Skip to content

Add InfraGuard review pipeline#148

Merged
guima-why merged 2 commits into
mainfrom
codex/feature-review-skill
Jul 7, 2026
Merged

Add InfraGuard review pipeline#148
guima-why merged 2 commits into
mainfrom
codex/feature-review-skill

Conversation

@guima-why

Copy link
Copy Markdown
Collaborator

Summary

  • Replace the placeholder selling pipeline review step with an InfraGuard-backed ROS template review and repair workflow.
  • Add pipeline prerequisite handling for the infraguard CLI so review can be enabled only when the required tool is available.
  • Keep the interactive installer configuration-driven and simplify InfraGuard installation to the direct binary download path only, with environment override URLs, an OSS mirror, GitHub fallback URLs, SHA-256 verification, and post-install infraguard policy update.
  • Add the infraguard_scan pipeline tool with structured scan output, concise and expanded rendering, result redaction, policy/aspect expansion, and deterministic handling of CLI errors.
  • Inject selected plan context into the review step so the LLM can choose review aspects from pipeline YAML before expanding them into InfraGuard policies.
  • Update REPL prerequisite UI behavior for in-place progress, cancellation, translated user-facing text, and clearer completion/failure handling.
  • Extend pipeline completion guards, recovery/session state, A2A event translation, telemetry serialization, and tool result rendering so the new review workflow remains observable and resumable across REPL, headless, ACP, and A2A surfaces.
  • Add six-language translation coverage for new user-facing strings and add evals.json for the review skill.

Motivation

The selling pipeline previously had a placeholder review skill. The new workflow makes the review step actionable by using InfraGuard as the source of policy findings, allowing the agent to repair generated ROS templates and validate them before continuing. The prerequisite flow also prevents non-interactive runs from hanging or failing unpredictably when InfraGuard is not installed, while still giving REPL users a guided installation path.

User Impact

  • When review is enabled, the pipeline now reviews generated templates after template generation and before downstream cost/deployment work.
  • REPL users are prompted to install InfraGuard only when the review step needs it; if the prerequisite is unavailable in non-interactive mode, the review feature is disabled for that run instead of blocking execution.
  • Direct binary download is now the only offered installer path, avoiding Homebrew and Go installation reliability issues.
  • InfraGuard scan output is compact by default and can still be expanded for detailed diagnostics.
  • If the initial InfraGuard scan has no findings, the review skill can avoid unnecessary repair/validation/final-scan work.

Implementation Notes

  • pipeline.yaml defines the InfraGuard prerequisite, direct binary assets for macOS/Linux/Windows, version constraints, post-install policy update, review aspects, and blocking severities.
  • The prerequisite engine supports command/version checks, installer selection, direct binary download progress, checksum verification, post-install commands, and configurable behavior for REPL versus non-interactive modes.
  • The review prompt receives step config and plan context so aspect selection stays LLM-driven while policy mappings remain centralized in YAML.
  • Tool result redaction keeps large or sensitive tool payloads from overwhelming user-visible transcript, telemetry, and A2A surfaces.

Validation

  • make test
    • 8228 passed, 1 skipped, 271 warnings
  • make lint
    • ruff check src/ tests/: all checks passed
    • ty check src/: all checks passed
  • Pre-commit hooks during amend:
    • lint: passed
    • format: passed

Notes

  • GitHub-reported dependency vulnerabilities shown during push are on the default branch and are not introduced by this branch.

@guima-why guima-why marked this pull request as ready for review July 7, 2026 07:02
@guima-why guima-why merged commit e65fdb1 into main Jul 7, 2026
13 checks passed
@guima-why guima-why deleted the codex/feature-review-skill branch July 7, 2026 07:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant