Skip to content

Update sdlc-agentic-pipeline skill#4

Merged
CodeArtsAgent merged 3 commits into
CodeArtsAgent:mainfrom
codeartstest:main
Jul 18, 2026
Merged

Update sdlc-agentic-pipeline skill#4
CodeArtsAgent merged 3 commits into
CodeArtsAgent:mainfrom
codeartstest:main

Conversation

@codeartstest

@codeartstest codeartstest commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
  • Updated SKILL.md and all agent references (backend, frontend, tester, code-reviewer, devops, PM)

  • Added pipeline reference documentation (pipeline.md)

  • Added new templates: add_ssh_key.py, set-secrets.js

  • Updated existing templates: ci-cd.yml, env-template.env, sonar-project.properties

  • Updated service onboarding reference

Summary by CodeRabbit

  • New Features

    • Added an end-to-end agentic SDLC pipeline covering requirements, development, review, testing, deployment, and sprint closure.
    • Added onboarding guidance for repository setup and integrations with Jira, GitHub, SonarCloud, Semgrep, JFrog, and Huawei Cloud ECS.
    • Added CI/CD, environment, security, deployment, and service configuration templates.
  • Documentation

    • Added detailed workflow references for each specialized SDLC agent, operational gates, error handling, and release procedures.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This change adds the sdlc-agentic-pipeline skill, documenting six-agent Jira-coordinated SDLC execution, onboarding procedures, agent-specific workflows, release and deployment controls, and templates for MCP, CI/CD, SonarCloud, environment, secrets, and ECS setup.

Changes

SDLC Agentic Pipeline

Layer / File(s) Summary
Architecture and lifecycle contracts
skills/sdlc-agentic-pipeline/README.md, skills/sdlc-agentic-pipeline/SKILL.md, skills/sdlc-agentic-pipeline/references/pipeline.md
Defines the six agents, Jira message routing, lifecycle states, branch rules, merge gates, idempotency, and throwback behavior.
Service onboarding and configuration
skills/sdlc-agentic-pipeline/references/setup/*, skills/sdlc-agentic-pipeline/references/templates/env-template.env, mcp-settings.json, sonar-project.properties, set-secrets.js, add_ssh_key.py
Documents existing/new repository onboarding and configures Jira, GitHub, SonarCloud, Semgrep, JFrog, ECS, Playwright, secrets, and SSH access.
Pipeline orchestration and release flow
skills/sdlc-agentic-pipeline/SKILL.md, skills/sdlc-agentic-pipeline/references/pipeline.md, skills/sdlc-agentic-pipeline/references/agents/pm-agent.md, references/templates/ci-cd.yml
Describes requirements, sprint setup, development, review, E2E testing, CI/CD, artifact verification, release, deployment, sprint close, and report generation.
Specialized agent workflows
skills/sdlc-agentic-pipeline/references/agents/*
Adds operational instructions for backend, frontend, code review, testing, PM coordination, DevOps automation, PR ownership, sign-offs, and failure handling.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant PM
  participant Jira
  participant DeveloperAgents
  participant Reviewer
  participant Tester
  participant DevOps
  participant CI
  participant JFrog
  participant ECS
  PM->>Jira: Create and route SDLC tasks
  DeveloperAgents->>Jira: Update tasks and submit PRs
  Jira->>Reviewer: Send review request
  Reviewer->>Jira: Record approval or throwback
  Jira->>Tester: Send E2E testing request
  Tester->>Jira: Record test sign-off or throwback
  DeveloperAgents->>CI: Merge approved changes into dev
  CI->>JFrog: Publish and verify artifacts
  PM->>DevOps: Authorize deployment
  DevOps->>ECS: Deploy and health-check the release
Loading
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change by naming the updated sdlc-agentic-pipeline skill.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note

Due to the large number of review comments, Critical severity comments were prioritized as inline comments.

🟠 Major comments (22)
skills/sdlc-agentic-pipeline/references/agents/code-reviewer-agent.md-49-50 (1)

49-50: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Assign the release merge to the developer agent.

The PM policy forbids PR creation and merging, but these lines assign the devmain merge to PM. Name Backend as primary when both developers are active, otherwise the sole developer agent.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/agents/code-reviewer-agent.md` around
lines 49 - 50, Update the branch strategy guidance to assign the dev-to-main
release merge to the developer agent rather than the PM Agent; designate Backend
as primary when both developers are active, and designate the sole developer
agent when only one is active.
skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md-97-104 (1)

97-104: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Correct Option B repository bootstrap ownership. These sections say PM creates and clones the repository, but the PM policy assigns creation and initial clone to Backend and forbids PM git writes.

  • skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md#L97-L104: state that Backend created the repository; pass its URL/path and have Frontend clone or receive a workspace explicitly.
  • skills/sdlc-agentic-pipeline/references/agents/devops-agent.md#L112-L116: state that Backend created the repository and have DevOps clone it before infrastructure work.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md` around
lines 97 - 104, Update the repository bootstrap context in
skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines 97-104 to
state that the Backend Agent created the repository, and specify that Frontend
receives the repository URL/path and either clones it or uses an explicitly
provided workspace. Update
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 112-116 to
state that Backend created the repository and that DevOps clones it before
infrastructure work.
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md-225-226 (1)

225-226: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Do not execute .env as shell code.

source evaluates command substitutions in configuration values. A modified .env can execute arbitrary commands in the PM agent context. Parse only the required JIRA_* key/value fields instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md` around lines 225
- 226, Replace the `.env` loading command in the Step 1 project-context setup
with safe parsing of only the required JIRA_* key/value fields; do not use
`source`, `eval`, or otherwise execute `.env` contents, while preserving the
environment values needed by the PM agent.
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md-372-379 (1)

372-379: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Remove the “accept dev for ALL conflicts” path.

This can silently discard fixes that exist only on main, including production hotfixes. Require domain-owner resolution before committing; the later instruction at Lines 395-397 already defines the safer rule.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/agents/backend-agent.md` around lines
372 - 379, Remove the “Accept dev version for ALL conflicts” instruction from
the dev-to-main conflict workflow. Update the resolution step to require
domain-owner review and resolution of each conflict before committing,
consistent with the existing safer rule referenced near lines 395-397; preserve
the remaining branch, CI/CD, and PR steps.
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md-121-124 (1)

121-124: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Do not place GitHub PATs in clone URLs. URL credentials are exposed through command history, process arguments, and tool logs.

  • skills/sdlc-agentic-pipeline/references/agents/backend-agent.md#L121-L124: use an approved credential helper or non-argument authentication flow for cloning.
  • skills/sdlc-agentic-pipeline/references/agents/devops-agent.md#L177-L180: use the same non-URL authentication mechanism.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/agents/backend-agent.md` around lines
121 - 124, Replace the PAT-in-URL clone instructions in
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 121-124
and skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 177-180
with the approved credential-helper or non-argument authentication flow,
ensuring the token is not exposed in command history, process arguments, or tool
logs.
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md-444-446 (1)

444-446: 🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

Deploy an authorized immutable artifact, not latest. The release flow does not hand off a real tag/digest, while deployment pulls mutable latest; a later dev build can replace it before deployment, and rollback has no recorded previous image.

  • skills/sdlc-agentic-pipeline/references/agents/pm-agent.md#L444-L446: delegate real release-tag/ref creation and record the approved image digest or immutable tag.
  • skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml#L215-L224: publish and expose the built image digest/SHA as the release artifact handoff.
  • skills/sdlc-agentic-pipeline/references/agents/devops-agent.md#L482-L519: deploy the authorized immutable digest/SHA tag rather than latest.
  • skills/sdlc-agentic-pipeline/references/agents/devops-agent.md#L542-L546: capture the currently running image before replacement and use it for rollback.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md` around lines 444
- 446, Update skills/sdlc-agentic-pipeline/references/agents/pm-agent.md:444-446
to delegate creation of the real release tag/ref and record the approved
immutable image tag or digest. Update
skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml:215-224 to publish
and expose the built image digest/SHA as the release artifact handoff. Update
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md:482-519 to deploy
that authorized immutable digest/SHA tag instead of latest, and update
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md:542-546 to
capture the currently running image before replacement and use it for rollback.
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md-244-268 (1)

244-268: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Match the checklist to the workflow’s secret/variable contract.

The template reads JFROG_PLATFORM_URL, JFROG_DOCKER_REGISTRY, JFROG_USERNAME, JFROG_PROJECT, and SONAR_PROJECT_KEY from vars.*, but this checklist tells users to create the first four as secrets and omits SONAR_PROJECT_KEY. Following it leaves required workflow values empty.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/agents/devops-agent.md` around lines
244 - 268, Update the “GitHub Action Secrets Checklist” to match the ci-cd.yml
workflow contract: classify JFROG_PLATFORM_URL, JFROG_DOCKER_REGISTRY,
JFROG_USERNAME, JFROG_PROJECT, and SONAR_PROJECT_KEY as repository variables
under the appropriate Variables section, while retaining only actual secrets in
the required-secret comparison and adding SONAR_PROJECT_KEY to the required
configuration checklist. Update the procedure’s counts and wording so it
validates both secrets and variables before proceeding.
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md-90-96 (1)

90-96: 🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

Parameterize the Option A integration and release branch. Option A permits a user-selected branch, but the CI, merge, release, and manual-trigger procedures hard-code dev; existing repositories using another branch will skip CI or merge the wrong branch.

  • skills/sdlc-agentic-pipeline/references/agents/pm-agent.md#L90-L96: persist one selected integration/release branch and pass it to every downstream agent.
  • skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml#L48-L52: generate triggers for that configured branch rather than always dev.
  • skills/sdlc-agentic-pipeline/references/agents/backend-agent.md#L318-L368: use the configured branch for feature merges and release PRs in Option A.
  • skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md#L253-L303: use the configured branch for feature merges and release PRs in Option A.
  • skills/sdlc-agentic-pipeline/references/agents/devops-agent.md#L270-L296: dispatch the workflow against the configured branch.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md` around lines 90 -
96, Parameterize the Option A integration/release branch end to end: in
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md lines 90-96, persist
the user-selected branch and pass it to downstream agents; in
skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml lines 48-52,
generate CI triggers from that branch; in
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 318-368
and skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines
253-303, use it for feature merges and release PRs; and in
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 270-296,
dispatch workflows against it instead of hard-coded dev.
skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml-156-166 (1)

156-166: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Wait for the submitted Quality Gate result. project_status can return the previous analysis if the scanner hasn’t finished processing yet, which can let a failing run reach deploy-to-jfrog. Set sonar.qualitygate.wait=true on the scan step or poll the analysis task ID before this check. skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml:143-166

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml` around lines 156
- 166, Update the SonarCloud scan step associated with the Check SonarCloud
Quality Gate step to wait for the submitted analysis to finish by enabling
sonar.qualitygate.wait=true, or alternatively poll its analysis task ID until
completion before querying project_status. Ensure the existing quality-gate
check evaluates the current analysis result and still blocks deploy-to-jfrog on
failure.
skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py-10-13 (1)

10-13: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Verify the ECS host identity instead of accepting any key. AutoAddPolicy and StrictHostKeyChecking=no allow a network attacker to impersonate the ECS host during password-based bootstrap or later verification.

  • skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py#L10-L13: load a verified known_hosts entry and use RejectPolicy.
  • skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py#L43-L46: remove StrictHostKeyChecking=no.
  • skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md#L875-L883: require users to verify and record the ECS host fingerprint before SSH automation.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py` around
lines 10 - 13, Harden ECS host verification across the referenced sites: in
skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py lines 10-13,
load the verified known_hosts entry and use RejectPolicy instead of
AutoAddPolicy; in the same file lines 43-46, remove StrictHostKeyChecking=no; in
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines
875-883, require users to verify and record the ECS host fingerprint before
running SSH automation.

Source: Linters/SAST tools

skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py-30-37 (1)

30-37: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Fail the script when the remote key installation fails.

After a failed exec_command, the function only prints an error and exits successfully. Onboarding can therefore continue to Docker installation despite key-based access not being configured. Raise an exception or return a non-zero exit status before verification.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py` around
lines 30 - 37, Update the failure branch of the SSH key installation flow around
exec_command to terminate unsuccessfully when result is not "SUCCESS". Preserve
the existing error output, then raise an exception or return a non-zero status
before ssh.close() and any subsequent verification or onboarding steps can
continue.
skills/sdlc-agentic-pipeline/references/pipeline.md-177-184 (1)

177-184: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Use one CI/CD trigger contract.

