IntelligenceX Roadmap

Status: In progress

Ops Agent Backlog

For the "smart colleague" chat agent roadmap (ADPlayground/TestimoX/ComputerX/EventViewerX + runtime parallelism), see Docs/agent-superpowers-backlog.md.

Chat/Tools Decoupling Migration

PR Feedback Churn

  • PR #399: Confirm intended shutdown semantics/ownership boundaries for queued UI publish awaiters (CancelQueuedUiPublishesForShutdown) because reviewer todo/critical guidance alternates between "complete on shutdown" vs "cancel on shutdown" and repeatedly reports outdated shutdown-order findings after fixes. Source: #399 (comment)
  • PR #438: Confirm intended routing transparency emission policy (ShouldEmitRoutingTransparency) because reviewer todo/critical guidance repeatedly alternates between "emit only on consistent/informative routing states" and "always emit with normalized counts," producing non-deterministic merge blockers after each fix. Source: #438 (comment)
  • PR #535: Reviewer todo/critical is due to review context truncation (1 patch trimmed to 4000 chars) and reports missing scripts/profile-chat-startup.ps1 implementation diff despite green required checks; treat as churn unless maintainers explicitly escalate. Source: #535 (comment)
  • PR #575: Reviewer todo/critical guidance for missing gate ruleType semantics is non-deterministic across iterations (alternates between permissive include vs strict non-match expectations while context is truncated); treat as churn unless maintainers explicitly choose one semantic contract. Source: #575 (comment)
  • PR #520: Reviewer workflow is infra-blocked on private runner auth (Not logged in. Run ChatGPT login first.), causing review / review and follow-on reviewer-guard failures despite green code checks. Source: https://github.com/EvotecIT/IntelligenceX/actions/runs/22141140443/job/64005725339 and https://github.com/EvotecIT/IntelligenceX/actions/runs/22141140352/job/64005726339
  • PR #608: Reviewer todo/critical suggests stale apply-response ordering in runtime UI, but apply execution is serialized in app-side queue (_localProviderApplyInFlight + pending request drain) and no reproducible stale-final-state path was observed after merged clear-flag fix; treat as churn unless maintainers escalate with a failing repro. Source: #608 (comment)
  • PR #715: Reviewer todo/critical keeps reporting generic archive-cache concurrency uncertainty under truncated diff context (patches trimmed to 4000 chars) even after explicit zip-slip defense, lock-based extraction/eviction, deterministic temp cleanup, and new negative/concurrency tests; treat as churn unless maintainers escalate with a failing repro. Source: #715 (comment)
  • PR #720: Reviewer todo/critical keeps reporting reusable-workflow input mismatch after fix because workflow guardrail excludes .github/workflows/* from review context; treat as churn unless maintainers escalate with a reproducible runtime validation failure. Source: #720 (comment)
  • PR #802: Website path was fixed by follow-up PR #803 (ci(website): roll forward default PowerForge pin) merged on February 25, 2026; verification runs passed (Website Build (PR): https://github.com/EvotecIT/IntelligenceX/actions/runs/22392653741 and Deploy Website on master: https://github.com/EvotecIT/IntelligenceX/actions/runs/22392976748).
  • PR #813: Reviewer todo/critical keeps re-raising mutually conflicting exclude-path normalization blockers after explicit canonicalization + rooted-path rejection + passing helper/end-to-end regressions; treat as churn unless maintainers escalate with a failing repro. Source: #813 (comment)
  • PR #996: Required review / review check is infra-blocked by transient GitHub API failures (500/502) in the review workflow/app-token setup despite green platform checks; no code-actionable signal observed. Source: https://github.com/EvotecIT/IntelligenceX/actions/runs/22637975502/job/65606164912 and https://github.com/EvotecIT/IntelligenceX/actions/runs/22638165201/job/65606970496
  • PR #1078: Required checks did not attach to head 8487f8187693289e5e5650176303c97c9a80399e after push, leaving the PR pending with 0 statuses; manual workflow_dispatch retries for test-dotnet.yml, review-intelligencex.yml, website-ci.yml, and ix-pr-babysit-monitor.yml all failed with GitHub HTTP 500, so treat as Actions infra-blocked unless maintainers explicitly accept admin merge risk. Source: #1078 (comment)
  • PR #1099: Reviewer todo/critical still repeats the short generic-question capability false-positive after the shared helper now returns false for <= 3 tokens and both public/helper regressions cover What is this?; latest reviewer triage explicitly says the complained behavior is no longer present, so treat the remaining blocker as bot churn unless maintainers escalate with a failing repro. Source: #1099 (comment)
  • PR #1155: Reviewer todo/critical still repeats the EventLog helper-name mismatch after EventLogToolContracts centralizes eventlog_channels_list in pack metadata and ToolDefinitionContractTests verifies setup/recovery helper names resolve to registered EventLog tools; latest reviewer thread triage explicitly says the renamed helper route is addressed and only lacks diff evidence, so treat the remaining blocker as churn unless maintainers escalate with a failing repro. Source: #1155 (comment)
  • PR #1179: Reviewer todo/critical still repeats the duplicate-target normalization blocker after NormalizeBackgroundSchedulerMutationTargets trims before case-insensitive duplicate detection and ToolHealthContractTests cover exact whitespace/case variants like ["foo", " foo ", "FOO"] for blocked pack/thread requests plus wire deserialization; latest reviewer note appears to be diff-evidence churn unless maintainers escalate with a failing repro. Source: #1179 (comment)

Reviewer E2E Launch Plan

Status: In progress

Goal: reviewer + static analysis + onboarding (CLI + Web) feel "done" end-to-end for a new repo.

