ci: inherit gadfly's default swarm (slim caller, re-pin @b02b11d) #14

Merged
steve merged 1 commits from ci/gadfly-default into main 2026-06-28 02:48:25 +00:00
Owner

Follow-up to the merged #13: now that steve/gadfly#10 centralized the curated swarm as the reusable workflow's default, drop executus's explicit with: swarm block and inherit it.

  • Re-pin uses: …@20a5c43 → @b02b11d (post-#10 gadfly commit).
  • Remove models / specialists / provider_concurrency / provider_lens_concurrency / timeout_secs / max_steps / timeout_minutes — all inherited now (3 cloud + Claude Code, 5-lens suite).
  • Keep only the consumer-specific allowed_users + secret forwarding + actor gate.

Net effect: executus moves from 6-cloud/3-lens to the shared default (3 cloud + Claude Code, 5 lenses), edited centrally in gadfly going forward. Advisory only.

🤖 Generated with Claude Code

Follow-up to the merged #13: now that steve/gadfly#10 centralized the curated swarm as the reusable workflow's **default**, drop executus's explicit `with:` swarm block and **inherit** it. - Re-pin `uses: …@20a5c43 → @b02b11d` (post-#10 gadfly commit). - Remove `models` / `specialists` / `provider_concurrency` / `provider_lens_concurrency` / `timeout_secs` / `max_steps` / `timeout_minutes` — all inherited now (3 cloud + Claude Code, 5-lens suite). - Keep only the consumer-specific `allowed_users` + secret forwarding + actor gate. Net effect: executus moves from 6-cloud/3-lens to the shared default (3 cloud + Claude Code, 5 lenses), edited centrally in gadfly going forward. Advisory only. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

🪰 Gadfly — live review status

6/6 reviewers finished · updated 2026-06-28 02:32:32Z

claude-code/opus · claude-code — done

  • security — No material issues found
  • correctness — No material issues found
  • maintainability — Minor issues
  • performance — No material issues found
  • error-handling — No material issues found

claude-code/opus:max · claude-code — done

  • security — No material issues found
  • correctness — No material issues found
  • maintainability — Minor issues
  • performance — No material issues found
  • error-handling — No material issues found

claude-code/sonnet · claude-code — done

  • security — No material issues found
  • correctness — No material issues found
  • maintainability — No material issues found
  • performance — No material issues found
  • error-handling — Minor issues

deepseek-v4-pro:cloud · ollama-cloud — done

  • security — No material issues found
  • correctness — No material issues found
  • maintainability — No material issues found
  • performance — No material issues found
  • error-handling — No material issues found

glm-5.2:cloud · ollama-cloud — done

  • security — No material issues found
  • correctness — No material issues found
  • maintainability — No material issues found
  • performance — No material issues found
  • error-handling — No material issues found

minimax-m3:cloud · ollama-cloud — done

  • security — No material issues found
  • correctness — No material issues found
  • maintainability — No material issues found
  • performance — No material issues found
  • error-handling — No material issues found

Live status board. Findings are posted in each model's own comment. Advisory only — does not block merge.

<!-- gadfly-status-board --> ## 🪰 Gadfly — live review status 6/6 reviewers finished · updated 2026-06-28 02:32:32Z #### `claude-code/opus` · claude-code — ✅ done - ✅ **security** — No material issues found - ✅ **correctness** — No material issues found - ✅ **maintainability** — Minor issues - ✅ **performance** — No material issues found - ✅ **error-handling** — No material issues found #### `claude-code/opus:max` · claude-code — ✅ done - ✅ **security** — No material issues found - ✅ **correctness** — No material issues found - ✅ **maintainability** — Minor issues - ✅ **performance** — No material issues found - ✅ **error-handling** — No material issues found #### `claude-code/sonnet` · claude-code — ✅ done - ✅ **security** — No material issues found - ✅ **correctness** — No material issues found - ✅ **maintainability** — No material issues found - ✅ **performance** — No material issues found - ✅ **error-handling** — Minor issues #### `deepseek-v4-pro:cloud` · ollama-cloud — ✅ done - ✅ **security** — No material issues found - ✅ **correctness** — No material issues found - ✅ **maintainability** — No material issues found - ✅ **performance** — No material issues found - ✅ **error-handling** — No material issues found #### `glm-5.2:cloud` · ollama-cloud — ✅ done - ✅ **security** — No material issues found - ✅ **correctness** — No material issues found - ✅ **maintainability** — No material issues found - ✅ **performance** — No material issues found - ✅ **error-handling** — No material issues found #### `minimax-m3:cloud` · ollama-cloud — ✅ done - ✅ **security** — No material issues found - ✅ **correctness** — No material issues found - ✅ **maintainability** — No material issues found - ✅ **performance** — No material issues found - ✅ **error-handling** — No material issues found <sub>Live status board. Findings are posted in each model's own comment. Advisory only — does not block merge.</sub>

🪰 Gadfly review — minimax-m3:cloud (ollama-cloud)

Verdict: No material issues found — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — No material issues found

Verdict: No material issues found

Reviewed through the security lens only. The change is configuration-only (no new code paths, no new taint sources, no new secrets surface).

Notes on what I checked:

  • Secret forwarding unchanged & still least-privilege. .gitea/workflows/adversarial-review.yml:44-48 still forwards exactly the four secrets the consumer expects, matching the inherited swarm the PR describes (3 ollama-cloud + Claude Code). No new secrets introduced, none dropped.
  • Pinning preserved & strengthened. Line 42 still pins to an immutable commit SHA (b02b11d69139843665da4cdbf776bc0b3583490d), not a branch — so a push to steve/gadfly cannot silently swap the code that runs with the forwarded secrets. This is the correct mitigation for the cross-repo trust delegation that already existed before this PR.
  • Actor gate preserved. Lines 34–39 still gate issue_comment to steve | fizi | dazed and only when the issue is linked to a PR. pull_request and workflow_dispatch are correctly left ungated (those triggers are already trusted).
  • Allow-list input preserved. allowed_users: "steve,fizi,dazed" on line 52 is still passed, so the in-container belt-and-suspenders check is intact.
  • Token scope unchanged. permissions: block still contents: read, issues: write, pull-requests: write — appropriately scoped; no actions: write or wildcard.
  • No new injection surfaces. Removing the with: blocks actually shrinks the set of interpolated values flowing into the reusable workflow. No new template, path, SQL, command, or SSRF vectors are introduced.
  • Removed inputs. timeout_secs, max_steps, timeout_minutes, provider_concurrency, provider_lens_concurrency, specialists, models are pure behavior knobs — removing them is a delegation to upstream defaults and has no direct security implication on executus.
  • Unverified (out of reach). I cannot independently inspect steve/gadfly's review-reusable.yml at @b02b11d to confirm its defaults don't, e.g., request additional secrets or relax input validation. The immutable-SHA pin + the unchanged explicit allowed_users is the appropriate boundary given that constraint.

Nothing in the diff opens a new authn/authz gap, injection vector, SSRF, deserialization risk, secret leak, or unsafe default from this lens.

🎯 Correctness — No material issues found

VERDICT: No material issues found

What I checked:

  • .gitea/workflows/adversarial-review.yml post-change (full file): the change is purely a deletion of with: keys plus a version-pin bump to b02b11d. No logic was added; nothing in the repo references the removed keys (specialists, provider_concurrency, provider_lens_concurrency, timeout_secs, max_steps, timeout_minutes), so there is no consumer-side reference to break. Verified by grep across the repo.
  • The actor gate (steve/fizi/dazed) still mirrors allowed_users at adversarial-review.yml:34-39 and :52 — consistent.
  • The pinned uses: at :42 references an external, immutable commit hash, which is the right hardening per the in-file comment.

One unverified semantic claim worth surfacing (not a blocker, just a "trust-but-verify" note):

  • The new header comment at :1-5 asserts the inherited default is "3 cloud models + Claude Code sonnet/opus/opus:max, 5-lens suite." The upstream default swarm at steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d… is not in this repo, so I cannot re-derive the model/specialist counts from first principles. Independently, examples/reviewer/main.go:17-21 documents its own DefaultLenses (which the file's comment says "mirrors gadfly's default") as exactly 3 lenses (security, correctness, error-handling) — not 5. So the canary comment and the new header comment disagree on the lens count. Either gadfly's upstream default has grown to 5 lenses since the canary was written (plausible — b02b11d is the whole point of this PR), or the new header's "5-lens suite" is wrong. I can't confirm without network access to gadfly at that commit. Suggested fix: after this PR merges, run a dogfood review once and have the reporter dump the actual swarm size back into this comment (or the canary's) so the two stay aligned.
🧹 Code cleanliness & maintainability — No material issues found

I've verified the current state of .gitea/workflows/adversarial-review.yml against the diff.

VERDICT: No material issues found

Reviewing through the code cleanliness & maintainability lens:

  • Header comment is now accurate. The previous version claimed "Mirrors gadfly's own dogfood config: 6 cloud models + the Claude Code engine…", which would have become a lie the moment this PR landed. The new header describes the inheritance contract truthfully. Good housekeeping.
  • Removed keys truly are redundant. models, specialists, provider_concurrency, provider_lens_concurrency, timeout_secs, max_steps, timeout_minutes were all duplicated state with gadfly's default; deleting them is a pure cleanup with no loss of information (the pin comment still points readers at the source of truth).
  • Style consistency preserved. The new 2-line comment above with: follows the existing pattern of intent-explaining comments that sit above each block (compare to the comment above uses: and above the if: gate). Alignment of secrets: is kept intact.
  • Preexisting "duplication" is not new. steve,fizi,dazed appears in both the if: actor gate and with: allowed_users. This is intentional and explicitly documented in-file ("Mirrors the allowed_users input below (the in-container belt-and-suspenders check)") — not introduced by this PR, and not in my lane to flag.
  • Secret-name fix piggy-backed cleanly. The comment now reads GITEA_TOKEN is auto instead of the old CLAUDE_CODE_OAUTH_TOKEN is auto (verified: .gitea/workflows/adversarial-review.yml:43), correcting a stale leftover from before #13.

The change is a net positive for cleanliness: 7 duplicated config lines removed, 1 stale comment updated, and the file honestly describes what it now does.

Performance — No material issues found

VERDICT: No material issues found

Nothing in this diff is in the performance lane worth flagging.

  • Swarm size is being reduced, not grown. The PR explicitly drops the executus override from a 6-cloud + 3-lens swarm to the inherited 3-cloud + 5-lens default. Fewer models, fewer specialists, lower implied fan-out — net improvement on CI wall-time and provider cost, not a regression.
  • Concurrency knobs (provider_concurrency, provider_lens_concurrency) are removed in favor of upstream defaults. I can't verify what those defaults are without access to steve/gadfly@… at the pinned commit b02b11d, but the override removal is the entire purpose of the PR ("inherit"), so flagging the unknown default as a regression would be guessing. Not flagging.
  • Timeouts (timeout_secs, timeout_minutes) are removed. Same situation — I cannot read the upstream review-reusable.yml defaults to compare, and removing an explicit override is a deliberate consumer choice, not a perf regression introduced by this diff.
  • Hot paths / N+1 / allocations / unbounded growth / blocking calls: not applicable — this is a Gitea Actions YAML file with no executable code paths of my own.
  • Commit re-pin 20a5c43 → b02b11d: pins to a newer upstream commit, which is the contract this PR is built on; not a perf concern in itself.

No verification gaps worth raising in this lane — the file is 53 lines of declarative CI config and I've read the full state. The change is a perf-positive simplification.

🧯 Error handling & edge cases — No material issues found

Now I have enough context. Let me think through this strictly via my lens (error handling & edge cases).

Analysis through error-handling/edge-case lens:

  1. Removed timeout_minutes: 90 — Before, the caller set timeout_minutes: 90. After the change, no caller override means the reusable workflow's default timeout-minutes applies. This is purely an inheritance-of-default situation — not an error-handling regression in the caller itself, as long as gadfly's default is sane. Not a finding for this lens (depends on the external default I cannot verify, and other lenses cover contract drift).

  2. Removed timeout_secs: 600 / max_steps: 14 — same as above; inherited from defaults. Not a lens-of-mine finding.

  3. Pin @b02b11d69139843665da4cdbf776bc0b3583490d — syntactically a 40-char hex SHA. Well-formed. Not in my lane.

  4. concurrency.group expression (unchanged by the diff but still in scope for the file):

    gadfly-${{ github.event.issue.number || github.event.pull_request.number || github.event.inputs.pr_number }}
    

    On pull_request events, github.event.issue is absent and github.event.pull_request.number is the natural source. On issue_comment, github.event.issue.number exists. On workflow_dispatch, both github.event.issue and github.event.pull_request are null; only github.event.inputs.pr_number provides a number. Gitea's expression evaluator treats null as falsy, so the || chain falls through correctly. Not broken by the diff.

  5. if: actor gate (unchanged): The if: short-circuits on non-issue_comment events (no gate), and on issue_comment requires the issue to actually be a PR (github.event.issue.pull_request truthy) AND the actor to be in the allow-list. If someone comments on a non-PR issue (just an issue), the gate evaluates false && (… || … || …)false, so the job is skipped — which is the intended behavior (don't run a secret-bearing reviewer on plain issues). No silent failure, no crash.

  6. workflow_dispatch with empty pr_number inputpr_number is required: true in the inputs: schema (verified at lines 18–19). Gitea enforces required: true at dispatch time, so an empty string can't get past the UI. Even if it could, the concurrency group expression with an empty string would just collapse runs on the same empty key. Not a defect in the changed code.

  7. Empty with: allowed_users — explicitly set to "steve,fizi,dazed", non-empty. Fine.

  8. None of the removed values had a nil/empty-collection defensive angle — they were simple string scalars. Removing them can't introduce a "nil deref" or "empty collection" bug at the caller level; the defaults live in the callee.

  9. No new defer, cleanup, or rollback was added or removed in this diff — there is no Go code, only YAML. There's nothing to leak, no file descriptor to close, no goroutine to cancel.

Net: the diff is a pure inheritance change at the YAML caller. Nothing it adds or removes introduces a new nil/empty/overflow/boundary error path in this file. The error-handling shape of the workflow (actor gate, concurrency group, required inputs, pinned ref) is unchanged.

VERDICT: No material issues found in the error-handling / edge-case lens.

Review — Error handling & edge cases

No material issues found in this lens.

The diff is a pure inheritance change at the YAML caller — it removes a handful of with: string scalars (models, specialists, provider_concurrency, provider_lens_concurrency, timeout_secs, max_steps, timeout_minutes) and re-pins the reusable workflow to a new SHA. Verified directly in the checked-out file .gitea/workflows/adversarial-review.yml:42-52:

  • The actor gate at lines 34–39 still correctly short-circuits on non-issue_comment events and rejects comments on non-PR issues (github.event.issue.pull_request falsy ⇒ false && … ⇒ safe skip, no partial evaluation).
  • The concurrency.group expression at line 26 falls through issue.number → pull_request.number → inputs.pr_number correctly for each of the three triggers.
  • workflow_dispatch.inputs.pr_number is declared required: true (lines 18–19), so an empty/nil dispatch payload can't reach the job.
  • The new pin @b02b11d69139843665da4cdbf776bc0b3583490d is a syntactically valid 40-char hex SHA.
  • No Go code, resources, deferred cleanup, or error-swallowing paths are introduced or removed; the diff is YAML-only.

Whether the inherited defaults (3-cloud swarm, 5 lenses, new timeout/step limits) are themselves adequate is a contract/correctness question that belongs to another lens.

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 2m 56s

<!-- gadfly-review:ollama:minimax-m3:cloud --> ### 🪰 Gadfly review — `minimax-m3:cloud` (ollama-cloud) **Verdict: No material issues found** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — No material issues found</summary> ## Verdict: No material issues found Reviewed through the security lens only. The change is configuration-only (no new code paths, no new taint sources, no new secrets surface). Notes on what I checked: - **Secret forwarding unchanged & still least-privilege.** `.gitea/workflows/adversarial-review.yml:44-48` still forwards exactly the four secrets the consumer expects, matching the inherited swarm the PR describes (3 ollama-cloud + Claude Code). No new secrets introduced, none dropped. - **Pinning preserved & strengthened.** Line 42 still pins to an immutable commit SHA (`b02b11d69139843665da4cdbf776bc0b3583490d`), not a branch — so a push to `steve/gadfly` cannot silently swap the code that runs with the forwarded secrets. This is the correct mitigation for the cross-repo trust delegation that already existed before this PR. - **Actor gate preserved.** Lines 34–39 still gate `issue_comment` to `steve | fizi | dazed` and only when the issue is linked to a PR. `pull_request` and `workflow_dispatch` are correctly left ungated (those triggers are already trusted). - **Allow-list input preserved.** `allowed_users: "steve,fizi,dazed"` on line 52 is still passed, so the in-container belt-and-suspenders check is intact. - **Token scope unchanged.** `permissions:` block still `contents: read, issues: write, pull-requests: write` — appropriately scoped; no `actions: write` or wildcard. - **No new injection surfaces.** Removing the `with:` blocks actually shrinks the set of interpolated values flowing into the reusable workflow. No new template, path, SQL, command, or SSRF vectors are introduced. - **Removed inputs.** `timeout_secs`, `max_steps`, `timeout_minutes`, `provider_concurrency`, `provider_lens_concurrency`, `specialists`, `models` are pure behavior knobs — removing them is a delegation to upstream defaults and has no direct security implication on executus. - **Unverified (out of reach).** I cannot independently inspect `steve/gadfly`'s `review-reusable.yml` at `@b02b11d` to confirm its defaults don't, e.g., request additional secrets or relax input validation. The immutable-SHA pin + the unchanged explicit `allowed_users` is the appropriate boundary given that constraint. Nothing in the diff opens a new authn/authz gap, injection vector, SSRF, deserialization risk, secret leak, or unsafe default from this lens. </details> <details><summary><b>🎯 Correctness</b> — No material issues found</summary> VERDICT: No material issues found What I checked: - `.gitea/workflows/adversarial-review.yml` post-change (full file): the change is purely a deletion of `with:` keys plus a version-pin bump to `b02b11d`. No logic was added; nothing in the repo references the removed keys (`specialists`, `provider_concurrency`, `provider_lens_concurrency`, `timeout_secs`, `max_steps`, `timeout_minutes`), so there is no consumer-side reference to break. Verified by `grep` across the repo. - The actor gate (`steve`/`fizi`/`dazed`) still mirrors `allowed_users` at `adversarial-review.yml:34-39` and `:52` — consistent. - The pinned `uses:` at `:42` references an external, immutable commit hash, which is the right hardening per the in-file comment. One unverified semantic claim worth surfacing (not a blocker, just a "trust-but-verify" note): - The new header comment at `:1-5` asserts the inherited default is "3 cloud models + Claude Code sonnet/opus/opus:max, **5-lens suite**." The upstream default swarm at `steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d…` is not in this repo, so I cannot re-derive the model/specialist counts from first principles. Independently, `examples/reviewer/main.go:17-21` documents its own `DefaultLenses` (which the file's comment says "mirrors gadfly's default") as exactly **3 lenses** (`security`, `correctness`, `error-handling`) — not 5. So the canary comment and the new header comment disagree on the lens count. Either gadfly's upstream default has grown to 5 lenses since the canary was written (plausible — `b02b11d` is the whole point of this PR), or the new header's "5-lens suite" is wrong. I can't confirm without network access to gadfly at that commit. Suggested fix: after this PR merges, run a dogfood review once and have the reporter dump the actual swarm size back into this comment (or the canary's) so the two stay aligned. </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — No material issues found</summary> I've verified the current state of `.gitea/workflows/adversarial-review.yml` against the diff. ## VERDICT: No material issues found Reviewing through the **code cleanliness & maintainability** lens: - **Header comment is now accurate.** The previous version claimed "Mirrors gadfly's own dogfood config: 6 cloud models + the Claude Code engine…", which would have become a lie the moment this PR landed. The new header describes the inheritance contract truthfully. Good housekeeping. - **Removed keys truly are redundant.** `models`, `specialists`, `provider_concurrency`, `provider_lens_concurrency`, `timeout_secs`, `max_steps`, `timeout_minutes` were all duplicated state with gadfly's default; deleting them is a pure cleanup with no loss of information (the pin comment still points readers at the source of truth). - **Style consistency preserved.** The new 2-line comment above `with:` follows the existing pattern of intent-explaining comments that sit above each block (compare to the comment above `uses:` and above the `if:` gate). Alignment of `secrets:` is kept intact. - **Preexisting "duplication" is not new.** `steve,fizi,dazed` appears in both the `if:` actor gate and `with: allowed_users`. This is intentional and explicitly documented in-file ("Mirrors the allowed_users input below (the in-container belt-and-suspenders check)") — not introduced by this PR, and not in my lane to flag. - **Secret-name fix piggy-backed cleanly.** The comment now reads `GITEA_TOKEN is auto` instead of the old `CLAUDE_CODE_OAUTH_TOKEN is auto` (verified: `.gitea/workflows/adversarial-review.yml:43`), correcting a stale leftover from before #13. The change is a net positive for cleanliness: 7 duplicated config lines removed, 1 stale comment updated, and the file honestly describes what it now does. </details> <details><summary><b>⚡ Performance</b> — No material issues found</summary> VERDICT: No material issues found Nothing in this diff is in the performance lane worth flagging. - **Swarm size is being reduced, not grown.** The PR explicitly drops the executus override from a 6-cloud + 3-lens swarm to the inherited 3-cloud + 5-lens default. Fewer models, fewer specialists, lower implied fan-out — net *improvement* on CI wall-time and provider cost, not a regression. - **Concurrency knobs (`provider_concurrency`, `provider_lens_concurrency`) are removed in favor of upstream defaults.** I can't verify what those defaults are without access to `steve/gadfly@…` at the pinned commit `b02b11d`, but the override removal is the entire purpose of the PR ("inherit"), so flagging the unknown default as a regression would be guessing. Not flagging. - **Timeouts (`timeout_secs`, `timeout_minutes`) are removed.** Same situation — I cannot read the upstream `review-reusable.yml` defaults to compare, and removing an explicit override is a deliberate consumer choice, not a perf regression introduced by this diff. - **Hot paths / N+1 / allocations / unbounded growth / blocking calls**: not applicable — this is a Gitea Actions YAML file with no executable code paths of my own. - **Commit re-pin `20a5c43 → b02b11d`**: pins to a newer upstream commit, which is the contract this PR is built on; not a perf concern in itself. No verification gaps worth raising in this lane — the file is 53 lines of declarative CI config and I've read the full state. The change is a perf-positive simplification. </details> <details><summary><b>🧯 Error handling & edge cases</b> — No material issues found</summary> Now I have enough context. Let me think through this strictly via my lens (error handling & edge cases). **Analysis through error-handling/edge-case lens:** 1. **Removed `timeout_minutes: 90`** — Before, the caller set `timeout_minutes: 90`. After the change, no caller override means the reusable workflow's default `timeout-minutes` applies. This is purely an inheritance-of-default situation — not an error-handling regression in the caller itself, as long as gadfly's default is sane. Not a finding for this lens (depends on the external default I cannot verify, and other lenses cover contract drift). 2. **Removed `timeout_secs: 600` / `max_steps: 14`** — same as above; inherited from defaults. Not a lens-of-mine finding. 3. **Pin `@b02b11d69139843665da4cdbf776bc0b3583490d`** — syntactically a 40-char hex SHA. Well-formed. Not in my lane. 4. **`concurrency.group` expression** (unchanged by the diff but still in scope for the file): ``` gadfly-${{ github.event.issue.number || github.event.pull_request.number || github.event.inputs.pr_number }} ``` On `pull_request` events, `github.event.issue` is absent and `github.event.pull_request.number` is the natural source. On `issue_comment`, `github.event.issue.number` exists. On `workflow_dispatch`, both `github.event.issue` and `github.event.pull_request` are null; only `github.event.inputs.pr_number` provides a number. Gitea's expression evaluator treats null as falsy, so the `||` chain falls through correctly. Not broken by the diff. 5. **`if:` actor gate** (unchanged): The `if:` short-circuits on non-`issue_comment` events (no gate), and on `issue_comment` requires the issue to actually be a PR (`github.event.issue.pull_request` truthy) AND the actor to be in the allow-list. If someone comments on a non-PR issue (just an `issue`), the gate evaluates `false && (… || … || …)` → `false`, so the job is skipped — which is the intended behavior (don't run a secret-bearing reviewer on plain issues). No silent failure, no crash. 6. **`workflow_dispatch` with empty `pr_number` input** — `pr_number` is `required: true` in the `inputs:` schema (verified at lines 18–19). Gitea enforces `required: true` at dispatch time, so an empty string can't get past the UI. Even if it could, the concurrency group expression with an empty string would just collapse runs on the same empty key. Not a defect in the changed code. 7. **Empty `with:` `allowed_users`** — explicitly set to `"steve,fizi,dazed"`, non-empty. Fine. 8. **None of the removed values had a nil/empty-collection defensive angle** — they were simple string scalars. Removing them can't introduce a "nil deref" or "empty collection" bug at the caller level; the defaults live in the callee. 9. **No new `defer`, `cleanup`, or rollback** was added or removed in this diff — there is no Go code, only YAML. There's nothing to leak, no file descriptor to close, no goroutine to cancel. Net: the diff is a pure inheritance change at the YAML caller. Nothing it adds or removes introduces a new nil/empty/overflow/boundary error path in this file. The error-handling shape of the workflow (actor gate, concurrency group, required inputs, pinned ref) is unchanged. **VERDICT: No material issues found** in the error-handling / edge-case lens. ## Review — Error handling & edge cases No material issues found in this lens. The diff is a pure inheritance change at the YAML caller — it removes a handful of `with:` string scalars (`models`, `specialists`, `provider_concurrency`, `provider_lens_concurrency`, `timeout_secs`, `max_steps`, `timeout_minutes`) and re-pins the reusable workflow to a new SHA. Verified directly in the checked-out file `.gitea/workflows/adversarial-review.yml:42-52`: - The actor gate at lines 34–39 still correctly short-circuits on non-`issue_comment` events and rejects comments on non-PR issues (`github.event.issue.pull_request` falsy ⇒ `false && …` ⇒ safe skip, no partial evaluation). - The `concurrency.group` expression at line 26 falls through `issue.number → pull_request.number → inputs.pr_number` correctly for each of the three triggers. - `workflow_dispatch.inputs.pr_number` is declared `required: true` (lines 18–19), so an empty/nil dispatch payload can't reach the job. - The new pin `@b02b11d69139843665da4cdbf776bc0b3583490d` is a syntactically valid 40-char hex SHA. - No Go code, resources, deferred cleanup, or error-swallowing paths are introduced or removed; the diff is YAML-only. Whether the inherited defaults (3-cloud swarm, 5 lenses, new timeout/step limits) are themselves adequate is a contract/correctness question that belongs to another lens. </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 2m 56s</sub>

