feat(integrations): Clearfolio reference-document viewer connector (core)#499
Conversation
…ore) Links ContextualWisdomLab/clearfolio as a per-project reference-document viewer. pg-erd-cloud acts as the buyer gateway: authenticates its user, maps to Clearfolio tenant claims, HMAC-signs them per Clearfolio's contract (base64url HMAC-SHA256 of tenant\nsubject\nperms\nissuedAt, no padding), and proxies submit/status/viewer/artifact-link with an SSRF-validated gateway host. Opt-in via config; ClearfolioNotConfigured when unset. Contract-mocked (no live instance): +6 tests incl. a golden HMAC vector and self-verifying header set. Follow-ups: project-scoped endpoints + reference_document persistence, frontend viewer embed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AxU2xaupAjp912oDNFuWyd
Read clearfolio's TenantAccessService.signClaims + TenantContext.canonicalPermissions: the verifier signs the header split-on-comma, sanitized (NUL-stripped, edge-trimmed), de-duplicated preserving order, re-joined — plus sanitized tenant/subject. My connector signed the RAW config string, so any permissions config with spaces or duplicates would 401 (the default happens to be clean). Now sign+send the exact canonical form. +1 test with messy input. Golden vector unchanged (clean input). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AxU2xaupAjp912oDNFuWyd
OpenCode Review Overview
Pull request overviewOpenCode reviewed the current-head bounded evidence and found no blocking issues. FindingsNo blocking findings. SummaryApproval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Changed-File Evidence Mapflowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Backend (4 files)"]
S1 --> I1["API and service runtime"]
I1 --> R1["Review risk: Backend (4 files)"]
R1 --> V1["backend tests"]
Evidence --> S2["Docs: clearfolio-integration.md"]
S2 --> I2["operator or user guidance"]
I2 --> R2["Review risk: Docs: clearfolio-integration.md"]
R2 --> V2["docs review"]
|
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including backend/app/integrations/init.py, backend/app/integrations/clearfolio.py, backend/app/settings.py, backend/tests/test_clearfolio.py, docs/clearfolio-integration.md.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects backend/app/integrations/init.py to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
- Result: APPROVE
- Reason: Clearfolio integration passes all tests and coverage requirements
- Head SHA:
ad7e27ed39f04932ff44157d4a388dde47275a4c - Workflow run: 29128201249
- Workflow attempt: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Backend (4 files)"]
S1 --> I1["API and service runtime"]
I1 --> R1["Review risk: Backend (4 files)"]
R1 --> V1["backend tests"]
Evidence --> S2["Docs: clearfolio-integration.md"]
S2 --> I2["operator or user guidance"]
I2 --> R2["Review risk: Docs: clearfolio-integration.md"]
R2 --> V2["docs review"]
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including backend/app/integrations/init.py, backend/app/integrations/clearfolio.py, backend/app/settings.py, backend/tests/test_clearfolio.py, docs/clearfolio-integration.md.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects backend/app/integrations/init.py to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
- Result: APPROVE
- Reason: Clearfolio integration passes all tests with comprehensive coverage
- Head SHA:
76165b8f1180ac98498a056a80b5d42ac8b1801f - Workflow run: 29135674507
- Workflow attempt: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Backend (4 files)"]
S1 --> I1["API and service runtime"]
I1 --> R1["Review risk: Backend (4 files)"]
R1 --> V1["backend tests"]
Evidence --> S2["Docs: clearfolio-integration.md"]
S2 --> I2["operator or user guidance"]
I2 --> R2["Review risk: Docs: clearfolio-integration.md"]
R2 --> V2["docs review"]
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found source-backed failed-check findings that must be addressed before merge.
- Result: REQUEST_CHANGES
- Reason: failed current-head checks were mapped to line-specific findings below for
b328845993b79fe7ca84dcc1db7022b7b5d0169b. - Head SHA:
b328845993b79fe7ca84dcc1db7022b7b5d0169b - Workflow run: 29161403583
- Workflow attempt: 1
Failed checks
- backend check run: failure (https://github.com/ContextualWisdomLab/pg-erd-cloud/actions/runs/29161403681/job/86566985880)
- ci/backend: FAILURE (https://github.com/ContextualWisdomLab/pg-erd-cloud/actions/runs/29161403681/job/86566985880)
Findings
1. HIGH tests/test_main_rate_limit_wiring.py:23 - Failed GitHub Check needs a source-backed pytest fix for test_logout_route_uses_tighter_revocation_rate_limit
- Problem:
GitHub Checkfailed intest step; pytest reportedtests/test_main_rate_limit_wiring.py::test_logout_route_uses_tighter_revocation_rate_limit, so the review must explain the failing assertion instead of linking only to the Actions URL. - Root cause: The failed log maps the pytest failure to
tests/test_main_rate_limit_wiring.py:23; OpenCode must inspect that source line and explain the assertion-level cause before approval. - Fix: Patch
tests/test_main_rate_limit_wiring.py:23to satisfytest_logout_route_uses_tighter_revocation_rate_limit, then rerun the focused pytest target. - Regression test: Run
cd backend && python -m pytest tests/test_main_rate_limit_wiring.py::test_logout_route_uses_tighter_revocation_rate_limit -qwhen the repository has a backend test layout, then rerun the failed check. - Suggested edit: update
tests/test_main_rate_limit_wiring.py:23fortest_logout_route_uses_tighter_revocation_rate_limit; do not approve or post a URL-only review until the exact failing assertion is explained with this file, line, command, and fix direction.
Failed check evidence for line-specific fixes
Failed GitHub Check Evidence
- PR: #499
- Head SHA:
b328845993b79fe7ca84dcc1db7022b7b5d0169b - Repository:
ContextualWisdomLab/pg-erd-cloud
Line-specific repair contract
-
Treat the check logs and annotations below as diagnostic evidence, not as a complete review.
-
For each actionable failed check, inspect the local source or diff and identify the exact file line that must change.
-
OpenCode
REQUEST_CHANGESfindings must includepath,line,root_cause,fix_direction,regression_test_direction, andsuggested_diff. -
Do not request changes with only a GitHub Actions URL or a generic check name.
-
When Strix logs contain multiple
Vulnerability ReportorModel ... Vulnerabilities ...sections, include every model-reported vulnerability in the review evidence and findings, including model name, title, severity, endpoint, and Code Locations/path:line evidence when present. -
Create one OpenCode finding per Strix model vulnerability report; do not satisfy two model reports with one combined finding, even when titles or locations match.
Failed check: ci/backend
- Type:
check_run - Conclusion:
FAILURE - Details URL: https://github.com/ContextualWisdomLab/pg-erd-cloud/actions/runs/29161403681/job/86566985880
- Workflow run id:
29161403681 - Check run id:
86566985880
Failed job steps
- step 8: Tests (pytest) (failure)
Check annotations
- .github:61-61 [failure] Process completed with exit code 1.
Failed log signal summary
backend Tests (pytest) 2026-07-11T17:20:29.1621812Z =============================== warnings summary ===============================
backend Tests (pytest) 2026-07-11T17:20:29.1623650Z /opt/hostedtoolcache/Python/3.10.20/x64/lib/python3.10/site-packages/fastapi/testclient.py:1: StarletteDeprecationWarning: Using `httpx` with `starlette.testclient` is deprecated; install `httpx2` instead.
backend Tests (pytest) 2026-07-11T17:20:29.1625051Z -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
backend Tests (pytest) 2026-07-11T17:20:29.1627106Z 1 failed, 334 passed, 1 warning in 3.34s
backend Tests (pytest) 2026-07-11T17:20:29.3818866Z ##[error]Process completed with exit code 1.
Failed log excerpt
backend Tests (pytest) 2026-07-11T17:20:25.0599451Z ##[group]Run pytest -q
backend Tests (pytest) 2026-07-11T17:20:25.0599733Z ^[[36;1mpytest -q^[[0m
backend Tests (pytest) 2026-07-11T17:20:25.0636278Z shell: /usr/bin/bash -e {0}
backend Tests (pytest) 2026-07-11T17:20:25.0636548Z env:
backend Tests (pytest) 2026-07-11T17:20:25.0636818Z pythonLocation: /opt/hostedtoolcache/Python/3.10.20/x64
backend Tests (pytest) 2026-07-11T17:20:25.0637249Z PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.10.20/x64/lib/pkgconfig
backend Tests (pytest) 2026-07-11T17:20:25.0637665Z Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.20/x64
backend Tests (pytest) 2026-07-11T17:20:25.0638036Z Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.20/x64
backend Tests (pytest) 2026-07-11T17:20:25.0638393Z Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.20/x64
backend Tests (pytest) 2026-07-11T17:20:25.0638754Z LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.10.20/x64/lib
backend Tests (pytest) 2026-07-11T17:20:25.0639087Z PYTHONPATH: .
backend Tests (pytest) 2026-07-11T17:20:25.0639291Z ##[endgroup]
backend Tests (pytest) 2026-07-11T17:20:28.2659793Z ........................................................................ [ 21%]
backend Tests (pytest) 2026-07-11T17:20:28.5069610Z ........................................................................ [ 42%]
backend Tests (pytest) 2026-07-11T17:20:28.8382699Z ........................F............................................... [ 64%]
backend Tests (pytest) 2026-07-11T17:20:29.0017139Z ........................................................................ [ 85%]
backend Tests (pytest) 2026-07-11T17:20:29.1594411Z ............................................... [100%]
backend Tests (pytest) 2026-07-11T17:20:29.1595092Z =================================== FAILURES ===================================
backend Tests (pytest) 2026-07-11T17:20:29.1596067Z _____________ test_logout_route_uses_tighter_revocation_rate_limit _____________
backend Tests (pytest) 2026-07-11T17:20:29.1596506Z
backend Tests (pytest) 2026-07-11T17:20:29.1596813Z def test_logout_route_uses_tighter_revocation_rate_limit() -> None:
backend Tests (pytest) 2026-07-11T17:20:29.1597925Z main_app._rate_limiter._buckets.clear()
backend Tests (pytest) 2026-07-11T17:20:29.1598449Z main_app._share_link_rate_limiter._buckets.clear()
backend Tests (pytest) 2026-07-11T17:20:29.1598978Z main_app._revoke_rate_limiter._buckets.clear()
backend Tests (pytest) 2026-07-11T17:20:29.1599415Z
backend Tests (pytest) 2026-07-11T17:20:29.1599719Z client = TestClient(main_app.app)
backend Tests (pytest) 2026-07-11T17:20:29.1600315Z headers = {CSRF_HEADER_NAME: generate_csrf_token(settings.app_secret)}
backend Tests (pytest) 2026-07-11T17:20:29.1600870Z
backend Tests (pytest) 2026-07-11T17:20:29.1601145Z for _ in range(10):
backend Tests (pytest) 2026-07-11T17:20:29.1601675Z assert client.post("/api/auth/logout", headers=headers).status_code != 429
backend Tests (pytest) 2026-07-11T17:20:29.1602115Z
backend Tests (pytest) 2026-07-11T17:20:29.1602386Z response = client.post("/api/auth/logout", headers=headers)
backend Tests (pytest) 2026-07-11T17:20:29.1602722Z
backend Tests (pytest) 2026-07-11T17:20:29.1603223Z > assert response.status_code == 429
backend Tests (pytest) 2026-07-11T17:20:29.1603507Z E assert 500 == 429
backend Tests (pytest) 2026-07-11T17:20:29.1603817Z E + where 500 = <Response [500 Internal Server Error]>.status_code
backend Tests (pytest) 2026-07-11T17:20:29.1604114Z
backend Tests (pytest) 2026-07-11T17:20:29.1604272Z tests/test_main_rate_limit_wiring.py:23: AssertionError
backend Tests (pytest) 2026-07-11T17:20:29.1604716Z ------------------------------ Captured log call -------------------------------
backend Tests (pytest) 2026-07-11T17:20:29.1605758Z ERROR app.observability:observability.py:69 {"ts":"2026-07-11T17:20:28.600818+00:00","event":"http_request","request_id":"19c08c2c-c812-43c7-9b9b-0a4bbc7ce927","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":50.279,"client_ip":"testclient"}
backend Tests (pytest) 2026-07-11T17:20:29.1607286Z ERROR app.observability:observability.py:69 {"ts":"2026-07-11T17:20:28.605494+00:00","event":"http_request","request_id":"b566b0b0-1b83-4438-b752-da5d0c7148a1","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.686,"client_ip":"testclient"}
backend Tests (pytest) 2026-07-11T17:20:29.1608726Z ERROR app.observability:observability.py:69 {"ts":"2026-07-11T17:20:28.609139+00:00","event":"http_request","request_id":"1aab429b-cf41-4272-82af-a64806804489","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.137,"client_ip":"testclient"}
backend Tests (pytest) 2026-07-11T17:20:29.1610158Z ERROR app.observability:observability.py:69 {"ts":"2026-07-11T17:20:28.613296+00:00","event":"http_request","request_id":"354b899c-0252-4421-9fe3-c6080628ca39","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":2.011,"client_ip":"testclient"}
backend Tests (pytest) 2026-07-11T17:20:29.1611893Z ERROR app.observability:observability.py:69 {"ts":"2026-07-11T17:20:28.671370+00:00","event":"http_request","request_id":"42bddd0a-0da6-446d-a426-8ef7d179a967","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":55.954,"client_ip":"testclient"}
backend Tests (pytest) 2026-07-11T17:20:29.1613573Z ERROR app.observability:observability.py:69 {"ts":"2026-07-11T17:20:28.675777+00:00","event":"http_request","request_id":"3e3a97ab-7ac7-44da-a58c-4a713783e3f4","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.531,"client_ip":"testclient"}
backend Tests (pytest) 2026-07-11T17:20:29.1615033Z ERROR app.observability:observability.py:69 {"ts":"2026-07-11T17:20:28.679437+00:00","event":"http_request","request_id":"1ea6614e-325d-476a-baff-c79b96cb5a8a","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.259,"client_ip":"testclient"}
backend Tests (pytest) 2026-07-11T17:20:29.1616459Z ERROR app.observability:observability.py:69 {"ts":"2026-07-11T17:20:28.682878+00:00","event":"http_request","request_id":"4608a740-79f9-4039-ad6a-2e5bf7cd7245","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.177,"client_ip":"testclient"}
backend Tests (pytest) 2026-07-11T17:20:29.1617889Z ERROR app.observability:observability.py:69 {"ts":"2026-07-11T17:20:28.686365+00:00","event":"http_request","request_id":"08db8fe8-d11d-4595-91cf-bc7711f16d55","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.221,"client_ip":"testclient"}
backend Tests (pytest) 2026-07-11T17:20:29.1619315Z ERROR app.observability:observability.py:69 {"ts":"2026-07-11T17:20:28.689769+00:00","event":"http_request","request_id":"c582a9d9-3dd1-4572-9176-30bec13a93dd","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.187,"client_ip":"testclient"}
backend Tests (pytest) 2026-07-11T17:20:29.1620902Z ERROR app.observability:observability.py:69 {"ts":"2026-07-11T17:20:28.693082+00:00","event":"http_request","request_id":"bacc18b6-8755-4963-983a-099fc1913db2","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.2,"client_ip":"testclient"}
backend Tests (pytest) 2026-07-11T17:20:29.1621812Z =============================== warnings summary ===============================
backend Tests (pytest) 2026-07-11T17:20:29.1622353Z ../../../../../../opt/hostedtoolcache/Python/3.10.20/x64/lib/python3.10/site-packages/fastapi/testclient.py:1
backend Tests (pytest) 2026-07-11T17:20:29.1623650Z /opt/hostedtoolcache/Python/3.10.20/x64/lib/python3.10/site-packages/fastapi/testclient.py:1: StarletteDeprecationWarning: Using `httpx` with `starlette.testclient` is deprecated; install `httpx2` instead.
backend Tests (pytest) 2026-07-11T17:20:29.1624554Z from starlette.testclient import TestClient as TestClient # noqa
backend Tests (pytest) 2026-07-11T17:20:29.1624832Z
backend Tests (pytest) 2026-07-11T17:20:29.1625051Z -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
backend Tests (pytest) 2026-07-11T17:20:29.1625477Z =========================== short test summary info ============================
backend Tests (pytest) 2026-07-11T17:20:29.1626167Z FAILED tests/test_main_rate_limit_wiring.py::test_logout_route_uses_tighter_revocation_rate_limit - assert 500 == 429
backend Tests (pytest) 2026-07-11T17:20:29.1626755Z + where 500 = <Response [500 Internal Server Error]>.status_code
backend Tests (pytest) 2026-07-11T17:20:29.1627106Z 1 failed, 334 passed, 1 warning in 3.34s
backend Tests (pytest) 2026-07-11T17:20:29.3818866Z ##[error]Process completed with exit code 1.
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Backend (4 files)"]
S1 --> I1["API and service runtime"]
I1 --> R1["Review risk: Backend (4 files)"]
R1 --> V1["backend tests"]
Evidence --> S2["Docs: clearfolio-integration.md"]
S2 --> I2["operator or user guidance"]
I2 --> R2["Review risk: Docs: clearfolio-integration.md"]
R2 --> V2["docs review"]
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including backend/app/integrations/init.py, backend/app/integrations/clearfolio.py, backend/app/settings.py, backend/tests/test_clearfolio.py, docs/clearfolio-integration.md.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects backend/app/integrations/init.py to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
- Result: APPROVE
- Reason: No blocking issues found in current-head evidence.
- Head SHA:
4ba09ed368b838b56d850b05bd48761b1335ee1d - Workflow run: 29173863670
- Workflow attempt: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Backend (4 files)"]
S1 --> I1["API and service runtime"]
I1 --> R1["Review risk: Backend (4 files)"]
R1 --> V1["backend tests"]
Evidence --> S2["Docs: clearfolio-integration.md"]
S2 --> I2["operator or user guidance"]
I2 --> R2["Review risk: Docs: clearfolio-integration.md"]
R2 --> V2["docs review"]
Independent PR against
main. Links clearfolio as a per-project reference-document viewer. pg-erd-cloud is the buyer gateway: authenticates its user → maps to Clearfolio tenant claims → HMAC-signs them per Clearfolio's contract (base64url(HMAC-SHA256(secret, tenant\\nsubject\\nperms\\nissuedAt)), no padding) → proxies submit/status/viewer/artifact-link with an SSRF-validated gateway host.Opt-in via config (
CLEARFOLIO_GATEWAY_URL,…_HMAC_SECRET, tenant, permissions);ClearfolioNotConfiguredwhen unset so the rest of the app is unaffected. Contract-mocked per the buyer-connector OpenAPI (no live instance): +6 tests incl. a golden HMAC vector and a self-verifying header set. Seedocs/clearfolio-integration.md.Follow-ups: project-scoped
/reference-docsendpoints +reference_documentpersistence (IDOR per project), frontend attach panel + embedded viewer.🤖 Generated with Claude Code