Devesh/sk 2832 claude setup v2#338
Conversation
- Add CLAUDE.md with project conventions, version info, commit guidelines - Add .claude/commands: code-review, code-smell, code-security, sdk-sample, test, commit (Jira-aware) - Add .claude/hooks/checkstyle-on-edit.py for per-edit lint feedback - Add .claude/settings.json with permissions and PostToolUse hook - Add .claude/skills/requesting-code-review for context-fork reviews - Add .github/workflows/claude-pr-review.yml: automated SDK + security review on PRs - Add .github/workflows/claude-changelog.yml: auto-generated release notes on tag push - Add .github/workflows/release-v1.yml: v1 public release targeting v1 branch - Update .cspell.json with British English and project-specific terms Requires ANTHROPIC_API_KEY secret in GitHub Actions for claude-* workflows. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Move file placement, deprecated folder note, and sample rules into samples/CLAUDE.md (loads only when working on samples) - Remove samples paths and content from root CLAUDE.md to reduce token load on every non-samples session Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…-setup-v2 # Conflicts: # .cspell.json
The model emitted two near-identical verdict lines. Fixes: - code-review.md: require exactly one verdict line (first line, nowhere else); it carries count + theme(s); never a second/rephrased verdict. - claude-pr-review.yml: safety net — keep the first verdict line and drop any later standalone line that restates the verdict. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
The changed-lines count diffed all *.java over the review range but, unlike the file-existence check, did not filter generated/. Add an exclude pathspec so the metric matches what is actually reviewed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
Switch the review step to --output-format stream-json --verbose piped through tee, so each turn/tool event is visible live in the Actions log while the final result event is still parsed for the comment and token metrics. PIPESTATUS[0] preserves claude's exit code through the pipe. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Remove the original violations (swallowed exception, System.out.println, magic string) and introduce a fresh set (hardcoded credential, uncommented @SuppressWarnings, printStackTrace, RuntimeException re-throw) so the incremental review should flag only the new issues. Revert after testing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
AI Code Review
REQUEST CHANGES — 4 blocking findings in ReviewProbe.java (hardcoded credential in source and exception message, printStackTrace, RuntimeException instead of SkyflowException, @SuppressWarnings without comment).
| File:Line | Severity · Category | Finding |
|---|---|---|
| ReviewProbe.java:9 | Critical · Security | Hardcoded credential literal in source |
| ReviewProbe.java:22 | Critical · Security | Hardcoded credential value leaked into exception message |
| ReviewProbe.java:20 | High · Pattern | e.printStackTrace() instead of LogUtil |
| ReviewProbe.java:22 | High · Correctness | RuntimeException thrown instead of SkyflowException; method lacks throws SkyflowException |
| ReviewProbe.java:19 | Medium · Pattern | @SuppressWarnings("unchecked") with no explanatory comment |
Advisory (Low / Info) — 0 items
| File:Line | Severity · Category | Finding |
|---|
| * Temporary probe to validate the Claude PR review workflow. | ||
| * Intentionally contains SDK-rule violations — delete after testing. | ||
| */ | ||
| public class ReviewProbe { |
There was a problem hiding this comment.
Critical · Security: Hardcoded credential literal API_TOKEN = "hardcoded-admin-password-123" is committed to source. Even in a test probe, embedding credentials in source risks accidental promotion to production code and exposure in git history (CWE-798). Remove the literal and inject any needed test value via an environment variable or test fixture — never a static final String constant.
| // NEW BUG 2 (code quality): @SuppressWarnings with no explanatory comment. | ||
| @SuppressWarnings("unchecked") | ||
| public Map<String, Object> castPayload(Object raw) { | ||
| return (Map<String, Object>) raw; |
There was a problem hiding this comment.
Critical · Security: The hardcoded credential API_TOKEN is concatenated directly into the RuntimeException message: "bad value: " + API_TOKEN. This surfaces the credential value in stack traces, logs, and any caller that catches the exception. Never include a credential (even a placeholder) in an exception message. Strip the token from the message; if context is needed, log it at DEBUG via LogUtil before throwing — do not put it in the exception payload.
| } | ||
|
|
||
| // NEW BUG 2 (code quality): @SuppressWarnings with no explanatory comment. | ||
| @SuppressWarnings("unchecked") |
There was a problem hiding this comment.
High · Pattern: e.printStackTrace() writes directly to stderr, bypassing the SDK logging framework. Per CLAUDE.md, all logging must go through LogUtil (e.g. LogUtil.printErrorLog(...)). Replace e.printStackTrace() with LogUtil.printErrorLog(e.getMessage()) or equivalent.
| // NEW BUG 2 (code quality): @SuppressWarnings with no explanatory comment. | ||
| @SuppressWarnings("unchecked") | ||
| public Map<String, Object> castPayload(Object raw) { | ||
| return (Map<String, Object>) raw; |
There was a problem hiding this comment.
High · Correctness: process() throws RuntimeException and is not declared throws SkyflowException. SDK rules require all public methods to declare throws SkyflowException and to wrap/re-throw all exceptions as SkyflowException, never as bare RuntimeException. Change the throw to throw new SkyflowException(ErrorCode.INVALID_INPUT, ...) and add throws SkyflowException to the method signature.
| return id; | ||
| } | ||
|
|
||
| // NEW BUG 2 (code quality): @SuppressWarnings with no explanatory comment. |
There was a problem hiding this comment.
Medium · Pattern: @SuppressWarnings("unchecked") is present with no explanatory comment. Per CLAUDE.md, every @SuppressWarnings must have a comment explaining why suppression is safe. Add a comment above the annotation, e.g. // safe: caller guarantees the object is Map<String, Object>.
…ented-out code) Add two structural smells on new lines so code-smell's PR/CI mode surfaces them as Category=Smell advisory rows: magic numbers (3600, 24) and a commented-out code block. Revert after testing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…/code-review-ci.md Move the PR/CI consolidated-output spec out of code-review.md into a plain include file, fetched via a conditional Read only when GITHUB_ACTIONS is set. Local runs use the Final Verdict section and never load the include. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
There was a problem hiding this comment.
AI Code Review
APPROVE WITH FIXES — 0 blocking findings; 2 advisory smells introduced in ReviewProbe.java (magic numbers, commented-out code).
No blocking findings on the changed lines.
Advisory (Low / Info) — 2 items
| File:Line | Severity · Category | Finding |
|---|---|---|
| src/main/java/com/skyflow/utils/ReviewProbe.java:35 | Low · Smell | Magic numbers 3600 and 24 in sessionTtlSeconds() — extract to named constants |
| src/main/java/com/skyflow/utils/ReviewProbe.java:39 | Low · Smell | Commented-out legacyFlush() block with no TODO/ticket — remove or annotate |
Resolve the previous violations and add a new distinct set so the incremental review flags only the latest changes: - bugs: == string comparison, setVaultID naming, empty catch swallow - smells: large parameter list (6 params), deep nesting (4 levels) Revert after testing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-review note The CI code-review comment no longer emits an APPROVE/REQUEST CHANGES verdict (merge gating is GitHub's job). It now leads with a findings-count summary (bugs/security/smells/other) and stays silent when the changed lines are clean. On a re-review, the comment is prefixed with an incremental-scope note that names the last-reviewed commit and reminds the author to resolve earlier open comments. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
There was a problem hiding this comment.
AI Code Review
♻️ Incremental review — covers only the commits added since the last review (
fb8901d); earlier changes were not re-checked. Please resolve any open comments from previous reviews.
Findings on the changed lines: 2 bugs, 0 security, 2 smells, 1 other
| File:Line | Severity · Category | Finding |
|---|---|---|
| src/main/java/com/skyflow/utils/ReviewProbe.java:9 | High · Correctness | String identity comparison with == instead of .equals() |
| src/main/java/com/skyflow/utils/ReviewProbe.java:14 | Medium · Naming | Method named setVaultID — SDK convention requires setVaultId |
Advisory (Low / Info) — 3 items
| File:Line | Severity · Category | Finding |
|---|---|---|
| src/main/java/com/skyflow/utils/ReviewProbe.java:19 | Low · Smell | Empty catch block silently swallows NumberFormatException |
| src/main/java/com/skyflow/utils/ReviewProbe.java:24 | Low · Smell | Method build has 6 parameters — exceeds 4-parameter limit; consider a builder or config object |
| src/main/java/com/skyflow/utils/ReviewProbe.java:28 | Low · Smell | Deep nesting — 4 levels of if in classify(); extract inner blocks to named helpers |
| */ | ||
| public class ReviewProbe { | ||
|
|
||
| private String vaultId; |
There was a problem hiding this comment.
High · Correctness: String comparison uses == (reference equality) instead of .equals(). In Java, two String objects with the same content are not guaranteed to be the same object. role == "admin" will almost always return false even when role is "admin". Fix: return "admin".equals(role);
| // NEW BUG 1 (correctness): String compared with == instead of .equals(). | ||
| public boolean isAdmin(String role) { | ||
| return role == "admin"; | ||
| } |
There was a problem hiding this comment.
Medium · Naming: Method is named setVaultID but the SDK naming convention requires acronyms to be treated as words: setVaultId (camelCase). This is inconsistent with setVaultId(), setClusterId(), setSkyflowId() used throughout the SDK. Rename to setVaultId.
🤖 Claude Code ReviewSummary: The PR introduces Claude AI tooling configuration (commands, hooks, CI workflows) for automated code review and quality checks. One critical issue stands out: a test probe file with intentional bugs is being committed to the main source tree, plus a hardcoded absolute path in a hook script. The CI workflow also has a potential command injection vector. Risk: high Approved: no Findingssrc/main/java/com/skyflow/utils/ReviewProbe.java:1 — ReviewProbe // NEW BUG 1 (correctness): String compared with == instead of .equals().
public boolean isAdmin(String role) {
return role == "admin";
}.claude/hooks/checkstyle-on-edit.py:22 — (module level) root = '/home/devb/SDK/skyflow-java'.github/workflows/claude-pr-review.yml:175 — generate-review step COMMITS="${{ steps.commits.outputs.log }}"
NOTES=$(claude --print ... -p "...
$COMMITS
...")Fix: pass the commits via a temporary file or an environment variable rather than inline shell expansion. .github/workflows/claude-changelog.yml:44 — generate-release-notes step COMMITS="${{ steps.commits.outputs.log }}"
NOTES=$(claude ... -p "...
$COMMITS
...").github/workflows/claude-pr-review.yml:155 — sdk-review job git diff "${RANGE_BASE}...HEAD" --name-only | grep '\.java$' | grep -v 'generated'.github/workflows/claude-pr-review.yml:1 — workflow trigger src/main/java/com/skyflow/VaultClient.java — setBearerToken / file handling src/main/java/com/skyflow/ConnectionClient.java:42 — prioritiseCredentials } catch (Exception e) {
throw new SkyflowException(ErrorCode.SERVER_ERROR.getCode(), ErrorMessage.EmptyCredentials.getMessage());
} |
Adds devesh/SK-2832-claude-setup-v2 to the pull_request branches filter so PR #339 (probe, based off the setup branch rather than main) triggers the Claude review workflow. Revert to [main] after evaluation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
There was a problem hiding this comment.
AI Code Review
♻️ Incremental review — covers only the commits added since the last review (
ee83966); earlier changes were not re-checked. Please resolve any open comments from previous reviews.
Findings summary:
DetokenizeExample.javaline 11:DetokenizeRecordResponseis imported but used only in comments (dead import) — Low · SmellGetExample.javaline 60:downloadURL(true)in commented-out code references deprecated method without noting it — Low · SmellReidentifyTextExample.javaline 92:e.printStackTrace()— sample pattern consistent with existing detect samples, not a new violation introduced by this PR- No security issues in added lines (hardcoded tokens in the sample text are placeholder documentation values, not real credentials)
- No serious (Critical/High/Medium) findings
All findings are advisory (Low/Info). Emitting the CI format:
Findings on the changed lines: 2 smells
No serious findings on the changed lines.
Advisory (Low / Info) — 2 items
| File:Line | Severity · Category | Finding |
|---|---|---|
| samples/src/main/java/com/example/vault/DetokenizeExample.java:11 | Low · Smell | Unused import — DetokenizeRecordResponse is referenced only in comments |
| samples/src/main/java/com/example/vault/GetExample.java:60 | Low · Smell | Commented example uses deprecated downloadURL(Boolean) — the current method is downloadUrl(Boolean) |
…nd add category sweep to fix blind spots
…tagging Bump dependency vulnerabilities (check 6) from Low to Critical so a flagged CVE surfaces in the serious-findings tier instead of the collapsed advisory section. Add an OWASP Top 10 category to the audit output (stable labels, no version pin), tagged only where a finding clearly maps. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Gitleaks Findings: No secrets detected. Safe to proceed! |
|
Semgrep Findings: Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging. |
4 participants
Start with a concise summary of the PR. The first three sections are required. The questions present in each section is there to help you guide you what to add. They are meant to be overwritten by your comments.
Why
Goal
Testing
Tech debt