docs(examples): add risk-map.yaml example + adoption guide#896
Conversation
Codex's final-pass review (post-25-PR) flagged that docs/guides reference .river/risk-map.yaml but the repo carries no concrete example for adopters to copy. Add one under examples/risk-map/ with a README explaining the three action values and the apply / verify flow. Contents - examples/risk-map/risk-map.yaml — sample with 10 rules covering require_human_review (security-sensitive files, credentials, CI workflows), escalate (LLM call path, config, action dist, package.json), and comment_only (docs, pages, tests). Each rule has a reason string so adopters see the intent, not just the pattern. - examples/risk-map/README.md — adoption guide pointing at schemas/risk-map.schema.json, the user guide pages/guides/repo-wide-review.md, the execution-context-contract doc, and PR #877 (riskAssessment forwarding on the exec path). - examples/README.md — link to the new directory. The example was validated end-to-end with the real loadRiskMap + evaluateRisk implementation: 10 rules parse cleanly, sample paths classify correctly (require_human_review hit on secret-redactor.mjs, escalate on review-engine.mjs, comment_only on docs/, fall-through on unknown paths). No code or runtime change. 1087/1087 tests green. Refs: #800 (Codex final-pass review item #2 of 3). Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
River Reviewer
選択されたスキル (0)
スキップされたスキル (87)
優先度サマリー
スコア (参考値)結果(スコア): 96/100 内訳:
指摘
|
There was a problem hiding this comment.
Code Review
このプルリクエストでは、パスごとのリスク分類を可能にする .river/risk-map.yaml のサンプル設定と解説ドキュメントが追加されました。これには comment_only、escalate、require_human_review の各アクションの具体例が含まれています。レビューでは、READMEに記載された検証コマンドや jq パスが現在の実装と一致していない点、およびYAMLファイル内の相対リンクが他リポジトリで利用する際に機能しなくなる点について、具体的な修正の指摘が行われています。
| 1. Copy `examples/risk-map/risk-map.yaml` to `.river/risk-map.yaml` at your repo root. | ||
| 2. Edit the rules: add patterns that match your security-sensitive files; remove the example patterns that do not apply. | ||
| 3. Commit. The next `river review exec` run picks it up automatically via `runReviewPlan`'s `loadRiskMap` (#877 wired this through on the exec path). | ||
| 4. To verify the loaded map: run `river review exec --debug --output json --output-file /tmp/r.json`, then `jq '.plan.riskAssessment' /tmp/r.json` — the `aggregateAction` / `escalatedFiles` / `humanReviewFiles` reflect your rules. |
There was a problem hiding this comment.
The verification command and jq path provided here appear to be incorrect based on the current implementation in src/lib/review-plan.mjs:
- Command Error:
river review execwill currently throw aReviewPlanErrorbecauserunReviewPlan(line 314) only supportsplanOnly: trueat this stage. You likely meantriver review plan --plan-only. - Path Error: The
jqpath.plan.riskAssessmentwill not return any data becauserunReviewPlandoes not include theriskAssessmentobject in the finalartifact.planoutput. It only extractsselectedSkillsandskippedSkills(lines 420-424).
Please update the instructions to match the current capabilities or ensure the implementation is updated to include the risk assessment in the output artifact.
| # Schema: ../../schemas/risk-map.schema.json | ||
| # Spec: ../../pages/guides/repo-wide-review.md §「.river/risk-map.yaml」 |
There was a problem hiding this comment.
PlanGate Review
PlanGate review decision: pass
ポリシー: critical=fail / major=fail-if-required (warn) / minor=comment-only / info=skipped — spec: |
…ink (gemini PR #896) Apply both gemini PR #896 comments. HIGH: the README's verify step claimed "jq .plan.riskAssessment /tmp/r.json" would show aggregateAction / escalatedFiles. End-to-end test against the real runReviewPlan + loadRiskMap confirmed this is wrong: the artifact's `plan` schema only carries selectedSkills / skippedSkills / plannerMode. riskAssessment is computed internally and only forwarded to generateReview's prompt context. Rewrite step 4 to (a) verify file parses by any river review command succeeding and (b) state honestly that risk classification is not echoed on the artifact. MEDIUM: the YAML header comments referenced ../../schemas/... relative paths that break the moment an adopter copies this file to .river/risk-map.yaml. Replace with absolute GitHub URLs so the references stay resolvable after the copy. No code change; user-facing accuracy fix only. Refs: PR #896 (gemini review). Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
* docs(runbook): add release-smoke.md (codex final-pass review item #3) Close the third drift item from Codex's final-pass review (after the v0.51.0–v0.55.0 sprint). Items #1 and #2 already landed: - #1 README Epic 1 status drift (PR #889) - #2 risk-map example (PR #896) - #3 release smoke runbook (this PR) Add docs/runbook/release-smoke.md as a sibling to docs/runbook/dev.md. It is not a release runbook (release-please handles tagging), but the smoke test that confirms a fresh tag installs cleanly for an adopter. Sections - When to run: post release-please merge, post dependabot prod-dep bump, pre announcement. - What it verifies: lint/tests/skills validate, river run dry-run, npm pack --dry-run, npm audit --omit=dev, GitHub Release presence. - Smoke sequence: single bash block, all commands must exit 0. - Release confirmation via gh: tagName / publishedAt / changelog body. - When the smoke fails: concrete recovery moves for the 5 common failure modes (lockfile drift, dist staleness, audit vuln, release 404, skill loader error), pointing at the existing docs and PRs that document each fix. - Out of scope: cross-platform install, npx river try, real LLM, Vercel. No code change. Refs: PRs #889, #896 (sibling Codex final-pass items), docs/development/npm-distribution-design.md, AGENT_LEARNINGS.md gh-api empty-commit entry. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * docs(runbook): apply gemini PR #897 review on release-smoke Both gemini comments are valid; apply. 1. Resolve TAG via the upstream GitHub Release instead of the local package.json. The previous form trusted that the operator had already pulled main after the release-please merge; if they had not, the local package.json could point at the previous version and the smoke would run against the wrong commit. Use `gh release view --json tagName --jq .tagName` so the upstream release is the source of truth. 2. The "feedback_release_please_workflow_race.md memory if available" pointer was misleading — that file is Claude's internal memory, not a repo doc. Replace with a concrete pointer to the AGENT_LEARNINGS.md 2026-05-24 entry that actually carries the gh-api empty-commit pattern in the repo. No content change beyond these two clarifications. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> --------- Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Summary
Close item #2 of 3 from Codex's final-pass drift review: docs and guides reference
.river/risk-map.yamlbut the repo had no concrete example for adopters to copy from. Add one underexamples/risk-map/with a README explaining the three action values and the apply / verify flow.Contents
examples/risk-map/risk-map.yamlrequire_human_review/escalate/comment_only) withreasonstringsexamples/risk-map/README.mdexamples/README.mdSample rule coverage
require_human_reviewsrc/lib/secret-redactor.mjs,**/*.{key,pem,p12},.github/workflows/**escalatesrc/lib/review-engine.mjs,src/config/**,runners/github-action/dist/**,package.jsoncomment_onlydocs/**,pages/**,tests/**, plusdefaults.action: comment_onlyValidation
End-to-end against the real
loadRiskMap+evaluateRiskimplementation insrc/lib/risk-map.mjs:Test plan
npm test(1087/1087)loadRiskMap+evaluateRiskRefs: PR #877 (riskAssessment forwarding), Codex final-pass review.
🤖 Generated with Claude Code