chore: blocker triage integration lane (2026-03-03) #839

Closed
KooshaPari wants to merge 10 commits into main from chore/blocker-triage-canonical-dirty-20260303

@KooshaPari (Owner) commented Mar 3, 2026

Summary

  • Convert blocker-triage worktree into a reviewable PR branch
  • Include governance/security-guard, docs, and auth/runtime triage deltas
  • Exclude local binary artifacts and worktree-internal generated files

Validation

  • Blocked: task quality:fmt-staged:check cannot run because Taskfile.yml parse fails (line 359)

Residual Blockers

  • Fix Taskfile.yml syntax error before task-driven quality gates can execute

Summary by CodeRabbit

Release Notes

  • New Features

    • Enhanced OAuth authentication with PKCE support for secure token handling
    • GitHub Copilot device-flow authentication integration
    • Improved auth manager with dynamic provider registration and fallback handling
    • Security Guard pre-commit hooks for automated vulnerability scanning
  • Bug Fixes

    • Enhanced Docker image deletion robustness and error handling
    • Improved path traversal protection in token file operations
  • Documentation

    • Comprehensive governance and workflow protocols added
    • DevOps CI/CD documentation and provider catalog updates
  • Refactor

    • Reorganized internal package structure for maintainability
    • Token storage architecture improvements with consistent base implementation
  • Chores

    • Updated repository ownership and branding references
    • Simplified CI workflows and automated review configuration

KooshaPari and others added 6 commits March 1, 2026 06:38
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Add shared devops checker/push wrappers and task targets for cliproxyapi++.

Add VitePress Ops page describing shared CI/CD behavior and sibling references.

Co-authored-by: Codex <noreply@openai.com>
Standardize README, CONTRIBUTING, and docs/help text branding to cliproxyapi-plusplus for consistent project naming.

Co-authored-by: Codex <noreply@openai.com>
Includes security guard wiring, docs/policy updates, and auth/runtime triage changes.

Residual blocker: Taskfile parsing fails at line 359, so task-based validation is currently blocked.

Co-authored-by: Codex <noreply@openai.com>
Copilot AI review requested due to automatic review settings March 3, 2026 02:38

coderabbitai bot commented Mar 3, 2026

Important

Review skipped

Too many files!

This PR contains 194 files, which is 44 over the limit of 150.

📥 Commits

Reviewing files that changed from the base of the PR and between c9d5e11 and 842aa58.

⛔ Files ignored due to path filters (2)
  • .kittify/missions/research/templates/research/evidence-log.csv is excluded by !**/*.csv
  • .kittify/missions/research/templates/research/source-register.csv is excluded by !**/*.csv
📒 Files selected for processing (194)
  • .claudeignore
  • .coderabbit.yaml
  • .cursor/commands/spec-kitty.accept.md
  • .cursor/commands/spec-kitty.analyze.md
  • .cursor/commands/spec-kitty.checklist.md
  • .cursor/commands/spec-kitty.clarify.md
  • .cursor/commands/spec-kitty.constitution.md
  • .cursor/commands/spec-kitty.dashboard.md
  • .cursor/commands/spec-kitty.implement.md
  • .cursor/commands/spec-kitty.merge.md
  • .cursor/commands/spec-kitty.plan.md
  • .cursor/commands/spec-kitty.research.md
  • .cursor/commands/spec-kitty.review.md
  • .cursor/commands/spec-kitty.specify.md
  • .cursor/commands/spec-kitty.status.md
  • .cursor/commands/spec-kitty.tasks.md
  • .cursorignore
  • .env.example
  • .github/copilot-instructions.md
  • .github/dependabot.yml
  • .github/hooks/pre-commit
  • .github/hooks/security-guard.sh
  • .github/prompts/spec-kitty.accept.prompt.md
  • .github/prompts/spec-kitty.analyze.prompt.md
  • .github/prompts/spec-kitty.checklist.prompt.md
  • .github/prompts/spec-kitty.clarify.prompt.md
  • .github/prompts/spec-kitty.constitution.prompt.md
  • .github/prompts/spec-kitty.dashboard.prompt.md
  • .github/prompts/spec-kitty.implement.prompt.md
  • .github/prompts/spec-kitty.merge.prompt.md
  • .github/prompts/spec-kitty.plan.prompt.md
  • .github/prompts/spec-kitty.research.prompt.md
  • .github/prompts/spec-kitty.review.prompt.md
  • .github/prompts/spec-kitty.specify.prompt.md
  • .github/prompts/spec-kitty.status.prompt.md
  • .github/prompts/spec-kitty.tasks.prompt.md
  • .github/required-checks.txt
  • .github/scripts/security-guard.sh
  • .github/workflows/docker-image.yml
  • .github/workflows/security-guard-hook-audit.yml
  • .github/workflows/security-guard.yml
  • .gitignore
  • .kilocode/workflows/spec-kitty.accept.md
  • .kilocode/workflows/spec-kitty.analyze.md
  • .kilocode/workflows/spec-kitty.checklist.md
  • .kilocode/workflows/spec-kitty.clarify.md
  • .kilocode/workflows/spec-kitty.constitution.md
  • .kilocode/workflows/spec-kitty.dashboard.md
  • .kilocode/workflows/spec-kitty.implement.md
  • .kilocode/workflows/spec-kitty.merge.md
  • .kilocode/workflows/spec-kitty.plan.md
  • .kilocode/workflows/spec-kitty.research.md
  • .kilocode/workflows/spec-kitty.review.md
  • .kilocode/workflows/spec-kitty.specify.md
  • .kilocode/workflows/spec-kitty.status.md
  • .kilocode/workflows/spec-kitty.tasks.md
  • .kittify/.dashboard
  • .kittify/metadata.yaml
  • .kittify/missions/documentation/command-templates/implement.md
  • .kittify/missions/documentation/command-templates/plan.md
  • .kittify/missions/documentation/command-templates/review.md
  • .kittify/missions/documentation/command-templates/specify.md
  • .kittify/missions/documentation/command-templates/tasks.md
  • .kittify/missions/documentation/mission.yaml
  • .kittify/missions/documentation/templates/divio/explanation-template.md
  • .kittify/missions/documentation/templates/divio/howto-template.md
  • .kittify/missions/documentation/templates/divio/reference-template.md
  • .kittify/missions/documentation/templates/divio/tutorial-template.md
  • .kittify/missions/documentation/templates/generators/jsdoc.json.template
  • .kittify/missions/documentation/templates/generators/sphinx-conf.py.template
  • .kittify/missions/documentation/templates/plan-template.md
  • .kittify/missions/documentation/templates/release-template.md
  • .kittify/missions/documentation/templates/spec-template.md
  • .kittify/missions/documentation/templates/task-prompt-template.md
  • .kittify/missions/documentation/templates/tasks-template.md
  • .kittify/missions/research/command-templates/implement.md
  • .kittify/missions/research/command-templates/merge.md
  • .kittify/missions/research/command-templates/plan.md
  • .kittify/missions/research/command-templates/review.md
  • .kittify/missions/research/command-templates/specify.md
  • .kittify/missions/research/command-templates/tasks.md
  • .kittify/missions/research/mission.yaml
  • .kittify/missions/research/templates/data-model-template.md
  • .kittify/missions/research/templates/plan-template.md
  • .kittify/missions/research/templates/research-template.md
  • .kittify/missions/research/templates/spec-template.md
  • .kittify/missions/research/templates/task-prompt-template.md
  • .kittify/missions/research/templates/tasks-template.md
  • .kittify/missions/software-dev/command-templates/accept.md
  • .kittify/missions/software-dev/command-templates/analyze.md
  • .kittify/missions/software-dev/command-templates/checklist.md
  • .kittify/missions/software-dev/command-templates/clarify.md
  • .kittify/missions/software-dev/command-templates/constitution.md
  • .kittify/missions/software-dev/command-templates/dashboard.md
  • .kittify/missions/software-dev/command-templates/implement.md
  • .kittify/missions/software-dev/command-templates/merge.md
  • .kittify/missions/software-dev/command-templates/plan.md
  • .kittify/missions/software-dev/command-templates/review.md
  • .kittify/missions/software-dev/command-templates/specify.md
  • .kittify/missions/software-dev/command-templates/tasks.md
  • .kittify/missions/software-dev/mission.yaml
  • .kittify/missions/software-dev/templates/plan-template.md
  • .kittify/missions/software-dev/templates/spec-template.md
  • .kittify/missions/software-dev/templates/task-prompt-template.md
  • .kittify/missions/software-dev/templates/tasks-template.md
  • .kittify/scripts/debug-dashboard-scan.py
  • .kittify/scripts/tasks/acceptance_core.py
  • .kittify/scripts/tasks/acceptance_support.py
  • .kittify/scripts/tasks/task_helpers.py
  • .kittify/scripts/tasks/task_helpers_shared.py
  • .kittify/scripts/tasks/tasks_cli.py
  • .kittify/scripts/validate_encoding.py
  • .llmignore
  • .pre-commit-config.yaml
  • .worktrees/config/m/config-build/active/internal/runtime/executor/user_id_cache.go
  • .worktrees/config/m/config-build/active/internal/watcher/diff/models_summary.go
  • .worktrees/config/m/config-build/active/internal/watcher/diff/openai_compat.go
  • .worktrees/config/m/config-build/active/internal/watcher/synthesizer/helpers.go
  • AGENTS.md
  • CLAUDE.md
  • CONTRIBUTING.md
  • FEATURE_REGISTRY.md
  • README.md
  • SECURITY.md
  • Taskfile.yml
  • blocker-triage/2026-03-03-canonical-dirty-baseline.md
  • cmd/boardsync/main.go
  • codex-trail.md
  • docs/.vitepress/config.ts
  • docs/FEATURE_CHANGES_PLUSPLUS.md
  • docs/OPTIMIZATION_PLAN_2026-02-23.md
  • docs/README.md
  • docs/getting-started.md
  • docs/github-ownership-guard.md
  • docs/index.md
  • docs/install.md
  • docs/operations/devops-cicd.md
  • docs/operations/index.md
  • docs/provider-catalog.md
  • docs/provider-usage.md
  • docs/routing-reference.md
  • docs/sdk-access.md
  • docs/sdk-advanced.md
  • docs/sdk-usage.md
  • docs/troubleshooting.md
  • docs/worktree-hygiene-2026-03-03.md
  • internal/api/handlers/management/auth_files.go
  • internal/api/handlers/management/config_basic.go
  • internal/api/handlers/management/oauth_sessions.go
  • internal/api/middleware/request_logging.go
  • internal/api/middleware/response_writer.go
  • internal/api/server.go
  • internal/auth/kiro/token.go
  • internal/cmd/iflow_cookie.go
  • internal/config/config.go
  • internal/logging/request_logger.go
  • internal/runtime/executor/logging_helpers.go
  • internal/store/gitstore.go
  • internal/store/postgresstore.go
  • internal/watcher/clients.go
  • internal/watcher/diff/config_diff.go
  • internal/watcher/diff/models_summary.go
  • internal/watcher/diff/openai_compat.go
  • internal/watcher/synthesizer/helpers.go
  • minimax-trail.md
  • pkg/llmproxy/api/aliases.go
  • pkg/llmproxy/api/handlers/management/config_basic.go
  • pkg/llmproxy/config/sdk_config.go
  • scripts/devops-checker.sh
  • scripts/push-cliproxyapi-plusplus-with-fallback.sh
  • sdk/api/handlers/handlers.go
  • sdk/auth/codex.go
  • sdk/auth/filestore.go
  • sdk/cliproxy/auth/api_key_model_alias_test.go
  • sdk/cliproxy/auth/conductor.go
  • sdk/cliproxy/auth/conductor_executor_replace_test.go
  • sdk/cliproxy/auth/oauth_model_alias.go
  • sdk/cliproxy/auth/oauth_model_alias_test.go
  • sdk/cliproxy/auth/selector.go
  • sdk/cliproxy/auth/selector_test.go
  • sdk/cliproxy/auth/types.go
  • sdk/cliproxy/builder.go
  • sdk/cliproxy/executor/types.go
  • sdk/cliproxy/model_registry.go
  • sdk/cliproxy/pipeline/context.go
  • sdk/cliproxy/pprof_server.go
  • sdk/cliproxy/providers.go
  • sdk/cliproxy/rtprovider.go
  • sdk/cliproxy/service.go
  • sdk/cliproxy/service_codex_executor_binding_test.go
  • sdk/cliproxy/service_excluded_models_test.go
  • sdk/cliproxy/service_oauth_model_alias_test.go
  • sdk/cliproxy/types.go
  • sdk/cliproxy/watcher.go

Walkthrough

This PR introduces comprehensive refactoring of authentication infrastructure, security enforcement, and project branding. Changes include security guard hooks and workflows, migration of auth-related modules from internal to pkg/llmproxy paths, a new phenotype-go-auth third-party module with token storage and PKCE support, substantial auth conductor enhancements with orchestration logic, token storage restructuring using a shared BaseTokenStorage pattern, and standardization of project naming and repository references (kooshapari/cliproxyapi-plusplus).

Changes

Cohort / File(s) Summary
Security & CI Configuration
.coderabbit.yaml, .github/hooks/pre-commit, .github/hooks/security-guard.sh, .github/scripts/security-guard.sh, .github/workflows/security-guard.yml, .github/workflows/security-guard-hook-audit.yml, .github/required-checks.txt, .pre-commit-config.yaml
Adds automated security guard hooks, pre-commit checks, ggshield secret scanning, GitHub Actions workflows for security validation, and updates required CI checks to include new guard/build jobs while removing legacy checks.
Documentation & Branding Updates
AGENTS.md, CLAUDE.md, CONTRIBUTING.md, FEATURE_REGISTRY.md, SECURITY.md, docs/.../*, blocker-triage/2026-03-03-canonical-dirty-baseline.md, docs/worktree-hygiene-2026-03-03.md, codex-trail.md, minimax-trail.md
Renames project references from cliproxyapi++/KooshaPari to cliproxyapi-plusplus/kooshapari, adds governance protocols, feature registry, worktree documentation, and agent/codex walkthrough documentation.
Go Module & Import Path Migration
go.mod, internal/auth/claude/anthropic_auth.go, internal/auth/claude/http_client.go, internal/auth/copilot/copilot_auth.go, internal/auth/copilot/token.go, internal/auth/gemini/gemini_auth.go, internal/auth/gemini/gemini_token.go, pkg/llmproxy/auth/claude/..., pkg/llmproxy/auth/copilot/..., pkg/llmproxy/auth/codex/..., pkg/llmproxy/auth/gemini/..., pkg/llmproxy/auth/iflow/..., pkg/llmproxy/auth/kimi/..., pkg/llmproxy/auth/qwen/...
Updates import paths from internal/config, internal/misc to pkg/llmproxy equivalents; changes go.mod replace directive for phenotype-go-auth from relative path to ./third_party; affects config and utility imports across auth implementations.
New Third-Party Auth Module
third_party/phenotype-go-auth/go.mod, third_party/phenotype-go-auth/README.md, third_party/phenotype-go-auth/oauth.go, third_party/phenotype-go-auth/token.go
Introduces new Go module for OAuth PKCE flow, token storage interfaces, BaseTokenStorage implementation, OAuthServer for local callbacks, and comprehensive token persistence/loading with metadata support and path validation.
Auth Token Storage Refactoring
internal/auth/claude/anthropic.go, internal/auth/copilot/errors.go, internal/auth/copilot/oauth.go, pkg/llmproxy/auth/codex/openai_auth_test.go, pkg/llmproxy/auth/copilot/copilot_extra_test.go, pkg/llmproxy/auth/copilot/token_test.go, pkg/llmproxy/auth/gemini/gemini_auth_test.go, pkg/llmproxy/auth/kimi/token_path_test.go, pkg/llmproxy/auth/qwen/..., sdk/auth/kilo.go, pkg/llmproxy/api/handlers/management/auth_gemini.go, pkg/llmproxy/api/handlers/management/auth_github.go, pkg/llmproxy/api/handlers/management/auth_kilo.go
Embeds shared BaseTokenStorage struct into token storage types (Gemini, Copilot, Codex, Qwen, Kilo); adds new types PKCECodes and ClaudeAuthBundle; introduces comprehensive OAuth error types and device-flow client for Copilot.
Auth Conductor Enhancement
sdk/cliproxy/auth/conductor.go
Adds extensive orchestration capabilities including dynamic provider registration/execution, quota cooldown management, retry configuration, model aliasing, API-key upstream resolution, auto-refresh background loop, persistent state tracking, HTTP request construction, and fallback/selection logic across multiple providers.
Executor & Type Name Updates
pkg/llmproxy/executor/kiro_streaming.go, pkg/llmproxy/executor/kiro_transform.go
Updates type references from cliproxyauth.Auth to clipproxyauth.Auth and cliproxyexecutor to clipproxyexecutor across streaming, transformation, and web-search handler signatures.
Config & Infrastructure
pkg/llmproxy/config/config.go, .env.example, .github/workflows/docker-image.yml, .github/workflows/docs.yml, .github/workflows/lint-test.yml, .github/workflows/pr-path-guard.yml, scripts/devops-checker.sh, scripts/push-cliproxyapi-plusplus-with-fallback.sh
Adds ResponsesCompactEnabled config field with getter, updates Docker image environment variable to cliproxyapi-plus, restricts docs deployment to main branch, adds devops helper scripts, and updates workflow job naming/messaging.
SDK & API Handlers
sdk/api/handlers/handlers.go, sdk/api/handlers/handlers_stream_bootstrap_test.go, sdk/auth/filestore.go, sdk/cliproxy/auth/conductor_overrides_test.go, sdk/cliproxy/builder.go, sdk/cliproxy/service.go, sdk/cliproxy/types.go, sdk/cliproxy/watcher.go, sdk/api/management.go, sdk/api/options.go
Forwards X-Session-Key header for sticky routing, refactors file path validation with base-directory containment check, reorders imports for consistency, updates test expectations for cooldown behavior.
Utilities & Cleanup
cmd/boardsync/main.go, cmd/server/main.go, examples/custom-provider/main.go, pkg/llmproxy/api/server.go, pkg/llmproxy/managementasset/updater.go, pkg/llmproxy/watcher/clients.go, pkg/llmproxy/watcher/diff/config_diff.go, pkg/llmproxy/watcher/diff/models_summary.go, pkg/llmproxy/watcher/diff/openai_compat.go, pkg/llmproxy/watcher/synthesizer/helpers.go, pkg/llmproxy/usage/metrics.go, pkg/llmproxy/client/types.go, pkg/llmproxy/cmd/config_cast.go, pkg/llmproxy/executor/kiro_auth.go, pkg/llmproxy/executor/kiro_executor.go, pkg/llmproxy/translator/kiro/claude/kiro_websearch_handler.go, docs/.vitepress/theme/components/CategorySwitcher.vue, docs/.vitepress/theme/custom.css
Updates repository references and build tags; renames API key count variables to client count; consolidates import duplication; adds PKCE build constraints; removes unused imports; adds placeholder Vue component and CSS file; refactors hash computation helpers.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant SDK as SDK (conductor)
    participant AuthMgr as Auth Manager
    participant Executor as Provider Executor
    participant Auth as Auth (stored)
    
    Client->>SDK: ExecuteStream(providers, request)
    SDK->>AuthMgr: pickNextMixed(providers, model)
    AuthMgr->>AuthMgr: checkRefreshes()
    AuthMgr->>Auth: Load() [if needed]
    AuthMgr-->>SDK: selected Auth + Executor
    SDK->>Executor: ExecuteStream(auth, request)
    Executor-->>SDK: StreamChunk
    SDK-->>Client: StreamChunk
    
    Note over AuthMgr: Auto-refresh loop<br/>monitors token expiry,<br/>applies cooldowns,<br/>persists state
sequenceDiagram
    participant User
    participant GitHub as GitHub OAuth
    participant DeviceFlow as Device Flow Client
    participant Local as Local OAuth Server
    participant API as Copilot API
    
    User->>DeviceFlow: RequestDeviceCode()
    DeviceFlow->>API: POST /device_code
    API-->>DeviceFlow: device_code, user_code
    DeviceFlow-->>User: Display user_code
    
    User->>GitHub: Visit link, authorize
    
    DeviceFlow->>API: Poll /token with device_code
    Note over DeviceFlow: Wait for user authorization
    GitHub->>API: Confirm authorization
    API-->>DeviceFlow: access_token
    
    DeviceFlow->>API: FetchUserInfo(access_token)
    API-->>DeviceFlow: username
    DeviceFlow-->>User: Authenticated as username

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

  • PR #827: Introduces phenotype-go-auth third-party module with the same PKCE/OAuth server/token storage types used in this PR's new auth infrastructure.
  • PR #824: Refactors token storage across Qwen, Kilo, and other auth types to use BaseTokenStorage embedding, mirroring the same pattern applied across this PR.
  • PR #696: Modifies sdk/cliproxy/auth/conductor.go with auto-refresh and provider orchestration capabilities that overlap with conductor enhancements in this PR.

Suggested labels

ci:coderabbit-bypass, auth, refactoring, security, documentation


🐰 Behold! A grand tapestry of tokens and guards,
Where OAuth flows dance and PKCE cards,
The conductor orchestrates with finesse and care,
While docs and imports refresh the air!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 47.83% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore: blocker triage integration lane (2026-03-03)' accurately summarizes the main objective of the PR, which is to convert a blocker-triage worktree into a reviewable PR branch with governance, security, and auth improvements. |


@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request establishes a dedicated integration lane for blocker triage, incorporating essential security and quality checks directly into the development workflow. It prepares a previously isolated worktree for review by adding pre-commit hooks for security scanning and code quality, while also refining .gitignore to manage generated files effectively.

Highlights

  • Workflow Integration: Converted a blocker-triage worktree into a reviewable pull request branch, streamlining the review process for critical issues.
  • Security and Quality Gates: Integrated governance, security-guard, documentation, and authentication/runtime triage deltas, enhancing code quality and security checks.
  • Clean Repository Management: Configured the repository to exclude local binary artifacts and worktree-internal generated files, ensuring a cleaner and more focused codebase.
Changelog
  • .coderabbit.yaml
    • Added Coderabbit AI review configuration.
  • .env.example
    • Updated a comment to reflect cliproxyapi++ instead of CLIProxyAPI.
  • .github/hooks/pre-commit
    • Introduced a pre-commit hook to execute the security-guard.sh script.
  • .github/hooks/security-guard.sh
    • Created a script to locate and run the pre-commit executable with a specified configuration.
  • .github/scripts/security-guard.sh
    • Implemented a script for ggshield secret scanning and optional codespell checks on changed files.
  • .gitignore
    • Expanded ignored files to include various AI tool artifacts and Spec Kitty CLI related directories.
Ignored Files
  • Ignored by pattern: .github/workflows/** (3)
    • .github/workflows/docker-image.yml
    • .github/workflows/security-guard-hook-audit.yml
    • .github/workflows/security-guard.yml

Co-authored-by: Codex <noreply@openai.com>

Copilot AI left a comment

Pull request overview

Converts a blocker-triage worktree into a PR branch by removing worktree/local/generated artifacts, and adding governance/security guardrails (Git hooks + CI pre-commit) plus a few runtime/docs tweaks.

Changes:

  • Remove large sets of mission templates / generated workflow & prompt files under .kittify/, .kilocode/, .cursor/, and .github/prompts/.
  • Add CI “Security Guard” workflows and repo-managed Git hooks to enforce pre-commit/secret scanning.
  • Adjust Docker workflow tag deletion behavior and rename app references in .env.example / workflow env.

Reviewed changes

Copilot reviewed 109 out of 190 changed files in this pull request and generated 4 comments.

File Description
.kittify/scripts/tasks/task_helpers.py Removed legacy shim module (now deleted).
.kittify/scripts/tasks/acceptance_support.py Removed legacy acceptance script entrypoint (now deleted).
.kittify/scripts/debug-dashboard-scan.py Removed debug-only dashboard scan script.
.kittify/missions/software-dev/templates/tasks-template.md Removed software-dev tasks template.
.kittify/missions/software-dev/templates/task-prompt-template.md Removed software-dev task prompt template.
.kittify/missions/software-dev/templates/spec-template.md Removed software-dev spec template.
.kittify/missions/software-dev/templates/plan-template.md Removed software-dev plan template.
.kittify/missions/software-dev/mission.yaml Removed software-dev mission definition.
.kittify/missions/software-dev/command-templates/review.md Removed software-dev review command template.
.kittify/missions/software-dev/command-templates/plan.md Removed software-dev plan command template.
.kittify/missions/software-dev/command-templates/implement.md Removed software-dev implement command template.
.kittify/missions/software-dev/command-templates/dashboard.md Removed software-dev dashboard command template.
.kittify/missions/software-dev/command-templates/clarify.md Removed software-dev clarify command template.
.kittify/missions/software-dev/command-templates/analyze.md Removed software-dev analyze command template.
.kittify/missions/software-dev/command-templates/accept.md Removed software-dev accept command template.
.kittify/missions/research/templates/tasks-template.md Removed research tasks template.
.kittify/missions/research/templates/task-prompt-template.md Removed research task prompt template.
.kittify/missions/research/templates/spec-template.md Removed research spec template.
.kittify/missions/research/templates/research/source-register.csv Removed research source register template CSV.
.kittify/missions/research/templates/research/evidence-log.csv Removed research evidence log template CSV.
.kittify/missions/research/templates/research-template.md Removed research decision log template.
.kittify/missions/research/templates/plan-template.md Removed research plan template.
.kittify/missions/research/templates/data-model-template.md Removed research data model template.
.kittify/missions/research/mission.yaml Removed research mission definition.
.kittify/missions/research/command-templates/tasks.md Removed research tasks command template.
.kittify/missions/research/command-templates/specify.md Removed research specify command template.
.kittify/missions/research/command-templates/review.md Removed research review command template.
.kittify/missions/research/command-templates/plan.md Removed research plan command template.
.kittify/missions/research/command-templates/implement.md Removed research implement command template.
.kittify/missions/documentation/templates/tasks-template.md Removed documentation tasks template.
.kittify/missions/documentation/templates/task-prompt-template.md Removed documentation task prompt template.
.kittify/missions/documentation/templates/spec-template.md Removed documentation spec template.
.kittify/missions/documentation/templates/release-template.md Removed documentation release template.
.kittify/missions/documentation/templates/generators/sphinx-conf.py.template Removed Sphinx conf template.
.kittify/missions/documentation/templates/generators/jsdoc.json.template Removed JSDoc config template.
.kittify/missions/documentation/templates/divio/tutorial-template.md Removed Divio tutorial template.
.kittify/missions/documentation/templates/divio/reference-template.md Removed Divio reference template.
.kittify/missions/documentation/templates/divio/howto-template.md Removed Divio how-to template.
.kittify/missions/documentation/templates/divio/explanation-template.md Removed Divio explanation template.
.kittify/missions/documentation/mission.yaml Removed documentation mission definition.
.kittify/missions/documentation/command-templates/tasks.md Removed documentation tasks command template.
.kittify/missions/documentation/command-templates/specify.md Removed documentation specify command template.
.kittify/metadata.yaml Removed generated spec-kitty metadata file.
.kittify/.dashboard Removed local dashboard state file.
.kilocode/workflows/spec-kitty.status.md Removed generated workflow doc.
.kilocode/workflows/spec-kitty.review.md Removed generated workflow doc.
.kilocode/workflows/spec-kitty.research.md Removed generated workflow doc.
.kilocode/workflows/spec-kitty.plan.md Removed generated workflow doc.
.kilocode/workflows/spec-kitty.implement.md Removed generated workflow doc.
.kilocode/workflows/spec-kitty.dashboard.md Removed generated workflow doc.
.kilocode/workflows/spec-kitty.clarify.md Removed generated workflow doc.
.kilocode/workflows/spec-kitty.analyze.md Removed generated workflow doc.
.kilocode/workflows/spec-kitty.accept.md Removed generated workflow doc.
.github/workflows/security-guard.yml Added CI workflow to run pre-commit checks.
.github/workflows/security-guard-hook-audit.yml Added CI workflow to verify repo-managed Git hooks execute.
.github/workflows/docker-image.yml Adjusted env + hardened Docker Hub tag deletion behavior.
.github/scripts/security-guard.sh Added local script for ggshield + optional codespell pass.
.github/prompts/spec-kitty.status.prompt.md Removed generated prompt file.
.github/prompts/spec-kitty.review.prompt.md Removed generated prompt file.
.github/prompts/spec-kitty.research.prompt.md Removed generated prompt file.
.github/prompts/spec-kitty.plan.prompt.md Removed generated prompt file.
.github/prompts/spec-kitty.implement.prompt.md Removed generated prompt file.
.github/prompts/spec-kitty.dashboard.prompt.md Removed generated prompt file.
.github/prompts/spec-kitty.clarify.prompt.md Removed generated prompt file.
.github/prompts/spec-kitty.analyze.prompt.md Removed generated prompt file.
.github/prompts/spec-kitty.accept.prompt.md Removed generated prompt file.
.github/hooks/security-guard.sh Added repo-managed pre-commit hook runner.
.github/hooks/pre-commit Added repo-managed pre-commit hook entrypoint.
.github/copilot-instructions.md Removed Copilot instructions file.
.env.example Updated app naming in comment header.
.cursorignore Removed Cursor ignore config.
.cursor/commands/spec-kitty.status.md Removed generated Cursor command doc.
.cursor/commands/spec-kitty.review.md Removed generated Cursor command doc.
.cursor/commands/spec-kitty.research.md Removed generated Cursor command doc.
.cursor/commands/spec-kitty.plan.md Removed generated Cursor command doc.
.cursor/commands/spec-kitty.implement.md Removed generated Cursor command doc.
.cursor/commands/spec-kitty.dashboard.md Removed generated Cursor command doc.
.cursor/commands/spec-kitty.clarify.md Removed generated Cursor command doc.
.cursor/commands/spec-kitty.analyze.md Removed generated Cursor command doc.
.cursor/commands/spec-kitty.accept.md Removed generated Cursor command doc.
.coderabbit.yaml Added CodeRabbit review configuration.
.claudeignore Removed Claude ignore config.


env:
APP_NAME: CLIProxyAPI
APP_NAME: cliproxyapi++

Copilot AI Mar 3, 2026

APP_NAME contains ++, which is invalid in common Docker/OCI naming contexts (and often gets reused in tags/labels/artifact names). This is likely to break image naming/tagging or any script that assumes [a-z0-9._-]+. Use a Docker-safe identifier (e.g., cliproxyapi-plus or cliproxyapi) and keep any “++” branding only in human-facing docs.

Suggested change
APP_NAME: cliproxyapi++
APP_NAME: cliproxyapi-plus

@@ -1,4 +1,4 @@
# Example environment configuration for CLIProxyAPI.
# Example environment configuration for cliproxyapi++.

Copilot AI Mar 3, 2026

The cliproxyapi++ rename in the example header will drift from tooling/config expectations if the project still uses the existing DockerHub repo slug cli-proxy-api-plus / prior CLIProxyAPI naming elsewhere. Consider aligning this comment with the canonical app/repo identifier used in build/publish tooling (or adding a short note mapping “branding name” to “artifact-safe name”).

Suggested change
# Example environment configuration for cliproxyapi++.
# Example environment configuration for cli-proxy-api-plus (CLIProxyAPI).

Comment on lines +21 to +28
changed_files=$(git diff --cached --name-only --diff-filter=ACM || true)
if [ -z "${changed_files}" ]; then
changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true)
fi

if [ -n "${changed_files}" ]; then
echo "[security-guard] Running optional codespell fast pass"
echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true
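Review bot: the trailing `|| true` on the codespell line applies to the whole pipeline, so a grep with no matching files, a missing codespell binary and real codespell findings all end with exit status 0 and nothing downstream can tell them apart. If the pass is meant to be advisory, test for the tool first with `command -v codespell` and skip with a message, then report codespell's own exit status instead of discarding it. The fallback `git diff --name-only HEAD~1..HEAD` also drops the `--diff-filter=ACM` used on the staged path, so it can list files deleted in the last commit that no longer exist in the working tree.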

Copilot AI Mar 3, 2026

This pipeline is not portable and can mis-handle filenames: xargs -r is not supported on macOS/BSD, and piping newline-delimited paths through grep | xargs will break on paths with spaces. Prefer using NUL-delimited output (git diff --name-only -z) and xargs -0, or iterate in a while IFS= read -r loop; also avoid relying on -r for correctness.

Suggested change
changed_files=$(git diff --cached --name-only --diff-filter=ACM || true)
if [ -z "${changed_files}" ]; then
changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true)
fi
if [ -n "${changed_files}" ]; then
echo "[security-guard] Running optional codespell fast pass"
echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true
diff_cmd=()
# Prefer staged changes; fall back to the last commit if there are none.
if git diff --cached --name-only --diff-filter=ACM --quiet >/dev/null 2>&1; then
# No staged changes (or unable to diff); try last commit range.
if ! git diff --name-only HEAD~1..HEAD --quiet >/dev/null 2>&1; then
diff_cmd=(git diff --name-only -z HEAD~1..HEAD)
fi
else
# There are staged changes to check.
diff_cmd=(git diff --cached --name-only --diff-filter=ACM -z)
fi
if [ "${#diff_cmd[@]}" -ne 0 ]; then
echo "[security-guard] Running optional codespell fast pass"
files=()
"${diff_cmd[@]}" | while IFS= read -r -d '' path; do
case "$path" in
*.md|*.txt|*.py|*.ts|*.tsx|*.js|*.go|*.rs|*.kt|*.java|*.yaml|*.yml)
files+=("$path")
;;
esac
done
if [ "${#files[@]}" -gt 0 ]; then
codespell -q 2 -L "hte,teh" "${files[@]}" || true
fi
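Review bot: in the suggested replacement, `"${diff_cmd[@]}" | while IFS= read -r -d '' path; do` runs the loop body in a pipeline subshell, so the `files+=("$path")` appends are lost and `files` is still empty when `[ "${#files[@]}" -gt 0 ]` is evaluated; codespell is never invoked. Feed the loop from process substitution instead, `done < <("${diff_cmd[@]}")`, so the array is filled in the current shell. The arrays and `read -d ''` also require bash, so this only works if the script's interpreter line is bash rather than a POSIX `sh`.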

Comment on lines +12 to +14
echo "pre-commit executable not found; trying to install via pip"
python -m pip install --quiet pre-commit
PRE_COMMIT="pre-commit"
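Review bot: `PRE_COMMIT="pre-commit"` on the last line is assigned without checking that `python -m pip install --quiet pre-commit` succeeded or that the installed script ended up on `PATH`, so a failed install surfaces later as an unrelated "command not found" and `--quiet` hides the reason. Test the install's exit status and repeat the lookup (for example with `command -v pre-commit`) before continuing. If the install stays, pin it (`pre-commit==<version>`, placeholder) so the hook does not fetch whatever release is current at commit time.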

Copilot AI Mar 3, 2026

Auto-installing pre-commit from inside a Git hook modifies the user environment unexpectedly and may pull unpinned dependencies at commit time. Safer behavior is to fail with a clear instruction (e.g., “install pre-commit via pipx/uv/pip in your venv”) or install into a controlled toolchain (like uv tool run / pipx run) rather than performing an implicit global install.

Suggested change
echo "pre-commit executable not found; trying to install via pip"
python -m pip install --quiet pre-commit
PRE_COMMIT="pre-commit"
echo "pre-commit executable not found." >&2
echo "Please install it before committing, for example:" >&2
echo " - In your virtualenv: python -m pip install pre-commit" >&2
echo " - Or with pipx: pipx install pre-commit" >&2
echo "After installation, re-run your commit." >&2
exit 1


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces several changes related to development workflow and tooling, including adding configuration for CodeRabbit, pre-commit hooks for security scanning, and updating the .gitignore file. My review focuses on the new shell scripts and the .gitignore changes. I've identified a potential bug in the security-guard.sh script related to handling filenames with spaces, and a redundant entry in the .gitignore file. Addressing these points will improve the robustness and maintainability of the new scripts and configurations.


if [ -n "${changed_files}" ]; then
echo "[security-guard] Running optional codespell fast pass"
echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true

medium

The current use of xargs will not correctly handle filenames that contain spaces, because xargs splits its input on whitespace by default. This can result in codespell either failing or not scanning the intended files. To make this script more robust, you should use a method that correctly handles spaces in file paths, such as using null-delimited streams.

Suggested change
echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true
echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | tr '\n' '\0' | xargs -0 -r codespell -q 2 -L "hte,teh" || true
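Review bot: the added `tr '\n' '\0' | xargs -0` stage fixes splitting on spaces but still works from `changed_files`, which was captured from `git diff --name-only` without `-z`; in that mode git C-quotes paths containing unusual characters (see `core.quotePath`), and a path containing a newline is still split in two. Produce NUL-delimited output at the source with `git diff --name-only -z` and pipe it straight into the filter, since a shell variable cannot hold NUL bytes, rather than converting newlines after the fact.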

.roo/
.amazonq/
.github/copilot/
.kittify/.dashboard

medium

This entry .kittify/.dashboard is redundant because of the more general .kittify/ entry on line 75. To keep the .gitignore file clean and avoid confusion, it's best to remove this redundant line.

KooshaPari added a commit that referenced this pull request Mar 3, 2026
- reconcile PR #839 with current main content and path moves
- apply CodeRabbit/Copilot requested hardening updates
- keep release-prep remediation scoped to touched files in this lane

Co-authored-by: Codex <noreply@openai.com>
@KooshaPari
Owner Author

@coderabbitai full review

@coderabbitai

coderabbitai bot commented Mar 3, 2026

✅ Actions performed

Full review triggered.

@KooshaPari KooshaPari added the ci:coderabbit-bypass Temporary bypass for CodeRabbit rate-limit under high PR backlog. label Mar 3, 2026
@github-actions github-actions bot removed the ci:coderabbit-bypass Temporary bypass for CodeRabbit rate-limit under high PR backlog. label Mar 3, 2026
@coderabbitai coderabbitai bot added HELIOS-CODEX Bundle identifier for HELIOS-CODEX release train HELIOS-CODEX-L0 HELIOS-CODEX foundation layer ci:coderabbit-bypass Temporary bypass for CodeRabbit rate-limit under high PR backlog. labels Mar 3, 2026
@github-actions github-actions bot removed the ci:coderabbit-bypass Temporary bypass for CodeRabbit rate-limit under high PR backlog. label Mar 3, 2026
@KooshaPari KooshaPari added the ci:coderabbit-bypass Temporary bypass for CodeRabbit rate-limit under high PR backlog. label Mar 3, 2026
@github-actions github-actions bot removed the ci:coderabbit-bypass Temporary bypass for CodeRabbit rate-limit under high PR backlog. label Mar 3, 2026
@KooshaPari
Owner Author

@coderabbitai review

@KooshaPari KooshaPari added the ci:coderabbit-bypass Temporary bypass for CodeRabbit rate-limit under high PR backlog. label Mar 3, 2026
@coderabbitai

coderabbitai bot commented Mar 3, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@github-actions github-actions bot removed the ci:coderabbit-bypass Temporary bypass for CodeRabbit rate-limit under high PR backlog. label Mar 3, 2026
@KooshaPari KooshaPari force-pushed the chore/blocker-triage-canonical-dirty-20260303 branch from 5ab71fd to 319f6d3 Compare March 3, 2026 16:57
@KooshaPari
Owner Author

@coderabbitai full review

@coderabbitai

coderabbitai bot commented Mar 3, 2026

✅ Actions performed

Full review triggered.

@KooshaPari
Owner Author

Status update: I’m treating this as the canonical blocker-lane PR for cliproxy right now. Current blocker is true branch conflict (CONFLICTING/DIRTY) after upstream drift plus a live branch rewrite during prior cleanup runs. I’m not proceeding with a risky history rewrite here; next step is to close/rebase this lane from a clean PR branch that includes only non-conflicting 839 deltas, then rerun checks. 838 appears to be a likely duplicate of earlier policy-federation lane and can be closed once 839 is reconstituted.

@KooshaPari
Owner Author

Closing this stale blocker-triage lane: it now has very large structural drift (196 files, 20k+ deletions) and is conflict-heavy against current main. Please reopen as a clean replay PR if any remaining deltas are still needed.

@KooshaPari KooshaPari closed this Mar 5, 2026

Labels

HELIOS-CODEX Bundle identifier for HELIOS-CODEX release train HELIOS-CODEX-L0 HELIOS-CODEX foundation layer


2 participants