2 Commits

Author SHA1 Message Date
Steve Dudenhoeffer 17064a6d75 ci: inherit gadfly's default swarm (slim caller, re-pin @b02b11d)
CI / Tidy (pull_request) Successful in 9m26s
CI / Build & Test (pull_request) Successful in 9m42s
steve/gadfly#10 centralized the curated swarm (3 cloud + Claude Code, 5-lens
suite) as the reusable workflow's input defaults. Drop majordomo's explicit
`with:` swarm block and inherit it; only the consumer-specific allow-list
remains. Re-pin to the post-#10 gadfly commit (@b02b11d). Update CLAUDE.md's
Gadfly section to match (was 6 cloud / 3 lenses).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 22:44:49 -04:00
Steve Dudenhoeffer ecf39087a9 ci: switch gadfly review to the reusable workflow (curated swarm, 5 lenses)
Adversarial Review (Gadfly) / review (pull_request) Successful in 8m49s
CI / Tidy (pull_request) Successful in 9m37s
CI / Build & Test (pull_request) Successful in 10m14s
Replace majordomo's full self-contained Gadfly stub with a thin caller of
steve/gadfly's reusable workflow, matching mort/executus's hardened pattern:
- explicit secret forwarding (least privilege); GITEA_TOKEN is the auto token.
- pinned to an immutable gadfly commit (@20a5c43), not @main.

Curated swarm tuned for majordomo:
- 3 strong cloud models (minimax-m3, glm-5.2, deepseek-v4-pro) — dropped
  qwen3-coder:480b, nemotron-3-super, glm-5.1.
- Claude Code engine (sonnet, opus, opus:max), claude-code=3 so all three
  claudes run at once.
- 5-lens default suite (security, correctness, maintainability, performance,
  error-handling) for every model (lenses are global).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 21:58:23 -04:00
4 changed files with 50 additions and 133 deletions
+21 -50
View File
@@ -1,12 +1,8 @@
# Gadfly — agentic adversarial PR reviewer (https://gitea.stevedudenhoeffer.com/steve/gadfly).
#
# Runs the published Gadfly image (pinned to an immutable :sha- tag — act_runner
# caches :latest, and this build is what carries foreman provider-type support)
# as a specialist swarm and posts
# ONE consolidated review comment as gitea-actions. Advisory only — never blocks a
# merge. This reviews majordomo PRs with 6 ollama-cloud models (3-lens suite).
# Gadfly is a simple system — findings are advisory; always double-check before
# acting.
# Gadfly adversarial review — subscribes to steve/gadfly's reusable workflow and
# INHERITS its default swarm. This stub holds only the triggers, the actor gate,
# secret forwarding, and the allow-list; the swarm config (models, lenses,
# concurrency, timeouts) lives centrally in gadfly's review-reusable.yml so it is
# tuned in ONE place. Advisory only — never blocks a merge.
name: Adversarial Review (Gadfly)
@@ -33,50 +29,25 @@ concurrency:
jobs:
review:
# Security: only trusted users may trigger a secret-bearing run via a PR
# comment (pull_request + workflow_dispatch are already trusted). Mirrors
# GADFLY_ALLOWED_USERS, the in-container belt-and-suspenders check.
# comment (pull_request + workflow_dispatch are already trusted). Mirrors the
# allowed_users input below (the in-container belt-and-suspenders check) — both
# lists must stay in sync; a workflow if: can't read a workflow_call input.
if: >-
github.event_name != 'issue_comment'
|| (github.event.issue.pull_request
&& (github.actor == 'steve'
|| github.actor == 'fizi'
|| github.actor == 'dazed'))
runs-on: ubuntu-latest
# Fleet: 6 ollama-cloud models (lens fan-out), no local Macs. (Trimmed the
# weakest reviewers by grade — m5/qwen3.6, gemma4, gpt-oss, kimi-k2.7 — plus
# the earlier M1 drop.) Plenty of headroom for the cloud lanes.
timeout-minutes: 45
steps:
- uses: docker://gitea.stevedudenhoeffer.com/steve/gadfly:sha-d7f364d
env:
GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
# Cloud-only fleet (no local Macs). Cloud concurrency lives in the
# LENSES: models run a few at a time (ollama-cloud=3) with their 3 lenses
# concurrent (LENS ollama-cloud=3) so comments land sooner.
GADFLY_MODELS: "minimax-m3:cloud,glm-5.2:cloud,glm-5.1:cloud,deepseek-v4-pro:cloud,nemotron-3-super:cloud,qwen3-coder:480b-cloud"
GADFLY_PROVIDER_CONCURRENCY: "ollama-cloud=3"
GADFLY_PROVIDER_LENS_CONCURRENCY: "ollama-cloud=3"
# Default => the 3-lens suite (security, correctness, error-handling).
# Set the repo var GADFLY_SPECIALISTS to override (csv / "all" / "auto").
GADFLY_SPECIALISTS: ${{ vars.GADFLY_SPECIALISTS || 'security,correctness,error-handling' }}
# Per-lens deadline + bounded steps to keep each reviewer's run sane.
GADFLY_TIMEOUT_SECS: "600"
GADFLY_MAX_STEPS: "14"
# Allow-list for the comment trigger (mirrors the job-level if: guard).
GADFLY_ALLOWED_USERS: "steve,fizi,dazed"
# --- findings telemetry: POST runs + findings to the gadfly-reports store ---
# Advisory & off unless GADFLY_FINDINGS_URL is set; failures only log to
# stderr and never affect the review. GADFLY_REPO / GADFLY_PR are derived
# in-container; the URL + token are user-scope secrets.
GADFLY_FINDINGS_URL: ${{ secrets.GADFLY_FINDINGS_URL }}
GADFLY_FINDINGS_TOKEN: ${{ secrets.GADFLY_FINDINGS_TOKEN }}
# --- event context (leave as-is) ---
EVENT_NAME: ${{ github.event_name }}
PR: ${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
PR_BRANCH: ${{ github.head_ref }}
IS_DRAFT: ${{ github.event.pull_request.draft }}
COMMENT_BODY: ${{ github.event.comment.body }}
COMMENT_ID: ${{ github.event.comment.id }}
ACTOR: ${{ github.actor }}
# Pinned to an immutable gadfly commit (not @main): a push to gadfly can't
# silently change the code that runs with our forwarded secrets.
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d69139843665da4cdbf776bc0b3583490d
# Least privilege: forward only the review secrets (not `secrets: inherit`,
# which would expose every repo secret). GITEA_TOKEN is the automatic token.
secrets:
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
GADFLY_FINDINGS_URL: ${{ secrets.GADFLY_FINDINGS_URL }}
GADFLY_FINDINGS_TOKEN: ${{ secrets.GADFLY_FINDINGS_TOKEN }}
with:
# Consumer-specific allow-list; everything else is inherited.
allowed_users: "steve,fizi,dazed"
+5 -3
View File
@@ -142,9 +142,11 @@ Ship work through PRs and let Gadfly review it before merge:
- **Push to a PR, never straight to `main`.** Branch, push, open a PR.
`.gitea/workflows/adversarial-review.yml` runs Gadfly (the standalone
agentic adversarial reviewer) — a fleet of 6 ollama-cloud models, each
running the 3-lens suite (security, correctness, error-handling). Advisory
only; it never blocks the merge.
agentic adversarial reviewer) by subscribing to gadfly's reusable workflow
and inheriting its default swarm — 3 cloud models + the Claude Code engine
(sonnet/opus/opus:max), each running the 5-lens suite (security, correctness,
maintainability, performance, error-handling). The swarm is tuned centrally
in gadfly, not here. Advisory only; it never blocks the merge.
- **Wait for Gadfly to finish, then read its output.** Don't merge while the
review is still running. Each model posts one consolidated comment; weigh
every finding on its merits and fix the real ones (Gadfly is a simple
+15 -41
View File
@@ -5,16 +5,10 @@
// already satisfies the target's llm.Capabilities. Images that do not fit
// are decoded, downscaled (never upscaled), and re-encoded into an allowed
// format and byte budget. Anything that cannot honestly be made to fit —
// undecodable formats, impossible byte budgets, images for a text-only
// target — fails with an error wrapping llm.ErrUnsupported so a failover
// chain can advance to a more capable target without a health penalty.
//
// Over-count is the exception: a request carrying more images than
// MaxImagesPerReq does NOT fail — the oldest images are replaced with a short
// text placeholder and the most-recent MaxImagesPerReq are kept, because a hard
// refuse exhausts a chain whose targets share the same cap (e.g. an agent loop
// accumulating a preview image per iteration). MaxImagesPerReq remains the
// per-model knob (0 = no image support).
// undecodable formats, impossible byte budgets, too many images, images for
// a text-only target — fails with an error wrapping llm.ErrUnsupported so a
// failover chain can advance to a more capable target without a health
// penalty.
//
// Why a separate package: every provider would otherwise duplicate the same
// decode/scale/encode pipeline. Providers keep only a cheap capability
@@ -58,21 +52,15 @@ func Normalize(req llm.Request, caps llm.Capabilities) (llm.Request, error) {
if !caps.SupportsImages() {
return llm.Request{}, fmt.Errorf("media: %w: target does not accept image input (request carries %d image(s))", llm.ErrUnsupported, total)
}
// Over-cap images are elided in the same copy-on-write pass below: the
// OLDEST excess are replaced with a placeholder and the most-recent
// MaxImagesPerReq kept (see the package doc for why we elide rather than
// refuse). toElide is how many of the first images, front-to-back, to drop.
toElide := 0
// Why error instead of dropping the overflow: silently removing an image
// changes the question the caller asked; the honest move is to refuse and
// let a chain try a roomier target.
if total > caps.MaxImagesPerReq {
toElide = total - caps.MaxImagesPerReq
return llm.Request{}, fmt.Errorf("media: %w: request carries %d images, target allows at most %d per request", llm.ErrUnsupported, total, caps.MaxImagesPerReq)
}
// Single copy-on-write pass: for each image, the first toElide become a text
// placeholder; the rest are size-normalized against caps. The Messages slice
// and an affected message's Parts slice are copied at most once.
out := req
copiedMessages := false
seen := 0
for mi := range req.Messages {
copiedParts := false
for pi, part := range req.Messages[mi].Parts {
@@ -80,22 +68,13 @@ func Normalize(req llm.Request, caps llm.Capabilities) (llm.Request, error) {
if !ok {
continue
}
seen++
var replacement llm.Part
if seen <= toElide {
replacement = llm.Text(imageOverflowPlaceholder)
} else {
norm, changed, err := normalizeImage(ip, caps)
if err != nil {
return llm.Request{}, fmt.Errorf("media: message %d, part %d: %w", mi, pi, err)
}
if !changed {
continue
}
replacement = norm
norm, changed, err := normalizeImage(ip, caps)
if err != nil {
return llm.Request{}, fmt.Errorf("media: message %d, part %d: %w", mi, pi, err)
}
if !changed {
continue
}
if !copiedMessages {
out.Messages = make([]llm.Message, len(req.Messages))
copy(out.Messages, req.Messages)
@@ -107,17 +86,12 @@ func Normalize(req llm.Request, caps llm.Capabilities) (llm.Request, error) {
out.Messages[mi].Parts = parts
copiedParts = true
}
out.Messages[mi].Parts[pi] = replacement
out.Messages[mi].Parts[pi] = norm
}
}
return out, nil
}
// imageOverflowPlaceholder replaces an image elided to fit a target's
// per-request image cap. It keeps the message turn intact and tells the model
// an earlier image was omitted rather than silently changing the conversation.
const imageOverflowPlaceholder = "[earlier image omitted to fit this model's per-request image limit]"
// Info reports an image part's sniffed format ("jpeg", "png", "gif", or
// "webp") and pixel dimensions. It is a cheap metadata read — the pixels are
// never decoded. webp is recognized by signature but not decodable with the
+9 -39
View File
@@ -149,48 +149,18 @@ func TestNormalizeImagesUnsupported(t *testing.T) {
}
}
func TestNormalizeOverCount(t *testing.T) {
// 3 distinguishable images across 2 messages; cap = 2. Over-count no longer
// errors — the OLDEST image is replaced with a placeholder and the most-recent
// two (the relevant ones in an iterative run) are kept, in order.
a := llm.Image("image/png", encPNG(t, gradient(2, 2))).(llm.ImagePart)
b := llm.Image("image/png", encPNG(t, gradient(4, 4))).(llm.ImagePart)
c := llm.Image("image/png", encPNG(t, gradient(8, 8))).(llm.ImagePart)
func TestNormalizeTooManyImages(t *testing.T) {
img := llm.Image("image/png", encPNG(t, gradient(4, 4)))
req := llm.Request{Messages: []llm.Message{
llm.UserParts(a, b),
llm.UserParts(c),
llm.UserParts(img, img),
llm.UserParts(img),
}}
caps := llm.Capabilities{MaxImagesPerReq: 2, MaxImageDimension: 64, MaxImageBytes: 1 << 20, AllowedImageMIME: []string{"image/png"}}
out, err := Normalize(req, caps)
if err != nil {
t.Fatalf("over-count should not error: %v", err)
_, err := Normalize(req, llm.Capabilities{MaxImagesPerReq: 2})
if !errors.Is(err, llm.ErrUnsupported) {
t.Fatalf("err = %v, want ErrUnsupported", err)
}
var imgs []llm.ImagePart
placeholders := 0
for _, m := range out.Messages {
for _, p := range m.Parts {
switch v := p.(type) {
case llm.ImagePart:
imgs = append(imgs, v)
case llm.TextPart:
if v.Text == imageOverflowPlaceholder {
placeholders++
}
}
}
}
// The exact survivors are the most-recent two, in order: b then c (a elided).
if len(imgs) != 2 || !bytes.Equal(imgs[0].Data, b.Data) || !bytes.Equal(imgs[1].Data, c.Data) {
t.Fatalf("kept %d images; want exactly [b, c] (the most-recent two)", len(imgs))
}
if placeholders != 1 {
t.Errorf("placeholders = %d, want 1 for the elided oldest image", placeholders)
}
// Input request untouched (copy-on-write): the first part is still image a,
// not a placeholder — a len check alone wouldn't catch in-place substitution.
first, ok := req.Messages[0].Parts[0].(llm.ImagePart)
if !ok || !bytes.Equal(first.Data, a.Data) {
t.Errorf("input request was mutated; first part = %+v", req.Messages[0].Parts[0])
if !strings.Contains(err.Error(), "3 images") || !strings.Contains(err.Error(), "at most 2") {
t.Errorf("err message %q lacks the counts", err)
}
}