feat(kanban): add phase 6 gitops enforcement #2562

Closed
MohAnghabo wants to merge 12 commits into pingdotgg:main from MohAnghabo:feature/t3-kanban-phase-6-gitops

MohAnghabo commented May 6, 2026

Summary

  • Add the Phase 6 GitOps provider slice for local git status, diff, staging, PR readiness, branch policy, provider status, and release/tag readiness gates.
  • Extend the Kanban console contracts and mock snapshot with rename/copy source paths plus release latestTag and targetTag metadata.
  • Fix review feedback for porcelain rename/copy parsing so staged rename actions use the real target path while preserving the source path for UI display.

Linked Work

  • Refs MohAnghabo/ai-starter-pro#43
  • Spec: docs/tasks/t3-kanban-project-console.md
  • Completed: Phase 6 Git status and GitOps enforcement provider/contracts slice.
  • Out of scope: Actual merge, deploy, tag creation, or GitHub Project state writes. Those remain confirmation-gated follow-up behavior.

Testing Guide

  1. bun check

Focused checks also run during implementation:

  1. bun run fmt:check
  2. bun run --cwd packages/contracts test -- kanbanConsole
  3. bun run --cwd apps/server test -- GitStatusProvider
  4. bun run --cwd apps/web test -- kanbanConsoleMock
  5. bun run --cwd apps/server typecheck

Risks and Rollback

  • Risk: The GitOps provider shells out to git for new readiness checks; failures are intentionally degraded into blocked/setup-required gates where possible.
  • Risk: PR size is above the 400 LOC target because the new provider, contracts, tests, and execution-log update need to land together for a coherent validated slice.
  • Rollback: Revert this PR to remove the Phase 6 provider surface and return the console to the existing mock/contract state.

Readiness Checklist

  • Relevant Markdown docs updated where needed
  • Tests added or updated for this change
  • All required local validation passed
  • GitHub issue linked
  • Durable spec path linked
  • Task execution log updated

Note

Add phase 6 GitOps enforcement with kanban console UI, AI loop workflows, and preflight checks

  • Adds a KanbanConsoleMock React component with multi-view navigation, drag-and-drop task movement, and RTL/Arabic locale support, rendering at /kanban and as the authenticated home view
  • Introduces GitHubProjectsProvider, KanbanGitStatusProvider, and AgentWorkflowLauncher Effect services for managing GitHub Projects board state, git status, and agent workflow dispatch
  • Adds AI loop infrastructure: automated Claude review workflow, an event router that dispatches findings to an autofix executor, and a GitHub Actions workflow that applies, commits, and pushes fixes
  • Adds a preflight check suite (scripts/preflight/) covering Doppler auth, stack-specific tooling (Neon/Convex/Vercel), environment tier parity, and secret rotation, with fix applicators that write secrets to Doppler
  • Adds a sync-codex-commands.ts CLI that generates and validates .codex/commands/ wrappers from .claude/commands/ canonical runbooks, with --check mode for drift detection
  • Adds governance rule files (.ai/rules/) covering PDPL compliance, IFRS accounting, secret management, PR readiness, AWS Well-Architected, and agent orchestration
  • Risk: The AI fix executor workflow requires a GitHub App token and Claude API access; misconfigured credentials will cause the router to silently skip dispatch based on the enable gate in .github/ai-loop.yml
📊 Macroscope summarized 8620410. 38 files reviewed, 11 issues evaluated, 6 issues filtered, 0 comments posted

🗂️ Filtered Issues

apps/server/src/kanban/GitHubProjectsProvider.ts — 0 comments posted, 1 evaluated, 1 filtered
  • line 191: In fieldValue, the priority of the nullish coalescing on line 191 is reversed. When the GitHub CLI returns field values with structure { "field": { "name": "Status" }, "name": "In Progress" }, the expression trim(field.name) ?? trim(objectValue(field.field)?.name) evaluates field.name first, which yields the value ("In Progress") rather than the field name ("Status"). Since "in progress" is not in the wanted set for field names like "Status", the field is skipped and the lookup falls through to the fallback. The expression should be trim(objectValue(field.field)?.name) ?? trim(field.name) to prioritize the nested field.field.name (the actual field name) over field.name (which may hold the value). [ Failed validation ]
apps/server/src/kanban/GitStatusProvider.ts — 0 comments posted, 1 evaluated, 1 filtered
  • line 535: The targetTagOutput git command is only executed when input.targetTag is explicitly provided, but targetTag on line 554 can also be derived from releaseTagFromBranch(branch). When input.targetTag is undefined and targetTag is derived from the branch name, targetTagOutput will always be an empty string (from Effect.succeed("")), causing the gate-tag-readiness gate to incorrectly report "passing" even if the derived tag already exists in the repository. [ Posting failed ]
scripts/ai-loop/config.ts — 0 comments posted, 1 evaluated, 1 filtered
  • line 53: The config file path defaults to .github/ai-loop.yml (a YAML file), but the code uses JSON.parse() to parse it. YAML is a superset of JSON, meaning valid JSON is valid YAML, but not vice versa. If the config file uses any YAML-specific syntax (like unquoted strings, multi-line strings with |, anchors, etc.), JSON.parse() will throw a SyntaxError. Either the file extension should be .json, or a YAML parser library should be used. [ Failed validation ]
scripts/ai-loop/router-logic.ts — 0 comments posted, 1 evaluated, 1 filtered
  • line 56: The function checks state.last_result_fingerprint but the calling code stores the fingerprint in state.last_signal_fingerprint. In router.ts, after computing findingSetFingerprint, it is assigned to last_signal_fingerprint (e.g., last_signal_fingerprint: findingSetFingerprint). However, shouldBlockRepeatedFindingSet compares against last_result_fingerprint, which is a different field that is never populated with the finding fingerprint. This means the repeated-finding-set detection will never trigger, defeating the intended blocking behavior. [ Failed validation ]
scripts/preflight/checks/integrations.ts — 0 comments posted, 1 evaluated, 1 filtered
  • line 181: The doppler/yaml check provides a misleading hint even when the check passes. When files.length > 0 && !hasPlaceholder evaluates to true (status = "pass"), the hint is still set to "Replace placeholder Doppler project names." because the ternary at lines 182-185 only distinguishes between files.length === 0 and files.length > 0, not whether the check passed. Other checks in this file correctly use undefined for the hint when passing (e.g., line 221, line 250), but this one always provides a string hint. [ Failed validation ]
scripts/preflight/fix/apply.ts — 0 comments posted, 1 evaluated, 1 filtered
  • line 35: The checks for stack-b/convex-deployment (lines 34-38) and stack-a/neon-url (lines 44-46) only verify status === "error" but do not check the fixable property, unlike the other fix conditions which use hasFixableIssue. This inconsistency means fixes will be attempted for these checks even if they report fixable: false, potentially running provider CLI commands when the check explicitly indicated the issue cannot be auto-fixed. [ Posting failed ]
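
The tag-readiness finding for GitStatusProvider.ts above describes a gate that passes because the existence lookup runs for only one of the two tag sources. The TypeScript below is an added illustration, not code from the PR or the project; apart from targetTag and releaseTagFromBranch, every name, the release/vX.Y.Z branch convention and the fakeGit sample data are assumptions.

```typescript
// Added illustration, not the PR's GitStatusProvider. Only targetTag and
// releaseTagFromBranch are names from the page; the rest is hypothetical.
type GateStatus = "passing" | "blocked" | "setup-required";
type GateInput = { targetTag?: string; branch: string };
// Stand-in for the git call: matching tag lines, or undefined if git failed.
type ListTags = (tag: string) => string | undefined;

// Assumption: release branches are named like "release/v1.2.3".
function releaseTagFromBranch(branch: string): string | undefined {
  const match = /^release\/(v\d+\.\d+\.\d+)$/.exec(branch);
  return match ? match[1] : undefined;
}

// Behaviour the finding describes: only an explicit targetTag is looked up,
// so a branch-derived tag is compared against an empty string.
function gateAsReported(input: GateInput, listTags: ListTags): GateStatus {
  const output = input.targetTag ? (listTags(input.targetTag) ?? "") : "";
  const targetTag = input.targetTag ?? releaseTagFromBranch(input.branch);
  const exists = targetTag !== undefined && output.split("\n").includes(targetTag);
  return exists ? "blocked" : "passing";
}

// Resolve the tag first, query for whichever source produced it, and treat
// an unanswered query as blocked rather than passing.
function gateFailClosed(input: GateInput, listTags: ListTags): GateStatus {
  const targetTag = input.targetTag ?? releaseTagFromBranch(input.branch);
  if (targetTag === undefined) return "setup-required";
  const output = listTags(targetTag);
  if (output === undefined) return "blocked";
  const exists = output.split("\n").some((line) => line.trim() === targetTag);
  return exists ? "blocked" : "passing";
}

// Constructed sample repository state: v1.3.0 and v1.4.0 already exist.
const existingTags = new Set(["v1.3.0", "v1.4.0"]);
const fakeGit: ListTags = (tag) => (existingTags.has(tag) ? `${tag}\n` : "");

const derived: GateInput = { branch: "release/v1.4.0" };
console.log(gateAsReported(derived, fakeGit), gateFailClosed(derived, fakeGit));
```

In a real provider the ListTags callback would wrap the git invocation, so a test can inject a failing lookup and confirm the gate does not report passing.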

coderabbitai Bot commented May 6, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 97268cfc-bd9d-4dad-9a4a-eb363f3d3594

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


MohAnghabo (Author) commented

Opened against the upstream repo by mistake from the product fork workflow. Closing and recreating in MohAnghabo/kanban-console.

MohAnghabo closed this May 6, 2026

github-actions Bot added labels May 6, 2026: size:XXL (1,000+ changed lines, additions + deletions); vouch:unvouched (PR author is not yet trusted in the VOUCHED list).

macroscopeapp Bot commented May 6, 2026

Approvability

Verdict: Unable to determine

Macroscope's correctness review was unable to post its findings for this PR. Approvability cannot proceed without a successful correctness review.