🪰 Gadfly review — claude-code/sonnet (claude-code)

Verdict: Minor issues — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — No material issues found

No material issues found

Verified by reading .gitea/workflows/adversarial-review.yml at line 42:

  • Pin is a full 40-char commit SHA (b02b11d69139843665da4cdbf776bc0b3583490d) — not a branch or tag. An upstream push to gadfly cannot silently change the code that runs with forwarded secrets. The prior pin (20a5c43…) was likewise a full SHA; no regression here.

  • Actor gate (if:) matches allowed_users exactly. Lines 37–39 enumerate steve, fizi, dazed — identical to the allowed_users: "steve,fizi,dazed" input at line 52. The belt-and-suspenders model is intact: the gate blocks the job entirely for untrusted issue_comment actors before secrets are ever forwarded to the sub-workflow.

  • Secret forwarding is unchanged and explicit. The four secrets (OLLAMA_CLOUD_API_KEY, CLAUDE_CODE_OAUTH_TOKEN, GADFLY_FINDINGS_URL, GADFLY_FINDINGS_TOKEN) are the same set as before; nothing new is added or dropped. Least-privilege is preserved.

  • Inheriting defaults does not widen the trust surface. Because the uses: reference is SHA-pinned, gadfly's defaults are frozen at b02b11d. Any future change to gadfly's default swarm is inert until this repo re-pins.

🎯 Correctness — No material issues found

The file reads clean. Here is my verdict:


No material issues found

The change is a straightforward delegation of swarm configuration to gadfly's centrally-managed reusable workflow. Verified:

  • Actor gate / allow-list consistency (lines 37–39 vs line 52): The if: comment-gate hardcodes steve, fizi, dazed; allowed_users passes the same three names. These match exactly — no drift introduced by the removal of the other with: keys.
  • YAML structure (line 49–52): A with: block containing only a comment and a single key is valid YAML; GHA will parse it correctly.
  • Removed keys (models, specialists, provider_concurrency, provider_lens_concurrency, timeout_secs, max_steps, timeout_minutes): All were optional inputs with defaults defined in gadfly's reusable workflow. Omitting them causes the downstream defaults to apply — the intended behavior.
  • Secret forwarding (lines 44–48): OLLAMA_CLOUD_API_KEY is still forwarded; the PR description says the new default still includes cloud models, so forwarding it is correct. Extra secrets passed to a reusable workflow that doesn't declare them are silently ignored, so this is safe regardless.
  • Pin hash (line 42): The commit SHA b02b11d69139843665da4cdbf776bc0b3583490d is a full 40-character SHA — no truncation or copy-paste error detectable from within this repo.

The only thing I cannot verify from within this repo is whether the gadfly default swarm at @b02b11d truly matches the header comment's description ("3 cloud models + Claude Code sonnet/opus/opus:max, 5-lens suite") — that requires reading the external gadfly repo. But the comment is documentation, not an executable claim; the actual runtime behaviour is owned by gadfly's commit.

🧹 Code cleanliness & maintainability — No material issues found

No material issues found

The diff is a clean configuration reduction: it removes six explicit with: parameters that are now inherited from the upstream reusable workflow, updates the pin commit, and refreshes the header comment to match reality. From a cleanliness standpoint:

  • The header comment now accurately describes what the file does (a stub that holds only triggers, gate, secret forwarding, and allow-list). It's honest and concise.
  • The inline comment inside with: explains why only allowed_users remains — no implicit reasoning for a future reader.
  • The removed parameters were all dead weight once they became defaults upstream; the file is visibly simpler.
  • The minor wording fix ("this swarm uses" → "the swarm uses", line 43) is an improvement.

Nothing to flag under this lens.

Performance — No material issues found

No material issues found

This change is pure CI YAML configuration — it removes explicit swarm parameters and inherits them from gadfly's reusable workflow. Through the performance lens, there is nothing to flag:

  • Total agent work is roughly neutral. The old explicit config ran 9 models × 3 lenses = 27 combinations; the inherited default (per the PR description: 3 cloud + 3 Claude Code variants × 5 lenses) is ~30 combinations. Slightly more, but within noise for an advisory-only job.

  • provider_concurrency / provider_lens_concurrency removed. The old explicit throttle (ollama-cloud=3,claude-code=2) is gone. The inherited defaults from review-reusable.yml@b02b11d govern burst behavior instead. I cannot read the external gadfly repo to verify those defaults — but since the workflow is advisory-only and Gitea enforces platform-level queue limits, this is not a material regression.

  • timeout_minutes: 90 removed. The explicit cap on total workflow wall-time is gone. If the inherited default is longer or absent, a stuck run holds a CI slot for longer. Verified that this parameter no longer appears in the checked-out file (:52). Low impact given the advisory-only nature of the job.

No efficiency regression, unbounded growth, or missing limit rises to a blocking level here.

🧯 Error handling & edge cases — Minor issues

The removal of timeout_minutes: 90 is confirmed at line 52 — the with: block contains only allowed_users. The upstream review-reusable.yml is external and inaccessible from this repo, so the inherited default cannot be verified here. The finding is factually grounded and appropriately scoped.


Minor issues

  • timeout_minutes safety bound removed (.gitea/workflows/adversarial-review.yml, with: block at line 49–52). The previous config passed timeout_minutes: 90 as an explicit input to the reusable workflow, capping a stuck or runaway swarm at 90 minutes. The new stub omits this entirely; the with: block now contains only allowed_users. The inherited default from review-reusable.yml@b02b11d cannot be confirmed from this repository — if that default is absent or substantially larger (Gitea Actions' job-level default is 360 minutes), a hung swarm now ties up CI resources for far longer with no local guard.

    Suggested fix: either confirm (and document in a comment) the upstream default for timeout_minutes, or keep an explicit override (timeout_minutes: 90) to preserve the local safety net regardless of upstream drift.

No other material issues found. The actor gate and allowed_users list are in sync (both enumerate steve, fizi, dazed), and the secret-forwarding set is unchanged.

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 32s

<!-- gadfly-review:ollama:claude-code/sonnet --> ### 🪰 Gadfly review — `claude-code/sonnet` (claude-code) **Verdict: Minor issues** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — No material issues found</summary> **No material issues found** Verified by reading `.gitea/workflows/adversarial-review.yml` at line 42: - **Pin is a full 40-char commit SHA** (`b02b11d69139843665da4cdbf776bc0b3583490d`) — not a branch or tag. An upstream push to gadfly cannot silently change the code that runs with forwarded secrets. The prior pin (`20a5c43…`) was likewise a full SHA; no regression here. - **Actor gate (`if:`) matches `allowed_users` exactly.** Lines 37–39 enumerate `steve`, `fizi`, `dazed` — identical to the `allowed_users: "steve,fizi,dazed"` input at line 52. The belt-and-suspenders model is intact: the gate blocks the job entirely for untrusted `issue_comment` actors before secrets are ever forwarded to the sub-workflow. - **Secret forwarding is unchanged and explicit.** The four secrets (`OLLAMA_CLOUD_API_KEY`, `CLAUDE_CODE_OAUTH_TOKEN`, `GADFLY_FINDINGS_URL`, `GADFLY_FINDINGS_TOKEN`) are the same set as before; nothing new is added or dropped. Least-privilege is preserved. - **Inheriting defaults does not widen the trust surface.** Because the `uses:` reference is SHA-pinned, gadfly's defaults are frozen at `b02b11d`. Any future change to gadfly's default swarm is inert until this repo re-pins. </details> <details><summary><b>🎯 Correctness</b> — No material issues found</summary> The file reads clean. Here is my verdict: --- **No material issues found** The change is a straightforward delegation of swarm configuration to gadfly's centrally-managed reusable workflow. Verified: - **Actor gate / allow-list consistency** (lines 37–39 vs line 52): The `if:` comment-gate hardcodes `steve`, `fizi`, `dazed`; `allowed_users` passes the same three names. These match exactly — no drift introduced by the removal of the other `with:` keys. - **YAML structure** (line 49–52): A `with:` block containing only a comment and a single key is valid YAML; GHA will parse it correctly. - **Removed keys** (`models`, `specialists`, `provider_concurrency`, `provider_lens_concurrency`, `timeout_secs`, `max_steps`, `timeout_minutes`): All were optional inputs with defaults defined in gadfly's reusable workflow. Omitting them causes the downstream defaults to apply — the intended behavior. - **Secret forwarding** (lines 44–48): `OLLAMA_CLOUD_API_KEY` is still forwarded; the PR description says the new default still includes cloud models, so forwarding it is correct. Extra secrets passed to a reusable workflow that doesn't declare them are silently ignored, so this is safe regardless. - **Pin hash** (line 42): The commit SHA `b02b11d69139843665da4cdbf776bc0b3583490d` is a full 40-character SHA — no truncation or copy-paste error detectable from within this repo. The only thing I cannot verify from within this repo is whether the gadfly default swarm at `@b02b11d` truly matches the header comment's description ("3 cloud models + Claude Code sonnet/opus/opus:max, 5-lens suite") — that requires reading the external gadfly repo. But the comment is documentation, not an executable claim; the actual runtime behaviour is owned by gadfly's commit. </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — No material issues found</summary> **No material issues found** The diff is a clean configuration reduction: it removes six explicit `with:` parameters that are now inherited from the upstream reusable workflow, updates the pin commit, and refreshes the header comment to match reality. From a cleanliness standpoint: - The header comment now accurately describes what the file does (a stub that holds only triggers, gate, secret forwarding, and allow-list). It's honest and concise. - The inline comment inside `with:` explains why only `allowed_users` remains — no implicit reasoning for a future reader. - The removed parameters were all dead weight once they became defaults upstream; the file is visibly simpler. - The minor wording fix ("this swarm uses" → "the swarm uses", line 43) is an improvement. Nothing to flag under this lens. </details> <details><summary><b>⚡ Performance</b> — No material issues found</summary> **No material issues found** This change is pure CI YAML configuration — it removes explicit swarm parameters and inherits them from gadfly's reusable workflow. Through the performance lens, there is nothing to flag: - **Total agent work is roughly neutral.** The old explicit config ran 9 models × 3 lenses = 27 combinations; the inherited default (per the PR description: 3 cloud + 3 Claude Code variants × 5 lenses) is ~30 combinations. Slightly more, but within noise for an advisory-only job. - **`provider_concurrency` / `provider_lens_concurrency` removed.** The old explicit throttle (`ollama-cloud=3,claude-code=2`) is gone. The inherited defaults from `review-reusable.yml@b02b11d` govern burst behavior instead. I cannot read the external gadfly repo to verify those defaults — but since the workflow is advisory-only and Gitea enforces platform-level queue limits, this is not a material regression. - **`timeout_minutes: 90` removed.** The explicit cap on total workflow wall-time is gone. If the inherited default is longer or absent, a stuck run holds a CI slot for longer. Verified that this parameter no longer appears in the checked-out file (`:52`). Low impact given the advisory-only nature of the job. No efficiency regression, unbounded growth, or missing limit rises to a blocking level here. </details> <details><summary><b>🧯 Error handling & edge cases</b> — Minor issues</summary> The removal of `timeout_minutes: 90` is confirmed at line 52 — the `with:` block contains only `allowed_users`. The upstream `review-reusable.yml` is external and inaccessible from this repo, so the inherited default cannot be verified here. The finding is factually grounded and appropriately scoped. --- **Minor issues** - **`timeout_minutes` safety bound removed** (`.gitea/workflows/adversarial-review.yml`, `with:` block at line 49–52). The previous config passed `timeout_minutes: 90` as an explicit input to the reusable workflow, capping a stuck or runaway swarm at 90 minutes. The new stub omits this entirely; the `with:` block now contains only `allowed_users`. The inherited default from `review-reusable.yml@b02b11d` cannot be confirmed from this repository — if that default is absent or substantially larger (Gitea Actions' job-level default is 360 minutes), a hung swarm now ties up CI resources for far longer with no local guard. Suggested fix: either confirm (and document in a comment) the upstream default for `timeout_minutes`, or keep an explicit override (`timeout_minutes: 90`) to preserve the local safety net regardless of upstream drift. No other material issues found. The actor gate and `allowed_users` list are in sync (both enumerate `steve`, `fizi`, `dazed`), and the secret-forwarding set is unchanged. </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 32s</sub>

🪰 Gadfly review — deepseek-v4-pro:cloud (ollama-cloud)

Verdict: No material issues found — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — No material issues found

Verdict: No material issues found

  • Commit pinning is preserved. The reusable workflow remains pinned to a full immutable SHA (@b02b11d…), so a push to steve/gadfly cannot silently change the code that runs with forwarded secrets. The old pin (@20a5c43…) is simply rotated to the new commit — no regression.

  • Actor gate unchanged. The if: condition still restricts issue_comment-triggered runs to the same three usernames (steve, fizi, dazed), and the allowed_users input mirrors it. No new actors can trigger a secret-bearing run.

  • Secret forwarding unchanged. The same four secrets (OLLAMA_CLOUD_API_KEY, CLAUDE_CODE_OAUTH_TOKEN, GADFLY_FINDINGS_URL, GADFLY_FINDINGS_TOKEN) are forwarded — no additions, no removals. The "least privilege" comment remains accurate.

  • Inheriting defaults does not expand the trust boundary. The removed with: parameters (models, specialists, concurrency, timeouts) are now inherited from the reusable workflow's defaults at the pinned commit. The consumer already trusts the reusable workflow's code; inheriting its defaults does not introduce a new trust relationship or expose secrets to a new path. The defaults are immutable for that commit.

  • No injection surface. The only consumer-supplied input (allowed_users) is a hardcoded literal string of usernames, not derived from any attacker-controllable source.

🎯 Correctness — No material issues found

No material issues found.

The change is a straightforward consumer-side cleanup: remove explicit with: inputs and rely on defaults from a newly-pinned version of the external reusable workflow. Everything I can verify locally checks out:

  • Actor gate ↔ allowed_users consistency (verified by reading .gitea/workflows/adversarial-review.yml:34-39,52): the if: condition gates on steve, fizi, dazed — exactly the same set passed as allowed_users. No drift.
  • Secrets match the new swarm profile (verified by reading the file): OLLAMA_CLOUD_API_KEY + CLAUDE_CODE_OAUTH_TOKEN cover the "3 cloud + Claude Code" default described in the PR. The findings secrets are unchanged.
  • No stale references to removed inputs (verified via grep): the removed parameters (timeout_secs, max_steps, provider_concurrency, etc.) are not referenced elsewhere in this repo's workflow or config in a way that would break.

One unverified concern (cannot check — the reusable workflow lives in steve/gadfly, outside this repo): if any of the seven removed with: inputs (models, specialists, provider_concurrency, provider_lens_concurrency, timeout_secs, max_steps, timeout_minutes) lack a default in the new pinned commit b02b11d, the workflow will fail at runtime with a missing-input error. The PR description states these were centralized as defaults in steve/gadfly#10, but I have no tool access to confirm that the pinned commit actually contains those defaults.

🧹 Code cleanliness & maintainability — No material issues found

No material issues found.

The diff is clean and well-scoped. It removes ~8 lines of explicit swarm configuration that duplicated the reusable workflow's defaults, updates the comment block to accurately describe what's now inherited, and leaves only the consumer-specific allowed_users in with:. No dead code, no confusing names, no leaky abstractions introduced.

The one pre-existing maintainability wart — the if: actor gate (lines 36-39) hardcoding the same three usernames as allowed_users (line 52) — is already documented by the comment on line 33 ("belt-and-suspenders") and is not made worse by this PR. If anything, the PR makes the file easier to maintain going forward since swarm changes now happen in one place (gadfly's review-reusable.yml) rather than needing a synchronized edit here.

Performance — No material issues found

No material issues found

The diff is a pure CI workflow configuration change that removes explicit swarm parameters in favor of inherited defaults. From a performance lens:

  • Fewer cloud models: drops from 6 cloud models to 3, reducing total cloud API review passes (old: 6×3 lenses = 18; new: 3×5 lenses = 15). This is a net reduction in cloud inference work.
  • Concurrency and timeouts are now inherited: I cannot verify the upstream defaults (they live in steve/gadfly/.gitea/workflows/review-reusable.yml, outside this repo), so I can't confirm whether the inherited provider_concurrency, timeout_secs, or timeout_minutes differ materially from the removed values. The PR description frames this as a deliberate centralization, and the removed values (ollama-cloud=3, timeout_secs=600, timeout_minutes=90) are unremarkable — no obvious risk of a hidden regression.
  • No N+1, allocation, hot-loop, or unbounded-growth concerns — this is a workflow YAML, not application code.

Nothing in this change raises a concrete, verifiable performance concern.

🧯 Error handling & edge cases — No material issues found

Verdict: No material issues found

The diff is a pure configuration simplification — it removes explicit with: parameters in favor of defaults inherited from the upstream reusable workflow. From an error-handling & edge-cases perspective:

  • No new error paths introduced. The change removes parameters; it doesn't add logic, conditionals, or code that could fail.
  • No swallowed errors. There's no error handling to get wrong here — it's a YAML workflow declaration.
  • No nil/empty/zero/negative edge cases. The removed parameters (models, specialists, timeout_secs, max_steps, timeout_minutes, etc.) are now supplied by the reusable workflow's defaults rather than being explicitly set. If those defaults were missing or invalid, the failure would surface as a workflow load/run error in the external repo — not a silent degradation here.
  • Secrets forwarding unchanged. Same four secrets, same Least privilege pattern.
  • Actor gate unchanged. The if: block and allowed_users list are untouched; any pre-existing divergence risk between them is not introduced by this diff.

The one operational shift — timeout_minutes: 90 being removed and falling back to the reusable workflow's (or the platform's) default — is an intentional centralization, not an oversight. If the inherited default is substantially longer, a hung job would burn more runner minutes, but that's a resource/governance concern outside this lens.

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 7s

<!-- gadfly-review:ollama:deepseek-v4-pro:cloud --> ### 🪰 Gadfly review — `deepseek-v4-pro:cloud` (ollama-cloud) **Verdict: No material issues found** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — No material issues found</summary> ## Verdict: No material issues found - **Commit pinning is preserved.** The reusable workflow remains pinned to a full immutable SHA (`@b02b11d…`), so a push to `steve/gadfly` cannot silently change the code that runs with forwarded secrets. The old pin (`@20a5c43…`) is simply rotated to the new commit — no regression. - **Actor gate unchanged.** The `if:` condition still restricts `issue_comment`-triggered runs to the same three usernames (`steve`, `fizi`, `dazed`), and the `allowed_users` input mirrors it. No new actors can trigger a secret-bearing run. - **Secret forwarding unchanged.** The same four secrets (`OLLAMA_CLOUD_API_KEY`, `CLAUDE_CODE_OAUTH_TOKEN`, `GADFLY_FINDINGS_URL`, `GADFLY_FINDINGS_TOKEN`) are forwarded — no additions, no removals. The "least privilege" comment remains accurate. - **Inheriting defaults does not expand the trust boundary.** The removed `with:` parameters (`models`, `specialists`, concurrency, timeouts) are now inherited from the reusable workflow's defaults at the pinned commit. The consumer already trusts the reusable workflow's code; inheriting its defaults does not introduce a new trust relationship or expose secrets to a new path. The defaults are immutable for that commit. - **No injection surface.** The only consumer-supplied input (`allowed_users`) is a hardcoded literal string of usernames, not derived from any attacker-controllable source. </details> <details><summary><b>🎯 Correctness</b> — No material issues found</summary> No material issues found. The change is a straightforward consumer-side cleanup: remove explicit `with:` inputs and rely on defaults from a newly-pinned version of the external reusable workflow. Everything I can verify locally checks out: - **Actor gate ↔ `allowed_users` consistency** (verified by reading `.gitea/workflows/adversarial-review.yml:34-39,52`): the `if:` condition gates on `steve`, `fizi`, `dazed` — exactly the same set passed as `allowed_users`. No drift. - **Secrets match the new swarm profile** (verified by reading the file): `OLLAMA_CLOUD_API_KEY` + `CLAUDE_CODE_OAUTH_TOKEN` cover the "3 cloud + Claude Code" default described in the PR. The findings secrets are unchanged. - **No stale references to removed inputs** (verified via `grep`): the removed parameters (`timeout_secs`, `max_steps`, `provider_concurrency`, etc.) are not referenced elsewhere in this repo's workflow or config in a way that would break. **One unverified concern** (cannot check — the reusable workflow lives in `steve/gadfly`, outside this repo): if any of the seven removed `with:` inputs (`models`, `specialists`, `provider_concurrency`, `provider_lens_concurrency`, `timeout_secs`, `max_steps`, `timeout_minutes`) lack a default in the new pinned commit `b02b11d`, the workflow will fail at runtime with a missing-input error. The PR description states these were centralized as defaults in steve/gadfly#10, but I have no tool access to confirm that the pinned commit actually contains those defaults. </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — No material issues found</summary> **No material issues found.** The diff is clean and well-scoped. It removes ~8 lines of explicit swarm configuration that duplicated the reusable workflow's defaults, updates the comment block to accurately describe what's now inherited, and leaves only the consumer-specific `allowed_users` in `with:`. No dead code, no confusing names, no leaky abstractions introduced. The one pre-existing maintainability wart — the `if:` actor gate (lines 36-39) hardcoding the same three usernames as `allowed_users` (line 52) — is already documented by the comment on line 33 ("belt-and-suspenders") and is not made worse by this PR. If anything, the PR makes the file easier to maintain going forward since swarm changes now happen in one place (gadfly's `review-reusable.yml`) rather than needing a synchronized edit here. </details> <details><summary><b>⚡ Performance</b> — No material issues found</summary> **No material issues found** The diff is a pure CI workflow configuration change that removes explicit swarm parameters in favor of inherited defaults. From a performance lens: - **Fewer cloud models**: drops from 6 cloud models to 3, reducing total cloud API review passes (old: 6×3 lenses = 18; new: 3×5 lenses = 15). This is a net reduction in cloud inference work. - **Concurrency and timeouts are now inherited**: I cannot verify the upstream defaults (they live in `steve/gadfly/.gitea/workflows/review-reusable.yml`, outside this repo), so I can't confirm whether the inherited `provider_concurrency`, `timeout_secs`, or `timeout_minutes` differ materially from the removed values. The PR description frames this as a deliberate centralization, and the removed values (`ollama-cloud=3`, `timeout_secs=600`, `timeout_minutes=90`) are unremarkable — no obvious risk of a hidden regression. - **No N+1, allocation, hot-loop, or unbounded-growth concerns** — this is a workflow YAML, not application code. Nothing in this change raises a concrete, verifiable performance concern. </details> <details><summary><b>🧯 Error handling & edge cases</b> — No material issues found</summary> ## Verdict: No material issues found The diff is a pure configuration simplification — it removes explicit `with:` parameters in favor of defaults inherited from the upstream reusable workflow. From an error-handling & edge-cases perspective: - **No new error paths introduced.** The change removes parameters; it doesn't add logic, conditionals, or code that could fail. - **No swallowed errors.** There's no error handling to get wrong here — it's a YAML workflow declaration. - **No nil/empty/zero/negative edge cases.** The removed parameters (`models`, `specialists`, `timeout_secs`, `max_steps`, `timeout_minutes`, etc.) are now supplied by the reusable workflow's defaults rather than being explicitly set. If those defaults were missing or invalid, the failure would surface as a workflow load/run error in the external repo — not a silent degradation here. - **Secrets forwarding unchanged.** Same four secrets, same `Least privilege` pattern. - **Actor gate unchanged.** The `if:` block and `allowed_users` list are untouched; any pre-existing divergence risk between them is not introduced by this diff. The one operational shift — `timeout_minutes: 90` being removed and falling back to the reusable workflow's (or the platform's) default — is an intentional centralization, not an oversight. If the inherited default is substantially longer, a hung job would burn more runner minutes, but that's a resource/governance concern outside this lens. </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 7s</sub>

