fix: fold in claude-code-engine review findings
Build & push image / build-and-push (pull_request) Successful in 14s
Build & push image / build-and-push (pull_request) Successful in 14s
The dogfood swarm reviewed PR #2 (9 cloud reviewers; m5 wedged by a host reboot and skipped this once). 66 findings graded via the gadfly MCP (~half real, half false-positive/clean-verification). Folding in the warranted ones: - engine.go: claudeEnv() builds a MINIMAL subprocess environment (auth token + PATH/HOME/locale/GADFLY_CLAUDE_*), no longer handing GITEA_TOKEN and provider keys to the third-party CLI (4-model consensus). - engine.go: runPass rewrite — check ctx.Err() first (don't emit a review from a timed-out run), treat an empty parsed result as an error instead of returning the raw JSON envelope, only trust a JSON answer on a clean exit, and drop the dangling ": " when there's no error detail. - engine.go: put the CLI in its own process group (Setpgid) and SIGKILL the whole group on cancel, so a timed-out lens can't orphan node procs. - engine.go: rune-safe truncateForErr. - prompts: genericized the tool-name hints in buildTask + recheck so the claude-code engine isn't told to call majordomo-only tools (read_file/ get_diff); also dropped the mort-specific framing from the recheck prompt (it must stay generic per CLAUDE.md). - README: documented that GADFLY_CLAUDE_EXTRA_ARGS is whitespace-split and can override the read-only default, and that the subprocess gets a minimal env. Left as-is (graded, noted in finding notes): operator-knob override of read-only (intentional escape hatch), shared per-lens timeout (by design), GADFLY_CLAUDE_BIN trust (operator-controlled, like GADFLY_BIN). New tests: claudeEnv filtering, rune-safe truncation, and runPass paths (clean / empty-result / is_error / non-zero) via a stub binary. gofmt clean, go vet quiet, go test -race green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -103,9 +103,18 @@ Auth is read from the environment: the default is a **Pro/Max subscription** via
|
||||
| `GADFLY_CLAUDE_MODEL` | *(from the spec suffix)* | overrides the `--model` value |
|
||||
| `GADFLY_CLAUDE_PERMISSION_MODE` | `plan` | `--permission-mode` (read-only `plan` keeps it from editing) |
|
||||
| `GADFLY_CLAUDE_ALLOWED_TOOLS` | *(unset)* | `--allowedTools` value, passed verbatim (e.g. `Read,Grep,Glob`) |
|
||||
| `GADFLY_CLAUDE_EXTRA_ARGS` | *(unset)* | extra CLI args appended verbatim (e.g. `--max-turns 30`) |
|
||||
| `GADFLY_CLAUDE_EXTRA_ARGS` | *(unset)* | extra CLI args, **whitespace-split** (no shell quoting) and appended after the defaults (e.g. `--max-turns 30`) |
|
||||
| `GADFLY_CLAUDE_BIN` | `claude` | CLI binary path |
|
||||
|
||||
> These are **operator** knobs (workflow env), not PR-author input. Because
|
||||
> `GADFLY_CLAUDE_EXTRA_ARGS` is appended *after* the defaults, it can override the
|
||||
> read-only `--permission-mode plan` (e.g. passing `--permission-mode acceptEdits`),
|
||||
> so keep it read-only unless you mean otherwise. It's whitespace-split, so values
|
||||
> can't contain spaces — use `GADFLY_CLAUDE_ALLOWED_TOOLS` / `_PERMISSION_MODE` /
|
||||
> `_MODEL` for those. The subprocess runs with a **minimal environment** (its auth
|
||||
> token + `PATH`/`HOME`/locale/`GADFLY_CLAUDE_*`), not the runner's full env, so the
|
||||
> Gitea token and provider keys aren't handed to the CLI.
|
||||
|
||||
> **Untested, like the cloud providers.** This wires the CLI in and is exercised by its unit
|
||||
> tests, but a live subscription-auth run hasn't been validated end-to-end here — and using
|
||||
> subscription auth in automated CI is a gray area in Anthropic's terms. `auto` specialist
|
||||
|
||||
Reference in New Issue
Block a user