Update sdlc-agentic-pipeline skill#4
Conversation
…ipeline add sdlc-agentic-pipeline skill
📝 WalkthroughWalkthroughThis change adds the ChangesSDLC Agentic Pipeline
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant PM
participant Jira
participant DeveloperAgents
participant Reviewer
participant Tester
participant DevOps
participant CI
participant JFrog
participant ECS
PM->>Jira: Create and route SDLC tasks
DeveloperAgents->>Jira: Update tasks and submit PRs
Jira->>Reviewer: Send review request
Reviewer->>Jira: Record approval or throwback
Jira->>Tester: Send E2E testing request
Tester->>Jira: Record test sign-off or throwback
DeveloperAgents->>CI: Merge approved changes into dev
CI->>JFrog: Publish and verify artifacts
PM->>DevOps: Authorize deployment
DevOps->>ECS: Deploy and health-check the release
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Note
Due to the large number of review comments, Critical severity comments were prioritized as inline comments.
🟠 Major comments (22)
skills/sdlc-agentic-pipeline/references/agents/code-reviewer-agent.md-49-50 (1)
49-50: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick winAssign the release merge to the developer agent.
The PM policy forbids PR creation and merging, but these lines assign the
dev→mainmerge to PM. Name Backend as primary when both developers are active, otherwise the sole developer agent.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/agents/code-reviewer-agent.md` around lines 49 - 50, Update the branch strategy guidance to assign the dev-to-main release merge to the developer agent rather than the PM Agent; designate Backend as primary when both developers are active, and designate the sole developer agent when only one is active.skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md-97-104 (1)
97-104: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick winCorrect Option B repository bootstrap ownership. These sections say PM creates and clones the repository, but the PM policy assigns creation and initial clone to Backend and forbids PM git writes.
skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md#L97-L104: state that Backend created the repository; pass its URL/path and have Frontend clone or receive a workspace explicitly.skills/sdlc-agentic-pipeline/references/agents/devops-agent.md#L112-L116: state that Backend created the repository and have DevOps clone it before infrastructure work.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md` around lines 97 - 104, Update the repository bootstrap context in skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines 97-104 to state that the Backend Agent created the repository, and specify that Frontend receives the repository URL/path and either clones it or uses an explicitly provided workspace. Update skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 112-116 to state that Backend created the repository and that DevOps clones it before infrastructure work.skills/sdlc-agentic-pipeline/references/agents/pm-agent.md-225-226 (1)
225-226: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick winDo not execute
.envas shell code.
sourceevaluates command substitutions in configuration values. A modified.envcan execute arbitrary commands in the PM agent context. Parse only the requiredJIRA_*key/value fields instead.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md` around lines 225 - 226, Replace the `.env` loading command in the Step 1 project-context setup with safe parsing of only the required JIRA_* key/value fields; do not use `source`, `eval`, or otherwise execute `.env` contents, while preserving the environment values needed by the PM agent.skills/sdlc-agentic-pipeline/references/agents/backend-agent.md-372-379 (1)
372-379: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick winRemove the “accept dev for ALL conflicts” path.
This can silently discard fixes that exist only on
main, including production hotfixes. Require domain-owner resolution before committing; the later instruction at Lines 395-397 already defines the safer rule.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/agents/backend-agent.md` around lines 372 - 379, Remove the “Accept dev version for ALL conflicts” instruction from the dev-to-main conflict workflow. Update the resolution step to require domain-owner review and resolution of each conflict before committing, consistent with the existing safer rule referenced near lines 395-397; preserve the remaining branch, CI/CD, and PR steps.skills/sdlc-agentic-pipeline/references/agents/backend-agent.md-121-124 (1)
121-124: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick winDo not place GitHub PATs in clone URLs. URL credentials are exposed through command history, process arguments, and tool logs.
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md#L121-L124: use an approved credential helper or non-argument authentication flow for cloning.skills/sdlc-agentic-pipeline/references/agents/devops-agent.md#L177-L180: use the same non-URL authentication mechanism.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/agents/backend-agent.md` around lines 121 - 124, Replace the PAT-in-URL clone instructions in skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 121-124 and skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 177-180 with the approved credential-helper or non-argument authentication flow, ensuring the token is not exposed in command history, process arguments, or tool logs.skills/sdlc-agentic-pipeline/references/agents/pm-agent.md-444-446 (1)
444-446: 🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy liftDeploy an authorized immutable artifact, not
latest. The release flow does not hand off a real tag/digest, while deployment pulls mutablelatest; a laterdevbuild can replace it before deployment, and rollback has no recorded previous image.
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md#L444-L446: delegate real release-tag/ref creation and record the approved image digest or immutable tag.skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml#L215-L224: publish and expose the built image digest/SHA as the release artifact handoff.skills/sdlc-agentic-pipeline/references/agents/devops-agent.md#L482-L519: deploy the authorized immutable digest/SHA tag rather thanlatest.skills/sdlc-agentic-pipeline/references/agents/devops-agent.md#L542-L546: capture the currently running image before replacement and use it for rollback.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md` around lines 444 - 446, Update skills/sdlc-agentic-pipeline/references/agents/pm-agent.md:444-446 to delegate creation of the real release tag/ref and record the approved immutable image tag or digest. Update skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml:215-224 to publish and expose the built image digest/SHA as the release artifact handoff. Update skills/sdlc-agentic-pipeline/references/agents/devops-agent.md:482-519 to deploy that authorized immutable digest/SHA tag instead of latest, and update skills/sdlc-agentic-pipeline/references/agents/devops-agent.md:542-546 to capture the currently running image before replacement and use it for rollback.skills/sdlc-agentic-pipeline/references/agents/devops-agent.md-244-268 (1)
244-268: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick winMatch the checklist to the workflow’s secret/variable contract.
The template reads
JFROG_PLATFORM_URL,JFROG_DOCKER_REGISTRY,JFROG_USERNAME,JFROG_PROJECT, andSONAR_PROJECT_KEYfromvars.*, but this checklist tells users to create the first four as secrets and omitsSONAR_PROJECT_KEY. Following it leaves required workflow values empty.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/agents/devops-agent.md` around lines 244 - 268, Update the “GitHub Action Secrets Checklist” to match the ci-cd.yml workflow contract: classify JFROG_PLATFORM_URL, JFROG_DOCKER_REGISTRY, JFROG_USERNAME, JFROG_PROJECT, and SONAR_PROJECT_KEY as repository variables under the appropriate Variables section, while retaining only actual secrets in the required-secret comparison and adding SONAR_PROJECT_KEY to the required configuration checklist. Update the procedure’s counts and wording so it validates both secrets and variables before proceeding.skills/sdlc-agentic-pipeline/references/agents/pm-agent.md-90-96 (1)
90-96: 🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy liftParameterize the Option A integration and release branch. Option A permits a user-selected branch, but the CI, merge, release, and manual-trigger procedures hard-code
dev; existing repositories using another branch will skip CI or merge the wrong branch.
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md#L90-L96: persist one selected integration/release branch and pass it to every downstream agent.skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml#L48-L52: generate triggers for that configured branch rather than alwaysdev.skills/sdlc-agentic-pipeline/references/agents/backend-agent.md#L318-L368: use the configured branch for feature merges and release PRs in Option A.skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md#L253-L303: use the configured branch for feature merges and release PRs in Option A.skills/sdlc-agentic-pipeline/references/agents/devops-agent.md#L270-L296: dispatch the workflow against the configured branch.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md` around lines 90 - 96, Parameterize the Option A integration/release branch end to end: in skills/sdlc-agentic-pipeline/references/agents/pm-agent.md lines 90-96, persist the user-selected branch and pass it to downstream agents; in skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml lines 48-52, generate CI triggers from that branch; in skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 318-368 and skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines 253-303, use it for feature merges and release PRs; and in skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 270-296, dispatch workflows against it instead of hard-coded dev.skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml-156-166 (1)
156-166: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick winWait for the submitted Quality Gate result.
project_statuscan return the previous analysis if the scanner hasn’t finished processing yet, which can let a failing run reachdeploy-to-jfrog. Setsonar.qualitygate.wait=trueon the scan step or poll the analysis task ID before this check.skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml:143-166🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml` around lines 156 - 166, Update the SonarCloud scan step associated with the Check SonarCloud Quality Gate step to wait for the submitted analysis to finish by enabling sonar.qualitygate.wait=true, or alternatively poll its analysis task ID until completion before querying project_status. Ensure the existing quality-gate check evaluates the current analysis result and still blocks deploy-to-jfrog on failure.skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py-10-13 (1)
10-13: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick winVerify the ECS host identity instead of accepting any key.
AutoAddPolicyandStrictHostKeyChecking=noallow a network attacker to impersonate the ECS host during password-based bootstrap or later verification.
skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py#L10-L13: load a verifiedknown_hostsentry and useRejectPolicy.skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py#L43-L46: removeStrictHostKeyChecking=no.skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md#L875-L883: require users to verify and record the ECS host fingerprint before SSH automation.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py` around lines 10 - 13, Harden ECS host verification across the referenced sites: in skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py lines 10-13, load the verified known_hosts entry and use RejectPolicy instead of AutoAddPolicy; in the same file lines 43-46, remove StrictHostKeyChecking=no; in skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines 875-883, require users to verify and record the ECS host fingerprint before running SSH automation.Source: Linters/SAST tools
skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py-30-37 (1)
30-37: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick winFail the script when the remote key installation fails.
After a failed
exec_command, the function only prints an error and exits successfully. Onboarding can therefore continue to Docker installation despite key-based access not being configured. Raise an exception or return a non-zero exit status before verification.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py` around lines 30 - 37, Update the failure branch of the SSH key installation flow around exec_command to terminate unsuccessfully when result is not "SUCCESS". Preserve the existing error output, then raise an exception or return a non-zero status before ssh.close() and any subsequent verification or onboarding steps can continue.skills/sdlc-agentic-pipeline/references/pipeline.md-177-184 (1)
177-184: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick winUse one CI/CD trigger contract.
Line 183 says workflow updates use manual dispatch, while Line 184 says CI/CD auto-triggers on pushes to
dev. Choose one behavior and align the workflow instructions; otherwise the pipeline can wait for a run that was never triggered.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/pipeline.md` around lines 177 - 184, Align the Step 6 CI/CD trigger instructions to one contract: choose either manual dispatch or automatic triggering on pushes to dev, then update the workflow verification and monitoring actions and the referenced devops-agent.md guidance consistently. Remove contradictory trigger wording so the pipeline execution path matches the selected behavior.skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md-372-374 (1)
372-374: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick winDo not pass the GitHub PAT through the delegation prompt.
The GitHub MCP configuration is already written before this step. Forwarding the PAT to a subagent unnecessarily exposes a repository-admin credential in task context and logs. Have the Backend Agent use its configured MCP capability instead.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md` around lines 372 - 374, Update the “Invoke Backend Agent” instructions to remove the GitHub PAT from the values passed through the delegation prompt. Keep passing the backend scope, tech stack, project prompt, repository name, owner, and visibility, and direct the Backend Agent to use its preconfigured GitHub MCP capability for repository creation.skills/sdlc-agentic-pipeline/references/pipeline.md-89-102 (1)
89-102: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick winDelegate SDD repository writes to a developer agent.
The PM Agent is read-only in
SKILL.mdLines 645-650, but this step requires creating and populating SDD files. Specify the developer-agent branch/commit/push handoff; otherwise the required SDD artifacts cannot reachdev.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/pipeline.md` around lines 89 - 102, Update the Step 2 “PM Agent — Sprint Start & SDD Setup” workflow so the read-only PM Agent delegates creating and populating spec.md, design.md, and tasks.md to a developer agent. Specify that the developer agent works on its branch, commits the SDD artifacts, pushes the branch, and provides the handoff for merging into dev; keep Jira and sprint actions with the PM Agent.skills/sdlc-agentic-pipeline/SKILL.md-148-165 (1)
148-165: 🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy liftEstablish one canonical stage numbering scheme. The documents alternately define 9, 10, and 11 numbered stages, and rerun logic maps gates to the wrong stages.
skills/sdlc-agentic-pipeline/SKILL.md#L148-L165: rename and enumerate the canonical stages, including whether1bis a stage.skills/sdlc-agentic-pipeline/README.md#L39-L57: mirror the canonical numbering and CI trigger behavior.skills/sdlc-agentic-pipeline/SKILL.md#L486-L503: correct release/deployment stage references.skills/sdlc-agentic-pipeline/references/pipeline.md#L43-L51: remap idempotency checks to their actual stages.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/SKILL.md` around lines 148 - 165, Establish one canonical stage numbering scheme across the pipeline documentation, explicitly deciding whether “1b” is a numbered stage. Update skills/sdlc-agentic-pipeline/SKILL.md lines 148-165 to define and enumerate the canonical stages, mirror that numbering and CI-trigger behavior in skills/sdlc-agentic-pipeline/README.md lines 39-57, correct release and deployment references in skills/sdlc-agentic-pipeline/SKILL.md lines 486-503, and remap idempotency checks to the actual stages in skills/sdlc-agentic-pipeline/references/pipeline.md lines 43-51.skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md-105-115 (1)
105-115: 🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy liftImplement the user-level installation option before asking for repository type.
Q0 offers user-level storage, but the copy/config instructions throughout this guide hard-code
.codeartsdoer/...project paths. Also, the stated Q0 question is never actually asked. Capture the installation scope first and derive source/target paths from it.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md` around lines 105 - 115, Update the setup flow around Q0 to actually ask and store whether the skill is installed at user or project level before asking for repository type. Use that selection to derive all subsequent skill, config, and reference source/target paths instead of hard-coding .codeartsdoer project paths, while preserving the existing project-level default.skills/sdlc-agentic-pipeline/references/templates/env-template.env-14-15 (1)
14-15: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick winNormalize
JFROG_PLATFORM_URLas a full URL. Onboarding and the environment template define it ashttps://…, while report and REST examples prepend anotherhttps://, producing invalid URLs.
skills/sdlc-agentic-pipeline/references/templates/env-template.env#L14-L15: retain the full-URL convention.skills/sdlc-agentic-pipeline/SKILL.md#L364-L364: remove the prepended scheme.skills/sdlc-agentic-pipeline/references/pipeline.md#L197-L197: use<JFROG_PLATFORM_URL>/artifactory/api/.skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md#L803-L804: state explicitly that this value includes the scheme.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/templates/env-template.env` around lines 14 - 15, Normalize JFROG_PLATFORM_URL as a full URL across all references: retain the existing full-URL convention in skills/sdlc-agentic-pipeline/references/templates/env-template.env lines 14-15, remove the extra prepended scheme in skills/sdlc-agentic-pipeline/SKILL.md line 364, use <JFROG_PLATFORM_URL>/artifactory/api/ in skills/sdlc-agentic-pipeline/references/pipeline.md line 197, and explicitly state that the value includes the scheme in skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines 803-804.skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md-405-419 (1)
405-419: 🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy liftBootstrap
devbefore parallel development starts.Frontend is told to concurrently commit to a clone and branch that Backend has not necessarily created yet. Separate agents also cannot safely push independent initial commits to the same branch without synchronization. Create the repository and
devfirst, then dispatch isolated feature branches or explicitly coordinate rebases.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md` around lines 405 - 419, Update the setup flow before the “Frontend Agent builds concurrently with Backend” step to create and initialize the repository, push the bootstrap commit, and create the dev branch before dispatching either agent. Replace direct concurrent pushes to dev with isolated frontend/backend feature branches, or document explicit synchronization and rebase coordination before merging their commits.skills/sdlc-agentic-pipeline/references/templates/env-template.env-7-9 (1)
7-9: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick winInclude the Sonar MCP values required by the documented contract.
mcp-settings.jsonrequiresSONAR_TOKENandSONAR_ORGANIZATION, and onboarding says both belong in.env; this template only emitsSONAR_PROJECT_KEY. Generated local configuration cannot fully populate the Sonar MCP server.# SonarCloud MCP SONAR_PROJECT_KEY=<SONAR_PROJECT_KEY> +SONAR_ORGANIZATION=<SONAR_ORGANIZATION> +SONAR_TOKEN=<SONAR_TOKEN>🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/templates/env-template.env` around lines 7 - 9, Update the SonarCloud MCP section in env-template.env to include placeholders for SONAR_TOKEN and SONAR_ORGANIZATION alongside SONAR_PROJECT_KEY, matching the values required by mcp-settings.json and the documented onboarding contract.skills/sdlc-agentic-pipeline/references/templates/mcp-settings.json-32-36 (1)
32-36: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick winUse the collected JFrog credential placeholder consistently.
Onboarding collects
JFROG_PASSWORDas the JFrog access token, but this template references undefined<JFROG_ACCESS_TOKEN>. The generated MCP config will not authenticate unless users manually invent an extra value.- "Authorization": "Bearer <JFROG_ACCESS_TOKEN>" + "Authorization": "Bearer <JFROG_PASSWORD>"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/templates/mcp-settings.json` around lines 32 - 36, Update the jfrog entry in the MCP settings template to reference the collected JFROG_PASSWORD placeholder for the Authorization bearer token instead of the undefined JFROG_ACCESS_TOKEN placeholder, preserving the existing URL and header structure.skills/sdlc-agentic-pipeline/references/templates/set-secrets.js-129-140 (1)
129-140: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick winExit non-zero when any secret or variable update fails.
setVariableandsetSecretreturn failure, but their results are discarded and the script always printsDone.This lets onboarding proceed with missing CI/CD credentials.+ let failed = false; console.log('Variables (plain text):'); for (const [name, value] of Object.entries(VARIABLES)) { - await setVariable(GITHUB_OWNER, GITHUB_REPO, GITHUB_PAT, name, value); + failed ||= !(await setVariable(GITHUB_OWNER, GITHUB_REPO, GITHUB_PAT, name, value)); } console.log('\nSecrets (encrypted):'); for (const [name, value] of Object.entries(SECRETS)) { - await setSecret(GITHUB_OWNER, GITHUB_REPO, GITHUB_PAT, name, value); + failed ||= !(await setSecret(GITHUB_OWNER, GITHUB_REPO, GITHUB_PAT, name, value)); } + if (failed) process.exit(1); console.log('\nDone. Verify at: https://github.com/' + GITHUB_OWNER + '/' + GITHUB_REPO + '/settings/secrets/actions');🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/templates/set-secrets.js` around lines 129 - 140, Update the main variable and secret update loops to capture the return value from setVariable and setSecret, track whether any update fails, and exit with a non-zero status when failures occur. Only print the successful “Done. Verify...” message when all updates succeed; preserve the existing iteration behavior and credential arguments.skills/sdlc-agentic-pipeline/SKILL.md-173-175 (1)
173-175: 🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy liftRemove the claimed path-based direct-push exemption. GitHub branch protection doesn’t let
.opencode/**,docs/**, orreports/**bypass PR requirements on adevpush; that ref update affects the whole branch. Route these changes through a docs branch + PR, or use a separately controlled automation path.
skills/sdlc-agentic-pipeline/SKILL.md#L173-L175skills/sdlc-agentic-pipeline/SKILL.md#L680-L682skills/sdlc-agentic-pipeline/references/pipeline.md#L299-L303skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md#L1222-L1230🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/SKILL.md` around lines 173 - 175, Remove the claimed path-based direct-push exemption from the documented SDLC pipeline flow. In skills/sdlc-agentic-pipeline/SKILL.md lines 173-175 and 680-682, skills/sdlc-agentic-pipeline/references/pipeline.md lines 299-303, and skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines 1222-1230, require .opencode, docs, and reports changes to use a docs branch and PR, or a separately controlled automation path.
🟡 Minor comments (2)
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md-419-430 (1)
419-430: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick winChoose PR-and-merge or direct push for reports. Both procedures claim a direct push to
devbut instead create a PR and never merge it, leaving the report unpublished.
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md#L419-L430: use a PR and explicitly merge it, or replace the PR call with the documented direct push.skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md#L344-L355: apply the same consistent publication flow.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/agents/backend-agent.md` around lines 419 - 430, Make the report publication flow consistent in skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 419-430 and skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines 344-355: either retain github_create_pull_request and add the required merge step before reporting completion, or replace it with the documented direct push to dev. Ensure both procedures publish the report before reporting the commit URL and PR status to the PM Agent.skills/sdlc-agentic-pipeline/references/pipeline.md-335-339 (1)
335-339: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick winFix the broken onboarding reference.
eferences/setup/service-onboarding.mdis missing its leadingr, so the setup link/path is invalid.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/pipeline.md` around lines 335 - 339, Correct the onboarding reference in the “In Testing” status instructions by restoring the missing leading “r” in the setup path, while leaving the surrounding Jira workflow guidance unchanged.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Major comments:
In `@skills/sdlc-agentic-pipeline/references/agents/backend-agent.md`:
- Around line 372-379: Remove the “Accept dev version for ALL conflicts”
instruction from the dev-to-main conflict workflow. Update the resolution step
to require domain-owner review and resolution of each conflict before
committing, consistent with the existing safer rule referenced near lines
395-397; preserve the remaining branch, CI/CD, and PR steps.
- Around line 121-124: Replace the PAT-in-URL clone instructions in
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 121-124
and skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 177-180
with the approved credential-helper or non-argument authentication flow,
ensuring the token is not exposed in command history, process arguments, or tool
logs.
In `@skills/sdlc-agentic-pipeline/references/agents/code-reviewer-agent.md`:
- Around line 49-50: Update the branch strategy guidance to assign the
dev-to-main release merge to the developer agent rather than the PM Agent;
designate Backend as primary when both developers are active, and designate the
sole developer agent when only one is active.
In `@skills/sdlc-agentic-pipeline/references/agents/devops-agent.md`:
- Around line 244-268: Update the “GitHub Action Secrets Checklist” to match the
ci-cd.yml workflow contract: classify JFROG_PLATFORM_URL, JFROG_DOCKER_REGISTRY,
JFROG_USERNAME, JFROG_PROJECT, and SONAR_PROJECT_KEY as repository variables
under the appropriate Variables section, while retaining only actual secrets in
the required-secret comparison and adding SONAR_PROJECT_KEY to the required
configuration checklist. Update the procedure’s counts and wording so it
validates both secrets and variables before proceeding.
In `@skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md`:
- Around line 97-104: Update the repository bootstrap context in
skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines 97-104 to
state that the Backend Agent created the repository, and specify that Frontend
receives the repository URL/path and either clones it or uses an explicitly
provided workspace. Update
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 112-116 to
state that Backend created the repository and that DevOps clones it before
infrastructure work.
In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md`:
- Around line 225-226: Replace the `.env` loading command in the Step 1
project-context setup with safe parsing of only the required JIRA_* key/value
fields; do not use `source`, `eval`, or otherwise execute `.env` contents, while
preserving the environment values needed by the PM agent.
- Around line 444-446: Update
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md:444-446 to delegate
creation of the real release tag/ref and record the approved immutable image tag
or digest. Update
skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml:215-224 to publish
and expose the built image digest/SHA as the release artifact handoff. Update
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md:482-519 to deploy
that authorized immutable digest/SHA tag instead of latest, and update
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md:542-546 to
capture the currently running image before replacement and use it for rollback.
- Around line 90-96: Parameterize the Option A integration/release branch end to
end: in skills/sdlc-agentic-pipeline/references/agents/pm-agent.md lines 90-96,
persist the user-selected branch and pass it to downstream agents; in
skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml lines 48-52,
generate CI triggers from that branch; in
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 318-368
and skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines
253-303, use it for feature merges and release PRs; and in
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 270-296,
dispatch workflows against it instead of hard-coded dev.
In `@skills/sdlc-agentic-pipeline/references/pipeline.md`:
- Around line 177-184: Align the Step 6 CI/CD trigger instructions to one
contract: choose either manual dispatch or automatic triggering on pushes to
dev, then update the workflow verification and monitoring actions and the
referenced devops-agent.md guidance consistently. Remove contradictory trigger
wording so the pipeline execution path matches the selected behavior.
- Around line 89-102: Update the Step 2 “PM Agent — Sprint Start & SDD Setup”
workflow so the read-only PM Agent delegates creating and populating spec.md,
design.md, and tasks.md to a developer agent. Specify that the developer agent
works on its branch, commits the SDD artifacts, pushes the branch, and provides
the handoff for merging into dev; keep Jira and sprint actions with the PM
Agent.
In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md`:
- Around line 372-374: Update the “Invoke Backend Agent” instructions to remove
the GitHub PAT from the values passed through the delegation prompt. Keep
passing the backend scope, tech stack, project prompt, repository name, owner,
and visibility, and direct the Backend Agent to use its preconfigured GitHub MCP
capability for repository creation.
- Around line 105-115: Update the setup flow around Q0 to actually ask and store
whether the skill is installed at user or project level before asking for
repository type. Use that selection to derive all subsequent skill, config, and
reference source/target paths instead of hard-coding .codeartsdoer project
paths, while preserving the existing project-level default.
- Around line 405-419: Update the setup flow before the “Frontend Agent builds
concurrently with Backend” step to create and initialize the repository, push
the bootstrap commit, and create the dev branch before dispatching either agent.
Replace direct concurrent pushes to dev with isolated frontend/backend feature
branches, or document explicit synchronization and rebase coordination before
merging their commits.
In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py`:
- Around line 10-13: Harden ECS host verification across the referenced sites:
in skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py lines 10-13,
load the verified known_hosts entry and use RejectPolicy instead of
AutoAddPolicy; in the same file lines 43-46, remove StrictHostKeyChecking=no; in
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines
875-883, require users to verify and record the ECS host fingerprint before
running SSH automation.
- Around line 30-37: Update the failure branch of the SSH key installation flow
around exec_command to terminate unsuccessfully when result is not "SUCCESS".
Preserve the existing error output, then raise an exception or return a non-zero
status before ssh.close() and any subsequent verification or onboarding steps
can continue.
In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml`:
- Around line 156-166: Update the SonarCloud scan step associated with the Check
SonarCloud Quality Gate step to wait for the submitted analysis to finish by
enabling sonar.qualitygate.wait=true, or alternatively poll its analysis task ID
until completion before querying project_status. Ensure the existing
quality-gate check evaluates the current analysis result and still blocks
deploy-to-jfrog on failure.
In `@skills/sdlc-agentic-pipeline/references/templates/env-template.env`:
- Around line 14-15: Normalize JFROG_PLATFORM_URL as a full URL across all
references: retain the existing full-URL convention in
skills/sdlc-agentic-pipeline/references/templates/env-template.env lines 14-15,
remove the extra prepended scheme in skills/sdlc-agentic-pipeline/SKILL.md line
364, use <JFROG_PLATFORM_URL>/artifactory/api/ in
skills/sdlc-agentic-pipeline/references/pipeline.md line 197, and explicitly
state that the value includes the scheme in
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines
803-804.
- Around line 7-9: Update the SonarCloud MCP section in env-template.env to
include placeholders for SONAR_TOKEN and SONAR_ORGANIZATION alongside
SONAR_PROJECT_KEY, matching the values required by mcp-settings.json and the
documented onboarding contract.
In `@skills/sdlc-agentic-pipeline/references/templates/mcp-settings.json`:
- Around line 32-36: Update the jfrog entry in the MCP settings template to
reference the collected JFROG_PASSWORD placeholder for the Authorization bearer
token instead of the undefined JFROG_ACCESS_TOKEN placeholder, preserving the
existing URL and header structure.
In `@skills/sdlc-agentic-pipeline/references/templates/set-secrets.js`:
- Around line 129-140: Update the main variable and secret update loops to
capture the return value from setVariable and setSecret, track whether any
update fails, and exit with a non-zero status when failures occur. Only print
the successful “Done. Verify...” message when all updates succeed; preserve the
existing iteration behavior and credential arguments.
In `@skills/sdlc-agentic-pipeline/SKILL.md`:
- Around line 148-165: Establish one canonical stage numbering scheme across the
pipeline documentation, explicitly deciding whether “1b” is a numbered stage.
Update skills/sdlc-agentic-pipeline/SKILL.md lines 148-165 to define and
enumerate the canonical stages, mirror that numbering and CI-trigger behavior in
skills/sdlc-agentic-pipeline/README.md lines 39-57, correct release and
deployment references in skills/sdlc-agentic-pipeline/SKILL.md lines 486-503,
and remap idempotency checks to the actual stages in
skills/sdlc-agentic-pipeline/references/pipeline.md lines 43-51.
- Around line 173-175: Remove the claimed path-based direct-push exemption from
the documented SDLC pipeline flow. In skills/sdlc-agentic-pipeline/SKILL.md
lines 173-175 and 680-682, skills/sdlc-agentic-pipeline/references/pipeline.md
lines 299-303, and
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines
1222-1230, require .opencode, docs, and reports changes to use a docs branch and
PR, or a separately controlled automation path.
---
Minor comments:
In `@skills/sdlc-agentic-pipeline/references/agents/backend-agent.md`:
- Around line 419-430: Make the report publication flow consistent in
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 419-430
and skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines
344-355: either retain github_create_pull_request and add the required merge
step before reporting completion, or replace it with the documented direct push
to dev. Ensure both procedures publish the report before reporting the commit
URL and PR status to the PM Agent.
In `@skills/sdlc-agentic-pipeline/references/pipeline.md`:
- Around line 335-339: Correct the onboarding reference in the “In Testing”
status instructions by restoring the missing leading “r” in the setup path,
while leaving the surrounding Jira workflow guidance unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: b8be17f5-7806-43bb-8754-451ead66505b
📒 Files selected for processing (16)
skills/sdlc-agentic-pipeline/README.mdskills/sdlc-agentic-pipeline/SKILL.mdskills/sdlc-agentic-pipeline/references/agents/backend-agent.mdskills/sdlc-agentic-pipeline/references/agents/code-reviewer-agent.mdskills/sdlc-agentic-pipeline/references/agents/devops-agent.mdskills/sdlc-agentic-pipeline/references/agents/frontend-agent.mdskills/sdlc-agentic-pipeline/references/agents/pm-agent.mdskills/sdlc-agentic-pipeline/references/agents/tester-agent.mdskills/sdlc-agentic-pipeline/references/pipeline.mdskills/sdlc-agentic-pipeline/references/setup/service-onboarding.mdskills/sdlc-agentic-pipeline/references/templates/add_ssh_key.pyskills/sdlc-agentic-pipeline/references/templates/ci-cd.ymlskills/sdlc-agentic-pipeline/references/templates/env-template.envskills/sdlc-agentic-pipeline/references/templates/mcp-settings.jsonskills/sdlc-agentic-pipeline/references/templates/set-secrets.jsskills/sdlc-agentic-pipeline/references/templates/sonar-project.properties
Updated SKILL.md and all agent references (backend, frontend, tester, code-reviewer, devops, PM)
Added pipeline reference documentation (pipeline.md)
Added new templates: add_ssh_key.py, set-secrets.js
Updated existing templates: ci-cd.yml, env-template.env, sonar-project.properties
Updated service onboarding reference
Summary by CodeRabbit
New Features
Documentation