🪰 Gadfly review — glm-5.2:cloud (ollama-cloud)

Verdict: No material issues found — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — No material issues found

No material issues found

  • Verified the final file at .gitea/workflows/adversarial-review.yml:1-52. The security-relevant controls are all preserved across the change:
    • Immutable commit pin (adversarial-review.yml:42): re-pinned from 20a5c43… to b02b11d…, and the comment at :40-41 still correctly documents that it's pinned to an immutable commit (not @main) so a push to steve/gadfly cannot silently alter the code that runs with forwarded secrets. Inheriting defaults from the reusable workflow is safe precisely because of this pin — the default swarm is frozen at the pinned commit, not subject to a mutable ref.
    • Secret forwarding scope (adversarial-review.yml:44-48): unchanged and still least-privilege — only OLLAMA_CLOUD_API_KEY, CLAUDE_CODE_OAUTH_TOKEN, GADFLY_FINDINGS_URL, GADFLY_FINDINGS_TOKEN are forwarded. No new secrets are exposed by dropping the explicit with: model block, and removing those inputs doesn't widen the secret surface (the forwarded set is independent of the models/specialists/concurrency inputs).
    • Actor gate (adversarial-review.yml:34-39): unchanged — issue_comment triggers remain restricted to steve/fizi/dazed, and allowed_users (:52) is unchanged as the in-container belt-and-suspenders check.
  • I could not open steve/gadfly's review-reusable.yml@b02b11d… (it lives in the external gadfly repo, not vendored into this checkout, and find_files/grep confirm no copy exists here), so I could not independently confirm the inherited default swarm only ever uses the four forwarded secrets. That is a trust boundary inherent to consuming a reusable workflow, but it's gated by the immutable pin and is outside what this repo's diff can establish — flagging as unverified rather than a defect.
🎯 Correctness — No material issues found

VERDICT: No material issues found

The change is entirely within .gitea/workflows/adversarial-review.yml and is a consumer stub for an external reusable workflow (steve/gadfly/.gitea/workflows/review-reusable.yml). I reviewed it through the correctness lens:

  • YAML structure is valid: uses: pin updated to @b02b11d…, secrets: forwarding unchanged, with: now contains only allowed_users.
  • The actor gate (if:) still matches the allowed_users list exactly (steve, fizi, dazed), so the belt-and-suspenders check remains self-consistent.
  • The concurrency group, permissions, and triggers are untouched and remain correct.

One caveat (unverified, outside this repo): the correctness of inheriting the swarm depends on the reusable workflow at @b02b11d declaring defaults for models, specialists, provider_concurrency, provider_lens_concurrency, timeout_secs, max_steps, and timeout_minutes. That file lives in the steve/gadfly repo, which is not present in this checkout, so I could not confirm those defaults exist. If any of those is a required with input without a default, the run would fail — but this is a cross-repo concern not verifiable with the tools available here, and it is exactly the migration the PR description asserts was done in gadfly#10.

Verified by reading .gitea/workflows/adversarial-review.yml in full and confirming no other local files reference the reusable workflow's inputs.

🧹 Code cleanliness & maintainability — No material issues found

Verdict: No material issues found

Through the code-cleanliness lens, this change is a straightforward simplification: it removes 6 explicit with: overrides and relies on the reusable workflow's defaults, leaving only the consumer-specific allowed_users. The header comment was correctly updated to match the new behavior (3 cloud + Claude Code, 5 lenses) rather than the stale "6 cloud models / 3-lens" description. The remaining file is well-structured — comments are accurate, the least-privilege secret-forwarding rationale is retained, and the pin rationale stays consistent with the repin. No dead code, no duplication, no leaky abstractions introduced.

Performance — No material issues found

Verdict: No material issues found

The diff is a CI-config change that trims an explicit with: swarm block down to allowed_users and re-pins the reusable workflow to a new immutable commit. From a performance lens:

  • Removing explicit models/specialists/provider_concurrency and inheriting the upstream default is neutral-to-positive: the caller no longer overrides concurrency caps, so whatever the reusable workflow declares is used. No new unbounded work, N+1 patterns, or hot-path allocations are introduced — this file just delegates to a pinned external workflow.
  • The only retained consumer-specific input is allowed_users (a static string), so no per-run growth or repeated parsing concern.
  • I cannot read steve/gadfly's review-reusable.yml@b02b11d… from this checkout to verify the inherited default's concurrency/timeout bounds, so any claim about them would be unverified; but this PR does not introduce the regressions — it merely stops overriding values it previously set. The performance characteristics are determined by the pinned upstream commit, which is itself pinned for reviewability.

Outside my lens: the commit-pin change (@20a5c43…@b02b11d…) is a supply-chain/trust concern, not a performance one.

No blocking, minor, or material performance issues in this change.

🧯 Error handling & edge cases — No material issues found

VERDICT: No material issues found

Through the error-handling / edge-case lens, this diff is benign:

  • The actor gate (lines 34-39) and concurrency group (line 26) are unchanged by the diff; their nil/empty handling (github.event.issue.pull_request truthiness guard before actor access; || fallthrough chain for the concurrency key) is pre-existing and not regressed.
  • The diff only removes with: inputs (models, specials, timeout_secs, max_steps, timeout_minutes) and forwards defaults from the pinned reusable workflow. The one edge case worth noting — whether the pinned steve/gadfly@b02b11d reusable workflow defines a default timeout_minutes / timeout_secs such that omitting it doesn't leave a hung run with no outer cap — lives in the external steve/gadfly repo, which I cannot inspect with my read-only tools over this checked-out repository. I verified there is no job-level timeout-minutes here in either the old or new version (it was a with: input passed to the reusable workflow, not a Gitea job property), so the removal is purely "stop forwarding this input" and its handling is the reusable's responsibility. Cannot confirm a regression without access to that repo; flagging as unverified rather than asserting.
  • Secret forwarding is unchanged; no new swallowed-error or missing-cleanup path is introduced. allowed_users remains the only consumer-specific with: input, so no empty-collection edge arises from the trim.

No error-handling or edge-case issue in this repository's code is introduced by the diff.

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 0s

<!-- gadfly-review:ollama:glm-5.2:cloud --> ### 🪰 Gadfly review — `glm-5.2:cloud` (ollama-cloud) **Verdict: No material issues found** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — No material issues found</summary> No material issues found - Verified the final file at `.gitea/workflows/adversarial-review.yml:1-52`. The security-relevant controls are all preserved across the change: - **Immutable commit pin** (`adversarial-review.yml:42`): re-pinned from `20a5c43…` to `b02b11d…`, and the comment at `:40-41` still correctly documents that it's pinned to an immutable commit (not `@main`) so a push to `steve/gadfly` cannot silently alter the code that runs with forwarded secrets. Inheriting defaults from the reusable workflow is safe precisely *because* of this pin — the default swarm is frozen at the pinned commit, not subject to a mutable ref. - **Secret forwarding scope** (`adversarial-review.yml:44-48`): unchanged and still least-privilege — only `OLLAMA_CLOUD_API_KEY`, `CLAUDE_CODE_OAUTH_TOKEN`, `GADFLY_FINDINGS_URL`, `GADFLY_FINDINGS_TOKEN` are forwarded. No new secrets are exposed by dropping the explicit `with:` model block, and removing those inputs doesn't widen the secret surface (the forwarded set is independent of the `models`/`specialists`/concurrency inputs). - **Actor gate** (`adversarial-review.yml:34-39`): unchanged — `issue_comment` triggers remain restricted to `steve`/`fizi`/`dazed`, and `allowed_users` (`:52`) is unchanged as the in-container belt-and-suspenders check. - I could not open `steve/gadfly`'s `review-reusable.yml@b02b11d…` (it lives in the external gadfly repo, not vendored into this checkout, and `find_files`/`grep` confirm no copy exists here), so I could not independently confirm the inherited default swarm only ever uses the four forwarded secrets. That is a trust boundary inherent to consuming a reusable workflow, but it's gated by the immutable pin and is outside what this repo's diff can establish — flagging as unverified rather than a defect. </details> <details><summary><b>🎯 Correctness</b> — No material issues found</summary> VERDICT: No material issues found The change is entirely within `.gitea/workflows/adversarial-review.yml` and is a consumer stub for an external reusable workflow (`steve/gadfly/.gitea/workflows/review-reusable.yml`). I reviewed it through the correctness lens: - YAML structure is valid: `uses:` pin updated to `@b02b11d…`, `secrets:` forwarding unchanged, `with:` now contains only `allowed_users`. - The actor gate (`if:`) still matches the `allowed_users` list exactly (`steve`, `fizi`, `dazed`), so the belt-and-suspenders check remains self-consistent. - The concurrency group, permissions, and triggers are untouched and remain correct. One caveat (unverified, outside this repo): the correctness of inheriting the swarm depends on the reusable workflow at `@b02b11d` declaring defaults for `models`, `specialists`, `provider_concurrency`, `provider_lens_concurrency`, `timeout_secs`, `max_steps`, and `timeout_minutes`. That file lives in the `steve/gadfly` repo, which is not present in this checkout, so I could not confirm those defaults exist. If any of those is a *required* `with` input without a default, the run would fail — but this is a cross-repo concern not verifiable with the tools available here, and it is exactly the migration the PR description asserts was done in gadfly#10. Verified by reading `.gitea/workflows/adversarial-review.yml` in full and confirming no other local files reference the reusable workflow's inputs. </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — No material issues found</summary> **Verdict: No material issues found** Through the code-cleanliness lens, this change is a straightforward simplification: it removes 6 explicit `with:` overrides and relies on the reusable workflow's defaults, leaving only the consumer-specific `allowed_users`. The header comment was correctly updated to match the new behavior (3 cloud + Claude Code, 5 lenses) rather than the stale "6 cloud models / 3-lens" description. The remaining file is well-structured — comments are accurate, the least-privilege secret-forwarding rationale is retained, and the pin rationale stays consistent with the repin. No dead code, no duplication, no leaky abstractions introduced. </details> <details><summary><b>⚡ Performance</b> — No material issues found</summary> **Verdict: No material issues found** The diff is a CI-config change that trims an explicit `with:` swarm block down to `allowed_users` and re-pins the reusable workflow to a new immutable commit. From a performance lens: - Removing explicit `models`/`specialists`/`provider_concurrency` and inheriting the upstream default is neutral-to-positive: the caller no longer overrides concurrency caps, so whatever the reusable workflow declares is used. No new unbounded work, N+1 patterns, or hot-path allocations are introduced — this file just delegates to a pinned external workflow. - The only retained consumer-specific input is `allowed_users` (a static string), so no per-run growth or repeated parsing concern. - I cannot read `steve/gadfly`'s `review-reusable.yml@b02b11d…` from this checkout to verify the inherited default's concurrency/timeout bounds, so any claim about them would be unverified; but this PR does not introduce the regressions — it merely stops overriding values it previously set. The performance characteristics are determined by the pinned upstream commit, which is itself pinned for reviewability. Outside my lens: the commit-pin change (`@20a5c43…` → `@b02b11d…`) is a supply-chain/trust concern, not a performance one. No blocking, minor, or material performance issues in this change. </details> <details><summary><b>🧯 Error handling & edge cases</b> — No material issues found</summary> VERDICT: No material issues found Through the error-handling / edge-case lens, this diff is benign: - The actor gate (lines 34-39) and concurrency group (line 26) are unchanged by the diff; their nil/empty handling (`github.event.issue.pull_request` truthiness guard before actor access; `||` fallthrough chain for the concurrency key) is pre-existing and not regressed. - The diff only removes `with:` inputs (`models`, `specials`, `timeout_secs`, `max_steps`, `timeout_minutes`) and forwards defaults from the pinned reusable workflow. The one edge case worth noting — whether the pinned `steve/gadfly@b02b11d` reusable workflow defines a default `timeout_minutes` / `timeout_secs` such that omitting it doesn't leave a hung run with no outer cap — lives in the external `steve/gadfly` repo, which I cannot inspect with my read-only tools over this checked-out repository. I verified there is no job-level `timeout-minutes` here in either the old or new version (it was a `with:` input passed *to* the reusable workflow, not a Gitea job property), so the removal is purely "stop forwarding this input" and its handling is the reusable's responsibility. Cannot confirm a regression without access to that repo; flagging as unverified rather than asserting. - Secret forwarding is unchanged; no new swallowed-error or missing-cleanup path is introduced. `allowed_users` remains the only consumer-specific `with:` input, so no empty-collection edge arises from the trim. No error-handling or edge-case issue in this repository's code is introduced by the diff. </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 0s</sub>

🪰 Gadfly review — claude-code/opus (claude-code)

Verdict: Minor issues — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — No material issues found

This is a CI workflow config change, reviewed through the Security lens. The diff only re-pins the reusable-workflow SHA, removes the explicit swarm config (inheriting gadfly's defaults), and rewords comments. I verified the full file at its checked-out state.

VERDICT: No material issues found

Security-relevant properties I checked, all preserved by this diff:

  • Supply-chain pin intact (.gitea/workflows/adversarial-review.yml:42). The uses: still references a full 40-hex-char immutable commit SHA (b02b11d6…3583490d), not @main or a mutable tag. This is the load-bearing protection — secrets are forwarded to frozen third-party workflow code. Inheriting gadfly's "default swarm" does not weaken this: the default is resolved at the pinned commit, so it cannot change under our feet without a future re-pin PR like this one. Verified by reading the line and counting the SHA length.

  • Secret forwarding unchanged and still least-privilege (:44-48). The same four secrets are forwarded as before; removing the with: model/concurrency block does not broaden secret exposure. Narrowing 6→3 cloud models reduces, not increases, consumers of OLLAMA_CLOUD_API_KEY. No secret is interpolated into a shell/run: context, so no leakage path is introduced.

  • Actor gate untouched and consistent (:34-39, :52). The issue_comment trust gate (steve/fizi/dazed) and the allowed_users belt-and-suspenders input are not modified by this diff and remain in sync. The diff does not alter triggers, permissions:, or the gate logic.

Residual trust assumption (not a finding, and inherent to the design): the content of the inherited default swarm and how gadfly consumes the four forwarded secrets live in the external steve/gadfly repo at b02b11d, which is outside this checkout and therefore not verifiable from here. The immutable pin is the correct and intended mitigation for that boundary, and it is in place.

Outside my lens: the if: gate exempts pull_request/workflow_dispatch from the actor allow-list (only issue_comment is gated) — but that logic is pre-existing and unchanged by this diff, so it's not introduced here.

🎯 Correctness — No material issues found

The file is valid YAML and internally consistent. Within my Correctness lens, here's my assessment.

What I verified:

  • Read the full checked-out .gitea/workflows/adversarial-review.yml. The diff applied cleanly: the with: block now contains only allowed_users, and the uses: pin is @b02b11d…. YAML is well-formed (no dangling keys, with: still has a valid child).
  • The actor gate (adversarial-review.yml:34-39) hardcodes steve/fizi/dazed, which is consistent with the retained allowed_users: "steve,fizi,dazed" (line 52) — no mismatch introduced.
  • OLLAMA_CLOUD_API_KEY is still forwarded (line 45), consistent with a swarm that still includes cloud models per the new comment. No now-orphaned or now-missing secret evident from what's reviewable here.

What I could not verify (out of reach, not a defect I can confirm):

  • The core premise — that the removed inputs (models, specialists, provider_concurrency, provider_lens_concurrency, timeout_secs, max_steps, timeout_minutes) are genuinely supplied as defaults by steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d… — lives in an external repo at a pinned commit not present in this checkout. I cannot confirm those defaults exist or that their values equal the previous explicit ones. If gadfly#10 did not default one of these (or renamed allowed_users), the run would silently change behavior or fail input validation. This is the only real correctness risk, and it is unverifiable from here.
  • Likewise the comment's factual claims ("3 cloud models + Claude Code sonnet/opus/opus:max, 5-lens suite", lines 1-2) describe the remote default; I can't confirm they match what @b02b11d actually defines.

The change is config-only, advisory, and internally coherent. The behavioral correctness hinges entirely on the pinned gadfly commit's defaults, which is by design (centralization) but is the spot to double-check before merge.


VERDICT: No material issues found

  • No logic or semantic-correctness defect is present in the reviewable diff: YAML is valid, the retained allow-list matches the actor gate, and the forwarded secrets remain consistent with a cloud+Claude-Code swarm (verified by reading adversarial-review.yml:34-52).
  • One unverifiable dependency (not a confirmed finding): correctness now relies on review-reusable.yml@b02b11d… actually defaulting every removed input to the intended values. Worth confirming against that gadfly commit before merge, but it is outside what these repo tools can reach.
🧹 Code cleanliness & maintainability — Minor issues

I've verified the draft against the actual file. Both findings accurately describe the file's content — the header comment at lines 1-5 does hardcode a specific snapshot of gadfly's swarm ("3 cloud models + Claude Code sonnet/opus/opus:max, 5-lens suite") while the change's stated purpose is to inherit that centrally, and the inline comment at 50-51 generically restates the same "inherit the default swarm" point.

VERDICT: Minor issues

  • .gitea/workflows/adversarial-review.yml:1-5 — the header comment re-enumerates the very swarm details the PR set out to stop hardcoding. The point of this change (per the inline comment at lines 50-51) is that the model fleet and lens suite now live centrally in gadfly and are inherited, so this repo no longer tracks them. But the header comment hardcodes "3 cloud models + Claude Code sonnet/opus/opus:max, 5-lens suite" — a snapshot of gadfly's current default. When gadfly edits its default, this comment silently goes stale and nothing in this repo flags it, reintroducing the drift the change is trying to eliminate. Low-churn fix: make the header generic like the inline comment already is (e.g. "INHERITS its default swarm — models + lenses defined in gadfly's review-reusable.yml") and drop the enumerated specifics.

  • adversarial-review.yml:1-5 and :50-51 — two comments now redundantly explain the same "inherit the default swarm" point. Minor; once the header is made generic per above, the inline comment at 50-51 largely repeats it. Consider trimming one so there's a single source of truth for the "why" in this file.

Performance — No material issues found

VERDICT: No material issues found

This is a CI workflow config change that removes the explicit swarm parameters (models, specialists, provider_concurrency, provider_lens_concurrency, timeout_secs, max_steps, timeout_minutes) so the caller inherits gadfly's reusable-workflow defaults. There is no application code or hot path here to regress.

Through the Performance lens specifically:

  • Concurrency control is intact and correct. adversarial-review.yml:25-27 keeps a concurrency group keyed on the PR number with cancel-in-progress: true, so superseded runs are still cancelled — no stacked/duplicate swarm runs piling up. The diff doesn't touch this.
  • Removed timeout_minutes: 90 (caller-side job cap) is not a perf regression I can substantiate. The previous timeout_secs: 600 was also removed and is now inherited, so run-bounding moves into the reusable workflow rather than disappearing. The reusable workflow (steve/gadfly@b02b11d…/review-reusable.yml) lives in another repo and is not present in this checkout (grep/find for review-reusable returns nothing local), so I cannot confirm the inherited timeout value — but I have no basis to claim the bound was dropped, only relocated.
  • Compute envelope shifts but is intentional and not a regression in this repo's lane. Per the description the swarm goes 6-cloud/3-lens → 3-cloud + Claude Code/5-lens. Whether that nets to more or less work depends entirely on the inherited defaults I can't see; either way it's a deliberate central-config decision, not avoidable work this diff introduces.

Nothing in my lens (N+1, allocations, hot-loop work, unbounded growth, blocking calls, quadratic behavior) is applicable to a pure config-inheritance change. Clean from a performance standpoint.

🧯 Error handling & edge cases — No material issues found

VERDICT: No material issues found

This is a declarative Gitea Actions config change: it re-pins the reusable-workflow ref (@20a5c43 → @b02b11d) and deletes six with: inputs (models, specialists, provider_concurrency, provider_lens_concurrency, timeout_secs, max_steps, plus timeout_minutes) so they inherit the reusable workflow's defaults. I read the full file (.gitea/workflows/adversarial-review.yml:1-53) and confirmed the diff is the only change in the working tree against HEAD; the remaining if: gate, secret forwarding, and allowed_users are untouched and internally consistent.

Through the error-handling & edge-cases lens there is nothing to flag:

  • No code paths, error returns, cleanup/rollback, or nil/empty/boundary handling are introduced or removed — this is pure CI wiring.
  • The actor gate (adversarial-review.yml:34-39) and concurrency key (:26) are unchanged; the ||/&& short-circuit logic and the github.event.issue.number || ... || inputs.pr_number fallback chain are not modified by this PR.

One adjacent observation, explicitly unverified and outside my lane (it's a config/correctness concern, not error-handling, and I cannot check it because review-reusable.yml lives in the external steve/gadfly repo, not this checkout): deleting timeout_secs/max_steps/timeout_minutes means run-bounding now relies entirely on defaults defined in commit b02b11d. If that commit does not actually set those defaults, runs could be unbounded. The PR description asserts the defaults exist post-#10; that claim is not verifiable from this repository alone. Worth a one-time confirmation, but not a blocking issue in my lens.

