librenotes/.wave/pipelines/code-review.yaml
Michael Czechowski fc24f9a8ab Add Wave general-purpose pipelines
ADR, changelog, code-review, debug, doc-sync, explain, feature,
hotfix, improve, onboard, plan, prototype, refactor, security-scan,
smoke-test, speckit-flow, supervise, test-gen, and more.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 17:02:36 +01:00

166 lines
4.4 KiB
YAML

kind: WavePipeline
metadata:
  name: code-review
  description: "Comprehensive code review for pull requests"
  release: true

input:
  source: cli
  example: "review the authentication module"

steps:
  # Step 1: map the change set. The project tree is mounted read-only,
  # so this step cannot modify the code under review.
  - id: diff-analysis
    persona: navigator
    workspace:
      mount:
        - source: ./
          target: /project
          mode: readonly
    exec:
      type: prompt
      source: |
        Analyze the code changes for: {{ input }}

        1. Identify all modified files and their purposes
        2. Map the change scope (which modules/packages affected)
        3. Find related tests that should be updated
        4. Check for breaking API changes

        Produce a structured result matching the contract schema.
    output_artifacts:
      - name: diff
        path: .wave/output/diff-analysis.json
        type: json
    # The JSON output is validated against a schema; on failure the step
    # is retried up to 2 times.
    handover:
      contract:
        type: json_schema
        source: .wave/output/diff-analysis.json
        schema_path: .wave/contracts/diff-analysis.schema.json
        on_failure: retry
        max_retries: 2

  # Step 2: security review. Depends on diff-analysis and receives its
  # artifact as `changes`.
  - id: security-review
    persona: auditor
    dependencies: [diff-analysis]
    memory:
      inject_artifacts:
        - step: diff-analysis
          artifact: diff
          as: changes
    exec:
      type: prompt
      source: |
        Security review of the changes:

        Check for:
        1. SQL injection, XSS, CSRF vulnerabilities
        2. Hardcoded secrets or credentials
        3. Insecure deserialization
        4. Missing input validation
        5. Authentication/authorization gaps
        6. Sensitive data exposure

        Output findings with severity (CRITICAL/HIGH/MEDIUM/LOW).
    output_artifacts:
      - name: security
        path: .wave/output/security-review.md
        type: markdown

  # Step 3: quality review. Has the same dependency and input as the
  # security review.
  - id: quality-review
    persona: auditor
    dependencies: [diff-analysis]
    memory:
      inject_artifacts:
        - step: diff-analysis
          artifact: diff
          as: changes
    exec:
      type: prompt
      source: |
        Quality review of the changes:

        Check for:
        1. Error handling completeness
        2. Edge cases not covered
        3. Code duplication
        4. Naming consistency
        5. Missing or inadequate tests
        6. Performance implications
        7. Documentation gaps

        Output findings with severity and suggestions.
    output_artifacts:
      - name: quality
        path: .wave/output/quality-review.md
        type: markdown

  # Step 4: merge both reviews into a single verdict.
  - id: summary
    persona: summarizer
    dependencies: [security-review, quality-review]
    memory:
      inject_artifacts:
        - step: security-review
          artifact: security
          as: security_findings
        - step: quality-review
          artifact: quality
          as: quality_findings
    exec:
      type: prompt
      source: |
        Synthesize the review findings into a final verdict:

        1. Overall assessment (APPROVE / REQUEST_CHANGES / NEEDS_DISCUSSION)
        2. Critical issues that must be fixed
        3. Suggested improvements (optional but recommended)
        4. Positive observations

        Format as a PR review comment ready to post.
        Do NOT include a title/header line — the publish step adds one.
    output_artifacts:
      - name: verdict
        path: .wave/output/review-summary.md
        type: markdown

  # Step 5: post the verdict to the pull request with the gh CLI.
  # The review text is placed inside a double-quoted shell argument, so
  # quotes, backticks and $ in it must be escaped; gh pr comment also
  # accepts --body-file.
  - id: publish
    persona: github-commenter
    dependencies: [summary]
    memory:
      inject_artifacts:
        - step: summary
          artifact: verdict
          as: review_summary
    exec:
      type: prompt
      source: |
        Post the code review summary as a PR comment.

        The original input was: {{ input }}
        Extract the PR number or URL from the input.

        1. Post the review as a PR comment using:
           gh pr comment <PR_NUMBER_OR_URL> --body "## Code Review (Wave Pipeline)

           <review content>

           ---
           *Generated by [Wave](https://github.com/re-cinq/wave) code-review pipeline*"
    output_artifacts:
      - name: publish-result
        path: .wave/output/publish-result.json
        type: json
    # The publish result must pass schema validation (must_pass: true).
    handover:
      contract:
        type: json_schema
        source: .wave/output/publish-result.json
        schema_path: .wave/contracts/publish-result.schema.json
        must_pass: true
        on_failure: retry
        max_retries: 2
    outcomes:
      - type: url
        extract_from: .wave/output/publish-result.json
        json_path: .comment_url
        label: "Review Comment"