Acceptance (Definition Of Done)

  • A new user can run intelligencex setup wizard on a clean machine and reach "PR created" without manual repo edits.
  • A new user can run intelligencex setup web and reach "PR created" without manual repo edits.
  • First merged onboarding PR produces a successful review on the next PR (sticky summary + inline when supported).
  • Review comment always includes reviewed SHA and an explicit diff-range label (base -> head).
  • Static analysis runs before review, publishes artifacts, and the review comment always renders analysis status (pass/unavailable) even when findings are zero.
  • Static analysis gate behavior is predictable: failing types/severities are documented and match observed CI results.
  • Dependabot identity limitation is documented and visible during onboarding (reviews may be authored by github-actions).

Phase A — Onboarding UX (CLI + Web)

  • CLI wizard: add "Enable static analysis" toggle and pack picker (default all-50).
  • Web UI: add "Enable static analysis" toggle and pack picker (default all-50).
  • CLI + Web: show a final "Effective config" preview (review + analysis) before Apply.
  • CLI + Web: surface the Dependabot secrets limitation in the UI copy (why bot identity may differ).
  • CLI + Web: add a post-Apply "Verify" step (workflow present, config present if requested, required secrets present, last runs links).

Phase B — Setup Output (Workflow + reviewer.json)

  • Setup config writer: include analysis section in .intelligencex/reviewer.json when static analysis is enabled (create + merge paths).
  • Setup presets: define recommended tiers for analysis packs (all-50, all-100, all-500) and a "no analysis" option.
  • Ensure workflow/config generation stays stable across upgrades (managed block upgrades do not delete user customization outside managed block).

Phase C — Review Reliability (Reduce Churn, Increase Continuity)

  • Add a diff range option for incremental review (for example reviewDiffRange: last-reviewed uses the last reviewed commit from the sticky summary as base).
  • Add a deterministic "replay" mode for debugging: load a saved PR snapshot + artifacts and run review formatting without provider calls.
  • Ensure thread triage does not repeatedly re-suggest already-addressed items; prefer dedupe and summary stability over rewriting.

Phase D — Static Analysis Productization

  • Wizard: explain analysis gate semantics (which types/severities fail the check) and link to docs.
  • Add "list packs" affordance in onboarding (CLI and Web) so users can browse available packs.
  • Provide an optional "export analyzer config" path for IDE support (explicit opt-in, never default).
  • Add a CI guardrail: intelligencex analyze validate-catalog and pack integrity checks run on every PR that touches Analysis/Catalog or Analysis/Packs.

Phase E — Docs + Samples

  • Promote Docs/reviewer/static-analysis.md from Draft to stable docs (align examples with actual wizard output).
  • Add "First PR checklist" doc: what to expect after merging onboarding PR and how to debug common issues.
  • Add screenshots (CLI + Web) for the "Configure" step and the "Verify" step.

Phase F — End-To-End Tests

  • Add tests for setup plan generation: ensure enabling analysis produces analysis in reviewer.json and does not regress existing review settings.
  • Add tests for config merge behavior (existing reviewer.json + enable analysis preserves unrelated user keys).
  • Add unit tests for SetupAnalysisPacks.TryNormalizeCsv (empty/default, invalid chars, max ids/length, dedupe).
  • Add tests for web setup validation: analysis fields rejected when not applicable (config override, update-secret/cleanup), and rejected when analysisEnabled != true but gate/packs provided.

Engine Roadmap

Status: In progress

Now — Phase 1–2 (concrete)

  • Add error classification enum + mapping (S)
  • Add diagnostic context in reviewer output (request id, retry count, provider) (S)
  • Add retry policy options in config (backoff + max attempts) (M)
  • Gate fail-open to transient errors only (S)
  • Add connectivity preflight (DNS/TLS) with actionable errors (M)
  • Add diff-range selection + default (current/pr-base/first-review) (M)
  • Add include/exclude glob filters for files (S)
  • Add smart chunking (group related hunks) (M)
  • Add review intent presets (security/perf/maintainability) (S)

Phase 0 — Scope + success criteria

  • Define "engine" scope (review pipeline, providers, context builder, formatter, thread triage).
  • Capture success metrics (review latency, failure rate, reviewer usefulness score).
  • Decide default review mode + model policy (safe defaults).

Phase 1 — Reliability + diagnostics

  • Classify error types (transient vs auth vs config vs provider) with explicit codes.
  • Add structured diagnostics block to reviewer output (request id, retry count, provider).
  • Add connectivity preflight (DNS/TLS) with actionable error messages.
  • Add configurable retry policy with exponential backoff + jitter.
  • Add fail-open gating for transient errors only (explicit config).