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 10s

<!-- gadfly-review:ollama:claude-code/opus --> ### 🪰 Gadfly review — `claude-code/opus` (claude-code) **Verdict: Minor issues** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — No material issues found</summary> This is a CI workflow config change, reviewed through the Security lens. The diff only re-pins the reusable-workflow SHA, removes the explicit swarm config (inheriting gadfly's defaults), and rewords comments. I verified the full file at its checked-out state. ## VERDICT: No material issues found Security-relevant properties I checked, all preserved by this diff: - **Supply-chain pin intact** (`.gitea/workflows/adversarial-review.yml:42`). The `uses:` still references a full 40-hex-char immutable commit SHA (`b02b11d6…3583490d`), not `@main` or a mutable tag. This is the load-bearing protection — secrets are forwarded to *frozen* third-party workflow code. Inheriting gadfly's "default swarm" does **not** weaken this: the default is resolved at the pinned commit, so it cannot change under our feet without a future re-pin PR like this one. Verified by reading the line and counting the SHA length. - **Secret forwarding unchanged and still least-privilege** (`:44-48`). The same four secrets are forwarded as before; removing the `with:` model/concurrency block does not broaden secret exposure. Narrowing 6→3 cloud models reduces, not increases, consumers of `OLLAMA_CLOUD_API_KEY`. No secret is interpolated into a shell/`run:` context, so no leakage path is introduced. - **Actor gate untouched and consistent** (`:34-39`, `:52`). The `issue_comment` trust gate (steve/fizi/dazed) and the `allowed_users` belt-and-suspenders input are not modified by this diff and remain in sync. The diff does not alter triggers, `permissions:`, or the gate logic. Residual trust assumption (not a finding, and inherent to the design): the *content* of the inherited default swarm and how gadfly consumes the four forwarded secrets live in the external `steve/gadfly` repo at `b02b11d`, which is outside this checkout and therefore not verifiable from here. The immutable pin is the correct and intended mitigation for that boundary, and it is in place. Outside my lens: the `if:` gate exempts `pull_request`/`workflow_dispatch` from the actor allow-list (only `issue_comment` is gated) — but that logic is pre-existing and unchanged by this diff, so it's not introduced here. </details> <details><summary><b>🎯 Correctness</b> — No material issues found</summary> The file is valid YAML and internally consistent. Within my **Correctness** lens, here's my assessment. What I verified: - Read the full checked-out `.gitea/workflows/adversarial-review.yml`. The diff applied cleanly: the `with:` block now contains only `allowed_users`, and the `uses:` pin is `@b02b11d…`. YAML is well-formed (no dangling keys, `with:` still has a valid child). - The actor gate (`adversarial-review.yml:34-39`) hardcodes `steve`/`fizi`/`dazed`, which is consistent with the retained `allowed_users: "steve,fizi,dazed"` (line 52) — no mismatch introduced. - `OLLAMA_CLOUD_API_KEY` is still forwarded (line 45), consistent with a swarm that still includes cloud models per the new comment. No now-orphaned or now-missing secret evident from what's reviewable here. What I could not verify (out of reach, not a defect I can confirm): - The core premise — that the removed inputs (`models`, `specialists`, `provider_concurrency`, `provider_lens_concurrency`, `timeout_secs`, `max_steps`, `timeout_minutes`) are genuinely supplied as defaults by `steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d…` — lives in an external repo at a pinned commit not present in this checkout. I cannot confirm those defaults exist or that their values equal the previous explicit ones. If gadfly#10 did *not* default one of these (or renamed `allowed_users`), the run would silently change behavior or fail input validation. This is the only real correctness risk, and it is unverifiable from here. - Likewise the comment's factual claims ("3 cloud models + Claude Code sonnet/opus/opus:max, 5-lens suite", lines 1-2) describe the remote default; I can't confirm they match what `@b02b11d` actually defines. The change is config-only, advisory, and internally coherent. The behavioral correctness hinges entirely on the pinned gadfly commit's defaults, which is by design (centralization) but is the spot to double-check before merge. --- **VERDICT: No material issues found** - No logic or semantic-correctness defect is present in the reviewable diff: YAML is valid, the retained allow-list matches the actor gate, and the forwarded secrets remain consistent with a cloud+Claude-Code swarm (verified by reading `adversarial-review.yml:34-52`). - One unverifiable dependency (not a confirmed finding): correctness now relies on `review-reusable.yml@b02b11d…` actually defaulting every removed input to the intended values. Worth confirming against that gadfly commit before merge, but it is outside what these repo tools can reach. </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — Minor issues</summary> I've verified the draft against the actual file. Both findings accurately describe the file's content — the header comment at lines 1-5 does hardcode a specific snapshot of gadfly's swarm ("3 cloud models + Claude Code sonnet/opus/opus:max, 5-lens suite") while the change's stated purpose is to inherit that centrally, and the inline comment at 50-51 generically restates the same "inherit the default swarm" point. ## VERDICT: Minor issues - **`.gitea/workflows/adversarial-review.yml:1-5` — the header comment re-enumerates the very swarm details the PR set out to stop hardcoding.** The point of this change (per the inline comment at lines 50-51) is that the model fleet and lens suite now live centrally in gadfly and are inherited, so this repo no longer tracks them. But the header comment hardcodes "3 cloud models + Claude Code sonnet/opus/opus:max, 5-lens suite" — a snapshot of gadfly's current default. When gadfly edits its default, this comment silently goes stale and nothing in this repo flags it, reintroducing the drift the change is trying to eliminate. Low-churn fix: make the header generic like the inline comment already is (e.g. "INHERITS its default swarm — models + lenses defined in gadfly's review-reusable.yml") and drop the enumerated specifics. - **`adversarial-review.yml:1-5` and `:50-51` — two comments now redundantly explain the same "inherit the default swarm" point.** Minor; once the header is made generic per above, the inline comment at 50-51 largely repeats it. Consider trimming one so there's a single source of truth for the "why" in this file. </details> <details><summary><b>⚡ Performance</b> — No material issues found</summary> **VERDICT: No material issues found** This is a CI workflow config change that removes the explicit swarm parameters (`models`, `specialists`, `provider_concurrency`, `provider_lens_concurrency`, `timeout_secs`, `max_steps`, `timeout_minutes`) so the caller inherits gadfly's reusable-workflow defaults. There is no application code or hot path here to regress. Through the Performance lens specifically: - **Concurrency control is intact and correct.** `adversarial-review.yml:25-27` keeps a `concurrency` group keyed on the PR number with `cancel-in-progress: true`, so superseded runs are still cancelled — no stacked/duplicate swarm runs piling up. The diff doesn't touch this. - **Removed `timeout_minutes: 90` (caller-side job cap) is not a perf regression I can substantiate.** The previous `timeout_secs: 600` was also removed and is now inherited, so run-bounding moves into the reusable workflow rather than disappearing. The reusable workflow (`steve/gadfly@b02b11d…/review-reusable.yml`) lives in another repo and is not present in this checkout (`grep`/`find` for `review-reusable` returns nothing local), so I cannot confirm the inherited timeout value — but I have no basis to claim the bound was dropped, only relocated. - **Compute envelope shifts but is intentional and not a regression in this repo's lane.** Per the description the swarm goes 6-cloud/3-lens → 3-cloud + Claude Code/5-lens. Whether that nets to more or less work depends entirely on the inherited defaults I can't see; either way it's a deliberate central-config decision, not avoidable work this diff introduces. Nothing in my lens (N+1, allocations, hot-loop work, unbounded growth, blocking calls, quadratic behavior) is applicable to a pure config-inheritance change. Clean from a performance standpoint. </details> <details><summary><b>🧯 Error handling & edge cases</b> — No material issues found</summary> **VERDICT: No material issues found** This is a declarative Gitea Actions config change: it re-pins the reusable-workflow ref (`@20a5c43 → @b02b11d`) and deletes six `with:` inputs (`models`, `specialists`, `provider_concurrency`, `provider_lens_concurrency`, `timeout_secs`, `max_steps`, plus `timeout_minutes`) so they inherit the reusable workflow's defaults. I read the full file (`.gitea/workflows/adversarial-review.yml:1-53`) and confirmed the diff is the only change in the working tree against `HEAD`; the remaining `if:` gate, secret forwarding, and `allowed_users` are untouched and internally consistent. Through the **error-handling & edge-cases** lens there is nothing to flag: - No code paths, error returns, cleanup/rollback, or nil/empty/boundary handling are introduced or removed — this is pure CI wiring. - The actor gate (`adversarial-review.yml:34-39`) and concurrency key (`:26`) are unchanged; the `||`/`&&` short-circuit logic and the `github.event.issue.number || ... || inputs.pr_number` fallback chain are not modified by this PR. One adjacent observation, explicitly **unverified and outside my lane** (it's a config/correctness concern, not error-handling, and I cannot check it because `review-reusable.yml` lives in the external `steve/gadfly` repo, not this checkout): deleting `timeout_secs`/`max_steps`/`timeout_minutes` means run-bounding now relies entirely on defaults defined in commit `b02b11d`. If that commit does not actually set those defaults, runs could be unbounded. The PR description asserts the defaults exist post-#10; that claim is not verifiable from this repository alone. Worth a one-time confirmation, but not a blocking issue in my lens. </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 10s</sub>

🪰 Gadfly review — claude-code/opus:max (claude-code)

Verdict: Minor issues — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — No material issues found

I've read the actual workflow file at its checked-out state and confirmed the diff matches. This is a CI config-slimming change. Let me reason through the security-relevant controls.

VERDICT: No material issues found

The change removes the explicit with: swarm config (models, concurrency, step/timeout caps) and re-pins the gadfly reusable workflow. Through the security lens, the controls that actually matter all survive the slimming:

  • Pinning to an immutable SHA is preserved (adversarial-review.yml:42). The pin moved 20a5c43 → b02b11d, but it's still a full 40-char commit SHA, not @main. The stated guarantee — "a push to gadfly can't silently change the code that runs with our forwarded secrets" — still holds, and critically it also freezes the now-inherited defaults (models, max_steps, timeouts) at that commit. Inheriting defaults does not widen the trust boundary, because the defaults live inside the pinned ref. (Verified by reading the file; I cannot verify the contents of the remote steve/gadfly repo at b02b11d from here — that trust is inherent to any cross-repo pin and is not introduced by this diff.)
  • Least-privilege secret forwarding is unchanged (:44-48). The same four secrets are still explicitly enumerated. The reusable workflow can only ever use secrets the caller forwards, so inheriting an unseen swarm config cannot cause it to consume a secret executus didn't hand over. This is the real security boundary and it's intact.
  • The actor gate is untouched (:34-39): issue_comment triggers remain restricted to steve/fizi/dazed, and allowed_users (:52) still mirrors that list as the in-container belt-and-suspenders check — the two remain consistent after the edit.
  • Triggers, permissions: (read contents / write issues+PRs), and concurrency are not modified by this diff.

Nothing in the removed lines (models, provider_concurrency, max_steps, timeout_*) is a security control — those are resource/DoS-bounding knobs (a separate lens), and removing them here only delegates them to the pinned upstream default.

No authn/authz gap, injection sink, secret-leak, or tainted-data path is introduced or weakened by this change.

Outside my lens: the removed max_steps/timeout_secs/timeout_minutes now rely entirely on gadfly's upstream defaults being sane — a resource-bounding concern worth a correctness/cost reviewer's glance, but not a security issue.

(Note: I did not enter the plan workflow or create a plan file — this task is an adversarial security review whose deliverable is the review itself, and I confined myself to read-only investigation.)

🎯 Correctness — No material issues found

This is a CI-config change (a caller workflow that delegates to an external reusable workflow). I've read the full post-change file and checked the workflow directory. Let me note what's verifiable here versus what isn't.

The substance of this PR — that the removed with: inputs (models, specialists, provider_concurrency, provider_lens_concurrency, timeout_secs, max_steps, timeout_minutes) now resolve to the intended defaults — lives entirely in steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d…, which is an external repo not present in this checkout. I cannot read it, so the central correctness claim is unverifiable from here. I'll flag that honestly rather than guess.


VERDICT: No material issues found

Within the Correctness lens, the change to this file is sound:

  • .gitea/workflows/adversarial-review.yml:49-52 — After removing the six swarm inputs, the with: block still contains allowed_users, so it is non-empty and YAML-valid. Verified by reading the full file. No dangling/empty mapping.
  • .gitea/workflows/adversarial-review.yml:34-39 — The actor gate (steve/fizi/dazed) is unchanged and remains consistent with the retained allowed_users: "steve,fizi,dazed". The diff doesn't touch this, and the two lists still agree. Verified.
  • .gitea/workflows/adversarial-review.yml:42 — The uses: pin is re-pointed to a full 40-char commit SHA (b02b11d…490d), preserving the immutable-pin invariant the surrounding comment depends on. Well-formed.

Caveats I could not verify (genuinely out of reach, not dropped nits):

  • Whether review-reusable.yml@b02b11d actually declares defaults for all six removed inputs. If any of models/specialists/provider_concurrency/provider_lens_concurrency/timeout_secs/max_steps is a required: true input there (or timeout_minutes is referenced with no default), this caller will fail at dispatch. The PR body asserts gadfly#10 made these defaults; I take that on faith — it cannot be checked from this repo.
  • The header comment's behavioral claims ("3 cloud + Claude Code sonnet/opus/opus:max, 5-lens suite") describe the external default, not anything defined in this file. If that default later drifts, this comment silently goes stale — but that's a doc-accuracy risk, not a logic bug in the diff.

No correctness defect is introduced by the lines actually changed here.

🧹 Code cleanliness & maintainability — Minor issues

VERDICT: Minor issues

My lens is code cleanliness & maintainability. The diff is a clean slimming of the workflow stub — removing the explicit with: swarm block and inheriting gadfly's default is exactly the kind of de-duplication that reduces maintenance surface. One maintainability concern remains:

  • .gitea/workflows/adversarial-review.yml:1-2 — the header comment re-duplicates the very config the change just centralized. The whole point of this change (per the line 50-51 comment) is that the swarm config "lives centrally in gadfly's review-reusable.yml." But the file-top comment still enumerates the inherited default's contents: "3 cloud models + Claude Code sonnet/opus/opus:max, 5-lens suite." That enumeration is no longer set or verifiable in this repo — when gadfly's default swarm changes, this comment silently goes stale with nothing here to catch it (confirmed: grepping the repo, this is the only place describing the specific swarm shape; README.md and CLAUDE.md describe the swarm only generically as an "N×M swarm" and don't restate the model/lens counts). Suggested low-churn fix: drop the specific model/lens enumeration from lines 1-2 and describe it by reference only — e.g. "inherits its default review swarm (defined in gadfly's review-reusable.yml)." This keeps the doc honest without re-pinning a copy of the central config.
Performance — No material issues found

This is a CI workflow config change that delegates the swarm configuration to an external reusable workflow. I've verified the checked-out file matches the diff. Evaluating strictly through the Performance lens:

There is no application code, hot path, query, loop, or allocation in this change — it's a YAML stub that forwards triggers/secrets and inherits swarm config from an externally-pinned gadfly workflow (review-reusable.yml@b02b11d…), which is not in this repo and cannot be read.

VERDICT: No material issues found

  • The workload shape does change (6 cloud/3-lens → 3 cloud + Claude Code/5-lens), and the explicit provider_concurrency, provider_lens_concurrency, timeout_secs, and max_steps caps are removed so they now inherit gadfly's defaults. This is the stated intent, advisory-only, and the actual concurrency/step bounds live in the external pinned workflow I cannot inspect — so I can't substantiate any concrete regression. Not a finding, just the boundary of what's verifiable here.
  • concurrency.group with cancel-in-progress: true (adversarial-review.yml:25-27) is unchanged and still prevents redundant overlapping runs per PR — good for runner utilization; no regression.

One thing worth a glance on the gadfly side (unverified, outside this repo): the removed timeout_minutes: 90 was a job-level wall-clock cap. If review-reusable.yml doesn't define its own job timeout, a hung swarm run could now occupy a runner up to the platform default (commonly 360 min) instead of 90. That's the only resource-occupancy concern, and it can only be confirmed by reading the pinned reusable workflow.

Nothing material in the performance lane within this diff.

🧯 Error handling & edge cases — No material issues found

VERDICT: No material issues found

This diff is a pure CI workflow config change to .gitea/workflows/adversarial-review.yml: it re-pins the reusable-workflow ref and removes the explicit swarm with: inputs so they inherit gadfly's centralized defaults. I read the full file (53 lines) at its checked-out state to confirm there is no executable logic here.

Through the error handling & edge cases lens, there is nothing material:

  • No swallowed errors, cleanup/rollback, panics, or boundary/nil/overflow paths exist in a declarative YAML stub.
  • The actor gate (adversarial-review.yml:34-39) and allowed_users (:52) remain consistent (steve,fizi,dazed), so the comment-trigger guard's unhappy path is unchanged and still closed.
  • Secret forwarding (:44-48) is intact, so no new "missing credential" failure mode is introduced on the caller side.

One caveat I could not verify (and which is really CI-reliability, not strictly my lens): the call now relies on models, specialists, timeout_secs, max_steps, etc. all having defaults in review-reusable.yml@b02b11d. That file lives in the external steve/gadfly repo and is not in this checkout, so I can't confirm those inputs are non-required. If any were declared required: true without a default in that commit, the workflow call would fail at dispatch — but the PR description states #10 made them defaults, and this is unverifiable from here rather than a demonstrable defect.

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 1s

<!-- gadfly-review:ollama:claude-code/opus:max --> ### 🪰 Gadfly review — `claude-code/opus:max` (claude-code) **Verdict: Minor issues** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — No material issues found</summary> I've read the actual workflow file at its checked-out state and confirmed the diff matches. This is a CI config-slimming change. Let me reason through the security-relevant controls. ## VERDICT: No material issues found The change removes the explicit `with:` swarm config (models, concurrency, step/timeout caps) and re-pins the gadfly reusable workflow. Through the security lens, the controls that actually matter all survive the slimming: - **Pinning to an immutable SHA is preserved** (`adversarial-review.yml:42`). The pin moved `20a5c43 → b02b11d`, but it's still a full 40-char commit SHA, not `@main`. The stated guarantee — "a push to gadfly can't silently change the code that runs with our forwarded secrets" — still holds, and critically it *also* freezes the now-inherited defaults (models, `max_steps`, timeouts) at that commit. Inheriting defaults does **not** widen the trust boundary, because the defaults live inside the pinned ref. *(Verified by reading the file; I cannot verify the contents of the remote `steve/gadfly` repo at `b02b11d` from here — that trust is inherent to any cross-repo pin and is not introduced by this diff.)* - **Least-privilege secret forwarding is unchanged** (`:44-48`). The same four secrets are still explicitly enumerated. The reusable workflow can only ever use secrets the caller forwards, so inheriting an unseen swarm config cannot cause it to consume a secret executus didn't hand over. This is the real security boundary and it's intact. - **The actor gate is untouched** (`:34-39`): `issue_comment` triggers remain restricted to `steve/fizi/dazed`, and `allowed_users` (`:52`) still mirrors that list as the in-container belt-and-suspenders check — the two remain consistent after the edit. - Triggers, `permissions:` (read contents / write issues+PRs), and concurrency are not modified by this diff. Nothing in the removed lines (`models`, `provider_concurrency`, `max_steps`, `timeout_*`) is a security control — those are resource/DoS-bounding knobs (a separate lens), and removing them here only delegates them to the pinned upstream default. No authn/authz gap, injection sink, secret-leak, or tainted-data path is introduced or weakened by this change. Outside my lens: the removed `max_steps`/`timeout_secs`/`timeout_minutes` now rely entirely on gadfly's upstream defaults being sane — a resource-bounding concern worth a correctness/cost reviewer's glance, but not a security issue. (Note: I did not enter the plan workflow or create a plan file — this task is an adversarial security review whose deliverable is the review itself, and I confined myself to read-only investigation.) </details> <details><summary><b>🎯 Correctness</b> — No material issues found</summary> This is a CI-config change (a caller workflow that delegates to an external reusable workflow). I've read the full post-change file and checked the workflow directory. Let me note what's verifiable here versus what isn't. The substance of this PR — that the removed `with:` inputs (`models`, `specialists`, `provider_concurrency`, `provider_lens_concurrency`, `timeout_secs`, `max_steps`, `timeout_minutes`) now resolve to the *intended* defaults — lives entirely in `steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d…`, which is an external repo not present in this checkout. I cannot read it, so the central correctness claim is unverifiable from here. I'll flag that honestly rather than guess. --- **VERDICT: No material issues found** Within the Correctness lens, the change to this file is sound: - `.gitea/workflows/adversarial-review.yml:49-52` — After removing the six swarm inputs, the `with:` block still contains `allowed_users`, so it is non-empty and YAML-valid. Verified by reading the full file. No dangling/empty mapping. - `.gitea/workflows/adversarial-review.yml:34-39` — The actor gate (`steve`/`fizi`/`dazed`) is unchanged and remains consistent with the retained `allowed_users: "steve,fizi,dazed"`. The diff doesn't touch this, and the two lists still agree. Verified. - `.gitea/workflows/adversarial-review.yml:42` — The `uses:` pin is re-pointed to a full 40-char commit SHA (`b02b11d…490d`), preserving the immutable-pin invariant the surrounding comment depends on. Well-formed. **Caveats I could not verify (genuinely out of reach, not dropped nits):** - Whether `review-reusable.yml@b02b11d` actually declares defaults for *all six* removed inputs. If any of `models`/`specialists`/`provider_concurrency`/`provider_lens_concurrency`/`timeout_secs`/`max_steps` is a `required: true` input there (or `timeout_minutes` is referenced with no default), this caller will fail at dispatch. The PR body asserts gadfly#10 made these defaults; I take that on faith — it cannot be checked from this repo. - The header comment's behavioral claims ("3 cloud + Claude Code sonnet/opus/opus:max, 5-lens suite") describe the *external* default, not anything defined in this file. If that default later drifts, this comment silently goes stale — but that's a doc-accuracy risk, not a logic bug in the diff. No correctness defect is introduced by the lines actually changed here. </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — Minor issues</summary> VERDICT: Minor issues My lens is code cleanliness & maintainability. The diff is a clean slimming of the workflow stub — removing the explicit `with:` swarm block and inheriting gadfly's default is exactly the kind of de-duplication that reduces maintenance surface. One maintainability concern remains: - **`.gitea/workflows/adversarial-review.yml:1-2` — the header comment re-duplicates the very config the change just centralized.** The whole point of this change (per the line 50-51 comment) is that the swarm config "lives centrally in gadfly's review-reusable.yml." But the file-top comment still enumerates the inherited default's contents: *"3 cloud models + Claude Code sonnet/opus/opus:max, 5-lens suite."* That enumeration is no longer set or verifiable in this repo — when gadfly's default swarm changes, this comment silently goes stale with nothing here to catch it (confirmed: grepping the repo, this is the only place describing the specific swarm shape; README.md and CLAUDE.md describe the swarm only generically as an "N×M swarm" and don't restate the model/lens counts). Suggested low-churn fix: drop the specific model/lens enumeration from lines 1-2 and describe it by reference only — e.g. "inherits its default review swarm (defined in gadfly's review-reusable.yml)." This keeps the doc honest without re-pinning a copy of the central config. </details> <details><summary><b>⚡ Performance</b> — No material issues found</summary> This is a CI workflow config change that delegates the swarm configuration to an external reusable workflow. I've verified the checked-out file matches the diff. Evaluating strictly through the **Performance** lens: There is no application code, hot path, query, loop, or allocation in this change — it's a YAML stub that forwards triggers/secrets and inherits swarm config from an externally-pinned gadfly workflow (`review-reusable.yml@b02b11d…`), which is not in this repo and cannot be read. **VERDICT: No material issues found** - The workload shape does change (6 cloud/3-lens → 3 cloud + Claude Code/5-lens), and the explicit `provider_concurrency`, `provider_lens_concurrency`, `timeout_secs`, and `max_steps` caps are removed so they now inherit gadfly's defaults. This is the stated intent, advisory-only, and the actual concurrency/step bounds live in the external pinned workflow I cannot inspect — so I can't substantiate any concrete regression. Not a finding, just the boundary of what's verifiable here. - `concurrency.group` with `cancel-in-progress: true` (`adversarial-review.yml:25-27`) is unchanged and still prevents redundant overlapping runs per PR — good for runner utilization; no regression. One thing worth a glance on the gadfly side (unverified, outside this repo): the removed `timeout_minutes: 90` was a job-level wall-clock cap. If `review-reusable.yml` doesn't define its own job timeout, a hung swarm run could now occupy a runner up to the platform default (commonly 360 min) instead of 90. That's the only resource-occupancy concern, and it can only be confirmed by reading the pinned reusable workflow. Nothing material in the performance lane within this diff. </details> <details><summary><b>🧯 Error handling & edge cases</b> — No material issues found</summary> VERDICT: No material issues found This diff is a pure CI workflow config change to `.gitea/workflows/adversarial-review.yml`: it re-pins the reusable-workflow ref and removes the explicit swarm `with:` inputs so they inherit gadfly's centralized defaults. I read the full file (53 lines) at its checked-out state to confirm there is no executable logic here. Through the **error handling & edge cases** lens, there is nothing material: - No swallowed errors, cleanup/rollback, panics, or boundary/nil/overflow paths exist in a declarative YAML stub. - The actor gate (`adversarial-review.yml:34-39`) and `allowed_users` (`:52`) remain consistent (`steve,fizi,dazed`), so the comment-trigger guard's unhappy path is unchanged and still closed. - Secret forwarding (`:44-48`) is intact, so no new "missing credential" failure mode is introduced on the caller side. One caveat I could not verify (and which is really CI-reliability, not strictly my lens): the call now relies on `models`, `specialists`, `timeout_secs`, `max_steps`, etc. all having defaults in `review-reusable.yml@b02b11d`. That file lives in the external `steve/gadfly` repo and is not in this checkout, so I can't confirm those inputs are non-`required`. If any were declared `required: true` without a default in that commit, the workflow call would fail at dispatch — but the PR description states #10 made them defaults, and this is unverifiable from here rather than a demonstrable defect. </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 1s</sub>
steve added 1 commit 2026-06-28 02:44:50 +00:00
ci: inherit gadfly's default swarm (slim caller, re-pin @b02b11d)
executus CI / test (pull_request) Successful in 1m50s
d5a24c6f6e
steve/gadfly#10 moved the curated swarm (3 cloud + Claude Code sonnet/opus/
opus:max, 5-lens suite) into the reusable workflow's input defaults. Drop this
repo's explicit `with:` swarm block and inherit it — only the consumer-specific
allow-list remains. Re-pin to the post-#10 gadfly commit (@b02b11d).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
steve force-pushed ci/gadfly-default from 75234c2768 to d5a24c6f6e 2026-06-28 02:44:50 +00:00 Compare
steve merged commit 56baac758d into main 2026-06-28 02:48:25 +00:00
steve deleted branch ci/gadfly-default 2026-06-28 02:48:25 +00:00
Sign in to join this conversation.
No Reviewers
No Label
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: steve/executus#14