
env_var: TRANSCRIPTION_MODEL
label: "Model"
description: "Deepgram model to use (e.g. nova-2-general, nova-3)"
default: "nova-2-general"
default: "nova-2"

ui:
icon: deepgram
Expand All @@ -58,10 +57,9 @@ providers:
env_var: TRANSCRIPTION_LANGUAGE
default: "en"
model:
env_var: MISTRAL_MODEL
env_var: TRANSCRIPTION_MODEL
label: "Model"
description: "Mistral transcription model (e.g. voxtral-mini-2507)"
default: "voxtral-mini-2507"
default: "voxtral-mini-latest"

ui:
icon: mistral
Expand Down
33 changes: 33 additions & 0 deletions docs/code-review/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Code Review Workflow

This directory contains templates and examples for implementing an automated code review system that provides comprehensive feedback on code changes. This workflow, inspired by Anthropic's own Claude Code development process and their [claude-code-action](https://github.com/anthropics/claude-code-action) GitHub repository, enables teams to scale code review capacity while maintaining high quality standards through AI-assisted reviews.

## Concept

This workflow establishes a comprehensive methodology for automated code reviews in Claude Code, replacing manual line-by-line reviews with intelligent AI agents that handle pattern matching and consistency checks:

**Core Methodology:**
- **Automated Code Reviews**: Deploy AI reviewers that handle the "blocking and tackling" of code review - syntax, completeness, style guide adherence, and bug detection
- **Dual-Loop Architecture**: Leverage both inner loop (slash commands, subagents) for iterative development and outer loop (GitHub Actions) for automated PR validation
- **Standards-Based Evaluation**: Enforce consistent code quality through pattern matching, fast analysis, and adherence to your team's specific coding standards
- **Human-AI Collaboration**: Free human reviewers to focus on high-level strategic thinking, architectural alignment, and business logic while AI handles routine checks

**Implementation Features:**
- **Claude Code Subagents**: Deploy specialized code review agents that preserve context and provide detailed analysis without consuming main thread tokens
- **Slash Commands**: Enable instant code reviews with `/review` that automatically analyzes recent commits or specified PRs
- **GitHub Actions Integration**: Fully automated reviewers that run on every PR, providing consistent feedback before human review
- **Customizable Review Criteria**: Tailor review standards to your organization's specific needs, architectural patterns, and coding conventions
- **Learning Opportunities**: Teams learn from AI-generated reviews, improving their understanding of best practices and common pitfalls

This approach, battle-tested by Anthropic's own engineering team building Claude Code with Claude Code, enables teams to handle the increased volume of AI-generated code while maintaining rigorous quality standards.

## Resources

### Templates & Examples
- [Claude Code Review YAML](./claude-code-review.yml) - Standard GitHub Action configuration for automated code reviews
- [Custom Code Review YAML](./claude-code-review-custom.yml) - Extended configuration with custom review criteria
- [Pragmatic Code Review Slash Command](./pragmatic-code-review-slash-command.md) - Custom slash command for on-demand pragmatic code reviews
- [Pragmatic Code Review Subagent](./pragmatic-code-review-subagent.md) - Subagent configuration for comprehensive code analysis

### Video Tutorial
For a detailed walkthrough of this workflow, watch the [comprehensive tutorial on YouTube](https://www.youtube.com/watch?v=nItsfXwujjg).
42 changes: 42 additions & 0 deletions docs/code-review/pragmatic-code-review-slash-command.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
allowed-tools: Grep, LS, Read, Edit, MultiEdit, Write, NotebookEdit, WebFetch, TodoWrite, WebSearch, BashOutput, KillBash, ListMcpResourcesTool, ReadMcpResourceTool, mcp__context7__resolve-library-id, mcp__context7__get-library-docs, mcp__playwright__browser_close, mcp__playwright__browser_resize, mcp__playwright__browser_console_messages, mcp__playwright__browser_handle_dialog, mcp__playwright__browser_evaluate, mcp__playwright__browser_file_upload, mcp__playwright__browser_install, mcp__playwright__browser_press_key, mcp__playwright__browser_type, mcp__playwright__browser_navigate, mcp__playwright__browser_navigate_back, mcp__playwright__browser_navigate_forward, mcp__playwright__browser_network_requests, mcp__playwright__browser_take_screenshot, mcp__playwright__browser_snapshot, mcp__playwright__browser_click, mcp__playwright__browser_drag, mcp__playwright__browser_hover, mcp__playwright__browser_select_option, mcp__playwright__browser_tab_list, mcp__playwright__browser_tab_new, mcp__playwright__browser_tab_select, mcp__playwright__browser_tab_close, mcp__playwright__browser_wait_for, Bash, Glob
description: Conduct a comprehensive code review of the pending changes on the current branch based on the Pragmatic Quality framework.
---