Phase 2 — Context quality

  • Add diff-range strategy options (current/pr-base/first-review) with default.
  • Add file filters (include/exclude globs).
  • Add binary/generated file skipping.
  • Add smart chunking (keep related hunks together; avoid orphaned changes).
  • Add language-aware hints (prompt includes detected languages).
  • Add "review intent" presets (security/perf/maintainability).

Phase 3 — Review output + UX

  • Add optional "reasoning level" label in header (low/medium/high) when provider supports it.
  • Add optional usage/limits line near model header (opt-in; ChatGPT auth).
  • Add structured findings schema for bots/automation (severity + file + line).
  • Add summary stability (avoid noisy rewording across reruns).
  • Add “triage mode” that only checks open threads.

Phase 4 — Thread triage + auto-resolve

  • Keep thread triage in main review comment (configurable placement).
  • Support "explain why not resolved" replies (optional).
  • Add diff-based auto-resolve checks (explicit evidence required).
  • Add per-bot policies (auto-resolve only for our bot by default).
  • Add PR comment summarizing what was auto-resolved.

Phase 5 — Provider abstraction

  • Centralize provider contracts (capabilities, limits, streaming, auth).
  • Add provider capability flags (usage API, reasoning level, streaming).
  • Add opt-in provider fallback (e.g., OpenAI → Copilot).
  • Add provider health checks and circuit breaker.

Phase 5.5 — Code host support (Azure DevOps Services)

  • Define code-host interface (PR metadata, files, diff, comments, threads).
  • Add ADO auth options (PAT, System.AccessToken) + env var mapping.
  • Phase 1: summary-only PR comments (no inline) using ADO REST APIs (PR-level changes endpoint for full file list).
  • Document Azure auth scheme heuristic + override guidance.
  • Document PR-level changes behavior (uses pull request changes endpoint).
  • Phase 2: inline comments with iteration + line mapping support.
  • Phase 3: thread triage + auto-resolve via thread status updates.
  • Add CLI flags/config: provider=azure, azureOrg, azureProject, azureRepo, azureBaseUrl, azureTokenEnv.
  • Add ADO pipeline templates (onboarding, permissions, secrets).

Phase 6 — Performance + cost

  • Add response streaming where supported (show partial progress).
  • Add cache for context artifacts (diff, file lists, PR metadata).
  • Add concurrency controls to avoid API throttling.
  • Consider shared HttpClient/IHttpClientFactory for Azure DevOps client.
  • Add token budgeting per file/group with hard caps.
  • Add optional "budget exceeded" summary behavior.

Phase 7 — Security + trust

  • Redact sensitive data before prompt (secrets, tokens, private keys).
  • Sanitize Azure DevOps API error payloads in logs.
  • Add "untrusted PR" guardrails (no secret access, no write actions).
  • Add workflow integrity check (block self-modifying workflow runs).
  • Add audit logging for secrets usage.

Phase 8 — Testing + validation

  • Add deterministic test harness with recorded provider responses.
  • Add golden-file tests for formatter output stability.
  • Add smoke tests for thread triage + auto-resolve.
  • Add integration test for usage/limits display.

Phase 9 — Developer experience

  • Provide local "engine replay" CLI (load PR snapshot + run offline).
  • Provide structured JSON output mode for integrations.
  • Add config validator with helpful errors + schema links.

Onboarding Roadmap (Wizard + CLI)

Status: In progress

Phase 0 — Goals & constraints

  • Confirm onboarding goals (wizard + PR-only path + upgrade path)
  • Confirm default auth choice (vendor OAuth for single repo, BYO App for org)
  • Confirm secret handling policy (auto if Sodium, manual fallback)
  • Confirm UI choice (local web UI + Spectre.Console wizard)

Phase 1 — Core setup architecture (shared by CLI + UI)

  • Add SetupHost orchestration layer (single source of truth)
  • Add wizard state model (repos, config, auth, apply mode)
  • Implement Plan → Apply flow with dry-run output
  • Implement upgrade/modify detection (existing workflow/config)

Phase 2 — CLI Wizard (Spectre.Console)

  • Add Spectre.Console dependency (CLI project only)
  • Implement interactive steps:
    • Auth mode selection
    • GitHub auth flow
    • Org vs repo selection
    • Repo multi-select
    • Config presets + advanced JSON editor
    • OpenAI login (reuse if present)
    • Apply (PR creation)
  • Non-interactive fallback (--plain, redirected input)
  • Summary table + PR links
  • Keep-secret propagation for cleanup
  • Disable manual-secret for update-secret flow

Phase 3 — GitHub App Manifest (BYO App)

  • Manifest generation (pre-filled app definition)
  • Open GitHub "Create App from Manifest"
  • Handle callback and exchange code for app id + PEM
  • App install flow (select repos / all repos)
  • Store app credentials locally for reuse

Phase 4 — Secrets handling

  • Auto-encrypt and upload secrets when Sodium available
  • Manual secret fallback (print export + instructions)
  • Support INTELLIGENCEX_AUTH_KEY for encrypted store

Phase 5 — Local Web UI Wizard

  • Local web host (Kestrel) + static assets
  • Wizard screens (same steps as CLI)
  • Advanced JSON editor panel
  • Progress checklist + success summary
  • "Manage existing setup" flow (load config from repo)
  • Workflow preview in web UI
  • Config presets (local storage)
  • Preset export/import (web UI)
  • Status badges (auth/repo/secret)
  • Enforce loopback + HTTP-only binding
  • Device flow timeout + expiry messaging
  • GitHub App manifest flow in web UI
  • Detect existing workflow/config (repo inspection)
  • Recommend setup actions based on inspection
  • Support auth bundle input for secrets (web UI)
  • Update-secret support in web UI
  • Reject non-local web UI requests + require JSON body

Phase 6 — Reviewer improvements

  • Early auth validation with actionable errors
  • Safer auth store handling in reviewer
  • Explicit secrets in workflow (no secrets: inherit)
  • Retry extra ResponseEnded + fail-open summary option

Phase 7 — Docs & README

  • README rewrite (what it is, trust model, quickstart)
  • Docs: wizard onboarding, CLI quickstart, security/trust
  • Screenshot placeholders + asset folder

Phase 8 — Copilot (experimental)

  • Keep CLI Copilot optional provider
  • Research native Copilot feasibility
  • Add provider toggle in wizard

Phase 9 — DevEx automation

  • Auto-resolve IntelligenceX bot review threads after fixes (CLI command or GitHub App action)

Review Feedback Backlog (Bots)

Collapsed by PR. Includes only explicit checklist items found in bot reviews/comments.

  • PR #3 Review smoke test — checklist items: Generate review findings (in progress); Finalize summary. Links: #3 (comment)
  • PR #21 Auto-resolve missing inline review threads — checklist items: Decide if auto-resolving should run when the latest review has zero inline comments; if yes, remove the inlineKeys.Count > 0 guard (suggested above). Links: #21 (comment)
  • PR #22 Add review thread resolver and simplify release notes — checklist items: Redact or avoid posting raw exception summaries to PR comments; keep detailed errors in logs.; Ensure fail-open output is detected and used to skip inline comments / thread resolution.; Propagate compare API truncation to avoid incorrect diff-based auto-resolve decisions. Links: #22 (comment)
  • PR #30 Reviewer: configurable retry backoff + jitter — checklist items: Validate retryBackoffMultiplier is finite in config loader and env parsing to prevent invalid delays. Links: #30 (comment)
  • PR #31 Reviewer: add native connectivity preflight — checklist items: Simplify or differentiate the non‑success HTTP status handling in the preflight block to avoid redundant logic.; Add tests that cover preflight timeout, DNS failure, and non‑2xx responses to ensure error mapping is stable. Links: #31 (comment)
  • PR #33 Reviewer: add review diff-range selection — checklist items: Unregister the Console.CancelKeyPress handler on exit (e.g., in a finally block). Links: #33 (comment)
  • PR #36 Add Claude Code GitHub Workflow — checklist items: Generate review findings (in progress); Finalize summary. Links: #36 (comment)
  • PR #37 Docs: clarify config load exception wording — checklist items: Align exception type/documentation for parse failures (either adjust behavior or revert doc to “not found” only). Links: #37 (comment)
  • PR #40 Docs: polish reviewer config and CLI usage — checklist items: Verify the correct CLI flag for reviewer auth and align the resolve-threads example accordingly. Links: #40 (comment)
  • PR #41 feat: copilot direct transport + unified roadmap — checklist items: Preserve required environment variables (or require absolute CliPath) when InheritEnvironment=false.; Reject Timeout == TimeSpan.Zero in CopilotChatClientOptions.Validate().; Define and enforce precedence between Token and Authorization header for direct transport. Links: #41 (comment)
  • PR #43 Azure DevOps review changes — checklist items: Fetch full PR changes instead of only the latest iteration; consider using the PR-level changes endpoint or aggregating across iterations to avoid missing files. Links: #43
  • PR #45 OpenAI native tool calling — checklist items: Support snake_case "response_id" in TurnInfo.FromJson to avoid losing the response id on different payload formats.; Make ToolRegistry.GetDefinitions() return a deterministic order to avoid request/test flakiness. Links: #45 (comment)
  • PR #56 feat: add review budget summary note — checklist items: Align PrepareFiles behavior for maxFiles <= 0 with ADO path to avoid empty context and misleading budget notes. Links: #56 (comment)
  • PR #62 feat: block self-modifying workflow runs — checklist items: Add a .yaml workflow test case to cover both supported extensions. Links: #62 (comment)
  • PR #63 feat: add secrets audit logging — checklist items: Prevent SecretsAudit.Record from queuing entries when auditing is disabled (gate with an “enabled” flag or similar).; Fix token selection to fall back on GITHUB_TOKEN when INTELLIGENCEX_GITHUB_TOKEN is empty/whitespace. Links: #63 (comment)
  • PR #65 feat: always summarize thread auto-resolve — checklist items: Make BuildFallbackTriageSummary accessible to tests without reflection (e.g., internal + InternalsVisibleTo) to reduce brittleness.; Add at least one more test case for fallback summary (e.g., kept-only and mixed resolved/kept). Links: #65 (comment)
  • PR #73 fix: harden retry backoff and file limits — checklist items: Deduplicate finite validation between config/env parsing; Add a negative maxFiles test to document <= 0 behavior; Document why non-finite backoff values are rejected; Clarify maxFiles <= 0 meaning in docs. Links: #73
  • PR #74 Fix reviewer backlog items — checklist items: Consider an integration-style test that validates the failure-summary update path in Program.RunAsync. Links: #74
  • PR #208 Manage hub external-command review churn — checklist item keeps reappearing despite early-return startup/read-init failure handling in IntelligenceX.Cli/Program.Manage.Utility.cs; treat as churn unless maintainers escalate. Links: #208 (comment)
  • PR #210 CLI/Web onboarding review churn — blocker oscillates between opposite onboarding state models across iterations; treat as churn unless maintainers explicitly escalate. Links: #210 (comment)
  • PR #229 analysis-export duplicate review churn — checklist item still reports missing mixed-separator duplicate normalization after ce8f1c2; TestSetupAnalysisExportDuplicateTargetDetection now includes .intelligencex\\analyzers\\.editorconfig vs .intelligencex/analyzers/.EDITORCONFIG and passes locally + CI. Treat as churn unless maintainers escalate. Links: #229 (comment)
  • PR #234 setup post-apply verification churn — latest bot item claims HandleSetupAsync still passes request.SecretOrg, but code at IntelligenceX.Cli/Setup/Web/WebApi.Setup.cs:210 already passes secretOrgForRepo into ResolveOrgSecretVerificationContext; treat as churn unless maintainers escalate. Links: #234 (comment)
  • PR #248 onboarding autodetect review churn — after multiple fix batches (2dd8482) and green required checks, bot still reports speculative merge blockers about subprocess strategy/workspace validation not tied to reproducible failures in current diff. Track separately and escalate only if maintainers require additional hardening before merge. Links: #248 (comment)
  • PR #275 multi-account routing review churn — after multiple fix batches (5642679, f325671) and green required checks, latest bot todo items report non-reproducible issues already covered by current code paths/tests (case-insensitive account dedupe and sticky-id null/whitespace guard). Treat as churn unless maintainers explicitly escalate. Links: #275 (comment)
  • PR #262 onboarding acceptance-path review churn — latest blocker oscillates between opposite recommendations (first rejecting production helper exposure, then rejecting reflection fallback after helper removal) despite green required checks and validated behavior; treat as churn unless maintainers explicitly escalate. Links: #262 (comment)
  • PR #293 strict-lookahead review churn — latest blocker continues to claim analyze run --strict --framework net8.0 parsing failure after parser branch hardening and dedicated regressions (TestAnalyzeRunStrictFlagAllowsKnownOptionLookaheadWithFrameworkValue, strict equals override tests) passed locally on net8/net10 and required checks are green. Treat as churn unless maintainers explicitly escalate. Links: #293 (comment)
  • PR #400 vision contract policy-prefix review churn — latest blocker still reports backticked policy-prefix miscounting after parser hardening (policySection-based explicit counters) plus direct regressions (TestVisionCheckParseDocumentSupportsBacktickedPolicyPrefixes, TestVisionCheckRunEnforceContractSupportsBacktickedPolicyPrefixes) passing locally on net8/net10 and required checks are green. Treat as churn unless maintainers explicitly escalate. Links: #400 (comment)

PR #95 Fix duplicate weekly labels in usage summary

  • Replace string-based type detection (StartsWith("code review")) with semantic context input. Links: #95 (comment)
  • Tighten secondary suffix detection (EndsWith("(secondary)")) to avoid accidental matches. Links: #95 (comment)
  • Make test assertions less formatting-coupled while still validating disambiguation behavior. Links: #95 (comment)
  • Add at least one additional regression case for (secondary) code-review weekly labels. Links: #95 (comment)
  • Decide whether code review prefix applies broadly to code-review duration labels and align tests with that intent. Links: #95 (comment)
  • Replace switch default in GetUsageLimitFallbackLabel with explicit ArgumentOutOfRangeException. Links: #95 (comment)
  • Strengthen tests with negative assertions preventing ambiguous legacy labels from reappearing. Links: #95 (comment)
  • Add explicit usage-summary part-count assertions for duplicate-weekly scenarios. Links: #95 (comment)
  • Keep secondary suffix ownership in one formatter layer to avoid future double-suffix regressions. Links: #95 (comment)
  • Standardize usage summary delimiter/prefix handling while avoiding new public API coupling between reviewer and tests. Links: #95 (comment)

PR #109 Improve static-analysis visibility in review comments

  • Count parsed analysis files only after successful parse/processing to avoid double-counting with failed files. Links: #109 (comment), #109 (comment), #109 (comment)
  • Replace broad catch {} in analysis loading with scoped recoverable exception handling. Links: #109 (comment)
  • Remove dead null-check on lines in AddOutcomeLines. Links: #109 (comment)
  • Refactor per-rule count increment to single-assignment/ternary form. Links: #109 (comment), #109 (comment)
  • Normalize rule IDs before outcome matching to reduce undercount risk from formatting/casing variations. Links: #109 (comment)
  • Pass a single AnalysisLoadResult through policy rendering to reduce future drift between report and findings. Links: #109 (comment)
  • Add explicit tests for zero-findings and unavailable-input summary behavior. Links: #109 (comment)
  • Prefer LINQ projection/grouping (Select/GroupBy) for rule normalization/count aggregation paths in policy outcomes. Links: #109 (comment), #109 (comment)
  • De-duplicate resolved analysis inputs before loading to avoid double counting and duplicate reads. Links: #109 (comment)
  • Narrow recoverable exception filter and avoid treating broad ArgumentException as recoverable parse noise. Links: #109 (comment)
  • Mark policy status as partial when findings are outside enabled packs, even when enabled-rule findings are zero. Links: #109 (comment)
  • Make Rule outcomes wording explicit for findings outside enabled packs. Links: #109 (comment)
  • De-duplicate resolved files without a second materialization pass to keep memory bounded on large glob expansions. Links: #109 (comment)
  • Treat no-enabled-rules + no-findings policy state as unavailable/not-applicable (with explicit message). Links: #109 (comment)
  • Align AnalysisSummaryBuilder.BuildSummary nullable signature with defensive null handling. Links: #109 (comment)
  • Emit unavailable analysis summary on internal load failures instead of silently dropping the analysis block. Links: #109 (comment)
  • Make summary-body parser stop at a more resilient model section prefix (### Model) to reduce template-string fragility. Links: #109 (comment)
  • Avoid empty placeholder line in model/usage bullets by always rendering a reasoning bullet. Links: #109 (comment)
  • Remove redundant File.Exists pre-check in analysis loading loop and rely on existing IO-exception path around direct reads. Links: #109 (comment)
  • Improve analysis-load failure logging to include full exception context for diagnostics. Links: #109 (comment)
  • Refine status semantics so “outside enabled packs” does not always imply execution degradation when enabled rules are clean. Links: #109 (comment)
  • Confirm heading-casing output shift is covered by tests/docs to protect downstream parser expectations. Links: #109 (comment)
  • Keep parsedInputFiles aligned with successful parse semantics by excluding empty-file no-op inputs. Links: #109 (comment)
  • Remove InvalidOperationException from recoverable analysis-load exceptions to avoid masking logic bugs. Links: #109 (comment)
  • Keep analysis-load error logging concise and avoid dumping full exception details in CI logs. Links: #109 (comment)
  • Align BuildUnavailableSummary formatting with other builders by trimming trailing newline output. Links: #109 (comment)
  • Keep AddOutcomeLines nullability contract consistent (non-null inputs, no redundant null-coalescing). Links: #109 (comment)
  • Mark policy as partial when findings exist outside enabled packs to keep risk visible in status. Links: #109 (comment)
  • Add JsonException to recoverable analysis-load exceptions for JSON parser compatibility. Links: user request in Codex thread (2026-02-06)
  • Clarify and document parsed counter semantics for analysis result files. Links: #109 (comment)
  • Add regression coverage for mixed rule outcomes (enabled findings + outside-pack findings). Links: #109 (comment)
  • Verify and lock behavior that zero-findings summaries still render content (no empty-string contract). Links: #109 (comment)
  • Render unavailable policy status when analysis load fails and summary output is disabled. Links: user request in Codex thread (2026-02-06)
  • Add test for deduplicated resolved inputs with one parse success and one parse failure counter path. Links: user request in Codex thread (2026-02-06)

PR #112 Address remaining static-analysis follow-up TODOs

  • Use one computed sanitized analysis-load failure reason and pass it consistently to unavailable policy and summary builders. Links: #112 (comment), #112 (comment)
  • Decouple unavailable policy rendering from BuildPolicy(settings) output shape via dedicated base-policy preparation path. Links: #112 (comment)
  • Move parsed/failed counter semantics into AnalysisLoadReport XML docs to reduce drift. Links: #112 (comment)
  • Add ordering-insensitive dedupe regression coverage for resolved analysis inputs. Links: #112 (comment)
  • Add explicit coverage that duplicate bad input matches increment FailedInputFiles once per unique file. Links: #112 (comment)
  • Keep unavailable reason exposure bounded (type + sanitized/truncated message) for user-facing review blocks. Links: #112 (comment)
  • Expand path-root redaction coverage for unavailable reason formatting (workspace/current/temp/profile variants). Links: #112 (comment)
  • Use text-element-safe truncation for unavailable reason rendering to avoid splitting grapheme clusters. Links: #112 (comment)
  • Add defensive sanitize/trim path in BuildUnavailablePolicy for future raw-reason callers. Links: #112 (comment)
  • Keep recoverable parser exception rationale explicit and verify single-failure counting via tests. Links: #112 (comment)
  • Simplify user-facing failure reason to exception-type allowlist + generic fallback for unexpected internals. Links: #112 (comment)
  • Keep unavailable-policy sanitization defensive for future callers while reducing sensitive detail exposure in reasons. Links: #112 (comment), #112 (comment)
  • Clarify parser-phase recoverable exception intent for FormatException/JsonException and keep non-parse exceptions escalated. Links: #112 (comment)
  • Align AnalysisLoadReport XML wording with reviewer docs (“valid payloads that produce zero findings”). Links: #112 (comment)
  • Re-throw OperationCanceledException in analysis-load handling to preserve cancellation semantics. Links: #112 (comment)
  • Remove dead null-check branch from BuildAnalysisLoadFailureReason(Exception) to keep nullability contract strict. Links: #112 (comment)
  • Map analysis-load unavailable reasons to stable user-facing categories (permission/read/format/internal). Links: #112 (comment)
  • Add regression test for top-level analysis failure path when ShowPolicy=true and Summary=false (policy embeds, summary omitted). Links: #112 (comment)
  • Keep BuildUnavailablePolicy reason sanitization length-bounded to prevent oversized unavailable blocks. Links: #112 (comment)
  • Add explicit zero-findings parsed-counter coverage for both findings JSON and SARIF payload paths (including empty runs/results). Links: #112 (comment), #112 (comment)
  • Preserve cancellation semantics through top-level reviewer error handling without posting failure-summary updates on cancellation. Links: #112 (comment)
  • Keep analysis-load failure embedding no-op when both showPolicy=false and summary=false. Links: #112 (comment)
  • Reduce IO-specific wording in user-facing unavailable reasons to stable generic category text. Links: #112 (comment)
  • Align failed counter docs with implementation for unreadable/inaccessible matched files. Links: #112 (comment)
PR #113 Improve static analysis policy readability with enabled-rules preview
  • Keep enabled-rules preview API signatures intent-focused for append-only list building. Links: #113 (comment)
  • Add defensive null handling for preview rule description fallback paths. Links: #113 (comment)
  • Preserve configured rule order in enabled-rules preview output (no implicit sorting). Links: #113 (comment)
  • Add regression coverage for enabled-rules preview truncation formatting ((truncated)). Links: #113 (comment)
  • Add regression coverage for blank-title rule preview fallback to rule ID. Links: #113 (comment)
  • Align static-analysis docs example with real enabled-rules preview output format and truncation suffix. Links: #113 (comment)
  • Clarify effective enabled-rule ordering source in policy builder (pack order after disabled filtering). Links: #113 (comment)
  • Bound long rule preview titles to keep policy lines readable and stable. Links: #113 (comment)
  • Add no-truncation assertion for empty enabled-rules preview path. Links: #113 (comment)
  • Add boundary assertion that preview includes item MaxListItems and excludes overflow. Links: #113 (comment)
  • Keep TruncatePreviewTitle null-safe with text-element-aware truncation (string? input + StringInfo). Links: #113 (comment)
  • Remove brittle hardcoded truncation math from tests and derive expected preview from shared formatting behavior. Links: #113 (comment)
  • Assert a single truncation marker occurrence when preview output is truncated. Links: #113 (comment)
PR #114 Improve static analysis policy with explicit failing/clean rule previews
  • Make AddOutcomeLines null-safe for findings input and preserve safe policy rendering when findings are null. Links: #114 (comment)
  • Refactor TryBuildBasePolicy multi-out return shape to a typed context object for maintainability. Links: #114 (comment)
  • Add docs note describing deterministic ordering and truncation behavior for outcome preview lines. Links: #114 (comment), #114 (comment)
  • Add regression test for null findings with a present load report. Links: #114 (comment)
  • Add regression test asserting deterministic ordering for failing and outside-pack preview sections. Links: #114 (comment)
  • Sort failing-rule preview by finding count (desc) then rule id to keep truncation behavior focused on highest-impact failures. Links: #114 (comment)
  • Align static-analysis docs sample with actual truncation behavior when only 5 enabled rules are shown. Links: #114 (comment)
  • Keep explicit aggregate outside-pack count assertion in analysis policy tests to protect status/count semantics. Links: #114 (comment)
PR #115 Harden static analysis policy load path and preview tests
  • Narrow exception handling in catalog load path and avoid blanket catch behavior. Links: user request in Codex thread (2026-02-06), #115
  • Return an unavailable policy block (Status: unavailable) when catalog load fails instead of empty output. Links: user request in Codex thread (2026-02-06), #115
  • Reduce mutable state exposure in policy context by using read-only/immutable collections. Links: user request in Codex thread (2026-02-06), #115
  • Strengthen analysis policy tests with structured line assertions instead of only AssertContainsText. Links: user request in Codex thread (2026-02-06), #115
  • Verify nullability handling around findings and counters in AddOutcomeLines. Links: user request in Codex thread (2026-02-06), #115
  • Keep deterministic ordering culture-invariant with ordinal comparers in sorted output paths. Links: user request in Codex thread (2026-02-06), #115
  • Make TruncatePreviewTitle null-safe at signature level. Links: user request in Codex thread (2026-02-06), #115
  • Reduce brittle expected-string construction in truncation tests. Links: user request in Codex thread (2026-02-06), #115
  • Add assertion for single (truncated) marker occurrence on preview line. Links: user request in Codex thread (2026-02-06), #115
  • Add regression coverage for non-BMP Unicode preview title truncation behavior. Links: user request in Codex thread (2026-02-06), #115
  • Centralize preview formatting constants for policy/test alignment. Links: user request in Codex thread (2026-02-06), #115
  • Normalize unavailable-policy pack display to skip blank pack IDs and preserve trimmed values. Links: #115 (comment)
  • Keep one lightweight AssertContainsText header assertion alongside strict line assertions for policy output stability. Links: #115 (comment)
  • Group analysis-policy test registration into a dedicated helper (RunAnalysisPolicyReportingTests) to reduce main-runner churn. Links: #115 (comment)
  • Complete constant migration and behavior-oriented naming (MaxRulePreviewItems, TruncatedPreviewSuffix, TruncationEllipsis) in policy builder and tests. Links: #115 (comment), #115 (comment)
  • Split oversized analysis reporting tests into topic files to satisfy internal LOC maintainability rule (IXLOC001). Links: #115
  • Keep analysis-policy helper registration grouped by feature with table-driven execution for easier reorder/maintenance. Links: #115 (comment)
  • Align analysis-policy test display naming with unavailable terminology for catalog-load fallback scenarios. Links: #115 (comment)
  • Add one snapshot-style full policy block assertion to protect against line-order or formatting regressions beyond key/value checks. Links: #115 (comment)
  • Keep analysis-policy helper under INTELLIGENCEX_REVIEWER symbol to preserve existing test-variant coverage boundaries. Links: #115 (comment)
PR #116 Cleanup static-analysis review followups and TODO backlog
PR #85 Static analysis catalog + CLI export
  • Update analysis loading to use reviewFiles so analysis findings respect filters. Links: #85 (review)
  • Add resilience around catalog loading to avoid failing reviews when the catalog is missing or unreadable. Links: #85 (review)
  • Expand severity normalization to handle “critical” (and other high-severity values if expected). Links: #85 (review)
  • Null-guard pack rules before adding to policy output. Links: #85 (comment)
  • Normalize SeverityOverrides into a case-insensitive dictionary. Links: #85 (comment)
  • Catch malformed glob patterns to avoid ArgumentException. Links: #85 (comment)
  • Treat unknown severities distinctly from none to avoid silent suppression. Links: #85 (comment)
  • Log malformed glob patterns so config errors are visible. Links: #85 (comment)
PR #99 Add maintainability LOC rule and split setup runner
  • Replace string-marker path exclusion with robust normalized path segment checks. Links: #99 (comment)
  • De-duplicate rule ID/threshold by loading from catalog or centralized constants. Links: #99 (comment)
  • Expand generated-file detection (header-based + configurable patterns). Links: #99 (comment)
  • Add tests for CRLF/LF and trailing newline/no-trailing-newline LOC counting. Links: #99 (comment)
  • Add test for case-insensitive path exclusions on Windows. Links: #99 (comment)
  • Validate docs path resolution strategy for rule metadata. Links: #99 (comment)
  • Prefer metadata-driven internal LOC rule selection/limits over hardcoded rule IDs. Links: #99 (comment)
  • Normalize and de-duplicate generated suffix handling before matching. Links: #99 (comment)
  • Make generated-header markers stricter/configurable to reduce false positives. Links: #99 (comment)
  • Keep partial-class shared state minimal/immutable during setup-runner split. Links: #99 (comment)
  • Keep internal findings tool value aligned with rule metadata (IntelligenceX.Maintainability). Links: #99 (comment)
  • Extend internal scan directory exclusions to cover .vs and node_modules. Links: #99 (comment)
  • Make generated-header marker checks case-insensitive on trimmed comment lines. Links: #99 (comment)
  • Increase generated-header scan window and keep early stop at first code token. Links: #99 (comment)
  • Match generated suffixes against filename (not full path) with normalized suffix handling. Links: #99 (comment)
  • Keep generated marker/suffix defaults in catalog tags as canonical source (no duplicate in runner constants). Links: #99 (comment)
  • Warn on unknown/malformed IXLOC001 tags to avoid silent config typos. Links: #99 (comment), #99 (comment)
  • Clarify maintainability pack enablement is explicit repo-config change (no forced migration/push into existing repos). Links: #99 (comment)
PR #127 Add tiered analysis packs and rule inventory formats
  • list-rules should recognize --help, -h, and help and return usage text with exit 0. Links: #127 (comment), #127 (comment)
  • Keep --format json output machine-parseable by writing warnings to stderr instead of stdout. Links: #127 (comment)
  • Emit [] for empty rule sets in JSON mode instead of text output. Links: #127 (comment)
  • Test helper should capture both stdout and stderr so diagnostics stream moves do not hide regressions. Links: #127 (comment)
PR #129 Expand C# static-analysis catalog and tier pack coverage
  • Correct malformed CA5350 description text in generated catalog metadata. Links: #129 (comment), #129 (comment)
  • Normalize CA5389 title casing in generated metadata for user-facing consistency. Links: #129 (comment), #129 (comment)
  • Document interpreter-based catalog refresh command in README for portability. Links: #129 (comment), #129 (comment)
  • Avoid selecting defaultSeverity: none rules in tier packs so enabled packs do not silently ship disabled analyzer entries. Links: #129 (comment)
  • Select latest NetAnalyzers NuGet package using semantic version ordering. Links: #129 (comment)