Line 183 says workflow updates use manual dispatch, while Line 184 says CI/CD auto-triggers on pushes to dev. Choose one behavior and align the workflow instructions; otherwise the pipeline can wait for a run that was never triggered.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/pipeline.md` around lines 177 - 184,
Align the Step 6 CI/CD trigger instructions to one contract: choose either
manual dispatch or automatic triggering on pushes to dev, then update the
workflow verification and monitoring actions and the referenced devops-agent.md
guidance consistently. Remove contradictory trigger wording so the pipeline
execution path matches the selected behavior.
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md-372-374 (1)

372-374: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Do not pass the GitHub PAT through the delegation prompt.

The GitHub MCP configuration is already written before this step. Forwarding the PAT to a subagent unnecessarily exposes a repository-admin credential in task context and logs. Have the Backend Agent use its configured MCP capability instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md` around
lines 372 - 374, Update the “Invoke Backend Agent” instructions to remove the
GitHub PAT from the values passed through the delegation prompt. Keep passing
the backend scope, tech stack, project prompt, repository name, owner, and
visibility, and direct the Backend Agent to use its preconfigured GitHub MCP
capability for repository creation.
skills/sdlc-agentic-pipeline/references/pipeline.md-89-102 (1)

89-102: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Delegate SDD repository writes to a developer agent.

The PM Agent is read-only in SKILL.md Lines 645-650, but this step requires creating and populating SDD files. Specify the developer-agent branch/commit/push handoff; otherwise the required SDD artifacts cannot reach dev.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/pipeline.md` around lines 89 - 102,
Update the Step 2 “PM Agent — Sprint Start & SDD Setup” workflow so the
read-only PM Agent delegates creating and populating spec.md, design.md, and
tasks.md to a developer agent. Specify that the developer agent works on its
branch, commits the SDD artifacts, pushes the branch, and provides the handoff
for merging into dev; keep Jira and sprint actions with the PM Agent.
skills/sdlc-agentic-pipeline/SKILL.md-148-165 (1)

148-165: 🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

Establish one canonical stage numbering scheme. The documents alternately define 9, 10, and 11 numbered stages, and rerun logic maps gates to the wrong stages.

  • skills/sdlc-agentic-pipeline/SKILL.md#L148-L165: rename and enumerate the canonical stages, including whether 1b is a stage.
  • skills/sdlc-agentic-pipeline/README.md#L39-L57: mirror the canonical numbering and CI trigger behavior.
  • skills/sdlc-agentic-pipeline/SKILL.md#L486-L503: correct release/deployment stage references.
  • skills/sdlc-agentic-pipeline/references/pipeline.md#L43-L51: remap idempotency checks to their actual stages.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/SKILL.md` around lines 148 - 165, Establish one
canonical stage numbering scheme across the pipeline documentation, explicitly
deciding whether “1b” is a numbered stage. Update
skills/sdlc-agentic-pipeline/SKILL.md lines 148-165 to define and enumerate the
canonical stages, mirror that numbering and CI-trigger behavior in
skills/sdlc-agentic-pipeline/README.md lines 39-57, correct release and
deployment references in skills/sdlc-agentic-pipeline/SKILL.md lines 486-503,
and remap idempotency checks to the actual stages in
skills/sdlc-agentic-pipeline/references/pipeline.md lines 43-51.
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md-105-115 (1)

105-115: 🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

Implement the user-level installation option before asking for repository type.

Q0 offers user-level storage, but the copy/config instructions throughout this guide hard-code .codeartsdoer/... project paths. Also, the stated Q0 question is never actually asked. Capture the installation scope first and derive source/target paths from it.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md` around
lines 105 - 115, Update the setup flow around Q0 to actually ask and store
whether the skill is installed at user or project level before asking for
repository type. Use that selection to derive all subsequent skill, config, and
reference source/target paths instead of hard-coding .codeartsdoer project
paths, while preserving the existing project-level default.
skills/sdlc-agentic-pipeline/references/templates/env-template.env-14-15 (1)

14-15: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Normalize JFROG_PLATFORM_URL as a full URL. Onboarding and the environment template define it as https://…, while report and REST examples prepend another https://, producing invalid URLs.

  • skills/sdlc-agentic-pipeline/references/templates/env-template.env#L14-L15: retain the full-URL convention.
  • skills/sdlc-agentic-pipeline/SKILL.md#L364-L364: remove the prepended scheme.
  • skills/sdlc-agentic-pipeline/references/pipeline.md#L197-L197: use <JFROG_PLATFORM_URL>/artifactory/api/.
  • skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md#L803-L804: state explicitly that this value includes the scheme.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/templates/env-template.env` around
lines 14 - 15, Normalize JFROG_PLATFORM_URL as a full URL across all references:
retain the existing full-URL convention in
skills/sdlc-agentic-pipeline/references/templates/env-template.env lines 14-15,
remove the extra prepended scheme in skills/sdlc-agentic-pipeline/SKILL.md line
364, use <JFROG_PLATFORM_URL>/artifactory/api/ in
skills/sdlc-agentic-pipeline/references/pipeline.md line 197, and explicitly
state that the value includes the scheme in
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines
803-804.
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md-405-419 (1)

405-419: 🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

Bootstrap dev before parallel development starts.

Frontend is told to concurrently commit to a clone and branch that Backend has not necessarily created yet. Separate agents also cannot safely push independent initial commits to the same branch without synchronization. Create the repository and dev first, then dispatch isolated feature branches or explicitly coordinate rebases.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md` around
lines 405 - 419, Update the setup flow before the “Frontend Agent builds
concurrently with Backend” step to create and initialize the repository, push
the bootstrap commit, and create the dev branch before dispatching either agent.
Replace direct concurrent pushes to dev with isolated frontend/backend feature
branches, or document explicit synchronization and rebase coordination before
merging their commits.
skills/sdlc-agentic-pipeline/references/templates/env-template.env-7-9 (1)

7-9: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Include the Sonar MCP values required by the documented contract.

mcp-settings.json requires SONAR_TOKEN and SONAR_ORGANIZATION, and onboarding says both belong in .env; this template only emits SONAR_PROJECT_KEY. Generated local configuration cannot fully populate the Sonar MCP server.

 # SonarCloud MCP
 SONAR_PROJECT_KEY=<SONAR_PROJECT_KEY>
+SONAR_ORGANIZATION=<SONAR_ORGANIZATION>
+SONAR_TOKEN=<SONAR_TOKEN>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/templates/env-template.env` around
lines 7 - 9, Update the SonarCloud MCP section in env-template.env to include
placeholders for SONAR_TOKEN and SONAR_ORGANIZATION alongside SONAR_PROJECT_KEY,
matching the values required by mcp-settings.json and the documented onboarding
contract.
skills/sdlc-agentic-pipeline/references/templates/mcp-settings.json-32-36 (1)

32-36: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Use the collected JFrog credential placeholder consistently.

Onboarding collects JFROG_PASSWORD as the JFrog access token, but this template references undefined <JFROG_ACCESS_TOKEN>. The generated MCP config will not authenticate unless users manually invent an extra value.

-        "Authorization": "Bearer <JFROG_ACCESS_TOKEN>"
+        "Authorization": "Bearer <JFROG_PASSWORD>"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/templates/mcp-settings.json` around
lines 32 - 36, Update the jfrog entry in the MCP settings template to reference
the collected JFROG_PASSWORD placeholder for the Authorization bearer token
instead of the undefined JFROG_ACCESS_TOKEN placeholder, preserving the existing
URL and header structure.
skills/sdlc-agentic-pipeline/references/templates/set-secrets.js-129-140 (1)

129-140: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Exit non-zero when any secret or variable update fails.

setVariable and setSecret return failure, but their results are discarded and the script always prints Done. This lets onboarding proceed with missing CI/CD credentials.

+  let failed = false;
   console.log('Variables (plain text):');
   for (const [name, value] of Object.entries(VARIABLES)) {
-    await setVariable(GITHUB_OWNER, GITHUB_REPO, GITHUB_PAT, name, value);
+    failed ||= !(await setVariable(GITHUB_OWNER, GITHUB_REPO, GITHUB_PAT, name, value));
   }
 
   console.log('\nSecrets (encrypted):');
   for (const [name, value] of Object.entries(SECRETS)) {
-    await setSecret(GITHUB_OWNER, GITHUB_REPO, GITHUB_PAT, name, value);
+    failed ||= !(await setSecret(GITHUB_OWNER, GITHUB_REPO, GITHUB_PAT, name, value));
   }
 
+  if (failed) process.exit(1);
   console.log('\nDone. Verify at: https://github.com/' + GITHUB_OWNER + '/' + GITHUB_REPO + '/settings/secrets/actions');
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/templates/set-secrets.js` around
lines 129 - 140, Update the main variable and secret update loops to capture the
return value from setVariable and setSecret, track whether any update fails, and
exit with a non-zero status when failures occur. Only print the successful
“Done. Verify...” message when all updates succeed; preserve the existing
iteration behavior and credential arguments.
skills/sdlc-agentic-pipeline/SKILL.md-173-175 (1)

173-175: 🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Remove the claimed path-based direct-push exemption. GitHub branch protection doesn’t let .opencode/**, docs/**, or reports/** bypass PR requirements on a dev push; that ref update affects the whole branch. Route these changes through a docs branch + PR, or use a separately controlled automation path.

  • skills/sdlc-agentic-pipeline/SKILL.md#L173-L175
  • skills/sdlc-agentic-pipeline/SKILL.md#L680-L682
  • skills/sdlc-agentic-pipeline/references/pipeline.md#L299-L303
  • skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md#L1222-L1230
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/SKILL.md` around lines 173 - 175, Remove the
claimed path-based direct-push exemption from the documented SDLC pipeline flow.
In skills/sdlc-agentic-pipeline/SKILL.md lines 173-175 and 680-682,
skills/sdlc-agentic-pipeline/references/pipeline.md lines 299-303, and
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines
1222-1230, require .opencode, docs, and reports changes to use a docs branch and
PR, or a separately controlled automation path.
🟡 Minor comments (2)
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md-419-430 (1)

419-430: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Choose PR-and-merge or direct push for reports. Both procedures claim a direct push to dev but instead create a PR and never merge it, leaving the report unpublished.

  • skills/sdlc-agentic-pipeline/references/agents/backend-agent.md#L419-L430: use a PR and explicitly merge it, or replace the PR call with the documented direct push.
  • skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md#L344-L355: apply the same consistent publication flow.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/agents/backend-agent.md` around lines
419 - 430, Make the report publication flow consistent in
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 419-430
and skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines
344-355: either retain github_create_pull_request and add the required merge
step before reporting completion, or replace it with the documented direct push
to dev. Ensure both procedures publish the report before reporting the commit
URL and PR status to the PM Agent.
skills/sdlc-agentic-pipeline/references/pipeline.md-335-339 (1)

335-339: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix the broken onboarding reference.

eferences/setup/service-onboarding.md is missing its leading r, so the setup link/path is invalid.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/pipeline.md` around lines 335 - 339,
Correct the onboarding reference in the “In Testing” status instructions by
restoring the missing leading “r” in the setup path, while leaving the
surrounding Jira workflow guidance unchanged.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Major comments:
In `@skills/sdlc-agentic-pipeline/references/agents/backend-agent.md`:
- Around line 372-379: Remove the “Accept dev version for ALL conflicts”
instruction from the dev-to-main conflict workflow. Update the resolution step
to require domain-owner review and resolution of each conflict before
committing, consistent with the existing safer rule referenced near lines
395-397; preserve the remaining branch, CI/CD, and PR steps.
- Around line 121-124: Replace the PAT-in-URL clone instructions in
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 121-124
and skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 177-180
with the approved credential-helper or non-argument authentication flow,
ensuring the token is not exposed in command history, process arguments, or tool
logs.

In `@skills/sdlc-agentic-pipeline/references/agents/code-reviewer-agent.md`:
- Around line 49-50: Update the branch strategy guidance to assign the
dev-to-main release merge to the developer agent rather than the PM Agent;
designate Backend as primary when both developers are active, and designate the
sole developer agent when only one is active.

In `@skills/sdlc-agentic-pipeline/references/agents/devops-agent.md`:
- Around line 244-268: Update the “GitHub Action Secrets Checklist” to match the
ci-cd.yml workflow contract: classify JFROG_PLATFORM_URL, JFROG_DOCKER_REGISTRY,
JFROG_USERNAME, JFROG_PROJECT, and SONAR_PROJECT_KEY as repository variables
under the appropriate Variables section, while retaining only actual secrets in
the required-secret comparison and adding SONAR_PROJECT_KEY to the required
configuration checklist. Update the procedure’s counts and wording so it
validates both secrets and variables before proceeding.

In `@skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md`:
- Around line 97-104: Update the repository bootstrap context in
skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines 97-104 to
state that the Backend Agent created the repository, and specify that Frontend
receives the repository URL/path and either clones it or uses an explicitly
provided workspace. Update
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 112-116 to
state that Backend created the repository and that DevOps clones it before
infrastructure work.

In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md`:
- Around line 225-226: Replace the `.env` loading command in the Step 1
project-context setup with safe parsing of only the required JIRA_* key/value
fields; do not use `source`, `eval`, or otherwise execute `.env` contents, while
preserving the environment values needed by the PM agent.
- Around line 444-446: Update
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md:444-446 to delegate
creation of the real release tag/ref and record the approved immutable image tag
or digest. Update
skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml:215-224 to publish
and expose the built image digest/SHA as the release artifact handoff. Update
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md:482-519 to deploy
that authorized immutable digest/SHA tag instead of latest, and update
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md:542-546 to
capture the currently running image before replacement and use it for rollback.
- Around line 90-96: Parameterize the Option A integration/release branch end to
end: in skills/sdlc-agentic-pipeline/references/agents/pm-agent.md lines 90-96,
persist the user-selected branch and pass it to downstream agents; in
skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml lines 48-52,
generate CI triggers from that branch; in
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 318-368
and skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines
253-303, use it for feature merges and release PRs; and in
skills/sdlc-agentic-pipeline/references/agents/devops-agent.md lines 270-296,
dispatch workflows against it instead of hard-coded dev.

In `@skills/sdlc-agentic-pipeline/references/pipeline.md`:
- Around line 177-184: Align the Step 6 CI/CD trigger instructions to one
contract: choose either manual dispatch or automatic triggering on pushes to
dev, then update the workflow verification and monitoring actions and the
referenced devops-agent.md guidance consistently. Remove contradictory trigger
wording so the pipeline execution path matches the selected behavior.
- Around line 89-102: Update the Step 2 “PM Agent — Sprint Start & SDD Setup”
workflow so the read-only PM Agent delegates creating and populating spec.md,
design.md, and tasks.md to a developer agent. Specify that the developer agent
works on its branch, commits the SDD artifacts, pushes the branch, and provides
the handoff for merging into dev; keep Jira and sprint actions with the PM
Agent.

In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md`:
- Around line 372-374: Update the “Invoke Backend Agent” instructions to remove
the GitHub PAT from the values passed through the delegation prompt. Keep
passing the backend scope, tech stack, project prompt, repository name, owner,
and visibility, and direct the Backend Agent to use its preconfigured GitHub MCP
capability for repository creation.
- Around line 105-115: Update the setup flow around Q0 to actually ask and store
whether the skill is installed at user or project level before asking for
repository type. Use that selection to derive all subsequent skill, config, and
reference source/target paths instead of hard-coding .codeartsdoer project
paths, while preserving the existing project-level default.
- Around line 405-419: Update the setup flow before the “Frontend Agent builds
concurrently with Backend” step to create and initialize the repository, push
the bootstrap commit, and create the dev branch before dispatching either agent.
Replace direct concurrent pushes to dev with isolated frontend/backend feature
branches, or document explicit synchronization and rebase coordination before
merging their commits.

In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py`:
- Around line 10-13: Harden ECS host verification across the referenced sites:
in skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py lines 10-13,
load the verified known_hosts entry and use RejectPolicy instead of
AutoAddPolicy; in the same file lines 43-46, remove StrictHostKeyChecking=no; in
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines
875-883, require users to verify and record the ECS host fingerprint before
running SSH automation.
- Around line 30-37: Update the failure branch of the SSH key installation flow
around exec_command to terminate unsuccessfully when result is not "SUCCESS".
Preserve the existing error output, then raise an exception or return a non-zero
status before ssh.close() and any subsequent verification or onboarding steps
can continue.

In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml`:
- Around line 156-166: Update the SonarCloud scan step associated with the Check
SonarCloud Quality Gate step to wait for the submitted analysis to finish by
enabling sonar.qualitygate.wait=true, or alternatively poll its analysis task ID
until completion before querying project_status. Ensure the existing
quality-gate check evaluates the current analysis result and still blocks
deploy-to-jfrog on failure.

In `@skills/sdlc-agentic-pipeline/references/templates/env-template.env`:
- Around line 14-15: Normalize JFROG_PLATFORM_URL as a full URL across all
references: retain the existing full-URL convention in
skills/sdlc-agentic-pipeline/references/templates/env-template.env lines 14-15,
remove the extra prepended scheme in skills/sdlc-agentic-pipeline/SKILL.md line
364, use <JFROG_PLATFORM_URL>/artifactory/api/ in
skills/sdlc-agentic-pipeline/references/pipeline.md line 197, and explicitly
state that the value includes the scheme in
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines
803-804.
- Around line 7-9: Update the SonarCloud MCP section in env-template.env to
include placeholders for SONAR_TOKEN and SONAR_ORGANIZATION alongside
SONAR_PROJECT_KEY, matching the values required by mcp-settings.json and the
documented onboarding contract.

In `@skills/sdlc-agentic-pipeline/references/templates/mcp-settings.json`:
- Around line 32-36: Update the jfrog entry in the MCP settings template to
reference the collected JFROG_PASSWORD placeholder for the Authorization bearer
token instead of the undefined JFROG_ACCESS_TOKEN placeholder, preserving the
existing URL and header structure.

In `@skills/sdlc-agentic-pipeline/references/templates/set-secrets.js`:
- Around line 129-140: Update the main variable and secret update loops to
capture the return value from setVariable and setSecret, track whether any
update fails, and exit with a non-zero status when failures occur. Only print
the successful “Done. Verify...” message when all updates succeed; preserve the
existing iteration behavior and credential arguments.

In `@skills/sdlc-agentic-pipeline/SKILL.md`:
- Around line 148-165: Establish one canonical stage numbering scheme across the
pipeline documentation, explicitly deciding whether “1b” is a numbered stage.
Update skills/sdlc-agentic-pipeline/SKILL.md lines 148-165 to define and
enumerate the canonical stages, mirror that numbering and CI-trigger behavior in
skills/sdlc-agentic-pipeline/README.md lines 39-57, correct release and
deployment references in skills/sdlc-agentic-pipeline/SKILL.md lines 486-503,
and remap idempotency checks to the actual stages in
skills/sdlc-agentic-pipeline/references/pipeline.md lines 43-51.
- Around line 173-175: Remove the claimed path-based direct-push exemption from
the documented SDLC pipeline flow. In skills/sdlc-agentic-pipeline/SKILL.md
lines 173-175 and 680-682, skills/sdlc-agentic-pipeline/references/pipeline.md
lines 299-303, and
skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md lines
1222-1230, require .opencode, docs, and reports changes to use a docs branch and
PR, or a separately controlled automation path.

---

Minor comments:
In `@skills/sdlc-agentic-pipeline/references/agents/backend-agent.md`:
- Around line 419-430: Make the report publication flow consistent in
skills/sdlc-agentic-pipeline/references/agents/backend-agent.md lines 419-430
and skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md lines
344-355: either retain github_create_pull_request and add the required merge
step before reporting completion, or replace it with the documented direct push
to dev. Ensure both procedures publish the report before reporting the commit
URL and PR status to the PM Agent.

In `@skills/sdlc-agentic-pipeline/references/pipeline.md`:
- Around line 335-339: Correct the onboarding reference in the “In Testing”
status instructions by restoring the missing leading “r” in the setup path,
while leaving the surrounding Jira workflow guidance unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b8be17f5-7806-43bb-8754-451ead66505b

📥 Commits

Reviewing files that changed from the base of the PR and between 472e801 and 4dce110.

📒 Files selected for processing (16)
  • skills/sdlc-agentic-pipeline/README.md
  • skills/sdlc-agentic-pipeline/SKILL.md
  • skills/sdlc-agentic-pipeline/references/agents/backend-agent.md
  • skills/sdlc-agentic-pipeline/references/agents/code-reviewer-agent.md
  • skills/sdlc-agentic-pipeline/references/agents/devops-agent.md
  • skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md
  • skills/sdlc-agentic-pipeline/references/agents/pm-agent.md
  • skills/sdlc-agentic-pipeline/references/agents/tester-agent.md
  • skills/sdlc-agentic-pipeline/references/pipeline.md
  • skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md
  • skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py
  • skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml
  • skills/sdlc-agentic-pipeline/references/templates/env-template.env
  • skills/sdlc-agentic-pipeline/references/templates/mcp-settings.json
  • skills/sdlc-agentic-pipeline/references/templates/set-secrets.js
  • skills/sdlc-agentic-pipeline/references/templates/sonar-project.properties

@CodeArtsAgent
CodeArtsAgent merged commit 2d661ef into CodeArtsAgent:main Jul 18, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants