Skip to content

OCPEDGE-2776: feat(agents): add agentic harness foundation with safety guardrails#2804

Open
qJkee wants to merge 3 commits into
openshift:mainfrom
qJkee:OCPEDGE-2776
Open

OCPEDGE-2776: feat(agents): add agentic harness foundation with safety guardrails#2804
qJkee wants to merge 3 commits into
openshift:mainfrom
qJkee:OCPEDGE-2776

Conversation

@qJkee

@qJkee qJkee commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Add Claude Code permissions (deny destructive LVM commands and generated file edits, allow safe build/test commands), PostToolUse hooks (API type change warning, per-package go vet), and PreToolUse secret detection.

Add GitHub Copilot instruction file derived from AGENTS.md. Restructure AGENTS.md safety section into three-tier boundaries (Always/Ask/Never) and add explicit build commands.

Summary by CodeRabbit

  • Documentation
    • Added clearer guidance for build, test, verify, generate, and release workflows, including expanded checklists for regenerating bundles and catalogs.
    • Added step-by-step instructions for modifying CRDs safely, plus updated API authoring and reconciliation/testing conventions.
    • Expanded AI-assisted tooling guidance and contribution workflows, including commit and documentation standards.
  • Chores
    • Added stronger tool-use guardrails to prevent unsafe operations and to flag potential secret content during edits.
    • Added automatic follow-up actions to keep generated outputs and related quality checks in sync after relevant changes.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 3, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 3, 2026

Copy link
Copy Markdown

@qJkee: This pull request references OCPEDGE-2776 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the ticket to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Add Claude Code permissions (deny destructive LVM commands and generated file edits, allow safe build/test commands), PostToolUse hooks (API type change warning, per-package go vet), and PreToolUse secret detection.

Add GitHub Copilot instruction file derived from AGENTS.md. Restructure AGENTS.md safety section into three-tier boundaries (Always/Ask/Never) and add explicit build commands.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 3, 2026
@openshift-ci openshift-ci Bot requested review from jeff-roche and pacevedom July 3, 2026 08:32
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qJkee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 3, 2026
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Caution

Review failed

An error occurred during the review process. Please try again later.

Walkthrough

This PR adds Claude, Cursor, and Copilot guidance files; expands shared repository instructions for builds, CRD changes, testing, and safety boundaries; and updates ADR decision documents and the ADR index to accepted status.

Changes

AI tooling guidance

Layer / File(s) Summary
Tool policy and hooks
.claude/settings.json
Defines edit/write restrictions, blocks destructive shell commands, adds secret-scanning pre-edit hooks, and posts edit guidance plus go vet hooks.
Repository guidance updates
AGENTS.md, .github/copilot-instructions.md, .github/instructions/api-types.instructions.md, .cursor/rules/lvms.mdc, CONTRIBUTING.md
Expands build/test/verify commands, CRD workflows, safety boundaries, path-scoped AI guidance, and attribution/commit instructions.
Claude commands and rules
.claude/commands/*, .claude/rules/*
Adds command docs for CRD edits, ADR creation, and E2E runs, plus rules for API types, reconciliation, testing, and VG Manager behavior.

ADR decision documentation

Layer / File(s) Summary
ADR status and outcomes
docs/decisions/0001-single-binary-architecture.md, docs/decisions/0002-v1alpha1-is-stable.md, docs/decisions/0003-finalizer-hierarchy.md, docs/decisions/0004-conservative-device-filters.md, docs/decisions/index.md
Marks ADRs 0001–0004 as accepted, rewrites decision outcomes and consequences, refreshes references, and updates the ADR index dates/statuses.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Suggested labels: ready-for-human-review

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding agentic harness safety guardrails and supporting instruction files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only changed docs/config files; no Go test files or Ginkgo titles were added or edited.
Test Structure And Quality ✅ Passed No test files or Ginkgo specs were changed; the PR only updates docs/config, so the test-structure check is not applicable.
Microshift Test Compatibility ✅ Passed No Ginkgo e2e tests were added; the diff only touches docs/config files, so there’s nothing MicroShift-specific to flag.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR changes only docs/instruction files; no new Ginkgo e2e tests or node-topology assumptions were added.
Topology-Aware Scheduling Compatibility ✅ Passed Only docs/instruction files changed; no deployment manifests, operator code, or controllers were modified, so no topology-aware scheduling risk was introduced.
Ote Binary Stdout Contract ✅ Passed PR only changes docs/config files; no process-level code or stdout-writing setup was added, so the OTE stdout contract isn’t affected.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Changed files are docs/config only; no new Ginkgo e2e test definitions or IPv4/external-network assumptions were added.
No-Weak-Crypto ✅ Passed Changed files are docs/config only; searches found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons.
Container-Privileges ✅ Passed PR diff is docs-only (.claude, .github, AGENTS.md, CONTRIBUTING.md) and adds no privileged/hostNetwork/hostPID/hostIPC/SYS_ADMIN/allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs ✅ Passed No new logging exposes secrets or PII; the only stderr output is a generic secret-detection warning with no user data.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov-commenter

codecov-commenter commented Jul 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.00%. Comparing base (9a79642) to head (6988086).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #2804      +/-   ##
==========================================
- Coverage   54.14%   54.00%   -0.15%     
==========================================
  Files          54       54              
  Lines        4170     4170              
==========================================
- Hits         2258     2252       -6     
- Misses       1730     1733       +3     
- Partials      182      185       +3     

see 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/settings.json:
- Around line 33-35: The Go Bash allow-rules are too broad because the current
go test, go vet, and go build patterns can permit execution of attacker-supplied
tools through flags like -exec, -toolexec, and -vettool. Tighten the matching
entries in .claude/settings.json by restricting them to safer package targets
such as ./... or by explicitly excluding those flags, and keep the change
focused on the three existing rules for go test, go vet, and go build.

In @.github/copilot-instructions.md:
- Around line 71-78: The fenced example in the copilot instructions markdown is
missing a language tag, which triggers markdownlint MD040. Update the example
near the commit-message guidance so the fenced block is labeled with an
appropriate language such as text, keeping the rest of the example content
unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 42aeed6a-d6aa-4658-83ac-ce1dc676ee6d

📥 Commits

Reviewing files that changed from the base of the PR and between 3082b77 and e4e3819.

📒 Files selected for processing (3)
  • .claude/settings.json
  • .github/copilot-instructions.md
  • AGENTS.md

Comment thread .claude/settings.json Outdated
Comment thread .github/copilot-instructions.md Outdated
@openshift-ci openshift-ci Bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 3, 2026
@coderabbitai coderabbitai Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jul 3, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.claude/rules/reconciliation.md (1)

23-24: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Narrow the errgroup guidance.

errgroup only cancels via errgroup.WithContext; this wording is broader than the actual failure mode. Please scope it to the context-canceling variant or the multi-node fan-out case.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/rules/reconciliation.md around lines 23 - 24, Narrow the `errgroup`
guidance so it only applies to `errgroup.WithContext` or the multi-node fan-out
pattern in reconciliation.md, since plain errgroup usage does not always cancel
work. Update the rule text to explicitly say to avoid the context-canceling
variant when continuing healthy nodes matters, and keep the recommendation
aligned with raw goroutines plus errors.Join for aggregate-error handling.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.claude/rules/reconciliation.md:
- Around line 23-24: Narrow the `errgroup` guidance so it only applies to
`errgroup.WithContext` or the multi-node fan-out pattern in reconciliation.md,
since plain errgroup usage does not always cancel work. Update the rule text to
explicitly say to avoid the context-canceling variant when continuing healthy
nodes matters, and keep the recommendation aligned with raw goroutines plus
errors.Join for aggregate-error handling.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 26dd008c-124a-48e3-bd29-255e77938faa

📥 Commits

Reviewing files that changed from the base of the PR and between e4e3819 and 7306533.

📒 Files selected for processing (18)
  • .claude/commands/modify-crd.md
  • .claude/commands/new-adr.md
  • .claude/commands/run-e2e.md
  • .claude/rules/api-types.md
  • .claude/rules/reconciliation.md
  • .claude/rules/testing.md
  • .claude/rules/vgmanager.md
  • .claude/settings.json
  • .cursor/rules/lvms.mdc
  • .github/copilot-instructions.md
  • .github/instructions/api-types.instructions.md
  • AGENTS.md
  • CONTRIBUTING.md
  • docs/decisions/0001-single-binary-architecture.md
  • docs/decisions/0002-v1alpha1-is-stable.md
  • docs/decisions/0003-finalizer-hierarchy.md
  • docs/decisions/0004-conservative-device-filters.md
  • docs/decisions/index.md
✅ Files skipped from review due to trivial changes (11)
  • .cursor/rules/lvms.mdc
  • .claude/rules/testing.md
  • .claude/commands/modify-crd.md
  • .claude/commands/new-adr.md
  • .claude/rules/api-types.md
  • .claude/commands/run-e2e.md
  • docs/decisions/0002-v1alpha1-is-stable.md
  • .github/instructions/api-types.instructions.md
  • docs/decisions/0004-conservative-device-filters.md
  • .github/copilot-instructions.md
  • docs/decisions/index.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • .claude/settings.json

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 3, 2026
qJkee added 3 commits July 3, 2026 19:41
Add Claude Code permissions (deny destructive LVM commands and generated
file edits, allow safe build/test commands), PostToolUse hooks (API type
change warning, per-package go vet), and PreToolUse secret detection.

Add GitHub Copilot instruction file derived from AGENTS.md. Restructure
AGENTS.md safety section into three-tier boundaries (Always/Ask/Never)
and add explicit build commands.
  Add Claude Code rules for api-types, vgmanager, reconciliation, and testing.
  Add slash commands: /modify-crd, /run-e2e, /new-adr. Fill considered options
  and promote ADRs 0001-0004 from draft to accepted with 2022-07-01 date.
Add Cursor (.cursor/rules/lvms.mdc) and Copilot path-specific
(.github/instructions/api-types.instructions.md) instruction files.
Add path-scoped guidance, agent skills, and cross-tool sections to
AGENTS.md. Expand AI-assisted contributions in CONTRIBUTING.md with
supported tools matrix and slash command documentation.
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 3, 2026
@qJkee

qJkee commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

/retest

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@qJkee: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants