Explorar o código

ci(claude-bot): structure PR review and issue triage prompts

Rework the handle-pr-review, handle-pr-fix, and handle-issue prompts to produce professional, structured output. The review job now rates findings by severity and confidence across explicit review areas and reports a Summary, Findings, and a text-only verdict in one plain comment; the fix job reuses the same lens to prioritize what it applies versus leaves for the author; issue triage gains a structured bug-confirmation format and explicit outcomes for mislabeled and not-a-bug reports, closing conservatively. Severity uses text labels to respect the no-emoji house style, and the adapted ignore-list keeps i18n and generated files flaggable.
MHSanaei hai 11 horas
pai
achega
c62e8c6bbe
Modificáronse 1 ficheiros con 143 adicións e 34 borrados
  1. 143 34
      .github/workflows/claude-bot.yml

+ 143 - 34
.github/workflows/claude-bot.yml

@@ -201,14 +201,14 @@ jobs:
                already exist in that list. Never create new labels. Quote any
                already exist in that list. Never create new labels. Quote any
                multi-word label name, e.g. --add-label "clarification needed".
                multi-word label name, e.g. --add-label "clarification needed".
 
 
-            2. SPAM / INVALID CHECK: Treat the issue as spam ONLY if you are
-               highly confident it matches one of:
+            2. VALIDITY CHECK: Treat the issue as invalid and close it ONLY if
+               you are highly confident it matches one of:
                  - Body empty or only whitespace, punctuation, or emoji.
                  - Body empty or only whitespace, punctuation, or emoji.
                  - Pure gibberish / random characters with no real request.
                  - Pure gibberish / random characters with no real request.
                  - Obvious advertising, promotion, or links unrelated to 3x-ui.
                  - Obvious advertising, promotion, or links unrelated to 3x-ui.
                  - A throwaway test issue (just "test", "asdf", "hello", etc.).
                  - A throwaway test issue (just "test", "asdf", "hello", etc.).
                  - No relation at all to 3x-ui / Xray.
                  - No relation at all to 3x-ui / Xray.
-               If it clearly is spam:
+               If it clearly matches one of these:
                  a) gh issue comment ${{ github.event.issue.number }} --body "..."
                  a) gh issue comment ${{ github.event.issue.number }} --body "..."
                     (short, polite: closed because it lacks a valid, actionable
                     (short, polite: closed because it lacks a valid, actionable
                     report; invite them to reopen with details)
                     report; invite them to reopen with details)
@@ -216,7 +216,8 @@ jobs:
                  c) gh issue close ${{ github.event.issue.number }} --reason "not planned"
                  c) gh issue close ${{ github.event.issue.number }} --reason "not planned"
                  d) STOP. Do not do steps 3-6.
                  d) STOP. Do not do steps 3-6.
                If you have ANY doubt, treat it as a real issue and continue.
                If you have ANY doubt, treat it as a real issue and continue.
-               A short or low-quality but genuine report is NOT spam.
+               A short or low-quality but genuine report is NOT invalid;
+               investigate it instead.
 
 
             3. DUPLICATE CHECK: Search existing issues using the main keywords
             3. DUPLICATE CHECK: Search existing issues using the main keywords
                from the title:
                from the title:
@@ -253,6 +254,13 @@ jobs:
                info is missing (version from `x-ui`, OS, install method - script
                info is missing (version from `x-ui`, OS, install method - script
                vs Docker, Xray/inbound config, or relevant logs), also add the
                vs Docker, Xray/inbound config, or relevant logs), also add the
                "clarification needed" label.
                "clarification needed" label.
+               If the issue's stated type is wrong - for example filed as a
+               feature request but actually a bug, or the reverse - correct it:
+               remove the wrong label, add the right one, and if the title
+               misstates the type or problem, fix it with
+               `gh issue edit ${{ github.event.issue.number }} --title "<corrected title>"`,
+               preserving the reporter's meaning and changing only what is
+               needed for clarity. Note any retitle in your comment.
 
 
             6. RESPOND: Post ONE comment that fully addresses the issue,
             6. RESPOND: Post ONE comment that fully addresses the issue,
                following COMMENT STYLE above.
                following COMMENT STYLE above.
@@ -261,14 +269,32 @@ jobs:
                  copy-pasteable commands, exact file paths, and exact setting
                  copy-pasteable commands, exact file paths, and exact setting
                  names taken from the repo. Do NOT invent features, paths,
                  names taken from the repo. Do NOT invent features, paths,
                  flags, or commands.
                  flags, or commands.
-               - If it is a BUG and you found the root cause, CONFIRM it: name
-                 the exact file, function, and line, explain what happens and
-                 why, and tag @${{ github.repository_owner }} so a maintainer
-                 can decide on a fix. Do NOT open a pull request and do NOT edit
-                 code; a fix is made only when the maintainer requests it by
-                 mentioning @claude.
+               - If it is a BUG and you found the root cause, CONFIRM it with a
+                 structured comment using these plain-text headings: Title (a
+                 one-line summary of the defect); Severity (Critical, High,
+                 Medium, Low, or Suggestion); Category (Correctness, Security,
+                 Performance, Reliability, Maintainability, API, Testing, or
+                 Documentation); Why this matters (the concrete runtime,
+                 security, or maintainability impact); Recommendation (the fix
+                 approach - do NOT open a pull request or edit code; a fix is
+                 made only when the maintainer requests it by mentioning
+                 @claude); and an optional short Example as a plain fenced code
+                 block naming the exact file, function, and line. State your
+                 confidence and, if it is low, say so. Tag
+                 @${{ github.repository_owner }} so a maintainer can decide on a
+                 fix.
+               - If it is filed or titled as a bug but investigation CONFIRMS
+                 there is no bug (expected behavior, a user configuration error,
+                 or a misunderstanding), explain why with evidence from the
+                 source (exact file and line), remove the bug label, add
+                 "question" or "invalid" as appropriate, optionally correct the
+                 title, and close it with
+                 `gh issue close ${{ github.event.issue.number }} --reason "not planned"`.
+                 If you are not certain, or key information is missing, do NOT
+                 close: add "clarification needed" and keep it open.
                - For a feature/enhancement request, a question, or a
                - For a feature/enhancement request, a question, or a
-                 documentation issue, just answer it; never open a PR.
+                 documentation issue, answer it in prose in the style above (no
+                 Severity/heading scaffold); never open a PR.
                - If, after investigating, you still cannot determine the cause,
                - If, after investigating, you still cannot determine the cause,
                  state briefly what you checked and ask for the specific
                  state briefly what you checked and ask for the specific
                  missing details rather than guessing.
                  missing details rather than guessing.
@@ -422,13 +448,23 @@ jobs:
                For backend changes trace the call sites; for DB/model changes
                For backend changes trace the call sites; for DB/model changes
                check migrations. Read as many files as you need; do not stop at
                check migrations. Read as many files as you need; do not stop at
                the first file. Separate what you CONFIRMED in the source from
                the first file. Separate what you CONFIRMED in the source from
-               what you infer, and do not invent problems.
+               what you infer, and do not invent problems. Weigh each change
+               against the review areas - correctness, security, reliability,
+               performance, concurrency, maintainability, API design, testing,
+               and documentation - and rate each real problem by severity
+               (Critical, High, Medium, Low, or Suggestion).
 
 
             5. APPLY FIXES (this is the core of the job): for every real problem
             5. APPLY FIXES (this is the core of the job): for every real problem
                you find - a bug, a correctness or security issue, a broken
                you find - a bug, a correctness or security issue, a broken
                caller, a build break, or a convention violation - and for
                caller, a build break, or a convention violation - and for
                refactors that clearly improve the code, MAKE the change directly
                refactors that clearly improve the code, MAKE the change directly
-               with Edit/Write, following the project conventions above. Keep
+               with Edit/Write, following the project conventions above.
+               Prioritize by severity: always apply Critical and High
+               correctness and security fixes and clear convention violations,
+               and apply Medium maintainability fixes when they are low-risk;
+               leave Low and Suggestion items - and anything large, risky, or
+               that you are not confident is correct - for the author, and list
+               them with their severity in your step-6 summary. Keep
                each edit focused and correct; do not rewrite unrelated code or
                each edit focused and correct; do not rewrite unrelated code or
                reformat wholesale. You cannot run builds or tests here, so make
                reformat wholesale. You cannot run builds or tests here, so make
                changes that are obviously correct; if a needed fix is large,
                changes that are obviously correct; if a needed fix is large,
@@ -559,6 +595,59 @@ jobs:
               frontend/src does not affect users until internal/web/dist is
               frontend/src does not affect users until internal/web/dist is
               rebuilt.
               rebuilt.
 
 
+            REVIEW PRINCIPLES
+            - Base every finding on evidence: a specific diff hunk or a
+              file:line in the checked-out source. Never invent hypothetical
+              problems, and do not assume missing context unless the change
+              clearly requires it.
+            - If you are uncertain, say so explicitly; do not present an
+              assumption as fact.
+            - Prefer a few high-signal findings over many low-value ones. Do
+              not report the same issue twice and do not bikeshed style. Ignore
+              pure-formatting changes unless they reduce readability.
+            - Ignore true vendor code, lock files, and build output. Do NOT
+              ignore i18n or generated files here: a new English key missing
+              from any of the 13 internal/web/translation/ JSONs, or a
+              frontend/src/generated or frontend/public/openapi.json that would
+              be dirty after `make gen`, is a real convention violation.
+
+            REVIEW AREAS (weigh each against the diff):
+            - Correctness: logic errors, edge cases, nil/empty handling,
+              invalid assumptions, regressions.
+            - Security: authentication and authorization, input validation,
+              injection, XSS, CSRF, SSRF, path traversal, secrets exposure,
+              unsafe defaults. Pay special attention to
+              internal/web/controller/ handlers, subscription output in
+              internal/sub/, and Xray config generation in internal/xray/.
+            - Reliability: error handling, resource cleanup, timeouts, retry
+              and failure paths, child-process and goroutine failure handling.
+            - Performance: unnecessary allocations, N+1 or unbounded GORM
+              queries, expensive work in hot loops or per-request paths.
+            - Concurrency: races, deadlocks, unsynchronized shared state,
+              goroutine or task leaks (xray/mtproto child processes, cron jobs
+              in internal/web/job/).
+            - Maintainability: readability, naming, duplication, complexity.
+            - API design: backward compatibility, breaking changes, request
+              validation, error responses.
+            - Testing: missing coverage or edge-case tests, wrong assertions
+              (this repo uses the stdlib testing package only).
+            - Documentation: a new route needs an endpoints.ts entry; note any
+              needed upgrade or configuration notes.
+
+            SEVERITY (assign exactly one per finding; text labels, no emoji):
+            - Critical: security hole, data corruption, crash, privilege
+              escalation, authentication bypass, or severe regression.
+            - High: likely production bug, incorrect behavior, or a significant
+              performance problem.
+            - Medium: missing validation, an unhandled edge case, a
+              maintainability problem, or a moderate performance issue.
+            - Low: minor readability or consistency improvement.
+            - Suggestion: optional improvement with no correctness impact.
+
+            CONFIDENCE (assign exactly one per finding): High, Medium, or Low.
+            Reserve High for issues you CONFIRMED in the source (name the file
+            and line); label anything inferred Medium or Low.
+
             CURRENT PULL REQUEST
             CURRENT PULL REQUEST
             REPO:   ${{ github.repository }}
             REPO:   ${{ github.repository }}
             NUMBER: ${{ github.event.pull_request.number }}
             NUMBER: ${{ github.event.pull_request.number }}
@@ -578,28 +667,48 @@ jobs:
 
 
             3. INVESTIGATE: For each meaningful change, open the changed file
             3. INVESTIGATE: For each meaningful change, open the changed file
                region and the base-repo code it touches with Read/Glob/Grep.
                region and the base-repo code it touches with Read/Glob/Grep.
-               Focus on REAL problems: correctness bugs, security issues,
-               broken callers, build breaks, data loss, and clear convention
-               violations from the list above. Do not bikeshed style or invent
-               issues.
-
-            4. REPORT: Post ONE comment on the PR
-               (`gh pr comment ${{ github.event.pull_request.number }} --body "..."`).
-               - Lead with a one- or two-sentence verdict.
-               - Then a short list of the real problems you found, each naming
-                 the exact file and line (as text, e.g.
-                 `internal/web/service/foo.go:42`) and stating what is wrong and
-                 why it matters, grounded in the code.
+               Weigh it against the REVIEW AREAS and PROJECT CONVENTIONS above.
+               For backend changes trace the call sites; for DB/model changes
+               check migrations. For every real problem, assign a severity and
+               a confidence and record the exact file:line. Discard anything you
+               cannot ground in the diff or the source; do not bikeshed style or
+               invent issues.
+
+            4. REPORT: Post ONE plain comment on the PR
+               (`gh pr comment ${{ github.event.pull_request.number }} --body "..."`),
+               structured as below and scaled to the size of the change:
+               - Summary: lead with one to three sentences on what the PR
+                 changes, its overall quality, the main risks, and your overall
+                 recommendation.
+               - Findings, most severe first. Give each as a compact block with
+                 these fields on their own lines:
+                   Severity / Confidence / Category
+                   Location: file:line as plain text (e.g.
+                   internal/web/service/foo.go:42), not a Markdown link
+                   Problem: what is wrong
+                   Why it matters: the practical runtime, security, or
+                   maintainability impact
+                   Recommendation: the preferred fix
+                 A code example is optional and, if included, MUST be a plain
+                 fenced code block, never a ```suggestion``` block.
+               - Positive observations: include only when genuinely substantive
+                 (good validation, tests, or a clean refactor); otherwise omit
+                 them rather than pad the comment.
+               - Verdict: end with a single text line - Approve, Comment, or
+                 Request changes - plus one or two sentences of reasoning. This
+                 is TEXT ONLY; do NOT post a GitHub review with an APPROVE or
+                 REQUEST_CHANGES event. For blocking problems (Critical or High
+                 correctness, security, data loss, or a build break), tag
+                 @${{ github.repository_owner }} so a maintainer decides how to
+                 proceed.
+               - Keep it as short as completeness allows: a trivial or clean PR
+                 gets just the Summary and Verdict (findings only if any); a
+                 large or risky PR gets the full structure.
                - Do NOT post ```suggestion``` blocks and do NOT open an inline
                - Do NOT post ```suggestion``` blocks and do NOT open an inline
-                 review; this is a single plain comment.
-               - If there are blocking problems (correctness, security, data
-                 loss, build break), tag @${{ github.repository_owner }} so a
-                 maintainer decides how to proceed.
-               - If the PR looks correct, say so plainly and note anything the
-                 maintainer should still verify.
-               - Reply in the SAME LANGUAGE the PR is written in, be
-                 professional and matter-of-fact (no emoji, no filler), and end
-                 with one italic line stating the review was generated
+                 review; this is a single plain comment. Reply in the SAME
+                 LANGUAGE the PR is written in, stay professional and
+                 matter-of-fact (no emoji, no exclamation marks, no filler), and
+                 end with one italic line stating the review was generated
                  automatically and a maintainer may follow up.
                  automatically and a maintainer may follow up.
 
 
             RULES
             RULES