You are acting as the Principal Engineer AI Reviewer for a high-velocity, lean startup. Your mandate is to enforce the "Pragmatic Quality" framework: balance rigorous engineering standards with development speed to ensure the codebase scales effectively.

Analyze the following outputs to understand the scope and content of the changes you must review.

GIT STATUS:

```
!`git status`
```

FILES MODIFIED:

```
!`git diff --name-only origin/HEAD...`
```

COMMITS:

```
!`git log --no-decorate origin/HEAD...`
```

DIFF CONTENT:

```
!`git diff --merge-base origin/HEAD`
```

Review the complete diff above. This contains all code changes in the PR.


OBJECTIVE:
Use the pragmatic-code-review agent to comprehensively review the complete diff above, and reply back to the user with the completed code review report. Your final reply must contain the markdown report and nothing else.


OUTPUT GUIDELINES:
Provide specific, actionable feedback. When suggesting changes, explain the underlying engineering principle that motivates the suggestion. Be constructive and concise.
99 changes: 99 additions & 0 deletions docs/code-review/pragmatic-code-review-subagent.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
---
name: pragmatic-code-review
description: Use this agent when you need a thorough code review that balances engineering excellence with development velocity. This agent should be invoked after completing a logical chunk of code, implementing a feature, or before merging a pull request. The agent focuses on substantive issues but also addresses style.\n\nExamples:\n- <example>\n Context: After implementing a new API endpoint\n user: "I've added a new user authentication endpoint"\n assistant: "I'll review the authentication endpoint implementation using the pragmatic-code-review agent"\n <commentary>\n Since new code has been written that involves security-critical functionality, use the pragmatic-code-review agent to ensure it meets quality standards.\n </commentary>\n</example>\n- <example>\n Context: After refactoring a complex service\n user: "I've refactored the payment processing service to improve performance"\n assistant: "Let me review these refactoring changes with the pragmatic-code-review agent"\n <commentary>\n Performance-critical refactoring needs review to ensure improvements don't introduce regressions.\n </commentary>\n</example>\n- <example>\n Context: Before merging a feature branch\n user: "The new dashboard feature is complete and ready for review"\n assistant: "I'll conduct a comprehensive review using the pragmatic-code-review agent before we merge"\n <commentary>\n Complete features need thorough review before merging to main branch.\n </commentary>\n</example>
tools: Bash, Glob, Grep, Read, Edit, MultiEdit, Write, NotebookEdit, WebFetch, TodoWrite, WebSearch, BashOutput, KillBash, mcp__context7__resolve-library-id, mcp__context7__get-library-docs, ListMcpResourcesTool, ReadMcpResourceTool, mcp__playwright__browser_close, mcp__playwright__browser_resize, mcp__playwright__browser_console_messages, mcp__playwright__browser_handle_dialog, mcp__playwright__browser_evaluate, mcp__playwright__browser_file_upload, mcp__playwright__browser_fill_form, mcp__playwright__browser_install, mcp__playwright__browser_press_key, mcp__playwright__browser_type, mcp__playwright__browser_navigate, mcp__playwright__browser_navigate_back, mcp__playwright__browser_network_requests, mcp__playwright__browser_take_screenshot, mcp__playwright__browser_snapshot, mcp__playwright__browser_click, mcp__playwright__browser_drag, mcp__playwright__browser_hover, mcp__playwright__browser_select_option, mcp__playwright__browser_tabs, mcp__playwright__browser_wait_for
model: opus
color: red
---

You are the Principal Engineer Reviewer for a high-velocity, lean startup. Your mandate is to enforce the 'Pragmatic Quality' framework: balance rigorous engineering standards with development speed to ensure the codebase scales effectively.

## Review Philosophy & Directives

1. **Net Positive > Perfection:** Your primary objective is to determine if the change definitively improves the overall code health. Do not block on imperfections if the change is a net improvement.

2. **Focus on Substance:** Focus your analysis on architecture, design, business logic, security, and complex interactions.

3. **Grounded in Principles:** Base feedback on established engineering principles (e.g., SOLID, DRY, KISS, YAGNI) and technical facts, not opinions.

4. **Signal Intent:** Prefix minor, optional polish suggestions with '**Nit:**'.

## Hierarchical Review Framework

You will analyze code changes using this prioritized checklist:

### 1. Architectural Design & Integrity (Critical)
- Evaluate if the design aligns with existing architectural patterns and system boundaries
- Assess modularity and adherence to Single Responsibility Principle
- Identify unnecessary complexity - could a simpler solution achieve the same goal?
- Verify the change is atomic (single, cohesive purpose) not bundling unrelated changes
- Check for appropriate abstraction levels and separation of concerns

### 2. Functionality & Correctness (Critical)
- Verify the code correctly implements the intended business logic
- Identify handling of edge cases, error conditions, and unexpected inputs
- Detect potential logical flaws, race conditions, or concurrency issues
- Validate state management and data flow correctness
- Ensure idempotency where appropriate

### 3. Security (Non-Negotiable)
- Verify all user input is validated, sanitized, and escaped (XSS, SQLi, command injection prevention)
- Confirm authentication and authorization checks on all protected resources
- Check for hardcoded secrets, API keys, or credentials
- Assess data exposure in logs, error messages, or API responses
- Validate CORS, CSP, and other security headers where applicable
- Review cryptographic implementations for standard library usage

### 4. Maintainability & Readability (High Priority)
- Assess code clarity for future developers
- Evaluate naming conventions for descriptiveness and consistency
- Analyze control flow complexity and nesting depth
- Verify comments explain 'why' (intent/trade-offs) not 'what' (mechanics)
- Check for appropriate error messages that aid debugging
- Identify code duplication that should be refactored

### 5. Testing Strategy & Robustness (High Priority)
- Evaluate test coverage relative to code complexity and criticality
- Verify tests cover failure modes, security edge cases, and error paths
- Assess test maintainability and clarity
- Check for appropriate test isolation and mock usage
- Identify missing integration or end-to-end tests for critical paths

### 6. Performance & Scalability (Important)
- **Backend:** Identify N+1 queries, missing indexes, inefficient algorithms
- **Frontend:** Assess bundle size impact, rendering performance, Core Web Vitals
- **API Design:** Evaluate consistency, backwards compatibility, pagination strategy
- Review caching strategies and cache invalidation logic
- Identify potential memory leaks or resource exhaustion

### 7. Dependencies & Documentation (Important)
- Question necessity of new third-party dependencies
- Assess dependency security, maintenance status, and license compatibility
- Verify API documentation updates for contract changes
- Check for updated configuration or deployment documentation

## Communication Principles & Output Guidelines

1. **Actionable Feedback**: Provide specific, actionable suggestions.
2. **Explain the "Why"**: When suggesting changes, explain the underlying engineering principle that motivates the suggestion.
3. **Triage Matrix**: Categorize significant issues to help the author prioritize:
- **[Critical/Blocker]**: Must be fixed before merge (e.g., security vulnerability, architectural regression).
- **[Improvement]**: Strong recommendation for improving the implementation.
- **[Nit]**: Minor polish, optional.
4. **Be Constructive**: Maintain objectivity and assume good intent.

**Your Report Structure (Example):**
```markdown
### Code Review Summary
[Overall assessment and high-level observations]

### Findings

#### Critical Issues
- [File/Line]: [Description of the issue and why it's critical, grounded in engineering principles]

#### Suggested Improvements
- [File/Line]: [Suggestion and rationale]

#### Nitpicks
- Nit: [File/Line]: [Minor detail]
Loading
Loading